chore: add test case

fix: multiple wildcard
chore: add comment
2023-04-01 11:21:38 +08:00 · 2023-04-01 11:17:15 +08:00 · 2023-04-01 10:52:20 +08:00 · 2023-04-01 10:38:30 +08:00 · 2023-03-31 23:51:09 +08:00 · 2023-03-31 21:03:42 +08:00
91 changed files with 2215 additions and 652 deletions
--- a/.github/rename-cgo.sh
+++ b/.github/rename-cgo.sh
@ -15,6 +15,15 @@ do
    elif [[ $FILENAME =~ "windows-4.0-amd64" ]];then
        echo "rename windows amd64 $FILENAME"
        mv $FILENAME clash.meta-windows-amd64-cgo.exe
+    elif [[ $FILENAME =~ "clash.meta-linux-arm-5" ]];then
+        echo "rename clash.meta-linux-arm-5 $FILENAME"
+        mv $FILENAME clash.meta-linux-armv5-cgo
+    elif [[ $FILENAME =~ "clash.meta-linux-arm-6" ]];then
+        echo "rename clash.meta-linux-arm-6 $FILENAME"
+        mv $FILENAME clash.meta-linux-armv6-cgo
+    elif [[ $FILENAME =~ "clash.meta-linux-arm-7" ]];then
+        echo "rename clash.meta-linux-arm-7 $FILENAME"
+        mv $FILENAME clash.meta-linux-armv7-cgo
    elif [[ $FILENAME =~ "linux" ]];then
        echo "rename linux $FILENAME"
        mv $FILENAME $FILENAME-cgo
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -268,6 +268,18 @@ jobs:
          generate_release_notes: true
          body_path: release.txt

+      - name: Git push assets to "release" branch
+        run: |
+          cd bin || exit 1
+          git init
+          git config --local user.name "github-actions[bot]"
+          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git checkout -b release
+          git add .
+          git commit -m "${{ env.BUILDTIME }}"
+          git remote add origin "https://${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}"
+          git push -f -u origin release
+
  Upload-Release:
    permissions: write-all
    if: ${{ github.ref_type=='tag' }}
--- a/README.md
+++ b/README.md
@ -31,7 +31,7 @@

 ## Wiki

-Documentation and configuring examples are available on [wiki](https://github.com/MetaCubeX/Clash.Meta/wiki) and [Clash.Meta Wiki](https://docs.metacubex.one/).
+Documentation and configuring examples are available on [Clash.Meta Wiki](https://clash-meta.wiki).

 ## Build

--- a/adapter/outbound/base.go
+++ b/adapter/outbound/base.go
@ -34,12 +34,7 @@ func (b *Base) Name() string {
 // Id implements C.ProxyAdapter
 func (b *Base) Id() string {
 	if b.id == "" {
-		id, err := utils.UnsafeUUIDGenerator.NewV6()
-		if err != nil {
-			b.id = b.name
-		} else {
-			b.id = id.String()
-		}
+		b.id = utils.NewUUIDV6().String()
 	}

 	return b.id
@ -210,6 +205,8 @@ func NewConn(c net.Conn, a C.ProxyAdapter) C.Conn {
 type packetConn struct {
 	net.PacketConn
 	chain                   C.Chain
+	adapterName             string
+	connID                  string
 	actualRemoteDestination string
 }

@ -227,8 +224,13 @@ func (c *packetConn) AppendToChains(a C.ProxyAdapter) {
 	c.chain = append(c.chain, a.Name())
 }

+func (c *packetConn) LocalAddr() net.Addr {
+	lAddr := c.PacketConn.LocalAddr()
+	return N.NewCustomAddr(c.adapterName, c.connID, lAddr) // make quic-go's connMultiplexer happy
+}
+
 func newPacketConn(pc net.PacketConn, a C.ProxyAdapter) C.PacketConn {
-	return &packetConn{pc, []string{a.Name()}, parseRemoteDestination(a.Addr())}
+	return &packetConn{pc, []string{a.Name()}, a.Name(), utils.NewUUIDV4().String(), parseRemoteDestination(a.Addr())}
 }

 func parseRemoteDestination(addr string) string {
--- a/adapter/outbound/shadowsocks.go
+++ b/adapter/outbound/shadowsocks.go
@ -12,11 +12,13 @@ import (
 	"github.com/Dreamacro/clash/common/structure"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/transport/restls"
 	obfs "github.com/Dreamacro/clash/transport/simple-obfs"
 	shadowtls "github.com/Dreamacro/clash/transport/sing-shadowtls"
 	"github.com/Dreamacro/clash/transport/socks5"
 	v2rayObfs "github.com/Dreamacro/clash/transport/v2ray-plugin"

+	restlsC "github.com/3andne/restls-client-go"
 	shadowsocks "github.com/metacubex/sing-shadowsocks"
 	"github.com/metacubex/sing-shadowsocks/shadowimpl"
 	"github.com/sagernet/sing/common/bufio"
@ -34,19 +36,22 @@ type ShadowSocks struct {
 	obfsOption      *simpleObfsOption
 	v2rayOption     *v2rayObfs.Option
 	shadowTLSOption *shadowtls.ShadowTLSOption
+	restlsConfig    *restlsC.Config
 }

 type ShadowSocksOption struct {
 	BasicOption
-	Name       string         `proxy:"name"`
-	Server     string         `proxy:"server"`
-	Port       int            `proxy:"port"`
-	Password   string         `proxy:"password"`
-	Cipher     string         `proxy:"cipher"`
-	UDP        bool           `proxy:"udp,omitempty"`
-	Plugin     string         `proxy:"plugin,omitempty"`
-	PluginOpts map[string]any `proxy:"plugin-opts,omitempty"`
-	UDPOverTCP bool           `proxy:"udp-over-tcp,omitempty"`
+	Name              string         `proxy:"name"`
+	Server            string         `proxy:"server"`
+	Port              int            `proxy:"port"`
+	Password          string         `proxy:"password"`
+	Cipher            string         `proxy:"cipher"`
+	UDP               bool           `proxy:"udp,omitempty"`
+	Plugin            string         `proxy:"plugin,omitempty"`
+	PluginOpts        map[string]any `proxy:"plugin-opts,omitempty"`
+	UDPOverTCP        bool           `proxy:"udp-over-tcp,omitempty"`
+	UDPOverTCPVersion int            `proxy:"udp-over-tcp-version,omitempty"`
+	ClientFingerprint string         `proxy:"client-fingerprint,omitempty"`
 }

 type simpleObfsOption struct {
@ -66,31 +71,30 @@ type v2rayObfsOption struct {
 }

 type shadowTLSOption struct {
-	Password          string `obfs:"password"`
-	Host              string `obfs:"host"`
-	Fingerprint       string `obfs:"fingerprint,omitempty"`
-	ClientFingerprint string `obfs:"client-fingerprint,omitempty"`
-	SkipCertVerify    bool   `obfs:"skip-cert-verify,omitempty"`
-	Version           int    `obfs:"version,omitempty"`
+	Password       string `obfs:"password"`
+	Host           string `obfs:"host"`
+	Fingerprint    string `obfs:"fingerprint,omitempty"`
+	SkipCertVerify bool   `obfs:"skip-cert-verify,omitempty"`
+	Version        int    `obfs:"version,omitempty"`
+}
+
+type restlsOption struct {
+	Password     string `obfs:"password"`
+	Host         string `obfs:"host"`
+	VersionHint  string `obfs:"version-hint"`
+	RestlsScript string `obfs:"restls-script,omitempty"`
 }

 // StreamConn implements C.ProxyAdapter
 func (ss *ShadowSocks) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
-	switch ss.obfsMode {
-	case shadowtls.Mode:
-		// fix tls handshake not timeout
-		ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTLSTimeout)
-		defer cancel()
-		var err error
-		c, err = shadowtls.NewShadowTLS(ctx, c, ss.shadowTLSOption)
-		if err != nil {
-			return nil, err
-		}
-	}
-	return ss.streamConn(c, metadata)
+	// fix tls handshake not timeout
+	ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTLSTimeout)
+	defer cancel()
+	return ss.StreamConnContext(ctx, c, metadata)
 }

-func (ss *ShadowSocks) streamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+func (ss *ShadowSocks) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+	useEarly := false
 	switch ss.obfsMode {
 	case "tls":
 		c = obfs.NewTLSObfs(c, ss.obfsOption.Host)
@ -103,15 +107,31 @@ func (ss *ShadowSocks) streamConn(c net.Conn, metadata *C.Metadata) (net.Conn, e
 		if err != nil {
 			return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
 		}
+	case shadowtls.Mode:
+		var err error
+		c, err = shadowtls.NewShadowTLS(ctx, c, ss.shadowTLSOption)
+		if err != nil {
+			return nil, err
+		}
+		useEarly = true
+	case restls.Mode:
+		var err error
+		c, err = restls.NewRestls(ctx, c, ss.restlsConfig)
+		if err != nil {
+			return nil, fmt.Errorf("%s (restls) connect error: %w", ss.addr, err)
+		}
+		useEarly = true
 	}
+	useEarly = useEarly || N.NeedHandshake(c)
 	if metadata.NetWork == C.UDP && ss.option.UDPOverTCP {
-		if N.NeedHandshake(c) {
-			return ss.method.DialEarlyConn(c, M.ParseSocksaddr(uot.UOTMagicAddress+":443")), nil
+		uotDestination := uot.RequestDestination(uint8(ss.option.UDPOverTCPVersion))
+		if useEarly {
+			return ss.method.DialEarlyConn(c, uotDestination), nil
 		} else {
-			return ss.method.DialConn(c, M.ParseSocksaddr(uot.UOTMagicAddress+":443"))
+			return ss.method.DialConn(c, uotDestination)
 		}
 	}
-	if N.NeedHandshake(c) {
+	if useEarly {
 		return ss.method.DialEarlyConn(c, M.ParseSocksaddr(metadata.RemoteAddress())), nil
 	} else {
 		return ss.method.DialConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
@ -135,15 +155,7 @@ func (ss *ShadowSocks) DialContextWithDialer(ctx context.Context, dialer C.Diale
 		safeConnClose(c, err)
 	}(c)

-	switch ss.obfsMode {
-	case shadowtls.Mode:
-		c, err = shadowtls.NewShadowTLS(ctx, c, ss.shadowTLSOption)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	c, err = ss.streamConn(c, metadata)
+	c, err = ss.StreamConnContext(ctx, c, metadata)
 	return NewConn(c, ss), err
 }

@ -159,7 +171,12 @@ func (ss *ShadowSocks) ListenPacketWithDialer(ctx context.Context, dialer C.Dial
 		if err != nil {
 			return nil, err
 		}
-		return newPacketConn(uot.NewClientConn(tcpConn), ss), nil
+		destination := M.ParseSocksaddr(metadata.RemoteAddress())
+		if ss.option.UDPOverTCPVersion == 1 {
+			return newPacketConn(uot.NewConn(tcpConn, uot.Request{Destination: destination}), ss), nil
+		} else {
+			return newPacketConn(uot.NewLazyConn(tcpConn, uot.Request{Destination: destination}), ss), nil
+		}
 	}
 	addr, err := resolveUDPAddrWithPrefer(ctx, "udp", ss.addr, ss.prefer)
 	if err != nil {
@ -182,7 +199,12 @@ func (ss *ShadowSocks) SupportWithDialer() bool {
 // ListenPacketOnStreamConn implements C.ProxyAdapter
 func (ss *ShadowSocks) ListenPacketOnStreamConn(c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	if ss.option.UDPOverTCP {
-		return newPacketConn(uot.NewClientConn(c), ss), nil
+		destination := M.ParseSocksaddr(metadata.RemoteAddress())
+		if ss.option.UDPOverTCPVersion == uot.LegacyVersion {
+			return newPacketConn(uot.NewConn(c, uot.Request{Destination: destination}), ss), nil
+		} else {
+			return newPacketConn(uot.NewLazyConn(c, uot.Request{Destination: destination}), ss), nil
+		}
 	}
 	return nil, errors.New("no support")
 }
@ -202,6 +224,7 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 	var v2rayOption *v2rayObfs.Option
 	var obfsOption *simpleObfsOption
 	var shadowTLSOpt *shadowtls.ShadowTLSOption
+	var restlsConfig *restlsC.Config
 	obfsMode := ""

 	decoder := structure.NewDecoder(structure.Option{TagName: "obfs", WeaklyTypedInput: true})
@ -250,10 +273,30 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			Password:          opt.Password,
 			Host:              opt.Host,
 			Fingerprint:       opt.Fingerprint,
-			ClientFingerprint: opt.ClientFingerprint,
+			ClientFingerprint: option.ClientFingerprint,
 			SkipCertVerify:    opt.SkipCertVerify,
 			Version:           opt.Version,
 		}
+	} else if option.Plugin == restls.Mode {
+		obfsMode = restls.Mode
+		restlsOpt := &restlsOption{}
+		if err := decoder.Decode(option.PluginOpts, restlsOpt); err != nil {
+			return nil, fmt.Errorf("ss %s initialize restls-plugin error: %w", addr, err)
+		}
+
+		restlsConfig, err = restlsC.NewRestlsConfig(restlsOpt.Host, restlsOpt.Password, restlsOpt.VersionHint, restlsOpt.RestlsScript, option.ClientFingerprint)
+		restlsConfig.SessionTicketsDisabled = true
+		if err != nil {
+			return nil, fmt.Errorf("ss %s initialize restls-plugin error: %w", addr, err)
+		}
+
+	}
+	switch option.UDPOverTCPVersion {
+	case uot.Version, uot.LegacyVersion:
+	case 0:
+		option.UDPOverTCPVersion = uot.Version
+	default:
+		return nil, fmt.Errorf("ss %s unknown udp over tcp protocol version: %d", addr, option.UDPOverTCPVersion)
 	}

 	return &ShadowSocks{
@ -274,6 +317,7 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 		v2rayOption:     v2rayOption,
 		obfsOption:      obfsOption,
 		shadowTLSOption: shadowTLSOpt,
+		restlsConfig:    restlsConfig,
 	}, nil
 }

--- a/adapter/outbound/tuic.go
+++ b/adapter/outbound/tuic.go
@ -42,16 +42,17 @@ type TuicOption struct {
 	DisableSni            bool     `proxy:"disable-sni,omitempty"`
 	MaxUdpRelayPacketSize int      `proxy:"max-udp-relay-packet-size,omitempty"`

-	FastOpen            bool   `proxy:"fast-open,omitempty"`
-	MaxOpenStreams      int    `proxy:"max-open-streams,omitempty"`
-	SkipCertVerify      bool   `proxy:"skip-cert-verify,omitempty"`
-	Fingerprint         string `proxy:"fingerprint,omitempty"`
-	CustomCA            string `proxy:"ca,omitempty"`
-	CustomCAString      string `proxy:"ca-str,omitempty"`
-	ReceiveWindowConn   int    `proxy:"recv-window-conn,omitempty"`
-	ReceiveWindow       int    `proxy:"recv-window,omitempty"`
-	DisableMTUDiscovery bool   `proxy:"disable-mtu-discovery,omitempty"`
-	SNI                 string `proxy:"sni,omitempty"`
+	FastOpen             bool   `proxy:"fast-open,omitempty"`
+	MaxOpenStreams       int    `proxy:"max-open-streams,omitempty"`
+	SkipCertVerify       bool   `proxy:"skip-cert-verify,omitempty"`
+	Fingerprint          string `proxy:"fingerprint,omitempty"`
+	CustomCA             string `proxy:"ca,omitempty"`
+	CustomCAString       string `proxy:"ca-str,omitempty"`
+	ReceiveWindowConn    int    `proxy:"recv-window-conn,omitempty"`
+	ReceiveWindow        int    `proxy:"recv-window,omitempty"`
+	DisableMTUDiscovery  bool   `proxy:"disable-mtu-discovery,omitempty"`
+	MaxDatagramFrameSize int    `proxy:"max-datagram-frame-size,omitempty"`
+	SNI                  string `proxy:"sni,omitempty"`
 }

 // DialContext implements C.ProxyAdapter
@ -175,6 +176,15 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 		option.MaxOpenStreams = 100
 	}

+	if option.MaxDatagramFrameSize == 0 {
+		option.MaxDatagramFrameSize = option.MaxUdpRelayPacketSize + tuic.PacketOverHead
+	}
+
+	if option.MaxDatagramFrameSize > 1400 {
+		option.MaxDatagramFrameSize = 1400
+	}
+	option.MaxUdpRelayPacketSize = option.MaxDatagramFrameSize - tuic.PacketOverHead
+
 	// ensure server's incoming stream can handle correctly, increase to 1.1x
 	quicMaxOpenStreams := int64(option.MaxOpenStreams)
 	quicMaxOpenStreams = quicMaxOpenStreams + int64(math.Ceil(float64(quicMaxOpenStreams)/10.0))
@ -187,6 +197,7 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 		MaxIncomingUniStreams:          quicMaxOpenStreams,
 		KeepAlivePeriod:                time.Duration(option.HeartbeatInterval) * time.Millisecond,
 		DisablePathMTUDiscovery:        option.DisableMTUDiscovery,
+		MaxDatagramFrameSize:           int64(option.MaxDatagramFrameSize),
 		EnableDatagrams:                true,
 	}
 	if option.ReceiveWindowConn == 0 {
--- a/adapter/parser.go
+++ b/adapter/parser.go
@ -23,7 +23,7 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 	)
 	switch proxyType {
 	case "ss":
-		ssOption := &outbound.ShadowSocksOption{}
+		ssOption := &outbound.ShadowSocksOption{ClientFingerprint: tlsC.GetGlobalFingerprint()}
 		err = decoder.Decode(mapping, ssOption)
 		if err != nil {
 			break
@ -56,10 +56,7 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 				Method: "GET",
 				Path:   []string{"/"},
 			},
-		}
-
-		if GlobalUtlsClient := tlsC.GetGlobalFingerprint(); len(GlobalUtlsClient) != 0 {
-			vmessOption.ClientFingerprint = GlobalUtlsClient
+			ClientFingerprint: tlsC.GetGlobalFingerprint(),
 		}

 		err = decoder.Decode(mapping, vmessOption)
@ -68,12 +65,7 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		}
 		proxy, err = outbound.NewVmess(*vmessOption)
 	case "vless":
-		vlessOption := &outbound.VlessOption{}
-
-		if GlobalUtlsClient := tlsC.GetGlobalFingerprint(); len(GlobalUtlsClient) != 0 {
-			vlessOption.ClientFingerprint = GlobalUtlsClient
-		}
-
+		vlessOption := &outbound.VlessOption{ClientFingerprint: tlsC.GetGlobalFingerprint()}
 		err = decoder.Decode(mapping, vlessOption)
 		if err != nil {
 			break
@ -87,12 +79,7 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		}
 		proxy, err = outbound.NewSnell(*snellOption)
 	case "trojan":
-		trojanOption := &outbound.TrojanOption{}
-
-		if GlobalUtlsClient := tlsC.GetGlobalFingerprint(); len(GlobalUtlsClient) != 0 {
-			trojanOption.ClientFingerprint = GlobalUtlsClient
-		}
-
+		trojanOption := &outbound.TrojanOption{ClientFingerprint: tlsC.GetGlobalFingerprint()}
 		err = decoder.Decode(mapping, trojanOption)
 		if err != nil {
 			break
--- a/adapter/provider/healthcheck.go
+++ b/adapter/provider/healthcheck.go
@ -34,16 +34,15 @@ type HealthCheck struct {

 func (hc *HealthCheck) process() {
 	ticker := time.NewTicker(time.Duration(hc.interval) * time.Second)
-
-	go func() {
-		time.Sleep(30 * time.Second)
-		hc.lazyCheck()
-	}()
-
 	for {
 		select {
 		case <-ticker.C:
-			hc.lazyCheck()
+			now := time.Now().Unix()
+			if !hc.lazy || now-hc.lastTouch.Load() < int64(hc.interval) {
+				hc.check()
+			} else {
+				log.Debugln("Skip once health check because we are lazy")
+			}
 		case <-hc.done:
 			ticker.Stop()
 			return
@ -51,17 +50,6 @@ func (hc *HealthCheck) process() {
 	}
 }

-func (hc *HealthCheck) lazyCheck() bool {
-	now := time.Now().Unix()
-	if !hc.lazy || now-hc.lastTouch.Load() < int64(hc.interval) {
-		hc.check()
-		return true
-	} else {
-		log.Debugln("Skip once health check because we are lazy")
-		return false
-	}
-}
-
 func (hc *HealthCheck) setProxy(proxies []C.Proxy) {
 	hc.proxies = proxies
 }
@ -76,10 +64,7 @@ func (hc *HealthCheck) touch() {

 func (hc *HealthCheck) check() {
 	_, _, _ = hc.singleDo.Do(func() (struct{}, error) {
-		id := ""
-		if uid, err := utils.UnsafeUUIDGenerator.NewV4(); err == nil {
-			id = uid.String()
-		}
+		id := utils.NewUUIDV4().String()
 		log.Debugln("Start New Health Checking {%s}", id)
 		b, _ := batch.New[bool](context.Background(), batch.WithConcurrencyNum[bool](10))
 		for _, proxy := range hc.proxies {
--- a/adapter/provider/provider.go
+++ b/adapter/provider/provider.go
@ -80,6 +80,7 @@ func (pp *proxySetProvider) Initial() error {
 		return err
 	}
 	pp.OnUpdate(elm)
+	pp.getSubscriptionInfo()
 	return nil
 }

@ -99,7 +100,7 @@ func (pp *proxySetProvider) setProxies(proxies []C.Proxy) {
 	pp.proxies = proxies
 	pp.healthCheck.setProxy(proxies)
 	if pp.healthCheck.auto() {
-		defer func() { go pp.healthCheck.lazyCheck() }()
+		go pp.healthCheck.check()
 	}
 }

@ -172,8 +173,6 @@ func NewProxySetProvider(name string, interval time.Duration, filter string, exc

 	fetcher := resource.NewFetcher[[]C.Proxy](name, interval, vehicle, proxiesParseAndFilter(filter, excludeFilter, excludeTypeArray, filterRegs, excludeFilterReg), proxiesOnUpdate(pd))
 	pd.Fetcher = fetcher
-
-	pd.getSubscriptionInfo()
 	wrapper := &ProxySetProvider{pd}
 	runtime.SetFinalizer(wrapper, stopProxyProvider)
 	return wrapper, nil
--- a/common/convert/util.go
+++ b/common/convert/util.go
@ -294,8 +294,7 @@ var (
 )

 func RandHost() string {
-	id, _ := utils.UnsafeUUIDGenerator.NewV4()
-	base := strings.ToLower(base64.RawURLEncoding.EncodeToString(id.Bytes()))
+	base := strings.ToLower(base64.RawURLEncoding.EncodeToString(utils.NewUUIDV4().Bytes()))
 	base = strings.ReplaceAll(base, "-", "")
 	base = strings.ReplaceAll(base, "_", "")
 	buf := []byte(base)
--- a/common/convert/v.go
+++ b/common/convert/v.go
@ -27,7 +27,7 @@ func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy m
 	proxy["skip-cert-verify"] = false
 	proxy["tls"] = false
 	tls := strings.ToLower(query.Get("security"))
-	if strings.HasSuffix(tls, "tls") {
+	if strings.HasSuffix(tls, "tls") || tls == "reality" {
 		proxy["tls"] = true
 		if fingerprint := query.Get("fp"); fingerprint == "" {
 			proxy["client-fingerprint"] = "chrome"
@ -38,6 +38,12 @@ func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy m
 	if sni := query.Get("sni"); sni != "" {
 		proxy["servername"] = sni
 	}
+	if realityPublicKey := query.Get("pbk"); realityPublicKey != "" {
+		proxy["reality-opts"] = map[string]any{
+			"public-key": realityPublicKey,
+			"short-id":   query.Get("sid"),
+		}
+	}

 	switch query.Get("packetEncoding") {
 	case "none":
--- a/common/net/addr.go
+++ b/common/net/addr.go
@ -0,0 +1,36 @@
+package net
+
+import (
+	"net"
+)
+
+type CustomAddr interface {
+	net.Addr
+	RawAddr() net.Addr
+}
+
+type customAddr struct {
+	networkStr string
+	addrStr    string
+	rawAddr    net.Addr
+}
+
+func (a customAddr) Network() string {
+	return a.networkStr
+}
+
+func (a customAddr) String() string {
+	return a.addrStr
+}
+
+func (a customAddr) RawAddr() net.Addr {
+	return a.rawAddr
+}
+
+func NewCustomAddr(networkStr string, addrStr string, rawAddr net.Addr) CustomAddr {
+	return customAddr{
+		networkStr: networkStr,
+		addrStr:    addrStr,
+		rawAddr:    rawAddr,
+	}
+}
--- a/common/pool/buffer_low_memory.go
+++ b/common/pool/buffer_low_memory.go
@ -0,0 +1,15 @@
+//go:build with_low_memory
+
+package pool
+
+const (
+	// io.Copy default buffer size is 32 KiB
+	// but the maximum packet size of vmess/shadowsocks is about 16 KiB
+	// so define a buffer of 20 KiB to reduce the memory of each TCP relay
+	RelayBufferSize = 16 * 1024
+
+	// RelayBufferSize uses 20KiB, but due to the allocator it will actually
+	// request 32Kib. Most UDPs are smaller than the MTU, and the TUN's MTU
+	// set to 9000, so the UDP Buffer size set to 16Kib
+	UDPBufferSize = 8 * 1024
+)
--- a/common/pool/buffer_standard.go
+++ b/common/pool/buffer_standard.go
@ -0,0 +1,15 @@
+//go:build !with_low_memory
+
+package pool
+
+const (
+	// io.Copy default buffer size is 32 KiB
+	// but the maximum packet size of vmess/shadowsocks is about 16 KiB
+	// so define a buffer of 20 KiB to reduce the memory of each TCP relay
+	RelayBufferSize = 20 * 1024
+
+	// RelayBufferSize uses 20KiB, but due to the allocator it will actually
+	// request 32Kib. Most UDPs are smaller than the MTU, and the TUN's MTU
+	// set to 9000, so the UDP Buffer size set to 16Kib
+	UDPBufferSize = 16 * 1024
+)
--- a/common/pool/pool.go
+++ b/common/pool/pool.go
@ -1,17 +1,5 @@
 package pool

