Fix Vision read

Fix short buffer
Update to the latest Alpha branch
2023-02-25 10:28:38 +08:00 · 2023-02-24 21:19:57 +08:00 · 2023-02-24 21:06:24 +08:00 · 2023-02-24 20:47:07 +08:00 · 2023-02-24 20:47:07 +08:00 · 2023-02-24 20:47:07 +08:00
184 changed files with 9244 additions and 1655 deletions
--- a/.github/release.sh
+++ b/.github/release.sh
@ -0,0 +1,26 @@
 #!/bin/bash
 FILENAMES=$(ls)
 for FILENAME in $FILENAMES
 do
    if [[ ! ($FILENAME =~ ".exe" || $FILENAME =~ ".sh")]];then
        gzip -S ".gz" $FILENAME
    elif [[ $FILENAME =~ ".exe" ]];then
        zip -m ${FILENAME%.*}.zip $FILENAME
    else echo "skip $FILENAME"
    fi
 done
 FILENAMES=$(ls)
 for FILENAME in $FILENAMES
 do
    if [[ $FILENAME =~ ".zip" ]];then
        echo "rename $FILENAME"
        mv $FILENAME ${FILENAME%.*}-${VERSION}.zip
    elif [[ $FILENAME =~ ".gz" ]];then
        echo "rename $FILENAME"
        mv $FILENAME ${FILENAME%.*}-${VERSION}.gz
    else
        echo "skip $FILENAME"
    fi
 done
--- a/.github/rename-cgo.sh
+++ b/.github/rename-cgo.sh
@ -0,0 +1,26 @@
 #!/bin/bash
 FILENAMES=$(ls)
 for FILENAME in $FILENAMES
 do
    if [[ $FILENAME =~ "darwin-10.16-arm64" ]];then
        echo "rename darwin-10.16-arm64 $FILENAME"
        mv $FILENAME clash.meta-darwin-arm64-cgo
    elif [[ $FILENAME =~ "darwin-10.16-amd64" ]];then
        echo "rename darwin-10.16-amd64 $FILENAME"
        mv $FILENAME clash.meta-darwin-amd64-cgo
    elif [[ $FILENAME =~ "windows-4.0-386" ]];then
        echo "rename windows 386 $FILENAME"
        mv $FILENAME clash.meta-windows-386-cgo.exe
    elif [[ $FILENAME =~ "windows-4.0-amd64" ]];then
        echo "rename windows amd64 $FILENAME"
        mv $FILENAME clash.meta-windows-amd64-cgo.exe
    elif [[ $FILENAME =~ "linux" ]];then
        echo "rename linux $FILENAME"
        mv $FILENAME $FILENAME-cgo
    elif [[ $FILENAME =~ "android" ]];then
        echo "rename android $FILENAME"
        mv $FILENAME $FILENAME-cgo
    else echo "skip $FILENAME"
    fi
 done
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@ -1,22 +0,0 @@
 name: Build All
 on:
  workflow_dispatch:
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@v3
      - name: Setup Go
        uses: actions/setup-go@v3
        with:
          go-version: '1.19'
          check-latest: true
          cache: true
      - name: Build
        run: make all
      - name: Release
        uses: softprops/action-gh-release@v1
        with:
          files: bin/*
          draft: true
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -0,0 +1,325 @@
 name: Build
 on:
  workflow_dispatch:
  push:
    paths-ignore:
      - "docs/**"
      - "README.md"
    branches:
      - Alpha
      - Beta
      - Meta
    tags:
      - "v*"
  pull_request_target:
    branches:
      - Alpha
      - Beta
      - Meta
 env:
  REGISTRY: docker.io
 jobs:
  Build:
    permissions: write-all
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        job:
          - {
              type: "WithoutCGO",
              target: "linux-amd64 linux-amd64-compatible",
              id: "1",
            }
          - {
              type: "WithoutCGO",
              target: "linux-armv5 linux-armv6 linux-armv7",
              id: "2",
            }
          - {
              type: "WithoutCGO",
              target: "linux-arm64 linux-mips64 linux-mips64le",
              id: "3",
            }
          - {
              type: "WithoutCGO",
              target: "linux-mips-softfloat linux-mips-hardfloat linux-mipsle-softfloat linux-mipsle-hardfloat",
              id: "4",
            }
          - {
              type: "WithoutCGO",
              target: "freebsd-386 freebsd-amd64 freebsd-arm64",
              id: "5",
            }
          - {
              type: "WithoutCGO",
              target: "windows-amd64-compatible windows-amd64 windows-386",
              id: "6",
            }
          - {
              type: "WithoutCGO",
              target: "windows-arm64 windows-arm32v7",
              id: "7",
            }
          - {
              type: "WithoutCGO",
              target: "darwin-amd64 darwin-arm64 android-arm64",
              id: "8",
            }
          - { type: "WithCGO", target: "windows/*", id: "1" }
          - { type: "WithCGO", target: "linux/386", id: "2" }
          - { type: "WithCGO", target: "linux/amd64", id: "3" }
          - { type: "WithCGO", target: "linux/arm64,linux/riscv64", id: "4" }
          - { type: "WithCGO", target: "linux/arm,", id: "5" }
          - { type: "WithCGO", target: "linux/arm-6,linux/arm-7", id: "6" }
          - { type: "WithCGO", target: "linux/mips,linux/mipsle", id: "7" }
          - { type: "WithCGO", target: "linux/mips64", id: "8" }
          - { type: "WithCGO", target: "linux/mips64le", id: "9" }
          - { type: "WithCGO", target: "darwin-10.16/*", id: "10" }
          - { type: "WithCGO", target: "android", id: "11" }
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@v3
      - name: Set variables
        run: echo "VERSION=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
        shell: bash
      - name: Set variables
        if: ${{github.ref_name=='Alpha'}}
        run: echo "VERSION=alpha-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
        shell: bash
      - name: Set variables
        if: ${{github.ref_name=='Beta'}}
        run: echo "VERSION=beta-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
        shell: bash
      - name: Set variables
        if: ${{github.ref_name=='Meta'}}
        run: echo "VERSION=meta-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
        shell: bash
      - name: Set variables
        if: ${{github.ref_name=='' || github.ref_type=='tag'}}
        run: echo "VERSION=$(git describe --tags)" >> $GITHUB_ENV
        shell: bash
      - name: Set ENV
        run: |
          echo "NAME=clash.meta" >> $GITHUB_ENV
          echo "REPO=${{ github.repository }}" >> $GITHUB_ENV
          echo "ShortSHA=$(git rev-parse --short ${{ github.sha }})" >> $GITHUB_ENV
          echo "BUILDTIME=$(date -u)" >> $GITHUB_ENV
          echo "BRANCH=$(git rev-parse --abbrev-ref HEAD)" >> $GITHUB_ENV
        shell: bash
      - name: Set ENV
        run: |
          echo "TAGS=with_gvisor,with_lwip" >> $GITHUB_ENV
          echo "LDFLAGS=-X 'github.com/Dreamacro/clash/constant.Version=${VERSION}' -X 'github.com/Dreamacro/clash/constant.BuildTime=${BUILDTIME}' -w -s -buildid=" >> $GITHUB_ENV
        shell: bash
      - name: Setup Go
        uses: actions/setup-go@v3
        with:
          go-version: "1.20"
          check-latest: true
      - name: Test
        if: ${{ matrix.job.id=='1' && matrix.job.type=='WithoutCGO' }}
        run: |
          go test ./...
      - name: Build WithoutCGO
        if: ${{ matrix.job.type=='WithoutCGO' }}
        env:
          NAME: Clash.Meta
          BINDIR: bin
        run: make -j$(($(nproc) + 1)) ${{ matrix.job.target }}
      - uses: nttld/setup-ndk@v1
        if: ${{ matrix.job.type=='WithCGO' && matrix.job.target=='android' }}
        id: setup-ndk
        with:
          ndk-version: r25b
          add-to-path: false
          local-cache: true
      - name: Build Android
        if: ${{ matrix.job.type=='WithCGO' && matrix.job.target=='android' }}
        env:
          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
        run: |
          mkdir bin
          CC=${ANDROID_NDK_HOME}/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android33-clang
          CGO_ENABLED=1 CC=${CC} GOARCH=arm64 GOOS=android go build -tags ${TAGS} -trimpath -ldflags "${LDFLAGS}" -o bin/${NAME}-android-arm64
      - name: Set up xgo
        if: ${{ matrix.job.type=='WithCGO' && matrix.job.target!='android' }}
        run: |
          docker pull techknowlogick/xgo:latest
          go install src.techknowlogick.com/xgo@latest
      - name: Build by xgo
        if: ${{ matrix.job.type=='WithCGO' && matrix.job.target!='android' }}
        env:
          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
        run: |
          mkdir bin
          xgo --targets="${{ matrix.job.target }}" --tags="${TAGS}" -ldflags="${LDFLAGS}" --out bin/${NAME} ./
      - name: Rename
        if: ${{ matrix.job.type=='WithCGO' }}
        run: |
          cd bin
          ls -la
          cp ../.github/rename-cgo.sh ./
          bash ./rename-cgo.sh
          rm ./rename-cgo.sh
          ls -la
          cd ..
      - name: Zip
        if: ${{  success() }}
        run: |
          cd bin
          ls -la
          chmod +x *
          cp ../.github/release.sh ./
          bash ./release.sh
          rm ./release.sh
          ls -la
          cd ..
      - uses: actions/upload-artifact@v3
        if: ${{  success() }}
        with:
          name: artifact
          path: bin/
  Upload-Prerelease:
    permissions: write-all
    if: ${{ github.ref_type=='branch' }}
    needs: [ Build ]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: artifact
          path: bin/
      - name: Display structure of downloaded files
        run: ls -R
        working-directory: bin
      - name: Delete current release assets
        uses: andreaswilli/delete-release-assets-action@v2.0.0
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          tag: Prerelease-${{ github.ref_name }}
          deleteOnlyFromDrafts: false
      - name: Tag Repo
        uses: richardsimko/update-tag@v1.0.6
        with:
          tag_name: Prerelease-${{ github.ref_name }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Upload Prerelease
        uses: softprops/action-gh-release@v1
        if: ${{  success() }}
        with:
          tag: ${{ github.ref_name }}
          tag_name: Prerelease-${{ github.ref_name }}
          files: bin/*
          prerelease: true
          generate_release_notes: true
  Upload-Release:
    permissions: write-all
    if: ${{ github.ref_type=='tag' }}
    needs: [ Build ]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: artifact
          path: bin/
      - name: Display structure of downloaded files
        run: ls -R
        working-directory: bin
      - name: Upload Release
        uses: softprops/action-gh-release@v1
        if: ${{  success() }}
        with:
          tag: ${{ github.ref_name }}
          tag_name: ${{ github.ref_name }}
          files: bin/*
          generate_release_notes: true
  Docker:
    permissions: write-all
    needs: [ Build ]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: actions/download-artifact@v3
        with:
          name: artifact
          path: bin/
      - name: Display structure of downloaded files
        run: ls -R
        working-directory: bin
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@v1
        with:
          version: latest
      # Extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v3
        with:
          images: ${{ env.REGISTRY }}/${{ secrets.DOCKERHUB_ACCOUNT }}/${{secrets.DOCKERHUB_REPO}}
      - name: Show files
        run: |
          ls .
          ls bin/
      - name: Log into registry
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v1
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.DOCKER_HUB_USER }}
          password: ${{ secrets.DOCKER_HUB_TOKEN }}
      # Build and push Docker image with Buildx (don't push on PR)
      # https://github.com/docker/build-push-action
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@v2
        with:
          context: .
          file: ./Dockerfile
          push: ${{ github.event_name != 'pull_request' }}
          platforms: |
            linux/386
            linux/amd64
            linux/arm64/v8
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@ -1,61 +0,0 @@
 name: Docker
 on:
  push:
    branches:
      - Beta
    tags:
      - "v*"
 env:
  REGISTRY: docker.io
 jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@v1
        with:
          version: latest
      # Extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v3
        with:
          images: ${{ env.REGISTRY }}/${{ secrets.DOCKERHUB_ACCOUNT }}/${{secrets.DOCKERHUB_REPO}}
      - name: Log into registry
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v1
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.DOCKER_HUB_USER }}
          password: ${{ secrets.DOCKER_HUB_TOKEN }}
      # Build and push Docker image with Buildx (don't push on PR)
      # https://github.com/docker/build-push-action
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@v2
        with:
          context: .
          file: ./Dockerfile
          push: ${{ github.event_name != 'pull_request' }}
          platforms: |
            linux/386
            linux/amd64
            linux/arm64/v8
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
--- a/.github/workflows/prerelease.yml
+++ b/.github/workflows/prerelease.yml
@ -1,60 +0,0 @@
 name: Prerelease
 on:
  workflow_dispatch:
  push:
    branches:
      - Alpha
      - Beta
  pull_request:
    branches:
      - Alpha
      - Beta
 jobs:
  Build:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@v3
      - name: Setup Go
        uses: actions/setup-go@v3
        with:
          go-version: '1.19'
          check-latest: true
          cache: true
      - name: Test
        if: ${{github.ref_name=='Beta'}}
        run: |
          go test ./...
      - name: Build
        if: success()
        env:
          NAME: Clash.Meta
          BINDIR: bin
        run: make -j$(($(nproc) + 1)) releases
      - name: Delete current release assets
        uses: andreaswilli/delete-release-assets-action@v2.0.0
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          tag: Prerelease-${{ github.ref_name }}
          deleteOnlyFromDrafts: false
      - name: Tag Repo
        uses: richardsimko/update-tag@v1
        with:
          tag_name: Prerelease-${{ github.ref_name }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Upload Alpha
        uses: softprops/action-gh-release@v1
        if: ${{  success() }}
        with:
          tag: ${{ github.ref_name }}
          tag_name: Prerelease-${{ github.ref_name }}
          files: bin/*
          prerelease: true
          generate_release_notes: true
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -1,36 +0,0 @@
 name: Release
 on:
  push:
    tags:
      - "v*"
 jobs:
  Build:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@v3
      - name: Setup Go
        uses: actions/setup-go@v3
        with:
          go-version: '1.19'
          check-latest: true
          cache: true
      - name: Test
        run: |
          go test ./...
      - name: Build
        if: success()
        env:
          NAME: Clash.Meta
          BINDIR: bin
        run: make -j$(($(nproc) + 1)) releases
      - name: Upload Release
        uses: softprops/action-gh-release@v1
        if: ${{ success() && startsWith(github.ref, 'refs/tags/')}}
        with:
          tag: ${{ github.ref }}
          files: bin/*
          generate_release_notes: true
--- a/.gitignore
+++ b/.gitignore
@ -24,4 +24,5 @@ vendor
 # test suite
 test/config/cache*
 /output
-/.vscode
+.vscode/
 .fleet/
--- a/19
+++ b/19
@ -1,18 +1,17 @@
-FROM golang:alpine as builder
+FROM alpine:latest as builder
-RUN apk add --no-cache make git && \
+RUN apk add --no-cache gzip && \
    mkdir /clash-config && \
    wget -O /clash-config/Country.mmdb https://raw.githubusercontent.com/Loyalsoldier/geoip/release/Country.mmdb && \
    wget -O /clash-config/geosite.dat https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat && \
    wget -O /clash-config/geoip.dat https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat
-
+COPY docker/file-name.sh /clash/file-name.sh
-COPY . /clash-src
+WORKDIR /clash
-WORKDIR /clash-src
+COPY bin/ bin/
-RUN go mod download &&\
+RUN FILE_NAME=`sh file-name.sh` && echo $FILE_NAME && \
-    make docker &&\
+    FILE_NAME=`ls bin/ | egrep "$FILE_NAME.*"|awk NR==1` && \
-    mv ./bin/Clash.Meta-docker /clash
+    mv bin/$FILE_NAME clash.gz && gzip -d clash.gz && echo "$FILE_NAME" > /clash-config/test
 FROM alpine:latest
 LABEL org.opencontainers.image.source="https://github.com/MetaCubeX/Clash.Meta"
@ -21,6 +20,6 @@ RUN apk add --no-cache ca-certificates tzdata iptables
 VOLUME ["/root/.config/clash/"]
 COPY --from=builder /clash-config/ /root/.config/clash/
-COPY --from=builder /clash /clash
+COPY --from=builder /clash/clash /clash
 RUN chmod +x /clash
 ENTRYPOINT [ "/clash" ]
--- a/15
+++ b/15
@ -1,4 +1,4 @@
-NAME=Clash.Meta
+NAME=clash.meta
 BINDIR=bin
 BRANCH=$(shell git branch --show-current)
 ifeq ($(BRANCH),Alpha)
@ -47,14 +47,17 @@ all:linux-amd64 linux-arm64\
 	darwin-amd64 darwin-arm64\
 	windows-amd64 windows-arm64\
 darwin-all: darwin-amd64 darwin-arm64
 docker:
-	GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+	GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 darwin-amd64:
 	GOARCH=amd64 GOOS=darwin GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 darwin-amd64-compatible:
-	GOARCH=amd64 GOOS=darwin GOAMD64=v2 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+	GOARCH=amd64 GOOS=darwin GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 darwin-arm64:
 	GOARCH=arm64 GOOS=darwin $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
@ -66,7 +69,7 @@ linux-amd64:
 	GOARCH=amd64 GOOS=linux GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 linux-amd64-compatible:
-	GOARCH=amd64 GOOS=linux GOAMD64=v2 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+	GOARCH=amd64 GOOS=linux GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 linux-arm64:
 	GOARCH=arm64 GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
@ -117,7 +120,7 @@ windows-amd64:
 	GOARCH=amd64 GOOS=windows GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
 windows-amd64-compatible:
-	GOARCH=amd64 GOOS=windows GOAMD64=v2 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
+	GOARCH=amd64 GOOS=windows GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
 windows-arm64:
 	GOARCH=arm64 GOOS=windows $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
@ -154,4 +157,4 @@ CFLAGS := -O2 -g -Wall -Werror $(CFLAGS)
 ebpf: export BPF_CLANG := $(CLANG)
 ebpf: export BPF_CFLAGS := $(CFLAGS)
 ebpf:
-	cd component/ebpf/ && go generate ./...
+	cd component/ebpf/ && go generate ./...
--- a/README.md
+++ b/README.md
@ -29,12 +29,42 @@
 - Netfilter TCP redirecting. Deploy Clash on your Internet gateway with `iptables`.
 - Comprehensive HTTP RESTful API controller
-## Getting Started
+## Wiki
 Documentations are now moved to [GitHub Wiki](https://github.com/Dreamacro/clash/wiki).
-## Advanced usage for this branch
+Documentation and configuring examples are available on [wiki](https://github.com/MetaCubeX/Clash.Meta/wiki) and [Clash.Meta Wiki](https://docs.metacubex.one/).
-### DNS configuration
+## Build
 You should install [golang](https://go.dev) first.
 Then get the source code of Clash.Meta:
 ```shell
 git clone https://github.com/MetaCubeX/Clash.Meta.git
 cd Clash.Meta && go mod download
 ```
 If you can't visit github,you should set proxy first:
 ```shell
 go env -w GOPROXY=https://goproxy.io,direct
 ```
 Now you can build it:
 ```shell
 go build
 ```
 If you need gvisor for tun stack, build with:
 ```shell
 go build -tags with_gvisor
 ```
 <!-- ## Advanced usage of this fork -->
 <!-- ### DNS configuration
 Support `geosite` with `fallback-filter`.
@ -44,7 +74,6 @@ Support resolve ip with a `Proxy Tunnel`.
 ```yaml
 proxy-groups:
  - name: DNS
    type: url-test
    use:
@ -53,6 +82,7 @@ proxy-groups:
    interval: 180
    lazy: true
 ```
 ```yaml
 dns:
  enable: true
@ -68,12 +98,12 @@ dns:
    - https://doh.pub/dns-query
    - tls://223.5.5.5:853
  fallback:
-    - 'https://1.0.0.1/dns-query#DNS'  # append the proxy adapter name or group name to the end of DNS URL with '#' prefix.
+    - "https://1.0.0.1/dns-query#DNS" # append the proxy adapter name or group name to the end of DNS URL with '#' prefix.
-    - 'tls://8.8.4.4:853#DNS'
+    - "tls://8.8.4.4:853#DNS"
  fallback-filter:
    geoip: false
    geosite:
-      - gfw  # `geosite` filter only use fallback server to resolve ip, prevent DNS leaks to unsafe DNS providers.
+      - gfw # `geosite` filter only use fallback server to resolve ip, prevent DNS leaks to unsafe DNS providers.
    domain:
      - +.example.com
    ipcidr:
@ -90,28 +120,30 @@ Built-in [Wintun](https://www.wintun.net) driver.
 # Enable the TUN listener
 tun:
  enable: true
-  stack: gvisor #  only gvisor
+  stack: system #   system/gvisor
-  dns-hijack: 
+  dns-hijack:
    - 0.0.0.0:53 # additional dns server listen on TUN
  auto-route: true # auto set global route
 ```
 ### Rules configuration
 - Support rule `GEOSITE`.
 - Support rule-providers `RULE-SET`.
 - Support `multiport` condition for rule `SRC-PORT` and `DST-PORT`.
 - Support `network` condition for all rules.
 - Support source IPCIDR condition for all rules, just append to the end.
 - The `GEOSITE` databases via https://github.com/Loyalsoldier/v2ray-rules-dat.
 ```yaml
 rules:
  # network(tcp/udp) condition for all rules
  - DOMAIN-SUFFIX,bilibili.com,DIRECT,tcp
  - DOMAIN-SUFFIX,bilibili.com,REJECT,udp
-    
+
  # multiport condition for rules SRC-PORT and DST-PORT
  - DST-PORT,123/136/137-139,DIRECT,udp
-  
+
  # rule GEOSITE
  - GEOSITE,category-ads-all,REJECT
  - GEOSITE,icloud@cn,DIRECT
@ -122,18 +154,17 @@ rules:
  - GEOSITE,youtube,PROXY
  - GEOSITE,geolocation-cn,DIRECT
  - GEOSITE,geolocation-!cn,PROXY
-    
+
  # source IPCIDR condition for all rules in gateway proxy
  #- GEOSITE,geolocation-!cn,REJECT,192.168.1.88/32,192.168.1.99/32
  - GEOIP,telegram,PROXY,no-resolve
  - GEOIP,private,DIRECT,no-resolve
  - GEOIP,cn,DIRECT
-  
+
  - MATCH,PROXY
 ```
 ### Proxies configuration
 Active health detection `urltest / fallback` (based on tcp handshake, multiple failures within a limited time will actively trigger health detection to use the node)
@ -142,18 +173,17 @@ Support `Policy Group Filter`
 ```yaml
 proxy-groups:
  - name: 🚀 HK Group
    type: select
    use:
      - ALL
-    filter: 'HK'
+    filter: "HK"
  - name: 🚀 US Group
    type: select
    use:
      - ALL
-    filter: 'US'
+    filter: "US"
 proxy-providers:
  ALL:
@ -165,14 +195,12 @@ proxy-providers:
      enable: true
      interval: 600
      url: http://www.gstatic.com/generate_204
 ```
 Support outbound transport protocol `VLESS`.
 The XTLS support (TCP/UDP) transport by the XRAY-CORE.
 ```yaml
 proxies:
  - name: "vless"
@ -183,7 +211,7 @@ proxies:
    servername: example.com # AKA SNI
    # flow: xtls-rprx-direct # xtls-rprx-origin  # enable XTLS
    # skip-cert-verify: true
-    
+
  - name: "vless-ws"
    type: vless
    server: server
@ -208,12 +236,12 @@ proxies:
    network: grpc
    servername: example.com # priority over wss host
    # skip-cert-verify: true
-    grpc-opts: 
+    grpc-opts:
      grpc-service-name: grpcname
 ```
 Support outbound transport protocol `Wireguard`
 ```yaml
 proxies:
  - name: "wg"
@ -228,6 +256,7 @@ proxies:
 ```
 Support outbound transport protocol `Tuic`
 ```yaml
 proxies:
  - name: "tuic"
@ -246,11 +275,11 @@ proxies:
    # max-udp-relay-packet-size: 1500
    # fast-open: true
    # skip-cert-verify: true
-
+``` -->
 ```
 ### IPTABLES configuration
-Work on Linux OS who's supported `iptables`
+
 Work on Linux OS which supported `iptables`
 ```yaml
 # Enable the TPROXY listener
@ -261,17 +290,15 @@ iptables:
  inbound-interface: eth0 # detect the inbound interface, default is 'lo'
 ```
 ### General installation guide for Linux
-### General installation guide for Linux  
+- Create user given name `clash-meta`
 + Create user given name `clash-meta`
-+ Download and decompress pre-built binaries from [releases](https://github.com/MetaCubeX/Clash.Meta/releases)  
+- Download and decompress pre-built binaries from [releases](https://github.com/MetaCubeX/Clash.Meta/releases)
 + Rename executable file to `Clash-Meta` and move to `/usr/local/bin/` 
 + Create folder `/etc/Clash-Meta/` as working directory 
 - Rename executable file to `Clash-Meta` and move to `/usr/local/bin/`
 - Create folder `/etc/Clash-Meta/` as working directory
 Run Meta Kernel by user `clash-meta` as a daemon.
@ -297,10 +324,13 @@ ExecStart=/usr/local/bin/Clash-Meta -d /etc/Clash-Meta
 [Install]
 WantedBy=multi-user.target
 ```
 Launch clashd on system startup with:
 ```shell
 $ systemctl enable Clash-Meta
 ```
 Launch clashd immediately with:
 ```shell
@ -311,23 +341,29 @@ $ systemctl start Clash-Meta
 Clash add field `Process` to `Metadata` and prepare to get process name for Restful API `GET /connections`.
-To display process name in GUI please use [Dashboard For Meta](https://github.com/MetaCubeX/clash-dashboard).
+To display process name in GUI please use [Razord-meta](https://github.com/MetaCubeX/Razord-meta).
-![img.png](https://github.com/Clash-Mini/Dashboard/raw/master/View/Dashboard-Process.png)
+### Dashboard
 We also made a custom fork of yacd provide better support for this project, check it out at [Yacd-meta](https://github.com/MetaCubeX/Yacd-meta)
 ## Development
 If you want to build an application that uses clash as a library, check out the
 the [GitHub Wiki](https://github.com/Dreamacro/clash/wiki/use-clash-as-a-library)
 ## Debugging
 Check [wiki](https://github.com/MetaCubeX/Clash.Meta/wiki/How-to-use-debug-api) to get an instruction on using debug API.
