Chore: update dependencies

Co-authored-by: Dreamacro <8615343+Dreamacro@users.noreply.github.com>

.github/ISSUE_TEMPLATE/bug_report.md

@@ -7,48 +7,54 @@ assignees: ''
 
 ---
 
-<!-- The English version is available. -->
+<!--
 感谢你向 Clash Core 提交 issue！
 在提交之前，请确认：
 
-- [ ] 我已经在 [Issue Tracker](……/) 中找过我要提出的问题
-- [ ] 这是 Clash 核心的问题，并非我所使用的 Clash 衍生版本（如 Openclash、Koolclash 等）的特定问题
-- [ ] 我已经使用 Clash core 的 dev 分支版本测试过，问题依旧存在
 - [ ] 如果你可以自己 debug 并解决的话，提交 PR 吧！
+- [ ] 我已经在 [Issue Tracker](……/) 中找过我要提出的问题
+- [ ] 我已经使用 dev 分支版本测试过，问题依旧存在
+- [ ] 我已经仔细看过 [Documentation](https://github.com/Dreamacro/clash/wiki/) 并无法自行解决问题
+- [ ] 这是 Clash 核心的问题，并非我所使用的 Clash 衍生版本（如 OpenClash、KoolClash 等）的特定问题
 
 请注意，如果你并没有遵照这个 issue template 填写内容，我们将直接关闭这个 issue。
 
-<!--
-Thanks for submitting an issue towards the Clash core!
+Thanks for opening an issue towards the Clash core!
 But before so, please do the following checklist:
 
 - [ ] Is this something you can **debug and fix**? Send a pull request! Bug fixes and documentation fixes are welcome.
-- [ ] Your issue may already be reported! Please search on the [issue tracker](……/) before creating one.
+- [ ] I have searched on the [issue tracker](……/) for a related issue.
 - [ ] I have tested using the dev branch, and the issue still exists.
-- [ ] This is an issue related to the Clash core, not to the derivatives of Clash, like Openclash or Koolclash
+- [ ] I have read the [documentation](https://github.com/Dreamacro/clash/wiki/) and was unable to solve the issue
+- [ ] This is an issue of the Clash core *per se*, not to the derivatives of Clash, like OpenClash or KoolClash
 
-Please understand that we close issues that fail to follow the issue template.
+Please understand that we close issues that fail to follow this issue template.
 -->
 
-我都确认过了，我要继续提交。
-<!-- None of the above, create a bug report -->
 ------------------------------------------------------------------
 
+<!-- 
 请附上任何可以帮助我们解决这个问题的信息，如果我们收到的信息不足，我们将对这个 issue 加上 *Needs more information* 标记并在收到更多资讯之前关闭 issue。
-<!-- Make sure to add **all the information needed to understand the bug** so that someone can help. If the info is missing we'll add the 'Needs more information' label and close the issue until there is enough information. -->
+Make sure to add **all the information needed to understand the bug** so that someone can help. If the info is missing we'll add the 'Needs more information' label and close the issue until there is enough information.
+-->
 
-### clash core config
+### Clash config
 <!--
 在下方附上 Clash core 脱敏后配置文件的内容
 Paste the Clash core configuration below.
 -->
-```
+<details>
+  <summary>config.yaml</summary>
+
+```yaml
 ……
 ```
 
+</details>
+
 ### Clash log
 <!--
-在下方附上 Clash Core 的日志，log level 最好使用 DEBUG
+在下方附上 Clash Core 的日志，log level 使用 DEBUG
 Paste the Clash core log below with the log level set to `DEBUG`.
 -->
 ```
@@ -57,9 +63,7 @@ Paste the Clash core log below with the log level set to `DEBUG`.
 
 ### 环境 Environment
 
-* Clash Core 的操作系统 (the OS that the Clash core is running on)
-……
-* 使用者的操作系统 (the OS running on the client)
+* 操作系统 (the OS that the Clash core is running on)
 ……
 * 网路环境或拓扑 (network conditions/topology)
 ……
@@ -67,7 +71,7 @@ Paste the Clash core log below with the log level set to `DEBUG`.
 ……
 * ISP 有没有进行 DNS 污染 (is your ISP performing DNS pollution?)
 ……
-* 其他
+* 其他 (any other information that would be useful)
 ……
 
 ### 说明 Description
@@ -85,7 +89,7 @@ Paste the Clash core log below with the log level set to `DEBUG`.
 **我预期会发生……？**
 <!-- **Expected behavior:** [What you expected to happen] -->
 
-**实际上发生了什麽？**
+**实际上发生了什么？**
 <!-- **Actual behavior:** [What actually happened] -->
 
 ### 可能的解决方案 Possible Solution

.github/workflows/docker.yml

@@ -0,0 +1,76 @@
+name: Publish Docker Image
+on:
+  push:
+    branches:
+      - dev
+    tags:
+      - '*'
+jobs:
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+        with:
+          platforms: all
+
+      - name: Set up docker buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v1
+        with:
+          version: latest
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      
+      - name: Login to Github Package
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: Dreamacro
+          password: ${{ secrets.PACKAGE_TOKEN }}
+
+      - name: Build dev branch and push
+        if: github.ref == 'refs/heads/dev'
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm/v7,linux/arm64
+          push: true
+          tags: 'dreamacro/clash:dev,ghcr.io/dreamacro/clash:dev'
+
+      - name: Get all docker tags
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: actions/github-script@v3
+        id: tags
+        with:
+          script: |
+            const ref = `${context.payload.ref.replace(/\/?refs\/tags\//, '')}`
+            const tags = [
+              'dreamacro/clash:latest',
+              `dreamacro/clash:${ref}`,
+              'ghcr.io/dreamacro/clash:latest',
+              `ghcr.io/dreamacro/clash:${ref}`
+            ]
+            return tags.join(',')
+          result-encoding: string
+
+      - name: Build release and push
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm/v7,linux/arm64
+          push: true
+          tags: ${{steps.tags.outputs.result}}

.github/workflows/go.yml

@@ -7,24 +7,27 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Setup Go
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v2
         with:
-          go-version: 1.13.x
+          go-version: 1.15.x
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@v1
-      
+        uses: actions/checkout@v2
+
       - name: Cache go module
-        uses: actions/cache@v1
+        uses: actions/cache@v2
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-go-
 
-      - name: Get dependencies and run test
+      - name: Get dependencies, run test and static check
         run: |
           go test ./...
+          go vet ./...
+          go get -u honnef.co/go/tools/cmd/staticcheck
+          staticcheck -- $(go list ./...)
 
       - name: Build
         if: startsWith(github.ref, 'refs/tags/')

.github/workflows/stale.yml

@@ -0,0 +1,19 @@
+  
+name: Mark stale issues and pull requests
+
+on:
+  schedule:
+    - cron: "30 1 * * *"
+
+jobs:
+  stale:
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/stale@v3
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days'
+          days-before-stale: 60
+          days-before-close: 5

Dockerfile

@@ -3,12 +3,14 @@ FROM golang:alpine as builder
 RUN apk add --no-cache make git && \
     wget -O /Country.mmdb https://github.com/Dreamacro/maxmind-geoip/releases/latest/download/Country.mmdb
 WORKDIR /clash-src
+COPY --from=tonistiigi/xx:golang / /
 COPY . /clash-src
 RUN go mod download && \
-    make linux-amd64 && \
-    mv ./bin/clash-linux-amd64 /clash
+    make docker && \
+    mv ./bin/clash-docker /clash
 
 FROM alpine:latest
+LABEL org.opencontainers.image.source https://github.com/Dreamacro/clash
 
 RUN apk add --no-cache ca-certificates
 COPY --from=builder /Country.mmdb /root/.config/clash/

Dockerfile.arm32v7

@@ -1,20 +0,0 @@
-FROM golang:alpine as builder
-
-RUN apk add --no-cache make git && \
-    wget -O /Country.mmdb https://github.com/Dreamacro/maxmind-geoip/releases/latest/download/Country.mmdb && \
-    wget -O /qemu-arm-static https://github.com/multiarch/qemu-user-static/releases/latest/download/qemu-arm-static && \
-    chmod +x /qemu-arm-static
-
-WORKDIR /clash-src
-COPY . /clash-src
-RUN go mod download && \
-    make linux-armv7 && \
-    mv ./bin/clash-linux-armv7 /clash
-
-FROM arm32v7/alpine:latest
-
-COPY --from=builder /qemu-arm-static /usr/bin/
-COPY --from=builder /Country.mmdb /root/.config/clash/
-COPY --from=builder /clash /
-RUN apk add --no-cache ca-certificates
-ENTRYPOINT ["/clash"]

Dockerfile.arm64v8

@@ -1,20 +0,0 @@
-FROM golang:alpine as builder
-
-RUN apk add --no-cache make git && \
-    wget -O /Country.mmdb https://github.com/Dreamacro/maxmind-geoip/releases/latest/download/Country.mmdb && \
-    wget -O /qemu-aarch64-static https://github.com/multiarch/qemu-user-static/releases/latest/download/qemu-aarch64-static && \
-    chmod +x /qemu-aarch64-static
-
-WORKDIR /clash-src
-COPY . /clash-src
-RUN go mod download && \
-    make linux-armv8 && \
-    mv ./bin/clash-linux-armv8 /clash
-
-FROM arm64v8/alpine:latest
-
-COPY --from=builder /qemu-aarch64-static /usr/bin/
-COPY --from=builder /Country.mmdb /root/.config/clash/
-COPY --from=builder /clash /
-RUN apk add --no-cache ca-certificates
-ENTRYPOINT ["/clash"]

Makefile

@@ -2,9 +2,9 @@ NAME=clash
 BINDIR=bin
 VERSION=$(shell git describe --tags || echo "unknown version")
 BUILDTIME=$(shell date -u)
-GOBUILD=CGO_ENABLED=0 go build -ldflags '-X "github.com/Dreamacro/clash/constant.Version=$(VERSION)" \
+GOBUILD=CGO_ENABLED=0 go build -trimpath -ldflags '-X "github.com/Dreamacro/clash/constant.Version=$(VERSION)" \
 		-X "github.com/Dreamacro/clash/constant.BuildTime=$(BUILDTIME)" \
-		-w -s'
+		-w -s -buildid='
 
 PLATFORM_LIST = \
 	darwin-amd64 \
@@ -25,10 +25,14 @@ PLATFORM_LIST = \
 
 WINDOWS_ARCH_LIST = \
 	windows-386 \
-	windows-amd64
+	windows-amd64 \
+	windows-arm32v7
 
 all: linux-amd64 darwin-amd64 windows-amd64 # Most used
 
+docker:
+	$(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+
 darwin-amd64:
 	GOARCH=amd64 GOOS=darwin $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 
@@ -79,6 +83,9 @@ windows-386:
 
 windows-amd64:
 	GOARCH=amd64 GOOS=windows $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
+	
+windows-arm32v7:
+	GOARCH=arm GOOS=windows GOARM=7 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
 
 gz_releases=$(addsuffix .gz, $(PLATFORM_LIST))
 zip_releases=$(addsuffix .zip, $(WINDOWS_ARCH_LIST))

README.md

@@ -19,303 +19,36 @@
 
 ## Features
 
-- Local HTTP/HTTPS/SOCKS server
-- GeoIP rule support
-- Supports Vmess, Shadowsocks, Snell and SOCKS5 protocol
-- Supports Netfilter TCP redirecting
-- Comprehensive HTTP API
+- Local HTTP/HTTPS/SOCKS server with authentication support
+- VMess, Shadowsocks, Trojan, Snell protocol support for remote connections
+- Built-in DNS server that aims to minimize DNS pollution attack impact, supports DoH/DoT upstream and fake IP.
+- Rules based off domains, GEOIP, IP CIDR or ports to forward packets to different nodes
+- Remote groups allow users to implement powerful rules. Supports automatic fallback, load balancing or auto select node based off latency
+- Remote providers, allowing users to get node lists remotely instead of hardcoding in config
+- Netfilter TCP redirecting. Deploy Clash on your Internet gateway with `iptables`.
+- Comprehensive HTTP RESTful API controller
 
-## Install
+## Premium Features
 
-Clash Requires Go >= 1.13. You can build it from source:
+- TUN mode on macOS, Linux and Windows. [Doc](https://github.com/Dreamacro/clash/wiki/premium-core-features#tun-device)
+- Match your tunnel by [Script](https://github.com/Dreamacro/clash/wiki/premium-core-features#script)
+- [Rule Provider](https://github.com/Dreamacro/clash/wiki/premium-core-features#rule-providers)
 
-```sh
-$ go get -u -v github.com/Dreamacro/clash
-```
+## Getting Started
+Documentations are now moved to [GitHub Wiki](https://github.com/Dreamacro/clash/wiki).
 