-const (
-	// io.Copy default buffer size is 32 KiB
-	// but the maximum packet size of vmess/shadowsocks is about 16 KiB
-	// so define a buffer of 20 KiB to reduce the memory of each TCP relay
-	RelayBufferSize = 20 * 1024
-
-	// RelayBufferSize uses 20KiB, but due to the allocator it will actually
-	// request 32Kib. Most UDPs are smaller than the MTU, and the TUN's MTU
-	// set to 9000, so the UDP Buffer size set to 16Kib
-	UDPBufferSize = 16 * 1024
-)
-
 func Get(size int) []byte {
 	return defaultAllocator.Get(size)
 }
--- a/common/utils/slice.go
+++ b/common/utils/slice.go
@ -0,0 +1,34 @@
+package utils
+
+import (
+	"errors"
+	"fmt"
+	"reflect"
+)
+
+func Filter[T comparable](tSlice []T, filter func(t T) bool) []T {
+	result := make([]T, 0)
+	for _, t := range tSlice {
+		if filter(t) {
+			result = append(result, t)
+		}
+	}
+	return result
+}
+
+func ToStringSlice(value any) ([]string, error) {
+	strArr := make([]string, 0)
+	switch reflect.TypeOf(value).Kind() {
+	case reflect.Slice, reflect.Array:
+		origin := reflect.ValueOf(value)
+		for i := 0; i < origin.Len(); i++ {
+			item := fmt.Sprintf("%v", origin.Index(i))
+			strArr = append(strArr, item)
+		}
+	case reflect.String:
+		strArr = append(strArr, fmt.Sprintf("%v", value))
+	default:
+		return nil, errors.New("value format error, must be string or array")
+	}
+	return strArr, nil
+}
--- a/common/utils/strings.go
+++ b/common/utils/strings.go
@ -0,0 +1,9 @@
+package utils
+
+func Reverse(s string) string {
+	a := []rune(s)
+	for i, j := 0, len(a)-1; i < j; i, j = i+1, j-1 {
+		a[i], a[j] = a[j], a[i]
+	}
+	return string(a)
+}
--- a/common/utils/uuid.go
+++ b/common/utils/uuid.go
@ -13,11 +13,39 @@ func (r fastRandReader) Read(p []byte) (int, error) {

 var UnsafeUUIDGenerator = uuid.NewGenWithOptions(uuid.WithRandomReader(fastRandReader{}))

+func NewUUIDV1() uuid.UUID {
+	u, _ := UnsafeUUIDGenerator.NewV1() // fastrand.Read wouldn't cause error, so ignore err is safe
+	return u
+}
+
+func NewUUIDV3(ns uuid.UUID, name string) uuid.UUID {
+	return UnsafeUUIDGenerator.NewV3(ns, name)
+}
+
+func NewUUIDV4() uuid.UUID {
+	u, _ := UnsafeUUIDGenerator.NewV4() // fastrand.Read wouldn't cause error, so ignore err is safe
+	return u
+}
+
+func NewUUIDV5(ns uuid.UUID, name string) uuid.UUID {
+	return UnsafeUUIDGenerator.NewV5(ns, name)
+}
+
+func NewUUIDV6() uuid.UUID {
+	u, _ := UnsafeUUIDGenerator.NewV6() // fastrand.Read wouldn't cause error, so ignore err is safe
+	return u
+}
+
+func NewUUIDV7() uuid.UUID {
+	u, _ := UnsafeUUIDGenerator.NewV7() // fastrand.Read wouldn't cause error, so ignore err is safe
+	return u
+}
+
 // UUIDMap https://github.com/XTLS/Xray-core/issues/158#issue-783294090
 func UUIDMap(str string) (uuid.UUID, error) {
 	u, err := uuid.FromString(str)
 	if err != nil {
-		return UnsafeUUIDGenerator.NewV5(uuid.Nil, str), nil
+		return NewUUIDV5(uuid.Nil, str), nil
 	}
 	return u, nil
 }
--- a/component/geodata/geodata.go
+++ b/component/geodata/geodata.go
@ -1,13 +1,10 @@
 package geodata

 import (
-	"errors"
 	"fmt"
-	C "github.com/Dreamacro/clash/constant"
-	"strings"

 	"github.com/Dreamacro/clash/component/geodata/router"
-	"github.com/Dreamacro/clash/log"
+	C "github.com/Dreamacro/clash/constant"
 )

 type loader struct {
@ -15,47 +12,7 @@ type loader struct {
 }

 func (l *loader) LoadGeoSite(list string) ([]*router.Domain, error) {
-	return l.LoadGeoSiteWithAttr(C.GeositeName, list)
-}
-
-func (l *loader) LoadGeoSiteWithAttr(file string, siteWithAttr string) ([]*router.Domain, error) {
-	parts := strings.Split(siteWithAttr, "@")
-	if len(parts) == 0 {
-		return nil, errors.New("empty rule")
-	}
-	list := strings.TrimSpace(parts[0])
-	attrVal := parts[1:]
-
-	if len(list) == 0 {
-		return nil, fmt.Errorf("empty listname in rule: %s", siteWithAttr)
-	}
-
-	domains, err := l.LoadSiteByPath(file, list)
-	if err != nil {
-		return nil, err
-	}
-
-	attrs := parseAttrs(attrVal)
-	if attrs.IsEmpty() {
-		if strings.Contains(siteWithAttr, "@") {
-			log.Warnln("empty attribute list: %s", siteWithAttr)
-		}
-		return domains, nil
-	}
-
-	filteredDomains := make([]*router.Domain, 0, len(domains))
-	hasAttrMatched := false
-	for _, domain := range domains {
-		if attrs.Match(domain) {
-			hasAttrMatched = true
-			filteredDomains = append(filteredDomains, domain)
-		}
-	}
-	if !hasAttrMatched {
-		log.Warnln("attribute match no rule: geosite: %s", siteWithAttr)
-	}
-
-	return filteredDomains, nil
+	return l.LoadSiteByPath(C.GeositeName, list)
 }

 func (l *loader) LoadGeoIP(country string) ([]*router.CIDR, error) {
--- a/component/geodata/geodataproto.go
+++ b/component/geodata/geodataproto.go
@ -14,6 +14,5 @@ type LoaderImplementation interface {
 type Loader interface {
 	LoaderImplementation
 	LoadGeoSite(list string) ([]*router.Domain, error)
-	LoadGeoSiteWithAttr(file string, siteWithAttr string) ([]*router.Domain, error)
 	LoadGeoIP(country string) ([]*router.CIDR, error)
 }
--- a/component/geodata/memconservative/cache.go
+++ b/component/geodata/memconservative/cache.go
@ -118,7 +118,7 @@ func (g GeoSiteCache) Unmarshal(filename, code string) (*router.GeoSite, error)

 	case errFailedToReadBytes, errFailedToReadExpectedLenBytes,
 		errInvalidGeodataFile, errInvalidGeodataVarintLength:
-		log.Warnln("failed to decode geoip file: %s%s", filename, ", fallback to the original ReadFile method")
+		log.Warnln("failed to decode geosite file: %s%s", filename, ", fallback to the original ReadFile method")
 		geositeBytes, err = os.ReadFile(asset)
 		if err != nil {
 			return nil, err
--- a/component/geodata/utils.go
+++ b/component/geodata/utils.go
@ -1,9 +1,14 @@
 package geodata

 import (
+	"errors"
 	"fmt"
+	"golang.org/x/sync/singleflight"
+	"strings"
+
 	"github.com/Dreamacro/clash/component/geodata/router"
 	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/log"
 )

 var geoLoaderName = "memconservative"
@ -34,6 +39,8 @@ func Verify(name string) error {
 	}
 }

+var loadGeoSiteMatcherSF = singleflight.Group{}
+
 func LoadGeoSiteMatcher(countryCode string) (*router.DomainMatcher, int, error) {
 	if len(countryCode) == 0 {
 		return nil, 0, fmt.Errorf("country code could not be empty")
@ -44,16 +51,53 @@ func LoadGeoSiteMatcher(countryCode string) (*router.DomainMatcher, int, error)
 		not = true
 		countryCode = countryCode[1:]
 	}
+	countryCode = strings.ToLower(countryCode)

-	geoLoader, err := GetGeoDataLoader(geoLoaderName)
-	if err != nil {
-		return nil, 0, err
+	parts := strings.Split(countryCode, "@")
+	if len(parts) == 0 {
+		return nil, 0, errors.New("empty rule")
+	}
+	listName := strings.TrimSpace(parts[0])
+	attrVal := parts[1:]
+
+	if len(listName) == 0 {
+		return nil, 0, fmt.Errorf("empty listname in rule: %s", countryCode)
 	}

-	domains, err := geoLoader.LoadGeoSite(countryCode)
+	v, err, shared := loadGeoSiteMatcherSF.Do(listName, func() (interface{}, error) {
+		geoLoader, err := GetGeoDataLoader(geoLoaderName)
+		if err != nil {
+			return nil, err
+		}
+		return geoLoader.LoadGeoSite(listName)
+	})
 	if err != nil {
+		if !shared {
+			loadGeoSiteMatcherSF.Forget(listName) // don't store the error result
+		}
 		return nil, 0, err
 	}
+	domains := v.([]*router.Domain)
+
+	attrs := parseAttrs(attrVal)
+	if attrs.IsEmpty() {
+		if strings.Contains(countryCode, "@") {
+			log.Warnln("empty attribute list: %s", countryCode)
+		}
+	} else {
+		filteredDomains := make([]*router.Domain, 0, len(domains))
+		hasAttrMatched := false
+		for _, domain := range domains {
+			if attrs.Match(domain) {
+				hasAttrMatched = true
+				filteredDomains = append(filteredDomains, domain)
+			}
+		}
+		if !hasAttrMatched {
+			log.Warnln("attribute match no rule: geosite: %s", countryCode)
+		}
+		domains = filteredDomains
+	}

 	/**
 	linear: linear algorithm
@ -68,25 +112,34 @@ func LoadGeoSiteMatcher(countryCode string) (*router.DomainMatcher, int, error)
 	return matcher, len(domains), nil
 }

+var loadGeoIPMatcherSF = singleflight.Group{}
+
 func LoadGeoIPMatcher(country string) (*router.GeoIPMatcher, int, error) {
 	if len(country) == 0 {
 		return nil, 0, fmt.Errorf("country code could not be empty")
 	}
-	geoLoader, err := GetGeoDataLoader(geoLoaderName)
-	if err != nil {
-		return nil, 0, err
-	}

 	not := false
 	if country[0] == '!' {
 		not = true
 		country = country[1:]
 	}
+	country = strings.ToLower(country)

-	records, err := geoLoader.LoadGeoIP(country)
+	v, err, shared := loadGeoIPMatcherSF.Do(country, func() (interface{}, error) {
+		geoLoader, err := GetGeoDataLoader(geoLoaderName)
+		if err != nil {
+			return nil, err
+		}
+		return geoLoader.LoadGeoIP(country)
+	})
 	if err != nil {
+		if !shared {
+			loadGeoIPMatcherSF.Forget(country) // don't store the error result
+		}
 		return nil, 0, err
 	}
+	records := v.([]*router.CIDR)

 	geoIP := &router.GeoIP{
 		CountryCode:  country,
@ -98,6 +151,10 @@ func LoadGeoIPMatcher(country string) (*router.GeoIPMatcher, int, error) {
 	if err != nil {
 		return nil, 0, err
 	}
-
 	return matcher, len(records), nil
 }
+
+func ClearCache() {
+	loadGeoSiteMatcherSF = singleflight.Group{}
+	loadGeoIPMatcherSF = singleflight.Group{}
+}
--- a/component/http/http.go
+++ b/component/http/http.go
@ -2,14 +2,15 @@ package http

 import (
 	"context"
-	"github.com/Dreamacro/clash/component/tls"
-	"github.com/Dreamacro/clash/listener/inner"
 	"io"
 	"net"
 	"net/http"
 	URL "net/url"
 	"strings"
 	"time"
+
+	"github.com/Dreamacro/clash/component/tls"
+	"github.com/Dreamacro/clash/listener/inner"
 )

 const (
--- a/component/resolver/host.go
+++ b/component/resolver/host.go
@ -0,0 +1,113 @@
+package resolver
+
+import (
+	"errors"
+	"net/netip"
+	"strings"
+
+	"github.com/Dreamacro/clash/common/utils"
+	"github.com/Dreamacro/clash/component/trie"
+	"github.com/zhangyunhao116/fastrand"
+)
+
+type Hosts struct {
+	*trie.DomainTrie[HostValue]
+}
+
+func NewHosts(hosts *trie.DomainTrie[HostValue]) Hosts {
+	return Hosts{
+		hosts,
+	}
+}
+
+// Return the search result and whether to match the parameter `isDomain`
+func (h *Hosts) Search(domain string, isDomain bool) (*HostValue, bool) {
+	value := h.DomainTrie.Search(domain)
+	if value == nil {
+		return nil, false
+	}
+	hostValue := value.Data()
+	for {
+		if isDomain && hostValue.IsDomain {
+			return &hostValue, true
+		} else {
+			if node := h.DomainTrie.Search(hostValue.Domain); node != nil {
+				hostValue = node.Data()
+			} else {
+				break
+			}
+		}
+	}
+	if isDomain == hostValue.IsDomain {
+		return &hostValue, true
+	}
+	return &hostValue, false
+}
+
+type HostValue struct {
+	IsDomain bool
+	IPs      []netip.Addr
+	Domain   string
+}
+
+func NewHostValue(value any) (HostValue, error) {
+	isDomain := true
+	ips := make([]netip.Addr, 0)
+	domain := ""
+	if valueArr, err := utils.ToStringSlice(value); err != nil {
+		return HostValue{}, err
+	} else {
+		if len(valueArr) > 1 {
+			isDomain = false
+			for _, str := range valueArr {
+				if ip, err := netip.ParseAddr(str); err == nil {
+					ips = append(ips, ip)
+				} else {
+					return HostValue{}, err
+				}
+			}
+		} else if len(valueArr) == 1 {
+			host := valueArr[0]
+			if ip, err := netip.ParseAddr(host); err == nil {
+				ips = append(ips, ip)
+				isDomain = false
+			} else {
+				domain = host
+			}
+		}
+	}
+	if isDomain {
+		return NewHostValueByDomain(domain)
+	} else {
+		return NewHostValueByIPs(ips)
+	}
+}
+
+func NewHostValueByIPs(ips []netip.Addr) (HostValue, error) {
+	if len(ips) == 0 {
+		return HostValue{}, errors.New("ip list is empty")
+	}
+	return HostValue{
+		IsDomain: false,
+		IPs:      ips,
+	}, nil
+}
+
+func NewHostValueByDomain(domain string) (HostValue, error) {
+	domain = strings.Trim(domain, ".")
+	item := strings.Split(domain, ".")
+	if len(item) < 2 {
+		return HostValue{}, errors.New("invaild domain")
+	}
+	return HostValue{
+		IsDomain: true,
+		Domain:   domain,
+	}, nil
+}
+
+func (hv HostValue) RandIP() (netip.Addr, error) {
+	if hv.IsDomain {
+		return netip.Addr{}, errors.New("value type is error")
+	}
+	return hv.IPs[fastrand.Intn(len(hv.IPs))], nil
+}
--- a/component/resolver/resolver.go
+++ b/component/resolver/resolver.go
@ -9,6 +9,7 @@ import (
 	"strings"
 	"time"

+	"github.com/Dreamacro/clash/common/utils"
 	"github.com/Dreamacro/clash/component/trie"

 	"github.com/miekg/dns"
@ -27,7 +28,7 @@ var (
 	DisableIPv6 = true

 	// DefaultHosts aim to resolve hosts
-	DefaultHosts = trie.New[netip.Addr]()
+	DefaultHosts = NewHosts(trie.New[HostValue]())

 	// DefaultDNSTimeout defined the default dns request timeout
 	DefaultDNSTimeout = time.Second * 5
@ -51,9 +52,11 @@ type Resolver interface {

 // LookupIPv4WithResolver same as LookupIPv4, but with a resolver
 func LookupIPv4WithResolver(ctx context.Context, host string, r Resolver) ([]netip.Addr, error) {
-	if node := DefaultHosts.Search(host); node != nil {
-		if ip := node.Data(); ip.Is4() {
-			return []netip.Addr{node.Data()}, nil
+	if node, ok := DefaultHosts.Search(host, false); ok {
+		if addrs := utils.Filter(node.IPs, func(ip netip.Addr) bool {
+			return ip.Is4()
+		}); len(addrs) > 0 {
+			return addrs, nil
 		}
 	}

@ -106,9 +109,11 @@ func LookupIPv6WithResolver(ctx context.Context, host string, r Resolver) ([]net
 		return nil, ErrIPv6Disabled
 	}

-	if node := DefaultHosts.Search(host); node != nil {
-		if ip := node.Data(); ip.Is6() {
-			return []netip.Addr{ip}, nil
+	if node, ok := DefaultHosts.Search(host, false); ok {
+		if addrs := utils.Filter(node.IPs, func(ip netip.Addr) bool {
+			return ip.Is6()
+		}); len(addrs) > 0 {
+			return addrs, nil
 		}
 	}

@ -155,8 +160,8 @@ func ResolveIPv6(ctx context.Context, host string) (netip.Addr, error) {

 // LookupIPWithResolver same as LookupIP, but with a resolver
 func LookupIPWithResolver(ctx context.Context, host string, r Resolver) ([]netip.Addr, error) {
-	if node := DefaultHosts.Search(host); node != nil {
-		return []netip.Addr{node.Data()}, nil
+	if node, ok := DefaultHosts.Search(host, false); ok {
+		return node.IPs, nil
 	}

 	if r != nil {
--- a/component/sniffer/dispatcher.go
+++ b/component/sniffer/dispatcher.go
@ -28,8 +28,8 @@ var Dispatcher *SnifferDispatcher
 type SnifferDispatcher struct {
 	enable          bool
 	sniffers        map[sniffer.Sniffer]SnifferConfig
-	forceDomain     *trie.DomainTrie[struct{}]
-	skipSNI         *trie.DomainTrie[struct{}]
+	forceDomain     *trie.DomainSet
+	skipSNI         *trie.DomainSet
 	skipList        *cache.LruCache[string, uint8]
 	rwMux           sync.RWMutex
 	forceDnsMapping bool
@ -37,7 +37,7 @@ type SnifferDispatcher struct {
 }

 func (sd *SnifferDispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata) {
-	if (metadata.Host == "" && sd.parsePureIp) || sd.forceDomain.Search(metadata.Host) != nil || (metadata.DNSMode == C.DNSMapping && sd.forceDnsMapping) {
+	if (metadata.Host == "" && sd.parsePureIp) || sd.forceDomain.Has(metadata.Host) || (metadata.DNSMode == C.DNSMapping && sd.forceDnsMapping) {
 		port, err := strconv.ParseUint(metadata.DstPort, 10, 16)
 		if err != nil {
 			log.Debugln("[Sniffer] Dst port is error")
@ -74,7 +74,7 @@ func (sd *SnifferDispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata
 			log.Debugln("[Sniffer] All sniffing sniff failed with from [%s:%s] to [%s:%s]", metadata.SrcIP, metadata.SrcPort, metadata.String(), metadata.DstPort)
 			return
 		} else {
-			if sd.skipSNI.Search(host) != nil {
+			if sd.skipSNI.Has(host) {
 				log.Debugln("[Sniffer] Skip sni[%s]", host)
 				return
 			}
@ -166,8 +166,8 @@ func NewCloseSnifferDispatcher() (*SnifferDispatcher, error) {
 	return &dispatcher, nil
 }

-func NewSnifferDispatcher(snifferConfig map[sniffer.Type]SnifferConfig, forceDomain *trie.DomainTrie[struct{}],
-	skipSNI *trie.DomainTrie[struct{}],
+func NewSnifferDispatcher(snifferConfig map[sniffer.Type]SnifferConfig,
+	forceDomain *trie.DomainSet, skipSNI *trie.DomainSet,
 	forceDnsMapping bool, parsePureIp bool) (*SnifferDispatcher, error) {
 	dispatcher := SnifferDispatcher{
 		enable:          true,
--- a/component/tls/config.go
+++ b/component/tls/config.go
@ -14,8 +14,8 @@ import (
 	xtls "github.com/xtls/go"
 )

-var trustCert, _ = x509.SystemCertPool()
-
+var trustCerts []*x509.Certificate
+var certPool *x509.CertPool
 var mutex sync.RWMutex
 var errNotMacth error = errors.New("certificate fingerprints do not match")

@ -25,16 +25,38 @@ func AddCertificate(certificate string) error {
 	if certificate == "" {
 		return fmt.Errorf("certificate is empty")
 	}
-	if ok := trustCert.AppendCertsFromPEM([]byte(certificate)); !ok {
+	if cert, err := x509.ParseCertificate([]byte(certificate)); err == nil {
+		trustCerts = append(trustCerts, cert)
+		return nil
+	} else {
 		return fmt.Errorf("add certificate failed")
 	}
-	return nil
 }

 func ResetCertificate() {
 	mutex.Lock()
 	defer mutex.Unlock()
-	trustCert, _ = x509.SystemCertPool()
+	trustCerts = nil
+}
+
+func getCertPool() *x509.CertPool {
+	if len(trustCerts) == 0 {
+		return nil
+	}
+	if certPool == nil {
+		mutex.Lock()
+		defer mutex.Unlock()
+		if certPool != nil {
+			return certPool
+		}
+		certPool, err := x509.SystemCertPool()
+		if err == nil {
+			for _, cert := range trustCerts {
+				certPool.AddCert(cert)
+			}
+		}
+	}
+	return certPool
 }

 func verifyFingerprint(fingerprint *[32]byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
@ -84,12 +106,13 @@ func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string)
 }

 func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config {
+	certPool := getCertPool()
 	if tlsConfig == nil {
 		return &tls.Config{
-			RootCAs: trustCert,
+			RootCAs: certPool,
 		}
 	}
-	tlsConfig.RootCAs = trustCert
+	tlsConfig.RootCAs = certPool
 	return tlsConfig
 }

@ -106,12 +129,13 @@ func GetSpecifiedFingerprintXTLSConfig(tlsConfig *xtls.Config, fingerprint strin
 }

 func GetGlobalXTLSConfig(tlsConfig *xtls.Config) *xtls.Config {
+	certPool := getCertPool()
 	if tlsConfig == nil {
 		return &xtls.Config{
-			RootCAs: trustCert,
+			RootCAs: certPool,
 		}
 	}