 ## Credits
-* [Dreamacro/clash](https://github.com/Dreamacro/clash)
+- [Dreamacro/clash](https://github.com/Dreamacro/clash)
-* [SagerNet/sing-box](https://github.com/SagerNet/sing-box)
+- [SagerNet/sing-box](https://github.com/SagerNet/sing-box)
-* [riobard/go-shadowsocks2](https://github.com/riobard/go-shadowsocks2)
+- [riobard/go-shadowsocks2](https://github.com/riobard/go-shadowsocks2)
-* [v2ray/v2ray-core](https://github.com/v2ray/v2ray-core)
+- [v2ray/v2ray-core](https://github.com/v2ray/v2ray-core)
-* [WireGuard/wireguard-go](https://github.com/WireGuard/wireguard-go)
+- [WireGuard/wireguard-go](https://github.com/WireGuard/wireguard-go)
-* [yaling888/clash-plus-pro](https://github.com/yaling888/clash)
+- [yaling888/clash-plus-pro](https://github.com/yaling888/clash)
 ## License
--- a/adapter/adapter.go
+++ b/adapter/adapter.go
@ -92,6 +92,7 @@ func (p *Proxy) MarshalJSON() ([]byte, error) {
 	mapping["history"] = p.DelayHistory()
 	mapping["name"] = p.Name()
 	mapping["udp"] = p.SupportUDP()
 	mapping["xudp"] = p.SupportXUDP()
 	mapping["tfo"] = p.SupportTFO()
 	return json.Marshal(mapping)
 }
--- a/adapter/inbound/http.go
+++ b/adapter/inbound/http.go
@ -16,11 +16,11 @@ func NewHTTP(target socks5.Addr, source net.Addr, conn net.Conn, additions ...Ad
 	for _, addition := range additions {
 		addition.Apply(metadata)
 	}
-	if ip, port, err := parseAddr(source.String()); err == nil {
+	if ip, port, err := parseAddr(source); err == nil {
 		metadata.SrcIP = ip
 		metadata.SrcPort = port
 	}
-	if ip, port, err := parseAddr(conn.LocalAddr().String()); err == nil {
+	if ip, port, err := parseAddr(conn.LocalAddr()); err == nil {
 		metadata.InIP = ip
 		metadata.InPort = port
 	}
--- a/adapter/inbound/https.go
+++ b/adapter/inbound/https.go
@ -15,11 +15,11 @@ func NewHTTPS(request *http.Request, conn net.Conn, additions ...Addition) *cont
 	for _, addition := range additions {
 		addition.Apply(metadata)
 	}
-	if ip, port, err := parseAddr(conn.RemoteAddr().String()); err == nil {
+	if ip, port, err := parseAddr(conn.RemoteAddr()); err == nil {
 		metadata.SrcIP = ip
 		metadata.SrcPort = port
 	}
-	if ip, port, err := parseAddr(conn.LocalAddr().String()); err == nil {
+	if ip, port, err := parseAddr(conn.LocalAddr()); err == nil {
 		metadata.InIP = ip
 		metadata.InPort = port
 	}
--- a/adapter/inbound/listen.go
+++ b/adapter/inbound/listen.go
@ -4,7 +4,7 @@ import (
 	"context"
 	"net"
-	"github.com/database64128/tfo-go/v2"
+	"github.com/sagernet/tfo-go"
 )
 var (
--- a/adapter/inbound/packet.go
+++ b/adapter/inbound/packet.go
@ -24,12 +24,12 @@ func NewPacket(target socks5.Addr, packet C.UDPPacket, source C.Type, additions
 	for _, addition := range additions {
 		addition.Apply(metadata)
 	}
-	if ip, port, err := parseAddr(packet.LocalAddr().String()); err == nil {
+	if ip, port, err := parseAddr(packet.LocalAddr()); err == nil {
 		metadata.SrcIP = ip
 		metadata.SrcPort = port
 	}
 	if p, ok := packet.(C.UDPPacketInAddr); ok {
-		if ip, port, err := parseAddr(p.InAddr().String()); err == nil {
+		if ip, port, err := parseAddr(p.InAddr()); err == nil {
 			metadata.InIP = ip
 			metadata.InPort = port
 		}
--- a/adapter/inbound/socket.go
+++ b/adapter/inbound/socket.go
@ -18,22 +18,13 @@ func NewSocket(target socks5.Addr, conn net.Conn, source C.Type, additions ...Ad
 		addition.Apply(metadata)
 	}
-	remoteAddr := conn.RemoteAddr()
+	if ip, port, err := parseAddr(conn.RemoteAddr()); err == nil {
-
+		metadata.SrcIP = ip
-	// Filter when net.Addr interface is nil
+		metadata.SrcPort = port
 	if remoteAddr != nil {
 		if ip, port, err := parseAddr(remoteAddr.String()); err == nil {
 			metadata.SrcIP = ip
 			metadata.SrcPort = port
 		}
 	}
-	localAddr := conn.LocalAddr()
+	if ip, port, err := parseAddr(conn.LocalAddr()); err == nil {
-	// Filter when net.Addr interface is nil
+		metadata.InIP = ip
-	if localAddr != nil {
+		metadata.InPort = port
 		if ip, port, err := parseAddr(localAddr.String()); err == nil {
 			metadata.InIP = ip
 			metadata.InPort = port
 		}
 	}
 	return context.NewConnContext(conn, metadata)
@ -43,7 +34,7 @@ func NewInner(conn net.Conn, dst string, host string) *context.ConnContext {
 	metadata := &C.Metadata{}
 	metadata.NetWork = C.TCP
 	metadata.Type = C.INNER
-	metadata.DNSMode = C.DNSMapping
+	metadata.DNSMode = C.DNSNormal
 	metadata.Host = host
 	metadata.Process = C.ClashName
 	if h, port, err := net.SplitHostPort(dst); err == nil {
--- a/adapter/inbound/util.go
+++ b/adapter/inbound/util.go
@ -1,13 +1,14 @@
 package inbound
 import (
-	"github.com/Dreamacro/clash/common/nnip"
+	"errors"
 	"net"
 	"net/http"
 	"net/netip"
 	"strconv"
 	"strings"
 	"github.com/Dreamacro/clash/common/nnip"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/socks5"
 )
@ -57,8 +58,19 @@ func parseHTTPAddr(request *http.Request) *C.Metadata {
 	return metadata
 }
-func parseAddr(addr string) (netip.Addr, string, error) {
+func parseAddr(addr net.Addr) (netip.Addr, string, error) {
-	host, port, err := net.SplitHostPort(addr)
+	// Filter when net.Addr interface is nil
 	if addr == nil {
 		return netip.Addr{}, "", errors.New("nil addr")
 	}
 	if rawAddr, ok := addr.(interface{ RawAddr() net.Addr }); ok {
 		ip, port, err := parseAddr(rawAddr.RawAddr())
 		if err == nil {
 			return ip, port, err
 		}
 	}
 	addrStr := addr.String()
 	host, port, err := net.SplitHostPort(addrStr)
 	if err != nil {
 		return netip.Addr{}, "", err
 	}
--- a/adapter/outbound/base.go
+++ b/adapter/outbound/base.go
@ -4,12 +4,14 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
 	"github.com/gofrs/uuid"
 	"net"
 	"strings"
 	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/gofrs/uuid"
 )
 type Base struct {
@ -18,6 +20,7 @@ type Base struct {
 	iface  string
 	tp     C.AdapterType
 	udp    bool
 	xudp   bool
 	tfo    bool
 	rmark  int
 	id     string
@ -87,6 +90,11 @@ func (b *Base) SupportUDP() bool {
 	return b.udp
 }
 // SupportXUDP implements C.ProxyAdapter
 func (b *Base) SupportXUDP() bool {
 	return b.xudp
 }
 // SupportTFO implements C.ProxyAdapter
 func (b *Base) SupportTFO() bool {
 	return b.tfo
@ -132,10 +140,15 @@ func (b *Base) DialOptions(opts ...dialer.Option) []dialer.Option {
 	default:
 	}
 	if b.tfo {
 		opts = append(opts, dialer.WithTFO(true))
 	}
 	return opts
 }
 type BasicOption struct {
 	TFO         bool   `proxy:"tfo,omitempty" group:"tfo,omitempty"`
 	Interface   string `proxy:"interface-name,omitempty" group:"interface-name,omitempty"`
 	RoutingMark int    `proxy:"routing-mark,omitempty" group:"routing-mark,omitempty"`
 	IPVersion   string `proxy:"ip-version,omitempty" group:"ip-version,omitempty"`
@ -146,6 +159,7 @@ type BaseOption struct {
 	Addr        string
 	Type        C.AdapterType
 	UDP         bool
 	XUDP        bool
 	TFO         bool
 	Interface   string
 	RoutingMark int
@ -158,6 +172,7 @@ func NewBase(opt BaseOption) *Base {
 		addr:   opt.Addr,
 		tp:     opt.Type,
 		udp:    opt.UDP,
 		xudp:   opt.XUDP,
 		tfo:    opt.TFO,
 		iface:  opt.Interface,
 		rmark:  opt.RoutingMark,
@ -166,7 +181,7 @@ func NewBase(opt BaseOption) *Base {
 }
 type conn struct {
-	net.Conn
+	N.ExtendedConn
 	chain                   C.Chain
 	actualRemoteDestination string
 }
@ -185,8 +200,12 @@ func (c *conn) AppendToChains(a C.ProxyAdapter) {
 	c.chain = append(c.chain, a.Name())
 }
 func (c *conn) Upstream() any {
 	return c.ExtendedConn
 }
 func NewConn(c net.Conn, a C.ProxyAdapter) C.Conn {
-	return &conn{c, []string{a.Name()}, parseRemoteDestination(a.Addr())}
+	return &conn{N.NewExtendedConn(c), []string{a.Name()}, parseRemoteDestination(a.Addr())}
 }
 type packetConn struct {
--- a/adapter/outbound/http.go
+++ b/adapter/outbound/http.go
@ -7,7 +7,6 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	"io"
 	"net"
 	"net/http"
@ -15,6 +14,7 @@ import (
 	"strconv"
 	"github.com/Dreamacro/clash/component/dialer"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 )
@ -150,7 +150,7 @@ func NewHttp(option HttpOption) (*Http, error) {
 			sni = option.SNI
 		}
 		if len(option.Fingerprint) == 0 {
-			tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(&tls.Config{
+			tlsConfig = tlsC.GetGlobalTLSConfig(&tls.Config{
 				InsecureSkipVerify: option.SkipCertVerify,
 				ServerName:         sni,
 			})
@ -170,6 +170,7 @@ func NewHttp(option HttpOption) (*Http, error) {
 			name:   option.Name,
 			addr:   net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
 			tp:     C.Http,
 			tfo:    option.TFO,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
--- a/adapter/outbound/hysteria.go
+++ b/adapter/outbound/hysteria.go
@ -178,7 +178,7 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 			return nil, err
 		}
 	} else {
-		tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
+		tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
 	}
 	if len(option.ALPN) > 0 {
--- a/adapter/outbound/reject.go
+++ b/adapter/outbound/reject.go
@ -53,6 +53,9 @@ func (rw *nopConn) Read(b []byte) (int, error) {
 }
 func (rw *nopConn) Write(b []byte) (int, error) {
 	if len(b) == 0 {
 		return 0, nil
 	}
 	return 0, io.EOF
 }
--- a/adapter/outbound/shadowsocks.go
+++ b/adapter/outbound/shadowsocks.go
@ -11,10 +11,11 @@ import (
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 	obfs "github.com/Dreamacro/clash/transport/simple-obfs"
 	shadowtls "github.com/Dreamacro/clash/transport/sing-shadowtls"
 	"github.com/Dreamacro/clash/transport/socks5"
 	v2rayObfs "github.com/Dreamacro/clash/transport/v2ray-plugin"
-	"github.com/metacubex/sing-shadowsocks"
+	shadowsocks "github.com/metacubex/sing-shadowsocks"
 	"github.com/metacubex/sing-shadowsocks/shadowimpl"
 	"github.com/sagernet/sing/common/bufio"
 	M "github.com/sagernet/sing/common/metadata"
@ -27,9 +28,10 @@ type ShadowSocks struct {
 	option *ShadowSocksOption
 	// obfs
-	obfsMode    string
+	obfsMode        string
-	obfsOption  *simpleObfsOption
+	obfsOption      *simpleObfsOption
-	v2rayOption *v2rayObfs.Option
+	v2rayOption     *v2rayObfs.Option
 	shadowTLSOption *shadowtls.ShadowTLSOption
 }
 type ShadowSocksOption struct {
@ -61,8 +63,32 @@ type v2rayObfsOption struct {
 	Mux            bool              `obfs:"mux,omitempty"`
 }
 type shadowTLSOption struct {
 	Password          string `obfs:"password"`
 	Host              string `obfs:"host"`
 	Fingerprint       string `obfs:"fingerprint,omitempty"`
 	ClientFingerprint string `obfs:"client-fingerprint,omitempty"`
 	SkipCertVerify    bool   `obfs:"skip-cert-verify,omitempty"`
 	Version           int    `obfs:"version,omitempty"`
 }
 // StreamConn implements C.ProxyAdapter
 func (ss *ShadowSocks) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	switch ss.obfsMode {
 	case shadowtls.Mode:
 		// fix tls handshake not timeout
 		ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTLSTimeout)
 		defer cancel()
 		var err error
 		c, err = shadowtls.NewShadowTLS(ctx, c, ss.shadowTLSOption)
 		if err != nil {
 			return nil, err
 		}
 	}
 	return ss.streamConn(c, metadata)
 }
 func (ss *ShadowSocks) streamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	switch ss.obfsMode {
 	case "tls":
 		c = obfs.NewTLSObfs(c, ss.obfsOption.Host)
@ -77,9 +103,9 @@ func (ss *ShadowSocks) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, e
 		}
 	}
 	if metadata.NetWork == C.UDP && ss.option.UDPOverTCP {
-		return ss.method.DialConn(c, M.ParseSocksaddr(uot.UOTMagicAddress+":443"))
+		return ss.method.DialEarlyConn(c, M.ParseSocksaddr(uot.UOTMagicAddress+":443")), nil
 	}
-	return ss.method.DialConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
+	return ss.method.DialEarlyConn(c, M.ParseSocksaddr(metadata.RemoteAddress())), nil
 }
 // DialContext implements C.ProxyAdapter
@ -99,7 +125,15 @@ func (ss *ShadowSocks) DialContextWithDialer(ctx context.Context, dialer C.Diale
 		safeConnClose(c, err)
 	}(c)
-	c, err = ss.StreamConn(c, metadata)
+	switch ss.obfsMode {
 	case shadowtls.Mode:
 		c, err = shadowtls.NewShadowTLS(ctx, c, ss.shadowTLSOption)
 		if err != nil {
 			return nil, err
 		}
 	}
 	c, err = ss.streamConn(c, metadata)
 	return NewConn(c, ss), err
 }
@ -157,6 +191,7 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 	var v2rayOption *v2rayObfs.Option
 	var obfsOption *simpleObfsOption
 	var shadowTLSOpt *shadowtls.ShadowTLSOption
 	obfsMode := ""
 	decoder := structure.NewDecoder(structure.Option{TagName: "obfs", WeaklyTypedInput: true})
@ -192,6 +227,23 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			v2rayOption.TLS = true
 			v2rayOption.SkipCertVerify = opts.SkipCertVerify
 		}
 	} else if option.Plugin == shadowtls.Mode {
 		obfsMode = shadowtls.Mode
 		opt := &shadowTLSOption{
 			Version: 2,
 		}
 		if err := decoder.Decode(option.PluginOpts, opt); err != nil {
 			return nil, fmt.Errorf("ss %s initialize shadow-tls-plugin error: %w", addr, err)
 		}
 		shadowTLSOpt = &shadowtls.ShadowTLSOption{
 			Password:          opt.Password,
 			Host:              opt.Host,
 			Fingerprint:       opt.Fingerprint,
 			ClientFingerprint: opt.ClientFingerprint,
 			SkipCertVerify:    opt.SkipCertVerify,
 			Version:           opt.Version,
 		}
 	}
 	return &ShadowSocks{
@ -200,16 +252,18 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			addr:   addr,
 			tp:     C.Shadowsocks,
 			udp:    option.UDP,
 			tfo:    option.TFO,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
 		method: method,
-		option:      &option,
+		option:          &option,
-		obfsMode:    obfsMode,
+		obfsMode:        obfsMode,
-		v2rayOption: v2rayOption,
+		v2rayOption:     v2rayOption,
-		obfsOption:  obfsOption,
+		obfsOption:      obfsOption,
 		shadowTLSOption: shadowTLSOpt,
 	}, nil
 }
--- a/adapter/outbound/shadowsocksr.go
+++ b/adapter/outbound/shadowsocksr.go
@ -163,6 +163,7 @@ func NewShadowSocksR(option ShadowSocksROption) (*ShadowSocksR, error) {
 			addr:   addr,
 			tp:     C.ShadowsocksR,
 			udp:    option.UDP,
 			tfo:    option.TFO,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
--- a/adapter/outbound/snell.go
+++ b/adapter/outbound/snell.go
@ -167,6 +167,7 @@ func NewSnell(option SnellOption) (*Snell, error) {
 			addr:   addr,
 			tp:     C.Snell,
 			udp:    option.UDP,
 			tfo:    option.TFO,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
--- a/adapter/outbound/socks5.go
+++ b/adapter/outbound/socks5.go
@ -5,12 +5,12 @@ import (
 	"crypto/tls"
 	"errors"
 	"fmt"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	"io"
 	"net"
 	"strconv"
 	"github.com/Dreamacro/clash/component/dialer"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/socks5"
 )
@ -167,7 +167,7 @@ func NewSocks5(option Socks5Option) (*Socks5, error) {
 		}
 		if len(option.Fingerprint) == 0 {
-			tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
+			tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
 		} else {
 			var err error
 			if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint); err != nil {
@ -182,6 +182,7 @@ func NewSocks5(option Socks5Option) (*Socks5, error) {
 			addr:   net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
 			tp:     C.Socks5,
 			udp:    option.UDP,
 			tfo:    option.TFO,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
--- a/adapter/outbound/trojan.go
+++ b/adapter/outbound/trojan.go
@ -4,12 +4,13 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	"net"
 	"net/http"
 	"strconv"
 	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/gun"
 	"github.com/Dreamacro/clash/transport/trojan"
@ -29,20 +30,21 @@ type Trojan struct {
 type TrojanOption struct {
 	BasicOption
-	Name           string      `proxy:"name"`
+	Name              string      `proxy:"name"`
-	Server         string      `proxy:"server"`
+	Server            string      `proxy:"server"`
-	Port           int         `proxy:"port"`
+	Port              int         `proxy:"port"`
-	Password       string      `proxy:"password"`
+	Password          string      `proxy:"password"`
-	ALPN           []string    `proxy:"alpn,omitempty"`
+	ALPN              []string    `proxy:"alpn,omitempty"`
-	SNI            string      `proxy:"sni,omitempty"`
+	SNI               string      `proxy:"sni,omitempty"`
-	SkipCertVerify bool        `proxy:"skip-cert-verify,omitempty"`
+	SkipCertVerify    bool        `proxy:"skip-cert-verify,omitempty"`
-	Fingerprint    string      `proxy:"fingerprint,omitempty"`
+	Fingerprint       string      `proxy:"fingerprint,omitempty"`
-	UDP            bool        `proxy:"udp,omitempty"`
+	UDP               bool        `proxy:"udp,omitempty"`
-	Network        string      `proxy:"network,omitempty"`
+	Network           string      `proxy:"network,omitempty"`
-	GrpcOpts       GrpcOptions `proxy:"grpc-opts,omitempty"`
+	GrpcOpts          GrpcOptions `proxy:"grpc-opts,omitempty"`
-	WSOpts         WSOptions   `proxy:"ws-opts,omitempty"`
+	WSOpts            WSOptions   `proxy:"ws-opts,omitempty"`
-	Flow           string      `proxy:"flow,omitempty"`
+	Flow              string      `proxy:"flow,omitempty"`
-	FlowShow       bool        `proxy:"flow-show,omitempty"`
+	FlowShow          bool        `proxy:"flow-show,omitempty"`
 	ClientFingerprint string      `proxy:"client-fingerprint,omitempty"`
 }
 func (t *Trojan) plainStream(c net.Conn) (net.Conn, error) {
@ -75,6 +77,11 @@ func (t *Trojan) plainStream(c net.Conn) (net.Conn, error) {
 // StreamConn implements C.ProxyAdapter
 func (t *Trojan) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	var err error
 	if tlsC.HaveGlobalFingerprint() && len(t.option.ClientFingerprint) == 0 {
 		t.option.ClientFingerprint = tlsC.GetGlobalFingerprint()
 	}
 	if t.transport != nil {
 		c, err = gun.StreamGunWithConn(c, t.gunTLSConfig, t.gunConfig)
 	} else {
@ -95,7 +102,7 @@ func (t *Trojan) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error)
 		return c, err
 	}
 	err = t.instance.WriteHeader(c, trojan.CommandTCP, serializesSocksAddr(metadata))
-	return c, err
+	return N.NewExtendedConn(c), err
 }
 // DialContext implements C.ProxyAdapter
@ -211,21 +218,25 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
 	tOption := &trojan.Option{
-		Password:       option.Password,
+		Password:          option.Password,
-		ALPN:           option.ALPN,
+		ALPN:              option.ALPN,
-		ServerName:     option.Server,
+		ServerName:        option.Server,
-		SkipCertVerify: option.SkipCertVerify,
+		SkipCertVerify:    option.SkipCertVerify,
-		FlowShow:       option.FlowShow,
+		FlowShow:          option.FlowShow,
-		Fingerprint:    option.Fingerprint,
+		Fingerprint:       option.Fingerprint,
 		ClientFingerprint: option.ClientFingerprint,
 	}
-	if option.Network != "ws" && len(option.Flow) >= 16 {
+	switch option.Network {
-		option.Flow = option.Flow[:16]
+	case "", "tcp":
-		switch option.Flow {
+		if len(option.Flow) >= 16 {
-		case vless.XRO, vless.XRD, vless.XRS:
+			option.Flow = option.Flow[:16]
-			tOption.Flow = option.Flow
+			switch option.Flow {
-		default:
+			case vless.XRO, vless.XRD, vless.XRS:
-			return nil, fmt.Errorf("unsupported xtls flow type: %s", option.Flow)
+				tOption.Flow = option.Flow
 			default:
 				return nil, fmt.Errorf("unsupported xtls flow type: %s", option.Flow)
 			}
 		}
 	}
@ -239,6 +250,7 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 			addr:   addr,
 			tp:     C.Trojan,
 			udp:    option.UDP,
 			tfo:    option.TFO,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
@ -265,7 +277,7 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 		}
 		if len(option.Fingerprint) == 0 {
-			tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
+			tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
 		} else {
 			var err error
 			if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint); err != nil {
@ -273,11 +285,7 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 			}
 		}
-		if t.option.Flow != "" {
+		t.transport = gun.NewHTTP2Client(dialFn, tlsConfig, tOption.ClientFingerprint)
 			t.transport = gun.NewHTTP2XTLSClient(dialFn, tlsConfig)
 		} else {
 			t.transport = gun.NewHTTP2Client(dialFn, tlsConfig)
 		}
 		t.gunTLSConfig = tlsConfig
 		t.gunConfig = &gun.Config{
--- a/adapter/outbound/tuic.go
+++ b/adapter/outbound/tuic.go
@ -51,6 +51,7 @@ type TuicOption struct {
 	ReceiveWindowConn   int    `proxy:"recv-window-conn,omitempty"`
 	ReceiveWindow       int    `proxy:"recv-window,omitempty"`
 	DisableMTUDiscovery bool   `proxy:"disable-mtu-discovery,omitempty"`
 	SNI                 string `proxy:"sni,omitempty"`
 }
 // DialContext implements C.ProxyAdapter
@ -106,12 +107,14 @@ func (t *Tuic) dialWithDialer(ctx context.Context, dialer C.Dialer) (pc net.Pack
 func NewTuic(option TuicOption) (*Tuic, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
 	serverName := option.Server
 	tlsConfig := &tls.Config{
 		ServerName:         serverName,
 		InsecureSkipVerify: option.SkipCertVerify,
 		MinVersion:         tls.VersionTLS13,
 	}
 	if option.SNI != "" {
 		tlsConfig.ServerName = option.SNI
 	}
 	var bs []byte
 	var err error
@ -143,7 +146,7 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 			return nil, err
 		}
 	} else {
-		tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
+		tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
 	}
 	if len(option.ALPN) > 0 {
@ -165,7 +168,7 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 	}
 	if option.MaxUdpRelayPacketSize == 0 {
-		option.MaxUdpRelayPacketSize = 1500
+		option.MaxUdpRelayPacketSize = 1252
 	}
 	if option.MaxOpenStreams == 0 {
@ -213,12 +216,18 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 			udp:    true,
 			tfo:    option.FastOpen,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
 	}
-	// to avoid tuic's "too many open streams", decrease to 0.9x
+
 	clientMaxOpenStreams := int64(option.MaxOpenStreams)
-	clientMaxOpenStreams = clientMaxOpenStreams - int64(math.Ceil(float64(clientMaxOpenStreams)/10.0))
+
 	// to avoid tuic's "too many open streams", decrease to 0.9x
 	if clientMaxOpenStreams == 100 {
 		clientMaxOpenStreams = clientMaxOpenStreams - int64(math.Ceil(float64(clientMaxOpenStreams)/10.0))
 	}
 	if clientMaxOpenStreams < 1 {
 		clientMaxOpenStreams = 1
 	}
--- a/adapter/outbound/vless.go
+++ b/adapter/outbound/vless.go
@ -21,6 +21,10 @@ import (
 	"github.com/Dreamacro/clash/transport/socks5"
 	"github.com/Dreamacro/clash/transport/vless"
 	"github.com/Dreamacro/clash/transport/vmess"
 	vmessSing "github.com/sagernet/sing-vmess"
 	"github.com/sagernet/sing-vmess/packetaddr"
 	M "github.com/sagernet/sing/common/metadata"
 )
 const (
@ -41,28 +45,37 @@ type Vless struct {
 type VlessOption struct {
 	BasicOption
-	Name           string            `proxy:"name"`
+	Name              string            `proxy:"name"`
-	Server         string            `proxy:"server"`
+	Server            string            `proxy:"server"`
-	Port           int               `proxy:"port"`
+	Port              int               `proxy:"port"`
-	UUID           string            `proxy:"uuid"`
+	UUID              string            `proxy:"uuid"`
-	Flow           string            `proxy:"flow,omitempty"`
+	Flow              string            `proxy:"flow,omitempty"`
-	FlowShow       bool              `proxy:"flow-show,omitempty"`
+	FlowShow          bool              `proxy:"flow-show,omitempty"`
-	TLS            bool              `proxy:"tls,omitempty"`
+	TLS               bool              `proxy:"tls,omitempty"`
-	UDP            bool              `proxy:"udp,omitempty"`
+	UDP               bool              `proxy:"udp,omitempty"`
-	Network        string            `proxy:"network,omitempty"`
+	PacketAddr        bool              `proxy:"packet-addr,omitempty"`
-	HTTPOpts       HTTPOptions       `proxy:"http-opts,omitempty"`
+	XUDP              bool              `proxy:"xudp,omitempty"`
-	HTTP2Opts      HTTP2Options      `proxy:"h2-opts,omitempty"`
+	PacketEncoding    string            `proxy:"packet-encoding,omitempty"`
-	GrpcOpts       GrpcOptions       `proxy:"grpc-opts,omitempty"`
+	Network           string            `proxy:"network,omitempty"`
-	WSOpts         WSOptions         `proxy:"ws-opts,omitempty"`
+	HTTPOpts          HTTPOptions       `proxy:"http-opts,omitempty"`
-	WSPath         string            `proxy:"ws-path,omitempty"`
+	HTTP2Opts         HTTP2Options      `proxy:"h2-opts,omitempty"`
-	WSHeaders      map[string]string `proxy:"ws-headers,omitempty"`
+	GrpcOpts          GrpcOptions       `proxy:"grpc-opts,omitempty"`
-	SkipCertVerify bool              `proxy:"skip-cert-verify,omitempty"`
+	WSOpts            WSOptions         `proxy:"ws-opts,omitempty"`
-	Fingerprint    string            `proxy:"fingerprint,omitempty"`
+	WSPath            string            `proxy:"ws-path,omitempty"`
-	ServerName     string            `proxy:"servername,omitempty"`
+	WSHeaders         map[string]string `proxy:"ws-headers,omitempty"`