-Pre-built binaries are available here: [release](https://github.com/Dreamacro/clash/releases)
+## Premium Release
+[Release](https://github.com/Dreamacro/clash/releases/tag/premium)
 
-Pre-built TUN mode binaries are available here: [TUN release](https://github.com/Dreamacro/clash/releases/tag/TUN)
+## Credits
 
-Check Clash version with:
-
-```sh
-$ clash -v
-```
-
-## Daemon
-
-Unfortunately, there is no native and elegant way to implement daemons on Golang.
-
-So we can use third-party daemon tools like PM2, Supervisor or the like.
-
-In the case of [pm2](https://github.com/Unitech/pm2), we can start the daemon this way:
-
-```sh
-$ pm2 start clash
-```
-
-If you have Docker installed, you can run clash directly using `docker-compose`.
-
-[Run clash in docker](https://github.com/Dreamacro/clash/wiki/Run-clash-in-docker)
-
-## Config
-
-The default configuration directory is `$HOME/.config/clash`.
-
-The name of the configuration file is `config.yaml`.
-
-If you want to use another directory, use `-d` to control the configuration directory.
-
-For example, you can use the current directory as the configuration directory:
-
-```sh
-$ clash -d .
-```
-
-<details>
-  <summary>This is an example configuration file (click to expand)</summary>
-
-```yml
-# port of HTTP
-port: 7890
-
-# port of SOCKS5
-socks-port: 7891
-
-# redir port for Linux and macOS
-# redir-port: 7892
-
-allow-lan: false
-
-# Only applicable when setting allow-lan to true
-# "*": bind all IP addresses
-# 192.168.122.11: bind a single IPv4 address
-# "[aaaa::a8aa:ff:fe09:57d8]": bind a single IPv6 address
-# bind-address: "*"
-
-# Rule / Global/ Direct (default is Rule)
-mode: Rule
-
-# set log level to stdout (default is info)
-# info / warning / error / debug / silent
-log-level: info
-
-# RESTful API for clash
-external-controller: 127.0.0.1:9090
-
-# you can put the static web resource (such as clash-dashboard) to a directory, and clash would serve in `${API}/ui`
-# input is a relative path to the configuration directory or an absolute path
-# external-ui: folder
-
-# Secret for RESTful API (Optional)
-# secret: ""
-
-# experimental feature
-experimental:
-  ignore-resolve-fail: true # ignore dns resolve fail, default value is true
-  # interface-name: en0 # outbound interface name
-
-# authentication of local SOCKS5/HTTP(S) server
-# authentication:
-#  - "user1:pass1"
-#  - "user2:pass2"
-
-# # experimental hosts, support wildcard (e.g. *.clash.dev Even *.foo.*.example.com)
-# # static domain has a higher priority than wildcard domain (foo.example.com > *.example.com)
-# hosts:
-#   '*.clash.dev': 127.0.0.1
-#   'alpha.clash.dev': '::1'
-
-# dns:
-  # enable: true # set true to enable dns (default is false)
-  # ipv6: false # default is false
-  # listen: 0.0.0.0:53
-  # # default-nameserver: # resolve dns nameserver host, should fill pure IP
-  # #   - 114.114.114.114
-  # #   - 8.8.8.8
-  # enhanced-mode: redir-host # or fake-ip
-  # # fake-ip-range: 198.18.0.1/16 # if you don't know what it is, don't change it
-  # fake-ip-filter: # fake ip white domain list
-  #   - '*.lan'
-  #   - localhost.ptlogin2.qq.com
-  # nameserver:
-  #   - 114.114.114.114
-  #   - tls://dns.rubyfish.cn:853 # dns over tls
-  #   - https://1.1.1.1/dns-query # dns over https
-  # fallback: # concurrent request with nameserver, fallback used when GEOIP country isn't CN
-  #   - tcp://1.1.1.1
-  # fallback-filter:
-  #   geoip: true # default
-  #   ipcidr: # ips in these subnets will be considered polluted
-  #     - 240.0.0.0/4
-
-Proxy:
-  # shadowsocks
-  # The supported ciphers(encrypt methods):
-  #   aes-128-gcm aes-192-gcm aes-256-gcm
-  #   aes-128-cfb aes-192-cfb aes-256-cfb
-  #   aes-128-ctr aes-192-ctr aes-256-ctr
-  #   rc4-md5 chacha20-ietf xchacha20
-  #   chacha20-ietf-poly1305 xchacha20-ietf-poly1305
-  - name: "ss1"
-    type: ss
-    server: server
-    port: 443
-    cipher: chacha20-ietf-poly1305
-    password: "password"
-    # udp: true
-
-  # old obfs configuration format remove after prerelease
-  - name: "ss2"
-    type: ss
-    server: server
-    port: 443
-    cipher: chacha20-ietf-poly1305
-    password: "password"
-    plugin: obfs
-    plugin-opts:
-      mode: tls # or http
-      # host: bing.com
-
-  - name: "ss3"
-    type: ss
-    server: server
-    port: 443
-    cipher: chacha20-ietf-poly1305
-    password: "password"
-    plugin: v2ray-plugin
-    plugin-opts:
-      mode: websocket # no QUIC now
-      # tls: true # wss
-      # skip-cert-verify: true
-      # host: bing.com
-      # path: "/"
-      # mux: true
-      # headers:
-      #   custom: value
-
-  # vmess
-  # cipher support auto/aes-128-gcm/chacha20-poly1305/none
-  - name: "vmess"
-    type: vmess
-    server: server
-    port: 443
-    uuid: uuid
-    alterId: 32
-    cipher: auto
-    # udp: true
-    # tls: true
-    # skip-cert-verify: true
-    # network: ws
-    # ws-path: /path
-    # ws-headers:
-    #   Host: v2ray.com
-
-  # socks5
-  - name: "socks"
-    type: socks5
-    server: server
-    port: 443
-    # username: username
-    # password: password
-    # tls: true
-    # skip-cert-verify: true
-    # udp: true
-
-  # http
-  - name: "http"
-    type: http
-    server: server
-    port: 443
-    # username: username
-    # password: password
-    # tls: true # https
-    # skip-cert-verify: true
-
-  # snell
-  - name: "snell"
-    type: snell
-    server: server
-    port: 44046
-    psk: yourpsk
-    # obfs-opts:
-      # mode: http # or tls
-      # host: bing.com
-
-Proxy Group:
-  # url-test select which proxy will be used by benchmarking speed to a URL.
-  - name: "auto"
-    type: url-test
-    proxies:
-      - ss1
-      - ss2
-      - vmess1
-    url: 'http://www.gstatic.com/generate_204'
-    interval: 300
-
-  # fallback select an available policy by priority. The availability is tested by accessing an URL, just like an auto url-test group.
-  - name: "fallback-auto"
-    type: fallback
-    proxies:
-      - ss1
-      - ss2
-      - vmess1
-    url: 'http://www.gstatic.com/generate_204'
-    interval: 300
-
-  # load-balance: The request of the same eTLD will be dial on the same proxy.
-  - name: "load-balance"
-    type: load-balance
-    proxies:
-      - ss1
-      - ss2
-      - vmess1
-    url: 'http://www.gstatic.com/generate_204'
-    interval: 300
-
-  # select is used for selecting proxy or proxy group
-  # you can use RESTful API to switch proxy, is recommended for use in GUI.
-  - name: Proxy
-    type: select
-    proxies:
-      - ss1
-      - ss2
-      - vmess1
-      - auto
-
-Rule:
-  - DOMAIN-SUFFIX,google.com,auto
-  - DOMAIN-KEYWORD,google,auto
-  - DOMAIN,google.com,auto
-  - DOMAIN-SUFFIX,ad.com,REJECT
-  # rename SOURCE-IP-CIDR and would remove after prerelease
-  - SRC-IP-CIDR,192.168.1.201/32,DIRECT
-  # optional param "no-resolve" for IP rules (GEOIP IP-CIDR)
-  - IP-CIDR,127.0.0.0/8,DIRECT
-  - GEOIP,CN,DIRECT
-  - DST-PORT,80,DIRECT
-  - SRC-PORT,7777,DIRECT
-  # FINAL would remove after prerelease
-  # you also can use `FINAL,Proxy` or `FINAL,,Proxy` now
-  - MATCH,auto
-```
-</details>
-
-## Advanced
-[Provider](https://github.com/Dreamacro/clash/wiki/Provider)
-
-## Documentations
-https://clash.gitbook.io/
-
-## Thanks
-
-[riobard/go-shadowsocks2](https://github.com/riobard/go-shadowsocks2)
-
-[v2ray/v2ray-core](https://github.com/v2ray/v2ray-core)
+* [riobard/go-shadowsocks2](https://github.com/riobard/go-shadowsocks2)
+* [v2ray/v2ray-core](https://github.com/v2ray/v2ray-core)
 
 ## License
 
+This software is released under the GPL-3.0 license.
+
 [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2FDreamacro%2Fclash.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2FDreamacro%2Fclash?ref=badge_large)
 
 ## TODO
@@ -324,4 +57,4 @@ https://clash.gitbook.io/
 - [x] Redir proxy
 - [x] UDP support
 - [x] Connection manager
-- [ ] Event API
+- [ ] ~~Event API~~

adapters/inbound/socket.go

@@ -19,9 +19,9 @@ func (s *SocketAdapter) Metadata() *C.Metadata {
 }
 
 // NewSocket is SocketAdapter generator
-func NewSocket(target socks5.Addr, conn net.Conn, source C.Type, netType C.NetWork) *SocketAdapter {
+func NewSocket(target socks5.Addr, conn net.Conn, source C.Type) *SocketAdapter {
 	metadata := parseSocksAddr(target)
-	metadata.NetWork = netType
+	metadata.NetWork = C.TCP
 	metadata.Type = source
 	if ip, port, err := parseAddr(conn.RemoteAddr().String()); err == nil {
 		metadata.SrcIP = ip

adapters/inbound/util.go

@@ -4,6 +4,7 @@ import (
 	"net"
 	"net/http"
 	"strconv"
+	"strings"
 
 	"github.com/Dreamacro/clash/component/socks5"
 	C "github.com/Dreamacro/clash/constant"
@@ -16,7 +17,8 @@ func parseSocksAddr(target socks5.Addr) *C.Metadata {
 
 	switch target[0] {
 	case socks5.AtypDomainName:
-		metadata.Host = string(target[2 : 2+target[1]])
+		// trim for FQDN
+		metadata.Host = strings.TrimRight(string(target[2:2+target[1]]), ".")
 		metadata.DstPort = strconv.Itoa((int(target[2+target[1]]) << 8) | int(target[2+target[1]+1]))
 	case socks5.AtypIPv4:
 		ip := net.IP(target[1 : 1+net.IPv4len])
@@ -38,6 +40,9 @@ func parseHTTPAddr(request *http.Request) *C.Metadata {
 		port = "80"
 	}
 
+	// trim FQDN (#737)
+	host = strings.TrimRight(host, ".")
+
 	metadata := &C.Metadata{
 		NetWork:  C.TCP,
 		AddrType: C.AtypDomainName,

adapters/outbound/base.go

@@ -10,14 +10,13 @@ import (
 
 	"github.com/Dreamacro/clash/common/queue"
 	C "github.com/Dreamacro/clash/constant"
-)
 
-var (
-	defaultURLTestTimeout = time.Second * 5
+	"go.uber.org/atomic"
 )
 
 type Base struct {
 	name string
+	addr string
 	tp   C.AdapterType
 	udp  bool
 }
@@ -30,6 +29,10 @@ func (b *Base) Type() C.AdapterType {
 	return b.tp
 }
 
+func (b *Base) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+	return c, errors.New("no support")
+}
+
 func (b *Base) DialUDP(metadata *C.Metadata) (C.PacketConn, error) {
 	return nil, errors.New("no support")
 }
@@ -44,8 +47,16 @@ func (b *Base) MarshalJSON() ([]byte, error) {
 	})
 }
 
-func NewBase(name string, tp C.AdapterType, udp bool) *Base {
-	return &Base{name, tp, udp}
+func (b *Base) Addr() string {
+	return b.addr
+}
+
+func (b *Base) Unwrap(metadata *C.Metadata) C.Proxy {
+	return nil
+}
+
+func NewBase(name string, addr string, tp C.AdapterType, udp bool) *Base {
+	return &Base{name, addr, tp, udp}
 }
 
 type conn struct {
@@ -61,17 +72,12 @@ func (c *conn) AppendToChains(a C.ProxyAdapter) {
 	c.chain = append(c.chain, a.Name())
 }
 
-func newConn(c net.Conn, a C.ProxyAdapter) C.Conn {
+func NewConn(c net.Conn, a C.ProxyAdapter) C.Conn {
 	return &conn{c, []string{a.Name()}}
 }
 
-type PacketConn interface {
-	net.PacketConn
-	WriteWithMetadata(p []byte, metadata *C.Metadata) (n int, err error)
-}
-
 type packetConn struct {
-	PacketConn
+	net.PacketConn
 	chain C.Chain
 }
 
@@ -83,18 +89,18 @@ func (c *packetConn) AppendToChains(a C.ProxyAdapter) {
 	c.chain = append(c.chain, a.Name())
 }
 
-func newPacketConn(pc PacketConn, a C.ProxyAdapter) C.PacketConn {
+func newPacketConn(pc net.PacketConn, a C.ProxyAdapter) C.PacketConn {
 	return &packetConn{pc, []string{a.Name()}}
 }
 
 type Proxy struct {
 	C.ProxyAdapter
 	history *queue.Queue
-	alive   bool
+	alive   *atomic.Bool
 }
 
 func (p *Proxy) Alive() bool {
-	return p.alive
+	return p.alive.Load()
 }
 
 func (p *Proxy) Dial(metadata *C.Metadata) (C.Conn, error) {
@@ -106,7 +112,7 @@ func (p *Proxy) Dial(metadata *C.Metadata) (C.Conn, error) {
 func (p *Proxy) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
 	conn, err := p.ProxyAdapter.DialContext(ctx, metadata)
 	if err != nil {
-		p.alive = false
+		p.alive.Store(false)
 	}
 	return conn, err
 }
@@ -123,7 +129,7 @@ func (p *Proxy) DelayHistory() []C.DelayHistory {
 // LastDelay return last history record. if proxy is not alive, return the max value of uint16.
 func (p *Proxy) LastDelay() (delay uint16) {
 	var max uint16 = 0xffff
-	if !p.alive {
+	if !p.alive.Load() {
 		return max
 	}
 
@@ -154,7 +160,7 @@ func (p *Proxy) MarshalJSON() ([]byte, error) {
 // URLTest get the delay for the specified URL
 func (p *Proxy) URLTest(ctx context.Context, url string) (t uint16, err error) {
 	defer func() {
-		p.alive = err == nil
+		p.alive.Store(err == nil)
 		record := C.DelayHistory{Time: time.Now()}
 		if err == nil {
 			record.Delay = t
@@ -194,7 +200,12 @@ func (p *Proxy) URLTest(ctx context.Context, url string) (t uint16, err error) {
 		ExpectContinueTimeout: 1 * time.Second,
 	}
 