-	tlsConfig.RootCAs = trustCert
+	tlsConfig.RootCAs = certPool
 	return tlsConfig
 }
--- a/component/tls/reality.go
+++ b/component/tls/reality.go
@ -44,7 +44,6 @@ func GetRealityConn(ctx context.Context, conn net.Conn, ClientFingerprint string
 		}
 		uConfig := &utls.Config{
 			ServerName:             tlsConfig.ServerName,
-			NextProtos:             tlsConfig.NextProtos,
 			InsecureSkipVerify:     true,
 			SessionTicketsDisabled: true,
 			VerifyPeerCertificate:  verifier.VerifyPeerCertificate,
@ -62,20 +61,16 @@ func GetRealityConn(ctx context.Context, conn net.Conn, ClientFingerprint string
 		}

 		hello := uConn.HandshakeState.Hello
-		hello.SessionId = make([]byte, 32)
+		for i := range hello.SessionId { // https://github.com/golang/go/issues/5373
+			hello.SessionId[i] = 0
+		}
 		copy(hello.Raw[39:], hello.SessionId)

-		var nowTime time.Time
-		if uConfig.Time != nil {
-			nowTime = uConfig.Time()
-		} else {
-			nowTime = time.Now()
-		}
-		binary.BigEndian.PutUint64(hello.SessionId, uint64(nowTime.Unix()))
+		binary.BigEndian.PutUint64(hello.SessionId, uint64(time.Now().Unix()))

 		hello.SessionId[0] = 1
-		hello.SessionId[1] = 7
-		hello.SessionId[2] = 5
+		hello.SessionId[1] = 8
+		hello.SessionId[2] = 0
 		copy(hello.SessionId[8:], realityConfig.ShortID[:])

 		//log.Debugln("REALITY hello.sessionId[:16]: %v", hello.SessionId[:16])
@ -130,7 +125,7 @@ func realityClientFallback(uConn net.Conn, serverName string, fingerprint utls.C
 		return
 	}
 	//_, _ = io.Copy(io.Discard, response.Body)
-	time.Sleep(time.Duration(5 + fastrand.Int63n(10)))
+	time.Sleep(time.Duration(5+fastrand.Int63n(10)) * time.Second)
 	response.Body.Close()
 	client.CloseIdleConnections()
 }
--- a/component/tls/utls.go
+++ b/component/tls/utls.go
@ -45,8 +45,13 @@ func GetFingerprint(ClientFingerprint string) (UClientHelloID, bool) {
 	}

 	fingerprint, ok := Fingerprints[ClientFingerprint]
-	log.Debugln("use specified fingerprint:%s", fingerprint.Client)
-	return fingerprint, ok
+	if ok {
+		log.Debugln("use specified fingerprint:%s", fingerprint.Client)
+		return fingerprint, ok
+	} else {
+		log.Warnln("wrong ClientFingerprint:%s", ClientFingerprint)
+		return UClientHelloID{}, false
+	}
 }

 func RollFingerprint() (UClientHelloID, bool) {
@ -89,7 +94,6 @@ func copyConfig(c *tls.Config) *utls.Config {
 	return &utls.Config{
 		RootCAs:               c.RootCAs,
 		ServerName:            c.ServerName,
-		NextProtos:            c.NextProtos,
 		InsecureSkipVerify:    c.InsecureSkipVerify,
 		VerifyPeerCertificate: c.VerifyPeerCertificate,
 	}
@ -128,10 +132,7 @@ func SetGlobalUtlsClient(Client string) {
 }

 func HaveGlobalFingerprint() bool {
-	if len(initUtlsClient) != 0 && initUtlsClient != "none" {
-		return true
-	}
-	return false
+	return len(initUtlsClient) != 0 && initUtlsClient != "none"
 }

 func GetGlobalFingerprint() string {
--- a/component/trie/domain.go
+++ b/component/trie/domain.go
@ -25,7 +25,7 @@ func ValidAndSplitDomain(domain string) ([]string, bool) {
 	if domain != "" && domain[len(domain)-1] == '.' {
 		return nil, false
 	}
-
+	domain=strings.ToLower(domain)
 	parts := strings.Split(domain, domainStep)
 	if len(parts) == 1 {
 		if parts[0] == "" {
@ -123,6 +123,30 @@ func (t *DomainTrie[T]) Optimize() {
 	t.root.optimize()
 }

+func (t *DomainTrie[T]) Foreach(print func(domain string, data T)) {
+	for key, data := range t.root.getChildren() {
+		recursion([]string{key}, data, print)
+	}
+}
+
+func recursion[T any](items []string, node *Node[T], fn func(domain string, data T)) {
+	for key, data := range node.getChildren() {
+		newItems := append([]string{key}, items...)
+		if data != nil && data.inited {
+			domain := joinDomain(newItems)
+			if domain[0] == domainStepByte {
+				domain = complexWildcard + domain
+			}
+			fn(domain, data.Data())
+		}
+		recursion(newItems, data, fn)
+	}
+}
+
+func joinDomain(items []string) string {
+	return strings.Join(items, domainStep)
+}
+
 // New returns a new, empty Trie.
 func New[T any]() *DomainTrie[T] {
 	return &DomainTrie[T]{root: newNode[T]()}
--- a/component/trie/domain_test.go
+++ b/component/trie/domain_test.go
@ -105,3 +105,23 @@ func TestTrie_WildcardBoundary(t *testing.T) {

 	assert.NotNil(t, tree.Search("example.com"))
 }
+
+func TestTrie_Foreach(t *testing.T) {
+	tree := New[netip.Addr]()
+	domainList := []string{
+		"google.com",
+		"stun.*.*.*",
+		"test.*.google.com",
+		"+.baidu.com",
+		"*.baidu.com",
+		"*.*.baidu.com",
+	}
+	for _, domain := range domainList {
+		tree.Insert(domain, localIP)
+	}
+	count := 0
+	tree.Foreach(func(domain string, data netip.Addr) {
+		count++
+	})
+	assert.Equal(t, 7, count)
+}
--- a/component/trie/node.go
+++ b/component/trie/node.go
@ -116,6 +116,18 @@ func (n *Node[T]) setData(data T) {
 	n.inited = true
 }

+func (n *Node[T]) getChildren() map[string]*Node[T] {
+	if n.childMap == nil {
+		if n.childNode != nil {
+			m := make(map[string]*Node[T])
+			m[n.childStr] = n.childNode
+			return m
+		}
+	} else {
+		return n.childMap
+	}
+	return nil
+}
 func (n *Node[T]) Data() T {
 	return n.data
 }
--- a/component/trie/set_test.go
+++ b/component/trie/set_test.go
@ -0,0 +1,60 @@
+package trie_test
+
+import (
+	"testing"
+
+	"github.com/Dreamacro/clash/component/trie"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestDomain(t *testing.T) {
+	domainSet := []string{
+		"baidu.com",
+		"google.com",
+		"www.google.com",
+		"test.a.net",
+		"test.a.oc",
+	}
+	set := trie.NewDomainSet(domainSet)
+	assert.NotNil(t, set)
+	assert.True(t, set.Has("test.a.net"))
+	assert.True(t, set.Has("google.com"))
+	assert.False(t, set.Has("www.baidu.com"))
+}
+
+func TestDomainComplexWildcard(t *testing.T) {
+	domainSet := []string{
+		"+.baidu.com",
+		"+.a.baidu.com",
+		"www.baidu.com",
+		"+.bb.baidu.com",
+		"test.a.net",
+		"test.a.oc",
+		"www.qq.com",
+	}
+	set := trie.NewDomainSet(domainSet)
+	assert.NotNil(t, set)
+	assert.False(t, set.Has("google.com"))
+	assert.True(t, set.Has("www.baidu.com"))
+	assert.True(t, set.Has("test.test.baidu.com"))
+}
+
+func TestDomainWildcard(t *testing.T) {
+	domainSet := []string{
+		"*.*.*.baidu.com",
+		"www.baidu.*",
+		"stun.*.*",
+		"*.*.qq.com",
+		"test.*.baidu.com",
+	}
+	set := trie.NewDomainSet(domainSet)
+	assert.NotNil(t, set)
+	assert.True(t, set.Has("www.baidu.com"))
+	assert.True(t, set.Has("test.test.baidu.com"))
+	assert.True(t, set.Has("test.test.qq.com"))
+	assert.True(t,set.Has("stun.ab.cd"))
+	assert.False(t, set.Has("test.baidu.com"))
+	assert.False(t,set.Has("www.google.com"))
+	assert.False(t, set.Has("test.qq.com"))
+	assert.False(t, set.Has("test.test.test.qq.com"))
+}
--- a/component/trie/sskv.go
+++ b/component/trie/sskv.go
@ -0,0 +1,178 @@
+package trie
+
+// Package succinct provides several succinct data types.
+// Modify from https://github.com/openacid/succinct/blob/d4684c35d123f7528b14e03c24327231723db704/sskv.go
+
+import (
+	"sort"
+	"strings"
+
+	"github.com/Dreamacro/clash/common/utils"
+	"github.com/openacid/low/bitmap"
+)
+
+const (
+	complexWildcardByte = byte('+')
+	wildcardByte        = byte('*')
+	domainStepByte      = byte('.')
+)
+
+type DomainSet struct {
+	leaves, labelBitmap []uint64
+	labels              []byte
+	ranks, selects      []int32
+}
+
+// NewDomainSet creates a new *DomainSet struct, from a slice of sorted strings.
+func NewDomainSet(keys []string) *DomainSet {
+	domainTrie := New[struct{}]()
+	for _, domain := range keys {
+		domainTrie.Insert(domain, struct{}{})
+	}
+	reserveDomains := make([]string, 0, len(keys))
+	domainTrie.Foreach(func(domain string, data struct{}) {
+		reserveDomains = append(reserveDomains, utils.Reverse(domain))
+	})
+	// ensure that the same prefix is continuous
+	// and according to the ascending sequence of length
+	sort.Strings(reserveDomains)
+	keys = reserveDomains
+	if len(keys) == 0 {
+		return nil
+	}
+	ss := &DomainSet{}
+	lIdx := 0
+
+	type qElt struct{ s, e, col int }
+	queue := []qElt{{0, len(keys), 0}}
+	for i := 0; i < len(queue); i++ {
+		elt := queue[i]
+		if elt.col == len(keys[elt.s]) {
+			elt.s++
+			// a leaf node
+			setBit(&ss.leaves, i, 1)
+		}
+
+		for j := elt.s; j < elt.e; {
+
+			frm := j
+
+			for ; j < elt.e && keys[j][elt.col] == keys[frm][elt.col]; j++ {
+			}
+			queue = append(queue, qElt{frm, j, elt.col + 1})
+			ss.labels = append(ss.labels, keys[frm][elt.col])
+			setBit(&ss.labelBitmap, lIdx, 0)
+			lIdx++
+		}
+		setBit(&ss.labelBitmap, lIdx, 1)
+		lIdx++
+	}
+
+	ss.init()
+	return ss
+}
+
+// Has query for a key and return whether it presents in the DomainSet.
+func (ss *DomainSet) Has(key string) bool {
+	if ss == nil {
+		return false
+	}
+	key = utils.Reverse(key)
+	key = strings.ToLower(key)
+	// no more labels in this node
+	// skip character matching
+	// go to next level
+	nodeId, bmIdx := 0, 0
+	type wildcardCursor struct {
+		bmIdx, index int
+	}
+	stack := make([]wildcardCursor, 0)
+	for i := 0; i < len(key); i++ {
+	RESTART:
+		c := key[i]
+		for ; ; bmIdx++ {
+			if getBit(ss.labelBitmap, bmIdx) != 0 {
+				if len(stack) > 0 {
+					cursor := stack[len(stack)-1]
+					stack = stack[0 : len(stack)-1]
+					// back wildcard and find next node
+					nextNodeId := countZeros(ss.labelBitmap, ss.ranks, cursor.bmIdx+1)
+					nextBmIdx := selectIthOne(ss.labelBitmap, ss.ranks, ss.selects, nextNodeId-1) + 1
+					j := cursor.index
+					for ; j < len(key) && key[j] != domainStepByte; j++ {
+					}
+					if j == len(key) {
+						if getBit(ss.leaves, nextNodeId) != 0 {
+							return true
+						}else {
+							goto RESTART
+						}
+					}
+					for ; ; nextBmIdx++ {
+						if ss.labels[nextBmIdx-nextNodeId] == domainStepByte {
+							bmIdx = nextBmIdx
+							nodeId = nextNodeId
+							i = j
+							goto RESTART
+						}
+					}
+				}
+				return false
+			}
+			// handle wildcard for domain
+			if ss.labels[bmIdx-nodeId] == complexWildcardByte {
+				return true
+			} else if ss.labels[bmIdx-nodeId] == wildcardByte {
+				cursor := wildcardCursor{}
+				cursor.bmIdx = bmIdx
+				cursor.index = i
+				stack = append(stack, cursor)
+			} else if ss.labels[bmIdx-nodeId] == c {
+				break
+			}
+		}
+		nodeId = countZeros(ss.labelBitmap, ss.ranks, bmIdx+1)
+		bmIdx = selectIthOne(ss.labelBitmap, ss.ranks, ss.selects, nodeId-1) + 1
+	}
+
+	return getBit(ss.leaves, nodeId) != 0
+
+}
+
+func setBit(bm *[]uint64, i int, v int) {
+	for i>>6 >= len(*bm) {
+		*bm = append(*bm, 0)
+	}
+	(*bm)[i>>6] |= uint64(v) << uint(i&63)
+}
+
+func getBit(bm []uint64, i int) uint64 {
+	return bm[i>>6] & (1 << uint(i&63))
+}
+
+// init builds pre-calculated cache to speed up rank() and select()
+func (ss *DomainSet) init() {
+	ss.selects, ss.ranks = bitmap.IndexSelect32R64(ss.labelBitmap)
+}
+
+// countZeros counts the number of "0" in a bitmap before the i-th bit(excluding
+// the i-th bit) on behalf of rank index.
+// E.g.:
+//
+//	countZeros("010010", 4) == 3
+//	//          012345
+func countZeros(bm []uint64, ranks []int32, i int) int {
+	a, _ := bitmap.Rank64(bm, ranks, int32(i))
+	return i - int(a)
+}
+
+// selectIthOne returns the index of the i-th "1" in a bitmap, on behalf of rank
+// and select indexes.
+// E.g.:
+//
+//	selectIthOne("010010", 1) == 4
+//	//            012345
+func selectIthOne(bm []uint64, ranks, selects []int32, i int) int {
+	a, _ := bitmap.Select32R64(bm, selects, ranks, int32(i))
+	return int(a)
+}
--- a/config/config.go
+++ b/config/config.go
@ -4,13 +4,11 @@ import (
 	"container/list"
 	"errors"
 	"fmt"
-
 	"net"
 	"net/netip"
 	"net/url"
 	"os"
-	"reflect"
-	"runtime"
+	"regexp"
 	"strconv"
 	"strings"
 	"time"
@ -26,6 +24,7 @@ import (
 	"github.com/Dreamacro/clash/component/geodata"
 	"github.com/Dreamacro/clash/component/geodata/router"
 	P "github.com/Dreamacro/clash/component/process"
+	"github.com/Dreamacro/clash/component/resolver"
 	SNIFF "github.com/Dreamacro/clash/component/sniffer"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	"github.com/Dreamacro/clash/component/trie"
@ -100,7 +99,7 @@ type DNS struct {
 	EnhancedMode          C.DNSMode        `yaml:"enhanced-mode"`
 	DefaultNameserver     []dns.NameServer `yaml:"default-nameserver"`
 	FakeIPRange           *fakeip.Pool
-	Hosts                 *trie.DomainTrie[netip.Addr]
+	Hosts                 *trie.DomainTrie[resolver.HostValue]
 	NameServerPolicy      map[string][]dns.NameServer
 	ProxyServerNameserver []dns.NameServer
 }
@ -136,9 +135,8 @@ type IPTables struct {
 type Sniffer struct {
 	Enable          bool
 	Sniffers        map[snifferTypes.Type]SNIFF.SnifferConfig
-	Reverses        *trie.DomainTrie[struct{}]
-	ForceDomain     *trie.DomainTrie[struct{}]
-	SkipDomain      *trie.DomainTrie[struct{}]
+	ForceDomain     *trie.DomainSet
+	SkipDomain      *trie.DomainSet
 	ForceDnsMapping bool
 	ParsePureIp     bool
 }
@ -154,7 +152,7 @@ type Config struct {
 	IPTables      *IPTables
 	DNS           *DNS
 	Experimental  *Experimental
-	Hosts         *trie.DomainTrie[netip.Addr]
+	Hosts         *trie.DomainTrie[resolver.HostValue]
 	Profile       *Profile
 	Rules         []C.Rule
 	SubRules      map[string][]C.Rule
@ -218,6 +216,7 @@ type RawTun struct {
 	ExcludePackage         []string          `yaml:"exclude-package" json:"exclude_package,omitempty"`
 	EndpointIndependentNat bool              `yaml:"endpoint-independent-nat" json:"endpoint_independent_nat,omitempty"`
 	UDPTimeout             int64             `yaml:"udp-timeout" json:"udp_timeout,omitempty"`
+	FileDescriptor         int               `yaml:"file-descriptor" json:"file-descriptor"`
 }

 type RawTuicServer struct {
@ -265,7 +264,7 @@ type RawConfig struct {
 	Sniffer       RawSniffer                `yaml:"sniffer"`
 	ProxyProvider map[string]map[string]any `yaml:"proxy-providers"`
 	RuleProvider  map[string]map[string]any `yaml:"rule-providers"`
-	Hosts         map[string]string         `yaml:"hosts"`
+	Hosts         map[string]any            `yaml:"hosts"`
 	DNS           RawDNS                    `yaml:"dns"`
 	Tun           RawTun                    `yaml:"tun"`
 	TuicServer    RawTuicServer             `yaml:"tuic-server"`
@ -339,7 +338,7 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 		UnifiedDelay:    false,
 		Authentication:  []string{},
 		LogLevel:        log.INFO,
-		Hosts:           map[string]string{},
+		Hosts:           map[string]any{},
 		Rule:            []string{},
 		Proxy:           []map[string]any{},
 		ProxyGroup:      []map[string]any{},
@ -446,7 +445,11 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	}
 	config.General = general

-	dialer.DefaultInterface.Store(config.General.Interface)
+	if len(config.General.GlobalClientFingerprint) != 0 {
+		log.Debugln("GlobalClientFingerprint:%s", config.General.GlobalClientFingerprint)
+		tlsC.SetGlobalUtlsClient(config.General.GlobalClientFingerprint)
+	}
+
 	proxies, providers, err := parseProxies(rawCfg)
 	if err != nil {
 		return nil, err
@ -485,7 +488,7 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	}
 	config.Hosts = hosts

-	dnsCfg, err := parseDNS(rawCfg, hosts, rules)
+	dnsCfg, err := parseDNS(rawCfg, hosts, rules, ruleProviders)
 	if err != nil {
 		return nil, err
 	}
@ -521,11 +524,6 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	elapsedTime := time.Since(startTime) / time.Millisecond                     // duration in ms
 	log.Infoln("Initial configuration complete, total time: %dms", elapsedTime) //Segment finished in xxm

-	if len(config.General.GlobalClientFingerprint) != 0 {
-		log.Debugln("GlobalClientFingerprint:%s", config.General.GlobalClientFingerprint)
-		tlsC.SetGlobalUtlsClient(config.General.GlobalClientFingerprint)
-	}
-
 	return config, nil
 }

@ -822,26 +820,50 @@ func parseRules(rulesConfig []string, proxies map[string]C.Proxy, subRules map[s
 		rules = append(rules, parsed)
 	}

-	runtime.GC()
-
 	return rules, nil
 }

-func parseHosts(cfg *RawConfig) (*trie.DomainTrie[netip.Addr], error) {
-	tree := trie.New[netip.Addr]()
+func parseHosts(cfg *RawConfig) (*trie.DomainTrie[resolver.HostValue], error) {
+	tree := trie.New[resolver.HostValue]()

 	// add default hosts
-	if err := tree.Insert("localhost", netip.AddrFrom4([4]byte{127, 0, 0, 1})); err != nil {
+	hostValue, _ := resolver.NewHostValueByIPs(
+		[]netip.Addr{netip.AddrFrom4([4]byte{127, 0, 0, 1})})
+	if err := tree.Insert("localhost", hostValue); err != nil {
 		log.Errorln("insert localhost to host error: %s", err.Error())
 	}

 	if len(cfg.Hosts) != 0 {
-		for domain, ipStr := range cfg.Hosts {
-			ip, err := netip.ParseAddr(ipStr)
-			if err != nil {
-				return nil, fmt.Errorf("%s is not a valid IP", ipStr)
+		for domain, anyValue := range cfg.Hosts {
+			if str, ok := anyValue.(string); ok && str == "clash" {
+				if addrs, err := net.InterfaceAddrs(); err != nil {
+					log.Errorln("insert clash to host error: %s", err)
+				} else {
+					ips := make([]netip.Addr, 0)
+					for _, addr := range addrs {
+						if ipnet, ok := addr.(*net.IPNet); ok && !ipnet.IP.IsLoopback() {
+							if ip, err := netip.ParseAddr(ipnet.IP.String()); err == nil {
+								ips = append(ips, ip)
+							}
+						}
+					}
+					anyValue = ips
+				}
 			}
-			_ = tree.Insert(domain, ip)
+			value, err := resolver.NewHostValue(anyValue)
+			if err != nil {
+				return nil, fmt.Errorf("%s is not a valid value", anyValue)
+			}
+			if value.IsDomain {
+				node := tree.Search(value.Domain)
+				for node != nil && node.Data().IsDomain {
+					if node.Data().Domain == domain {
+						return nil, fmt.Errorf("%s, there is a cycle in domain name mapping", domain)
+					}
+					node = tree.Search(node.Data().Domain)
+				}
+			}
+			_ = tree.Insert(domain, value)
 		}
 	}
 	tree.Optimize()
@ -957,34 +979,65 @@ func parsePureDNSServer(server string) string {
 		}
 	}
 }
-func parseNameServerPolicy(nsPolicy map[string]any, preferH3 bool) (map[string][]dns.NameServer, error) {
+func parseNameServerPolicy(nsPolicy map[string]any, ruleProviders map[string]providerTypes.RuleProvider, preferH3 bool) (map[string][]dns.NameServer, error) {
 	policy := map[string][]dns.NameServer{}
+	updatedPolicy := make(map[string]interface{})
+	re := regexp.MustCompile(`[a-zA-Z0-9\-]+\.[a-zA-Z]{2,}(\.[a-zA-Z]{2,})?`)

-	for domain, server := range nsPolicy {
-		var (
-			nameservers []dns.NameServer
-			err         error
-		)
-
-		switch reflect.TypeOf(server).Kind() {
-		case reflect.Slice, reflect.Array:
-			origin := reflect.ValueOf(server)
-			servers := make([]string, 0)
-			for i := 0; i < origin.Len(); i++ {
-				servers = append(servers, fmt.Sprintf("%v", origin.Index(i)))
+	for k, v := range nsPolicy {
+		if strings.Contains(k, ",") {
+			if strings.Contains(k, "geosite:") {
+				subkeys := strings.Split(k, ":")
+				subkeys = subkeys[1:]
+				subkeys = strings.Split(subkeys[0], ",")
+				for _, subkey := range subkeys {
+					newKey := "geosite:" + subkey
+					updatedPolicy[newKey] = v
+				}
+			} else if strings.Contains(k, "rule-set:") {
+				subkeys := strings.Split(k, ":")
+				subkeys = subkeys[1:]
+				subkeys = strings.Split(subkeys[0], ",")
+				for _, subkey := range subkeys {
+					newKey := "rule-set:" + subkey
+					updatedPolicy[newKey] = v
+				}
+			} else if re.MatchString(k) {
+				subkeys := strings.Split(k, ",")
+				for _, subkey := range subkeys {
+					updatedPolicy[subkey] = v
+				}
 			}
-			nameservers, err = parseNameServer(servers, preferH3)
-		case reflect.String:
-			nameservers, err = parseNameServer([]string{fmt.Sprintf("%v", server)}, preferH3)
-		default:
-			return nil, errors.New("server format error, must be string or array")
+		} else {
+			updatedPolicy[k] = v
 		}
+	}
+
+	for domain, server := range updatedPolicy {
+		servers, err := utils.ToStringSlice(server)
+		if err != nil {
+			return nil, err
+		}
+		nameservers, err := parseNameServer(servers, preferH3)
 		if err != nil {
 			return nil, err
 		}
 		if _, valid := trie.ValidAndSplitDomain(domain); !valid {
 			return nil, fmt.Errorf("DNS ResoverRule invalid domain: %s", domain)
 		}
+		if strings.HasPrefix(domain, "rule-set:") {
+			domainSetName := domain[9:]
+			if provider, ok := ruleProviders[domainSetName]; !ok {
+				return nil, fmt.Errorf("not found rule-set: %s", domainSetName)
+			} else {
+				switch provider.Behavior() {
+				case providerTypes.IPCIDR:
+					return nil, fmt.Errorf("rule provider type error, except domain,actual %s", provider.Behavior())
+				case providerTypes.Classical:
+					log.Warnln("%s provider is %s, only matching it contain domain rule", provider.Name(), provider.Behavior())
+				}
+			}
+		}
 		policy[domain] = nameservers
 	}