 	SkipCertVerify    bool              `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint       string            `proxy:"fingerprint,omitempty"`
 	ServerName        string            `proxy:"servername,omitempty"`
 	ClientFingerprint string            `proxy:"client-fingerprint,omitempty"`
 }
 func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	var err error
 	if tlsC.HaveGlobalFingerprint() && len(v.option.ClientFingerprint) == 0 {
 		v.option.ClientFingerprint = tlsC.GetGlobalFingerprint()
 	}
 	switch v.option.Network {
 	case "ws":
@ -73,6 +86,7 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 			Path:                v.option.WSOpts.Path,
 			MaxEarlyData:        v.option.WSOpts.MaxEarlyData,
 			EarlyDataHeaderName: v.option.WSOpts.EarlyDataHeaderName,
 			ClientFingerprint:   v.option.ClientFingerprint,
 			Headers:             http.Header{},
 		}
@ -91,9 +105,12 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 			}
 			if len(v.option.Fingerprint) == 0 {
-				wsOpts.TLSConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
+				wsOpts.TLSConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
 			} else {
 				wsOpts.TLSConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint)
 				if err != nil {
 					return nil, err
 				}
 			}
 			if v.option.ServerName != "" {
@ -137,11 +154,7 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 		c, err = vmess.StreamH2Conn(c, h2Opts)
 	case "grpc":
-		if v.isXTLSEnabled() {
+		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig)
 			c, err = gun.StreamGunWithXTLSConn(c, v.gunTLSConfig, v.gunConfig)
 		} else {
 			c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig)
 		}
 	default:
 		// default tcp network
 		// handle TLS And XTLS
@ -152,21 +165,17 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 		return nil, err
 	}
-	return v.client.StreamConn(c, parseVlessAddr(metadata))
+	return v.client.StreamConn(c, parseVlessAddr(metadata, v.option.XUDP))
 }
 func (v *Vless) streamTLSOrXTLSConn(conn net.Conn, isH2 bool) (net.Conn, error) {
 	host, _, _ := net.SplitHostPort(v.addr)
-	if v.isXTLSEnabled() {
+	if v.isLegacyXTLSEnabled() && !isH2 {
 		xtlsOpts := vless.XTLSConfig{
 			Host:           host,
 			SkipCertVerify: v.option.SkipCertVerify,
-			FingerPrint:    v.option.Fingerprint,
+			Fingerprint:    v.option.Fingerprint,
 		}
 		if isH2 {
 			xtlsOpts.NextProtos = []string{"h2"}
 		}
 		if v.option.ServerName != "" {
@ -177,9 +186,10 @@ func (v *Vless) streamTLSOrXTLSConn(conn net.Conn, isH2 bool) (net.Conn, error)
 	} else if v.option.TLS {
 		tlsOpts := vmess.TLSConfig{
-			Host:           host,
+			Host:              host,
-			SkipCertVerify: v.option.SkipCertVerify,
+			SkipCertVerify:    v.option.SkipCertVerify,
-			FingerPrint:    v.option.Fingerprint,
+			FingerPrint:       v.option.Fingerprint,
 			ClientFingerprint: v.option.ClientFingerprint,
 		}
 		if isH2 {
@ -196,8 +206,8 @@ func (v *Vless) streamTLSOrXTLSConn(conn net.Conn, isH2 bool) (net.Conn, error)
 	return conn, nil
 }
-func (v *Vless) isXTLSEnabled() bool {
+func (v *Vless) isLegacyXTLSEnabled() bool {
-	return v.client.Addons != nil
+	return v.client.Addons != nil && v.client.Addons.Flow != vless.XRV
 }
 // DialContext implements C.ProxyAdapter
@ -212,7 +222,7 @@ func (v *Vless) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 			safeConnClose(c, err)
 		}(c)
-		c, err = v.client.StreamConn(c, parseVlessAddr(metadata))
+		c, err = v.client.StreamConn(c, parseVlessAddr(metadata, v.option.XUDP))
 		if err != nil {
 			return nil, err
 		}
@ -234,12 +244,15 @@ func (v *Vless) DialContextWithDialer(ctx context.Context, dialer C.Dialer, meta
 	}(c)
 	c, err = v.StreamConn(c, metadata)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 	}
 	return NewConn(c, v), err
 }
 // ListenPacketContext implements C.ProxyAdapter
 func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
-	// vless use stream-oriented udp with a special address, so we needs a net.UDPAddr
+	// vless use stream-oriented udp with a special address, so we need a net.UDPAddr
 	if !metadata.Resolved() {
 		ip, err := resolver.ResolveIP(ctx, metadata.Host)
 		if err != nil {
@ -259,7 +272,15 @@ func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 			safeConnClose(c, err)
 		}(c)
-		c, err = v.client.StreamConn(c, parseVlessAddr(metadata))
+		if v.option.PacketAddr {
 			packetAddrMetadata := *metadata // make a copy
 			packetAddrMetadata.Host = packetaddr.SeqPacketMagicAddress
 			packetAddrMetadata.DstPort = "443"
 			c, err = v.client.StreamConn(c, parseVlessAddr(&packetAddrMetadata, false))
 		} else {
 			c, err = v.client.StreamConn(c, parseVlessAddr(metadata, v.option.XUDP))
 		}
 		if err != nil {
 			return nil, fmt.Errorf("new vless client error: %v", err)
@ -272,7 +293,7 @@ func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 // ListenPacketWithDialer implements C.ProxyAdapter
 func (v *Vless) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	// vless use stream-oriented udp with a special address, so we needs a net.UDPAddr
+	// vless use stream-oriented udp with a special address, so we need a net.UDPAddr
 	if !metadata.Resolved() {
 		ip, err := resolver.ResolveIP(ctx, metadata.Host)
 		if err != nil {
@ -289,7 +310,15 @@ func (v *Vless) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, met
 		safeConnClose(c, err)
 	}(c)
-	c, err = v.StreamConn(c, metadata)
+	if v.option.PacketAddr {
 		packetAddrMetadata := *metadata // make a copy
 		packetAddrMetadata.Host = packetaddr.SeqPacketMagicAddress
 		packetAddrMetadata.DstPort = "443"
 		c, err = v.StreamConn(c, &packetAddrMetadata)
 	} else {
 		c, err = v.StreamConn(c, metadata)
 	}
 	if err != nil {
 		return nil, fmt.Errorf("new vless client error: %v", err)
@ -305,6 +334,17 @@ func (v *Vless) SupportWithDialer() bool {
 // ListenPacketOnStreamConn implements C.ProxyAdapter
 func (v *Vless) ListenPacketOnStreamConn(c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	if v.option.XUDP {
 		return newPacketConn(&threadSafePacketConn{
 			PacketConn: vmessSing.NewXUDPConn(c, M.ParseSocksaddr(metadata.RemoteAddress())),
 		}, v), nil
 	} else if v.option.PacketAddr {
 		return newPacketConn(&threadSafePacketConn{
 			PacketConn: packetaddr.NewConn(&vlessPacketConn{
 				Conn: c, rAddr: metadata.UDPAddr(),
 			}, M.ParseSocksaddr(metadata.RemoteAddress())),
 		}, v), nil
 	}
 	return newPacketConn(&vlessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}, v), nil
 }
@ -313,7 +353,7 @@ func (v *Vless) SupportUOT() bool {
 	return true
 }
-func parseVlessAddr(metadata *C.Metadata) *vless.DstAddr {
+func parseVlessAddr(metadata *C.Metadata, xudp bool) *vless.DstAddr {
 	var addrType byte
 	var addr []byte
 	switch metadata.AddrType() {
@ -337,7 +377,8 @@ func parseVlessAddr(metadata *C.Metadata) *vless.DstAddr {
 		UDP:      metadata.NetWork == C.UDP,
 		AddrType: addrType,
 		Addr:     addr,
-		Port:     uint(port),
+		Port:     uint16(port),
 		Mux:      metadata.NetWork == C.UDP && xudp,
 	}
 }
@ -438,7 +479,7 @@ func NewVless(option VlessOption) (*Vless, error) {
 	if option.Network != "ws" && len(option.Flow) >= 16 {
 		option.Flow = option.Flow[:16]
 		switch option.Flow {
-		case vless.XRO, vless.XRD, vless.XRS:
+		case vless.XRO, vless.XRD, vless.XRS, vless.XRV:
 			addons = &vless.Addons{
 				Flow: option.Flow,
 			}
@ -447,6 +488,16 @@ func NewVless(option VlessOption) (*Vless, error) {
 		}
 	}
 	switch option.PacketEncoding {
 	case "packetaddr", "packet":
 		option.PacketAddr = true
 		option.XUDP = false
 	default: // https://github.com/XTLS/Xray-core/pull/1567#issuecomment-1407305458
 		if !option.PacketAddr {
 			option.XUDP = true
 		}
 	}
 	client, err := vless.NewClient(option.UUID, addons, option.FlowShow)
 	if err != nil {
 		return nil, err
@ -458,7 +509,10 @@ func NewVless(option VlessOption) (*Vless, error) {
 			addr:   net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
 			tp:     C.Vless,
 			udp:    option.UDP,
 			xudp:   option.XUDP,
 			tfo:    option.TFO,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
 		client: client,
@ -481,10 +535,11 @@ func NewVless(option VlessOption) (*Vless, error) {
 		}
 		gunConfig := &gun.Config{
-			ServiceName: v.option.GrpcOpts.GrpcServiceName,
+			ServiceName:       v.option.GrpcOpts.GrpcServiceName,
-			Host:        v.option.ServerName,
+			Host:              v.option.ServerName,
 			ClientFingerprint: v.option.ClientFingerprint,
 		}
-		tlsConfig := tlsC.GetGlobalFingerprintTLCConfig(&tls.Config{
+		tlsConfig := tlsC.GetGlobalTLSConfig(&tls.Config{
 			InsecureSkipVerify: v.option.SkipCertVerify,
 			ServerName:         v.option.ServerName,
 		})
@ -497,11 +552,9 @@ func NewVless(option VlessOption) (*Vless, error) {
 		v.gunTLSConfig = tlsConfig
 		v.gunConfig = gunConfig
-		if v.isXTLSEnabled() {
+
-			v.transport = gun.NewHTTP2XTLSClient(dialFn, tlsConfig)
+		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig, v.option.ClientFingerprint)
-		} else {
+
 			v.transport = gun.NewHTTP2Client(dialFn, tlsConfig)
 		}
 	}
 	return v, nil
--- a/adapter/outbound/vmess.go
+++ b/adapter/outbound/vmess.go
@ -5,8 +5,6 @@ import (
 	"crypto/tls"
 	"errors"
 	"fmt"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	vmess "github.com/sagernet/sing-vmess"
 	"net"
 	"net/http"
 	"strconv"
@ -15,10 +13,12 @@ import (
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/resolver"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/gun"
 	clashVMess "github.com/Dreamacro/clash/transport/vmess"
 	vmess "github.com/sagernet/sing-vmess"
 	"github.com/sagernet/sing-vmess/packetaddr"
 	M "github.com/sagernet/sing/common/metadata"
 )
@ -59,6 +59,7 @@ type VmessOption struct {
 	PacketEncoding      string       `proxy:"packet-encoding,omitempty"`
 	GlobalPadding       bool         `proxy:"global-padding,omitempty"`
 	AuthenticatedLength bool         `proxy:"authenticated-length,omitempty"`
 	ClientFingerprint   string       `proxy:"client-fingerprint,omitempty"`
 }
 type HTTPOptions struct {
@ -86,6 +87,11 @@ type WSOptions struct {
 // StreamConn implements C.ProxyAdapter
 func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	var err error
 	if tlsC.HaveGlobalFingerprint() && (len(v.option.ClientFingerprint) == 0) {
 		v.option.ClientFingerprint = tlsC.GetGlobalFingerprint()
 	}
 	switch v.option.Network {
 	case "ws":
@ -96,6 +102,7 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 			Path:                v.option.WSOpts.Path,
 			MaxEarlyData:        v.option.WSOpts.MaxEarlyData,
 			EarlyDataHeaderName: v.option.WSOpts.EarlyDataHeaderName,
 			ClientFingerprint:   v.option.ClientFingerprint,
 			Headers:             http.Header{},
 		}
@ -114,9 +121,8 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 			}
 			if len(v.option.Fingerprint) == 0 {
-				wsOpts.TLSConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
+				wsOpts.TLSConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
 			} else {
 				var err error
 				if wsOpts.TLSConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint); err != nil {
 					return nil, err
 				}
@ -134,8 +140,9 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 		if v.option.TLS {
 			host, _, _ := net.SplitHostPort(v.addr)
 			tlsOpts := &clashVMess.TLSConfig{
-				Host:           host,
+				Host:              host,
-				SkipCertVerify: v.option.SkipCertVerify,
+				SkipCertVerify:    v.option.SkipCertVerify,
 				ClientFingerprint: v.option.ClientFingerprint,
 			}
 			if v.option.ServerName != "" {
@ -160,9 +167,10 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	case "h2":
 		host, _, _ := net.SplitHostPort(v.addr)
 		tlsOpts := clashVMess.TLSConfig{
-			Host:           host,
+			Host:              host,
-			SkipCertVerify: v.option.SkipCertVerify,
+			SkipCertVerify:    v.option.SkipCertVerify,
-			NextProtos:     []string{"h2"},
+			NextProtos:        []string{"h2"},
 			ClientFingerprint: v.option.ClientFingerprint,
 		}
 		if v.option.ServerName != "" {
@ -187,8 +195,9 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 		if v.option.TLS {
 			host, _, _ := net.SplitHostPort(v.addr)
 			tlsOpts := &clashVMess.TLSConfig{
-				Host:           host,
+				Host:              host,
-				SkipCertVerify: v.option.SkipCertVerify,
+				SkipCertVerify:    v.option.SkipCertVerify,
 				ClientFingerprint: v.option.ClientFingerprint,
 			}
 			if v.option.ServerName != "" {
@ -204,12 +213,12 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	}
 	if metadata.NetWork == C.UDP {
 		if v.option.XUDP {
-			return v.client.DialXUDPPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
+			return v.client.DialEarlyXUDPPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress())), nil
 		} else {
-			return v.client.DialPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
+			return v.client.DialEarlyPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress())), nil
 		}
 	} else {
-		return v.client.DialConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
+		return v.client.DialEarlyConn(c, M.ParseSocksaddr(metadata.RemoteAddress())), nil
 	}
 }
@ -252,7 +261,7 @@ func (v *Vmess) DialContextWithDialer(ctx context.Context, dialer C.Dialer, meta
 // ListenPacketContext implements C.ProxyAdapter
 func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
-	// vmess use stream-oriented udp with a special address, so we needs a net.UDPAddr
+	// vmess use stream-oriented udp with a special address, so we need a net.UDPAddr
 	if !metadata.Resolved() {
 		ip, err := resolver.ResolveIP(ctx, metadata.Host)
 		if err != nil {
@ -280,9 +289,9 @@ func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 		}(c)
 		if v.option.XUDP {
-			c, err = v.client.DialXUDPPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
+			c = v.client.DialEarlyXUDPPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
 		} else {
-			c, err = v.client.DialPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
+			c = v.client.DialEarlyPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
 		}
 		if err != nil {
@ -290,22 +299,12 @@ func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 		}
 		return v.ListenPacketOnStreamConn(c, metadata)
 	}
 	c, err = dialer.DialContext(ctx, "tcp", v.addr, v.Base.DialOptions(opts...)...)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 	}
 	tcpKeepAlive(c)
 	defer func(c net.Conn) {
 		safeConnClose(c, err)
 	}(c)
 	c, err = v.StreamConn(c, metadata)
 	return v.ListenPacketWithDialer(ctx, dialer.NewDialer(v.Base.DialOptions(opts...)...), metadata)
 }
 // ListenPacketWithDialer implements C.ProxyAdapter
 func (v *Vmess) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	// vmess use stream-oriented udp with a special address, so we needs a net.UDPAddr
+	// vmess use stream-oriented udp with a special address, so we need a net.UDPAddr
 	if !metadata.Resolved() {
 		ip, err := resolver.ResolveIP(ctx, metadata.Host)
 		if err != nil {
@ -315,10 +314,18 @@ func (v *Vmess) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, met
 	}
 	c, err := dialer.DialContext(ctx, "tcp", v.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 	}
 	tcpKeepAlive(c)
 	defer func(c net.Conn) {
 		safeConnClose(c, err)
 	}(c)
 	c, err = v.StreamConn(c, metadata)
 	if err != nil {
 		return nil, fmt.Errorf("new vmess client error: %v", err)
 	}
 	return v.ListenPacketOnStreamConn(c, metadata)
 }
@ -369,7 +376,7 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 	switch option.Network {
 	case "h2", "grpc":
 		if !option.TLS {
-			return nil, fmt.Errorf("TLS must be true with h2/grpc network")
+			option.TLS = true
 		}
 	}
@ -379,6 +386,8 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 			addr:   net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
 			tp:     C.Vmess,
 			udp:    option.UDP,
 			xudp:   option.XUDP,
 			tfo:    option.TFO,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
@ -403,8 +412,9 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 		}
 		gunConfig := &gun.Config{
-			ServiceName: v.option.GrpcOpts.GrpcServiceName,
+			ServiceName:       v.option.GrpcOpts.GrpcServiceName,
-			Host:        v.option.ServerName,
+			Host:              v.option.ServerName,
 			ClientFingerprint: v.option.ClientFingerprint,
 		}
 		tlsConfig := &tls.Config{
 			InsecureSkipVerify: v.option.SkipCertVerify,
@ -419,7 +429,9 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 		v.gunTLSConfig = tlsConfig
 		v.gunConfig = gunConfig
-		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig)
+
 		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig, v.option.ClientFingerprint)
 	}
 	return v, nil
 }
--- a/adapter/outbound/wireguard.go
+++ b/adapter/outbound/wireguard.go
@ -17,7 +17,7 @@ import (
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
-	"github.com/Dreamacro/clash/listener/sing"
+	"github.com/Dreamacro/clash/log"
 	wireguard "github.com/metacubex/sing-wireguard"
@ -174,14 +174,14 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 	}
 	outbound.device = device.NewDevice(outbound.tunDevice, outbound.bind, &device.Logger{
 		Verbosef: func(format string, args ...interface{}) {
-			sing.Logger.Debug(fmt.Sprintf(strings.ToLower(format), args...))
+			log.SingLogger.Debug(fmt.Sprintf(strings.ToLower(format), args...))
 		},
 		Errorf: func(format string, args ...interface{}) {
-			sing.Logger.Error(fmt.Sprintf(strings.ToLower(format), args...))
+			log.SingLogger.Error(fmt.Sprintf(strings.ToLower(format), args...))
 		},
 	}, option.Workers)
 	if debug.Enabled {
-		sing.Logger.Trace("created wireguard ipc conf: \n", ipcConf)
+		log.SingLogger.Trace("created wireguard ipc conf: \n", ipcConf)
 	}
 	err = outbound.device.IpcSet(ipcConf)
 	if err != nil {
--- a/adapter/outboundgroup/fallback.go
+++ b/adapter/outboundgroup/fallback.go
@ -4,11 +4,13 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
 	"time"
 	"github.com/Dreamacro/clash/adapter/outbound"
 	"github.com/Dreamacro/clash/common/callback"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/provider"
 	"time"
 )
 type Fallback struct {
@ -29,11 +31,21 @@ func (f *Fallback) DialContext(ctx context.Context, metadata *C.Metadata, opts .
 	c, err := proxy.DialContext(ctx, metadata, f.Base.DialOptions(opts...)...)
 	if err == nil {
 		c.AppendToChains(f)
 		f.onDialSuccess()
 	} else {
 		f.onDialFailed(proxy.Type(), err)
 	}
 	c = &callback.FirstWriteCallBackConn{
 		Conn: c,
 		Callback: func(err error) {
 			if err == nil {
 				f.onDialSuccess()
 			} else {
 				f.onDialFailed(proxy.Type(), err)
 			}
 		},
 	}
 	return c, err
 }
@ -132,6 +144,7 @@ func NewFallback(option *GroupCommonOption, providers []provider.ProxyProvider)
 			},
 			option.Filter,
 			option.ExcludeFilter,
 			option.ExcludeType,
 			providers,
 		}),
 		disableUDP: option.DisableUDP,
--- a/adapter/outboundgroup/groupbase.go
+++ b/adapter/outboundgroup/groupbase.go
@ -3,23 +3,26 @@ package outboundgroup
 import (
 	"context"
 	"fmt"
 	"strings"
 	"sync"
 	"time"
 	"github.com/Dreamacro/clash/adapter/outbound"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/provider"
 	types "github.com/Dreamacro/clash/constant/provider"
 	"github.com/Dreamacro/clash/log"
 	"github.com/Dreamacro/clash/tunnel"
 	"github.com/dlclark/regexp2"
 	"go.uber.org/atomic"
 	"strings"
 	"sync"
 	"time"
 )
 type GroupBase struct {
 	*outbound.Base
 	filterRegs       []*regexp2.Regexp
 	excludeFilterReg *regexp2.Regexp
 	excludeTypeArray []string
 	providers        []provider.ProxyProvider
 	failedTestMux    sync.Mutex
 	failedTimes      int
@ -33,6 +36,7 @@ type GroupBaseOption struct {
 	outbound.BaseOption
 	filter        string
 	excludeFilter string
 	excludeType   string
 	providers     []provider.ProxyProvider
 }
@ -41,6 +45,10 @@ func NewGroupBase(opt GroupBaseOption) *GroupBase {
 	if opt.excludeFilter != "" {
 		excludeFilterReg = regexp2.MustCompile(opt.excludeFilter, 0)
 	}
 	var excludeTypeArray []string
 	if opt.excludeType != "" {
 		excludeTypeArray = strings.Split(opt.excludeType, "|")
 	}
 	var filterRegs []*regexp2.Regexp
 	if opt.filter != "" {
@ -54,6 +62,7 @@ func NewGroupBase(opt GroupBaseOption) *GroupBase {
 		Base:             outbound.NewBase(opt.BaseOption),
 		filterRegs:       filterRegs,
 		excludeFilterReg: excludeFilterReg,
 		excludeTypeArray: excludeTypeArray,
 		providers:        opt.providers,
 		failedTesting:    atomic.NewBool(false),
 	}
@ -148,6 +157,25 @@ func (gb *GroupBase) GetProxies(touch bool) []C.Proxy {
 		}
 		proxies = newProxies
 	}
 	if gb.excludeTypeArray != nil {
 		var newProxies []C.Proxy
 		for _, p := range proxies {
 			mType := p.Type().String()
 			flag := false
 			for i := range gb.excludeTypeArray {
 				if strings.EqualFold(mType, gb.excludeTypeArray[i]) {
 					flag = true
 					break
 				}
 			}
 			if flag {
 				continue
 			}
 			newProxies = append(newProxies, p)
 		}
 		proxies = newProxies
 	}
 	if gb.excludeFilterReg != nil {
 		var newProxies []C.Proxy
--- a/adapter/outboundgroup/loadbalance.go
+++ b/adapter/outboundgroup/loadbalance.go
@ -5,11 +5,12 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"github.com/Dreamacro/clash/common/cache"
 	"net"
 	"time"
 	"github.com/Dreamacro/clash/adapter/outbound"
 	"github.com/Dreamacro/clash/common/cache"
 	"github.com/Dreamacro/clash/common/callback"
 	"github.com/Dreamacro/clash/common/murmur3"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
@ -83,17 +84,24 @@ func jumpHash(key uint64, buckets int32) int32 {
 // DialContext implements C.ProxyAdapter
 func (lb *LoadBalance) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (c C.Conn, err error) {
 	proxy := lb.Unwrap(metadata, true)
 	defer func() {
 		if err == nil {
 			c.AppendToChains(lb)
 			lb.onDialSuccess()
 		} else {
 			lb.onDialFailed(proxy.Type(), err)
 		}
 	}()
 	c, err = proxy.DialContext(ctx, metadata, lb.Base.DialOptions(opts...)...)
 	if err == nil {
 		c.AppendToChains(lb)
 	} else {
 		lb.onDialFailed(proxy.Type(), err)
 	}
 	c = &callback.FirstWriteCallBackConn{
 		Conn: c,
 		Callback: func(err error) {
 			if err == nil {
 				lb.onDialSuccess()
 			} else {
 				lb.onDialFailed(proxy.Type(), err)
 			}
 		},
 	}
 	return
 }
@ -115,11 +123,20 @@ func (lb *LoadBalance) SupportUDP() bool {
 }
 func strategyRoundRobin() strategyFn {
 	flag := true
 	idx := 0
 	return func(proxies []C.Proxy, metadata *C.Metadata) C.Proxy {
 		length := len(proxies)
 		for i := 0; i < length; i++ {
-			idx = (idx + 1) % length
+			flag = !flag
 			if flag {
 				idx = (idx - 1) % length
 			} else {
 				idx = (idx + 2) % length
 			}
 			if idx < 0 {
 				idx = idx + length
 			}
 			proxy := proxies[idx]
 			if proxy.Alive() {
 				return proxy
@ -229,6 +246,7 @@ func NewLoadBalance(option *GroupCommonOption, providers []provider.ProxyProvide
 			},
 			option.Filter,
 			option.ExcludeFilter,
 			option.ExcludeType,
 			providers,
 		}),
 		strategyFn: strategyFn,
--- a/adapter/outboundgroup/parser.go
+++ b/adapter/outboundgroup/parser.go
@ -31,6 +31,7 @@ type GroupCommonOption struct {
 	DisableUDP    bool     `group:"disable-udp,omitempty"`
 	Filter        string   `group:"filter,omitempty"`
 	ExcludeFilter string   `group:"exclude-filter,omitempty"`
 	ExcludeType   string   `group:"exclude-type,omitempty"`
 }
 func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, providersMap map[string]types.ProxyProvider) (C.ProxyAdapter, error) {
@ -77,7 +78,7 @@ func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, provide
 			providersMap[groupName] = pd
 		} else {
 			if groupOption.URL == "" {
-				groupOption.URL = "http://www.gstatic.com/generate_204"
+				groupOption.URL = "https://cp.cloudflare.com/generate_204"
 			}
 			if groupOption.Interval == 0 {
--- a/adapter/outboundgroup/relay.go
+++ b/adapter/outboundgroup/relay.go
@ -191,6 +191,7 @@ func NewRelay(option *GroupCommonOption, providers []provider.ProxyProvider) *Re
 			},
 			"",
 			"",
 			"",
 			providers,
 		}),
 	}
--- a/adapter/outboundgroup/selector.go
+++ b/adapter/outboundgroup/selector.go
@ -100,6 +100,7 @@ func NewSelector(option *GroupCommonOption, providers []provider.ProxyProvider)
 			},
 			option.Filter,
 			option.ExcludeFilter,
 			option.ExcludeType,
 			providers,
 		}),
 		selected:   "COMPATIBLE",
--- a/adapter/outboundgroup/urltest.go
+++ b/adapter/outboundgroup/urltest.go
@ -6,6 +6,7 @@ import (
 	"time"
 	"github.com/Dreamacro/clash/adapter/outbound"
 	"github.com/Dreamacro/clash/common/callback"
 	"github.com/Dreamacro/clash/common/singledo"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
@ -38,10 +39,20 @@ func (u *URLTest) DialContext(ctx context.Context, metadata *C.Metadata, opts ..
 	c, err = proxy.DialContext(ctx, metadata, u.Base.DialOptions(opts...)...)