-	client := http.Client{Transport: transport}
+	client := http.Client{
+		Transport: transport,
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			return http.ErrUseLastResponse
+		},
+	}
 	resp, err := client.Do(req)
 	if err != nil {
 		return
@@ -205,5 +216,5 @@ func (p *Proxy) URLTest(ctx context.Context, url string) (t uint16, err error) {
 }
 
 func NewProxy(adapter C.ProxyAdapter) *Proxy {
-	return &Proxy{adapter, queue.New(10), true}
+	return &Proxy{adapter, queue.New(10), atomic.NewBool(true)}
 }

adapters/outbound/direct.go

@@ -5,7 +5,6 @@ import (
 	"net"
 
 	"github.com/Dreamacro/clash/component/dialer"
-	"github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
 )
 
@@ -14,17 +13,14 @@ type Direct struct {
 }
 
 func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
-	address := net.JoinHostPort(metadata.Host, metadata.DstPort)
-	if metadata.DstIP != nil {
-		address = net.JoinHostPort(metadata.DstIP.String(), metadata.DstPort)
-	}
+	address := net.JoinHostPort(metadata.String(), metadata.DstPort)
 
 	c, err := dialer.DialContext(ctx, "tcp", address)
 	if err != nil {
 		return nil, err
 	}
 	tcpKeepAlive(c)
-	return newConn(c, d), nil
+	return NewConn(c, d), nil
 }
 
 func (d *Direct) DialUDP(metadata *C.Metadata) (C.PacketConn, error) {
@@ -39,17 +35,6 @@ type directPacketConn struct {
 	net.PacketConn
 }
 
-func (dp *directPacketConn) WriteWithMetadata(p []byte, metadata *C.Metadata) (n int, err error) {
-	if !metadata.Resolved() {
-		ip, err := resolver.ResolveIP(metadata.Host)
-		if err != nil {
-			return 0, err
-		}
-		metadata.DstIP = ip
-	}
-	return dp.WriteTo(p, metadata.UDPAddr())
-}
-
 func NewDirect() *Direct {
 	return &Direct{
 		Base: &Base{

adapters/outbound/http.go

@@ -19,7 +19,6 @@ import (
 
 type Http struct {
 	*Base
-	addr      string
 	user      string
 	pass      string
 	tlsConfig *tls.Config
@@ -32,26 +31,39 @@ type HttpOption struct {
 	UserName       string `proxy:"username,omitempty"`
 	Password       string `proxy:"password,omitempty"`
 	TLS            bool   `proxy:"tls,omitempty"`
+	SNI            string `proxy:"sni,omitempty"`
 	SkipCertVerify bool   `proxy:"skip-cert-verify,omitempty"`
 }
 
+func (h *Http) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+	if h.tlsConfig != nil {
+		cc := tls.Client(c, h.tlsConfig)
+		err := cc.Handshake()
+		c = cc
+		if err != nil {
+			return nil, fmt.Errorf("%s connect error: %w", h.addr, err)
+		}
+	}
+
+	if err := h.shakeHand(metadata, c); err != nil {
+		return nil, err
+	}
+	return c, nil
+}
+
 func (h *Http) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
 	c, err := dialer.DialContext(ctx, "tcp", h.addr)
-	if err == nil && h.tlsConfig != nil {
-		cc := tls.Client(c, h.tlsConfig)
-		err = cc.Handshake()
-		c = cc
-	}
-
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", h.addr, err)
 	}
 	tcpKeepAlive(c)
-	if err := h.shakeHand(metadata, c); err != nil {
+
+	c, err = h.StreamConn(c, metadata)
+	if err != nil {
 		return nil, err
 	}
 
-	return newConn(c, h), nil
+	return NewConn(c, h), nil
 }
 
 func (h *Http) shakeHand(metadata *C.Metadata, rw io.ReadWriter) error {
@@ -103,19 +115,23 @@ func (h *Http) shakeHand(metadata *C.Metadata, rw io.ReadWriter) error {
 func NewHttp(option HttpOption) *Http {
 	var tlsConfig *tls.Config
 	if option.TLS {
+		sni := option.Server
+		if option.SNI != "" {
+			sni = option.SNI
+		}
 		tlsConfig = &tls.Config{
 			InsecureSkipVerify: option.SkipCertVerify,
 			ClientSessionCache: getClientSessionCache(),
-			ServerName:         option.Server,
+			ServerName:         sni,
 		}
 	}
 
 	return &Http{
 		Base: &Base{
 			name: option.Name,
+			addr: net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
 			tp:   C.Http,
 		},
-		addr:      net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
 		user:      option.UserName,
 		pass:      option.Password,
 		tlsConfig: tlsConfig,

adapters/outbound/parser.go

@@ -11,11 +11,13 @@ func ParseProxy(mapping map[string]interface{}) (C.Proxy, error) {
 	decoder := structure.NewDecoder(structure.Option{TagName: "proxy", WeaklyTypedInput: true})
 	proxyType, existType := mapping["type"].(string)
 	if !existType {
-		return nil, fmt.Errorf("Missing type")
+		return nil, fmt.Errorf("missing type")
 	}
 
-	var proxy C.ProxyAdapter
-	err := fmt.Errorf("Cannot parse")
+	var (
+		proxy C.ProxyAdapter
+		err   error
+	)
 	switch proxyType {
 	case "ss":
 		ssOption := &ShadowSocksOption{}
@@ -24,6 +26,13 @@ func ParseProxy(mapping map[string]interface{}) (C.Proxy, error) {
 			break
 		}
 		proxy, err = NewShadowSocks(*ssOption)
+	case "ssr":
+		ssrOption := &ShadowSocksROption{}
+		err = decoder.Decode(mapping, ssrOption)
+		if err != nil {
+			break
+		}
+		proxy, err = NewShadowSocksR(*ssrOption)
 	case "socks5":
 		socksOption := &Socks5Option{}
 		err = decoder.Decode(mapping, socksOption)
@@ -39,7 +48,12 @@ func ParseProxy(mapping map[string]interface{}) (C.Proxy, error) {
 		}
 		proxy = NewHttp(*httpOption)
 	case "vmess":
-		vmessOption := &VmessOption{}
+		vmessOption := &VmessOption{
+			HTTPOpts: HTTPOptions{
+				Method: "GET",
+				Path:   []string{"/"},
+			},
+		}
 		err = decoder.Decode(mapping, vmessOption)
 		if err != nil {
 			break
@@ -52,8 +66,15 @@ func ParseProxy(mapping map[string]interface{}) (C.Proxy, error) {
 			break
 		}
 		proxy, err = NewSnell(*snellOption)
+	case "trojan":
+		trojanOption := &TrojanOption{}
+		err = decoder.Decode(mapping, trojanOption)
+		if err != nil {
+			break
+		}
+		proxy, err = NewTrojan(*trojanOption)
 	default:
-		return nil, fmt.Errorf("Unsupport proxy type: %s", proxyType)
+		return nil, fmt.Errorf("unsupport proxy type: %s", proxyType)
 	}
 
 	if err != nil {

adapters/outbound/reject.go

@@ -15,7 +15,7 @@ type Reject struct {
 }
 
 func (r *Reject) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
-	return newConn(&NopConn{}, r), nil
+	return NewConn(&NopConn{}, r), nil
 }
 
 func (r *Reject) DialUDP(metadata *C.Metadata) (C.PacketConn, error) {

adapters/outbound/shadowsocks.go

@@ -2,8 +2,8 @@ package outbound
 
 import (
 	"context"
-	"crypto/tls"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"net"
 	"strconv"
@@ -20,7 +20,6 @@ import (
 
 type ShadowSocks struct {
 	*Base
-	server string
 	cipher core.Cipher
 
 	// obfs
@@ -38,14 +37,10 @@ type ShadowSocksOption struct {
 	UDP        bool                   `proxy:"udp,omitempty"`
 	Plugin     string                 `proxy:"plugin,omitempty"`
 	PluginOpts map[string]interface{} `proxy:"plugin-opts,omitempty"`
-
-	// deprecated when bump to 1.0
-	Obfs     string `proxy:"obfs,omitempty"`
-	ObfsHost string `proxy:"obfs-host,omitempty"`
 }
 
 type simpleObfsOption struct {
-	Mode string `obfs:"mode"`
+	Mode string `obfs:"mode,omitempty"`
 	Host string `obfs:"host,omitempty"`
 }
 
@@ -59,28 +54,34 @@ type v2rayObfsOption struct {
 	Mux            bool              `obfs:"mux,omitempty"`
 }
 
-func (ss *ShadowSocks) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
-	c, err := dialer.DialContext(ctx, "tcp", ss.server)
-	if err != nil {
-		return nil, fmt.Errorf("%s connect error: %w", ss.server, err)
-	}
-	tcpKeepAlive(c)
+func (ss *ShadowSocks) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	switch ss.obfsMode {
 	case "tls":
 		c = obfs.NewTLSObfs(c, ss.obfsOption.Host)
 	case "http":
-		_, port, _ := net.SplitHostPort(ss.server)
+		_, port, _ := net.SplitHostPort(ss.addr)
 		c = obfs.NewHTTPObfs(c, ss.obfsOption.Host, port)
 	case "websocket":
 		var err error
 		c, err = v2rayObfs.NewV2rayObfs(c, ss.v2rayOption)
 		if err != nil {
-			return nil, fmt.Errorf("%s connect error: %w", ss.server, err)
+			return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
 		}
 	}
 	c = ss.cipher.StreamConn(c)
-	_, err = c.Write(serializesSocksAddr(metadata))
-	return newConn(c, ss), err
+	_, err := c.Write(serializesSocksAddr(metadata))
+	return c, err
+}
+
+func (ss *ShadowSocks) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
+	c, err := dialer.DialContext(ctx, "tcp", ss.addr)
+	if err != nil {
+		return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
+	}
+	tcpKeepAlive(c)
+
+	c, err = ss.StreamConn(c, metadata)
+	return NewConn(c, ss), err
 }
 
 func (ss *ShadowSocks) DialUDP(metadata *C.Metadata) (C.PacketConn, error) {
@@ -89,7 +90,7 @@ func (ss *ShadowSocks) DialUDP(metadata *C.Metadata) (C.PacketConn, error) {
 		return nil, err
 	}
 
-	addr, err := resolveUDPAddr("udp", ss.server)
+	addr, err := resolveUDPAddr("udp", ss.addr)
 	if err != nil {
 		return nil, err
 	}
@@ -105,76 +106,61 @@ func (ss *ShadowSocks) MarshalJSON() ([]byte, error) {
 }
 
 func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
-	server := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
+	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
 	cipher := option.Cipher
 	password := option.Password
 	ciph, err := core.PickCipher(cipher, nil, password)
 	if err != nil {
-		return nil, fmt.Errorf("ss %s initialize error: %w", server, err)
+		return nil, fmt.Errorf("ss %s initialize error: %w", addr, err)
 	}
 
 	var v2rayOption *v2rayObfs.Option
 	var obfsOption *simpleObfsOption
 	obfsMode := ""
 
-	// forward compatibility before 1.0
-	if option.Obfs != "" {
-		obfsMode = option.Obfs
-		obfsOption = &simpleObfsOption{
-			Host: "bing.com",
-		}
-		if option.ObfsHost != "" {
-			obfsOption.Host = option.ObfsHost
-		}
-	}
-
 	decoder := structure.NewDecoder(structure.Option{TagName: "obfs", WeaklyTypedInput: true})
 	if option.Plugin == "obfs" {
 		opts := simpleObfsOption{Host: "bing.com"}
 		if err := decoder.Decode(option.PluginOpts, &opts); err != nil {
-			return nil, fmt.Errorf("ss %s initialize obfs error: %w", server, err)
+			return nil, fmt.Errorf("ss %s initialize obfs error: %w", addr, err)
 		}
 
 		if opts.Mode != "tls" && opts.Mode != "http" {
-			return nil, fmt.Errorf("ss %s obfs mode error: %s", server, opts.Mode)
+			return nil, fmt.Errorf("ss %s obfs mode error: %s", addr, opts.Mode)
 		}
 		obfsMode = opts.Mode
 		obfsOption = &opts
 	} else if option.Plugin == "v2ray-plugin" {
 		opts := v2rayObfsOption{Host: "bing.com", Mux: true}
 		if err := decoder.Decode(option.PluginOpts, &opts); err != nil {
-			return nil, fmt.Errorf("ss %s initialize v2ray-plugin error: %w", server, err)
+			return nil, fmt.Errorf("ss %s initialize v2ray-plugin error: %w", addr, err)
 		}
 
 		if opts.Mode != "websocket" {
-			return nil, fmt.Errorf("ss %s obfs mode error: %s", server, opts.Mode)
+			return nil, fmt.Errorf("ss %s obfs mode error: %s", addr, opts.Mode)
 		}
 		obfsMode = opts.Mode
-
-		var tlsConfig *tls.Config
-		if opts.TLS {
-			tlsConfig = &tls.Config{
-				ServerName:         opts.Host,
-				InsecureSkipVerify: opts.SkipCertVerify,
-				ClientSessionCache: getClientSessionCache(),
-			}
-		}
 		v2rayOption = &v2rayObfs.Option{
-			Host:      opts.Host,
-			Path:      opts.Path,
-			Headers:   opts.Headers,
-			TLSConfig: tlsConfig,
-			Mux:       opts.Mux,
+			Host:    opts.Host,
+			Path:    opts.Path,
+			Headers: opts.Headers,
+			Mux:     opts.Mux,
+		}
+
+		if opts.TLS {
+			v2rayOption.TLS = true
+			v2rayOption.SkipCertVerify = opts.SkipCertVerify
+			v2rayOption.SessionCache = getClientSessionCache()
 		}
 	}
 
 	return &ShadowSocks{
 		Base: &Base{
 			name: option.Name,
+			addr: addr,
 			tp:   C.Shadowsocks,
 			udp:  option.UDP,
 		},
-		server: server,
 		cipher: ciph,
 
 		obfsMode:    obfsMode,
@@ -196,20 +182,22 @@ func (spc *ssPacketConn) WriteTo(b []byte, addr net.Addr) (n int, err error) {
 	return spc.PacketConn.WriteTo(packet[3:], spc.rAddr)
 }
 