@ -1037,11 +1090,10 @@ func parseFallbackGeoSite(countries []string, rules []C.Rule) ([]*router.DomainM
 			log.Infoln("Start initial GeoSite dns fallback filter `%s`, records: %d", country, recordsCount)
 		}
 	}
-	runtime.GC()
 	return sites, nil
 }

-func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[netip.Addr], rules []C.Rule) (*DNS, error) {
+func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rules []C.Rule, ruleProviders map[string]providerTypes.RuleProvider) (*DNS, error) {
 	cfg := rawCfg.DNS
 	if cfg.Enable && len(cfg.NameServer) == 0 {
 		return nil, fmt.Errorf("if DNS configuration is turned on, NameServer cannot be empty")
@ -1068,7 +1120,7 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[netip.Addr], rules []C.R
 		return nil, err
 	}

-	if dnsCfg.NameServerPolicy, err = parseNameServerPolicy(cfg.NameServerPolicy, cfg.PreferH3); err != nil {
+	if dnsCfg.NameServerPolicy, err = parseNameServerPolicy(cfg.NameServerPolicy, ruleProviders, cfg.PreferH3); err != nil {
 		return nil, err
 	}

@ -1204,6 +1256,7 @@ func parseTun(rawTun RawTun, general *General) error {
 		ExcludePackage:         rawTun.ExcludePackage,
 		EndpointIndependentNat: rawTun.EndpointIndependentNat,
 		UDPTimeout:             rawTun.UDPTimeout,
+		FileDescriptor:         rawTun.FileDescriptor,
 	}

 	return nil
@ -1287,24 +1340,8 @@ func parseSniffer(snifferRaw RawSniffer) (*Sniffer, error) {
 	}

 	sniffer.Sniffers = loadSniffer
-	sniffer.ForceDomain = trie.New[struct{}]()
-	for _, domain := range snifferRaw.ForceDomain {
-		err := sniffer.ForceDomain.Insert(domain, struct{}{})
-		if err != nil {
-			return nil, fmt.Errorf("error domian[%s] in force-domain, error:%v", domain, err)
-		}
-	}
-	sniffer.ForceDomain.Optimize()
-
-	sniffer.SkipDomain = trie.New[struct{}]()
-	for _, domain := range snifferRaw.SkipDomain {
-		err := sniffer.SkipDomain.Insert(domain, struct{}{})
-		if err != nil {
-			return nil, fmt.Errorf("error domian[%s] in force-domain, error:%v", domain, err)
-		}
-	}
-	sniffer.SkipDomain.Optimize()
-
+	sniffer.ForceDomain = trie.NewDomainSet(snifferRaw.ForceDomain)
+	sniffer.SkipDomain = trie.NewDomainSet(snifferRaw.SkipDomain)
 	return sniffer, nil
 }

--- a/config/updateGeo.go
+++ b/config/updateGeo.go
@ -63,6 +63,8 @@ func UpdateGeoDatabases() error {
 		return fmt.Errorf("can't save GeoSite database file: %w", err)
 	}

+	geodata.ClearCache()
+
 	return nil
 }

--- a/constant/features/low_memory.go
+++ b/constant/features/low_memory.go
@ -0,0 +1,5 @@
+package features
+
+func init() {
+	TAGS = append(TAGS, "with_low_memory")
+}
--- a/constant/features/no_doq.go
+++ b/constant/features/no_doq.go
@ -1,7 +0,0 @@
-//go:build no_doq
-
-package features
-
-func init() {
-	TAGS = append(TAGS, "no_doq")
-}
--- a/constant/features/no_fake_tcp.go
+++ b/constant/features/no_fake_tcp.go
@ -0,0 +1,7 @@
+//go:build no_fake_tcp
+
+package features
+
+func init() {
+	TAGS = append(TAGS, "no_fake_tcp")
+}
--- a/constant/features/no_gvisor.go
+++ b/constant/features/no_gvisor.go
@ -1,7 +0,0 @@
-//go:build no_gvisor
-
-package features
-
-func init() {
-	TAGS = append(TAGS, "no_gvisor")
-}
--- a/constant/features/with_gvisor.go
+++ b/constant/features/with_gvisor.go
@ -0,0 +1,7 @@
+//go:build with_gvisor
+
+package features
+
+func init() {
+	TAGS = append(TAGS, "with_gvisor")
+}
--- a/constant/path.go
+++ b/constant/path.go
@ -66,7 +66,7 @@ func (p *path) MMDB() string {
 			// 目录则直接跳过
 			continue
 		} else {
-			if strings.EqualFold(fi.Name(), "Country.mmdb") {
+			if strings.EqualFold(strings.ToLower(fi.Name()), "country.mmdb") {
 				GeoipName = fi.Name()
 				return P.Join(p.homeDir, fi.Name())
 			}
@ -93,7 +93,7 @@ func (p *path) GeoIP() string {
 			// 目录则直接跳过
 			continue
 		} else {
-			if strings.EqualFold(fi.Name(), "GeoIP.dat") {
+			if strings.EqualFold(strings.ToLower(fi.Name()), "geoip.dat") {
 				GeoipName = fi.Name()
 				return P.Join(p.homeDir, fi.Name())
 			}
@ -112,7 +112,7 @@ func (p *path) GeoSite() string {
 			// 目录则直接跳过
 			continue
 		} else {
-			if strings.EqualFold(fi.Name(), "GeoSite.dat") {
+			if strings.EqualFold(strings.ToLower(fi.Name()), "geosite.dat") {
 				GeositeName = fi.Name()
 				return P.Join(p.homeDir, fi.Name())
 			}
--- a/context/conn.go
+++ b/context/conn.go
@ -17,10 +17,8 @@ type ConnContext struct {
 }

 func NewConnContext(conn net.Conn, metadata *C.Metadata) *ConnContext {
-	id, _ := utils.UnsafeUUIDGenerator.NewV4()
-
 	return &ConnContext{
-		id:       id,
+		id:       utils.NewUUIDV4(),
 		metadata: metadata,
 		conn:     N.NewBufferedConn(conn),
 	}
--- a/context/dns.go
+++ b/context/dns.go
@ -23,11 +23,10 @@ type DNSContext struct {
 }

 func NewDNSContext(ctx context.Context, msg *dns.Msg) *DNSContext {
-	id, _ := utils.UnsafeUUIDGenerator.NewV4()
 	return &DNSContext{
 		Context: ctx,

-		id:  id,
+		id:  utils.NewUUIDV4(),
 		msg: msg,
 	}
 }
--- a/context/packetconn.go
+++ b/context/packetconn.go
@ -16,9 +16,8 @@ type PacketConnContext struct {
 }

 func NewPacketConnContext(metadata *C.Metadata) *PacketConnContext {
-	id, _ := utils.UnsafeUUIDGenerator.NewV4()
 	return &PacketConnContext{
-		id:       id,
+		id:       utils.NewUUIDV4(),
 		metadata: metadata,
 	}
 }
--- a/dns/filters.go
+++ b/dns/filters.go
@ -29,29 +29,10 @@ func (gf *geoipFilter) Match(ip netip.Addr) bool {
 	}

 	if geoIPMatcher == nil {
-		countryCode := "cn"
-		geoLoader, err := geodata.GetGeoDataLoader(geodata.LoaderName())
+		var err error
+		geoIPMatcher, _, err = geodata.LoadGeoIPMatcher("CN")
 		if err != nil {
-			log.Errorln("[GeoIPFilter] GetGeoDataLoader error: %s", err.Error())
-			return false
-		}
-
-		records, err := geoLoader.LoadGeoIP(countryCode)
-		if err != nil {
-			log.Errorln("[GeoIPFilter] LoadGeoIP error: %s", err.Error())
-			return false
-		}
-
-		geoIP := &router.GeoIP{
-			CountryCode:  countryCode,
-			Cidr:         records,
-			ReverseMatch: false,
-		}
-
-		geoIPMatcher, err = router.NewGeoIPMatcher(geoIP)
-
-		if err != nil {
-			log.Errorln("[GeoIPFilter] NewGeoIPMatcher error: %s", err.Error())
+			log.Errorln("[GeoIPFilter] LoadGeoIPMatcher error: %s", err.Error())
 			return false
 		}
 	}
@ -92,6 +73,10 @@ type geoSiteFilter struct {
 }

 func NewGeoSite(group string) (fallbackDomainFilter, error) {
+	if err := geodata.InitGeoSite(); err != nil {
+		log.Errorln("can't initial GeoSite: %s", err)
+		return nil, err
+	}
 	matcher, _, err := geodata.LoadGeoSiteMatcher(group)
 	if err != nil {
 		return nil, err
--- a/dns/middleware.go
+++ b/dns/middleware.go
@ -8,7 +8,7 @@ import (
 	"github.com/Dreamacro/clash/common/cache"
 	"github.com/Dreamacro/clash/common/nnip"
 	"github.com/Dreamacro/clash/component/fakeip"
-	"github.com/Dreamacro/clash/component/trie"
+	R "github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/context"
 	"github.com/Dreamacro/clash/log"
@ -21,7 +21,7 @@ type (
 	middleware func(next handler) handler
 )

-func withHosts(hosts *trie.DomainTrie[netip.Addr], mapping *cache.LruCache[netip.Addr, string]) middleware {
+func withHosts(hosts R.Hosts, mapping *cache.LruCache[netip.Addr, string]) middleware {
 	return func(next handler) handler {
 		return func(ctx *context.DNSContext, r *D.Msg) (*D.Msg, error) {
 			q := r.Question[0]
@ -31,40 +31,68 @@ func withHosts(hosts *trie.DomainTrie[netip.Addr], mapping *cache.LruCache[netip
 			}

 			host := strings.TrimRight(q.Name, ".")
-
-			record := hosts.Search(host)
-			if record == nil {
+			handleCName := func(resp *D.Msg, domain string) {
+				rr := &D.CNAME{}
+				rr.Hdr = D.RR_Header{Name: q.Name, Rrtype: D.TypeCNAME, Class: D.ClassINET, Ttl: 10}
+				rr.Target = domain + "."
+				resp.Answer = append([]D.RR{rr}, resp.Answer...)
+			}
+			record, ok := hosts.Search(host, q.Qtype != D.TypeA && q.Qtype != D.TypeAAAA)
+			if !ok {
+				if record != nil && record.IsDomain {
+					// replace request domain
+					newR := r.Copy()
+					newR.Question[0].Name = record.Domain + "."
+					resp, err := next(ctx, newR)
+					if err == nil {
+						resp.Id = r.Id
+						resp.Question = r.Question
+						handleCName(resp, record.Domain)
+					}
+					return resp, err
+				}
 				return next(ctx, r)
 			}

-			ip := record.Data()
 			msg := r.Copy()
-
-			if ip.Is4() && q.Qtype == D.TypeA {
-				rr := &D.A{}
-				rr.Hdr = D.RR_Header{Name: q.Name, Rrtype: D.TypeA, Class: D.ClassINET, Ttl: 10}
-				rr.A = ip.AsSlice()
-
-				msg.Answer = []D.RR{rr}
-			} else if q.Qtype == D.TypeAAAA {
-				rr := &D.AAAA{}
-				rr.Hdr = D.RR_Header{Name: q.Name, Rrtype: D.TypeAAAA, Class: D.ClassINET, Ttl: 10}
-				ip := ip.As16()
-				rr.AAAA = ip[:]
-				msg.Answer = []D.RR{rr}
-			} else {
-				return next(ctx, r)
+			handleIPs := func() {
+				for _, ipAddr := range record.IPs {
+					if ipAddr.Is4() && q.Qtype == D.TypeA {
+						rr := &D.A{}
+						rr.Hdr = D.RR_Header{Name: q.Name, Rrtype: D.TypeA, Class: D.ClassINET, Ttl: 10}
+						rr.A = ipAddr.AsSlice()
+						msg.Answer = append(msg.Answer, rr)
+						if mapping != nil {
+							mapping.SetWithExpire(ipAddr, host, time.Now().Add(time.Second*10))
+						}
+					} else if q.Qtype == D.TypeAAAA {
+						rr := &D.AAAA{}
+						rr.Hdr = D.RR_Header{Name: q.Name, Rrtype: D.TypeAAAA, Class: D.ClassINET, Ttl: 10}
+						ip := ipAddr.As16()
+						rr.AAAA = ip[:]
+						msg.Answer = append(msg.Answer, rr)
+						if mapping != nil {
+							mapping.SetWithExpire(ipAddr, host, time.Now().Add(time.Second*10))
+						}
+					}
+				}
 			}

-			if mapping != nil {
-				mapping.SetWithExpire(ip, host, time.Now().Add(time.Second*10))
+			switch q.Qtype {
+			case D.TypeA:
+				handleIPs()
+			case D.TypeAAAA:
+				handleIPs()
+			case D.TypeCNAME:
+				handleCName(r, record.Domain)
+			default:
+				return next(ctx, r)
 			}

 			ctx.SetType(context.DNSTypeHost)
 			msg.SetRcode(r, D.RcodeSuccess)
 			msg.Authoritative = true
 			msg.RecursionAvailable = true
-
 			return msg, nil
 		}
 	}
@ -149,6 +177,7 @@ func withFakeIP(fakePool *fakeip.Pool) middleware {
 func withResolver(resolver *Resolver) handler {
 	return func(ctx *context.DNSContext, r *D.Msg) (*D.Msg, error) {
 		ctx.SetType(context.DNSTypeRaw)
+
 		q := r.Question[0]

 		// return a empty AAAA msg when ipv6 disabled
@ -183,7 +212,7 @@ func NewHandler(resolver *Resolver, mapper *ResolverEnhancer) handler {
 	middlewares := []middleware{}

 	if resolver.hosts != nil {
-		middlewares = append(middlewares, withHosts(resolver.hosts, mapper.mapping))
+		middlewares = append(middlewares, withHosts(R.NewHosts(resolver.hosts), mapper.mapping))
 	}

 	if mapper.mode == C.DNSFakeIP {
--- a/dns/resolver.go
+++ b/dns/resolver.go
@ -16,6 +16,7 @@ import (
 	"github.com/Dreamacro/clash/component/resolver"
 	"github.com/Dreamacro/clash/component/trie"
 	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/constant/provider"
 	"github.com/Dreamacro/clash/log"

 	D "github.com/miekg/dns"
@ -40,10 +41,15 @@ type geositePolicyRecord struct {
 	inversedMatching bool
 }

+type domainSetPolicyRecord struct {
+	domainSetProvider provider.RuleProvider
+	policy            *Policy
+}
+
 type Resolver struct {
 	ipv6                  bool
 	ipv6Timeout           time.Duration
-	hosts                 *trie.DomainTrie[netip.Addr]
+	hosts                 *trie.DomainTrie[resolver.HostValue]
 	main                  []dnsClient
 	fallback              []dnsClient
 	fallbackDomainFilters []fallbackDomainFilter
@ -51,6 +57,7 @@ type Resolver struct {
 	group                 singleflight.Group
 	lruCache              *cache.LruCache[string, *D.Msg]
 	policy                *trie.DomainTrie[*Policy]
+	domainSetPolicy       []domainSetPolicyRecord
 	geositePolicy         []geositePolicyRecord
 	proxyServer           []dnsClient
 }
@ -301,6 +308,12 @@ func (r *Resolver) matchPolicy(m *D.Msg) []dnsClient {
 			return geositeRecord.policy.GetData()
 		}
 	}
+	metadata := &C.Metadata{Host: domain}
+	for _, domainSetRecord := range r.domainSetPolicy {
+		if ok := domainSetRecord.domainSetProvider.Match(metadata); ok {
+			return domainSetRecord.policy.GetData()
+		}
+	}
 	return nil
 }

@ -422,16 +435,18 @@ type FallbackFilter struct {
 }

 type Config struct {
-	Main, Fallback []NameServer
-	Default        []NameServer
-	ProxyServer    []NameServer
-	IPv6           bool
-	IPv6Timeout    uint
-	EnhancedMode   C.DNSMode
-	FallbackFilter FallbackFilter
-	Pool           *fakeip.Pool
-	Hosts          *trie.DomainTrie[netip.Addr]
-	Policy         map[string][]NameServer
+	Main, Fallback  []NameServer
+	Default         []NameServer
+	ProxyServer     []NameServer
+	IPv6            bool
+	IPv6Timeout     uint
+	EnhancedMode    C.DNSMode
+	FallbackFilter  FallbackFilter
+	Pool            *fakeip.Pool
+	Hosts           *trie.DomainTrie[resolver.HostValue]
+	Policy          map[string][]NameServer
+	DomainSetPolicy map[provider.RuleProvider][]NameServer
+	GeositePolicy   map[router.DomainMatcher][]NameServer
 }

 func NewResolver(config Config) *Resolver {
@ -483,6 +498,14 @@ func NewResolver(config Config) *Resolver {
 		}
 		r.policy.Optimize()
 	}
+	if len(config.DomainSetPolicy) > 0 {
+		for p, n := range config.DomainSetPolicy {
+			r.domainSetPolicy = append(r.domainSetPolicy, domainSetPolicyRecord{
+				domainSetProvider: p,
+				policy:            NewPolicy(transform(n, defaultResolver)),
+			})
+		}
+	}

 	fallbackIPFilters := []fallbackIPFilter{}
 	if config.FallbackFilter.GeoIP {
@ -516,7 +539,7 @@ func NewProxyServerHostResolver(old *Resolver) *Resolver {
 		main:        old.proxyServer,
 		lruCache:    old.lruCache,
 		hosts:       old.hosts,
-		policy:      old.policy,
+		policy:      trie.New[*Policy](),
 		ipv6Timeout: old.ipv6Timeout,
 	}
 	return r
--- a/dns/util.go
+++ b/dns/util.go
@ -66,7 +66,7 @@ func setMsgTTL(msg *D.Msg, ttl uint32) {
 }

 func isIPRequest(q D.Question) bool {
-	return q.Qclass == D.ClassINET && (q.Qtype == D.TypeA || q.Qtype == D.TypeAAAA)
+	return q.Qclass == D.ClassINET && (q.Qtype == D.TypeA || q.Qtype == D.TypeAAAA || q.Qtype == D.TypeCNAME)
 }

 func transform(servers []NameServer, resolver *Resolver) []dnsClient {
--- a/docs/config.yaml
+++ b/docs/config.yaml
@ -58,6 +58,9 @@ hosts:
 # '*.clash.dev': 127.0.0.1
 # '.dev': 127.0.0.1
 # 'alpha.clash.dev': '::1'
+# test.com: [1.1.1.1, 2.2.2.2]
+# clash.lan: clash # clash 为特别字段，将加入本地所有网卡的地址
+# baidu.com: google.com # 只允许配置一个别名

 profile: # 存储 select 选择记录
  store-selected: false
@ -228,12 +231,14 @@ dns:
  #     - '+.youtube.com'
  
  # 配置查询域名使用的 DNS 服务器
-  nameserver-policy: #   'www.baidu.com': '114.114.114.114'
+  nameserver-policy:
+    #   'www.baidu.com': '114.114.114.114'
    #   '+.internal.crop.com': '10.0.0.1'
-    "geosite:cn":
+    "geosite:cn,private,apple":
      - https://doh.pub/dns-query
      - https://dns.alidns.com/dns-query
-    "www.baidu.com": [https://doh.pub/dns-query, https://dns.alidns.com/dns-query]
+    "www.baidu.com,+.google.cn": [223.5.5.5, https://dns.alidns.com/dns-query]
+    # "rule-set:global,dns": 8.8.8.8 # global，dns 为 rule-providers 中的名为 global 和 dns 的规则提供器名字，且 behavior 必须为 domain 

 proxies: # socks5
  - name: "socks"
@ -327,17 +332,55 @@ proxies: # socks5
    # headers:
    #   custom: value
  
-  - name: "ss4"
+  - name: "ss4-shadow-tls"
    type: ss
    server: server
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "password"
    plugin: shadow-tls
+    client-fingerprint: chrome
    plugin-opts:
      host: "cloud.tencent.com"
      password: "shadow_tls_password"
      version: 2 # support 1/2/3
+
+  - name: "ss-restls-tls13"
+    type: ss
+    server: [YOUR_SERVER_IP]
+    port: 443
+    cipher: chacha20-ietf-poly1305
+    password: [YOUR_SS_PASSWORD]
+    client-fingerprint: chrome # One of: chrome, ios, firefox or safari
+                               # 可以是chrome, ios, firefox, safari中的一个
+    plugin: restls
+    plugin-opts:
+        host: "www.microsoft.com" # Must be a TLS 1.3 server
+                                  # 应当是一个TLS 1.3 服务器
+        password: [YOUR_RESTLS_PASSWORD]
+        version-hint: "tls13"
+        # Control your post-handshake traffic through restls-script
+        # Hide proxy behaviors like "tls in tls". 
+        # see https://github.com/3andne/restls/blob/main/Restls-Script:%20Hide%20Your%20Proxy%20Traffic%20Behavior.md
+        # 用restls剧本来控制握手后的行为，隐藏"tls in tls"等特征
+        # 详情：https://github.com/3andne/restls/blob/main/Restls-Script:%20%E9%9A%90%E8%97%8F%E4%BD%A0%E7%9A%84%E4%BB%A3%E7%90%86%E8%A1%8C%E4%B8%BA.md
+        restls-script: "300?100<1,400~100,350~100,600~100,300~200,300~100"
+
+  - name: "ss-restls-tls12"
+    type: ss
+    server: [YOUR_SERVER_IP]
+    port: 443
+    cipher: chacha20-ietf-poly1305
+    password: [YOUR_SS_PASSWORD]
+    client-fingerprint: chrome # One of: chrome, ios, firefox or safari
+                               # 可以是chrome, ios, firefox, safari中的一个
+    plugin: restls
+    plugin-opts:
+        host: "vscode.dev" # Must be a TLS 1.2 server
+                           # 应当是一个TLS 1.2 服务器
+        password: [YOUR_RESTLS_PASSWORD]
+        version-hint: "tls12"
+        restls-script: "1000?100<1,500~100,350~100,600~100,400~200"
  
  # vmess
  # cipher支持 auto/aes-128-gcm/chacha20-poly1305/none
--- a/flake.nix
+++ b/flake.nix
@ -28,7 +28,7 @@
            inherit version;
            src = ./.;

-            vendorSha256 = "sha256-8cbcE9gKJjU14DNTLPc6nneEPZg7Akt+FlSDlPRvG5k=";
+            vendorSha256 = "sha256-W5oiPtTRin0731QQWr98xZ2Vpk97HYcBtKoi1OKZz+w=";