 	if err == nil {
 		c.AppendToChains(u)
 		u.onDialSuccess()
 	} else {
 		u.onDialFailed(proxy.Type(), err)
 	}
 	c = &callback.FirstWriteCallBackConn{
 		Conn: c,
 		Callback: func(err error) {
 			if err == nil {
 				u.onDialSuccess()
 			} else {
 				u.onDialFailed(proxy.Type(), err)
 			}
 		},
 	}
 	return c, err
 }
@ -144,6 +155,7 @@ func NewURLTest(option *GroupCommonOption, providers []provider.ProxyProvider, o
 			option.Filter,
 			option.ExcludeFilter,
 			option.ExcludeType,
 			providers,
 		}),
 		fastSingle: singledo.NewSingle[C.Proxy](time.Second * 10),
--- a/adapter/parser.go
+++ b/adapter/parser.go
@ -2,6 +2,9 @@ package adapter
 import (
 	"fmt"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	"github.com/Dreamacro/clash/adapter/outbound"
 	"github.com/Dreamacro/clash/common/structure"
 	C "github.com/Dreamacro/clash/constant"
@ -54,6 +57,11 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 				Path:   []string{"/"},
 			},
 		}
 		if GlobalUtlsClient := tlsC.GetGlobalFingerprint(); len(GlobalUtlsClient) != 0 {
 			vmessOption.ClientFingerprint = GlobalUtlsClient
 		}
 		err = decoder.Decode(mapping, vmessOption)
 		if err != nil {
 			break
@ -61,6 +69,11 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		proxy, err = outbound.NewVmess(*vmessOption)
 	case "vless":
 		vlessOption := &outbound.VlessOption{}
 		if GlobalUtlsClient := tlsC.GetGlobalFingerprint(); len(GlobalUtlsClient) != 0 {
 			vlessOption.ClientFingerprint = GlobalUtlsClient
 		}
 		err = decoder.Decode(mapping, vlessOption)
 		if err != nil {
 			break
@ -75,6 +88,11 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		proxy, err = outbound.NewSnell(*snellOption)
 	case "trojan":
 		trojanOption := &outbound.TrojanOption{}
 		if GlobalUtlsClient := tlsC.GetGlobalFingerprint(); len(GlobalUtlsClient) != 0 {
 			trojanOption.ClientFingerprint = GlobalUtlsClient
 		}
 		err = decoder.Decode(mapping, trojanOption)
 		if err != nil {
 			break
--- a/adapter/provider/parser.go
+++ b/adapter/provider/parser.go
@ -3,10 +3,10 @@ package provider
 import (
 	"errors"
 	"fmt"
 	"github.com/Dreamacro/clash/component/resource"
 	"time"
 	"github.com/Dreamacro/clash/common/structure"
 	"github.com/Dreamacro/clash/component/resource"
 	C "github.com/Dreamacro/clash/constant"
 	types "github.com/Dreamacro/clash/constant/provider"
 )
@ -27,6 +27,7 @@ type proxyProviderSchema struct {
 	Interval      int               `provider:"interval,omitempty"`
 	Filter        string            `provider:"filter,omitempty"`
 	ExcludeFilter string            `provider:"exclude-filter,omitempty"`
 	ExcludeType   string            `provider:"exclude-type,omitempty"`
 	HealthCheck   healthCheckSchema `provider:"health-check,omitempty"`
 }
@ -63,5 +64,7 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide
 	interval := time.Duration(uint(schema.Interval)) * time.Second
 	filter := schema.Filter
 	excludeFilter := schema.ExcludeFilter
-	return NewProxySetProvider(name, interval, filter, excludeFilter, vehicle, hc)
+	excludeType := schema.ExcludeType
 	return NewProxySetProvider(name, interval, filter, excludeFilter, excludeType, vehicle, hc)
 }
--- a/adapter/provider/provider.go
+++ b/adapter/provider/provider.go
@ -5,8 +5,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"github.com/dlclark/regexp2"
 	"gopkg.in/yaml.v3"
 	"net/http"
 	"runtime"
 	"strings"
@ -19,6 +17,9 @@ import (
 	C "github.com/Dreamacro/clash/constant"
 	types "github.com/Dreamacro/clash/constant/provider"
 	"github.com/Dreamacro/clash/log"
 	"github.com/dlclark/regexp2"
 	"gopkg.in/yaml.v3"
 )
 const (
@ -141,11 +142,16 @@ func stopProxyProvider(pd *ProxySetProvider) {
 	_ = pd.Fetcher.Destroy()
 }
-func NewProxySetProvider(name string, interval time.Duration, filter string, excludeFilter string, vehicle types.Vehicle, hc *HealthCheck) (*ProxySetProvider, error) {
+func NewProxySetProvider(name string, interval time.Duration, filter string, excludeFilter string, excludeType string, vehicle types.Vehicle, hc *HealthCheck) (*ProxySetProvider, error) {
 	excludeFilterReg, err := regexp2.Compile(excludeFilter, 0)
 	if err != nil {
 		return nil, fmt.Errorf("invalid excludeFilter regex: %w", err)
 	}
 	var excludeTypeArray []string
 	if excludeType != "" {
 		excludeTypeArray = strings.Split(excludeType, "|")
 	}
 	var filterRegs []*regexp2.Regexp
 	for _, filter := range strings.Split(filter, "`") {
 		filterReg, err := regexp2.Compile(filter, 0)
@ -164,7 +170,7 @@ func NewProxySetProvider(name string, interval time.Duration, filter string, exc
 		healthCheck: hc,
 	}
-	fetcher := resource.NewFetcher[[]C.Proxy](name, interval, vehicle, proxiesParseAndFilter(filter, excludeFilter, filterRegs, excludeFilterReg), proxiesOnUpdate(pd))
+	fetcher := resource.NewFetcher[[]C.Proxy](name, interval, vehicle, proxiesParseAndFilter(filter, excludeFilter, excludeTypeArray, filterRegs, excludeFilterReg), proxiesOnUpdate(pd))
 	pd.Fetcher = fetcher
 	pd.getSubscriptionInfo()
@ -262,7 +268,7 @@ func proxiesOnUpdate(pd *proxySetProvider) func([]C.Proxy) {
 	}
 }
-func proxiesParseAndFilter(filter string, excludeFilter string, filterRegs []*regexp2.Regexp, excludeFilterReg *regexp2.Regexp) resource.Parser[[]C.Proxy] {
+func proxiesParseAndFilter(filter string, excludeFilter string, excludeTypeArray []string, filterRegs []*regexp2.Regexp, excludeFilterReg *regexp2.Regexp) resource.Parser[[]C.Proxy] {
 	return func(buf []byte) ([]C.Proxy, error) {
 		schema := &ProxySchema{}
@ -282,6 +288,28 @@ func proxiesParseAndFilter(filter string, excludeFilter string, filterRegs []*re
 		proxiesSet := map[string]struct{}{}
 		for _, filterReg := range filterRegs {
 			for idx, mapping := range schema.Proxies {
 				if nil != excludeTypeArray && len(excludeTypeArray) > 0 {
 					mType, ok := mapping["type"]
 					if !ok {
 						continue
 					}
 					pType, ok := mType.(string)
 					if !ok {
 						continue
 					}
 					flag := false
 					for i := range excludeTypeArray {
 						if strings.EqualFold(pType, excludeTypeArray[i]) {
 							flag = true
 							break
 						}
 					}
 					if flag {
 						continue
 					}
 				}
 				mName, ok := mapping["name"]
 				if !ok {
 					continue
--- a/common/buf/sing.go
+++ b/common/buf/sing.go
@ -0,0 +1,20 @@
 package buf
 import (
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 )
 type Buffer = buf.Buffer
 var StackNew = buf.StackNew
 var StackNewSize = buf.StackNewSize
 var KeepAlive = common.KeepAlive
 //go:norace
 func Dup[T any](obj T) T {
 	return common.Dup(obj)
 }
 var Must = common.Must
 var Error = common.Error
--- a/common/callback/callback.go
+++ b/common/callback/callback.go
@ -0,0 +1,25 @@
 package callback
 import (
 	C "github.com/Dreamacro/clash/constant"
 )
 type FirstWriteCallBackConn struct {
 	C.Conn
 	Callback func(error)
 	written  bool
 }
 func (c *FirstWriteCallBackConn) Write(b []byte) (n int, err error) {
 	defer func() {
 		if !c.written {
 			c.written = true
 			c.Callback(err)
 		}
 	}()
 	return c.Conn.Write(b)
 }
 func (c *FirstWriteCallBackConn) Upstream() any {
 	return c.Conn
 }
--- a/common/convert/converter.go
+++ b/common/convert/converter.go
@ -2,8 +2,10 @@ package convert
 import (
 	"bytes"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"github.com/Dreamacro/clash/log"
 	"net/url"
 	"strconv"
 	"strings"
@ -111,6 +113,12 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 				trojan["grpc-opts"] = grpcOpts
 			}
 			if fingerprint := query.Get("fp"); fingerprint == "" {
 				trojan["client-fingerprint"] = "chrome"
 			} else {
 				trojan["client-fingerprint"] = fingerprint
 			}
 			proxies = append(proxies, trojan)
 		case "vless":
@ -120,7 +128,11 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			}
 			query := urlVLess.Query()
 			vless := make(map[string]any, 20)
-			handleVShareLink(names, urlVLess, scheme, vless)
+			err = handleVShareLink(names, urlVLess, scheme, vless)
 			if err != nil {
 				log.Warnln("error:%s line:%s", err.Error(), line)
 				continue
 			}
 			if flow := query.Get("flow"); flow != "" {
 				vless["flow"] = strings.ToLower(flow)
 			}
@ -138,20 +150,16 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 				}
 				query := urlVMess.Query()
 				vmess := make(map[string]any, 20)
-				handleVShareLink(names, urlVMess, scheme, vmess)
+				err = handleVShareLink(names, urlVMess, scheme, vmess)
 				if err != nil {
 					log.Warnln("error:%s line:%s", err.Error(), line)
 					continue
 				}
 				vmess["alterId"] = 0
 				vmess["cipher"] = "auto"
 				if encryption := query.Get("encryption"); encryption != "" {
 					vmess["cipher"] = encryption
 				}
 				if packetEncoding := query.Get("packetEncoding"); packetEncoding != "" {
 					switch packetEncoding {
 					case "packet":
 						vmess["packet-addr"] = true
 					case "xudp":
 						vmess["xudp"] = true
 					}
 				}
 				proxies = append(proxies, vmess)
 				continue
 			}
@ -162,8 +170,11 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			if jsonDc.Decode(&values) != nil {
 				continue
 			}
-
+			tempName, ok := values["ps"].(string)
-			name := uniqueName(names, values["ps"].(string))
+			if !ok {
 				continue
 			}
 			name := uniqueName(names, tempName)
 			vmess := make(map[string]any, 20)
 			vmess["name"] = name
@ -177,6 +188,7 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 				vmess["alterId"] = 0
 			}
 			vmess["udp"] = true
 			vmess["xudp"] = true
 			vmess["tls"] = false
 			vmess["skip-cert-verify"] = false
@ -272,19 +284,25 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			}
 			var (
-				cipher   = urlSS.User.Username()
+				cipherRaw = urlSS.User.Username()
-				password string
+				cipher    string
 				password  string
 			)
-
+			cipher = cipherRaw
 			if password, found = urlSS.User.Password(); !found {
-				dcBuf, _ := enc.DecodeString(cipher)
+				dcBuf, err := base64.RawURLEncoding.DecodeString(cipherRaw)
-				if !strings.Contains(string(dcBuf), "2022-blake3") {
+				if err != nil {
-					dcBuf, _ = encRaw.DecodeString(cipher)
+					dcBuf, _ = enc.DecodeString(cipherRaw)
 				}
 				cipher, password, found = strings.Cut(string(dcBuf), ":")
 				if !found {
 					continue
 				}
 				err = VerifyMethod(cipher, password)
 				if err != nil {
 					dcBuf, _ = encRaw.DecodeString(cipherRaw)
 					cipher, password, found = strings.Cut(string(dcBuf), ":")
 				}
 			}
 			ss := make(map[string]any, 10)
--- a/common/convert/util.go
+++ b/common/convert/util.go
@ -2,6 +2,7 @@ package convert
 import (
 	"encoding/base64"
 	"github.com/metacubex/sing-shadowsocks/shadowimpl"
 	"math/rand"
 	"net/http"
 	"strings"
@ -314,3 +315,8 @@ func SetUserAgent(header http.Header) {
 	userAgent := RandUserAgent()
 	header.Set("User-Agent", userAgent)
 }
 func VerifyMethod(cipher, password string) (err error) {
 	_, err = shadowimpl.FetchMethod(cipher, password)
 	return
 }
--- a/common/convert/v.go
+++ b/common/convert/v.go
@ -1,15 +1,24 @@
 package convert
 import (
 	"errors"
 	"fmt"
 	"net/url"
 	"strconv"
 	"strings"
 )
-func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy map[string]any) {
+func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy map[string]any) error {
 	// Xray VMessAEAD / VLESS share link standard
 	// https://github.com/XTLS/Xray-core/discussions/716
 	query := url.Query()
 	proxy["name"] = uniqueName(names, url.Fragment)
 	if url.Hostname() == "" {
 		return errors.New("url.Hostname() is empty")
 	}
 	if url.Port() == "" {
 		return errors.New("url.Port() is empty")
 	}
 	proxy["type"] = scheme
 	proxy["server"] = url.Hostname()
 	proxy["port"] = url.Port()
@ -20,11 +29,24 @@ func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy m
 	tls := strings.ToLower(query.Get("security"))
 	if strings.HasSuffix(tls, "tls") {
 		proxy["tls"] = true
 		if fingerprint := query.Get("fp"); fingerprint == "" {
 			proxy["client-fingerprint"] = "chrome"
 		} else {
 			proxy["client-fingerprint"] = fingerprint
 		}
 	}
 	if sni := query.Get("sni"); sni != "" {
 		proxy["servername"] = sni
 	}
 	switch query.Get("packetEncoding") {
 	case "none":
 	case "packet":
 		proxy["packet-addr"] = true
 	default:
 		proxy["xudp"] = true
 	}
 	network := strings.ToLower(query.Get("type"))
 	if network == "" {
 		network = "tcp"
@ -79,6 +101,17 @@ func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy m
 		wsOpts["path"] = query.Get("path")
 		wsOpts["headers"] = headers
 		if earlyData := query.Get("ed"); earlyData != "" {
 			med, err := strconv.Atoi(earlyData)
 			if err != nil {
 				return fmt.Errorf("bad WebSocket max early data size: %v", err)
 			}
 			wsOpts["max-early-data"] = med
 		}
 		if earlyDataHeader := query.Get("eh"); earlyDataHeader != "" {
 			wsOpts["early-data-header-name"] = earlyDataHeader
 		}
 		proxy["ws-opts"] = wsOpts
 	case "grpc":
@ -86,4 +119,5 @@ func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy m
 		grpcOpts["grpc-service-name"] = query.Get("serviceName")
 		proxy["grpc-opts"] = grpcOpts
 	}
 	return nil
 }
--- a/common/generics/list/list.go
+++ b/common/generics/list/list.go
@ -5,10 +5,10 @@
 // Package list implements a doubly linked list.
 //
 // To iterate over a list (where l is a *List):
 //
 //	for e := l.Front(); e != nil; e = e.Next() {
 //		// do something with e.Value
 //	}
 //
 package list
 // Element is an element of a linked list.
--- a/common/net/bufconn.go
+++ b/common/net/bufconn.go
@ -3,18 +3,23 @@ package net
 import (
 	"bufio"
 	"net"
 	"github.com/Dreamacro/clash/common/buf"
 )
 var _ ExtendedConn = (*BufferedConn)(nil)
 type BufferedConn struct {
 	r *bufio.Reader
-	net.Conn
+	ExtendedConn
 	peeked bool
 }
 func NewBufferedConn(c net.Conn) *BufferedConn {
 	if bc, ok := c.(*BufferedConn); ok {
 		return bc
 	}
-	return &BufferedConn{bufio.NewReader(c), c}
+	return &BufferedConn{bufio.NewReader(c), NewExtendedConn(c), false}
 }
 // Reader returns the internal bufio.Reader.
@ -22,11 +27,20 @@ func (c *BufferedConn) Reader() *bufio.Reader {
 	return c.r
 }
 func (c *BufferedConn) Peeked() bool {
 	return c.peeked
 }
 // Peek returns the next n bytes without advancing the reader.
 func (c *BufferedConn) Peek(n int) ([]byte, error) {
 	c.peeked = true
 	return c.r.Peek(n)
 }
 func (c *BufferedConn) Discard(n int) (discarded int, err error) {
 	return c.r.Discard(n)
 }
 func (c *BufferedConn) Read(p []byte) (int, error) {
 	return c.r.Read(p)
 }
@ -42,3 +56,22 @@ func (c *BufferedConn) UnreadByte() error {
 func (c *BufferedConn) Buffered() int {
 	return c.r.Buffered()
 }
 func (c *BufferedConn) ReadBuffer(buffer *buf.Buffer) (err error) {
 	if c.r.Buffered() > 0 {
 		_, err = buffer.ReadOnceFrom(c.r)
 		return
 	}
 	return c.ExtendedConn.ReadBuffer(buffer)
 }
 func (c *BufferedConn) Upstream() any {
 	return c.ExtendedConn
 }
 func (c *BufferedConn) ReaderReplaceable() bool {
 	if c.r.Buffered() > 0 {
 		return false
 	}
 	return true
 }
--- a/common/net/refconn.go
+++ b/common/net/refconn.go
@ -51,6 +51,10 @@ func (c *refConn) SetWriteDeadline(t time.Time) error {
 	return c.conn.SetWriteDeadline(t)
 }
 func (c *refConn) Upstream() any {
 	return c.conn
 }
 func NewRefConn(conn net.Conn, ref any) net.Conn {
 	return &refConn{conn: conn, ref: ref}
 }
--- a/common/net/relay.go
+++ b/common/net/relay.go
@ -1,24 +1,24 @@
 package net
-import (
+//import (
-	"io"
+//	"io"
-	"net"
+//	"net"
-	"time"
+//	"time"
-)
+//)
-
+//
-// Relay copies between left and right bidirectionally.
+//// Relay copies between left and right bidirectionally.
-func Relay(leftConn, rightConn net.Conn) {
+//func Relay(leftConn, rightConn net.Conn) {
-	ch := make(chan error)
+//	ch := make(chan error)
-
+//
-	go func() {
+//	go func() {
-		// Wrapping to avoid using *net.TCPConn.(ReadFrom)
+//		// Wrapping to avoid using *net.TCPConn.(ReadFrom)
-		// See also https://github.com/Dreamacro/clash/pull/1209
+//		// See also https://github.com/Dreamacro/clash/pull/1209
-		_, err := io.Copy(WriteOnlyWriter{Writer: leftConn}, ReadOnlyReader{Reader: rightConn})
+//		_, err := io.Copy(WriteOnlyWriter{Writer: leftConn}, ReadOnlyReader{Reader: rightConn})
-		leftConn.SetReadDeadline(time.Now())
+//		leftConn.SetReadDeadline(time.Now())
-		ch <- err
+//		ch <- err
-	}()
+//	}()
-
+//
-	_, _ = io.Copy(WriteOnlyWriter{Writer: rightConn}, ReadOnlyReader{Reader: leftConn})
+//	_, _ = io.Copy(WriteOnlyWriter{Writer: rightConn}, ReadOnlyReader{Reader: leftConn})
-	rightConn.SetReadDeadline(time.Now())
+//	rightConn.SetReadDeadline(time.Now())
-	<-ch
+//	<-ch
-}
+//}
--- a/common/net/sing.go
+++ b/common/net/sing.go
@ -0,0 +1,22 @@
 package net
 import (
 	"context"
 	"net"
 	"github.com/sagernet/sing/common/bufio"
 	"github.com/sagernet/sing/common/network"
 )
 var NewExtendedConn = bufio.NewExtendedConn
 var NewExtendedWriter = bufio.NewExtendedWriter
 var NewExtendedReader = bufio.NewExtendedReader
 type ExtendedConn = network.ExtendedConn
 type ExtendedWriter = network.ExtendedWriter
 type ExtendedReader = network.ExtendedReader
 // Relay copies between left and right bidirectionally.
 func Relay(leftConn, rightConn net.Conn) {
 	_ = bufio.CopyConn(context.TODO(), leftConn, rightConn)
 }
--- a/common/net/tls.go
+++ b/common/net/tls.go
@ -1,11 +1,19 @@
 package net
 import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
 	"math/big"
 )
 func ParseCert(certificate, privateKey string) (tls.Certificate, error) {
 	if certificate == "" || privateKey == "" {
 		return newRandomTLSKeyPair()
 	}
 	cert, painTextErr := tls.X509KeyPair([]byte(certificate), []byte(privateKey))
 	if painTextErr == nil {
 		return cert, nil
@ -17,3 +25,28 @@ func ParseCert(certificate, privateKey string) (tls.Certificate, error) {
 	}
 	return cert, nil
 }
 func newRandomTLSKeyPair() (tls.Certificate, error) {
 	key, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		return tls.Certificate{}, err
 	}
 	template := x509.Certificate{SerialNumber: big.NewInt(1)}
 	certDER, err := x509.CreateCertificate(
 		rand.Reader,
 		&template,
 		&template,
 		&key.PublicKey,
 		key)
 	if err != nil {
 		return tls.Certificate{}, err
 	}
 	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
 	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
 	tlsCert, err := tls.X509KeyPair(certPEM, keyPEM)
 	if err != nil {
 		return tls.Certificate{}, err
 	}
 	return tlsCert, nil
 }
--- a/common/net/websocket.go
+++ b/common/net/websocket.go
@ -0,0 +1,131 @@
 package net
 import (
 	"encoding/binary"
 	"math/bits"
 )
 // kanged from https://github.com/nhooyr/websocket/blob/master/frame.go
 // License: MIT
 // MaskWebSocket applies the WebSocket masking algorithm to p
 // with the given key.
 // See https://tools.ietf.org/html/rfc6455#section-5.3
 //
 // The returned value is the correctly rotated key to
 // to continue to mask/unmask the message.
 //
 // It is optimized for LittleEndian and expects the key
 // to be in little endian.
 //
 // See https://github.com/golang/go/issues/31586
 func MaskWebSocket(key uint32, b []byte) uint32 {
 	if len(b) >= 8 {
 		key64 := uint64(key)<<32 | uint64(key)
 		// At some point in the future we can clean these unrolled loops up.
 		// See https://github.com/golang/go/issues/31586#issuecomment-487436401
 		// Then we xor until b is less than 128 bytes.
 		for len(b) >= 128 {
 			v := binary.LittleEndian.Uint64(b)
 			binary.LittleEndian.PutUint64(b, v^key64)
 			v = binary.LittleEndian.Uint64(b[8:16])
 			binary.LittleEndian.PutUint64(b[8:16], v^key64)
 			v = binary.LittleEndian.Uint64(b[16:24])
 			binary.LittleEndian.PutUint64(b[16:24], v^key64)
 			v = binary.LittleEndian.Uint64(b[24:32])
 			binary.LittleEndian.PutUint64(b[24:32], v^key64)
 			v = binary.LittleEndian.Uint64(b[32:40])
 			binary.LittleEndian.PutUint64(b[32:40], v^key64)
 			v = binary.LittleEndian.Uint64(b[40:48])
 			binary.LittleEndian.PutUint64(b[40:48], v^key64)
 			v = binary.LittleEndian.Uint64(b[48:56])
 			binary.LittleEndian.PutUint64(b[48:56], v^key64)
 			v = binary.LittleEndian.Uint64(b[56:64])
 			binary.LittleEndian.PutUint64(b[56:64], v^key64)
 			v = binary.LittleEndian.Uint64(b[64:72])
 			binary.LittleEndian.PutUint64(b[64:72], v^key64)
 			v = binary.LittleEndian.Uint64(b[72:80])
 			binary.LittleEndian.PutUint64(b[72:80], v^key64)
 			v = binary.LittleEndian.Uint64(b[80:88])
 			binary.LittleEndian.PutUint64(b[80:88], v^key64)
 			v = binary.LittleEndian.Uint64(b[88:96])
 			binary.LittleEndian.PutUint64(b[88:96], v^key64)
 			v = binary.LittleEndian.Uint64(b[96:104])
 			binary.LittleEndian.PutUint64(b[96:104], v^key64)
 			v = binary.LittleEndian.Uint64(b[104:112])
 			binary.LittleEndian.PutUint64(b[104:112], v^key64)
 			v = binary.LittleEndian.Uint64(b[112:120])
 			binary.LittleEndian.PutUint64(b[112:120], v^key64)
 			v = binary.LittleEndian.Uint64(b[120:128])
 			binary.LittleEndian.PutUint64(b[120:128], v^key64)
 			b = b[128:]
 		}
 		// Then we xor until b is less than 64 bytes.
 		for len(b) >= 64 {
 			v := binary.LittleEndian.Uint64(b)
 			binary.LittleEndian.PutUint64(b, v^key64)
 			v = binary.LittleEndian.Uint64(b[8:16])
 			binary.LittleEndian.PutUint64(b[8:16], v^key64)
 			v = binary.LittleEndian.Uint64(b[16:24])
 			binary.LittleEndian.PutUint64(b[16:24], v^key64)
 			v = binary.LittleEndian.Uint64(b[24:32])
 			binary.LittleEndian.PutUint64(b[24:32], v^key64)
 			v = binary.LittleEndian.Uint64(b[32:40])
 			binary.LittleEndian.PutUint64(b[32:40], v^key64)
 			v = binary.LittleEndian.Uint64(b[40:48])
 			binary.LittleEndian.PutUint64(b[40:48], v^key64)
 			v = binary.LittleEndian.Uint64(b[48:56])
 			binary.LittleEndian.PutUint64(b[48:56], v^key64)
 			v = binary.LittleEndian.Uint64(b[56:64])
 			binary.LittleEndian.PutUint64(b[56:64], v^key64)
 			b = b[64:]
 		}
 		// Then we xor until b is less than 32 bytes.
 		for len(b) >= 32 {
 			v := binary.LittleEndian.Uint64(b)
 			binary.LittleEndian.PutUint64(b, v^key64)
 			v = binary.LittleEndian.Uint64(b[8:16])
 			binary.LittleEndian.PutUint64(b[8:16], v^key64)
 			v = binary.LittleEndian.Uint64(b[16:24])
 			binary.LittleEndian.PutUint64(b[16:24], v^key64)
 			v = binary.LittleEndian.Uint64(b[24:32])
 			binary.LittleEndian.PutUint64(b[24:32], v^key64)
 			b = b[32:]
 		}
 		// Then we xor until b is less than 16 bytes.
 		for len(b) >= 16 {
 			v := binary.LittleEndian.Uint64(b)
 			binary.LittleEndian.PutUint64(b, v^key64)
 			v = binary.LittleEndian.Uint64(b[8:16])
 			binary.LittleEndian.PutUint64(b[8:16], v^key64)
 			b = b[16:]
 		}
 		// Then we xor until b is less than 8 bytes.
 		for len(b) >= 8 {
 			v := binary.LittleEndian.Uint64(b)
 			binary.LittleEndian.PutUint64(b, v^key64)
 			b = b[8:]
 		}
 	}
 	// Then we xor until b is less than 4 bytes.
 	for len(b) >= 4 {
 		v := binary.LittleEndian.Uint32(b)
 		binary.LittleEndian.PutUint32(b, v^key)
 		b = b[4:]
 	}
 	// xor remaining bytes.
 	for i := range b {
 		b[i] ^= byte(key)
 		key = bits.RotateLeft32(key, -8)
 	}
 	return key
 }
--- a/component/dialer/bind_darwin.go
+++ b/component/dialer/bind_darwin.go
@ -1,6 +1,7 @@
 package dialer
 import (
 	"context"
 	"net"
 	"net/netip"
 	"syscall"
@ -10,16 +11,8 @@ import (
 	"golang.org/x/sys/unix"
 )
-type controlFn = func(network, address string, c syscall.RawConn) error
+func bindControl(ifaceIdx int) controlFn {
-
+	return func(ctx context.Context, network, address string, c syscall.RawConn) (err error) {
 func bindControl(ifaceIdx int, chain controlFn) controlFn {
 	return func(network, address string, c syscall.RawConn) (err error) {
 		defer func() {
 			if err == nil && chain != nil {
 				err = chain(network, address, c)
 			}
 		}()
 		addrPort, err := netip.ParseAddrPort(address)
 		if err == nil && !addrPort.Addr().IsGlobalUnicast() {
 			return
@ -49,7 +42,7 @@ func bindIfaceToDialer(ifaceName string, dialer *net.Dialer, _ string, _ netip.A
 		return err
 	}
-	dialer.Control = bindControl(ifaceObj.Index, dialer.Control)
+	addControlToDialer(dialer, bindControl(ifaceObj.Index))
 	return nil
 }
@ -59,6 +52,10 @@ func bindIfaceToListenConfig(ifaceName string, lc *net.ListenConfig, _, address
 		return "", err
 	}
-	lc.Control = bindControl(ifaceObj.Index, lc.Control)
+	addControlToListenConfig(lc, bindControl(ifaceObj.Index))
 	return address, nil
 }
 func ParseNetwork(network string, addr netip.Addr) string {
 	return network
 }
--- a/component/dialer/bind_linux.go
+++ b/component/dialer/bind_linux.go
@ -1,6 +1,7 @@
 package dialer
 import (
 	"context"
 	"net"
 	"net/netip"
 	"syscall"
@ -8,16 +9,8 @@ import (
 	"golang.org/x/sys/unix"
 )
-type controlFn = func(network, address string, c syscall.RawConn) error
+func bindControl(ifaceName string) controlFn {
-
+	return func(ctx context.Context, network, address string, c syscall.RawConn) (err error) {
 func bindControl(ifaceName string, chain controlFn) controlFn {
 	return func(network, address string, c syscall.RawConn) (err error) {
 		defer func() {
 			if err == nil && chain != nil {
 				err = chain(network, address, c)
 			}
 		}()
 		addrPort, err := netip.ParseAddrPort(address)
 		if err == nil && !addrPort.Addr().IsGlobalUnicast() {
 			return
@ -37,13 +30,17 @@ func bindControl(ifaceName string, chain controlFn) controlFn {
 }
 func bindIfaceToDialer(ifaceName string, dialer *net.Dialer, _ string, _ netip.Addr) error {
-	dialer.Control = bindControl(ifaceName, dialer.Control)
+	addControlToDialer(dialer, bindControl(ifaceName))
 	return nil
 }
 func bindIfaceToListenConfig(ifaceName string, lc *net.ListenConfig, _, address string) (string, error) {
-	lc.Control = bindControl(ifaceName, lc.Control)
+	addControlToListenConfig(lc, bindControl(ifaceName))
 	return address, nil
 }
 func ParseNetwork(network string, addr netip.Addr) string {
 	return network
 }
--- a/component/dialer/bind_others.go
+++ b/component/dialer/bind_others.go
@ -1,4 +1,4 @@
-//go:build !linux && !darwin
+//go:build !linux && !darwin && !windows
 package dialer
@ -91,3 +91,13 @@ func bindIfaceToListenConfig(ifaceName string, _ *net.ListenConfig, network, add
 	return addr.String(), nil
 }
 func ParseNetwork(network string, addr netip.Addr) string {
 	// fix bindIfaceToListenConfig() force bind to an ipv4 address
 	if !strings.HasSuffix(network, "4") &&
 		!strings.HasSuffix(network, "6") &&
 		addr.Unmap().Is6() {
 		network += "6"
 	}
 	return network
 }
--- a/component/dialer/bind_windows.go
+++ b/component/dialer/bind_windows.go
@ -0,0 +1,92 @@
 package dialer
 import (
 	"context"
 	"encoding/binary"
 	"net"
 	"net/netip"
 	"syscall"
 	"unsafe"
 	"github.com/Dreamacro/clash/component/iface"
 )
 const (
 	IP_UNICAST_IF   = 31
 	IPV6_UNICAST_IF = 31
 )
 func bind4(handle syscall.Handle, ifaceIdx int) error {
 	var bytes [4]byte
 	binary.BigEndian.PutUint32(bytes[:], uint32(ifaceIdx))
 	idx := *(*uint32)(unsafe.Pointer(&bytes[0]))
 	return syscall.SetsockoptInt(handle, syscall.IPPROTO_IP, IP_UNICAST_IF, int(idx))
 }
 func bind6(handle syscall.Handle, ifaceIdx int) error {
 	return syscall.SetsockoptInt(handle, syscall.IPPROTO_IPV6, IPV6_UNICAST_IF, ifaceIdx)
 }
 func bindControl(ifaceIdx int) controlFn {
 	return func(ctx context.Context, network, address string, c syscall.RawConn) (err error) {
 		addrPort, err := netip.ParseAddrPort(address)
 		if err == nil && !addrPort.Addr().IsGlobalUnicast() {
 			return
 		}
 		var innerErr error
 		err = c.Control(func(fd uintptr) {
 			handle := syscall.Handle(fd)
 			bind6err := bind6(handle, ifaceIdx)
 			bind4err := bind4(handle, ifaceIdx)
 			switch network {
 			case "ip6", "tcp6":
 				innerErr = bind6err
 			case "ip4", "tcp4", "udp4":
 				innerErr = bind4err
 			case "udp6":
 				// golang will set network to udp6 when listenUDP on wildcard ip (eg: ":0", "")
 				if (!addrPort.Addr().IsValid() || addrPort.Addr().IsUnspecified()) && bind6err != nil {
 					// try bind ipv6, if failed, ignore. it's a workaround for windows disable interface ipv6
 					if bind4err != nil {
 						innerErr = bind6err
 					} else {
 						innerErr = bind4err
 					}
 				} else {
 					innerErr = bind6err
 				}
 			}
 		})
 		if innerErr != nil {
 			err = innerErr
 		}
 		return
 	}
 }
 func bindIfaceToDialer(ifaceName string, dialer *net.Dialer, _ string, _ netip.Addr) error {
 	ifaceObj, err := iface.ResolveInterface(ifaceName)
 	if err != nil {
 		return err
 	}
 	addControlToDialer(dialer, bindControl(ifaceObj.Index))
 	return nil
 }
 func bindIfaceToListenConfig(ifaceName string, lc *net.ListenConfig, _, address string) (string, error) {
 	ifaceObj, err := iface.ResolveInterface(ifaceName)
 	if err != nil {
 		return "", err
 	}
 	addControlToListenConfig(lc, bindControl(ifaceObj.Index))
 	return address, nil
 }
 func ParseNetwork(network string, addr netip.Addr) string {
 	return network
 }
--- a/component/dialer/control.go
+++ b/component/dialer/control.go
@ -0,0 +1,22 @@
 package dialer
 import (
 	"context"
 	"net"
 	"syscall"
 )
 type controlFn = func(ctx context.Context, network, address string, c syscall.RawConn) error
 func addControlToListenConfig(lc *net.ListenConfig, fn controlFn) {
 	llc := *lc
 	lc.Control = func(network, address string, c syscall.RawConn) (err error) {
 		switch {
 		case llc.Control != nil:
 			if err = llc.Control(network, address, c); err != nil {
 				return
 			}
 		}
 		return fn(context.Background(), network, address, c)
 	}
 }
--- a/component/dialer/control_go119.go
+++ b/component/dialer/control_go119.go
@ -0,0 +1,22 @@
 //go:build !go1.20
 package dialer
 import (
 	"context"
 	"net"
 	"syscall"
 )
 func addControlToDialer(d *net.Dialer, fn controlFn) {
 	ld := *d
 	d.Control = func(network, address string, c syscall.RawConn) (err error) {
 		switch {
 		case ld.Control != nil:
 			if err = ld.Control(network, address, c); err != nil {
 				return
 			}
 		}
 		return fn(context.Background(), network, address, c)
 	}
 }
--- a/component/dialer/control_go120.go
+++ b/component/dialer/control_go120.go
@ -0,0 +1,26 @@
 //go:build go1.20
 package dialer
 import (
 	"context"
 	"net"
 	"syscall"
 )
 func addControlToDialer(d *net.Dialer, fn controlFn) {
 	ld := *d
 	d.ControlContext = func(ctx context.Context, network, address string, c syscall.RawConn) (err error) {
 		switch {
 		case ld.ControlContext != nil:
 			if err = ld.ControlContext(ctx, network, address, c); err != nil {
 				return
 			}
 		case ld.Control != nil:
 			if err = ld.Control(network, address, c); err != nil {
 				return
 			}
 		}
 		return fn(ctx, network, address, c)
 	}
 }
--- a/component/dialer/dialer.go
+++ b/component/dialer/dialer.go
@ -6,7 +6,6 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
 	"runtime"
 	"strings"
 	"sync"
@ -25,17 +24,6 @@ var (
 	ErrorDisableIPv6           = errors.New("IPv6 is disabled, dialer cancel")
 )
 func ParseNetwork(network string, addr netip.Addr) string {
 	if runtime.GOOS == "windows" { // fix bindIfaceToListenConfig() in windows force bind to an ipv4 address
 		if !strings.HasSuffix(network, "4") &&
 			!strings.HasSuffix(network, "6") &&
 			addr.Unmap().Is6() {
 			network += "6"
 		}
 	}
 	return network
 }
 func applyOptions(options ...Option) *option {
 	opt := &option{
 		interfaceName: DefaultInterface.Load(),
@ -77,18 +65,7 @@ func DialContext(ctx context.Context, network, address string, options ...Option
 }
 func ListenPacket(ctx context.Context, network, address string, options ...Option) (net.PacketConn, error) {
-	cfg := &option{
+	cfg := applyOptions(options...)