-func (spc *ssPacketConn) WriteWithMetadata(p []byte, metadata *C.Metadata) (n int, err error) {
-	packet, err := socks5.EncodeUDPPacket(socks5.ParseAddr(metadata.RemoteAddress()), p)
-	if err != nil {
-		return
-	}
-	return spc.PacketConn.WriteTo(packet[3:], spc.rAddr)
-}
-
 func (spc *ssPacketConn) ReadFrom(b []byte) (int, net.Addr, error) {
 	n, _, e := spc.PacketConn.ReadFrom(b)
 	if e != nil {
 		return 0, nil, e
 	}
+
 	addr := socks5.SplitAddr(b[:n])
+	if addr == nil {
+		return 0, nil, errors.New("parse addr error")
+	}
+
+	udpAddr := addr.UDPAddr()
+	if udpAddr == nil {
+		return 0, nil, errors.New("parse addr error")
+	}
+
 	copy(b, b[len(addr):])
-	return n - len(addr), addr.UDPAddr(), e
+	return n - len(addr), udpAddr, e
 }

adapters/outbound/shadowsocksr.go

@@ -0,0 +1,134 @@
+package outbound
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net"
+	"strconv"
+
+	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/ssr/obfs"
+	"github.com/Dreamacro/clash/component/ssr/protocol"
+	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/go-shadowsocks2/core"
+	"github.com/Dreamacro/go-shadowsocks2/shadowstream"
+)
+
+type ShadowSocksR struct {
+	*Base
+	cipher   *core.StreamCipher
+	obfs     obfs.Obfs
+	protocol protocol.Protocol
+}
+
+type ShadowSocksROption struct {
+	Name          string `proxy:"name"`
+	Server        string `proxy:"server"`
+	Port          int    `proxy:"port"`
+	Password      string `proxy:"password"`
+	Cipher        string `proxy:"cipher"`
+	Obfs          string `proxy:"obfs"`
+	ObfsParam     string `proxy:"obfs-param,omitempty"`
+	Protocol      string `proxy:"protocol"`
+	ProtocolParam string `proxy:"protocol-param,omitempty"`
+	UDP           bool   `proxy:"udp,omitempty"`
+}
+
+func (ssr *ShadowSocksR) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+	c = obfs.NewConn(c, ssr.obfs)
+	c = ssr.cipher.StreamConn(c)
+	conn, ok := c.(*shadowstream.Conn)
+	if !ok {
+		return nil, fmt.Errorf("invalid connection type")
+	}
+	iv, err := conn.ObtainWriteIV()
+	if err != nil {
+		return nil, err
+	}
+	c = protocol.NewConn(c, ssr.protocol, iv)
+	_, err = c.Write(serializesSocksAddr(metadata))
+	return c, err
+}
+
+func (ssr *ShadowSocksR) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
+	c, err := dialer.DialContext(ctx, "tcp", ssr.addr)
+	if err != nil {
+		return nil, fmt.Errorf("%s connect error: %w", ssr.addr, err)
+	}
+	tcpKeepAlive(c)
+
+	c, err = ssr.StreamConn(c, metadata)
+	return NewConn(c, ssr), err
+}
+
+func (ssr *ShadowSocksR) DialUDP(metadata *C.Metadata) (C.PacketConn, error) {
+	pc, err := dialer.ListenPacket("udp", "")
+	if err != nil {
+		return nil, err
+	}
+
+	addr, err := resolveUDPAddr("udp", ssr.addr)
+	if err != nil {
+		return nil, err
+	}
+
+	pc = ssr.cipher.PacketConn(pc)
+	pc = protocol.NewPacketConn(pc, ssr.protocol)
+	return newPacketConn(&ssPacketConn{PacketConn: pc, rAddr: addr}, ssr), nil
+}
+
+func (ssr *ShadowSocksR) MarshalJSON() ([]byte, error) {
+	return json.Marshal(map[string]string{
+		"type": ssr.Type().String(),
+	})
+}
+
+func NewShadowSocksR(option ShadowSocksROption) (*ShadowSocksR, error) {
+	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
+	cipher := option.Cipher
+	password := option.Password
+	coreCiph, err := core.PickCipher(cipher, nil, password)
+	if err != nil {
+		return nil, fmt.Errorf("ssr %s initialize cipher error: %w", addr, err)
+	}
+	ciph, ok := coreCiph.(*core.StreamCipher)
+	if !ok {
+		return nil, fmt.Errorf("%s is not a supported stream cipher in ssr", cipher)
+	}
+
+	obfs, err := obfs.PickObfs(option.Obfs, &obfs.Base{
+		IVSize:  ciph.IVSize(),
+		Key:     ciph.Key,
+		HeadLen: 30,
+		Host:    option.Server,
+		Port:    option.Port,
+		Param:   option.ObfsParam,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("ssr %s initialize obfs error: %w", addr, err)
+	}
+
+	protocol, err := protocol.PickProtocol(option.Protocol, &protocol.Base{
+		IV:     nil,
+		Key:    ciph.Key,
+		TCPMss: 1460,
+		Param:  option.ProtocolParam,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("ssr %s initialize protocol error: %w", addr, err)
+	}
+	protocol.SetOverhead(obfs.GetObfsOverhead() + protocol.GetProtocolOverhead())
+
+	return &ShadowSocksR{
+		Base: &Base{
+			name: option.Name,
+			addr: addr,
+			tp:   C.ShadowsocksR,
+			udp:  option.UDP,
+		},
+		cipher:   ciph,
+		obfs:     obfs,
+		protocol: protocol,
+	}, nil
+}

adapters/outbound/snell.go

@@ -15,9 +15,10 @@ import (
 
 type Snell struct {
 	*Base
-	server     string
 	psk        []byte
+	pool       *snell.Pool
 	obfsOption *simpleObfsOption
+	version    int
 }
 
 type SnellOption struct {
@@ -25,49 +26,103 @@ type SnellOption struct {
 	Server   string                 `proxy:"server"`
 	Port     int                    `proxy:"port"`
 	Psk      string                 `proxy:"psk"`
+	Version  int                    `proxy:"version,omitempty"`
 	ObfsOpts map[string]interface{} `proxy:"obfs-opts,omitempty"`
 }
 
+type streamOption struct {
+	psk        []byte
+	version    int
+	addr       string
+	obfsOption *simpleObfsOption
+}
+
+func streamConn(c net.Conn, option streamOption) *snell.Snell {
+	switch option.obfsOption.Mode {
+	case "tls":
+		c = obfs.NewTLSObfs(c, option.obfsOption.Host)
+	case "http":
+		_, port, _ := net.SplitHostPort(option.addr)
+		c = obfs.NewHTTPObfs(c, option.obfsOption.Host, port)
+	}
+	return snell.StreamConn(c, option.psk, option.version)
+}
+
+func (s *Snell) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+	c = streamConn(c, streamOption{s.psk, s.version, s.addr, s.obfsOption})
+	port, _ := strconv.Atoi(metadata.DstPort)
+	err := snell.WriteHeader(c, metadata.String(), uint(port), s.version)
+	return c, err
+}
+
 func (s *Snell) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
-	c, err := dialer.DialContext(ctx, "tcp", s.server)
+	if s.version == snell.Version2 {
+		c, err := s.pool.Get()
+		if err != nil {
+			return nil, err
+		}
+
+		port, _ := strconv.Atoi(metadata.DstPort)
+		err = snell.WriteHeader(c, metadata.String(), uint(port), s.version)
+		return NewConn(c, s), err
+	}
+
+	c, err := dialer.DialContext(ctx, "tcp", s.addr)
 	if err != nil {
-		return nil, fmt.Errorf("%s connect error: %w", s.server, err)
+		return nil, fmt.Errorf("%s connect error: %w", s.addr, err)
 	}
 	tcpKeepAlive(c)
-	switch s.obfsOption.Mode {
-	case "tls":
-		c = obfs.NewTLSObfs(c, s.obfsOption.Host)
-	case "http":
-		_, port, _ := net.SplitHostPort(s.server)
-		c = obfs.NewHTTPObfs(c, s.obfsOption.Host, port)
-	}
-	c = snell.StreamConn(c, s.psk)
-	port, _ := strconv.Atoi(metadata.DstPort)
-	err = snell.WriteHeader(c, metadata.String(), uint(port))
-	return newConn(c, s), err
+
+	c, err = s.StreamConn(c, metadata)
+	return NewConn(c, s), err
 }
 
 func NewSnell(option SnellOption) (*Snell, error) {
-	server := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
+	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
 	psk := []byte(option.Psk)
 
 	decoder := structure.NewDecoder(structure.Option{TagName: "obfs", WeaklyTypedInput: true})
 	obfsOption := &simpleObfsOption{Host: "bing.com"}
 	if err := decoder.Decode(option.ObfsOpts, obfsOption); err != nil {
-		return nil, fmt.Errorf("snell %s initialize obfs error: %w", server, err)
+		return nil, fmt.Errorf("snell %s initialize obfs error: %w", addr, err)
 	}
 
-	if obfsOption.Mode != "tls" && obfsOption.Mode != "http" {
-		return nil, fmt.Errorf("snell %s obfs mode error: %s", server, obfsOption.Mode)
+	switch obfsOption.Mode {
+	case "tls", "http", "":
+		break
+	default:
+		return nil, fmt.Errorf("snell %s obfs mode error: %s", addr, obfsOption.Mode)
 	}
 
-	return &Snell{
+	// backward compatible
+	if option.Version == 0 {
+		option.Version = snell.DefaultSnellVersion
+	}
+	if option.Version != snell.Version1 && option.Version != snell.Version2 {
+		return nil, fmt.Errorf("snell version error: %d", option.Version)
+	}
+
+	s := &Snell{
 		Base: &Base{
 			name: option.Name,
+			addr: addr,
 			tp:   C.Snell,
 		},
-		server:     server,
 		psk:        psk,
 		obfsOption: obfsOption,
-	}, nil
+		version:    option.Version,
+	}
+
+	if option.Version == snell.Version2 {
+		s.pool = snell.NewPool(func(ctx context.Context) (*snell.Snell, error) {
+			c, err := dialer.DialContext(ctx, "tcp", addr)
+			if err != nil {
+				return nil, err
+			}
+
+			tcpKeepAlive(c)
+			return streamConn(c, streamOption{psk, option.Version, addr, obfsOption}), nil
+		})
+	}
+	return s, nil
 }

adapters/outbound/socks5.go

@@ -3,6 +3,7 @@ package outbound
 import (
 	"context"
 	"crypto/tls"
+	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -16,7 +17,6 @@ import (
 
 type Socks5 struct {
 	*Base
-	addr           string
 	user           string
 	pass           string
 	tls            bool
@@ -35,19 +35,16 @@ type Socks5Option struct {
 	SkipCertVerify bool   `proxy:"skip-cert-verify,omitempty"`
 }
 
-func (ss *Socks5) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
-	c, err := dialer.DialContext(ctx, "tcp", ss.addr)
-
-	if err == nil && ss.tls {
+func (ss *Socks5) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+	if ss.tls {
 		cc := tls.Client(c, ss.tlsConfig)
-		err = cc.Handshake()
+		err := cc.Handshake()
 		c = cc
+		if err != nil {
+			return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
+		}
 	}
 
-	if err != nil {
-		return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
-	}
-	tcpKeepAlive(c)
 	var user *socks5.User
 	if ss.user != "" {
 		user = &socks5.User{
@@ -58,7 +55,22 @@ func (ss *Socks5) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn
 	if _, err := socks5.ClientHandshake(c, serializesSocksAddr(metadata), socks5.CmdConnect, user); err != nil {
 		return nil, err
 	}
-	return newConn(c, ss), nil
+	return c, nil
+}
+
+func (ss *Socks5) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
+	c, err := dialer.DialContext(ctx, "tcp", ss.addr)
+	if err != nil {
+		return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
+	}
+	tcpKeepAlive(c)
+
+	c, err = ss.StreamConn(c, metadata)
+	if err != nil {
+		return nil, err
+	}
+
+	return NewConn(c, ss), nil
 }
 
 func (ss *Socks5) DialUDP(metadata *C.Metadata) (_ C.PacketConn, err error) {
@@ -126,10 +138,10 @@ func NewSocks5(option Socks5Option) *Socks5 {
 	return &Socks5{
 		Base: &Base{
 			name: option.Name,
+			addr: net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
 			tp:   C.Socks5,
 			udp:  option.UDP,
 		},
-		addr:           net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
 		user:           option.UserName,
 		pass:           option.Password,
 		tls:            option.TLS,
@@ -152,16 +164,8 @@ func (uc *socksPacketConn) WriteTo(b []byte, addr net.Addr) (n int, err error) {
 	return uc.PacketConn.WriteTo(packet, uc.rAddr)
 }
 