            # Do not build testing suit
            excludedPackages = [ "./test" ];
--- a/go.mod
+++ b/go.mod
@ -3,6 +3,7 @@ module github.com/Dreamacro/clash
 go 1.19

 require (
+	github.com/3andne/restls-client-go v0.1.4
 	github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da
 	github.com/cilium/ebpf v0.9.3
 	github.com/coreos/go-iptables v0.6.0
@ -18,38 +19,43 @@ require (
 	github.com/jpillora/backoff v1.0.0
 	github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40
 	github.com/mdlayher/netlink v1.7.2-0.20221213171556-9881fafed8c7
-	github.com/metacubex/quic-go v0.32.0
+	github.com/metacubex/quic-go v0.33.3-0.20230322045857-901b636b4594
 	github.com/metacubex/sing-shadowsocks v0.1.1-0.20230226153717-4e80da7e6947
-	github.com/metacubex/sing-tun v0.1.1-0.20230304153753-5058534177f3
+	github.com/metacubex/sing-tun v0.1.3-0.20230323115055-7935ba0ac8b3
 	github.com/metacubex/sing-wireguard v0.0.0-20230310035749-f7595fcae5cb
-	github.com/miekg/dns v1.1.50
+	github.com/miekg/dns v1.1.52
 	github.com/mroth/weightedrand/v2 v2.0.0
 	github.com/oschwald/geoip2-golang v1.8.0
 	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97
-	github.com/sagernet/sing v0.1.8
+	github.com/sagernet/sing v0.2.1-0.20230323071235-f8038854d286
 	github.com/sagernet/sing-shadowtls v0.1.0
-	github.com/sagernet/sing-vmess v0.1.3-0.20230307060529-d110e81a50bc
-	github.com/sagernet/tfo-go v0.0.0-20230207095944-549363a7327d
+	github.com/sagernet/sing-vmess v0.1.3
+	github.com/sagernet/tfo-go v0.0.0-20230303015439-ffcfd8c41cf9
 	github.com/sagernet/utls v0.0.0-20230309024959-6732c2ab36f2
 	github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c
 	github.com/samber/lo v1.37.0
 	github.com/sirupsen/logrus v1.9.0
-	github.com/stretchr/testify v1.8.1
+	github.com/stretchr/testify v1.8.2
 	github.com/xtls/go v0.0.0-20220914232946-0441cf4cf837
 	github.com/zhangyunhao116/fastrand v0.3.0
 	go.etcd.io/bbolt v1.3.6
 	go.uber.org/atomic v1.10.0
 	go.uber.org/automaxprocs v1.5.1
-	golang.org/x/crypto v0.6.0
-	golang.org/x/exp v0.0.0-20221205204356-47842c84f3db
-	golang.org/x/net v0.7.0
+	golang.org/x/crypto v0.7.0
+	golang.org/x/exp v0.0.0-20230321023759-10a507213a29
+	golang.org/x/net v0.8.0
 	golang.org/x/sync v0.1.0
-	golang.org/x/sys v0.5.0
+	golang.org/x/sys v0.6.0
 	google.golang.org/protobuf v1.28.2-0.20230118093459-a9481185b34d
 	gopkg.in/yaml.v3 v3.0.1
 	lukechampine.com/blake3 v1.1.7
 )

+require (
+	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
+	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
+)
+
 require (
 	github.com/ajg/form v1.5.1 // indirect
 	github.com/andybalholm/brotli v1.0.5 // indirect
@ -64,21 +70,21 @@ require (
 	github.com/klauspost/compress v1.15.15 // indirect
 	github.com/klauspost/cpuid/v2 v2.0.12 // indirect
 	github.com/mdlayher/socket v0.4.0 // indirect
-	github.com/metacubex/gvisor v0.0.0-20230304153416-e2bb9c726005 // indirect
+	github.com/metacubex/gvisor v0.0.0-20230323114922-412956fb6a03 // indirect
 	github.com/onsi/ginkgo/v2 v2.2.0 // indirect
+	github.com/openacid/low v0.1.21
 	github.com/oschwald/maxminddb-golang v1.10.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
-	github.com/quic-go/qtls-go1-18 v0.2.0 // indirect
-	github.com/quic-go/qtls-go1-19 v0.2.0 // indirect
-	github.com/quic-go/qtls-go1-20 v0.1.0 // indirect
+	github.com/quic-go/qtls-go1-19 v0.2.1 // indirect
+	github.com/quic-go/qtls-go1-20 v0.1.1 // indirect
 	github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 // indirect
 	github.com/u-root/uio v0.0.0-20221213070652-c3537552635f // indirect
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
-	golang.org/x/mod v0.7.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
+	golang.org/x/mod v0.8.0 // indirect
+	golang.org/x/text v0.8.0 // indirect
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
-	golang.org/x/tools v0.5.0 // indirect
+	golang.org/x/tools v0.6.0 // indirect
 )

 replace go.uber.org/atomic v1.10.0 => github.com/metacubex/uber-atomic v0.0.0-20230202125923-feb10b770370
--- a/go.sum
+++ b/go.sum
@ -1,9 +1,12 @@
+github.com/3andne/restls-client-go v0.1.4 h1:kLNC2aSRHPlEVYmTj6EOqJoorCpobEe2toMRSfBF7FU=
+github.com/3andne/restls-client-go v0.1.4/go.mod h1:04CGbRk1BwBiEDles8b5mlKgTqIwE5MqF7JDloJV47I=
 github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da h1:KjTM2ks9d14ZYCvmHS9iAKVt9AyzRSqNU1qabPih5BY=
 github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da/go.mod h1:eHEWzANqSiWQsof+nXEI9bUVUyV6F53Fp89EuCh2EAA=
 github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
 github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
 github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/cCs=
 github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
+github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
@ -32,6 +35,7 @@ github.com/gofrs/uuid v4.4.0+incompatible h1:3qXRTX8/NbyulANqlc0lchS1gqAVxRgsuW1
 github.com/gofrs/uuid v4.4.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
 github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
@ -73,6 +77,8 @@ github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa02
 github.com/klauspost/cpuid/v2 v2.0.12 h1:p9dKCg8i4gmOxtv35DvrYoWqYzQrvEVdjQ762Y0OqZE=
 github.com/klauspost/cpuid/v2 v2.0.12/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
 github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 h1:EnfXoSqDfSNJv0VBNqY/88RNnhSGYkrHaO0mmFGbVsc=
 github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40/go.mod h1:vy1vK6wD6j7xX6O6hXe621WabdtNkou2h7uRtTfRMyg=
@ -87,54 +93,60 @@ github.com/mdlayher/raw v0.0.0-20190606142536-fef19f00fc18/go.mod h1:7EpbotpCmVZ
 github.com/mdlayher/raw v0.0.0-20191009151244-50f2db8cc065/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg=
 github.com/mdlayher/socket v0.4.0 h1:280wsy40IC9M9q1uPGcLBwXpcTQDtoGwVt+BNoITxIw=
 github.com/mdlayher/socket v0.4.0/go.mod h1:xxFqz5GRCUN3UEOm9CZqEJsAbe1C8OwSK46NlmWuVoc=
-github.com/metacubex/gvisor v0.0.0-20230304153416-e2bb9c726005 h1:0TEvReK/D6YLszjGj/bdx4d7amQSjQ2X/98r4ZiUbxU=
-github.com/metacubex/gvisor v0.0.0-20230304153416-e2bb9c726005/go.mod h1:wqEuzdImyqD2MCGE8CYRJXbB77oSEJeoSSXXdwKjnsE=
-github.com/metacubex/quic-go v0.32.0 h1:dSD8LB4MSeBuD4otd8y1DUZcRdDcEB0Ax5esPOqn2Hw=
-github.com/metacubex/quic-go v0.32.0/go.mod h1:yParIzDYUd/t/pzFlDtZKhnvSqbUu0bPChlKEGmJStA=
+github.com/metacubex/gvisor v0.0.0-20230323114922-412956fb6a03 h1:gREIdurac9fpyBMBRPPMF/Sk3gKfPfdNCa4GQyR9FoA=
+github.com/metacubex/gvisor v0.0.0-20230323114922-412956fb6a03/go.mod h1:wqEuzdImyqD2MCGE8CYRJXbB77oSEJeoSSXXdwKjnsE=
+github.com/metacubex/quic-go v0.33.3-0.20230322045857-901b636b4594 h1:KD96JPdTIayTGGgRl6PuVqo2Bpo6+x3LqDDyqrYDDXw=
+github.com/metacubex/quic-go v0.33.3-0.20230322045857-901b636b4594/go.mod h1:9nOiGX6kqV3+ZbkDKdTNzdFD726QQHPH6WDb36jUSpA=
 github.com/metacubex/sing-shadowsocks v0.1.1-0.20230226153717-4e80da7e6947 h1:NnjC2+aIiyzzvFlo+C2WzBOJdsp+HAtu18FZomqYhUE=
 github.com/metacubex/sing-shadowsocks v0.1.1-0.20230226153717-4e80da7e6947/go.mod h1:U2gwhxzqgbhKCgn2B4z3t0Cj0LpMWFl/02BGCoG421w=
-github.com/metacubex/sing-tun v0.1.1-0.20230304153753-5058534177f3 h1:oQLThm1a8E7hHmoM9XF2cO0FZPsHVynC4YXW4b3liUI=
-github.com/metacubex/sing-tun v0.1.1-0.20230304153753-5058534177f3/go.mod h1:b/19bRRhwampNPV+1gVDyDsQHmuGDaplxPQkwJh1kj4=
+github.com/metacubex/sing-tun v0.1.3-0.20230323115055-7935ba0ac8b3 h1:LnKcLs0HI0HX4xH/2XerX+1BLXS1Uj6Xvzn20xFuCOk=
+github.com/metacubex/sing-tun v0.1.3-0.20230323115055-7935ba0ac8b3/go.mod h1:0i22nk0tgkQz/N96hrhPib1O/C5AjxSnco7Mwi2YSF0=
 github.com/metacubex/sing-wireguard v0.0.0-20230310035749-f7595fcae5cb h1:uhvzbtOvyg2c1k1H2EeVPuPvTEjDHCq4+U0AljG40P8=
 github.com/metacubex/sing-wireguard v0.0.0-20230310035749-f7595fcae5cb/go.mod h1:7mPG9qYln+CLKBcDt7Dk4c7b3S53VzEfexMVPe6T6FM=
 github.com/metacubex/uber-atomic v0.0.0-20230202125923-feb10b770370 h1:UkViS4DCESAUEYgbIEQdD02hyMacFt6Dny+1MOJtNIo=
 github.com/metacubex/uber-atomic v0.0.0-20230202125923-feb10b770370/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
-github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
-github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
+github.com/miekg/dns v1.1.52 h1:Bmlc/qsNNULOe6bpXcUTsuOajd0DzRHwup6D9k1An0c=
+github.com/miekg/dns v1.1.52/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
 github.com/mroth/weightedrand/v2 v2.0.0 h1:ADehnByWbliEDIazDAKFdBHoqgHSXAkgyKqM/9YsPoo=
 github.com/mroth/weightedrand/v2 v2.0.0/go.mod h1:f2faGsfOGOwc1p94wzHKKZyTpcJUW7OJ/9U4yfiNAOU=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/onsi/ginkgo/v2 v2.2.0 h1:3ZNA3L1c5FYDFTTxbFeVGGD8jYvjYauHD30YgLxVsNI=
 github.com/onsi/ginkgo/v2 v2.2.0/go.mod h1:MEH45j8TBi6u9BMogfbp0stKC5cdGjumZj5Y7AG4VIk=
 github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q=
+github.com/openacid/errors v0.8.1/go.mod h1:GUQEJJOJE3W9skHm8E8Y4phdl2LLEN8iD7c5gcGgdx0=
+github.com/openacid/low v0.1.21 h1:Tr2GNu4N/+rGRYdOsEHOE89cxUIaDViZbVmKz29uKGo=
+github.com/openacid/low v0.1.21/go.mod h1:q+MsKI6Pz2xsCkzV4BLj7NR5M4EX0sGz5AqotpZDVh0=
+github.com/openacid/must v0.1.3/go.mod h1:luPiXCuJlEo3UUFQngVQokV0MPGryeYvtCbQPs3U1+I=
+github.com/openacid/testkeys v0.1.6/go.mod h1:MfA7cACzBpbiwekivj8StqX0WIRmqlMsci1c37CA3Do=
 github.com/oschwald/geoip2-golang v1.8.0 h1:KfjYB8ojCEn/QLqsDU0AzrJ3R5Qa9vFlx3z6SLNcKTs=
 github.com/oschwald/geoip2-golang v1.8.0/go.mod h1:R7bRvYjOeaoenAp9sKRS8GX5bJWcZ0laWO5+DauEktw=
 github.com/oschwald/maxminddb-golang v1.10.0 h1:Xp1u0ZhqkSuopaKmk1WwHtjF0H9Hd9181uj2MQ5Vndg=
 github.com/oschwald/maxminddb-golang v1.10.0/go.mod h1:Y2ELenReaLAZ0b400URyGwvYxHV1dLIxBuyOsyYjHK0=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
 github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo=
 github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A=
-github.com/quic-go/qtls-go1-18 v0.2.0 h1:5ViXqBZ90wpUcZS0ge79rf029yx0dYB0McyPJwqqj7U=
-github.com/quic-go/qtls-go1-18 v0.2.0/go.mod h1:moGulGHK7o6O8lSPSZNoOwcLvJKJ85vVNc7oJFD65bc=
-github.com/quic-go/qtls-go1-19 v0.2.0 h1:Cvn2WdhyViFUHoOqK52i51k4nDX8EwIh5VJiVM4nttk=
-github.com/quic-go/qtls-go1-19 v0.2.0/go.mod h1:ySOI96ew8lnoKPtSqx2BlI5wCpUVPT05RMAlajtnyOI=
-github.com/quic-go/qtls-go1-20 v0.1.0 h1:d1PK3ErFy9t7zxKsG3NXBJXZjp/kMLoIb3y/kV54oAI=
-github.com/quic-go/qtls-go1-20 v0.1.0/go.mod h1:JKtK6mjbAVcUTN/9jZpvLbGxvdWIKS8uT7EiStoU1SM=
+github.com/quic-go/qtls-go1-19 v0.2.1 h1:aJcKNMkH5ASEJB9FXNeZCyTEIHU1J7MmHyz1Q1TSG1A=
+github.com/quic-go/qtls-go1-19 v0.2.1/go.mod h1:ySOI96ew8lnoKPtSqx2BlI5wCpUVPT05RMAlajtnyOI=
+github.com/quic-go/qtls-go1-20 v0.1.1 h1:KbChDlg82d3IHqaj2bn6GfKRj84Per2VGf5XV3wSwQk=
+github.com/quic-go/qtls-go1-20 v0.1.1/go.mod h1:JKtK6mjbAVcUTN/9jZpvLbGxvdWIKS8uT7EiStoU1SM=
 github.com/rogpeppe/go-internal v1.6.1 h1:/FiVV8dS/e+YqF2JvO3yXRFbBLTIuSDkuC7aBOAvL+k=
 github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 h1:5+m7c6AkmAylhauulqN/c5dnh8/KssrE9c93TQrXldA=
 github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61/go.mod h1:QUQ4RRHD6hGGHdFMEtR8T2P6GS6R3D/CXKdaYHKKXms=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6EslacyapiRz7LLSJyr4RajF/BhMVyE=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
 github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
-github.com/sagernet/sing v0.1.8 h1:6DKo2FkSHn0nUcjO7bAext/ai7y7pCusK/+fScBJ5Jk=
-github.com/sagernet/sing v0.1.8/go.mod h1:jt1w2u7lJQFFSGLiRrRIs5YWmx4kAPfWuOejuDW9qMk=
+github.com/sagernet/sing v0.2.1-0.20230323071235-f8038854d286 h1:0Td2b5l1KgrdlOnbRWgFFWsyb0TLoq/tP6j9Lut4JN0=
+github.com/sagernet/sing v0.2.1-0.20230323071235-f8038854d286/go.mod h1:9uHswk2hITw8leDbiLS/xn0t9nzBcbePxzm9PJhwdlw=
 github.com/sagernet/sing-shadowtls v0.1.0 h1:05MYce8aR5xfKIn+y7xRFsdKhKt44QZTSEQW+lG5IWQ=
 github.com/sagernet/sing-shadowtls v0.1.0/go.mod h1:Kn1VUIprdkwCgkS6SXYaLmIpKzQbqBIKJBMY+RvBhYc=
-github.com/sagernet/sing-vmess v0.1.3-0.20230307060529-d110e81a50bc h1:vqlYWupvVDRpvv2F+RtECJN+VbuKjLtmQculQvOecls=
-github.com/sagernet/sing-vmess v0.1.3-0.20230307060529-d110e81a50bc/go.mod h1:V14iffGwhZPU2S7wgIiPlLWXygSjAXazYzD1w0ejBl4=
-github.com/sagernet/tfo-go v0.0.0-20230207095944-549363a7327d h1:trP/l6ZPWvQ/5Gv99Z7/t/v8iYy06akDMejxW1sznUk=
-github.com/sagernet/tfo-go v0.0.0-20230207095944-549363a7327d/go.mod h1:jk6Ii8Y3En+j2KQDLgdgQGwb3M6y7EL567jFnGYhN9g=
+github.com/sagernet/sing-vmess v0.1.3 h1:q/+tsF46dvvapL6CpQBgPHJ6nQrDUZqEtLHCbsjO7iM=
+github.com/sagernet/sing-vmess v0.1.3/go.mod h1:GVXqAHwe9U21uS+Voh4YBIrADQyE4F9v0ayGSixSQAE=
+github.com/sagernet/tfo-go v0.0.0-20230303015439-ffcfd8c41cf9 h1:2ItpW1nMNkPzmBTxV0/eClCklHrFSQMnUGcpUmJxVeE=
+github.com/sagernet/tfo-go v0.0.0-20230303015439-ffcfd8c41cf9/go.mod h1:FUyTEc5ye5NjKnDTDMuiLF2M6T4BE6y6KZuax//UCEg=
 github.com/sagernet/utls v0.0.0-20230309024959-6732c2ab36f2 h1:kDUqhc9Vsk5HJuhfIATJ8oQwBmpOZJuozQG7Vk88lL4=
 github.com/sagernet/utls v0.0.0-20230309024959-6732c2ab36f2/go.mod h1:JKQMZq/O2qnZjdrt+B57olmfgEmLtY9iiSIEYtWvoSM=
 github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c h1:vK2wyt9aWYHHvNLWniwijBu/n4pySypiKRhN32u/JGo=
@ -148,13 +160,14 @@ github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
+github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/u-root/uio v0.0.0-20221213070652-c3537552635f h1:dpx1PHxYqAnXzbryJrWP1NQLzEjwcVgFLhkknuFQ7ww=
 github.com/u-root/uio v0.0.0-20221213070652-c3537552635f/go.mod h1:IogEAUBXDEwX7oR/BMmCctShYs80ql4hF0ySdzGxf7E=
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 h1:gga7acRE695APm9hlsSMoOoE65U4/TcqNj90mc69Rlg=
@ -171,15 +184,15 @@ go.uber.org/automaxprocs v1.5.1/go.mod h1:BF4eumQw0P9GtnuxxovUd06vwm1o18oMzFtK66
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc=
-golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
-golang.org/x/exp v0.0.0-20221205204356-47842c84f3db h1:D/cFflL63o2KSLJIwjlcIt8PR064j/xsmdEJL/YvY/o=
-golang.org/x/exp v0.0.0-20221205204356-47842c84f3db/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
+golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A=
+golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
+golang.org/x/exp v0.0.0-20230321023759-10a507213a29 h1:ooxPy7fPvB4kwsA2h+iBNHkAbp/4JxTSwCmvdjEYmug=
+golang.org/x/exp v0.0.0-20230321023759-10a507213a29/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.7.0 h1:LapD9S96VoQRhi/GrNTqeBJFrUjs5UHCAtTlgwA5oZA=
-golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190419010253-1f3472d942ba/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@ -191,9 +204,8 @@ golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
-golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
@ -215,21 +227,18 @@ golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20201101102859-da207088b7d1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44=
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@ -237,9 +246,8 @@ golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.5.0 h1:+bSpV5HIeWkuvgaMfI3UmKRThoTA5ODJTUd8T17NO+4=
-golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k=
+golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@ -248,7 +256,8 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.28.2-0.20230118093459-a9481185b34d h1:qp0AnQCvRCMlu9jBjtdbTaaEmThIgZOrbVyDEOcmKhQ=
 google.golang.org/protobuf v1.28.2-0.20230118093459-a9481185b34d/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
--- a/hub/executor/executor.go
+++ b/hub/executor/executor.go
@ -5,6 +5,7 @@ import (
 	"net/netip"
 	"os"
 	"runtime"
+	"strings"
 	"sync"

 	"github.com/Dreamacro/clash/adapter"
@ -75,24 +76,38 @@ func ParseWithBytes(buf []byte) (*config.Config, error) {
 func ApplyConfig(cfg *config.Config, force bool) {
 	mux.Lock()
 	defer mux.Unlock()
-	preUpdateExperimental(cfg)
+
+	tunnel.OnSuspend()
+
+	CTLS.ResetCertificate()
+	for _, c := range cfg.TLS.CustomTrustCert {
+		if err := CTLS.AddCertificate(c); err != nil {
+			log.Warnln("%s\nadd error: %s", c, err.Error())
+		}
+	}
+
 	updateUsers(cfg.Users)
 	updateProxies(cfg.Proxies, cfg.Providers)
 	updateRules(cfg.Rules, cfg.SubRules, cfg.RuleProviders)
 	updateSniffer(cfg.Sniffer)
 	updateHosts(cfg.Hosts)
 	updateGeneral(cfg.General)
-	initInnerTcp()
-	updateDNS(cfg.DNS, cfg.General.IPv6)
-	loadProxyProvider(cfg.Providers)
-	updateProfile(cfg)
-	loadRuleProvider(cfg.RuleProviders)
+	updateDNS(cfg.DNS, cfg.RuleProviders, cfg.General.IPv6)
 	updateListeners(cfg.General, cfg.Listeners, force)
 	updateIPTables(cfg)
 	updateTun(cfg.General)
 	updateExperimental(cfg)
 	updateTunnels(cfg.Tunnels)

+	tunnel.OnInnerLoading()
+
+	initInnerTcp()
+	loadProxyProvider(cfg.Providers)
+	updateProfile(cfg)
+	loadRuleProvider(cfg.RuleProviders)
+	runtime.GC()
+	tunnel.OnRunning()
+
 	log.SetLevel(cfg.General.LogLevel)
 }

@ -144,10 +159,6 @@ func updateListeners(general *config.General, listeners map[string]C.InboundList
 		return
 	}

-	if general.Interface == "" && (!general.Tun.Enable || !general.Tun.AutoDetectInterface) {
-		dialer.DefaultInterface.Store(general.Interface)
-	}
-
 	allowLan := general.AllowLan
 	listener.SetAllowLan(allowLan)

@ -165,19 +176,9 @@ func updateListeners(general *config.General, listeners map[string]C.InboundList
 }

 func updateExperimental(c *config.Config) {
-	runtime.GC()
 }

-func preUpdateExperimental(c *config.Config) {
-	CTLS.ResetCertificate()
-	for _, c := range c.TLS.CustomTrustCert {
-		if err := CTLS.AddCertificate(c); err != nil {
-			log.Warnln("%s\nadd error: %s", c, err.Error())
-		}
-	}
-}
-
-func updateDNS(c *config.DNS, generalIPv6 bool) {
+func updateDNS(c *config.DNS, ruleProvider map[string]provider.RuleProvider, generalIPv6 bool) {
 	if !c.Enable {
 		resolver.DefaultResolver = nil
 		resolver.DefaultHostMapper = nil
@ -185,7 +186,25 @@ func updateDNS(c *config.DNS, generalIPv6 bool) {
 		dns.ReCreateServer("", nil, nil)
 		return
 	}
-
+	policy := make(map[string][]dns.NameServer)
+	domainSetPolicies := make(map[provider.RuleProvider][]dns.NameServer)
+	for key, nameservers := range c.NameServerPolicy {
+		temp := strings.Split(key, ":")
+		if len(temp) == 2 {
+			prefix := temp[0]
+			key := temp[1]
+			switch strings.ToLower(prefix) {
+			case "rule-set":
+				if p, ok := ruleProvider[key]; ok {
+					domainSetPolicies[p] = nameservers
+				}
+			case "geosite":
+				// TODO:
+			}
+		} else {
+			policy[key] = nameservers
+		}
+	}
 	cfg := dns.Config{
 		Main:         c.NameServer,
 		Fallback:     c.Fallback,
@ -201,9 +220,10 @@ func updateDNS(c *config.DNS, generalIPv6 bool) {
 			Domain:    c.FallbackFilter.Domain,
 			GeoSite:   c.FallbackFilter.GeoSite,
 		},
-		Default:     c.DefaultNameserver,
-		Policy:      c.NameServerPolicy,
-		ProxyServer: c.ProxyServerNameserver,
+		Default:         c.DefaultNameserver,
+		Policy:          c.NameServerPolicy,
+		ProxyServer:     c.ProxyServerNameserver,
+		DomainSetPolicy: domainSetPolicies,
 	}

 	r := dns.NewResolver(cfg)
@ -226,8 +246,8 @@ func updateDNS(c *config.DNS, generalIPv6 bool) {
 	dns.ReCreateServer(c.Listen, r, m)
 }