 		interfaceName: DefaultInterface.Load(),
 		routingMark:   int(DefaultRoutingMark.Load()),
 	}
 	for _, o := range DefaultOptions {
 		o(cfg)
 	}
 	for _, o := range options {
 		o(cfg)
 	}
 	lc := &net.ListenConfig{}
 	if cfg.interfaceName != "" {
@ -141,7 +118,40 @@ func dialContext(ctx context.Context, network string, destination netip.Addr, po
 		return nil, ErrorDisableIPv6
 	}
-	return dialer.DialContext(ctx, network, net.JoinHostPort(destination.String(), port))
+	address := net.JoinHostPort(destination.String(), port)
 	if opt.tfo {
 		return dialTFO(ctx, *dialer, network, address)
 	}
 	return dialer.DialContext(ctx, network, address)
 }
 func singleDialContext(ctx context.Context, network string, address string, opt *option) (net.Conn, error) {
 	host, port, err := net.SplitHostPort(address)
 	if err != nil {
 		return nil, err
 	}
 	var ip netip.Addr
 	switch network {
 	case "tcp4", "udp4":
 		if opt.resolver == nil {
 			ip, err = resolver.ResolveIPv4ProxyServerHost(ctx, host)
 		} else {
 			ip, err = resolver.ResolveIPv4WithResolver(ctx, host, opt.resolver)
 		}
 	default:
 		if opt.resolver == nil {
 			ip, err = resolver.ResolveIPv6ProxyServerHost(ctx, host)
 		} else {
 			ip, err = resolver.ResolveIPv6WithResolver(ctx, host, opt.resolver)
 		}
 	}
 	if err != nil {
 		err = fmt.Errorf("dns resolve failed:%w", err)
 		return nil, err
 	}
 	return dialContext(ctx, network, ip, port, opt)
 }
 func dualStackDialContext(ctx context.Context, network, address string, opt *option) (net.Conn, error) {
@ -190,6 +200,7 @@ func dualStackDialContext(ctx context.Context, network, address string, opt *opt
 			}
 		}
 		if result.error != nil {
 			result.error = fmt.Errorf("dns resolve failed:%w", result.error)
 			return
 		}
 		result.resolved = true
@ -237,26 +248,6 @@ func dualStackDialContext(ctx context.Context, network, address string, opt *opt
 	return nil, err
 }
 func concurrentDualStackDialContext(ctx context.Context, network, address string, opt *option) (net.Conn, error) {
 	host, port, err := net.SplitHostPort(address)
 	if err != nil {
 		return nil, err
 	}
 	var ips []netip.Addr
 	if opt.resolver != nil {
 		ips, err = resolver.LookupIPWithResolver(ctx, host, opt.resolver)
 	} else {
 		ips, err = resolver.LookupIPProxyServerHost(ctx, host)
 	}
 	if err != nil {
 		return nil, err
 	}
 	return concurrentDialContext(ctx, network, ips, port, opt)
 }
 func concurrentDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
 	returned := make(chan struct{})
 	defer close(returned)
@ -368,77 +359,51 @@ func concurrentDialContext(ctx context.Context, network string, ips []netip.Addr
 	return nil, finalError
 }
 func singleDialContext(ctx context.Context, network string, address string, opt *option) (net.Conn, error) {
 	host, port, err := net.SplitHostPort(address)
 	if err != nil {
 		return nil, err
 	}
 	var ip netip.Addr
 	switch network {
 	case "tcp4", "udp4":
 		if opt.resolver == nil {
 			ip, err = resolver.ResolveIPv4ProxyServerHost(ctx, host)
 		} else {
 			ip, err = resolver.ResolveIPv4WithResolver(ctx, host, opt.resolver)
 		}
 	default:
 		if opt.resolver == nil {
 			ip, err = resolver.ResolveIPv6ProxyServerHost(ctx, host)
 		} else {
 			ip, err = resolver.ResolveIPv6WithResolver(ctx, host, opt.resolver)
 		}
 	}
 	if err != nil {
 		return nil, err
 	}
 	return dialContext(ctx, network, ip, port, opt)
 }
 func concurrentSingleDialContext(ctx context.Context, network string, address string, opt *option) (net.Conn, error) {
 	switch network {
 	case "tcp4", "udp4":
 		return concurrentIPv4DialContext(ctx, network, address, opt)
 	default:
 		return concurrentIPv6DialContext(ctx, network, address, opt)
 	}
 }
 func concurrentIPv4DialContext(ctx context.Context, network, address string, opt *option) (net.Conn, error) {
 	host, port, err := net.SplitHostPort(address)
 	if err != nil {
 		return nil, err
 	}
 	var ips []netip.Addr
-	if opt.resolver == nil {
+	switch network {
-		ips, err = resolver.LookupIPv4ProxyServerHost(ctx, host)
+	case "tcp4", "udp4":
-	} else {
+		if opt.resolver == nil {
-		ips, err = resolver.LookupIPv4WithResolver(ctx, host, opt.resolver)
+			ips, err = resolver.LookupIPv4ProxyServerHost(ctx, host)
 		} else {
 			ips, err = resolver.LookupIPv4WithResolver(ctx, host, opt.resolver)
 		}
 	default:
 		if opt.resolver == nil {
 			ips, err = resolver.LookupIPv6ProxyServerHost(ctx, host)
 		} else {
 			ips, err = resolver.LookupIPv6WithResolver(ctx, host, opt.resolver)
 		}
 	}
 	if err != nil {
 		err = fmt.Errorf("dns resolve failed:%w", err)
 		return nil, err
 	}
 	return concurrentDialContext(ctx, network, ips, port, opt)
 }
-func concurrentIPv6DialContext(ctx context.Context, network, address string, opt *option) (net.Conn, error) {
+func concurrentDualStackDialContext(ctx context.Context, network, address string, opt *option) (net.Conn, error) {
 	host, port, err := net.SplitHostPort(address)
 	if err != nil {
 		return nil, err
 	}
 	var ips []netip.Addr
-	if opt.resolver == nil {
+	if opt.resolver != nil {
-		ips, err = resolver.LookupIPv6ProxyServerHost(ctx, host)
+		ips, err = resolver.LookupIPWithResolver(ctx, host, opt.resolver)
 	} else {
-		ips, err = resolver.LookupIPv6WithResolver(ctx, host, opt.resolver)
+		ips, err = resolver.LookupIPProxyServerHost(ctx, host)
 	}
 	if err != nil {
 		err = fmt.Errorf("dns resolve failed:%w", err)
 		return nil, err
 	}
--- a/component/dialer/mark_linux.go
+++ b/component/dialer/mark_linux.go
@ -3,26 +3,22 @@
 package dialer
 import (
 	"context"
 	"net"
 	"net/netip"
 	"syscall"
 )
 func bindMarkToDialer(mark int, dialer *net.Dialer, _ string, _ netip.Addr) {
-	dialer.Control = bindMarkToControl(mark, dialer.Control)
+	addControlToDialer(dialer, bindMarkToControl(mark))
 }
 func bindMarkToListenConfig(mark int, lc *net.ListenConfig, _, _ string) {
-	lc.Control = bindMarkToControl(mark, lc.Control)
+	addControlToListenConfig(lc, bindMarkToControl(mark))
 }
-func bindMarkToControl(mark int, chain controlFn) controlFn {
+func bindMarkToControl(mark int) controlFn {
-	return func(network, address string, c syscall.RawConn) (err error) {
+	return func(ctx context.Context, network, address string, c syscall.RawConn) (err error) {
 		defer func() {
 			if err == nil && chain != nil {
 				err = chain(network, address, c)
 			}
 		}()
 		addrPort, err := netip.ParseAddrPort(address)
 		if err == nil && !addrPort.Addr().IsGlobalUnicast() {
--- a/component/dialer/options.go
+++ b/component/dialer/options.go
@ -18,6 +18,7 @@ type option struct {
 	routingMark   int
 	network       int
 	prefer        int
 	tfo           bool
 	resolver      resolver.Resolver
 }
@ -69,6 +70,12 @@ func WithOnlySingleStack(isIPv4 bool) Option {
 	}
 }
 func WithTFO(tfo bool) Option {
 	return func(opt *option) {
 		opt.tfo = tfo
 	}
 }
 func WithOption(o option) Option {
 	return func(opt *option) {
 		*opt = o
--- a/component/dialer/reuse_unix.go
+++ b/component/dialer/reuse_unix.go
@ -3,6 +3,7 @@
 package dialer
 import (
 	"context"
 	"net"
 	"syscall"
@ -10,18 +11,10 @@ import (
 )
 func addrReuseToListenConfig(lc *net.ListenConfig) {
-	chain := lc.Control
+	addControlToListenConfig(lc, func(ctx context.Context, network, address string, c syscall.RawConn) error {
 	lc.Control = func(network, address string, c syscall.RawConn) (err error) {
 		defer func() {
 			if err == nil && chain != nil {
 				err = chain(network, address, c)
 			}
 		}()
 		return c.Control(func(fd uintptr) {
 			unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, unix.SO_REUSEADDR, 1)
 			unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, unix.SO_REUSEPORT, 1)
 		})
-	}
+	})
 }
--- a/component/dialer/reuse_windows.go
+++ b/component/dialer/reuse_windows.go
@ -1,6 +1,7 @@
 package dialer
 import (
 	"context"
 	"net"
 	"syscall"
@ -8,17 +9,9 @@ import (
 )
 func addrReuseToListenConfig(lc *net.ListenConfig) {
-	chain := lc.Control
+	addControlToListenConfig(lc, func(ctx context.Context, network, address string, c syscall.RawConn) error {
 	lc.Control = func(network, address string, c syscall.RawConn) (err error) {
 		defer func() {
 			if err == nil && chain != nil {
 				err = chain(network, address, c)
 			}
 		}()
 		return c.Control(func(fd uintptr) {
 			windows.SetsockoptInt(windows.Handle(fd), windows.SOL_SOCKET, windows.SO_REUSEADDR, 1)
 		})
-	}
+	})
 }
--- a/component/dialer/tfo.go
+++ b/component/dialer/tfo.go
@ -0,0 +1,119 @@
 package dialer
 import (
 	"context"
 	"github.com/sagernet/tfo-go"
 	"io"
 	"net"
 	"time"
 )
 type tfoConn struct {
 	net.Conn
 	closed bool
 	dialed chan bool
 	cancel context.CancelFunc
 	ctx    context.Context
 	dialFn func(ctx context.Context, earlyData []byte) (net.Conn, error)
 }
 func (c *tfoConn) Dial(earlyData []byte) (err error) {
 	c.Conn, err = c.dialFn(c.ctx, earlyData)
 	if err != nil {
 		return
 	}
 	c.dialed <- true
 	return err
 }
 func (c *tfoConn) Read(b []byte) (n int, err error) {
 	if c.closed {
 		return 0, io.ErrClosedPipe
 	}
 	if c.Conn == nil {
 		select {
 		case <-c.ctx.Done():
 			return 0, io.ErrUnexpectedEOF
 		case <-c.dialed:
 		}
 	}
 	return c.Conn.Read(b)
 }
 func (c *tfoConn) Write(b []byte) (n int, err error) {
 	if c.closed {
 		return 0, io.ErrClosedPipe
 	}
 	if c.Conn == nil {
 		if err := c.Dial(b); err != nil {
 			return 0, err
 		}
 		return len(b), nil
 	}
 	return c.Conn.Write(b)
 }
 func (c *tfoConn) Close() error {
 	c.closed = true
 	c.cancel()
 	if c.Conn == nil {
 		return nil
 	}
 	return c.Conn.Close()
 }
 func (c *tfoConn) LocalAddr() net.Addr {
 	if c.Conn == nil {
 		return nil
 	}
 	return c.Conn.LocalAddr()
 }
 func (c *tfoConn) RemoteAddr() net.Addr {
 	if c.Conn == nil {
 		return nil
 	}
 	return c.Conn.RemoteAddr()
 }
 func (c *tfoConn) SetDeadline(t time.Time) error {
 	if err := c.SetReadDeadline(t); err != nil {
 		return err
 	}
 	return c.SetWriteDeadline(t)
 }
 func (c *tfoConn) SetReadDeadline(t time.Time) error {
 	if c.Conn == nil {
 		return nil
 	}
 	return c.Conn.SetReadDeadline(t)
 }
 func (c *tfoConn) SetWriteDeadline(t time.Time) error {
 	if c.Conn == nil {
 		return nil
 	}
 	return c.Conn.SetWriteDeadline(t)
 }
 func (c *tfoConn) Upstream() any {
 	if c.Conn == nil { // ensure return a nil interface not an interface with nil value
 		return nil
 	}
 	return c.Conn
 }
 func dialTFO(ctx context.Context, netDialer net.Dialer, network, address string) (net.Conn, error) {
 	ctx, cancel := context.WithCancel(ctx)
 	dialer := tfo.Dialer{Dialer: netDialer, DisableTFO: false}
 	return &tfoConn{
 		dialed: make(chan bool, 1),
 		cancel: cancel,
 		ctx:    ctx,
 		dialFn: func(ctx context.Context, earlyData []byte) (net.Conn, error) {
 			return dialer.DialContext(ctx, network, address, earlyData)
 		},
 	}, nil
 }
--- a/component/ebpf/redir/bpf_bpfeb.go
+++ b/component/ebpf/redir/bpf_bpfeb.go
@ -41,9 +41,9 @@ func loadBpf() (*ebpf.CollectionSpec, error) {
 //
 // The following types are suitable as obj argument:
 //
-//     *bpfObjects
+//	*bpfObjects
-//     *bpfPrograms
+//	*bpfPrograms
-//     *bpfMaps
+//	*bpfMaps
 //
 // See ebpf.CollectionSpec.LoadAndAssign documentation for details.
 func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error {
@ -134,5 +134,6 @@ func _BpfClose(closers ...io.Closer) error {
 }
 // Do not access this directly.
 //
 //go:embed bpf_bpfeb.o
 var _BpfBytes []byte
--- a/component/ebpf/redir/bpf_bpfel.go
+++ b/component/ebpf/redir/bpf_bpfel.go
@ -41,9 +41,9 @@ func loadBpf() (*ebpf.CollectionSpec, error) {
 //
 // The following types are suitable as obj argument:
 //
-//     *bpfObjects
+//	*bpfObjects
-//     *bpfPrograms
+//	*bpfPrograms
-//     *bpfMaps
+//	*bpfMaps
 //
 // See ebpf.CollectionSpec.LoadAndAssign documentation for details.
 func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error {
@ -134,5 +134,6 @@ func _BpfClose(closers ...io.Closer) error {
 }
 // Do not access this directly.
 //
 //go:embed bpf_bpfel.o
 var _BpfBytes []byte
--- a/component/ebpf/tc/bpf_bpfeb.go
+++ b/component/ebpf/tc/bpf_bpfeb.go
@ -28,9 +28,9 @@ func loadBpf() (*ebpf.CollectionSpec, error) {
 //
 // The following types are suitable as obj argument:
 //
-//     *bpfObjects
+//	*bpfObjects
-//     *bpfPrograms
+//	*bpfPrograms
-//     *bpfMaps
+//	*bpfMaps
 //
 // See ebpf.CollectionSpec.LoadAndAssign documentation for details.
 func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error {
@ -115,5 +115,6 @@ func _BpfClose(closers ...io.Closer) error {
 }
 // Do not access this directly.
 //
 //go:embed bpf_bpfeb.o
 var _BpfBytes []byte
--- a/component/ebpf/tc/bpf_bpfel.go
+++ b/component/ebpf/tc/bpf_bpfel.go
@ -28,9 +28,9 @@ func loadBpf() (*ebpf.CollectionSpec, error) {
 //
 // The following types are suitable as obj argument:
 //
-//     *bpfObjects
+//	*bpfObjects
-//     *bpfPrograms
+//	*bpfPrograms
-//     *bpfMaps
+//	*bpfMaps
 //
 // See ebpf.CollectionSpec.LoadAndAssign documentation for details.
 func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error {
@ -115,5 +115,6 @@ func _BpfClose(closers ...io.Closer) error {
 }
 // Do not access this directly.