-func (uc *socksPacketConn) WriteWithMetadata(p []byte, metadata *C.Metadata) (n int, err error) {
-	packet, err := socks5.EncodeUDPPacket(socks5.ParseAddr(metadata.RemoteAddress()), p)
-	if err != nil {
-		return
-	}
-	return uc.PacketConn.WriteTo(packet, uc.rAddr)
-}
-
 func (uc *socksPacketConn) ReadFrom(b []byte) (int, net.Addr, error) {
-	n, a, e := uc.PacketConn.ReadFrom(b)
+	n, _, e := uc.PacketConn.ReadFrom(b)
 	if e != nil {
 		return 0, nil, e
 	}
@@ -169,10 +173,15 @@ func (uc *socksPacketConn) ReadFrom(b []byte) (int, net.Addr, error) {
 	if err != nil {
 		return 0, nil, err
 	}
+
+	udpAddr := addr.UDPAddr()
+	if udpAddr == nil {
+		return 0, nil, errors.New("parse udp addr error")
+	}
+
 	// due to DecodeUDPPacket is mutable, record addr length
-	addrLength := len(addr)
 	copy(b, payload)
-	return n - addrLength - 3, a, nil
+	return n - len(addr) - 3, udpAddr, nil
 }
 
 func (uc *socksPacketConn) Close() error {

adapters/outbound/trojan.go

@@ -0,0 +1,107 @@
+package outbound
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net"
+	"strconv"
+
+	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/trojan"
+	C "github.com/Dreamacro/clash/constant"
+)
+
+type Trojan struct {
+	*Base
+	instance *trojan.Trojan
+}
+
+type TrojanOption struct {
+	Name           string   `proxy:"name"`
+	Server         string   `proxy:"server"`
+	Port           int      `proxy:"port"`
+	Password       string   `proxy:"password"`
+	ALPN           []string `proxy:"alpn,omitempty"`
+	SNI            string   `proxy:"sni,omitempty"`
+	SkipCertVerify bool     `proxy:"skip-cert-verify,omitempty"`
+	UDP            bool     `proxy:"udp,omitempty"`
+}
+
+func (t *Trojan) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+	c, err := t.instance.StreamConn(c)
+	if err != nil {
+		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
+	}
+
+	err = t.instance.WriteHeader(c, trojan.CommandTCP, serializesSocksAddr(metadata))
+	return c, err
+}
+
+func (t *Trojan) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
+	c, err := dialer.DialContext(ctx, "tcp", t.addr)
+	if err != nil {
+		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
+	}
+	tcpKeepAlive(c)
+	c, err = t.StreamConn(c, metadata)
+	if err != nil {
+		return nil, err
+	}
+
+	return NewConn(c, t), err
+}
+
+func (t *Trojan) DialUDP(metadata *C.Metadata) (C.PacketConn, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), tcpTimeout)
+	defer cancel()
+	c, err := dialer.DialContext(ctx, "tcp", t.addr)
+	if err != nil {
+		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
+	}
+	tcpKeepAlive(c)
+	c, err = t.instance.StreamConn(c)
+	if err != nil {
+		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
+	}
+
+	err = t.instance.WriteHeader(c, trojan.CommandUDP, serializesSocksAddr(metadata))
+	if err != nil {
+		return nil, err
+	}
+
+	pc := t.instance.PacketConn(c)
+	return newPacketConn(pc, t), err
+}
+
+func (t *Trojan) MarshalJSON() ([]byte, error) {
+	return json.Marshal(map[string]string{
+		"type": t.Type().String(),
+	})
+}
+
+func NewTrojan(option TrojanOption) (*Trojan, error) {
+	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
+
+	tOption := &trojan.Option{
+		Password:           option.Password,
+		ALPN:               option.ALPN,
+		ServerName:         option.Server,
+		SkipCertVerify:     option.SkipCertVerify,
+		ClientSessionCache: getClientSessionCache(),
+	}
+
+	if option.SNI != "" {
+		tOption.ServerName = option.SNI
+	}
+
+	return &Trojan{
+		Base: &Base{
+			name: option.Name,
+			addr: addr,
+			tp:   C.Trojan,
+			udp:  option.UDP,
+		},
+		instance: trojan.New(tOption),
+	}, nil
+}

adapters/outbound/vmess.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"net/http"
 	"strconv"
 	"strings"
 
@@ -16,8 +17,8 @@ import (
 
 type Vmess struct {
 	*Base
-	server string
 	client *vmess.Client
+	option *VmessOption
 }
 
 type VmessOption struct {
@@ -30,19 +31,138 @@ type VmessOption struct {
 	TLS            bool              `proxy:"tls,omitempty"`
 	UDP            bool              `proxy:"udp,omitempty"`
 	Network        string            `proxy:"network,omitempty"`
+	HTTPOpts       HTTPOptions       `proxy:"http-opts,omitempty"`
+	HTTP2Opts      HTTP2Options      `proxy:"h2-opts,omitempty"`
 	WSPath         string            `proxy:"ws-path,omitempty"`
 	WSHeaders      map[string]string `proxy:"ws-headers,omitempty"`
 	SkipCertVerify bool              `proxy:"skip-cert-verify,omitempty"`
+	ServerName     string            `proxy:"servername,omitempty"`
+}
+
+type HTTPOptions struct {
+	Method  string              `proxy:"method,omitempty"`
+	Path    []string            `proxy:"path,omitempty"`
+	Headers map[string][]string `proxy:"headers,omitempty"`
+}
+
+type HTTP2Options struct {
+	Host []string `proxy:"host,omitempty"`
+	Path string   `proxy:"path,omitempty"`
+}
+
+func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+	var err error
+	switch v.option.Network {
+	case "ws":
+		host, port, _ := net.SplitHostPort(v.addr)
+		wsOpts := &vmess.WebsocketConfig{
+			Host: host,
+			Port: port,
+			Path: v.option.WSPath,
+		}
+
+		if len(v.option.WSHeaders) != 0 {
+			header := http.Header{}
+			for key, value := range v.option.WSHeaders {
+				header.Add(key, value)
+			}
+			wsOpts.Headers = header
+		}
+
+		if v.option.TLS {
+			wsOpts.TLS = true
+			wsOpts.SessionCache = getClientSessionCache()
+			wsOpts.SkipCertVerify = v.option.SkipCertVerify
+			wsOpts.ServerName = v.option.ServerName
+		}
+		c, err = vmess.StreamWebsocketConn(c, wsOpts)
+	case "http":
+		// readability first, so just copy default TLS logic
+		if v.option.TLS {
+			host, _, _ := net.SplitHostPort(v.addr)
+			tlsOpts := &vmess.TLSConfig{
+				Host:           host,
+				SkipCertVerify: v.option.SkipCertVerify,
+				SessionCache:   getClientSessionCache(),
+			}
+
+			if v.option.ServerName != "" {
+				tlsOpts.Host = v.option.ServerName
+			}
+
+			c, err = vmess.StreamTLSConn(c, tlsOpts)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		host, _, _ := net.SplitHostPort(v.addr)
+		httpOpts := &vmess.HTTPConfig{
+			Host:    host,
+			Method:  v.option.HTTPOpts.Method,
+			Path:    v.option.HTTPOpts.Path,
+			Headers: v.option.HTTPOpts.Headers,
+		}
+
+		c = vmess.StreamHTTPConn(c, httpOpts)
+	case "h2":
+		host, _, _ := net.SplitHostPort(v.addr)
+		tlsOpts := vmess.TLSConfig{
+			Host:           host,
+			SkipCertVerify: v.option.SkipCertVerify,
+			SessionCache:   getClientSessionCache(),
+			NextProtos:     []string{"h2"},
+		}
+
+		if v.option.ServerName != "" {
+			tlsOpts.Host = v.option.ServerName
+		}
+
+		c, err = vmess.StreamTLSConn(c, &tlsOpts)
+		if err != nil {
+			return nil, err
+		}
+
+		h2Opts := &vmess.H2Config{
+			Hosts: v.option.HTTP2Opts.Host,
+			Path:  v.option.HTTP2Opts.Path,
+		}
+
+		c, err = vmess.StreamH2Conn(c, h2Opts)
+	default:
+		// handle TLS
+		if v.option.TLS {
+			host, _, _ := net.SplitHostPort(v.addr)
+			tlsOpts := &vmess.TLSConfig{
+				Host:           host,
+				SkipCertVerify: v.option.SkipCertVerify,
+				SessionCache:   getClientSessionCache(),
+			}
+
+			if v.option.ServerName != "" {
+				tlsOpts.Host = v.option.ServerName
+			}
+
+			c, err = vmess.StreamTLSConn(c, tlsOpts)
+		}
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	return v.client.StreamConn(c, parseVmessAddr(metadata))
 }
 
 func (v *Vmess) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
-	c, err := dialer.DialContext(ctx, "tcp", v.server)
+	c, err := dialer.DialContext(ctx, "tcp", v.addr)
 	if err != nil {
-		return nil, fmt.Errorf("%s connect error", v.server)
+		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 	}
 	tcpKeepAlive(c)
-	c, err = v.client.New(c, parseVmessAddr(metadata))
-	return newConn(c, v), err
+
+	c, err = v.StreamConn(c, metadata)
+	return NewConn(c, v), err
 }
 
 func (v *Vmess) DialUDP(metadata *C.Metadata) (C.PacketConn, error) {
@@ -57,12 +177,12 @@ func (v *Vmess) DialUDP(metadata *C.Metadata) (C.PacketConn, error) {
 
 	ctx, cancel := context.WithTimeout(context.Background(), tcpTimeout)
 	defer cancel()
-	c, err := dialer.DialContext(ctx, "tcp", v.server)
+	c, err := dialer.DialContext(ctx, "tcp", v.addr)
 	if err != nil {
-		return nil, fmt.Errorf("%s connect error", v.server)
+		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 	}
 	tcpKeepAlive(c)
-	c, err = v.client.New(c, parseVmessAddr(metadata))
+	c, err = v.StreamConn(c, metadata)
 	if err != nil {
 		return nil, fmt.Errorf("new vmess client error: %v", err)
 	}
@@ -72,30 +192,28 @@ func (v *Vmess) DialUDP(metadata *C.Metadata) (C.PacketConn, error) {
 func NewVmess(option VmessOption) (*Vmess, error) {
 	security := strings.ToLower(option.Cipher)
 	client, err := vmess.NewClient(vmess.Config{
-		UUID:             option.UUID,
-		AlterID:          uint16(option.AlterID),
-		Security:         security,
-		TLS:              option.TLS,
-		HostName:         option.Server,
-		Port:             strconv.Itoa(option.Port),
-		NetWork:          option.Network,
-		WebSocketPath:    option.WSPath,
-		WebSocketHeaders: option.WSHeaders,
-		SkipCertVerify:   option.SkipCertVerify,
-		SessionCache:     getClientSessionCache(),
+		UUID:     option.UUID,
+		AlterID:  uint16(option.AlterID),
+		Security: security,
+		HostName: option.Server,
+		Port:     strconv.Itoa(option.Port),
 	})
 	if err != nil {
 		return nil, err
 	}
+	if option.Network == "h2" && !option.TLS {
+		return nil, fmt.Errorf("TLS must be true with h2 network")
+	}
 
 	return &Vmess{
 		Base: &Base{
 			name: option.Name,
+			addr: net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
 			tp:   C.Vmess,
-			udp:  true,
+			udp:  option.UDP,
 		},
-		server: net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
 		client: client,
+		option: &option,
 	}, nil
 }
 
@@ -136,10 +254,6 @@ func (uc *vmessPacketConn) WriteTo(b []byte, addr net.Addr) (int, error) {
 	return uc.Conn.Write(b)
 }
 
-func (uc *vmessPacketConn) WriteWithMetadata(p []byte, metadata *C.Metadata) (n int, err error) {
-	return uc.Conn.Write(p)
-}
-
 func (uc *vmessPacketConn) ReadFrom(b []byte) (int, net.Addr, error) {
 	n, err := uc.Conn.Read(b)
 	return n, uc.rAddr, err

adapters/outboundgroup/common.go

@@ -11,10 +11,14 @@ const (
 	defaultGetProxiesDuration = time.Second * 5
 )
 
-func getProvidersProxies(providers []provider.ProxyProvider) []C.Proxy {
+func getProvidersProxies(providers []provider.ProxyProvider, touch bool) []C.Proxy {
 	proxies := []C.Proxy{}
 	for _, provider := range providers {
-		proxies = append(proxies, provider.Proxies()...)
+		if touch {
+			proxies = append(proxies, provider.ProxiesWithTouch()...)
+		} else {
+			proxies = append(proxies, provider.Proxies()...)
+		}
 	}
 	return proxies
 }

adapters/outboundgroup/fallback.go

@@ -12,17 +12,18 @@ import (
 
 type Fallback struct {
 	*outbound.Base
-	single    *singledo.Single
-	providers []provider.ProxyProvider
+	disableUDP bool
+	single     *singledo.Single
+	providers  []provider.ProxyProvider
 }
 
 func (f *Fallback) Now() string {
-	proxy := f.findAliveProxy()
+	proxy := f.findAliveProxy(false)
 	return proxy.Name()
 }
 
 func (f *Fallback) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
-	proxy := f.findAliveProxy()
+	proxy := f.findAliveProxy(true)
 	c, err := proxy.DialContext(ctx, metadata)
 	if err == nil {
 		c.AppendToChains(f)
@@ -31,7 +32,7 @@ func (f *Fallback) DialContext(ctx context.Context, metadata *C.Metadata) (C.Con
 }
 
 func (f *Fallback) DialUDP(metadata *C.Metadata) (C.PacketConn, error) {
-	proxy := f.findAliveProxy()
+	proxy := f.findAliveProxy(true)
 	pc, err := proxy.DialUDP(metadata)
 	if err == nil {
 		pc.AppendToChains(f)
@@ -40,13 +41,17 @@ func (f *Fallback) DialUDP(metadata *C.Metadata) (C.PacketConn, error) {
 }
 
 func (f *Fallback) SupportUDP() bool {
-	proxy := f.findAliveProxy()
+	if f.disableUDP {
+		return false
+	}
+
+	proxy := f.findAliveProxy(false)
 	return proxy.SupportUDP()
 }
 
 func (f *Fallback) MarshalJSON() ([]byte, error) {
 	var all []string
-	for _, proxy := range f.proxies() {
+	for _, proxy := range f.proxies(false) {
 		all = append(all, proxy.Name())
 	}
 	return json.Marshal(map[string]interface{}{
@@ -56,29 +61,35 @@ func (f *Fallback) MarshalJSON() ([]byte, error) {
 	})
 }
 