-func updateHosts(tree *trie.DomainTrie[netip.Addr]) {
-	resolver.DefaultHosts = tree
+func updateHosts(tree *trie.DomainTrie[resolver.HostValue]) {
+	resolver.DefaultHosts = resolver.NewHosts(tree)
 }

 func updateProxies(proxies map[string]C.Proxy, providers map[string]provider.ProxyProvider) {
@ -342,17 +362,8 @@ func updateGeneral(general *config.General) {
 	inbound.SetTfo(general.InboundTfo)

 	adapter.UnifiedDelay.Store(general.UnifiedDelay)
-	// Avoid reload configuration clean the value, causing traffic loops
-	if listener.GetTunConf().Enable && listener.GetTunConf().AutoDetectInterface {
-		// changed only when the name is specified
-		// if name is empty, setting delay until after tun loaded
-		if general.Interface != "" && (!general.Tun.Enable || !general.Tun.AutoDetectInterface) {
-			dialer.DefaultInterface.Store(general.Interface)
-		}
-	} else {
-		dialer.DefaultInterface.Store(general.Interface)
-	}

+	dialer.DefaultInterface.Store(general.Interface)
 	dialer.DefaultRoutingMark.Store(int32(general.RoutingMark))
 	if general.RoutingMark > 0 {
 		log.Infoln("Use routing mark: %#x", general.RoutingMark)
--- a/hub/hub.go
+++ b/hub/hub.go
@ -44,7 +44,7 @@ func Parse(options ...Option) error {

 	if cfg.General.ExternalController != "" {
 		go route.Start(cfg.General.ExternalController, cfg.General.ExternalControllerTLS,
-			cfg.General.Secret, cfg.TLS.Certificate, cfg.TLS.PrivateKey,cfg.General.LogLevel==log.DEBUG)
+			cfg.General.Secret, cfg.TLS.Certificate, cfg.TLS.PrivateKey, cfg.General.LogLevel == log.DEBUG)
 	}

 	executor.ApplyConfig(cfg, true)
--- a/hub/route/configs.go
+++ b/hub/route/configs.go
@ -80,6 +80,7 @@ type tunSchema struct {
 	ExcludePackage         *[]string          `yaml:"exclude-package" json:"exclude-package,omitempty"`
 	EndpointIndependentNat *bool              `yaml:"endpoint-independent-nat" json:"endpoint-independent-nat,omitempty"`
 	UDPTimeout             *int64             `yaml:"udp-timeout" json:"udp-timeout,omitempty"`
+	FileDescriptor         *int               `yaml:"file-descriptor" json:"file-descriptor"`
 }

 type tuicServerSchema struct {
@ -169,6 +170,9 @@ func pointerOrDefaultTun(p *tunSchema, def LC.Tun) LC.Tun {
 		if p.UDPTimeout != nil {
 			def.UDPTimeout = *p.UDPTimeout
 		}
+		if p.FileDescriptor != nil {
+			def.FileDescriptor = *p.FileDescriptor
+		}
 	}
 	return def
 }
--- a/hub/route/restart.go
+++ b/hub/route/restart.go
@ -0,0 +1,62 @@
+package route
+
+import (
+	"fmt"
+	"net/http"
+	"os"
+	"os/exec"
+	"runtime"
+	"syscall"
+
+	"github.com/Dreamacro/clash/log"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/render"
+)
+
+func restartRouter() http.Handler {
+	r := chi.NewRouter()
+	r.Post("/", restart)
+	return r
+}
+
+func restart(w http.ResponseWriter, r *http.Request) {
+	// modify from https://github.com/AdguardTeam/AdGuardHome/blob/595484e0b3fb4c457f9bb727a6b94faa78a66c5f/internal/home/controlupdate.go#L108
+	execPath, err := os.Executable()
+	if err != nil {
+		render.Status(r, http.StatusInternalServerError)
+		render.JSON(w, r, newError(fmt.Sprintf("getting path: %s", err)))
+		return
+	}
+
+	render.JSON(w, r, render.M{"status": "ok"})
+	if f, ok := w.(http.Flusher); ok {
+		f.Flush()
+	}
+
+	// modify from https://github.com/AdguardTeam/AdGuardHome/blob/595484e0b3fb4c457f9bb727a6b94faa78a66c5f/internal/home/controlupdate.go#L180
+	// The background context is used because the underlying functions wrap it
+	// with timeout and shut down the server, which handles current request.  It
+	// also should be done in a separate goroutine for the same reason.
+	go func() {
+		if runtime.GOOS == "windows" {
+			cmd := exec.Command(execPath, os.Args[1:]...)
+			log.Infoln("restarting: %q %q", execPath, os.Args[1:])
+			cmd.Stdin = os.Stdin
+			cmd.Stdout = os.Stdout
+			cmd.Stderr = os.Stderr
+			err = cmd.Start()
+			if err != nil {
+				log.Fatalln("restarting:: %s", err)
+			}
+
+			os.Exit(0)
+		}
+
+		log.Infoln("restarting: %q %q", execPath, os.Args[1:])
+		err = syscall.Exec(execPath, os.Args, os.Environ())
+		if err != nil {
+			log.Fatalln("restarting: %s", err)
+		}
+	}()
+}
--- a/hub/route/server.go
+++ b/hub/route/server.go
@ -86,6 +86,9 @@ func Start(addr string, tlsAddr string, secret string,
 		r.Mount("/providers/rules", ruleProviderRouter())
 		r.Mount("/cache", cacheRouter())
 		r.Mount("/dns", dnsRouter())
+		r.Mount("/restart", restartRouter())
+		r.Mount("/upgrade", upgradeRouter())
+
 	})

 	if uiPath != "" {
--- a/hub/route/upgrade.go
+++ b/hub/route/upgrade.go
@ -0,0 +1,70 @@
+package route
+
+import (
+	"fmt"
+	"net/http"
+	"os"
+	"os/exec"
+	"runtime"
+	"syscall"
+
+	"github.com/Dreamacro/clash/hub/updater"
+	"github.com/Dreamacro/clash/log"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/render"
+)
+
+func upgradeRouter() http.Handler {
+	r := chi.NewRouter()
+	r.Post("/", upgrade)
+	return r
+}
+
+func upgrade(w http.ResponseWriter, r *http.Request) {
+	// modify from https://github.com/AdguardTeam/AdGuardHome/blob/595484e0b3fb4c457f9bb727a6b94faa78a66c5f/internal/home/controlupdate.go#L108
+	log.Infoln("start update")
+	err := updater.Update()
+	if err != nil {
+		log.Errorln("err:%s", err)
+		return
+	}
+
+	execPath, err := os.Executable()
+	if err != nil {
+		render.Status(r, http.StatusInternalServerError)
+		render.JSON(w, r, newError(fmt.Sprintf("getting path: %s", err)))
+		return
+	}
+
+	render.JSON(w, r, render.M{"status": "ok"})
+	if f, ok := w.(http.Flusher); ok {
+		f.Flush()
+	}
+
+	// modify from https://github.com/AdguardTeam/AdGuardHome/blob/595484e0b3fb4c457f9bb727a6b94faa78a66c5f/internal/home/controlupdate.go#L180
+	// The background context is used because the underlying functions wrap it
+	// with timeout and shut down the server, which handles current request.  It
+	// also should be done in a separate goroutine for the same reason.
+	go func() {
+		if runtime.GOOS == "windows" {
+			cmd := exec.Command(execPath, os.Args[1:]...)
+			log.Infoln("restarting: %q %q", execPath, os.Args[1:])
+			cmd.Stdin = os.Stdin
+			cmd.Stdout = os.Stdout
+			cmd.Stderr = os.Stderr
+			err = cmd.Start()
+			if err != nil {
+				log.Fatalln("restarting: %s", err)
+			}
+
+			os.Exit(0)
+		}
+
+		log.Infoln("restarting: %q %q", execPath, os.Args[1:])
+		err = syscall.Exec(execPath, os.Args, os.Environ())
+		if err != nil {
+			log.Fatalln("restarting: %s", err)
+		}
+	}()
+}
--- a/hub/updater/limitedreader.go
+++ b/hub/updater/limitedreader.go
@ -0,0 +1,67 @@
+package updater
+
+import (
+	"fmt"
+	"io"
+
+	"golang.org/x/exp/constraints"
+)
+
+// LimitReachedError records the limit and the operation that caused it.
+type LimitReachedError struct {
+	Limit int64
+}
+
+// Error implements the [error] interface for *LimitReachedError.
+//
+// TODO(a.garipov): Think about error string format.
+func (lre *LimitReachedError) Error() string {
+	return fmt.Sprintf("attempted to read more than %d bytes", lre.Limit)
+}
+
+// limitedReader is a wrapper for [io.Reader] limiting the input and dealing
+// with errors package.
+type limitedReader struct {
+	r     io.Reader
+	limit int64
+	n     int64
+}
+
+// Read implements the [io.Reader] interface.
+func (lr *limitedReader) Read(p []byte) (n int, err error) {
+	if lr.n == 0 {
+		return 0, &LimitReachedError{
+			Limit: lr.limit,
+		}
+	}
+
+	p = p[:Min(lr.n, int64(len(p)))]
+
+	n, err = lr.r.Read(p)
+	lr.n -= int64(n)
+
+	return n, err
+}
+
+// LimitReader wraps Reader to make it's Reader stop with ErrLimitReached after
+// n bytes read.
+func LimitReader(r io.Reader, n int64) (limited io.Reader, err error) {
+	if n < 0 {
+		return nil, &updateError{Message: "limit must be non-negative"}
+	}
+
+	return &limitedReader{
+		r:     r,
+		limit: n,
+		n:     n,
+	}, nil
+}
+
+// Min returns the smaller of x or y.
+func Min[T constraints.Integer | ~string](x, y T) (res T) {
+	if x < y {
+		return x
+	}
+
+	return y
+}
--- a/hub/updater/updater.go
+++ b/hub/updater/updater.go
@ -0,0 +1,464 @@
+package updater
+
+import (
+	"archive/zip"
+	"compress/gzip"
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"sync"
+	"time"
+
+	clashHttp "github.com/Dreamacro/clash/component/http"
+	"github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/log"
+)
+
+// modify from https://github.com/AdguardTeam/AdGuardHome/blob/595484e0b3fb4c457f9bb727a6b94faa78a66c5f/internal/updater/updater.go
+// Updater is the Clash.Meta updater.
+var (
+	client http.Client
+
+	goarch string
+	goos   string
+	goarm  string
+	gomips string
+
+	workDir string
+
+	// mu protects all fields below.
+	mu sync.RWMutex
+
+	// TODO(a.garipov): See if all of these fields actually have to be in
+	// this struct.
+	currentExeName string // 当前可执行文件
+	updateDir      string // 更新目录
+	packageName    string // 更新压缩文件
+	backupDir      string // 备份目录
+	backupExeName  string // 备份文件名
+	updateExeName  string // 更新后的可执行文件
+	unpackedFile   string
+
+	baseURL       string = "https://testingcf.jsdelivr.net/gh/MetaCubeX/Clash.Meta@release/clash.meta"
+	versionURL    string = "https://raw.githubusercontent.com/MetaCubeX/Clash.Meta/release/version.txt"
+	packageURL    string
+	latestVersion string
+)
+
+type updateError struct {
+	Message string
+}
+
+func (e *updateError) Error() string {
+	return fmt.Sprintf("error: %s", e.Message)
+}
+
+// Update performs the auto-updater.  It returns an error if the updater failed.
+// If firstRun is true, it assumes the configuration file doesn't exist.
+func Update() (err error) {
+	goos = runtime.GOOS
+	goarch = runtime.GOARCH
+	latestVersion, err = getLatestVersion()
+	if err != nil {
+		err := &updateError{Message: err.Error()}
+		return err
+	}
+
+	if latestVersion == constant.Version {
+		err := &updateError{Message: "Already using latest version"}
+		return err
+	}
+
+	updateDownloadURL()
+	mu.Lock()
+	defer mu.Unlock()
+
+	log.Infoln("current version alpha-%s", constant.Version)
+
+	defer func() {
+		if err != nil {
+			log.Errorln("updater: failed: %v", err)
+		} else {
+			log.Infoln("updater: finished")
+		}
+	}()
+
+	execPath, err := os.Executable()
+	if err != nil {
+		return fmt.Errorf("getting executable path: %w", err)
+	}
+
+	workDir = filepath.Dir(execPath)
+	//log.Infoln("workDir %s", execPath)
+
+	err = prepare(execPath)
+	if err != nil {
+		return fmt.Errorf("preparing: %w", err)
+	}
+
+	defer clean()
+
+	err = downloadPackageFile()
+	if err != nil {
+		return fmt.Errorf("downloading package file: %w", err)
+	}
+
+	err = unpack()
+	if err != nil {
+		return fmt.Errorf("unpacking: %w", err)
+	}
+
+	err = replace()
+	if err != nil {
+		return fmt.Errorf("replacing: %w", err)
+	}
+
+	return nil
+}
+
+// prepare fills all necessary fields in Updater object.
+func prepare(exePath string) (err error) {
+	updateDir = filepath.Join(workDir, "meta-update")
+	currentExeName = exePath
+	_, pkgNameOnly := filepath.Split(packageURL)
+	if pkgNameOnly == "" {
+		return fmt.Errorf("invalid PackageURL: %q", packageURL)
+	}
+
+	packageName = filepath.Join(updateDir, pkgNameOnly)
+	//log.Infoln(packageName)
+	backupDir = filepath.Join(workDir, "meta-backup")
+
+	if goos == "windows" {
+		updateExeName = "clash.meta" + "-" + goos + "-" + goarch + ".exe"
+	} else {
+		updateExeName = "clash.meta" + "-" + goos + "-" + goarch
+	}
+
+	log.Infoln("updateExeName: %s ,currentExeName: %s", updateExeName, currentExeName)
+
+	backupExeName = filepath.Join(backupDir, filepath.Base(exePath))
+	updateExeName = filepath.Join(updateDir, updateExeName)
+
+	log.Infoln(
+		"updater: updating using url: %s",
+		packageURL,
+	)
+
+	currentExeName = exePath
+	_, err = os.Stat(currentExeName)
+	if err != nil {
+		return fmt.Errorf("checking %q: %w", currentExeName, err)
+	}
+
+	return nil
+}
+
+// unpack extracts the files from the downloaded archive.
+func unpack() error {
+	var err error
+	_, pkgNameOnly := filepath.Split(packageURL)
+
+	log.Debugln("updater: unpacking package")
+	if strings.HasSuffix(pkgNameOnly, ".zip") {
+		unpackedFile, err = zipFileUnpack(packageName, updateDir)
+		if err != nil {
+			return fmt.Errorf(".zip unpack failed: %w", err)
+		}
+
+	} else if strings.HasSuffix(pkgNameOnly, ".gz") {
+		unpackedFile, err = gzFileUnpack(packageName, updateDir)
+		if err != nil {
+			return fmt.Errorf(".gz unpack failed: %w", err)
+		}
+
+	} else {
+		return fmt.Errorf("unknown package extension")
+	}
+
+	return nil
+}
+
+// replace moves the current executable with the updated one and also copies the
+// supporting files.
+func replace() error {
+	//err := copySupportingFiles(unpackedFiles, updateDir, workDir)
+	//if err != nil {
+	//	return fmt.Errorf("copySupportingFiles(%s, %s) failed: %w", updateDir, workDir, err)
+	//}
+
+	log.Infoln("updater: renaming: %s to %s", currentExeName, backupExeName)
+	err := os.Rename(currentExeName, backupExeName)
+	if err != nil {
+		return err
+	}
+
+	if goos == "windows" {
+		// rename fails with "File in use" error
+		log.Infoln("copying:%s to %s", updateExeName, currentExeName)
+		err = copyFile(updateExeName, currentExeName)
+	} else {
+		err = os.Rename(updateExeName, currentExeName)
+	}
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// clean removes the temporary directory itself and all it's contents.
+func clean() {
+	_ = os.RemoveAll(updateDir)
+}
+
+// MaxPackageFileSize is a maximum package file length in bytes. The largest
+// package whose size is limited by this constant currently has the size of
+// approximately 9 MiB.
+const MaxPackageFileSize = 32 * 1024 * 1024
+
+// Download package file and save it to disk
+func downloadPackageFile() (err error) {
+	// var resp *http.Response
+	// resp, err = client.Get(packageURL)
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*90)
+	defer cancel()
+	resp, err := clashHttp.HttpRequest(ctx, packageURL, http.MethodGet, http.Header{"User-Agent": {"clash"}}, nil)
+	if err != nil {
+		return fmt.Errorf("http request failed: %w", err)
+	}
+
+	defer func() {
+		closeErr := resp.Body.Close()
+		if closeErr != nil && err == nil {
+			err = closeErr
+		}
+	}()
+
+	var r io.Reader
+	r, err = LimitReader(resp.Body, MaxPackageFileSize)
+	if err != nil {
+		return fmt.Errorf("http request failed: %w", err)
+	}
+
+	log.Debugln("updater: reading http body")
+	// This use of ReadAll is now safe, because we limited body's Reader.
+	body, err := io.ReadAll(r)
+	if err != nil {
+		return fmt.Errorf("io.ReadAll() failed: %w", err)
+	}
+
+	log.Debugln("updateDir %s", updateDir)
+	err = os.Mkdir(updateDir, 0o755)
+	if err != nil {
+		fmt.Errorf("mkdir error: %w", err)
+	}
+
+	log.Debugln("updater: saving package to file %s", packageName)
+	err = os.WriteFile(packageName, body, 0o755)
+	if err != nil {
+		return fmt.Errorf("os.WriteFile() failed: %w", err)
+	}
+	return nil
+}
+
+// Unpack a single .gz file to the specified directory
+// Existing files are overwritten
+// All files are created inside outDir, subdirectories are not created
+// Return the output file name
+func gzFileUnpack(gzfile, outDir string) (string, error) {
+	f, err := os.Open(gzfile)
+	if err != nil {
+		return "", fmt.Errorf("os.Open(): %w", err)
+	}
+
+	defer func() {
+		closeErr := f.Close()
+		if closeErr != nil && err == nil {
+			err = closeErr
+		}
+	}()
+
+	gzReader, err := gzip.NewReader(f)
+	if err != nil {
+		return "", fmt.Errorf("gzip.NewReader(): %w", err)
+	}
+
+	defer func() {
+		closeErr := gzReader.Close()
+		if closeErr != nil && err == nil {
+			err = closeErr
+		}
+	}()
+	// Get the original file name from the .gz file header
+	originalName := gzReader.Header.Name
+	if originalName == "" {
+		// Fallback: remove the .gz extension from the input file name if the header doesn't provide the original name
+		originalName = filepath.Base(gzfile)
+		originalName = strings.TrimSuffix(originalName, ".gz")
+	}
+
+	outputName := filepath.Join(outDir, originalName)
+
+	// Create the output file
+	wc, err := os.OpenFile(
+		outputName,
+		os.O_WRONLY|os.O_CREATE|os.O_TRUNC,
+		0o755,
+	)
+	if err != nil {
+		return "", fmt.Errorf("os.OpenFile(%s): %w", outputName, err)
+	}
+
+	defer func() {
+		closeErr := wc.Close()
+		if closeErr != nil && err == nil {
+			err = closeErr
+		}
+	}()
+
+	// Copy the contents of the gzReader to the output file
+	_, err = io.Copy(wc, gzReader)
+	if err != nil {
+		return "", fmt.Errorf("io.Copy(): %w", err)
+	}
+
+	return outputName, nil
+}
+
+// Unpack a single file from .zip file to the specified directory
+// Existing files are overwritten
+// All files are created inside 'outDir', subdirectories are not created
+// Return the output file name
+func zipFileUnpack(zipfile, outDir string) (string, error) {
+	zrc, err := zip.OpenReader(zipfile)
+	if err != nil {
+		return "", fmt.Errorf("zip.OpenReader(): %w", err)
+	}
+
+	defer func() {
+		closeErr := zrc.Close()
+		if closeErr != nil && err == nil {
+			err = closeErr
+		}
+	}()
+	if len(zrc.File) == 0 {
+		return "", fmt.Errorf("no files in the zip archive")
+	}
+
+	// Assuming the first file in the zip archive is the target file
+	zf := zrc.File[0]
+	var rc io.ReadCloser
+	rc, err = zf.Open()
+	if err != nil {
+		return "", fmt.Errorf("zip file Open(): %w", err)
+	}
+
+	defer func() {
+		closeErr := rc.Close()
+		if closeErr != nil && err == nil {
+			err = closeErr
+		}
+	}()
+	fi := zf.FileInfo()
+	name := fi.Name()
+	outputName := filepath.Join(outDir, name)
+
+	if fi.IsDir() {
+		return "", fmt.Errorf("the target file is a directory")
+	}
+
+	var wc io.WriteCloser
+	wc, err = os.OpenFile(outputName, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, fi.Mode())
+	if err != nil {
+		return "", fmt.Errorf("os.OpenFile(): %w", err)
+	}
+
+	defer func() {
+		closeErr := wc.Close()
+		if closeErr != nil && err == nil {
+			err = closeErr
+		}
+	}()
+	_, err = io.Copy(wc, rc)
+	if err != nil {
+		return "", fmt.Errorf("io.Copy(): %w", err)
+	}
+
+	return outputName, nil
+}
+
+// Copy file on disk
+func copyFile(src, dst string) error {
+	d, e := os.ReadFile(src)
+	if e != nil {
+		return e
+	}
+	e = os.WriteFile(dst, d, 0o644)
+	if e != nil {
+		return e
+	}
+	return nil
+}
+
+func getLatestVersion() (version string, err error) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
+	defer cancel()
+	resp, err := clashHttp.HttpRequest(ctx, versionURL, http.MethodGet, http.Header{"User-Agent": {"clash"}}, nil)
+	if err != nil {
+		return "", fmt.Errorf("get Latest Version fail: %w", err)
+	}
+	defer func() {
+		closeErr := resp.Body.Close()
+		if closeErr != nil && err == nil {
+			err = closeErr
+		}
+	}()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", fmt.Errorf("get Latest Version fail: %w", err)
+	}
+	content := strings.TrimRight(string(body), "\n")
+	log.Infoln("latest:%s", content)
+	return content, nil
+}
+
+func updateDownloadURL() {
+	var middle string
+
+	if goarch == "arm" && goarm != "" {
+		middle = fmt.Sprintf("-%s-%sv%s-%s", goos, goarch, goarm, latestVersion)
+	} else if isMIPS(goarch) && gomips != "" {
+		middle = fmt.Sprintf("-%s-%s-%s-%s", goos, goarch, gomips, latestVersion)
+	} else {
+		middle = fmt.Sprintf("-%s-%s-%s", goos, goarch, latestVersion)
+	}
+
+	if goos == "windows" {
+		middle += ".zip"
+	} else {
+		middle += ".gz"
+	}
+	packageURL = baseURL + middle
+	//log.Infoln(packageURL)
+}
+
+// isMIPS returns true if arch is any MIPS architecture.
+func isMIPS(arch string) (ok bool) {
+	switch arch {
+	case
+		"mips",
+		"mips64",
+		"mips64le",
+		"mipsle":
+		return true
+	default:
+		return false
+	}
+}
--- a/listener/config/shadowsocks.go
+++ b/listener/config/shadowsocks.go
@ -9,6 +9,7 @@ type ShadowsocksServer struct {
 	Listen   string
 	Password string
 	Cipher   string
+	Udp      bool
 }