 //
 //go:embed bpf_bpfel.o
 var _BpfBytes []byte
--- a/component/geodata/init.go
+++ b/component/geodata/init.go
@ -2,6 +2,7 @@ package geodata
 import (
 	"fmt"
 	"github.com/Dreamacro/clash/component/mmdb"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
 	"io"
@ -9,7 +10,8 @@ import (
 	"os"
 )
-var initFlag bool
+var initGeoSite bool
 var initGeoIP int
 func InitGeoSite() error {
 	if _, err := os.Stat(C.Path.GeoSite()); os.IsNotExist(err) {
@ -18,8 +20,9 @@ func InitGeoSite() error {
 			return fmt.Errorf("can't download GeoSite.dat: %s", err.Error())
 		}
 		log.Infoln("Download GeoSite.dat finish")
 		initGeoSite = false
 	}
-	if !initFlag {
+	if !initGeoSite {
 		if err := Verify(C.GeositeName); err != nil {
 			log.Warnln("GeoSite.dat invalid, remove and download: %s", err)
 			if err := os.Remove(C.Path.GeoSite()); err != nil {
@ -29,7 +32,7 @@ func InitGeoSite() error {
 				return fmt.Errorf("can't download GeoSite.dat: %s", err.Error())
 			}
 		}
-		initFlag = true
+		initGeoSite = true
 	}
 	return nil
 }
@ -50,3 +53,68 @@ func downloadGeoSite(path string) (err error) {
 	return err
 }
 func downloadGeoIP(path string) (err error) {
 	resp, err := http.Get(C.GeoIpUrl)
 	if err != nil {
 		return
 	}
 	defer resp.Body.Close()
 	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0o644)
 	if err != nil {
 		return err
 	}
 	defer f.Close()
 	_, err = io.Copy(f, resp.Body)
 	return err
 }
 func InitGeoIP() error {
 	if C.GeodataMode {
 		if _, err := os.Stat(C.Path.GeoIP()); os.IsNotExist(err) {
 			log.Infoln("Can't find GeoIP.dat, start download")
 			if err := downloadGeoIP(C.Path.GeoIP()); err != nil {
 				return fmt.Errorf("can't download GeoIP.dat: %s", err.Error())
 			}
 			log.Infoln("Download GeoIP.dat finish")
 			initGeoIP = 0
 		}
 		if initGeoIP != 1 {
 			if err := Verify(C.GeoipName); err != nil {
 				log.Warnln("GeoIP.dat invalid, remove and download: %s", err)
 				if err := os.Remove(C.Path.GeoIP()); err != nil {
 					return fmt.Errorf("can't remove invalid GeoIP.dat: %s", err.Error())
 				}
 				if err := downloadGeoIP(C.Path.GeoIP()); err != nil {
 					return fmt.Errorf("can't download GeoIP.dat: %s", err.Error())
 				}
 			}
 			initGeoIP = 1
 		}
 		return nil
 	}
 	if _, err := os.Stat(C.Path.MMDB()); os.IsNotExist(err) {
 		log.Infoln("Can't find MMDB, start download")
 		if err := mmdb.DownloadMMDB(C.Path.MMDB()); err != nil {
 			return fmt.Errorf("can't download MMDB: %s", err.Error())
 		}
 	}
 	if initGeoIP != 2 {
 		if !mmdb.Verify() {
 			log.Warnln("MMDB invalid, remove and download")
 			if err := os.Remove(C.Path.MMDB()); err != nil {
 				return fmt.Errorf("can't remove invalid MMDB: %s", err.Error())
 			}
 			if err := mmdb.DownloadMMDB(C.Path.MMDB()); err != nil {
 				return fmt.Errorf("can't download MMDB: %s", err.Error())
 			}
 		}
 		initGeoIP = 2
 	}
 	return nil
 }
--- a/component/http/http.go
+++ b/component/http/http.go
@ -13,7 +13,7 @@ import (
 )
 const (
-	UA = "Clash"
+	UA = "clash.meta"
 )
 func HttpRequest(ctx context.Context, url, method string, header map[string][]string, body io.Reader) (*http.Response, error) {
--- a/component/mmdb/mmdb.go
+++ b/component/mmdb/mmdb.go
@ -2,6 +2,9 @@ package mmdb
 import (
 	"github.com/oschwald/geoip2-golang"
 	"io"
 	"net/http"
 	"os"
 	"sync"
 	C "github.com/Dreamacro/clash/constant"
@ -42,3 +45,20 @@ func Instance() *geoip2.Reader {
 	return mmdb
 }
 func DownloadMMDB(path string) (err error) {
 	resp, err := http.Get(C.MmdbUrl)
 	if err != nil {
 		return
 	}
 	defer resp.Body.Close()
 	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0o644)
 	if err != nil {
 		return err
 	}
 	defer f.Close()
 	_, err = io.Copy(f, resp.Body)
 	return err
 }
--- a/component/nat/table.go
+++ b/component/nat/table.go
@ -1,6 +1,7 @@
 package nat
 import (
 	"net"
 	"sync"
 	C "github.com/Dreamacro/clash/constant"
@ -10,16 +11,24 @@ type Table struct {
 	mapping sync.Map
 }
-func (t *Table) Set(key string, pc C.PacketConn) {
+type Entry struct {
-	t.mapping.Store(key, pc)
+	PacketConn      C.PacketConn
 	LocalUDPConnMap sync.Map
 }
 func (t *Table) Set(key string, e C.PacketConn) {
 	t.mapping.Store(key, &Entry{
 		PacketConn:      e,
 		LocalUDPConnMap: sync.Map{},
 	})
 }
 func (t *Table) Get(key string) C.PacketConn {
-	item, exist := t.mapping.Load(key)
+	entry, exist := t.getEntry(key)
 	if !exist {
 		return nil
 	}
-	return item.(C.PacketConn)
+	return entry.PacketConn
 }
 func (t *Table) GetOrCreateLock(key string) (*sync.Cond, bool) {
@ -31,6 +40,62 @@ func (t *Table) Delete(key string) {
 	t.mapping.Delete(key)
 }
 func (t *Table) GetLocalConn(lAddr, rAddr string) *net.UDPConn {
 	entry, exist := t.getEntry(lAddr)
 	if !exist {
 		return nil
 	}
 	item, exist := entry.LocalUDPConnMap.Load(rAddr)
 	if !exist {
 		return nil
 	}
 	return item.(*net.UDPConn)
 }
 func (t *Table) AddLocalConn(lAddr, rAddr string, conn *net.UDPConn) bool {
 	entry, exist := t.getEntry(lAddr)
 	if !exist {
 		return false
 	}
 	entry.LocalUDPConnMap.Store(rAddr, conn)
 	return true
 }
 func (t *Table) RangeLocalConn(lAddr string, f func(key, value any) bool) {
 	entry, exist := t.getEntry(lAddr)
 	if !exist {
 		return
 	}
 	entry.LocalUDPConnMap.Range(f)
 }
 func (t *Table) GetOrCreateLockForLocalConn(lAddr, key string) (*sync.Cond, bool) {
 	entry, loaded := t.getEntry(lAddr)
 	if !loaded {
 		return nil, false
 	}
 	item, loaded := entry.LocalUDPConnMap.LoadOrStore(key, sync.NewCond(&sync.Mutex{}))
 	return item.(*sync.Cond), loaded
 }
 func (t *Table) DeleteLocalConnMap(lAddr, key string) {
 	entry, loaded := t.getEntry(lAddr)
 	if !loaded {
 		return
 	}
 	entry.LocalUDPConnMap.Delete(key)
 }
 func (t *Table) getEntry(key string) (*Entry, bool) {
 	item, ok := t.mapping.Load(key)
 	// This should not happen usually since this function called after PacketConn created
 	if !ok {
 		return nil, false
 	}
 	entry, ok := item.(*Entry)
 	return entry, ok
 }
 // New return *Cache
 func New() *Table {
 	return &Table{}
--- a/component/process/find_process_mode.go
+++ b/component/process/find_process_mode.go
@ -0,0 +1,57 @@
 package process
 import (
 	"encoding/json"
 	"errors"
 	"strings"
 )
 const (
 	FindProcessAlways = "always"
 	FindProcessStrict = "strict"
 	FindProcessOff    = "off"
 )
 var (
 	validModes = map[string]struct{}{
 		FindProcessAlways: {},
 		FindProcessOff:    {},
 		FindProcessStrict: {},
 	}
 )
 type FindProcessMode string
 func (m FindProcessMode) Always() bool {
 	return m == FindProcessAlways
 }
 func (m FindProcessMode) Off() bool {
 	return m == FindProcessOff
 }
 func (m *FindProcessMode) UnmarshalYAML(unmarshal func(any) error) error {
 	var tp string
 	if err := unmarshal(&tp); err != nil {
 		return err
 	}
 	return m.Set(tp)
 }
 func (m *FindProcessMode) UnmarshalJSON(data []byte) error {
 	var tp string
 	if err := json.Unmarshal(data, &tp); err != nil {
 		return err
 	}
 	return m.Set(tp)
 }
 func (m *FindProcessMode) Set(value string) error {
 	mode := strings.ToLower(value)
 	_, exist := validModes[mode]
 	if !exist {
 		return errors.New("invalid find process mode")
 	}
 	*m = FindProcessMode(mode)
 	return nil
 }
--- a/component/process/process.go
+++ b/component/process/process.go
@ -16,14 +16,6 @@ const (
 	UDP = "udp"
 )
-func FindProcessName(network string, srcIP netip.Addr, srcPort int) (*uint32, string, error) {
+func FindProcessName(network string, srcIP netip.Addr, srcPort int) (uint32, string, error) {
 	return findProcessName(network, srcIP, srcPort)
 }
 func FindUid(network string, srcIP netip.Addr, srcPort int) (*uint32, error) {
 	_, uid, err := resolveSocketByNetlink(network, srcIP, srcPort)
 	if err != nil {
 		return nil, err
 	}
 	return &uid, nil
 }
--- a/component/process/process_darwin.go
+++ b/component/process/process_darwin.go
@ -33,11 +33,7 @@ var structSize = func() int {
 	}
 }()
-func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (uint32, uint32, error) {
+func findProcessName(network string, ip netip.Addr, port int) (uint32, string, error) {
 	return 0, 0, ErrPlatformNotSupport
 }
 func findProcessName(network string, ip netip.Addr, port int) (*uint32, string, error) {
 	var spath string
 	switch network {
 	case TCP:
@ -45,14 +41,14 @@ func findProcessName(network string, ip netip.Addr, port int) (*uint32, string,
 	case UDP:
 		spath = "net.inet.udp.pcblist_n"
 	default:
-		return nil, "", ErrInvalidNetwork
+		return 0, "", ErrInvalidNetwork
 	}
 	isIPv4 := ip.Is4()
 	value, err := syscall.Sysctl(spath)
 	if err != nil {
-		return nil, "", err
+		return 0, "", err
 	}
 	buf := []byte(value)
@ -96,7 +92,7 @@ func findProcessName(network string, ip netip.Addr, port int) (*uint32, string,
 			// xsocket_n.so_last_pid
 			pid := readNativeUint32(buf[so+68 : so+72])
 			pp, err := getExecPathFromPID(pid)
-			return nil, pp, err
+			return 0, pp, err
 		}
 		// udp packet connection may be not equal with srcIP
@ -106,10 +102,10 @@ func findProcessName(network string, ip netip.Addr, port int) (*uint32, string,
 	}
 	if network == UDP && fallbackUDPProcess != "" {
-		return nil, fallbackUDPProcess, nil
+		return 0, fallbackUDPProcess, nil
 	}
-	return nil, "", ErrNotFound
+	return 0, "", ErrNotFound
 }
 func getExecPathFromPID(pid uint32) (string, error) {
--- a/component/process/process_freebsd_amd64.go
+++ b/component/process/process_freebsd_amd64.go
@ -21,11 +21,7 @@ var (
 	once sync.Once
 )
-func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (uint32, uint32, error) {
+func findProcessName(network string, ip netip.Addr, srcPort int) (uint32, string, error) {
 	return 0, 0, ErrPlatformNotSupport
 }
 func findProcessName(network string, ip netip.Addr, srcPort int) (*uint32, string, error) {
 	once.Do(func() {
 		if err := initSearcher(); err != nil {
 			log.Errorln("Initialize PROCESS-NAME failed: %s", err.Error())
@ -35,7 +31,7 @@ func findProcessName(network string, ip netip.Addr, srcPort int) (*uint32, strin
 	})
 	if defaultSearcher == nil {
-		return nil, "", ErrPlatformNotSupport
+		return 0, "", ErrPlatformNotSupport
 	}
 	var spath string
@ -46,22 +42,22 @@ func findProcessName(network string, ip netip.Addr, srcPort int) (*uint32, strin
 	case UDP:
 		spath = "net.inet.udp.pcblist"
 	default:
-		return nil, "", ErrInvalidNetwork
+		return 0, "", ErrInvalidNetwork
 	}
 	value, err := syscall.Sysctl(spath)
 	if err != nil {
-		return nil, "", err
+		return 0, "", err
 	}
 	buf := []byte(value)
 	pid, err := defaultSearcher.Search(buf, ip, uint16(srcPort), isTCP)
 	if err != nil {
-		return nil, "", err
+		return 0, "", err
 	}
 	pp, err := getExecPathFromPID(pid)
-	return nil, pp, err
+	return 0, pp, err
 }
 func getExecPathFromPID(pid uint32) (string, error) {
--- a/component/process/process_linux.go
+++ b/component/process/process_linux.go
@ -59,14 +59,14 @@ type inetDiagResponse struct {
 	INode   uint32
 }
-func findProcessName(network string, ip netip.Addr, srcPort int) (*uint32, string, error) {
+func findProcessName(network string, ip netip.Addr, srcPort int) (uint32, string, error) {
-	inode, uid, err := resolveSocketByNetlink(network, ip, srcPort)
+	uid, inode, err := resolveSocketByNetlink(network, ip, srcPort)
 	if err != nil {
-		return nil, "", err
+		return 0, "", err
 	}
 	pp, err := resolveProcessNameByProcSearch(inode, uid)
-	return &uid, pp, err
+	return uid, pp, err
 }
 func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (uint32, uint32, error) {
@ -119,7 +119,7 @@ func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (uint32,
 		response := (*inetDiagResponse)(unsafe.Pointer(&msg.Data[0]))
-		return response.INode, response.UID, nil
+		return response.UID, response.INode, nil
 	}
 	return 0, 0, ErrNotFound
--- a/component/process/process_other.go
+++ b/component/process/process_other.go
@ -4,8 +4,8 @@ package process
 import "net/netip"
-func findProcessName(network string, ip netip.Addr, srcPort int) (*uint32, string, error) {
+func findProcessName(network string, ip netip.Addr, srcPort int) (uint32, string, error) {
-	return nil, "", ErrPlatformNotSupport
+	return 0, "", ErrPlatformNotSupport
 }
 func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (uint32, uint32, error) {
--- a/component/process/process_windows.go
+++ b/component/process/process_windows.go
@ -62,7 +62,7 @@ func initWin32API() error {
 	return nil
 }
-func findProcessName(network string, ip netip.Addr, srcPort int) (*uint32, string, error) {
+func findProcessName(network string, ip netip.Addr, srcPort int) (uint32, string, error) {
 	once.Do(func() {
 		err := initWin32API()
 		if err != nil {
@ -86,22 +86,22 @@ func findProcessName(network string, ip netip.Addr, srcPort int) (*uint32, strin
 		fn = getExUDPTable
 		class = udpTablePid
 	default:
-		return nil, "", ErrInvalidNetwork
+		return 0, "", ErrInvalidNetwork
 	}
 	buf, err := getTransportTable(fn, family, class)
 	if err != nil {
-		return nil, "", err
+		return 0, "", err
 	}
 	s := newSearcher(family == windows.AF_INET, network == TCP)
 	pid, err := s.Search(buf, ip, uint16(srcPort))
 	if err != nil {
-		return nil, "", err
+		return 0, "", err
 	}
 	pp, err := getExecPathFromPID(pid)
-	return nil, pp, err
+	return 0, pp, err
 }
 type searcher struct {
--- a/component/resolver/resolver.go
+++ b/component/resolver/resolver.go
@ -11,6 +11,8 @@ import (
 	"time"
 	"github.com/Dreamacro/clash/component/trie"
 	"github.com/miekg/dns"
 )
 var (
@ -44,6 +46,7 @@ type Resolver interface {
 	ResolveIP(ctx context.Context, host string) (ip netip.Addr, err error)
 	ResolveIPv4(ctx context.Context, host string) (ip netip.Addr, err error)
 	ResolveIPv6(ctx context.Context, host string) (ip netip.Addr, err error)
 	ExchangeContext(ctx context.Context, m *dns.Msg) (msg *dns.Msg, err error)
 }
 // LookupIPv4WithResolver same as LookupIPv4, but with a resolver
--- a/component/resource/fetcher.go
+++ b/component/resource/fetcher.go
@ -57,7 +57,7 @@ func (f *Fetcher[V]) Initial() (V, error) {
 		f.UpdatedAt = &modTime
 		isLocal = true
 		if f.interval != 0 && modTime.Add(f.interval).Before(time.Now()) {
-			log.Infoln("[Provider] %s not updated for a long time, force refresh", f.Name())
+			log.Warnln("[Provider] %s not updated for a long time, force refresh", f.Name())
 			forceUpdate = true
 		}
 	} else {
@ -162,7 +162,7 @@ func (f *Fetcher[V]) pullLoop() {
 		case <-f.ticker.C:
 			elm, same, err := f.Update()
 			if err != nil {
-				log.Warnln("[Provider] %s pull error: %s", f.Name(), err.Error())
+				log.Errorln("[Provider] %s pull error: %s", f.Name(), err.Error())
 				continue
 			}
--- a/component/sniffer/base_sniffer.go
+++ b/component/sniffer/base_sniffer.go
@ -0,0 +1,53 @@
 package sniffer
 import (
 	"errors"
 	"github.com/Dreamacro/clash/common/utils"
 	"github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/sniffer"
 )
 type SnifferConfig struct {
 	OverrideDest bool
 	Ports        []utils.Range[uint16]
 }
 type BaseSniffer struct {
 	ports              []utils.Range[uint16]
 	supportNetworkType constant.NetWork
 }
 // Protocol implements sniffer.Sniffer
 func (*BaseSniffer) Protocol() string {
 	return "unknown"
 }
 // SniffTCP implements sniffer.Sniffer
 func (*BaseSniffer) SniffTCP(bytes []byte) (string, error) {
 	return "", errors.New("TODO")
 }
 // SupportNetwork implements sniffer.Sniffer
 func (bs *BaseSniffer) SupportNetwork() constant.NetWork {
 	return bs.supportNetworkType
 }
 // SupportPort implements sniffer.Sniffer
 func (bs *BaseSniffer) SupportPort(port uint16) bool {
 	for _, portRange := range bs.ports {
 		if portRange.Contains(port) {
 			return true
 		}
 	}
 	return false
 }
 func NewBaseSniffer(ports []utils.Range[uint16], networkType constant.NetWork) *BaseSniffer {
 	return &BaseSniffer{
 		ports:              ports,
 		supportNetworkType: networkType,
 	}
 }
 var _ sniffer.Sniffer = (*BaseSniffer)(nil)
--- a/component/sniffer/dispatcher.go
+++ b/component/sniffer/dispatcher.go
@ -11,7 +11,6 @@ import (
 	"github.com/Dreamacro/clash/common/cache"
 	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/common/utils"
 	"github.com/Dreamacro/clash/component/trie"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/sniffer"
@ -27,26 +26,17 @@ var (
 var Dispatcher *SnifferDispatcher
 type SnifferDispatcher struct {
-	enable bool
+	enable          bool
-
+	sniffers        map[sniffer.Sniffer]SnifferConfig
-	sniffers []sniffer.Sniffer
+	forceDomain     *trie.DomainTrie[struct{}]
-
+	skipSNI         *trie.DomainTrie[struct{}]
-	forceDomain *trie.DomainTrie[struct{}]
+	skipList        *cache.LruCache[string, uint8]
-	skipSNI     *trie.DomainTrie[struct{}]
+	rwMux           sync.RWMutex
 	portRanges  *[]utils.Range[uint16]
 	skipList    *cache.LruCache[string, uint8]
 	rwMux       sync.RWMutex
 	forceDnsMapping bool
 	parsePureIp     bool
 }
-func (sd *SnifferDispatcher) TCPSniff(conn net.Conn, metadata *C.Metadata) {
+func (sd *SnifferDispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata) {
 	bufConn, ok := conn.(*N.BufferedConn)
 	if !ok {
 		return
 	}
 	if (metadata.Host == "" && sd.parsePureIp) || sd.forceDomain.Search(metadata.Host) != nil || (metadata.DNSMode == C.DNSMapping && sd.forceDnsMapping) {
 		port, err := strconv.ParseUint(metadata.DstPort, 10, 16)
 		if err != nil {
@ -55,10 +45,14 @@ func (sd *SnifferDispatcher) TCPSniff(conn net.Conn, metadata *C.Metadata) {
 		}
 		inWhitelist := false
-		for _, portRange := range *sd.portRanges {
+		overrideDest := false
-			if portRange.Contains(uint16(port)) {
+		for sniffer, config := range sd.sniffers {
-				inWhitelist = true
+			if sniffer.SupportNetwork() == C.TCP || sniffer.SupportNetwork() == C.ALLNet {
-				break
+				inWhitelist = sniffer.SupportPort(uint16(port))
 				if inWhitelist {
 					overrideDest = config.OverrideDest
 					break
 				}
 			}
 		}
@ -75,7 +69,7 @@ func (sd *SnifferDispatcher) TCPSniff(conn net.Conn, metadata *C.Metadata) {
 		}
 		sd.rwMux.RUnlock()
-		if host, err := sd.sniffDomain(bufConn, metadata); err != nil {
+		if host, err := sd.sniffDomain(conn, metadata); err != nil {
 			sd.cacheSniffFailed(metadata)
 			log.Debugln("[Sniffer] All sniffing sniff failed with from [%s:%s] to [%s:%s]", metadata.SrcIP, metadata.SrcPort, metadata.String(), metadata.DstPort)
 			return
@ -89,31 +83,21 @@ func (sd *SnifferDispatcher) TCPSniff(conn net.Conn, metadata *C.Metadata) {
 			sd.skipList.Delete(dst)
 			sd.rwMux.RUnlock()
-			sd.replaceDomain(metadata, host)
+			sd.replaceDomain(metadata, host, overrideDest)
 		}
 	}
 }
-func (sd *SnifferDispatcher) replaceDomain(metadata *C.Metadata, host string) {
+func (sd *SnifferDispatcher) replaceDomain(metadata *C.Metadata, host string, overrideDest bool) {
-	dstIP := ""
+	metadata.SniffHost = host
-	if metadata.DstIP.IsValid() {
+	if overrideDest {
-		dstIP = metadata.DstIP.String()
+		metadata.Host = host
 	}
 	originHost := metadata.Host
 	if originHost != host {
 		log.Infoln("[Sniffer] Sniff TCP [%s:%s]-->[%s:%s] success, replace domain [%s]-->[%s]",
 			metadata.SrcIP, metadata.SrcPort,
 			dstIP, metadata.DstPort,
 			metadata.Host, host)
 	} else {
 		log.Debugln("[Sniffer] Sniff TCP [%s:%s]-->[%s:%s] success, replace domain [%s]-->[%s]",
 			metadata.SrcIP, metadata.SrcPort,
 			dstIP, metadata.DstPort,
 			metadata.Host, host)
 	}
 	metadata.Host = host
 	metadata.DNSMode = C.DNSNormal
 	log.Debugln("[Sniffer] Sniff TCP [%s]-->[%s] success, replace domain [%s]-->[%s]",
 		metadata.SourceDetail(),
 		metadata.RemoteAddress(),
 		metadata.Host, host)
 }
 func (sd *SnifferDispatcher) Enable() bool {
@ -121,7 +105,7 @@ func (sd *SnifferDispatcher) Enable() bool {
 }
 func (sd *SnifferDispatcher) sniffDomain(conn *N.BufferedConn, metadata *C.Metadata) (string, error) {
-	for _, s := range sd.sniffers {
+	for s := range sd.sniffers {
 		if s.SupportNetwork() == C.TCP {
 			_ = conn.SetReadDeadline(time.Now().Add(1 * time.Second))
 			_, err := conn.Peek(1)
@ -182,38 +166,37 @@ func NewCloseSnifferDispatcher() (*SnifferDispatcher, error) {
 	return &dispatcher, nil
 }
-func NewSnifferDispatcher(needSniffer []sniffer.Type, forceDomain *trie.DomainTrie[struct{}],
+func NewSnifferDispatcher(snifferConfig map[sniffer.Type]SnifferConfig, forceDomain *trie.DomainTrie[struct{}],
-	skipSNI *trie.DomainTrie[struct{}], ports *[]utils.Range[uint16],
+	skipSNI *trie.DomainTrie[struct{}],
 	forceDnsMapping bool, parsePureIp bool) (*SnifferDispatcher, error) {
 	dispatcher := SnifferDispatcher{
 		enable:          true,
 		forceDomain:     forceDomain,
 		skipSNI:         skipSNI,
-		portRanges:      ports,
+		skipList:        cache.New(cache.WithSize[string, uint8](128), cache.WithAge[string, uint8](600)),
 		skipList:        cache.New[string, uint8](cache.WithSize[string, uint8](128), cache.WithAge[string, uint8](600)),
 		forceDnsMapping: forceDnsMapping,
 		parsePureIp:     parsePureIp,
 		sniffers:        make(map[sniffer.Sniffer]SnifferConfig, 0),
 	}
-	for _, snifferName := range needSniffer {
+	for snifferName, config := range snifferConfig {
-		s, err := NewSniffer(snifferName)
+		s, err := NewSniffer(snifferName, config)
 		if err != nil {
 			log.Errorln("Sniffer name[%s] is error", snifferName)
 			return &SnifferDispatcher{enable: false}, err
 		}
-
+		dispatcher.sniffers[s] = config
 		dispatcher.sniffers = append(dispatcher.sniffers, s)
 	}
 	return &dispatcher, nil
 }
-func NewSniffer(name sniffer.Type) (sniffer.Sniffer, error) {
+func NewSniffer(name sniffer.Type, snifferConfig SnifferConfig) (sniffer.Sniffer, error) {
 	switch name {
 	case sniffer.TLS:
-		return &TLSSniffer{}, nil
+		return NewTLSSniffer(snifferConfig)
 	case sniffer.HTTP:
-		return &HTTPSniffer{}, nil
+		return NewHTTPSniffer(snifferConfig)
 	default:
 		return nil, ErrorUnsupportedSniffer
 	}
--- a/component/sniffer/http_sniffer.go
+++ b/component/sniffer/http_sniffer.go
@ -7,7 +7,9 @@ import (
 	"net"
 	"strings"
 	"github.com/Dreamacro/clash/common/utils"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/sniffer"
 )
 var (
@ -24,10 +26,25 @@ const (
 )
 type HTTPSniffer struct {
 	*BaseSniffer
 	version version
 	host    string
 }
 var _ sniffer.Sniffer = (*HTTPSniffer)(nil)
 func NewHTTPSniffer(snifferConfig SnifferConfig) (*HTTPSniffer, error) {
 	ports := make([]utils.Range[uint16], 0)
 	if len(snifferConfig.Ports) == 0 {
 		ports = append(ports, *utils.NewRange[uint16](80, 80))
 	} else {
 		ports = append(ports, snifferConfig.Ports...)
 	}
 	return &HTTPSniffer{
 		BaseSniffer: NewBaseSniffer(ports, C.TCP),
 	}, nil
 }
 func (http *HTTPSniffer) Protocol() string {
 	switch http.version {
 	case HTTP1:
--- a/component/sniffer/tls_sniffer.go
+++ b/component/sniffer/tls_sniffer.go
@ -5,7 +5,9 @@ import (
 	"errors"
 	"strings"
 	"github.com/Dreamacro/clash/common/utils"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/sniffer"
 )
 var (
@ -13,7 +15,22 @@ var (
 	errNotClientHello = errors.New("not client hello")
 )
 var _ sniffer.Sniffer = (*TLSSniffer)(nil)
 type TLSSniffer struct {
 	*BaseSniffer
 }
 func NewTLSSniffer(snifferConfig SnifferConfig) (*TLSSniffer, error) {
 	ports := make([]utils.Range[uint16], 0)
 	if len(snifferConfig.Ports) == 0 {
 		ports = append(ports, *utils.NewRange[uint16](443, 443))
 	} else {
 		ports = append(ports, snifferConfig.Ports...)
 	}
 	return &TLSSniffer{
 		BaseSniffer: NewBaseSniffer(ports, C.TCP),
 	}, nil
 }
 func (tls *TLSSniffer) Protocol() string {
--- a/component/tls/config.go
+++ b/component/tls/config.go
@ -6,75 +6,70 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/hex"
 	"errors"
 	"fmt"
-	xtls "github.com/xtls/go"
+	"strings"
 	"sync"
-	"time"
+
 	CN "github.com/Dreamacro/clash/common/net"
 	xtls "github.com/xtls/go"
 )
-var globalFingerprints = make([][32]byte, 0, 0)
+var tlsCertificates = make([]tls.Certificate, 0)
 var mutex sync.Mutex
-func verifyPeerCertificateAndFingerprints(fingerprints *[][32]byte, insecureSkipVerify bool) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+var mutex sync.RWMutex
 var errNotMacth error = errors.New("certificate fingerprints do not match")
 func AddCertificate(privateKey, certificate string) error {
 	mutex.Lock()
 	defer mutex.Unlock()
 	if cert, err := CN.ParseCert(certificate, privateKey); err != nil {
 		return err
 	} else {
 		tlsCertificates = append(tlsCertificates, cert)
 	}
 	return nil
 }
 func GetCertificates() []tls.Certificate {
 	mutex.RLock()
 	defer mutex.RUnlock()
 	return tlsCertificates
 }
 func verifyFingerprint(fingerprint *[32]byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
 	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-		if insecureSkipVerify {
+		// ssl pining
 			return nil
 		}
 		var preErr error
 		for i := range rawCerts {
 			rawCert := rawCerts[i]
 			cert, err := x509.ParseCertificate(rawCert)
 			if err == nil {
-				opts := x509.VerifyOptions{
+				hash := sha256.Sum256(cert.Raw)
-					CurrentTime: time.Now(),
+				if bytes.Equal(fingerprint[:], hash[:]) {
 				}
 				if _, err := cert.Verify(opts); err == nil {
 					return nil
 				} else {
 					fingerprint := sha256.Sum256(cert.Raw)
 					for _, fp := range *fingerprints {
 						if bytes.Equal(fingerprint[:], fp[:]) {
 							return nil
 						}
 					}
 					preErr = err
 				}
 			}
 		}
-
+		return errNotMacth
 		return preErr
 	}
 }
 func AddCertFingerprint(fingerprint string) error {
 	fpByte, err2 := convertFingerprint(fingerprint)
 	if err2 != nil {
 		return err2
 	}
 	mutex.Lock()
 	globalFingerprints = append(globalFingerprints, *fpByte)
 	mutex.Unlock()
 	return nil
 }
 func convertFingerprint(fingerprint string) (*[32]byte, error) {
 	fingerprint = strings.TrimSpace(strings.Replace(fingerprint, ":", "", -1))
 	fpByte, err := hex.DecodeString(fingerprint)
 	if err != nil {
 		return nil, err
 	}
 	if len(fpByte) != 32 {
-		return nil, fmt.Errorf("fingerprint string length error,need sha25 fingerprint")
+		return nil, fmt.Errorf("fingerprint string length error,need sha256 fingerprint")
 	}
 	return (*[32]byte)(fpByte), nil
 }
 func GetDefaultTLSConfig() *tls.Config {
-	return GetGlobalFingerprintTLCConfig(nil)
+	return GetGlobalTLSConfig(nil)
 }
 // GetSpecifiedFingerprintTLSConfig specified fingerprint
@ -82,29 +77,20 @@ func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string)
 	if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {
 		return nil, err
 	} else {
-		if tlsConfig == nil {
+		tlsConfig = GetGlobalTLSConfig(tlsConfig)
-			return &tls.Config{
+		tlsConfig.VerifyPeerCertificate = verifyFingerprint(fingerprintBytes)
-				InsecureSkipVerify:    true,
+		tlsConfig.InsecureSkipVerify = true
-				VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&[][32]byte{*fingerprintBytes}, false),
+		return tlsConfig, nil
 			}, nil
 		} else {
 			tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&[][32]byte{*fingerprintBytes}, tlsConfig.InsecureSkipVerify)
 			tlsConfig.InsecureSkipVerify = true
 			return tlsConfig, nil
 		}
 	}
 }
-func GetGlobalFingerprintTLCConfig(tlsConfig *tls.Config) *tls.Config {
+func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config {
 	if tlsConfig == nil {
 		return &tls.Config{
-			InsecureSkipVerify:    true,
+			Certificates: tlsCertificates,
 			VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&globalFingerprints, false),
 		}
 	}
-
+	tlsConfig.Certificates = append(tlsConfig.Certificates, tlsCertificates...)
 	tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&globalFingerprints, tlsConfig.InsecureSkipVerify)
 	tlsConfig.InsecureSkipVerify = true
 	return tlsConfig
 }
@ -113,28 +99,37 @@ func GetSpecifiedFingerprintXTLSConfig(tlsConfig *xtls.Config, fingerprint strin
 	if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {
 		return nil, err
 	} else {
-		if tlsConfig == nil {
+		tlsConfig = GetGlobalXTLSConfig(tlsConfig)
-			return &xtls.Config{
+		tlsConfig.VerifyPeerCertificate = verifyFingerprint(fingerprintBytes)
-				InsecureSkipVerify:    true,
+		tlsConfig.InsecureSkipVerify = true
-				VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&[][32]byte{*fingerprintBytes}, false),
+		return tlsConfig, nil
 			}, nil
 		} else {
 			tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&[][32]byte{*fingerprintBytes}, tlsConfig.InsecureSkipVerify)
 			tlsConfig.InsecureSkipVerify = true
 			return tlsConfig, nil
 		}
 	}
 }
-func GetGlobalFingerprintXTLCConfig(tlsConfig *xtls.Config) *xtls.Config {
+func GetGlobalXTLSConfig(tlsConfig *xtls.Config) *xtls.Config {
 	xtlsCerts := make([]xtls.Certificate, len(tlsCertificates))
 	for _, cert := range tlsCertificates {
 		tlsSsaList := make([]xtls.SignatureScheme, len(cert.SupportedSignatureAlgorithms))
 		for _, ssa := range cert.SupportedSignatureAlgorithms {
 			tlsSsa := xtls.SignatureScheme(ssa)
 			tlsSsaList = append(tlsSsaList, tlsSsa)
 		}
 		xtlsCert := xtls.Certificate{
 			Certificate:                  cert.Certificate,
 			PrivateKey:                   cert.PrivateKey,
 			OCSPStaple:                   cert.OCSPStaple,
 			SignedCertificateTimestamps:  cert.SignedCertificateTimestamps,
 			Leaf:                         cert.Leaf,
 			SupportedSignatureAlgorithms: tlsSsaList,
 		}
 		xtlsCerts = append(xtlsCerts, xtlsCert)
 	}
 	if tlsConfig == nil {
 		return &xtls.Config{
-			InsecureSkipVerify:    true,
+			Certificates: xtlsCerts,
 			VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&globalFingerprints, false),
 		}
 	}
-	tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&globalFingerprints, tlsConfig.InsecureSkipVerify)
+	tlsConfig.Certificates = xtlsCerts
 	tlsConfig.InsecureSkipVerify = true
 	return tlsConfig
 }
--- a/component/tls/utls.go
+++ b/component/tls/utls.go
@ -0,0 +1,123 @@
 package tls
 import (
 	"crypto/tls"
 	"net"
 	"github.com/Dreamacro/clash/log"
 	"github.com/mroth/weightedrand/v2"
 	utls "github.com/sagernet/utls"
 )
 type UConn struct {
 	*utls.UConn
 }
 type UClientHelloID struct {
 	*utls.ClientHelloID
 }
 var initRandomFingerprint UClientHelloID
 var initUtlsClient string
 func UClient(c net.Conn, config *tls.Config, fingerprint UClientHelloID) net.Conn {
 	utlsConn := utls.UClient(c, copyConfig(config), utls.ClientHelloID{
 		Client:  fingerprint.Client,
 		Version: fingerprint.Version,
 		Seed:    fingerprint.Seed,
 	})
 	return &UConn{UConn: utlsConn}
 }
 func GetFingerprint(ClientFingerprint string) (UClientHelloID, bool) {
 	if ClientFingerprint == "none" {
 		return UClientHelloID{}, false
 	}
 	if initRandomFingerprint.ClientHelloID == nil {
 		initRandomFingerprint, _ = RollFingerprint()
 	}
 	if ClientFingerprint == "random" {
 		log.Debugln("use initial random HelloID:%s", initRandomFingerprint.Client)
 		return initRandomFingerprint, true
 	}
 	fingerprint, ok := Fingerprints[ClientFingerprint]
 	log.Debugln("use specified fingerprint:%s", fingerprint.Client)
 	return fingerprint, ok
 }
 func RollFingerprint() (UClientHelloID, bool) {
 	chooser, _ := weightedrand.NewChooser(
 		weightedrand.NewChoice("chrome", 6),
 		weightedrand.NewChoice("safari", 3),
 		weightedrand.NewChoice("ios", 2),
 		weightedrand.NewChoice("firefox", 1),
 	)
 	initClient := chooser.Pick()
 	log.Debugln("initial random HelloID:%s", initClient)
 	fingerprint, ok := Fingerprints[initClient]
 	return fingerprint, ok
 }
 var Fingerprints = map[string]UClientHelloID{
 	"chrome":     {&utls.HelloChrome_Auto},
 	"firefox":    {&utls.HelloFirefox_Auto},
 	"safari":     {&utls.HelloSafari_Auto},
 	"ios":        {&utls.HelloIOS_Auto},
 	"randomized": {&utls.HelloRandomized},
 }
 func copyConfig(c *tls.Config) *utls.Config {
 	return &utls.Config{
 		RootCAs:               c.RootCAs,
 		ServerName:            c.ServerName,
 		InsecureSkipVerify:    c.InsecureSkipVerify,
 		VerifyPeerCertificate: c.VerifyPeerCertificate,
 	}
 }
 // WebsocketHandshake basically calls UConn.Handshake inside it but it will only send
 // http/1.1 in its ALPN.