-func (f *Fallback) proxies() []C.Proxy {
+func (f *Fallback) Unwrap(metadata *C.Metadata) C.Proxy {
+	proxy := f.findAliveProxy(true)
+	return proxy
+}
+
+func (f *Fallback) proxies(touch bool) []C.Proxy {
 	elm, _, _ := f.single.Do(func() (interface{}, error) {
-		return getProvidersProxies(f.providers), nil
+		return getProvidersProxies(f.providers, touch), nil
 	})
 
 	return elm.([]C.Proxy)
 }
 
-func (f *Fallback) findAliveProxy() C.Proxy {
-	proxies := f.proxies()
+func (f *Fallback) findAliveProxy(touch bool) C.Proxy {
+	proxies := f.proxies(touch)
 	for _, proxy := range proxies {
 		if proxy.Alive() {
 			return proxy
 		}
 	}
 
-	return f.proxies()[0]
+	return proxies[0]
 }
 
-func NewFallback(name string, providers []provider.ProxyProvider) *Fallback {
+func NewFallback(options *GroupCommonOption, providers []provider.ProxyProvider) *Fallback {
 	return &Fallback{
-		Base:      outbound.NewBase(name, C.Fallback, false),
-		single:    singledo.NewSingle(defaultGetProxiesDuration),
-		providers: providers,
+		Base:       outbound.NewBase(options.Name, "", C.Fallback, false),
+		single:     singledo.NewSingle(defaultGetProxiesDuration),
+		providers:  providers,
+		disableUDP: options.DisableUDP,
 	}
 }

adapters/outboundgroup/loadbalance.go

@@ -3,6 +3,8 @@ package outboundgroup
 import (
 	"context"
 	"encoding/json"
+	"errors"
+	"fmt"
 	"net"
 
 	"github.com/Dreamacro/clash/adapters/outbound"
@@ -14,11 +16,25 @@ import (
 	"golang.org/x/net/publicsuffix"
 )
 
+type strategyFn = func(proxies []C.Proxy, metadata *C.Metadata) C.Proxy
+
 type LoadBalance struct {
 	*outbound.Base
-	single    *singledo.Single
-	maxRetry  int
-	providers []provider.ProxyProvider
+	disableUDP bool
+	single     *singledo.Single
+	providers  []provider.ProxyProvider
+	strategyFn strategyFn
+}
+
+var errStrategy = errors.New("unsupported strategy")
+
+func parseStrategy(config map[string]interface{}) string {
+	if elm, ok := config["strategy"]; ok {
+		if strategy, ok := elm.(string); ok {
+			return strategy
+		}
+	}
+	return "consistent-hashing"
 }
 
 func getKey(metadata *C.Metadata) string {
@@ -59,18 +75,9 @@ func (lb *LoadBalance) DialContext(ctx context.Context, metadata *C.Metadata) (c
 		}
 	}()
 
-	key := uint64(murmur3.Sum32([]byte(getKey(metadata))))
-	proxies := lb.proxies()
-	buckets := int32(len(proxies))
-	for i := 0; i < lb.maxRetry; i, key = i+1, key+1 {
-		idx := jumpHash(key, buckets)
-		proxy := proxies[idx]
-		if proxy.Alive() {
-			c, err = proxy.DialContext(ctx, metadata)
-			return
-		}
-	}
-	c, err = proxies[0].DialContext(ctx, metadata)
+	proxy := lb.Unwrap(metadata)
+
+	c, err = proxy.DialContext(ctx, metadata)
 	return
 }
 
@@ -81,27 +88,56 @@ func (lb *LoadBalance) DialUDP(metadata *C.Metadata) (pc C.PacketConn, err error
 		}
 	}()
 
-	key := uint64(murmur3.Sum32([]byte(getKey(metadata))))
-	proxies := lb.proxies()
-	buckets := int32(len(proxies))
-	for i := 0; i < lb.maxRetry; i, key = i+1, key+1 {
-		idx := jumpHash(key, buckets)
-		proxy := proxies[idx]
-		if proxy.Alive() {
-			return proxy.DialUDP(metadata)
-		}
-	}
+	proxy := lb.Unwrap(metadata)
 
-	return proxies[0].DialUDP(metadata)
+	return proxy.DialUDP(metadata)
 }
 
 func (lb *LoadBalance) SupportUDP() bool {
-	return true
+	return !lb.disableUDP
 }
 
-func (lb *LoadBalance) proxies() []C.Proxy {
+func strategyRoundRobin() strategyFn {
+	idx := 0
+	return func(proxies []C.Proxy, metadata *C.Metadata) C.Proxy {
+		length := len(proxies)
+		for i := 0; i < length; i++ {
+			idx = (idx + 1) % length
+			proxy := proxies[idx]
+			if proxy.Alive() {
+				return proxy
+			}
+		}
+
+		return proxies[0]
+	}
+}
+
+func strategyConsistentHashing() strategyFn {
+	maxRetry := 5
+	return func(proxies []C.Proxy, metadata *C.Metadata) C.Proxy {
+		key := uint64(murmur3.Sum32([]byte(getKey(metadata))))
+		buckets := int32(len(proxies))
+		for i := 0; i < maxRetry; i, key = i+1, key+1 {
+			idx := jumpHash(key, buckets)
+			proxy := proxies[idx]
+			if proxy.Alive() {
+				return proxy
+			}
+		}
+
+		return proxies[0]
+	}
+}
+
+func (lb *LoadBalance) Unwrap(metadata *C.Metadata) C.Proxy {
+	proxies := lb.proxies(true)
+	return lb.strategyFn(proxies, metadata)
+}
+
+func (lb *LoadBalance) proxies(touch bool) []C.Proxy {
 	elm, _, _ := lb.single.Do(func() (interface{}, error) {
-		return getProvidersProxies(lb.providers), nil
+		return getProvidersProxies(lb.providers, touch), nil
 	})
 
 	return elm.([]C.Proxy)
@@ -109,7 +145,7 @@ func (lb *LoadBalance) proxies() []C.Proxy {
 
 func (lb *LoadBalance) MarshalJSON() ([]byte, error) {
 	var all []string
-	for _, proxy := range lb.proxies() {
+	for _, proxy := range lb.proxies(false) {
 		all = append(all, proxy.Name())
 	}
 	return json.Marshal(map[string]interface{}{
@@ -118,11 +154,21 @@ func (lb *LoadBalance) MarshalJSON() ([]byte, error) {
 	})
 }
 
-func NewLoadBalance(name string, providers []provider.ProxyProvider) *LoadBalance {
-	return &LoadBalance{
-		Base:      outbound.NewBase(name, C.LoadBalance, false),
-		single:    singledo.NewSingle(defaultGetProxiesDuration),
-		maxRetry:  3,
-		providers: providers,
+func NewLoadBalance(options *GroupCommonOption, providers []provider.ProxyProvider, strategy string) (lb *LoadBalance, err error) {
+	var strategyFn strategyFn
+	switch strategy {
+	case "consistent-hashing":
+		strategyFn = strategyConsistentHashing()
+	case "round-robin":
+		strategyFn = strategyRoundRobin()
+	default:
+		return nil, fmt.Errorf("%w: %s", errStrategy, strategy)
 	}
+	return &LoadBalance{
+		Base:       outbound.NewBase(options.Name, "", C.LoadBalance, false),
+		single:     singledo.NewSingle(defaultGetProxiesDuration),
+		providers:  providers,
+		strategyFn: strategyFn,
+		disableUDP: options.DisableUDP,
+	}, nil
 }

adapters/outboundgroup/parser.go

@@ -12,25 +12,28 @@ import (
 var (
 	errFormat            = errors.New("format error")
 	errType              = errors.New("unsupport type")
-	errMissUse           = errors.New("`use` field should not be empty")
 	errMissProxy         = errors.New("`use` or `proxies` missing")
 	errMissHealthCheck   = errors.New("`url` or `interval` missing")
 	errDuplicateProvider = errors.New("`duplicate provider name")
 )
 
 type GroupCommonOption struct {
-	Name     string   `group:"name"`
-	Type     string   `group:"type"`
-	Proxies  []string `group:"proxies,omitempty"`
-	Use      []string `group:"use,omitempty"`
-	URL      string   `group:"url,omitempty"`
-	Interval int      `group:"interval,omitempty"`
+	Name       string   `group:"name"`
+	Type       string   `group:"type"`
+	Proxies    []string `group:"proxies,omitempty"`
+	Use        []string `group:"use,omitempty"`
+	URL        string   `group:"url,omitempty"`
+	Interval   int      `group:"interval,omitempty"`
+	Lazy       bool     `group:"lazy,omitempty"`
+	DisableUDP bool     `group:"disable-udp,omitempty"`
 }
 
 func ParseProxyGroup(config map[string]interface{}, proxyMap map[string]C.Proxy, providersMap map[string]provider.ProxyProvider) (C.ProxyAdapter, error) {
 	decoder := structure.NewDecoder(structure.Option{TagName: "group", WeaklyTypedInput: true})
 
-	groupOption := &GroupCommonOption{}
+	groupOption := &GroupCommonOption{
+		Lazy: true,
+	}
 	if err := decoder.Decode(config, groupOption); err != nil {
 		return nil, errFormat
 	}
@@ -55,7 +58,7 @@ func ParseProxyGroup(config map[string]interface{}, proxyMap map[string]C.Proxy,
 
 		// if Use not empty, drop health check options
 		if len(groupOption.Use) != 0 {
-			hc := provider.NewHealthCheck(ps, "", 0)
+			hc := provider.NewHealthCheck(ps, "", 0, true)
 			pd, err := provider.NewCompatibleProvider(groupName, ps, hc)
 			if err != nil {
 				return nil, err
@@ -63,9 +66,13 @@ func ParseProxyGroup(config map[string]interface{}, proxyMap map[string]C.Proxy,
 
 			providers = append(providers, pd)
 		} else {
+			if _, ok := providersMap[groupName]; ok {
+				return nil, errDuplicateProvider
+			}
+
 			// select don't need health check
-			if groupOption.Type == "select" {
-				hc := provider.NewHealthCheck(ps, "", 0)
+			if groupOption.Type == "select" || groupOption.Type == "relay" {
+				hc := provider.NewHealthCheck(ps, "", 0, true)
 				pd, err := provider.NewCompatibleProvider(groupName, ps, hc)
 				if err != nil {
 					return nil, err
@@ -78,7 +85,7 @@ func ParseProxyGroup(config map[string]interface{}, proxyMap map[string]C.Proxy,
 					return nil, errMissHealthCheck
 				}
 
-				hc := provider.NewHealthCheck(ps, groupOption.URL, uint(groupOption.Interval))
+				hc := provider.NewHealthCheck(ps, groupOption.URL, uint(groupOption.Interval), groupOption.Lazy)
 				pd, err := provider.NewCompatibleProvider(groupName, ps, hc)
 				if err != nil {
 					return nil, err
@@ -101,13 +108,17 @@ func ParseProxyGroup(config map[string]interface{}, proxyMap map[string]C.Proxy,
 	var group C.ProxyAdapter
 	switch groupOption.Type {
 	case "url-test":
-		group = NewURLTest(groupName, providers)
+		opts := parseURLTestOption(config)
+		group = NewURLTest(groupOption, providers, opts...)
 	case "select":
-		group = NewSelector(groupName, providers)
+		group = NewSelector(groupOption, providers)
 	case "fallback":
-		group = NewFallback(groupName, providers)
+		group = NewFallback(groupOption, providers)
 	case "load-balance":
-		group = NewLoadBalance(groupName, providers)
+		strategy := parseStrategy(config)
+		return NewLoadBalance(groupOption, providers, strategy)
+	case "relay":
+		group = NewRelay(groupOption, providers)
 	default:
 		return nil, fmt.Errorf("%w: %s", errType, groupOption.Type)
 	}

adapters/outboundgroup/relay.go

@@ -0,0 +1,98 @@
+package outboundgroup
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+
+	"github.com/Dreamacro/clash/adapters/outbound"
+	"github.com/Dreamacro/clash/adapters/provider"
+	"github.com/Dreamacro/clash/common/singledo"
+	"github.com/Dreamacro/clash/component/dialer"
+	C "github.com/Dreamacro/clash/constant"
+)
+
+type Relay struct {
+	*outbound.Base
+	single    *singledo.Single
+	providers []provider.ProxyProvider
+}
+
+func (r *Relay) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
+	proxies := r.proxies(metadata, true)
+	if len(proxies) == 0 {
+		return nil, errors.New("proxy does not exist")
+	}
+	first := proxies[0]
+	last := proxies[len(proxies)-1]
+
+	c, err := dialer.DialContext(ctx, "tcp", first.Addr())
+	if err != nil {
+		return nil, fmt.Errorf("%s connect error: %w", first.Addr(), err)
+	}
+	tcpKeepAlive(c)
+
+	var currentMeta *C.Metadata
+	for _, proxy := range proxies[1:] {
+		currentMeta, err = addrToMetadata(proxy.Addr())
+		if err != nil {
+			return nil, err
+		}
+
+		c, err = first.StreamConn(c, currentMeta)
+		if err != nil {
+			return nil, fmt.Errorf("%s connect error: %w", first.Addr(), err)
+		}
+
+		first = proxy
+	}
+
+	c, err = last.StreamConn(c, metadata)
+	if err != nil {
+		return nil, fmt.Errorf("%s connect error: %w", last.Addr(), err)
+	}
+
+	return outbound.NewConn(c, r), nil
+}
+
+func (r *Relay) MarshalJSON() ([]byte, error) {
+	var all []string
+	for _, proxy := range r.rawProxies(false) {
+		all = append(all, proxy.Name())
+	}
+	return json.Marshal(map[string]interface{}{
+		"type": r.Type().String(),
+		"all":  all,
+	})
+}
+
+func (r *Relay) rawProxies(touch bool) []C.Proxy {
+	elm, _, _ := r.single.Do(func() (interface{}, error) {
+		return getProvidersProxies(r.providers, touch), nil
+	})
+
+	return elm.([]C.Proxy)
+}
+
+func (r *Relay) proxies(metadata *C.Metadata, touch bool) []C.Proxy {
+	proxies := r.rawProxies(touch)
+
+	for n, proxy := range proxies {
+		subproxy := proxy.Unwrap(metadata)
+		for subproxy != nil {
+			proxies[n] = subproxy
+			subproxy = subproxy.Unwrap(metadata)
+		}
+	}
+
+	return proxies
+}
+
+func NewRelay(options *GroupCommonOption, providers []provider.ProxyProvider) *Relay {
+	return &Relay{
+		Base:      outbound.NewBase(options.Name, "", C.Relay, false),
+		single:    singledo.NewSingle(defaultGetProxiesDuration),
+		providers: providers,
+	}
+}