 func (t ShadowsocksServer) String() string {
--- a/listener/config/tuic.go
+++ b/listener/config/tuic.go
@ -15,6 +15,7 @@ type TuicServer struct {
 	AuthenticationTimeout int      `yaml:"authentication-timeout" json:"authentication-timeout,omitempty"`
 	ALPN                  []string `yaml:"alpn" json:"alpn,omitempty"`
 	MaxUdpRelayPacketSize int      `yaml:"max-udp-relay-packet-size" json:"max-udp-relay-packet-size,omitempty"`
+	MaxDatagramFrameSize  int      `yaml:"max-datagram-frame-size" json:"max-datagram-frame-size,omitempty"`
 }

 func (t TuicServer) String() string {
--- a/listener/config/tun.go
+++ b/listener/config/tun.go
@ -95,4 +95,5 @@ type Tun struct {
 	ExcludePackage         []string       `yaml:"exclude-package" json:"exclude-package,omitempty"`
 	EndpointIndependentNat bool           `yaml:"endpoint-independent-nat" json:"endpoint-independent-nat,omitempty"`
 	UDPTimeout             int64          `yaml:"udp-timeout" json:"udp-timeout,omitempty"`
+	FileDescriptor         int            `yaml:"file-descriptor" json:"file-descriptor"`
 }
--- a/listener/inbound/shadowsocks.go
+++ b/listener/inbound/shadowsocks.go
@ -11,6 +11,7 @@ type ShadowSocksOption struct {
 	BaseOption
 	Password string `inbound:"password"`
 	Cipher   string `inbound:"cipher"`
+	UDP      bool   `inbound:"udp,omitempty"`
 }

 func (o ShadowSocksOption) Equal(config C.InboundConfig) bool {
@ -37,6 +38,7 @@ func NewShadowSocks(options *ShadowSocksOption) (*ShadowSocks, error) {
 			Listen:   base.RawAddress(),
 			Password: options.Password,
 			Cipher:   options.Cipher,
+			Udp:      options.UDP,
 		},
 	}, nil
 }
--- a/listener/inbound/tproxy.go
+++ b/listener/inbound/tproxy.go
@ -56,13 +56,10 @@ func (t *TProxy) Listen(tcpIn chan<- C.ConnContext, udpIn chan<- C.PacketAdapter
 		return err
 	}
 	if t.udp {
-		if t.lUDP != nil {
-			t.lUDP, err = tproxy.NewUDP(t.RawAddress(), udpIn, natTable, t.Additions()...)
-			if err != nil {
-				return err
-			}
+		t.lUDP, err = tproxy.NewUDP(t.RawAddress(), udpIn, natTable, t.Additions()...)
+		if err != nil {
+			return err
 		}
-
 	}
 	log.Infoln("TProxy[%s] proxy listening at: %s", t.Name(), t.Address())
 	return nil
--- a/listener/inbound/tun.go
+++ b/listener/inbound/tun.go
@ -33,6 +33,7 @@ type TunOption struct {
 	ExcludePackage         []string `inbound:"exclude_package,omitempty"`
 	EndpointIndependentNat bool     `inbound:"endpoint_independent_nat,omitempty"`
 	UDPTimeout             int64    `inbound:"udp_timeout,omitempty"`
+	FileDescriptor         int      `inbound:"file-descriptor,omitempty"`
 }

 func (o TunOption) Equal(config C.InboundConfig) bool {
@ -96,6 +97,7 @@ func NewTun(options *TunOption) (*Tun, error) {
 			ExcludePackage:         options.ExcludePackage,
 			EndpointIndependentNat: options.EndpointIndependentNat,
 			UDPTimeout:             options.UDPTimeout,
+			FileDescriptor:         options.FileDescriptor,
 		},
 	}, nil
 }
--- a/listener/listener.go
+++ b/listener/listener.go
@ -271,6 +271,7 @@ func ReCreateShadowSocks(shadowSocksConfig string, tcpIn chan<- C.ConnContext, u
 			Listen:   addr,
 			Password: password,
 			Cipher:   cipher,
+			Udp:      true,
 		}
 	}

@ -821,7 +822,8 @@ func hasTunConfigChange(tunConf *LC.Tun) bool {
 		LastTunConf.MTU != tunConf.MTU ||
 		LastTunConf.StrictRoute != tunConf.StrictRoute ||
 		LastTunConf.EndpointIndependentNat != tunConf.EndpointIndependentNat ||
-		LastTunConf.UDPTimeout != tunConf.UDPTimeout {
+		LastTunConf.UDPTimeout != tunConf.UDPTimeout ||
+		LastTunConf.FileDescriptor != tunConf.FileDescriptor {
 		return true
 	}

--- a/listener/parse.go
+++ b/listener/parse.go
@ -73,7 +73,7 @@ func ParseListener(mapping map[string]any) (C.InboundListener, error) {
 		}
 		listener, err = IN.NewTun(tunOption)
 	case "shadowsocks":
-		shadowsocksOption := &IN.ShadowSocksOption{}
+		shadowsocksOption := &IN.ShadowSocksOption{UDP: true}
 		err = decoder.Decode(mapping, shadowsocksOption)
 		if err != nil {
 			return nil, err
--- a/listener/shadowsocks/tcp.go
+++ b/listener/shadowsocks/tcp.go
@ -33,12 +33,14 @@ func New(config LC.ShadowsocksServer, tcpIn chan<- C.ConnContext, udpIn chan<- C
 	for _, addr := range strings.Split(config.Listen, ",") {
 		addr := addr

-		//UDP
-		ul, err := NewUDP(addr, pickCipher, udpIn)
-		if err != nil {
-			return nil, err
+		if config.Udp {
+			//UDP
+			ul, err := NewUDP(addr, pickCipher, udpIn)
+			if err != nil {
+				return nil, err
+			}
+			sl.udpListeners = append(sl.udpListeners, ul)
 		}
-		sl.udpListeners = append(sl.udpListeners, ul)

 		//TCP
 		l, err := inbound.Listen("tcp", addr)
--- a/listener/sing/sing.go
+++ b/listener/sing/sing.go
@ -5,6 +5,7 @@ import (
 	"errors"
 	"golang.org/x/exp/slices"
 	"net"
+	"net/netip"
 	"sync"
 	"time"

@ -24,10 +25,11 @@ import (
 const UDPTimeout = 5 * time.Minute

 type ListenerHandler struct {
-	TcpIn     chan<- C.ConnContext
-	UdpIn     chan<- C.PacketAdapter
-	Type      C.Type
-	Additions []inbound.Addition
+	TcpIn      chan<- C.ConnContext
+	UdpIn      chan<- C.PacketAdapter
+	Type       C.Type
+	Additions  []inbound.Addition
+	UDPTimeout time.Duration
 }

 type waitCloseConn struct {
@ -61,9 +63,16 @@ func (h *ListenerHandler) NewConnection(ctx context.Context, conn net.Conn, meta
 	switch metadata.Destination.Fqdn {
 	case vmess.MuxDestination.Fqdn:
 		return vmess.HandleMuxConnection(ctx, conn, h)
-	case uot.UOTMagicAddress:
-		metadata.Destination = M.Socksaddr{}
-		return h.NewPacketConnection(ctx, uot.NewClientConn(conn), metadata)
+	case uot.MagicAddress:
+		request, err := uot.ReadRequest(conn)
+		if err != nil {
+			return E.Cause(err, "read UoT request")
+		}
+		metadata.Destination = request.Destination
+		return h.NewPacketConnection(ctx, uot.NewConn(conn, *request), metadata)
+	case uot.LegacyMagicAddress:
+		metadata.Destination = M.Socksaddr{Addr: netip.IPv4Unspecified()}
+		return h.NewPacketConnection(ctx, uot.NewConn(conn, uot.Request{}), metadata)
 	}
 	target := socks5.ParseAddr(metadata.Destination.String())
 	wg := &sync.WaitGroup{}
@ -151,6 +160,9 @@ func (c *packet) WriteBack(b []byte, addr net.Addr) (n int, err error) {
 		return
 	}
 	err = conn.WritePacket(buff, M.SocksaddrFromNet(addr))
+	if err != nil {
+		return
+	}
 	return
 }

--- a/listener/sing_shadowsocks/server.go
+++ b/listener/sing_shadowsocks/server.go
@ -76,37 +76,39 @@ func New(config LC.ShadowsocksServer, tcpIn chan<- C.ConnContext, udpIn chan<- C
 	for _, addr := range strings.Split(config.Listen, ",") {
 		addr := addr

-		//UDP
-		ul, err := net.ListenPacket("udp", addr)
-		if err != nil {
-			return nil, err
-		}
-
-		err = sockopt.UDPReuseaddr(ul.(*net.UDPConn))
-		if err != nil {
-			log.Warnln("Failed to Reuse UDP Address: %s", err)
-		}
-
-		sl.udpListeners = append(sl.udpListeners, ul)
-
-		go func() {
-			conn := bufio.NewPacketConn(ul)
-			for {
-				buff := buf.NewPacket()
-				remoteAddr, err := conn.ReadPacket(buff)
-				if err != nil {
-					buff.Release()
-					if sl.closed {
-						break
-					}
-					continue
-				}
-				_ = sl.service.NewPacket(context.TODO(), conn, buff, metadata.Metadata{
-					Protocol: "shadowsocks",
-					Source:   remoteAddr,
-				})
+		if config.Udp {
+			//UDP
+			ul, err := net.ListenPacket("udp", addr)
+			if err != nil {
+				return nil, err
 			}
-		}()
+
+			err = sockopt.UDPReuseaddr(ul.(*net.UDPConn))
+			if err != nil {
+				log.Warnln("Failed to Reuse UDP Address: %s", err)
+			}
+
+			sl.udpListeners = append(sl.udpListeners, ul)
+
+			go func() {
+				conn := bufio.NewPacketConn(ul)
+				for {
+					buff := buf.NewPacket()
+					remoteAddr, err := conn.ReadPacket(buff)
+					if err != nil {
+						buff.Release()
+						if sl.closed {
+							break
+						}
+						continue
+					}
+					_ = sl.service.NewPacket(context.TODO(), conn, buff, metadata.Metadata{
+						Protocol: "shadowsocks",
+						Source:   remoteAddr,
+					})
+				}
+			}()
+		}

 		//TCP
 		l, err := inbound.Listen("tcp", addr)
--- a/listener/sing_tun/dns.go
+++ b/listener/sing_tun/dns.go
@ -110,7 +110,10 @@ func (h *ListenerHandler) NewPacketConnection(ctx context.Context, conn network.
 			conn2 = nil
 		}()
 		for {
-			buff := buf.NewPacket()
+			// safe size which is 1232 from https://dnsflagday.net/2020/.
+			// so 2048 is enough
+			buff := buf.NewSize(2 * 1024)
+			_ = conn.SetReadDeadline(time.Now().Add(DefaultDnsReadTimeout))
 			dest, err := conn.ReadPacket(buff)
 			if err != nil {
 				buff.Release()
--- a/listener/sing_tun/server.go
+++ b/listener/sing_tun/server.go
@ -8,6 +8,7 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
+	"time"

 	"github.com/Dreamacro/clash/adapter/inbound"
 	"github.com/Dreamacro/clash/component/dialer"
@ -151,10 +152,11 @@ func New(options LC.Tun, tcpIn chan<- C.ConnContext, udpIn chan<- C.PacketAdapte

 	handler := &ListenerHandler{
 		ListenerHandler: sing.ListenerHandler{
-			TcpIn:     tcpIn,
-			UdpIn:     udpIn,
-			Type:      C.TUN,
-			Additions: additions,
+			TcpIn:      tcpIn,
+			UdpIn:      udpIn,
+			Type:       C.TUN,
+			Additions:  additions,
+			UDPTimeout: time.Second * time.Duration(udpTimeout),
 		},
 		DnsAdds: dnsAdds,
 	}
@ -212,6 +214,7 @@ func New(options LC.Tun, tcpIn chan<- C.ConnContext, udpIn chan<- C.PacketAdapte
 		IncludeAndroidUser: options.IncludeAndroidUser,
 		IncludePackage:     options.IncludePackage,
 		ExcludePackage:     options.ExcludePackage,
+		FileDescriptor:     options.FileDescriptor,
 		InterfaceMonitor:   defaultInterfaceMonitor,
 		TableIndex:         2022,
 	}
--- a/listener/tuic/server.go
+++ b/listener/tuic/server.go
@ -61,6 +61,16 @@ func New(config LC.TuicServer, tcpIn chan<- C.ConnContext, udpIn chan<- C.Packet
 	quicConfig.InitialConnectionReceiveWindow = tuic.DefaultConnectionReceiveWindow / 10
 	quicConfig.MaxConnectionReceiveWindow = tuic.DefaultConnectionReceiveWindow

+	if config.MaxUdpRelayPacketSize == 0 {
+		config.MaxUdpRelayPacketSize = 1500
+	}
+	maxDatagramFrameSize := config.MaxUdpRelayPacketSize + tuic.PacketOverHead
+	if maxDatagramFrameSize > 1400 {
+		maxDatagramFrameSize = 1400
+	}
+	config.MaxUdpRelayPacketSize = maxDatagramFrameSize - tuic.PacketOverHead
+	quicConfig.MaxDatagramFrameSize = int64(maxDatagramFrameSize)
+
 	tokens := make([][32]byte, len(config.Token))
 	for i, token := range config.Token {
 		tokens[i] = tuic.GenTKN(token)
--- a/rules/common/domain.go
+++ b/rules/common/domain.go
@ -1,7 +1,6 @@
 package common

 import (
-	"golang.org/x/net/idna"
 	"strings"

 	C "github.com/Dreamacro/clash/constant"
@ -11,7 +10,6 @@ type Domain struct {
 	*Base
 	domain  string
 	adapter string
-	isIDNA  bool
 }

 func (d *Domain) RuleType() C.RuleType {
@ -27,20 +25,14 @@ func (d *Domain) Adapter() string {
 }

 func (d *Domain) Payload() string {
-	domain := d.domain
-	if d.isIDNA {
-		domain, _ = idna.ToUnicode(domain)
-	}
-	return domain
+	return d.domain
 }

 func NewDomain(domain string, adapter string) *Domain {
-	actualDomain, _ := idna.ToASCII(domain)
 	return &Domain{
 		Base:    &Base{},
-		domain:  strings.ToLower(actualDomain),
+		domain:  strings.ToLower(domain),
 		adapter: adapter,
-		isIDNA:  actualDomain != domain,
 	}
 }

--- a/rules/common/domain_keyword.go
+++ b/rules/common/domain_keyword.go
@ -1,7 +1,6 @@
 package common

 import (
-	"golang.org/x/net/idna"
 	"strings"

 	C "github.com/Dreamacro/clash/constant"
@ -11,7 +10,6 @@ type DomainKeyword struct {
 	*Base
 	keyword string
 	adapter string
-	isIDNA  bool
 }

 func (dk *DomainKeyword) RuleType() C.RuleType {
@ -28,20 +26,14 @@ func (dk *DomainKeyword) Adapter() string {
 }

 func (dk *DomainKeyword) Payload() string {
-	keyword := dk.keyword
-	if dk.isIDNA {
-		keyword, _ = idna.ToUnicode(keyword)
-	}
-	return keyword
+	return dk.keyword
 }

 func NewDomainKeyword(keyword string, adapter string) *DomainKeyword {
-	actualDomainKeyword, _ := idna.ToASCII(keyword)
 	return &DomainKeyword{
 		Base:    &Base{},
-		keyword: strings.ToLower(actualDomainKeyword),
+		keyword: strings.ToLower(keyword),
 		adapter: adapter,
-		isIDNA:  keyword != actualDomainKeyword,
 	}
 }

--- a/rules/common/domain_suffix.go
+++ b/rules/common/domain_suffix.go
@ -1,7 +1,6 @@
 package common

 import (
-	"golang.org/x/net/idna"
 	"strings"

 	C "github.com/Dreamacro/clash/constant"
@ -11,7 +10,6 @@ type DomainSuffix struct {
 	*Base
 	suffix  string
 	adapter string
-	isIDNA  bool
 }

 func (ds *DomainSuffix) RuleType() C.RuleType {
@ -28,20 +26,14 @@ func (ds *DomainSuffix) Adapter() string {
 }

 func (ds *DomainSuffix) Payload() string {
-	suffix := ds.suffix
-	if ds.isIDNA {
-		suffix, _ = idna.ToUnicode(suffix)
-	}
-	return suffix
+	return ds.suffix
 }

 func NewDomainSuffix(suffix string, adapter string) *DomainSuffix {
-	actualDomainSuffix, _ := idna.ToASCII(suffix)
 	return &DomainSuffix{
 		Base:    &Base{},
-		suffix:  strings.ToLower(actualDomainSuffix),
+		suffix:  strings.ToLower(suffix),
 		adapter: adapter,
-		isIDNA:  suffix != actualDomainSuffix,
 	}
 }

--- a/rules/common/network_type.go
+++ b/rules/common/network_type.go
@ -21,10 +21,8 @@ func NewNetworkType(network, adapter string) (*NetworkType, error) {
 	switch strings.ToUpper(network) {
 	case "TCP":
 		ntType.network = C.TCP
-		break
 	case "UDP":
 		ntType.network = C.UDP
-		break
 	default:
 		return nil, fmt.Errorf("unsupported network type, only TCP/UDP")
 	}
--- a/rules/provider/domain_strategy.go
+++ b/rules/provider/domain_strategy.go
@ -3,13 +3,11 @@ package provider
 import (
 	"github.com/Dreamacro/clash/component/trie"
 	C "github.com/Dreamacro/clash/constant"
-	"github.com/Dreamacro/clash/log"
-	"golang.org/x/net/idna"
 )

 type domainStrategy struct {
 	count       int
-	domainRules *trie.DomainTrie[struct{}]
+	domainRules *trie.DomainSet
 }

 func (d *domainStrategy) ShouldFindProcess() bool {
@ -17,7 +15,7 @@ func (d *domainStrategy) ShouldFindProcess() bool {
 }

 func (d *domainStrategy) Match(metadata *C.Metadata) bool {
-	return d.domainRules != nil && d.domainRules.Search(metadata.RuleHost()) != nil
+	return d.domainRules != nil && d.domainRules.Has(metadata.RuleHost())
 }

 func (d *domainStrategy) Count() int {
@ -29,21 +27,9 @@ func (d *domainStrategy) ShouldResolveIP() bool {
 }

 func (d *domainStrategy) OnUpdate(rules []string) {
-	domainTrie := trie.New[struct{}]()
-	count := 0
-	for _, rule := range rules {
-		actualDomain, _ := idna.ToASCII(rule)
-		err := domainTrie.Insert(actualDomain, struct{}{})
-		if err != nil {
-			log.Warnln("invalid domain:[%s]", rule)
-		} else {
-			count++
-		}
-	}
-	domainTrie.Optimize()
-
+	domainTrie := trie.NewDomainSet(rules)
 	d.domainRules = domainTrie
-	d.count = count
+	d.count = len(rules)
 }

 func NewDomainStrategy() *domainStrategy {
--- a/transport/hysteria/conns/faketcp/tcp_linux.go
+++ b/transport/hysteria/conns/faketcp/tcp_linux.go
@ -1,5 +1,5 @@
-//go:build linux
-// +build linux
+//go:build linux && !no_fake_tcp
+// +build linux,!no_fake_tcp

 package faketcp

--- a/transport/hysteria/conns/faketcp/tcp_stub.go
+++ b/transport/hysteria/conns/faketcp/tcp_stub.go
@ -1,5 +1,5 @@
-//go:build !linux
-// +build !linux
+//go:build !linux || no_fake_tcp
+// +build !linux no_fake_tcp

 package faketcp

--- a/transport/restls/restls.go
+++ b/transport/restls/restls.go
@ -0,0 +1,39 @@
+package restls
+
+import (
+	"context"
+	"net"
+
+	tls "github.com/3andne/restls-client-go"
+)
+
+const (
+	Mode string = "restls"
+)
+
+type Restls struct {
+	*tls.UConn
+}
+
+func (r *Restls) Upstream() any {
+	return r.UConn.NetConn()
+}
+
+// NewRestls return a Restls Connection
+func NewRestls(ctx context.Context, conn net.Conn, config *tls.Config) (net.Conn, error) {
+	clientHellowID := tls.HelloChrome_Auto
+	if config != nil {
+		clientIDPtr := config.ClientID.Load()
+		if clientIDPtr != nil {
+			clientHellowID = *clientIDPtr
+		}
+	}
+	restls := &Restls{
+		UConn: tls.UClient(conn, config, clientHellowID),
+	}
+	if err := restls.HandshakeContext(ctx); err != nil {
+		return nil, err
+	}
+
+	return restls, nil
+}
--- a/transport/tuic/conn.go
+++ b/transport/tuic/conn.go
@ -1,7 +1,6 @@
 package tuic

 import (
-	"fmt"
 	"net"
 	"net/netip"
 	"sync"
@ -200,8 +199,8 @@ func (q *quicStreamPacketConn) ReadFrom(p []byte) (n int, addr net.Addr, err err
 }

 func (q *quicStreamPacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
-	if len(p) > q.maxUdpRelayPacketSize {
-		return 0, fmt.Errorf("udp packet too large(%d > %d)", len(p), q.maxUdpRelayPacketSize)
+	if q.udpRelayMode != "quic" && len(p) > q.maxUdpRelayPacketSize {
+		return 0, quic.ErrMessageTooLarge(q.maxUdpRelayPacketSize)
 	}
 	if q.closed {
 		return 0, net.ErrClosed
@ -215,7 +214,6 @@ func (q *quicStreamPacketConn) WriteTo(p []byte, addr net.Addr) (n int, err erro
 			q.deferQuicConnFn(q.quicConn, err)
 		}()
 	}
-	addr.String()
 	buf := pool.GetBuffer()
 	defer pool.PutBuffer(buf)
 	addrPort, err := netip.ParseAddrPort(addr.String())
@ -239,7 +237,8 @@ func (q *quicStreamPacketConn) WriteTo(p []byte, addr net.Addr) (n int, err erro
 			return
 		}
 	default: // native
-		err = q.quicConn.SendMessage(buf.Bytes())
+		data := buf.Bytes()
+		err = q.quicConn.SendMessage(data)
 		if err != nil {
 			return
 		}
--- a/transport/tuic/protocol.go
+++ b/transport/tuic/protocol.go
@ -114,9 +114,6 @@ func NewAuthenticate(TKN [32]byte) Authenticate {

 func ReadAuthenticateWithHead(head CommandHead, reader BufferedReader) (c Authenticate, err error) {
 	c.CommandHead = head
-	if err != nil {
-		return
-	}
 	if c.CommandHead.TYPE != AuthenticateType {
 		err = fmt.Errorf("error command type: %s", c.CommandHead.TYPE)
 		return
@ -170,9 +167,6 @@ func NewConnect(ADDR Address) Connect {

 func ReadConnectWithHead(head CommandHead, reader BufferedReader) (c Connect, err error) {
 	c.CommandHead = head
-	if err != nil {
-		return
-	}
 	if c.CommandHead.TYPE != ConnectType {
 		err = fmt.Errorf("error command type: %s", c.CommandHead.TYPE)
 		return
@ -228,9 +222,6 @@ func NewPacket(ASSOC_ID uint32, LEN uint16, ADDR Address, DATA []byte) Packet {

 func ReadPacketWithHead(head CommandHead, reader BufferedReader) (c Packet, err error) {
 	c.CommandHead = head
-	if err != nil {
-		return
-	}
 	if c.CommandHead.TYPE != PacketType {
 		err = fmt.Errorf("error command type: %s", c.CommandHead.TYPE)
 		return
@ -291,6 +282,8 @@ func (c Packet) BytesLen() int {
 	return c.CommandHead.BytesLen() + 4 + 2 + c.ADDR.BytesLen() + len(c.DATA)
 }

+var PacketOverHead = NewPacket(0, 0, NewAddressAddrPort(netip.AddrPortFrom(netip.IPv6Unspecified(), 0)), nil).BytesLen()
+
 type Dissociate struct {
 	CommandHead
 	ASSOC_ID uint32
@ -305,9 +298,6 @@ func NewDissociate(ASSOC_ID uint32) Dissociate {

 func ReadDissociateWithHead(head CommandHead, reader BufferedReader) (c Dissociate, err error) {
 	c.CommandHead = head
-	if err != nil {
-		return
-	}
 	if c.CommandHead.TYPE != DissociateType {
 		err = fmt.Errorf("error command type: %s", c.CommandHead.TYPE)
 		return
@ -476,15 +466,17 @@ func NewAddress(metadata *C.Metadata) Address {

 func NewAddressAddrPort(addrPort netip.AddrPort) Address {
 	var addrType byte
-	if addrPort.Addr().Is4() {
+	port := addrPort.Port()
+	addr := addrPort.Addr().Unmap()
+	if addr.Is4() {
 		addrType = AtypIPv4
 	} else {
 		addrType = AtypIPv6
 	}
 	return Address{
 		TYPE: addrType,
-		ADDR: addrPort.Addr().AsSlice(),
-		PORT: addrPort.Port(),
+		ADDR: addr.AsSlice(),
+		PORT: port,
 	}
 }