 // Copy from https://github.com/XTLS/Xray-core/blob/main/transport/internet/tls/tls.go
 func (c *UConn) WebsocketHandshake() error {
 	// Build the handshake state. This will apply every variable of the TLS of the
 	// fingerprint in the UConn
 	if err := c.BuildHandshakeState(); err != nil {
 		return err
 	}
 	// Iterate over extensions and check for utls.ALPNExtension
 	hasALPNExtension := false
 	for _, extension := range c.Extensions {
 		if alpn, ok := extension.(*utls.ALPNExtension); ok {
 			hasALPNExtension = true
 			alpn.AlpnProtocols = []string{"http/1.1"}
 			break
 		}
 	}
 	if !hasALPNExtension { // Append extension if doesn't exists
 		c.Extensions = append(c.Extensions, &utls.ALPNExtension{AlpnProtocols: []string{"http/1.1"}})
 	}
 	// Rebuild the client hello and do the handshake
 	if err := c.BuildHandshakeState(); err != nil {
 		return err
 	}
 	return c.Handshake()
 }
 func SetGlobalUtlsClient(Client string) {
 	initUtlsClient = Client
 }
 func HaveGlobalFingerprint() bool {
 	if len(initUtlsClient) != 0 && initUtlsClient != "none" {
 		return true
 	}
 	return false
 }
 func GetGlobalFingerprint() string {
 	return initUtlsClient
 }
--- a/config/config.go
+++ b/config/config.go
@ -4,10 +4,12 @@ import (
 	"container/list"
 	"errors"
 	"fmt"
 	"net"
 	"net/netip"
 	"net/url"
 	"os"
 	"reflect"
 	"runtime"
 	"strconv"
 	"strings"
@ -23,6 +25,9 @@ import (
 	"github.com/Dreamacro/clash/component/fakeip"
 	"github.com/Dreamacro/clash/component/geodata"
 	"github.com/Dreamacro/clash/component/geodata/router"
 	P "github.com/Dreamacro/clash/component/process"
 	SNIFF "github.com/Dreamacro/clash/component/sniffer"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	"github.com/Dreamacro/clash/component/trie"
 	C "github.com/Dreamacro/clash/constant"
 	providerTypes "github.com/Dreamacro/clash/constant/provider"
@ -42,18 +47,19 @@ import (
 type General struct {
 	Inbound
 	Controller
-	Mode          T.TunnelMode `json:"mode"`
+	Mode                    T.TunnelMode `json:"mode"`
-	UnifiedDelay  bool
+	UnifiedDelay            bool
-	LogLevel      log.LogLevel `json:"log-level"`
+	LogLevel                log.LogLevel      `json:"log-level"`
-	IPv6          bool         `json:"ipv6"`
+	IPv6                    bool              `json:"ipv6"`
-	Interface     string       `json:"interface-name"`
+	Interface               string            `json:"interface-name"`
-	RoutingMark   int          `json:"-"`
+	RoutingMark             int               `json:"-"`
-	GeodataMode   bool         `json:"geodata-mode"`
+	GeodataMode             bool              `json:"geodata-mode"`
-	GeodataLoader string       `json:"geodata-loader"`
+	GeodataLoader           string            `json:"geodata-loader"`
-	TCPConcurrent bool         `json:"tcp-concurrent"`
+	TCPConcurrent           bool              `json:"tcp-concurrent"`
-	EnableProcess bool         `json:"enable-process"`
+	FindProcessMode         P.FindProcessMode `json:"find-process-mode"`
-	Sniffing      bool         `json:"sniffing"`
+	Sniffing                bool              `json:"sniffing"`
-	EBpf          EBpf         `json:"-"`
+	EBpf                    EBpf              `json:"-"`
 	GlobalClientFingerprint string            `json:"global-client-fingerprint"`
 }
 // Inbound config
@ -94,7 +100,7 @@ type DNS struct {
 	DefaultNameserver     []dns.NameServer `yaml:"default-nameserver"`
 	FakeIPRange           *fakeip.Pool
 	Hosts                 *trie.DomainTrie[netip.Addr]
-	NameServerPolicy      map[string]dns.NameServer
+	NameServerPolicy      map[string][]dns.NameServer
 	ProxyServerNameserver []dns.NameServer
 }
@ -114,6 +120,11 @@ type Profile struct {
 }
 type TLS struct {
 	RawCert         `yaml:",inline"`
 	CustomTrustCert []RawCert `yaml:"custom-certifactes"`
 }
 type RawCert struct {
 	Certificate string `yaml:"certificate"`
 	PrivateKey  string `yaml:"private-key"`
 }
@ -127,11 +138,10 @@ type IPTables struct {
 type Sniffer struct {
 	Enable          bool
-	Sniffers        []snifferTypes.Type
+	Sniffers        map[snifferTypes.Type]SNIFF.SnifferConfig
 	Reverses        *trie.DomainTrie[struct{}]
 	ForceDomain     *trie.DomainTrie[struct{}]
 	SkipDomain      *trie.DomainTrie[struct{}]
 	Ports           *[]utils.Range[uint16]
 	ForceDnsMapping bool
 	ParsePureIp     bool
 }
@ -174,7 +184,7 @@ type RawDNS struct {
 	FakeIPRange           string            `yaml:"fake-ip-range"`
 	FakeIPFilter          []string          `yaml:"fake-ip-filter"`
 	DefaultNameserver     []string          `yaml:"default-nameserver"`
-	NameServerPolicy      map[string]string `yaml:"nameserver-policy"`
+	NameServerPolicy      map[string]any    `yaml:"nameserver-policy"`
 	ProxyServerNameserver []string          `yaml:"proxy-server-nameserver"`
 }
@ -226,32 +236,33 @@ type RawTuicServer struct {
 }
 type RawConfig struct {
-	Port                  int          `yaml:"port"`
+	Port                    int               `yaml:"port"`
-	SocksPort             int          `yaml:"socks-port"`
+	SocksPort               int               `yaml:"socks-port"`
-	RedirPort             int          `yaml:"redir-port"`
+	RedirPort               int               `yaml:"redir-port"`
-	TProxyPort            int          `yaml:"tproxy-port"`
+	TProxyPort              int               `yaml:"tproxy-port"`
-	MixedPort             int          `yaml:"mixed-port"`
+	MixedPort               int               `yaml:"mixed-port"`
-	ShadowSocksConfig     string       `yaml:"ss-config"`
+	ShadowSocksConfig       string            `yaml:"ss-config"`
-	VmessConfig           string       `yaml:"vmess-config"`
+	VmessConfig             string            `yaml:"vmess-config"`
-	InboundTfo            bool         `yaml:"inbound-tfo"`
+	InboundTfo              bool              `yaml:"inbound-tfo"`
-	Authentication        []string     `yaml:"authentication"`
+	Authentication          []string          `yaml:"authentication"`
-	AllowLan              bool         `yaml:"allow-lan"`
+	AllowLan                bool              `yaml:"allow-lan"`
-	BindAddress           string       `yaml:"bind-address"`
+	BindAddress             string            `yaml:"bind-address"`
-	Mode                  T.TunnelMode `yaml:"mode"`
+	Mode                    T.TunnelMode      `yaml:"mode"`
-	UnifiedDelay          bool         `yaml:"unified-delay"`
+	UnifiedDelay            bool              `yaml:"unified-delay"`
-	LogLevel              log.LogLevel `yaml:"log-level"`
+	LogLevel                log.LogLevel      `yaml:"log-level"`
-	IPv6                  bool         `yaml:"ipv6"`
+	IPv6                    bool              `yaml:"ipv6"`
-	ExternalController    string       `yaml:"external-controller"`
+	ExternalController      string            `yaml:"external-controller"`
-	ExternalControllerTLS string       `yaml:"external-controller-tls"`
+	ExternalControllerTLS   string            `yaml:"external-controller-tls"`
-	ExternalUI            string       `yaml:"external-ui"`
+	ExternalUI              string            `yaml:"external-ui"`
-	Secret                string       `yaml:"secret"`
+	Secret                  string            `yaml:"secret"`
-	Interface             string       `yaml:"interface-name"`
+	Interface               string            `yaml:"interface-name"`
-	RoutingMark           int          `yaml:"routing-mark"`
+	RoutingMark             int               `yaml:"routing-mark"`
-	Tunnels               []LC.Tunnel  `yaml:"tunnels"`
+	Tunnels                 []LC.Tunnel       `yaml:"tunnels"`
-	GeodataMode           bool         `yaml:"geodata-mode"`
+	GeodataMode             bool              `yaml:"geodata-mode"`
-	GeodataLoader         string       `yaml:"geodata-loader"`
+	GeodataLoader           string            `yaml:"geodata-loader"`
-	TCPConcurrent         bool         `yaml:"tcp-concurrent" json:"tcp-concurrent"`
+	TCPConcurrent           bool              `yaml:"tcp-concurrent" json:"tcp-concurrent"`
-	EnableProcess         bool         `yaml:"enable-process" json:"enable-process"`
+	FindProcessMode         P.FindProcessMode `yaml:"find-process-mode" json:"find-process-mode"`
 	GlobalClientFingerprint string            `yaml:"global-client-fingerprint"`
 	Sniffer       RawSniffer                `yaml:"sniffer"`
 	ProxyProvider map[string]map[string]any `yaml:"proxy-providers"`
@ -280,13 +291,20 @@ type RawGeoXUrl struct {
 }
 type RawSniffer struct {
-	Enable          bool     `yaml:"enable" json:"enable"`
+	Enable          bool                         `yaml:"enable" json:"enable"`
-	Sniffing        []string `yaml:"sniffing" json:"sniffing"`
+	OverrideDest    bool                         `yaml:"override-destination" json:"override-destination"`
-	ForceDomain     []string `yaml:"force-domain" json:"force-domain"`
+	Sniffing        []string                     `yaml:"sniffing" json:"sniffing"`
-	SkipDomain      []string `yaml:"skip-domain" json:"skip-domain"`
+	ForceDomain     []string                     `yaml:"force-domain" json:"force-domain"`
-	Ports           []string `yaml:"port-whitelist" json:"port-whitelist"`
+	SkipDomain      []string                     `yaml:"skip-domain" json:"skip-domain"`
-	ForceDnsMapping bool     `yaml:"force-dns-mapping" json:"force-dns-mapping"`
+	Ports           []string                     `yaml:"port-whitelist" json:"port-whitelist"`
-	ParsePureIp     bool     `yaml:"parse-pure-ip" json:"parse-pure-ip"`
+	ForceDnsMapping bool                         `yaml:"force-dns-mapping" json:"force-dns-mapping"`
 	ParsePureIp     bool                         `yaml:"parse-pure-ip" json:"parse-pure-ip"`
 	Sniff           map[string]RawSniffingConfig `yaml:"sniff" json:"sniff"`
 }
 type RawSniffingConfig struct {
 	Ports        []string `yaml:"ports" json:"ports"`
 	OverrideDest *bool    `yaml:"override-destination" json:"override-destination"`
 }
 // EBpf config
@ -314,21 +332,21 @@ func Parse(buf []byte) (*Config, error) {
 func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 	// config with default value
 	rawCfg := &RawConfig{
-		AllowLan:       false,
+		AllowLan:        false,
-		BindAddress:    "*",
+		BindAddress:     "*",
-		IPv6:           true,
+		IPv6:            true,
-		Mode:           T.Rule,
+		Mode:            T.Rule,
-		GeodataMode:    C.GeodataMode,
+		GeodataMode:     C.GeodataMode,
-		GeodataLoader:  "memconservative",
+		GeodataLoader:   "memconservative",
-		UnifiedDelay:   false,
+		UnifiedDelay:    false,
-		Authentication: []string{},
+		Authentication:  []string{},
-		LogLevel:       log.INFO,
+		LogLevel:        log.INFO,
-		Hosts:          map[string]string{},
+		Hosts:           map[string]string{},
-		Rule:           []string{},
+		Rule:            []string{},
-		Proxy:          []map[string]any{},
+		Proxy:           []map[string]any{},
-		ProxyGroup:     []map[string]any{},
+		ProxyGroup:      []map[string]any{},
-		TCPConcurrent:  false,
+		TCPConcurrent:   false,
-		EnableProcess:  false,
+		FindProcessMode: P.FindProcessStrict,
 		Tun: RawTun{
 			Enable:              false,
 			Device:              "",
@ -395,6 +413,7 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 			Ports:           []string{},
 			ForceDnsMapping: true,
 			ParsePureIp:     true,
 			OverrideDest:    true,
 		},
 		Profile: Profile{
 			StoreSelected: true,
@ -428,7 +447,6 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	}
 	config.General = general
 	dialer.DefaultInterface.Store(config.General.Interface)
 	proxies, providers, err := parseProxies(rawCfg)
 	if err != nil {
 		return nil, err
@ -503,6 +521,11 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	elapsedTime := time.Since(startTime) / time.Millisecond                     // duration in ms
 	log.Infoln("Initial configuration complete, total time: %dms", elapsedTime) //Segment finished in xxm
 	if len(config.General.GlobalClientFingerprint) != 0 {
 		log.Debugln("GlobalClientFingerprint:%s", config.General.GlobalClientFingerprint)
 		tlsC.SetGlobalUtlsClient(config.General.GlobalClientFingerprint)
 	}
 	return config, nil
 }
@ -536,17 +559,18 @@ func parseGeneral(cfg *RawConfig) (*General, error) {
 			Secret:                cfg.Secret,
 			ExternalControllerTLS: cfg.ExternalControllerTLS,
 		},
-		UnifiedDelay:  cfg.UnifiedDelay,
+		UnifiedDelay:            cfg.UnifiedDelay,
-		Mode:          cfg.Mode,
+		Mode:                    cfg.Mode,
-		LogLevel:      cfg.LogLevel,
+		LogLevel:                cfg.LogLevel,
-		IPv6:          cfg.IPv6,
+		IPv6:                    cfg.IPv6,
-		Interface:     cfg.Interface,
+		Interface:               cfg.Interface,
-		RoutingMark:   cfg.RoutingMark,
+		RoutingMark:             cfg.RoutingMark,
-		GeodataMode:   cfg.GeodataMode,
+		GeodataMode:             cfg.GeodataMode,
-		GeodataLoader: cfg.GeodataLoader,
+		GeodataLoader:           cfg.GeodataLoader,
-		TCPConcurrent: cfg.TCPConcurrent,
+		TCPConcurrent:           cfg.TCPConcurrent,
-		EnableProcess: cfg.EnableProcess,
+		FindProcessMode:         cfg.FindProcessMode,
-		EBpf:          cfg.EBpf,
+		EBpf:                    cfg.EBpf,
 		GlobalClientFingerprint: cfg.GlobalClientFingerprint,
 	}, nil
 }
@ -826,17 +850,15 @@ func parseHosts(cfg *RawConfig) (*trie.DomainTrie[netip.Addr], error) {
 }
 func hostWithDefaultPort(host string, defPort string) (string, error) {
 	if !strings.Contains(host, ":") {
 		host += ":"
 	}
 	hostname, port, err := net.SplitHostPort(host)
 	if err != nil {
-		return "", err
+		if !strings.Contains(err.Error(), "missing port in address") {
-	}
+			return "", err
-
+		}
-	if port == "" {
+		host = host + ":" + defPort
-		port = defPort
+		if hostname, port, err = net.SplitHostPort(host); err != nil {
 			return "", err
 		}
 	}
 	return net.JoinHostPort(hostname, port), nil
@ -846,10 +868,7 @@ func parseNameServer(servers []string, preferH3 bool) ([]dns.NameServer, error)
 	var nameservers []dns.NameServer
 	for idx, server := range servers {
-		// parse without scheme .e.g 8.8.8.8:53
+		server = parsePureDNSServer(server)
 		if !strings.Contains(server, "://") {
 			server = "udp://" + server
 		}
 		u, err := url.Parse(server)
 		if err != nil {
 			return nil, fmt.Errorf("DNS NameServer[%d] format error: %s", idx, err.Error())
@ -870,29 +889,24 @@ func parseNameServer(servers []string, preferH3 bool) ([]dns.NameServer, error)
 			addr, err = hostWithDefaultPort(u.Host, "853")
 			dnsNetType = "tcp-tls" // DNS over TLS
 		case "https":
-			host := u.Host
+			addr, err = hostWithDefaultPort(u.Host, "443")
-			proxyAdapter = ""
+			if err == nil {
-			if _, _, err := net.SplitHostPort(host); err != nil && strings.Contains(err.Error(), "missing port in address") {
+				proxyAdapter = ""
-				host = net.JoinHostPort(host, "443")
+				clearURL := url.URL{Scheme: "https", Host: addr, Path: u.Path}
-			} else {
+				addr = clearURL.String()
-				if err != nil {
+				dnsNetType = "https" // DNS over HTTPS
-					return nil, err
+				if len(u.Fragment) != 0 {
-				}
+					for _, s := range strings.Split(u.Fragment, "&") {
-			}
+						arr := strings.Split(s, "=")
-			clearURL := url.URL{Scheme: "https", Host: host, Path: u.Path}
+						if len(arr) == 0 {
-			addr = clearURL.String()
+							continue
-			dnsNetType = "https" // DNS over HTTPS
+						} else if len(arr) == 1 {
-			if len(u.Fragment) != 0 {
+							proxyAdapter = arr[0]
-				for _, s := range strings.Split(u.Fragment, "&") {
+						} else if len(arr) == 2 {
-					arr := strings.Split(s, "=")
+							params[arr[0]] = arr[1]
-					if len(arr) == 0 {
+						} else {
-						continue
+							params[arr[0]] = strings.Join(arr[1:], "=")
-					} else if len(arr) == 1 {
+						}
 						proxyAdapter = arr[0]
 					} else if len(arr) == 2 {
 						params[arr[0]] = arr[1]
 					} else {
 						params[arr[0]] = strings.Join(arr[1:], "=")
 					}
 				}
 			}
@ -925,18 +939,53 @@ func parseNameServer(servers []string, preferH3 bool) ([]dns.NameServer, error)
 	return nameservers, nil
 }
-func parseNameServerPolicy(nsPolicy map[string]string, preferH3 bool) (map[string]dns.NameServer, error) {
+func parsePureDNSServer(server string) string {
-	policy := map[string]dns.NameServer{}
+	addPre := func(server string) string {
 		return "udp://" + server
 	}
 	if ip, err := netip.ParseAddr(server); err != nil {
 		if strings.Contains(server, "://") {
 			return server
 		}
 		return addPre(server)
 	} else {
 		if ip.Is4() {
 			return addPre(server)
 		} else {
 			return addPre("[" + server + "]")
 		}
 	}
 }
 func parseNameServerPolicy(nsPolicy map[string]any, preferH3 bool) (map[string][]dns.NameServer, error) {
 	policy := map[string][]dns.NameServer{}
 	for domain, server := range nsPolicy {
-		nameservers, err := parseNameServer([]string{server}, preferH3)
+		var (
 			nameservers []dns.NameServer
 			err         error
 		)
 		switch reflect.TypeOf(server).Kind() {
 		case reflect.Slice, reflect.Array:
 			origin := reflect.ValueOf(server)
 			servers := make([]string, 0)
 			for i := 0; i < origin.Len(); i++ {
 				servers = append(servers, fmt.Sprintf("%v", origin.Index(i)))
 			}
 			nameservers, err = parseNameServer(servers, preferH3)
 		case reflect.String:
 			nameservers, err = parseNameServer([]string{fmt.Sprintf("%v", server)}, preferH3)
 		default:
 			return nil, errors.New("server format error, must be string or array")
 		}
 		if err != nil {
 			return nil, err
 		}
 		if _, valid := trie.ValidAndSplitDomain(domain); !valid {
 			return nil, fmt.Errorf("DNS ResoverRule invalid domain: %s", domain)
 		}
-		policy[domain] = nameservers[0]
+		policy[domain] = nameservers
 	}
 	return policy, nil
@ -962,6 +1011,7 @@ func parseFallbackGeoSite(countries []string, rules []C.Rule) ([]*router.DomainM
 		if err := geodata.InitGeoSite(); err != nil {
 			return nil, fmt.Errorf("can't initial GeoSite: %s", err)
 		}
 		log.Warnln("replace fallback-filter.geosite with nameserver-policy, it will be removed in the future")
 	}
 	for _, country := range countries {
@ -1180,55 +1230,60 @@ func parseSniffer(snifferRaw RawSniffer) (*Sniffer, error) {
 		ForceDnsMapping: snifferRaw.ForceDnsMapping,
 		ParsePureIp:     snifferRaw.ParsePureIp,
 	}
 	loadSniffer := make(map[snifferTypes.Type]SNIFF.SnifferConfig)
-	var ports []utils.Range[uint16]
+	if len(snifferRaw.Sniff) != 0 {
-	if len(snifferRaw.Ports) == 0 {
+		for sniffType, sniffConfig := range snifferRaw.Sniff {
-		ports = append(ports, *utils.NewRange[uint16](80, 80))
+			find := false
-		ports = append(ports, *utils.NewRange[uint16](443, 443))
+			ports, err := parsePortRange(sniffConfig.Ports)
 	} else {
 		for _, portRange := range snifferRaw.Ports {
 			portRaws := strings.Split(portRange, "-")
 			p, err := strconv.ParseUint(portRaws[0], 10, 16)
 			if err != nil {
-				return nil, fmt.Errorf("%s format error", portRange)
+				return nil, err
 			}
-
+			overrideDest := snifferRaw.OverrideDest
-			start := uint16(p)
+			if sniffConfig.OverrideDest != nil {
-			if len(portRaws) > 1 {
+				overrideDest = *sniffConfig.OverrideDest
-				p, err = strconv.ParseUint(portRaws[1], 10, 16)
+			}
-				if err != nil {
+			for _, snifferType := range snifferTypes.List {
-					return nil, fmt.Errorf("%s format error", portRange)
+				if snifferType.String() == strings.ToUpper(sniffType) {
 					find = true
 					loadSniffer[snifferType] = SNIFF.SnifferConfig{
 						Ports:        ports,
 						OverrideDest: overrideDest,
 					}
 				}
 			}
-				end := uint16(p)
+			if !find {
-				ports = append(ports, *utils.NewRange(start, end))
+				return nil, fmt.Errorf("not find the sniffer[%s]", sniffType)
-			} else {
+			}
-				ports = append(ports, *utils.NewRange(start, start))
+		}
 	} else {
 		// Deprecated: Use Sniff instead
 		log.Warnln("Deprecated: Use Sniff instead")
 		globalPorts, err := parsePortRange(snifferRaw.Ports)
 		if err != nil {
 			return nil, err
 		}
 		for _, snifferName := range snifferRaw.Sniffing {
 			find := false
 			for _, snifferType := range snifferTypes.List {
 				if snifferType.String() == strings.ToUpper(snifferName) {
 					find = true
 					loadSniffer[snifferType] = SNIFF.SnifferConfig{
 						Ports:        globalPorts,
 						OverrideDest: snifferRaw.OverrideDest,
 					}
 				}
 			}
 			if !find {
 				return nil, fmt.Errorf("not find the sniffer[%s]", snifferName)
 			}
 		}
 	}
-	sniffer.Ports = &ports
+	sniffer.Sniffers = loadSniffer
 	loadSniffer := make(map[snifferTypes.Type]struct{})
 	for _, snifferName := range snifferRaw.Sniffing {
 		find := false
 		for _, snifferType := range snifferTypes.List {
 			if snifferType.String() == strings.ToUpper(snifferName) {
 				find = true
 				loadSniffer[snifferType] = struct{}{}
 			}
 		}
 		if !find {
 			return nil, fmt.Errorf("not find the sniffer[%s]", snifferName)
 		}
 	}
 	for st := range loadSniffer {
 		sniffer.Sniffers = append(sniffer.Sniffers, st)
 	}
 	sniffer.ForceDomain = trie.New[struct{}]()
 	for _, domain := range snifferRaw.ForceDomain {
 		err := sniffer.ForceDomain.Insert(domain, struct{}{})
@ -1249,3 +1304,28 @@ func parseSniffer(snifferRaw RawSniffer) (*Sniffer, error) {
 	return sniffer, nil
 }
 func parsePortRange(portRanges []string) ([]utils.Range[uint16], error) {
 	ports := make([]utils.Range[uint16], 0)
 	for _, portRange := range portRanges {
 		portRaws := strings.Split(portRange, "-")
 		p, err := strconv.ParseUint(portRaws[0], 10, 16)
 		if err != nil {
 			return nil, fmt.Errorf("%s format error", portRange)
 		}
 		start := uint16(p)
 		if len(portRaws) > 1 {
 			p, err = strconv.ParseUint(portRaws[1], 10, 16)
 			if err != nil {
 				return nil, fmt.Errorf("%s format error", portRange)
 			}
 			end := uint16(p)
 			ports = append(ports, *utils.NewRange(start, end))
 		} else {
 			ports = append(ports, *utils.NewRange(start, start))
 		}
 	}
 	return ports, nil
 }
--- a/config/initial.go
+++ b/config/initial.go
@ -3,92 +3,12 @@ package config
 import (
 	"fmt"
 	"github.com/Dreamacro/clash/component/geodata"
 	"github.com/Dreamacro/clash/component/mmdb"
 	"io"
 	"net/http"
 	"os"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
 )
 func downloadMMDB(path string) (err error) {
 	resp, err := http.Get(C.MmdbUrl)
 	if err != nil {
 		return
 	}
 	defer resp.Body.Close()
 	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0o644)
 	if err != nil {
 		return err
 	}
 	defer f.Close()
 	_, err = io.Copy(f, resp.Body)
 	return err
 }
 func downloadGeoIP(path string) (err error) {
 	resp, err := http.Get(C.GeoIpUrl)
 	if err != nil {
 		return
 	}
 	defer resp.Body.Close()
 	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0o644)
 	if err != nil {
 		return err
 	}
 	defer f.Close()
 	_, err = io.Copy(f, resp.Body)
 	return err
 }
 func initGeoIP() error {
 	if C.GeodataMode {
 		if _, err := os.Stat(C.Path.GeoIP()); os.IsNotExist(err) {
 			log.Infoln("Can't find GeoIP.dat, start download")
 			if err := downloadGeoIP(C.Path.GeoIP()); err != nil {
 				return fmt.Errorf("can't download GeoIP.dat: %s", err.Error())
 			}
 			log.Infoln("Download GeoIP.dat finish")
 		}
 		if err := geodata.Verify(C.GeoipName); err != nil {
 			log.Warnln("GeoIP.dat invalid, remove and download: %s", err)
 			if err := os.Remove(C.Path.GeoIP()); err != nil {
 				return fmt.Errorf("can't remove invalid GeoIP.dat: %s", err.Error())
 			}
 			if err := downloadGeoIP(C.Path.GeoIP()); err != nil {
 				return fmt.Errorf("can't download GeoIP.dat: %s", err.Error())
 			}
 		}
 		return nil
 	}
 	if _, err := os.Stat(C.Path.MMDB()); os.IsNotExist(err) {
 		log.Infoln("Can't find MMDB, start download")
 		if err := downloadMMDB(C.Path.MMDB()); err != nil {
 			return fmt.Errorf("can't download MMDB: %s", err.Error())
 		}
 	}
 	if !mmdb.Verify() {
 		log.Warnln("MMDB invalid, remove and download")
 		if err := os.Remove(C.Path.MMDB()); err != nil {
 			return fmt.Errorf("can't remove invalid MMDB: %s", err.Error())
 		}
 		if err := downloadMMDB(C.Path.MMDB()); err != nil {
 			return fmt.Errorf("can't download MMDB: %s", err.Error())
 		}
 	}
 	return nil
 }
 // Init prepare necessary files
 func Init(dir string) error {
 	// initial homedir
@ -122,7 +42,7 @@ func Init(dir string) error {
 	C.GeoSiteUrl = rawCfg.GeoXUrl.GeoSite
 	C.MmdbUrl = rawCfg.GeoXUrl.Mmdb
 	// initial GeoIP
-	if err := initGeoIP(); err != nil {
+	if err := geodata.InitGeoIP(); err != nil {
 		return fmt.Errorf("can't initial GeoIP: %w", err)
 	}
--- a/constant/adapters.go
+++ b/constant/adapters.go
@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
 	"sync"
 	"time"
 	"github.com/Dreamacro/clash/component/dialer"
@ -92,6 +93,7 @@ type ProxyAdapter interface {
 	Type() AdapterType
 	Addr() string
 	SupportUDP() bool
 	SupportXUDP() bool
 	SupportTFO() bool
 	MarshalJSON() ([]byte, error)
@ -226,3 +228,23 @@ type PacketAdapter interface {
 	UDPPacket
 	Metadata() *Metadata
 }
 type NatTable interface {
 	Set(key string, e PacketConn)
 	Get(key string) PacketConn
 	GetOrCreateLock(key string) (*sync.Cond, bool)
 	Delete(key string)
 	GetLocalConn(lAddr, rAddr string) *net.UDPConn
 	AddLocalConn(lAddr, rAddr string, conn *net.UDPConn) bool
 	RangeLocalConn(lAddr string, f func(key, value any) bool)
 	GetOrCreateLockForLocalConn(lAddr, key string) (*sync.Cond, bool)
 	DeleteLocalConnMap(lAddr, key string)
 }
--- a/constant/context.go
+++ b/constant/context.go
@ -3,6 +3,8 @@ package constant
 import (
 	"net"
 	N "github.com/Dreamacro/clash/common/net"
 	"github.com/gofrs/uuid"
 )
@ -13,7 +15,7 @@ type PlainContext interface {
 type ConnContext interface {
 	PlainContext
 	Metadata() *Metadata
-	Conn() net.Conn
+	Conn() *N.BufferedConn
 }
 type PacketConnContext interface {
--- a/constant/dns.go
+++ b/constant/dns.go
@ -124,4 +124,4 @@ const (
 	HTTPVersion2 HTTPVersion = "h2"
 	// HTTPVersion3 is HTTP/3.