adapters/outboundgroup/selector.go

@@ -13,13 +13,14 @@ import (
 
 type Selector struct {
 	*outbound.Base
-	single    *singledo.Single
-	selected  C.Proxy
-	providers []provider.ProxyProvider
+	disableUDP bool
+	single     *singledo.Single
+	selected   string
+	providers  []provider.ProxyProvider
 }
 
 func (s *Selector) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
-	c, err := s.selected.DialContext(ctx, metadata)
+	c, err := s.selectedProxy(true).DialContext(ctx, metadata)
 	if err == nil {
 		c.AppendToChains(s)
 	}
@@ -27,7 +28,7 @@ func (s *Selector) DialContext(ctx context.Context, metadata *C.Metadata) (C.Con
 }
 
 func (s *Selector) DialUDP(metadata *C.Metadata) (C.PacketConn, error) {
-	pc, err := s.selected.DialUDP(metadata)
+	pc, err := s.selectedProxy(true).DialUDP(metadata)
 	if err == nil {
 		pc.AppendToChains(s)
 	}
@@ -35,12 +36,16 @@ func (s *Selector) DialUDP(metadata *C.Metadata) (C.PacketConn, error) {
 }
 
 func (s *Selector) SupportUDP() bool {
-	return s.selected.SupportUDP()
+	if s.disableUDP {
+		return false
+	}
+
+	return s.selectedProxy(false).SupportUDP()
 }
 
 func (s *Selector) MarshalJSON() ([]byte, error) {
 	var all []string
-	for _, proxy := range s.proxies() {
+	for _, proxy := range getProvidersProxies(s.providers, false) {
 		all = append(all, proxy.Name())
 	}
 
@@ -52,34 +57,47 @@ func (s *Selector) MarshalJSON() ([]byte, error) {
 }
 
 func (s *Selector) Now() string {
-	return s.selected.Name()
+	return s.selectedProxy(false).Name()
 }
 
 func (s *Selector) Set(name string) error {
-	for _, proxy := range s.proxies() {
+	for _, proxy := range getProvidersProxies(s.providers, false) {
 		if proxy.Name() == name {
-			s.selected = proxy
+			s.selected = name
+			s.single.Reset()
 			return nil
 		}
 	}
 
-	return errors.New("Proxy does not exist")
+	return errors.New("proxy not exist")
 }
 
-func (s *Selector) proxies() []C.Proxy {
+func (s *Selector) Unwrap(metadata *C.Metadata) C.Proxy {
+	return s.selectedProxy(true)
+}
+
+func (s *Selector) selectedProxy(touch bool) C.Proxy {
 	elm, _, _ := s.single.Do(func() (interface{}, error) {
-		return getProvidersProxies(s.providers), nil
+		proxies := getProvidersProxies(s.providers, touch)
+		for _, proxy := range proxies {
+			if proxy.Name() == s.selected {
+				return proxy, nil
+			}
+		}
+
+		return proxies[0], nil
 	})
 
-	return elm.([]C.Proxy)
+	return elm.(C.Proxy)
 }
 
-func NewSelector(name string, providers []provider.ProxyProvider) *Selector {
-	selected := providers[0].Proxies()[0]
+func NewSelector(options *GroupCommonOption, providers []provider.ProxyProvider) *Selector {
+	selected := providers[0].Proxies()[0].Name()
 	return &Selector{
-		Base:      outbound.NewBase(name, C.Selector, false),
-		single:    singledo.NewSingle(defaultGetProxiesDuration),
-		providers: providers,
-		selected:  selected,
+		Base:       outbound.NewBase(options.Name, "", C.Selector, false),
+		single:     singledo.NewSingle(defaultGetProxiesDuration),
+		providers:  providers,
+		selected:   selected,
+		disableUDP: options.DisableUDP,
 	}
 }

adapters/outboundgroup/urltest.go

@@ -11,19 +11,30 @@ import (
 	C "github.com/Dreamacro/clash/constant"
 )
 
+type urlTestOption func(*URLTest)
+
+func urlTestWithTolerance(tolerance uint16) urlTestOption {
+	return func(u *URLTest) {
+		u.tolerance = tolerance
+	}
+}
+
 type URLTest struct {
 	*outbound.Base
+	tolerance  uint16
+	disableUDP bool
+	fastNode   C.Proxy
 	single     *singledo.Single
 	fastSingle *singledo.Single
 	providers  []provider.ProxyProvider
 }
 
 func (u *URLTest) Now() string {
-	return u.fast().Name()
+	return u.fast(false).Name()
 }
 
 func (u *URLTest) DialContext(ctx context.Context, metadata *C.Metadata) (c C.Conn, err error) {
-	c, err = u.fast().DialContext(ctx, metadata)
+	c, err = u.fast(true).DialContext(ctx, metadata)
 	if err == nil {
 		c.AppendToChains(u)
 	}
@@ -31,24 +42,28 @@ func (u *URLTest) DialContext(ctx context.Context, metadata *C.Metadata) (c C.Co
 }
 
 func (u *URLTest) DialUDP(metadata *C.Metadata) (C.PacketConn, error) {
-	pc, err := u.fast().DialUDP(metadata)
+	pc, err := u.fast(true).DialUDP(metadata)
 	if err == nil {
 		pc.AppendToChains(u)
 	}
 	return pc, err
 }
 
-func (u *URLTest) proxies() []C.Proxy {
+func (u *URLTest) Unwrap(metadata *C.Metadata) C.Proxy {
+	return u.fast(true)
+}
+
+func (u *URLTest) proxies(touch bool) []C.Proxy {
 	elm, _, _ := u.single.Do(func() (interface{}, error) {
-		return getProvidersProxies(u.providers), nil
+		return getProvidersProxies(u.providers, touch), nil
 	})
 
 	return elm.([]C.Proxy)
 }
 
-func (u *URLTest) fast() C.Proxy {
+func (u *URLTest) fast(touch bool) C.Proxy {
 	elm, _, _ := u.fastSingle.Do(func() (interface{}, error) {
-		proxies := u.proxies()
+		proxies := u.proxies(touch)
 		fast := proxies[0]
 		min := fast.LastDelay()
 		for _, proxy := range proxies[1:] {
@@ -62,19 +77,29 @@ func (u *URLTest) fast() C.Proxy {
 				min = delay
 			}
 		}
-		return fast, nil
+
+		// tolerance
+		if u.fastNode == nil || u.fastNode.LastDelay() > fast.LastDelay()+u.tolerance {
+			u.fastNode = fast
+		}
+
+		return u.fastNode, nil
 	})
 
 	return elm.(C.Proxy)
 }
 
 func (u *URLTest) SupportUDP() bool {
-	return u.fast().SupportUDP()
+	if u.disableUDP {
+		return false
+	}
+
+	return u.fast(false).SupportUDP()
 }
 
 func (u *URLTest) MarshalJSON() ([]byte, error) {
 	var all []string
-	for _, proxy := range u.proxies() {
+	for _, proxy := range u.proxies(false) {
 		all = append(all, proxy.Name())
 	}
 	return json.Marshal(map[string]interface{}{
@@ -84,11 +109,31 @@ func (u *URLTest) MarshalJSON() ([]byte, error) {
 	})
 }
 
-func NewURLTest(name string, providers []provider.ProxyProvider) *URLTest {
-	return &URLTest{
-		Base:       outbound.NewBase(name, C.URLTest, false),
+func parseURLTestOption(config map[string]interface{}) []urlTestOption {
+	opts := []urlTestOption{}
+
+	// tolerance
+	if elm, ok := config["tolerance"]; ok {
+		if tolerance, ok := elm.(int); ok {
+			opts = append(opts, urlTestWithTolerance(uint16(tolerance)))
+		}
+	}
+
+	return opts
+}
+
+func NewURLTest(commonOptions *GroupCommonOption, providers []provider.ProxyProvider, options ...urlTestOption) *URLTest {
+	urlTest := &URLTest{
+		Base:       outbound.NewBase(commonOptions.Name, "", C.URLTest, false),
 		single:     singledo.NewSingle(defaultGetProxiesDuration),
 		fastSingle: singledo.NewSingle(time.Second * 10),
 		providers:  providers,
+		disableUDP: commonOptions.DisableUDP,
 	}
+
+	for _, option := range options {
+		option(urlTest)
+	}
+
+	return urlTest
 }

adapters/outboundgroup/util.go

@@ -0,0 +1,53 @@
+package outboundgroup
+
+import (
+	"fmt"
+	"net"
+	"time"
+
+	C "github.com/Dreamacro/clash/constant"
+)
+
+func addrToMetadata(rawAddress string) (addr *C.Metadata, err error) {
+	host, port, err := net.SplitHostPort(rawAddress)
+	if err != nil {
+		err = fmt.Errorf("addrToMetadata failed: %w", err)
+		return
+	}
+
+	ip := net.ParseIP(host)
+	if ip != nil {
+		if ip.To4() != nil {
+			addr = &C.Metadata{
+				AddrType: C.AtypIPv4,
+				Host:     "",
+				DstIP:    ip,
+				DstPort:  port,
+			}
+			return
+		} else {
+			addr = &C.Metadata{
+				AddrType: C.AtypIPv6,
+				Host:     "",
+				DstIP:    ip,
+				DstPort:  port,
+			}
+			return
+		}
+	} else {
+		addr = &C.Metadata{
+			AddrType: C.AtypDomainName,
+			Host:     host,
+			DstIP:    nil,
+			DstPort:  port,
+		}
+		return
+	}
+}
+
+func tcpKeepAlive(c net.Conn) {
+	if tcp, ok := c.(*net.TCPConn); ok {
+		tcp.SetKeepAlive(true)
+		tcp.SetKeepAlivePeriod(30 * time.Second)
+	}
+}

adapters/provider/fetcher.go

@@ -0,0 +1,180 @@
+package provider
+
+import (
+	"bytes"
+	"crypto/md5"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/Dreamacro/clash/log"
+)
+
+var (
+	fileMode os.FileMode = 0666
+	dirMode  os.FileMode = 0755
+)
+
+type parser = func([]byte) (interface{}, error)
+
+type fetcher struct {
+	name      string
+	vehicle   Vehicle
+	updatedAt *time.Time
+	ticker    *time.Ticker
+	done      chan struct{}
+	hash      [16]byte
+	parser    parser
+	onUpdate  func(interface{})
+}
+
+func (f *fetcher) Name() string {
+	return f.name
+}
+
+func (f *fetcher) VehicleType() VehicleType {
+	return f.vehicle.Type()
+}
+
+func (f *fetcher) Initial() (interface{}, error) {
+	var (
+		buf     []byte
+		err     error
+		isLocal bool
+	)
+	if stat, fErr := os.Stat(f.vehicle.Path()); fErr == nil {
+		buf, err = ioutil.ReadFile(f.vehicle.Path())
+		modTime := stat.ModTime()
+		f.updatedAt = &modTime
+		isLocal = true
+	} else {
+		buf, err = f.vehicle.Read()
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	proxies, err := f.parser(buf)
+	if err != nil {
+		if !isLocal {
+			return nil, err
+		}
+
+		// parse local file error, fallback to remote
+		buf, err = f.vehicle.Read()
+		if err != nil {
+			return nil, err
+		}
+
+		proxies, err = f.parser(buf)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if f.vehicle.Type() != File {
+		if err := safeWrite(f.vehicle.Path(), buf); err != nil {
+			return nil, err
+		}
+	}
+
+	f.hash = md5.Sum(buf)
+
+	// pull proxies automatically
+	if f.ticker != nil {
+		go f.pullLoop()
+	}
+
+	return proxies, nil
+}
+
+func (f *fetcher) Update() (interface{}, bool, error) {
+	buf, err := f.vehicle.Read()
+	if err != nil {
+		return nil, false, err
+	}
+
+	now := time.Now()
+	hash := md5.Sum(buf)
+	if bytes.Equal(f.hash[:], hash[:]) {
+		f.updatedAt = &now
+		return nil, true, nil
+	}
+
+	proxies, err := f.parser(buf)
+	if err != nil {
+		return nil, false, err
+	}
+
+	if err := safeWrite(f.vehicle.Path(), buf); err != nil {
+		return nil, false, err
+	}
+
+	f.updatedAt = &now
+	f.hash = hash
+
+	return proxies, false, nil
+}
+
+func (f *fetcher) Destroy() error {
+	if f.ticker != nil {
+		f.done <- struct{}{}
+	}
+	return nil
+}
+
+func (f *fetcher) pullLoop() {
+	for {
+		select {
+		case <-f.ticker.C:
+			elm, same, err := f.Update()
+			if err != nil {
+				log.Warnln("[Provider] %s pull error: %s", f.Name(), err.Error())
+				continue
+			}
+
+			if same {
+				log.Debugln("[Provider] %s's proxies doesn't change", f.Name())
+				continue
+			}
+
+			log.Infoln("[Provider] %s's proxies update", f.Name())
+			if f.onUpdate != nil {
+				f.onUpdate(elm)
+			}
+		case <-f.done:
+			f.ticker.Stop()
+			return
+		}
+	}
+}
+
+func safeWrite(path string, buf []byte) error {
+	dir := filepath.Dir(path)
+
+	if _, err := os.Stat(dir); os.IsNotExist(err) {
+		if err := os.MkdirAll(dir, dirMode); err != nil {
+			return err
+		}
+	}
+
+	return ioutil.WriteFile(path, buf, fileMode)
+}
+
+func newFetcher(name string, interval time.Duration, vehicle Vehicle, parser parser, onUpdate func(interface{})) *fetcher {
+	var ticker *time.Ticker
+	if interval != 0 {
+		ticker = time.NewTicker(interval)
+	}
+
+	return &fetcher{
+		name:     name,
+		ticker:   ticker,
+		vehicle:  vehicle,
+		parser:   parser,
+		done:     make(chan struct{}, 1),
+		onUpdate: onUpdate,
+	}
+}

adapters/provider/healthcheck.go

@@ -2,9 +2,12 @@ package provider
 
 import (
 	"context"
+	"sync"
 	"time"
 