--- a/transport/tuic/server.go
+++ b/transport/tuic/server.go
@ -56,14 +56,10 @@ func (s *Server) Serve() error {
 			return err
 		}
 		SetCongestionController(conn, s.CongestionController)
-		uuid, err := utils.UnsafeUUIDGenerator.NewV4()
-		if err != nil {
-			return err
-		}
 		h := &serverHandler{
 			Server:   s,
 			quicConn: conn,
-			uuid:     uuid,
+			uuid:     utils.NewUUIDV4(),
 			authCh:   make(chan struct{}),
 		}
 		go h.handle()
@ -154,14 +150,10 @@ func (s *serverHandler) parsePacket(packet Packet, udpRelayMode string) (err err
 	return s.HandleUdpFn(packet.ADDR.SocksAddr(), &serverUDPPacket{
 		pc:     pc,
 		packet: &packet,
-		rAddr:  s.genServerAssocIdAddr(assocId, s.quicConn.RemoteAddr()),
+		rAddr:  N.NewCustomAddr("tuic", fmt.Sprintf("tuic-%s-%d", s.uuid, assocId), s.quicConn.RemoteAddr()), // for tunnel's handleUDPConn
 	})
 }

-func (s *serverHandler) genServerAssocIdAddr(assocId uint32, addr net.Addr) net.Addr {
-	return &ServerAssocIdAddr{assocId: fmt.Sprintf("tuic-%s-%d", s.uuid.String(), assocId), addr: addr}
-}
-
 func (s *serverHandler) handleStream() (err error) {
 	for {
 		var quicStream quic.Stream
@ -276,23 +268,6 @@ func (s *serverHandler) handleUniStream() (err error) {
 	}
 }

-type ServerAssocIdAddr struct {
-	assocId string
-	addr    net.Addr
-}
-
-func (a ServerAssocIdAddr) Network() string {
-	return "ServerAssocIdAddr"
-}
-
-func (a ServerAssocIdAddr) String() string {
-	return a.assocId
-}
-
-func (a ServerAssocIdAddr) RawAddr() net.Addr {
-	return a.addr
-}
-
 type serverUDPPacket struct {
 	pc     *quicStreamPacketConn
 	packet *Packet
--- a/transport/vless/vision.go
+++ b/transport/vless/vision.go
@ -3,7 +3,6 @@ package vless
 import (
 	"bytes"
 	"encoding/binary"
-	"sync"

 	"github.com/Dreamacro/clash/common/buf"
 	"github.com/Dreamacro/clash/log"
@ -20,12 +19,9 @@ const (
 	commandPaddingDirect   byte = 0x02
 )

-var mutex sync.RWMutex
-
 func WriteWithPadding(buffer *buf.Buffer, p []byte, command byte, userUUID *uuid.UUID, paddingTLS bool) {
 	contentLen := int32(len(p))
 	var paddingLen int32
-	mutex.Lock()
 	if contentLen < 900 {
 		if paddingTLS {
 			//log.Debugln("long padding")
@ -34,8 +30,7 @@ func WriteWithPadding(buffer *buf.Buffer, p []byte, command byte, userUUID *uuid
 			paddingLen = fastrand.Int31n(256)
 		}
 	}
-	mutex.Unlock()
-	if userUUID != nil { // unnecessary, but keep the same with Xray
+	if userUUID != nil {
 		buffer.Write(userUUID.Bytes())
 	}

@ -51,7 +46,6 @@ func WriteWithPadding(buffer *buf.Buffer, p []byte, command byte, userUUID *uuid
 func ApplyPadding(buffer *buf.Buffer, command byte, userUUID *uuid.UUID, paddingTLS bool) {
 	contentLen := int32(buffer.Len())
 	var paddingLen int32
-	mutex.Lock()
 	if contentLen < 900 {
 		if paddingTLS {
 			//log.Debugln("long padding")
@ -60,12 +54,11 @@ func ApplyPadding(buffer *buf.Buffer, command byte, userUUID *uuid.UUID, padding
 			paddingLen = fastrand.Int31n(256)
 		}
 	}
-	mutex.Unlock()

 	binary.BigEndian.PutUint16(buffer.ExtendHeader(2), uint16(paddingLen))
 	binary.BigEndian.PutUint16(buffer.ExtendHeader(2), uint16(contentLen))
 	buffer.ExtendHeader(1)[0] = command
-	if userUUID != nil { // unnecessary, but keep the same with Xray
+	if userUUID != nil {
 		copy(buffer.ExtendHeader(uuid.Size), userUUID.Bytes())
 	}

--- a/tunnel/connection.go
+++ b/tunnel/connection.go
@ -46,7 +46,8 @@ func handleUDPToLocal(packet C.UDPPacket, pc net.PacketConn, key string, oAddr,
 		}

 		fromUDPAddr := from.(*net.UDPAddr)
-		fromUDPAddr = &(*fromUDPAddr) // make a copy
+		_fromUDPAddr := *fromUDPAddr
+		fromUDPAddr = &_fromUDPAddr // make a copy
 		if fromAddr, ok := netip.AddrFromSlice(fromUDPAddr.IP); ok {
 			if fAddr.IsValid() && (oAddr.Unmap() == fromAddr.Unmap()) {
 				fromUDPAddr.IP = fAddr.Unmap().AsSlice()
--- a/tunnel/statistic/tracker.go
+++ b/tunnel/statistic/tracker.go
@ -83,7 +83,6 @@ func (tt *tcpTracker) Upstream() any {
 }

 func NewTCPTracker(conn C.Conn, manager *Manager, metadata *C.Metadata, rule C.Rule, uploadTotal int64, downloadTotal int64) *tcpTracker {
-	uuid, _ := utils.UnsafeUUIDGenerator.NewV4()
 	if conn != nil {
 		if tcpAddr, ok := conn.RemoteAddr().(*net.TCPAddr); ok {
 			metadata.RemoteDst = tcpAddr.IP.String()
@ -96,7 +95,7 @@ func NewTCPTracker(conn C.Conn, manager *Manager, metadata *C.Metadata, rule C.R
 		Conn:    conn,
 		manager: manager,
 		trackerInfo: &trackerInfo{
-			UUID:          uuid,
+			UUID:          utils.NewUUIDV4(),
 			Start:         time.Now(),
 			Metadata:      metadata,
 			Chain:         conn.Chains(),
@ -149,14 +148,13 @@ func (ut *udpTracker) Close() error {
 }

 func NewUDPTracker(conn C.PacketConn, manager *Manager, metadata *C.Metadata, rule C.Rule, uploadTotal int64, downloadTotal int64) *udpTracker {
-	uuid, _ := utils.UnsafeUUIDGenerator.NewV4()
 	metadata.RemoteDst = conn.RemoteDestination()

 	ut := &udpTracker{
 		PacketConn: conn,
 		manager:    manager,
 		trackerInfo: &trackerInfo{
-			UUID:          uuid,
+			UUID:          utils.NewUUIDV4(),
 			Start:         time.Now(),
 			Metadata:      metadata,
 			Chain:         conn.Chains(),
--- a/tunnel/status.go
+++ b/tunnel/status.go
@ -0,0 +1,92 @@
+package tunnel
+
+import (
+	"encoding/json"
+	"errors"
+	"strings"
+	"sync/atomic"
+)
+
+type TunnelStatus int
+
+// StatusMapping is a mapping for Status enum
+var StatusMapping = map[string]TunnelStatus{
+	Suspend.String(): Suspend,
+	Inner.String():   Inner,
+	Running.String(): Running,
+}
+
+const (
+	Suspend TunnelStatus = iota
+	Inner
+	Running
+)
+
+// UnmarshalJSON unserialize Status
+func (s *TunnelStatus) UnmarshalJSON(data []byte) error {
+	var tp string
+	json.Unmarshal(data, &tp)
+	status, exist := StatusMapping[strings.ToLower(tp)]
+	if !exist {
+		return errors.New("invalid mode")
+	}
+	*s = status
+	return nil
+}
+
+// UnmarshalYAML unserialize Status with yaml
+func (s *TunnelStatus) UnmarshalYAML(unmarshal func(any) error) error {
+	var tp string
+	unmarshal(&tp)
+	status, exist := StatusMapping[strings.ToLower(tp)]
+	if !exist {
+		return errors.New("invalid status")
+	}
+	*s = status
+	return nil
+}
+
+// MarshalJSON serialize Status
+func (s TunnelStatus) MarshalJSON() ([]byte, error) {
+	return json.Marshal(s.String())
+}
+
+// MarshalYAML serialize TunnelMode with yaml
+func (s TunnelStatus) MarshalYAML() (any, error) {
+	return s.String(), nil
+}
+
+func (s TunnelStatus) String() string {
+	switch s {
+	case Suspend:
+		return "suspend"
+	case Inner:
+		return "inner"
+	case Running:
+		return "running"
+	default:
+		return "Unknown"
+	}
+}
+
+type AtomicStatus struct {
+	value atomic.Int32
+}
+
+func (a *AtomicStatus) Store(s TunnelStatus) {
+	a.value.Store(int32(s))
+}
+
+func (a *AtomicStatus) Load() TunnelStatus {
+	return TunnelStatus(a.value.Load())
+}
+
+func (a *AtomicStatus) String() string {
+	return a.Load().String()
+}
+
+func newAtomicStatus(s TunnelStatus) *AtomicStatus {
+	a := &AtomicStatus{}
+	a.Store(s)
+	return a
+}
--- a/tunnel/tunnel.go
+++ b/tunnel/tunnel.go
@ -26,6 +26,7 @@ import (
 )

 var (
+	status         = newAtomicStatus(Suspend)
 	tcpQueue       = make(chan C.ConnContext, 200)
 	udpQueue       = make(chan C.PacketAdapter, 200)
 	natTable       = nat.New()
@ -49,6 +50,22 @@ var (
 	fakeIPRange netip.Prefix
 )

+func OnSuspend() {
+	status.Store(Suspend)
+}
+
+func OnInnerLoading() {
+	status.Store(Inner)
+}
+
+func OnRunning() {
+	status.Store(Running)
+}
+
+func Status() TunnelStatus {
+	return status.Load()
+}
+
 func SetFakeIPRange(p netip.Prefix) {
 	fakeIPRange = p
 }
@ -158,10 +175,19 @@ func SetFindProcessMode(mode P.FindProcessMode) {
 	findProcessMode = mode
 }

+func isHandle(t C.Type) bool {
+	status := status.Load()
+	return status == Running || (status == Inner && t == C.INNER)
+}
+
 // processUDP starts a loop to handle udp packet
 func processUDP() {
 	queue := udpQueue
 	for conn := range queue {
+		if !isHandle(conn.Metadata().Type) {
+			conn.Drop()
+			continue
+		}
 		handleUDPConn(conn)
 	}
 }
@ -177,6 +203,10 @@ func process() {

 	queue := tcpQueue
 	for conn := range queue {
+		if !isHandle(conn.Metadata().Type) {
+			_ = conn.Conn().Close()
+			continue
+		}
 		go handleTCPConn(conn)
 	}
 }
@ -201,13 +231,18 @@ func preHandleMetadata(metadata *C.Metadata) error {
 			if resolver.FakeIPEnabled() {
 				metadata.DstIP = netip.Addr{}
 				metadata.DNSMode = C.DNSFakeIP
-			} else if node := resolver.DefaultHosts.Search(host); node != nil {
+			} else if node, ok := resolver.DefaultHosts.Search(host, false); ok {
 				// redir-host should lookup the hosts
-				metadata.DstIP = node.Data()
+				metadata.DstIP, _ = node.RandIP()
+			} else if node != nil && node.IsDomain {
+				metadata.Host = node.Domain
 			}
 		} else if resolver.IsFakeIP(metadata.DstIP) {
 			return fmt.Errorf("fake DNS record %s missing", metadata.DstIP)
 		}
+	} else if node, ok := resolver.DefaultHosts.Search(metadata.Host, true); ok {
+		// try use domain mapping
+		metadata.Host = node.Domain
 	}

 	return nil
@ -392,8 +427,8 @@ func handleTCPConn(connCtx C.ConnContext) {

 	dialMetadata := metadata
 	if len(metadata.Host) > 0 {
-		if node := resolver.DefaultHosts.Search(metadata.Host); node != nil {
-			if dstIp := node.Data(); !FakeIPRange().Contains(dstIp) {
+		if node, ok := resolver.DefaultHosts.Search(metadata.Host, false); ok {
+			if dstIp, _ := node.RandIP(); !FakeIPRange().Contains(dstIp) {
 				dialMetadata.DstIP = dstIp
 				dialMetadata.DNSMode = C.DNSHosts
 				dialMetadata = dialMetadata.Pure()
@ -498,8 +533,8 @@ func match(metadata *C.Metadata) (C.Proxy, C.Rule, error) {
 		processFound bool
 	)

-	if node := resolver.DefaultHosts.Search(metadata.Host); node != nil {
-		metadata.DstIP = node.Data()
+	if node, ok := resolver.DefaultHosts.Search(metadata.Host, false); ok {
+		metadata.DstIP, _ = node.RandIP()
 		resolved = true
 	}
Author	SHA1	Message	Date
Skyxim	d4e48d709f	chore: add test case	2023-04-01 11:21:38 +08:00
Skyxim	f54bf2d935	fix: multiple wildcard	2023-04-01 11:17:15 +08:00
Skyxim	971131d951	chore: add comment	2023-04-01 10:52:20 +08:00
Skyxim	07fb529e36	fix: processing data	2023-04-01 10:38:30 +08:00
Skyxim	a6ee3348df	chore: optimized initialization	2023-03-31 23:51:09 +08:00
Skyxim	53b1250cd8	chore: print low_memory tag	2023-03-31 21:03:42 +08:00
Skyxim	3a4b5fb145	chore: remove unused field	2023-03-31 20:57:26 +08:00
Skyxim	858d9de250	chore: default buffer use standard	2023-03-31 20:50:43 +08:00
Skyxim	1e989b68bd	fix: wildcard match	2023-03-31 20:43:49 +08:00
rookisbusy	752074c68e	Merge pull request #475 from rookisbusy/memory adjust buff size,same as sing	2023-03-30 16:45:28 +08:00
rookisbusy	d0663277dc	safe dns buff size	2023-03-30 14:17:25 +08:00
rookisbusy	14a0a3c790	adjust buff size,same as sing	2023-03-30 14:05:05 +08:00
Skyxim	6c9c0bd755	chore: add unit test and adjust logic error	2023-03-30 13:36:14 +08:00
Skyxim	e0cf342672	chore: clean code	2023-03-29 22:55:36 +08:00
Skyxim	7b7a8981a6	chore: trigger gc when the rule is loaded	2023-03-29 22:46:16 +08:00
Skyxim	d462257e53	chore: force memory to be released once after rule loading	2023-03-29 22:39:07 +08:00
Skyxim	2e1c5091c3	chore: do not load cert pool if not necessary	2023-03-29 20:12:12 +08:00
wwqgtxx	ae13418929	fix: broken url	2023-03-29 19:43:06 +08:00
wwqgtxx	ae8913587d	fix: better DomainSet	2023-03-29 18:47:56 +08:00
Skyxim	c486d7c67e	fix: filtering out duplicate domains	2023-03-29 17:40:22 +08:00
Skyxim	4c4f734572	fix: adjust log level	2023-03-29 16:29:37 +08:00
Skyxim	82dddf932a	chore: add classical provider for `nameserver-policy`, and rename `domain-set` to `rule-set`	2023-03-29 16:28:26 +08:00
Skyxim	75ed879121	chore: update docs/config.yaml	2023-03-29 14:34:29 +08:00
Skyxim	5b73942960	chore: reuse cert pool	2023-03-29 14:09:42 +08:00
Skyxim	d305e0ddfc	chore: with_gvisor output	2023-03-29 13:58:37 +08:00
Skyxim	9f7a0052a8	fix: an empty set match will panic	2023-03-29 13:43:10 +08:00
Skyxim	c6873c5c04	chore: add `no_fake_tcp` complie option	2023-03-29 13:35:29 +08:00
Skyxim	c3ed06e99d	chore: sniffer use TrieSet	2023-03-29 13:24:26 +08:00
Skyxim	d52748165f	feat: `nameserver-policy` support domain-set, reduce domain-set memory usage	2023-03-29 13:14:02 +08:00
Larvan2	56e525114d	chore: use inner for upgrade core	2023-03-28 17:37:00 +00:00
Larvan2	1fdd1f702e	chore: better rename	2023-03-28 17:00:21 +00:00
Larvan2	34c91e5fe0	chore: add release branch	2023-03-28 16:40:45 +00:00
Skyxim	6d40de2179	chore: adjust trust cert	2023-03-27 22:27:59 +08:00
Skyxim	6ca14c814e	fix: tproxy listener cannot listen udp	2023-03-27 22:18:54 +08:00
Larvan2	545cbeeec0	chore: skip restart when update error	2023-03-27 00:49:47 +08:00
H1JK	431dcfa914	fix: Converter REALITY security type	2023-03-26 11:03:32 +08:00
Larvan2	4d30788738	chore: clean up code	2023-03-25 22:56:24 +08:00
Larvan2	e4364cc985	chore: update for testing the updater	2023-03-23 21:04:04 +08:00
Larvan2	99ede63a9a	feat: add upgrade api example: curl -X POST -H "Authorization: Bearer 123456" http://ip:port/upgrade	2023-03-23 20:48:20 +08:00
wwqgtxx	291b5be986	chore: move sing-tun's udpTimeout fix to there lib	2023-03-23 19:53:28 +08:00
wwqgtxx	a7944f1369	chore: better geodata shared	2023-03-23 18:58:24 +08:00
wwqgtxx	7e10d78d53	chore: share the same geodata in different rule	2023-03-23 18:35:37 +08:00
wwqgtxx	fd0580bfdd	fix: sing_tun apply udpTimeout when using gvisor stack	2023-03-23 14:05:31 +08:00
Skyxim	5737fbc23c	chore: `proxy-server-nameserver` does not follow the `nameserver-policy`	2023-03-23 12:58:59 +08:00
Larvan2	e026ac6a2a	chore: update xray-core version	2023-03-22 23:45:26 +08:00
wwqgtxx	e7bb1f42b1	chore: update quic-go to release unused buffer when error	2023-03-22 13:01:58 +08:00
Larvan2	a22000c41b	Update README.md	2023-03-21 23:56:40 +08:00
wwqgtxx	0336435ebc	chore: shadowsocks listener support the "udp" setting	2023-03-21 12:40:36 +08:00
metacubex	154fbb34ea	fix: log typo	2023-03-21 00:45:25 +08:00
H1JK	3e47bfacf0	feat: Converter support REALITY share standard	2023-03-19 17:31:52 +08:00
metacubex	9316c1293e	fix: geosite of nameserver-policy cannot be loaded correctly	2023-03-18 22:33:39 +08:00
Larvan2	f6f02bb5eb	fix: ToLower first	2023-03-18 22:20:31 +08:00
Phie Ash	84967ace53	Update flake.nix (#452 )	2023-03-18 19:55:29 +08:00
Larvan2	c7362fce9c	chore: do not modify ALPN in utls	2023-03-17 14:49:42 +08:00
世界	8cb67b6480	Update UoT protocol	2023-03-17 13:23:45 +08:00
wwqgtxx	3ae4285702	fix: tuic udp native mode can't relay packetSize>1200	2023-03-16 21:09:44 +08:00
wwqgtxx	998d407d44	Feat: support set tun file-descriptor in config file Co-authored-by: DuFoxit <DuFoxit@users.noreply.github.com>	2023-03-15 23:43:58 +08:00
wwqgtxx	520cc807d6	chore: Update dependencies	2023-03-15 18:58:59 +08:00
H1JK	7404bfdc44	chore: Improve REALITY handshake	2023-03-15 15:55:18 +08:00
世界	e8d4f8ae7b	Update UoT protocol	2023-03-15 14:46:35 +08:00
wwqgtxx	f7610ce2ad	chore: better uuid using	2023-03-15 10:10:03 +08:00
wwqgtxx	516c219580	fix: let quic-go works on outbound's packetConn	2023-03-15 09:56:00 +08:00
Skyxim	5d0efb5472	chore: keep existing connections	2023-03-15 09:18:03 +08:00
Skyxim	9d9bd245f3	fix: Adjust the timing of subscription information acquisition	2023-03-15 09:05:16 +08:00
wwqgtxx	53928eb895	chore: better TunnelStatus define	2023-03-15 00:11:31 +08:00
Skyxim	8dda9fdb70	fix: The default interface is actually configured incorrectly	2023-03-14 23:52:27 +08:00
Skyxim	cf7520ec22	chore: disconnect when suspended	2023-03-14 22:57:43 +08:00
wwqgtxx	68d7a6da7f	fix: ensure restart api return ok	2023-03-14 22:38:59 +08:00
Skyxim	09c53e7cb7	chore: Chore: adjust the loading order, and then load the resource at last	2023-03-14 22:37:07 +08:00
wwqgtxx	0f24c2f849	chore: add /restart to restful api	2023-03-14 22:19:12 +08:00
Skyxim	88116d9032	fix: optimize health check	2023-03-14 20:10:52 +08:00
wwqgtxx	6ba82c6d85	chore: cleanup code	2023-03-14 17:45:37 +08:00
wwqgtxx	5816dc2955	chore: better restls	2023-03-14 16:50:27 +08:00
Larvan2	f4251e58a5	chore: clean up code	2023-03-14 14:23:10 +08:00
3andne	2fef00d2a8	Support Restls-V1 in Clash.Meta (#441 ) * feat: impl restls * fix: don't break shadowtls' working * chores: correct restls-client-go version * feat: bump restls-client-go version * fix: consistent naming `client-fingerprint` * docs: update example config * chore: adjust client-fingerprint's snippet --------- Co-authored-by: wwqgtxx <wwqgtxx@gmail.com> Co-authored-by: Larvan2 <78135608+Larvan2@users.noreply.github.com>	2023-03-14 13:33:24 +08:00
Larvan2	2f992e9863	chore: fix issues #440	2023-03-13 21:19:39 +08:00
wwqgtxx	13111081be	fix: SA4001 for net.UDPAddr copy	2023-03-12 23:37:45 +08:00
wwqgtxx	5de043acc6	fix: tuic relay tuic	2023-03-12 19:03:18 +08:00
Skyxim	7d230139a0	fix: rand ip error and `clash` remove loopback ip	2023-03-12 18:44:30 +08:00
Larvan2	0a6c848c9e	feat: nameserver-policy support multiple keys e.g., nameserver-policy: # 'www.baidu.com': '114.114.114.114' # '+.internal.crop.com': '10.0.0.1' "geosite:cn,private,apple": - https://doh.pub/dns-query - https://dns.alidns.com/dns-query "www.baidu.com,+.google.cn": - 223.5.5.5 - 1.1.1.1	2023-03-12 16:56:29 +08:00
Skyxim	074fee2b48	chore: add comment	2023-03-12 15:05:28 +08:00
Skyxim	7f588935ea	feta: add hosts support domain and mulitple ip (#439 ) * feat: host support domain and multiple ips * chore: append local address via `clash` * chore: update hosts demo * chore: unified parse mixed string and array * fix: flatten cname * chore: adjust logic * chore: reuse code * chore: use cname in tunnel * chore: try use domain mapping when normal dns * chore: format code	2023-03-12 15:00:59 +08:00
Larvan2	4b72ae7aab	fix: global-client-fingerprint is now work	2023-03-12 13:35:59 +08:00
H1JK	09b4a7ff15	chore: Remove useless mutex in Vision	2023-03-12 10:13:23 +08:00
wwqgtxx	7944522188	chore: update quic-go	2023-03-12 09:39:13 +08:00