 	HTTPVersion3 HTTPVersion = "h3"
-)
+)
--- a/constant/listener.go
+++ b/constant/listener.go
@ -16,7 +16,7 @@ type MultiAddrListener interface {
 type InboundListener interface {
 	Name() string
-	Listen(tcpIn chan<- ConnContext, udpIn chan<- PacketAdapter) error
+	Listen(tcpIn chan<- ConnContext, udpIn chan<- PacketAdapter, natTable NatTable) error
 	Close() error
 	Address() string
 	RawAddress() string
--- a/constant/metadata.go
+++ b/constant/metadata.go
@ -128,12 +128,14 @@ type Metadata struct {
 	InName       string     `json:"inboundName"`
 	Host         string     `json:"host"`
 	DNSMode      DNSMode    `json:"dnsMode"`
-	Uid          *uint32    `json:"uid"`
+	Uid          uint32     `json:"uid"`
 	Process      string     `json:"process"`
 	ProcessPath  string     `json:"processPath"`
 	SpecialProxy string     `json:"specialProxy"`
 	SpecialRules string     `json:"specialRules"`
 	RemoteDst    string     `json:"remoteDestination"`
 	// Only domain rule
 	SniffHost string `json:"sniffHost"`
 }
 func (m *Metadata) RemoteAddress() string {
@ -146,16 +148,17 @@ func (m *Metadata) SourceAddress() string {
 func (m *Metadata) SourceDetail() string {
 	if m.Type == INNER {
-		return fmt.Sprintf("[%s]", ClashName)
+		return fmt.Sprintf("%s", ClashName)
 	}
-	if m.Process != "" && m.Uid != nil {
+	switch {
-		return fmt.Sprintf("%s(%s, uid=%d)", m.SourceAddress(), m.Process, *m.Uid)
+	case m.Process != "" && m.Uid != 0:
-	} else if m.Uid != nil {
+		return fmt.Sprintf("%s(%s, uid=%d)", m.SourceAddress(), m.Process, m.Uid)
-		return fmt.Sprintf("%s(uid=%d)", m.SourceAddress(), *m.Uid)
+	case m.Uid != 0:
-	} else if m.Process != "" {
+		return fmt.Sprintf("%s(uid=%d)", m.SourceAddress(), m.Uid)
 	case m.Process != "":
 		return fmt.Sprintf("%s(%s)", m.SourceAddress(), m.Process)
-	} else {
+	default:
 		return fmt.Sprintf("%s", m.SourceAddress())
 	}
 }
@ -175,6 +178,14 @@ func (m *Metadata) Resolved() bool {
 	return m.DstIP.IsValid()
 }
 func (m *Metadata) RuleHost() string {
 	if len(m.SniffHost) == 0 {
 		return m.Host
 	} else {
 		return m.SniffHost
 	}
 }
 // Pure is used to solve unexpected behavior
 // when dialing proxy connection in DNSMapping mode.
 func (m *Metadata) Pure() *Metadata {
--- a/constant/provider/interface.go
+++ b/constant/provider/interface.go
@ -102,5 +102,6 @@ type RuleProvider interface {
 	Behavior() RuleType
 	Match(*constant.Metadata) bool
 	ShouldResolveIP() bool
 	ShouldFindProcess() bool
 	AsRule(adaptor string) constant.Rule
 }
--- a/constant/sniffer/sniffer.go
+++ b/constant/sniffer/sniffer.go
@ -6,6 +6,7 @@ type Sniffer interface {
 	SupportNetwork() constant.NetWork
 	SniffTCP(bytes []byte) (string, error)
 	Protocol() string
 	SupportPort(port uint16) bool
 }
 const (
--- a/constant/version.go
+++ b/constant/version.go
@ -4,5 +4,5 @@ var (
 	Meta      = true
 	Version   = "1.10.0"
 	BuildTime = "unknown time"
-	ClashName = "Clash.Meta"
+	ClashName = "clash.meta"
 )
--- a/context/conn.go
+++ b/context/conn.go
@ -12,7 +12,7 @@ import (
 type ConnContext struct {
 	id       uuid.UUID
 	metadata *C.Metadata
-	conn     net.Conn
+	conn     *N.BufferedConn
 }
 func NewConnContext(conn net.Conn, metadata *C.Metadata) *ConnContext {
@ -36,6 +36,6 @@ func (c *ConnContext) Metadata() *C.Metadata {
 }
 // Conn implement C.ConnContext Conn
-func (c *ConnContext) Conn() net.Conn {
+func (c *ConnContext) Conn() *N.BufferedConn {
 	return c.conn
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
H1JK	66f108bf24	Fix Vision read	2023-02-25 10:28:38 +08:00
H1JK	c5444a03ac	Fix short buffer	2023-02-24 21:19:57 +08:00
H1JK	9aacfe11e7	Update to the latest Alpha branch	2023-02-24 21:06:24 +08:00
H1JK	11e0bbebf4	PREVIEW	2023-02-24 20:47:07 +08:00
H1JK	fc58f80cc8	DRAFT 3	2023-02-24 20:47:07 +08:00
H1JK	abced62f4d	DRAFT 2	2023-02-24 20:47:07 +08:00
H1JK	4f27911659	DRAFT 1	2023-02-24 20:46:59 +08:00
wwqgtxx	5bfad04b41	fix: checkTunName mistake	2023-02-24 14:58:01 +08:00
wwqgtxx	880664c6ab	fix: tunnel's inboundTFO missing	2023-02-24 14:19:50 +08:00
wwqgtxx	8f0c61ed14	fix: tuic missing routing mark	2023-02-24 14:02:20 +08:00
wwqgtxx	7d524668e0	chore: support TFO for outbounds	2023-02-24 13:53:44 +08:00
wwqgtxx	75680c5866	chore: use early conn to support real ws 0-rtt	2023-02-24 09:54:54 +08:00
Skyxim	a1d008e6f0	chore: add pprof api, when log-level is debug	2023-02-23 23:30:53 +08:00
Skyxim	d5d62a4ffd	chore: change internal tcp traffic type	2023-02-23 20:26:25 +08:00
Skyxim	b72bd5bb37	chore: adjust the configuration loading order	2023-02-23 14:13:27 +08:00
Skyxim	7fecd20a1d	chore: adjust the configuration loading order	2023-02-22 23:45:18 +08:00
Skyxim	f586f22ce3	fix: incorrect time to set interface name	2023-02-22 21:08:08 +08:00
wwqgtxx	21848d6bf1	chore: code cleanup	2023-02-22 19:43:32 +08:00
wwqgtxx	28c57c4144	chore: Update dependencies	2023-02-22 19:35:43 +08:00
wwqgtxx	4a6ebff473	fix: add "dns resolve failed" error in dialer	2023-02-22 19:14:11 +08:00
wwqgtxx	5c8d955f61	chore: better windows bind error handle	2023-02-22 13:41:33 +08:00
wwqgtxx	baaf509637	chore: using sing-shadowtls to support shadowtls v1/2/3	2023-02-21 21:58:37 +08:00
Skyxim	db3e1b9ed5	feat: add sni field for tuic	2023-02-19 16:20:30 +08:00
wwqgtxx	1a1e3345f4	chore: reset tunName in macos when it isn't startWith "utun"	2023-02-19 10:10:27 +08:00
wwqgtxx	527fc2790b	chore: combine workflows	2023-02-19 01:23:06 +08:00
Skyxim	cd7d9fc4f5	fix: socks5 serialize error #376	2023-02-18 17:18:58 +08:00
wwqgtxx	a61685ce01	fix: disable header protection in vmess server	2023-02-18 16:42:54 +08:00
wwqgtxx	b9e63d3f7d	fix: ensure return a nil interface not an interface with nil value	2023-02-18 14:16:03 +08:00
wwqgtxx	cc3a9dd553	fix: websocket headroom	2023-02-18 13:58:08 +08:00
wwqgtxx	6a89cc15c3	chore: Considering remove GOAMD64=v2 of linux-amd64-compatible close https://github.com/MetaCubeX/Clash.Meta/issues/391	2023-02-18 13:32:26 +08:00
wwqgtxx	fc50392ec7	chore: cleanup natTable's api	2023-02-18 13:16:07 +08:00
Skyxim	59cd89a9c9	fix: parsing ipv6 doh error	2023-02-17 23:30:38 +08:00
kunish	d6ff5f7d96	style: run go fmt on every .go file (#392 )	2023-02-17 16:31:37 +08:00
Ovear	8e4dfbd10d	feat: introduce a new robust approach to handle tproxy udp. (#389 )	2023-02-17 16:31:15 +08:00
Ovear	b2d1cea759	fix: RoundRobin strategy of load balance when called multiple times (#390 )	2023-02-17 16:31:00 +08:00
Skyxim	6fe1766c83	chore: add log	2023-02-17 13:48:29 +08:00
Larvan2	e59c35a308	fix issue #357 . Copy from upstream.	2023-02-16 21:14:27 +08:00
Skyxim	b50071ed37	chore: better log time	2023-02-15 22:39:28 +08:00
Skyxim	28c7de6185	fix: avoid modifying the request message id	2023-02-14 21:09:37 +08:00
Larvan2	6fb4ebba15	chore: Allow 0-RTT in Tuic server refers to: https://github.com/quic-go/quic-go/pull/3635	2023-02-13 23:52:15 +08:00
wwqgtxx	d00d83abd4	fix: tun udp with 4in6 ip	2023-02-13 22:06:09 +08:00
wwqgtxx	e6d16e458f	chore: update gvisor	2023-02-13 20:50:11 +08:00
wwqgtxx	ae42d35184	chore: support golang1.20's dialer.ControlContext	2023-02-13 11:14:19 +08:00
wwqgtxx	ce8929d153	chore: better bind in windows	2023-02-13 10:14:59 +08:00
H1JK	cc2a775271	feat: Converter support uTLS fingerprint field	2023-02-11 16:40:01 +08:00
H1JK	83d719cf79	fix: VLESS handshake write	2023-02-11 15:13:17 +08:00
Skyxim	4643b5835e	chore: setting sniffHost value	2023-02-10 13:01:53 +08:00
metacubex	a991bf9045	fix: missing sniffhost field in RESTful API	2023-02-10 12:48:02 +08:00
H1JK	3fd3d83029	feat: Attempts to send request with first payload on VLESS	2023-02-10 10:03:37 +08:00
wwqgtxx	24419551a9	chore: update tfo-go for golang1.20	2023-02-08 13:10:44 +08:00
Skyxim	c83eb2e0c9	chore: adjust log	2023-02-07 21:29:40 +08:00
Skyxim	929b1675e3	chore: avoid repeated wrapper	2023-02-07 21:29:40 +08:00
wwqgtxx	db54b438e6	chore: do not use extra pointer in UClient	2023-02-07 17:51:37 +08:00
Larvan2	967254d9ca	chore: move global-utls-client snippets to components\tls	2023-02-07 17:24:14 +08:00
Skyxim	2d806df9b9	fix: sniff domain don't match geosite when override-destination value is false	2023-02-07 15:59:44 +08:00
wwqgtxx	4fe798ec3b	chore: update sing-vmess	2023-02-07 15:10:36 +08:00
Skyxim	3555ff5f4e	chore: update docs/config.yml	2023-02-07 13:19:19 +08:00
Larvan2	05ca819823	feat: add global-client-fingerprint. * Available: "chrome","firefox","safari","ios","random","none". * global-client-fingerprint will NOT overwrite the proxy's client-fingerprint setting when "client-fingerprint: none".	2023-02-07 01:26:56 +08:00
Skyxim	c8b8b60b93	chore: override-destination default value is true	2023-02-06 17:48:49 +08:00
Larvan2	287986d524	Update README.md	2023-02-05 23:36:08 +08:00
Larvan2	4c25f5e73b	feat: Update utls support. * client-fingerprint is used to apply Utls for modifying ClientHello, it accepts "chrome","firefox","safari","ios","random" options. * Utls is currently support TLS transport in TCP/grpc/WS/HTTP for VLESS/Vmess and trojan.	2023-02-05 17:34:37 +08:00
H1JK	cbc217e80a	fix: Converter Shadowsocks password parse	2023-02-04 16:58:17 +08:00
Skyxim	fe348e89c5	chore: add nameserver-policy demo	2023-02-03 21:41:26 +08:00
Skyxim	e1e1984d3e	feat: nameserver policy support multiple server	2023-02-03 21:40:05 +08:00
wwqgtxx	99662b616f	fix: tuic listener config name	2023-02-02 21:48:20 +08:00
Larvan2	857d6e419f	fix: Parse CC fail in tuic.	2023-02-02 21:29:12 +08:00
wwqgtxx	a298b9ea01	chore: fix mips atomic panic	2023-02-02 21:03:24 +08:00
wwqgtxx	61097d0826	chore: update to golang1.20	2023-02-02 15:39:57 +08:00
Larvan2	2ee0f634e6	feat: Add utls for modifying client's fingerprint. Currently only support TLS transport in TCP/GRPC/WS/HTTP for VLESS/Vmess and trojan-grpc.	2023-02-01 22:36:05 +08:00
Larvan2	61b3b4f775	fix: Handle error earlier in DialContextWithDialer. chore: Fix typo.	2023-01-31 18:05:46 +08:00
Skyxim	dc4b9753d3	Merge pull request #360 from tgNotHouse/Alpha fix: get tlsconfig err not handle, return nil pointer #358	2023-01-31 15:40:44 +08:00
qiaoweijie	f1ef6c2096	fix: get tlsconfig err not handle, return nil pointer	2023-01-31 15:26:18 +08:00
Larvan2	872c915cf7	Chore: Add images for wiki	2023-01-30 21:19:46 +08:00
Larvan2	fb9f09c97f	Update README.md	2023-01-30 20:39:13 +08:00
Larvan2	884db8a8b5	chore: add patch for debug api,better workflow.	2023-01-30 20:19:44 +08:00
wwqgtxx	ee21b7bc37	chore: update gvisor	2023-01-29 22:30:40 +08:00
Skyxim	32c53b9584	chore: dns log error	2023-01-29 11:03:39 +08:00
Larvan2	4e5f3fbe84	Merge pull request #356 from kunish/Alpha Chore: Remove missing image link, mention Yacd-meta in README.md	2023-01-29 00:24:37 +08:00
kunish	2ce193877b	docs(README.md): remove missing image link, mention Yacd-meta	2023-01-29 00:17:33 +08:00
Skyxim	e52d599326	chore: better dns log	2023-01-28 22:33:03 +08:00
Skyxim	2cf66f41cb	fix: parse error	2023-01-28 16:09:14 +08:00
H1JK	a06b387acc	adjust: VLESS enable XUDP by default	2023-01-28 14:58:52 +08:00
yaling888	03520e0d6f	Fix: dns api panic on disable dns section (#2498 )	2023-01-28 00:55:30 +08:00
Dreamacro	a6a72a5b54	Feature: add dns query json api	2023-01-28 00:55:24 +08:00
metacubex	85db58aeb5	chore: update config.yaml	2023-01-28 00:32:17 +08:00
metacubex	596bf32caa	chore: adjust keyword for geosite-based nameserver policy	2023-01-28 00:19:58 +08:00
metacubex	2b2644a76f	chore: restful api display xudp for VLESS and VMess	2023-01-28 00:07:20 +08:00
i40e	02684a868f	feature: geosite-based nameserver policy	2023-01-27 23:40:53 +08:00
Skyxim	1924b308fd	chore: clear code	2023-01-27 17:10:15 +08:00
Skyxim	0d62e42c50	chore: better parsing pure UDP DNS	2023-01-27 17:02:58 +08:00
Larvan2	d3193cf8b7	Chore: Better parsing pure IPv6 UDP DNS	2023-01-27 15:08:05 +08:00
Larvan2	f7538568c0	Chore: Change default latency test url to HTTPS.	2023-01-27 13:41:23 +08:00
Larvan2	4629ecb8ee	Chore: Add GEO data url configuration.	2023-01-27 13:27:39 +08:00
Skyxim	5bcea37d59	chore: better parse udp dns	2023-01-27 13:07:52 +08:00
Skyxim	6decaef050	fix: sub-rule condition don't work	2023-01-27 12:38:15 +08:00
H1JK	248578086f	feat: Converter support WS early data parameters	2023-01-27 11:31:58 +08:00
Larvan2	87553c6aa0	Update config.yaml	2023-01-26 23:19:33 +08:00
Skyxim	a2aa267e43	chore: update workflows docker	2023-01-25 20:53:39 +08:00
Skyxim	a563e9375e	chore: better source address	2023-01-25 13:00:18 +08:00
Larvan2	9a4be1fbec	Chore: Action ignore docs/**,README.md when push.	2023-01-24 21:56:17 +08:00
Larvan2	80f48518ca	Chore: Update config.yaml	2023-01-24 21:50:21 +08:00
Larvan2	16c4b55e31	Chore: Decrease the default MaxUdpRelayPacketSize to 1252 to avoid the relay UDP exceeding the size of the QUIC's datagram. ClientMaxOpenStreams now follows the config.yaml option.	2023-01-24 21:48:31 +08:00
ag2s20150909	023a96a6d3	make ConvertsV2Ray more robust (#349 ) * make ConvertsV2Ray more robust * add log * fix	2023-01-24 16:34:52 +08:00
Skyxim	39394e49ae	chore: update config.yaml	2023-01-23 14:51:25 +08:00
Skyxim	b54ddc3aa9	chore: update config.yaml	2023-01-23 14:19:13 +08:00
Skyxim	97537bd185	chore: update config.yaml	2023-01-23 14:14:18 +08:00
Skyxim	1225173a43	chore: update config.yaml	2023-01-23 14:12:53 +08:00
Skyxim	096bb8d439	feat: add override-destination for sniffer	2023-01-23 14:08:11 +08:00
Skyxim	df1f6e2b99	feat: better config for sniffer	2023-01-23 13:16:25 +08:00
Skyxim	d1f5bef25d	chore: better log	2023-01-23 11:17:30 +08:00
Skyxim	d426db43ec	chore: adjust log	2023-01-23 11:14:45 +08:00
Skyxim	3bace07948	fix: ipv6 logic	2023-01-21 22:31:07 +08:00
Larvan2	24e31d0a40	Chore: Update paths-ignore	2023-01-21 14:42:48 +08:00
Larvan2	fb623c0929	chore: Correct the decision of enabling find process	2023-01-21 14:27:09 +08:00
H1JK	4f641ce12d	fix: ShadowTLS header use array instead	2023-01-20 17:35:49 +08:00
Larvan2	8cd1e40fb3	Update README.md	2023-01-20 17:13:32 +08:00
Larvan2	8a7027e8d6	Fix: Remove EnableProcess from config.go and enable-process from config.yaml. Fix: FindProcess is now enabled by default when the rule set contains process-name rules.	2023-01-20 16:29:08 +08:00
wwqgtxx	5bbf73e3b5	chore: new Random TLS KeyPair when empty input	2023-01-18 12:06:36 +08:00
wwqgtxx	106a58779d	chore: update quic-go	2023-01-17 22:06:21 +08:00
wwqgtxx	fa5b5ca02d	fix: tcpTracker's upload	2023-01-17 21:36:16 +08:00
wwqgtxx	ba6163574e	chore: better parseAddr	2023-01-17 15:41:51 +08:00
wwqgtxx	37eca8af24	fix: tuic server's MaxIncomingStreams	2023-01-17 14:25:19 +08:00
Skyxim	421c91a58c	chore: update docker.yaml and Makefile docker	2023-01-17 12:43:51 +08:00
Larvan2	c90bf1c6e2	chore: Update const type	2023-01-17 12:33:15 +08:00
wwqgtxx	5b1de296af	chore: Update dependencies	2023-01-17 12:26:31 +08:00
wwqgtxx	f4414566d3	fix: tuic server's SetCongestionController	2023-01-17 10:41:51 +08:00
Larvan2	db4f3eda55	fix: Add CC for TUIC server	2023-01-17 01:08:30 +08:00
Larvan2	f3b76df13b	chore: Update BBR config chore: Adjust workflow	2023-01-16 21:50:02 +08:00
wwqgtxx	bb79272020	chore: better workflow	2023-01-16 16:44:47 +08:00
H1JK	926ef9e33d	feat: gRPC gun implement extended writer	2023-01-16 15:54:20 +08:00
wwqgtxx	ead21f37d7	chore: better workflow	2023-01-16 15:09:25 +08:00
wwqgtxx	49a2602329	fix: add Upstream to refconn	2023-01-16 13:26:30 +08:00
wwqgtxx	e88bddc24f	fix: addr panic	2023-01-16 12:47:22 +08:00
wwqgtxx	a5821e5785	fix: add ReaderReplaceable to BufferedConn, avoid buffered data lost	2023-01-16 12:28:30 +08:00
wwqgtxx	4e4d741075	chore: code cleanup	2023-01-16 12:11:34 +08:00
H1JK	bec66e9e69	adjust: Improve WebSocket mask	2023-01-16 11:42:10 +08:00
wwqgtxx	50832aab47	chore: decrease direct depend on the sing package	2023-01-16 10:50:31 +08:00
wwqgtxx	643fdd0bce	chore: tuic decrease unneeded copy	2023-01-16 09:55:06 +08:00
H1JK	d1565bb46f	refactor: Implement extended IO	2023-01-16 09:42:03 +08:00
wwqgtxx	8fa66c13a9	chore: better workflow	2023-01-15 21:51:33 +08:00
H1JK	c0ffa06b95	chore: Update dependencies	2023-01-15 15:04:58 +08:00
wwqgtxx	3b53f5bca3	chore: better workflow	2023-01-15 15:04:27 +08:00
Larvan2	2c80155c6f	Update Makefile add CGO support for release build add release.sh	2023-01-15 02:08:46 +08:00
Skyxim	8a9b3b3d59	fix: config parse error	2023-01-14 22:34:54 +08:00
metacubex	5dd691aa95	fix: ss converter cipher missing	2023-01-14 21:37:10 +08:00
Skyxim	27ceae580a	chore: update config.yaml	2023-01-14 21:34:26 +08:00
Skyxim	b6b6413d04	refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning	2023-01-14 21:08:06 +08:00
Skyxim	2095f4f670	chore: update gitignore	2023-01-14 18:10:22 +08:00
metacubex	606e8948c0	Fix: TLS defaults to true for h2/grpc networks	2023-01-14 16:20:58 +08:00
metacubex	3b6fc1c496	chore: adjust the case of Program names and HttpRequest UA	2023-01-14 16:17:10 +08:00
metacubex	f96bf65557	chore: Refine process code	2023-01-14 16:16:59 +08:00
3andero	804cff8c55	fix: skip-cert-verify is true by default (#333 ) * fix: skip-cert-verify is true by default * fix: format * fix: typo Co-authored-by: 3andero <3andero@github.com> Co-authored-by: Hellojack <106379370+H1JK@users.noreply.github.com>	2023-01-13 09:55:01 +08:00
metacubex	633b9c0426	chore: adjust Dockerfile	2023-01-12 02:13:22 +08:00
metacubex	7d6991dd65	chore: adjust makefile	2023-01-12 01:31:38 +08:00
Larvan2	95247154d6	Fix: Deprecate TCPMSS (#336 ) * 修改 DefaultTCPMSS 为 MaxDatagramSize 修改 MaxDatagramSize 的值提高 TUIC 的上传速度	2023-01-12 00:53:42 +08:00
Hellojack	be6142aa43	feat: VLESS support packet encodings (#334 ) * adjust: Do not use XTLS on H2 connections * feat: VLESS support XUDP fullcone NAT * fix: VLESS with PacketAddr does not work * fix: VLESS XUDP crash	2023-01-11 22:01:15 +08:00
wwqgtxx	0069513780	chore: shadowtls don't depend on trojan's code	2023-01-11 10:19:30 +08:00
wwqgtxx	0c9a23a53c	fix: dns cache index out of range	2023-01-11 09:54:07 +08:00
cubemaze	0035fc2313	Update prerelease.yml	2023-01-11 00:50:04 +08:00
metacubex	6f62d4d5c1	chore: update config.yaml	2023-01-11 00:28:21 +08:00
3andero	51f9b34a7c	feat: Support ShadowTLS v2 as Shadowsocks plugin (#330 )	2023-01-11 00:13:48 +08:00
metacubex	337be9124f	chore: clean code	2023-01-11 00:01:28 +08:00
metacubex	dd4e4d7559	chore: ss2022 converter method verify	2023-01-10 21:55:36 +08:00
H1JK	0f29c267be	fix: Converter VMess XUDP not enabled by default when using v2rayN style share link	2023-01-10 20:47:58 +08:00
H1JK	d38ceb78c9	chore: Refine converter packet encoding parse	2023-01-10 18:25:05 +08:00
metacubex	0c354c748a	fix: ss2022 converter password decode error	2023-01-10 18:13:18 +08:00
metacubex	3a8e7c8899	chore: vemss converter xudp is true by default	2023-01-10 18:10:21 +08:00
wwqgtxx	261b8a1d06	fix: vmess udp	2023-01-10 13:21:32 +08:00
metacubex	01d8b224db	fix: vless RoutingMark bind	2023-01-09 23:15:17 +08:00
metacubex	e9a7e104c0	fix: geoip mmdb/geodata init	2023-01-09 21:12:13 +08:00
chain710	b4503908df	fix #322 : add option general.find-process-mode, user can turn off findProcess feature in router findProcess slow down connection due to repeat call to FindProcessName in router environment this option has 3 values: always, strict, off - always, equal to enable-process: true. Just try to merge all process related option into one - strict, as default value, behavior remains unchanged - off, turn off findProcess, useful in router environment	2023-01-09 19:48:39 +08:00
H1JK	fd48c6df8a	chore: Fix fmt in #321 Replace all double spaces to tabs due to Go fmt proposal.	2023-01-07 12:24:28 +08:00
cubemaze	cd7134e309	Merge pull request #321 from ag2s20150909/Alpha proxy-provider and proxy-groups support exclude node by node type	2023-01-06 11:58:12 +08:00
Skyxim	5fa6777239	fix: Process rule is not work in classical rule-set	2023-01-04 21:18:07 +08:00
ag2s20150909	908d0b0007	Merge pull request #1 from ag2s20150909/fixConverter fix converter error	2023-01-03 22:36:38 +08:00
ag2s20150909	8e6989758e	fix converter error	2023-01-03 22:33:29 +08:00
ag2s20150909	29b72df14c	proxy-groups support exclude node by node type	2023-01-03 21:47:57 +08:00
ag2s20150909	f100a33d98	proxy-provider support exclude node by node type	2023-01-03 21:27:07 +08:00