 	C "github.com/Dreamacro/clash/constant"
+
+	"go.uber.org/atomic"
 )
 
 const (
@@ -17,10 +20,12 @@ type HealthCheckOption struct {
 }
 
 type HealthCheck struct {
-	url      string
-	proxies  []C.Proxy
-	interval uint
-	done     chan struct{}
+	url       string
+	proxies   []C.Proxy
+	interval  uint
+	lazy      bool
+	lastTouch *atomic.Int64
+	done      chan struct{}
 }
 
 func (hc *HealthCheck) process() {
@@ -30,7 +35,10 @@ func (hc *HealthCheck) process() {
 	for {
 		select {
 		case <-ticker.C:
-			hc.check()
+			now := time.Now().Unix()
+			if !hc.lazy || now-hc.lastTouch.Load() < int64(hc.interval) {
+				hc.check()
+			}
 		case <-hc.done:
 			ticker.Stop()
 			return
@@ -46,13 +54,24 @@ func (hc *HealthCheck) auto() bool {
 	return hc.interval != 0
 }
 
+func (hc *HealthCheck) touch() {
+	hc.lastTouch.Store(time.Now().Unix())
+}
+
 func (hc *HealthCheck) check() {
 	ctx, cancel := context.WithTimeout(context.Background(), defaultURLTestTimeout)
+	wg := &sync.WaitGroup{}
+
 	for _, proxy := range hc.proxies {
-		go proxy.URLTest(ctx, hc.url)
+		wg.Add(1)
+
+		go func(p C.Proxy) {
+			p.URLTest(ctx, hc.url)
+			wg.Done()
+		}(proxy)
 	}
 
-	<-ctx.Done()
+	wg.Wait()
 	cancel()
 }
 
@@ -60,11 +79,13 @@ func (hc *HealthCheck) close() {
 	hc.done <- struct{}{}
 }
 
-func NewHealthCheck(proxies []C.Proxy, url string, interval uint) *HealthCheck {
+func NewHealthCheck(proxies []C.Proxy, url string, interval uint, lazy bool) *HealthCheck {
 	return &HealthCheck{
-		proxies:  proxies,
-		url:      url,
-		interval: interval,
-		done:     make(chan struct{}, 1),
+		proxies:   proxies,
+		url:       url,
+		interval:  interval,
+		lazy:      lazy,
+		lastTouch: atomic.NewInt64(0),
+		done:      make(chan struct{}, 1),
 	}
 }

adapters/provider/parser.go

@@ -17,6 +17,7 @@ type healthCheckSchema struct {
 	Enable   bool   `provider:"enable"`
 	URL      string `provider:"url"`
 	Interval int    `provider:"interval"`
+	Lazy     bool   `provider:"lazy,omitempty"`
 }
 
 type proxyProviderSchema struct {
@@ -30,7 +31,11 @@ type proxyProviderSchema struct {
 func ParseProxyProvider(name string, mapping map[string]interface{}) (ProxyProvider, error) {
 	decoder := structure.NewDecoder(structure.Option{TagName: "provider", WeaklyTypedInput: true})
 
-	schema := &proxyProviderSchema{}
+	schema := &proxyProviderSchema{
+		HealthCheck: healthCheckSchema{
+			Lazy: true,
+		},
+	}
 	if err := decoder.Decode(mapping, schema); err != nil {
 		return nil, err
 	}
@@ -39,7 +44,7 @@ func ParseProxyProvider(name string, mapping map[string]interface{}) (ProxyProvi
 	if schema.HealthCheck.Enable {
 		hcInterval = uint(schema.HealthCheck.Interval)
 	}
-	hc := NewHealthCheck([]C.Proxy{}, schema.HealthCheck.URL, hcInterval)
+	hc := NewHealthCheck([]C.Proxy{}, schema.HealthCheck.URL, hcInterval, schema.HealthCheck.Lazy)
 
 	path := C.Path.Resolve(schema.Path)
 

adapters/provider/provider.go

@@ -1,26 +1,20 @@
 package provider
 
 import (
-	"bytes"
-	"crypto/md5"
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io/ioutil"
-	"os"
+	"runtime"
 	"time"
 
 	"github.com/Dreamacro/clash/adapters/outbound"
 	C "github.com/Dreamacro/clash/constant"
-	"github.com/Dreamacro/clash/log"
 
 	"gopkg.in/yaml.v2"
 )
 
 const (
 	ReservedName = "default"
-
-	fileMode = 0666
 )
 
 // Provider Type
@@ -49,33 +43,35 @@ type Provider interface {
 	VehicleType() VehicleType
 	Type() ProviderType
 	Initial() error
-	Reload() error
-	Destroy() error
+	Update() error
 }
 
 // ProxyProvider interface
 type ProxyProvider interface {
 	Provider
 	Proxies() []C.Proxy
+	// ProxiesWithTouch is used to inform the provider that the proxy is actually being used while getting the list of proxies.
+	// Commonly used in Dial and DialUDP
+	ProxiesWithTouch() []C.Proxy
 	HealthCheck()
-	Update() error
 }
 
 type ProxySchema struct {
 	Proxies []map[string]interface{} `yaml:"proxies"`
 }
 
+// for auto gc
 type ProxySetProvider struct {
-	name        string
-	vehicle     Vehicle
-	hash        [16]byte
-	proxies     []C.Proxy
-	healthCheck *HealthCheck
-	ticker      *time.Ticker
-	updatedAt   *time.Time
+	*proxySetProvider
 }
 
-func (pp *ProxySetProvider) MarshalJSON() ([]byte, error) {
+type proxySetProvider struct {
+	*fetcher
+	proxies     []C.Proxy
+	healthCheck *HealthCheck
+}
+
+func (pp *proxySetProvider) MarshalJSON() ([]byte, error) {
 	return json.Marshal(map[string]interface{}{
 		"name":        pp.Name(),
 		"type":        pp.Type().String(),
@@ -85,123 +81,46 @@ func (pp *ProxySetProvider) MarshalJSON() ([]byte, error) {
 	})
 }
 
-func (pp *ProxySetProvider) Name() string {
+func (pp *proxySetProvider) Name() string {
 	return pp.name
 }
 
-func (pp *ProxySetProvider) Reload() error {
-	return nil
-}
-
-func (pp *ProxySetProvider) HealthCheck() {
+func (pp *proxySetProvider) HealthCheck() {
 	pp.healthCheck.check()
 }
 
-func (pp *ProxySetProvider) Update() error {
-	return pp.pull()
+func (pp *proxySetProvider) Update() error {
+	elm, same, err := pp.fetcher.Update()
+	if err == nil && !same {
+		pp.onUpdate(elm)
+	}
+	return err
 }
 
-func (pp *ProxySetProvider) Destroy() error {
-	pp.healthCheck.close()
-
-	if pp.ticker != nil {
-		pp.ticker.Stop()
-	}
-
-	return nil
-}
-
-func (pp *ProxySetProvider) Initial() error {
-	var buf []byte
-	var err error
-	if stat, err := os.Stat(pp.vehicle.Path()); err == nil {
-		buf, err = ioutil.ReadFile(pp.vehicle.Path())
-		modTime := stat.ModTime()
-		pp.updatedAt = &modTime
-	} else {
-		buf, err = pp.vehicle.Read()
-	}
-
+func (pp *proxySetProvider) Initial() error {
+	elm, err := pp.fetcher.Initial()
 	if err != nil {
 		return err
 	}
 
-	proxies, err := pp.parse(buf)
-	if err != nil {
-		// parse local file error, fallback to remote
-		buf, err = pp.vehicle.Read()
-		if err != nil {
-			return err
-		}
-	}
-
-	if err := ioutil.WriteFile(pp.vehicle.Path(), buf, fileMode); err != nil {
-		return err
-	}
-
-	pp.hash = md5.Sum(buf)
-	pp.setProxies(proxies)
-
-	// pull proxies automatically
-	if pp.ticker != nil {
-		go pp.pullLoop()
-	}
-
+	pp.onUpdate(elm)
 	return nil
 }
 
-func (pp *ProxySetProvider) VehicleType() VehicleType {
-	return pp.vehicle.Type()
-}
-
-func (pp *ProxySetProvider) Type() ProviderType {
+func (pp *proxySetProvider) Type() ProviderType {
 	return Proxy
 }
 
-func (pp *ProxySetProvider) Proxies() []C.Proxy {
+func (pp *proxySetProvider) Proxies() []C.Proxy {
 	return pp.proxies
 }
 
-func (pp *ProxySetProvider) pullLoop() {
-	for range pp.ticker.C {
-		if err := pp.pull(); err != nil {
-			log.Warnln("[Provider] %s pull error: %s", pp.Name(), err.Error())
-		}
-	}
+func (pp *proxySetProvider) ProxiesWithTouch() []C.Proxy {
+	pp.healthCheck.touch()
+	return pp.Proxies()
 }
 
-func (pp *ProxySetProvider) pull() error {
-	buf, err := pp.vehicle.Read()
-	if err != nil {
-		return err
-	}
-
-	now := time.Now()
-	hash := md5.Sum(buf)
-	if bytes.Equal(pp.hash[:], hash[:]) {
-		log.Debugln("[Provider] %s's proxies doesn't change", pp.Name())
-		pp.updatedAt = &now
-		return nil
-	}
-
-	proxies, err := pp.parse(buf)
-	if err != nil {
-		return err
-	}
-	log.Infoln("[Provider] %s's proxies update", pp.Name())
-
-	if err := ioutil.WriteFile(pp.vehicle.Path(), buf, fileMode); err != nil {
-		return err
-	}
-
-	pp.updatedAt = &now
-	pp.hash = hash
-	pp.setProxies(proxies)
-
-	return nil
-}
-
-func (pp *ProxySetProvider) parse(buf []byte) ([]C.Proxy, error) {
+func proxiesParse(buf []byte) (interface{}, error) {
 	schema := &ProxySchema{}
 
 	if err := yaml.Unmarshal(buf, schema); err != nil {
@@ -209,57 +128,73 @@ func (pp *ProxySetProvider) parse(buf []byte) ([]C.Proxy, error) {
 	}
 
 	if schema.Proxies == nil {
-		return nil, errors.New("File must have a `proxies` field")
+		return nil, errors.New("file must have a `proxies` field")
 	}
 
 	proxies := []C.Proxy{}
 	for idx, mapping := range schema.Proxies {
 		proxy, err := outbound.ParseProxy(mapping)
 		if err != nil {
-			return nil, fmt.Errorf("Proxy %d error: %w", idx, err)
+			return nil, fmt.Errorf("proxy %d error: %w", idx, err)
 		}
 		proxies = append(proxies, proxy)
 	}
 
 	if len(proxies) == 0 {
-		return nil, errors.New("File doesn't have any valid proxy")
+		return nil, errors.New("file doesn't have any valid proxy")
 	}
 
 	return proxies, nil
 }
 
-func (pp *ProxySetProvider) setProxies(proxies []C.Proxy) {
+func (pp *proxySetProvider) setProxies(proxies []C.Proxy) {
 	pp.proxies = proxies
 	pp.healthCheck.setProxy(proxies)
-	go pp.healthCheck.check()
+	if pp.healthCheck.auto() {
+		go pp.healthCheck.check()
+	}
+}
+
+func stopProxyProvider(pd *ProxySetProvider) {
+	pd.healthCheck.close()
+	pd.fetcher.Destroy()
 }
 
 func NewProxySetProvider(name string, interval time.Duration, vehicle Vehicle, hc *HealthCheck) *ProxySetProvider {
-	var ticker *time.Ticker
-	if interval != 0 {
-		ticker = time.NewTicker(interval)
-	}
-
 	if hc.auto() {
 		go hc.process()
 	}
 
-	return &ProxySetProvider{
-		name:        name,
-		vehicle:     vehicle,
+	pd := &proxySetProvider{
 		proxies:     []C.Proxy{},
 		healthCheck: hc,
-		ticker:      ticker,
 	}
+
+	onUpdate := func(elm interface{}) {
+		ret := elm.([]C.Proxy)
+		pd.setProxies(ret)
+	}
+
+	fetcher := newFetcher(name, interval, vehicle, proxiesParse, onUpdate)
+	pd.fetcher = fetcher
+
+	wrapper := &ProxySetProvider{pd}
+	runtime.SetFinalizer(wrapper, stopProxyProvider)
+	return wrapper
 }
 
+// for auto gc
 type CompatibleProvider struct {
+	*compatibleProvider
+}
+
+type compatibleProvider struct {
 	name        string
 	healthCheck *HealthCheck
 	proxies     []C.Proxy
 }
 
-func (cp *CompatibleProvider) MarshalJSON() ([]byte, error) {
+func (cp *compatibleProvider) MarshalJSON() ([]byte, error) {
 	return json.Marshal(map[string]interface{}{
 		"name":        cp.Name(),
 		"type":        cp.Type().String(),
@@ -268,43 +203,43 @@ func (cp *CompatibleProvider) MarshalJSON() ([]byte, error) {
 	})
 }
 
-func (cp *CompatibleProvider) Name() string {
+func (cp *compatibleProvider) Name() string {
 	return cp.name
 }
 
-func (cp *CompatibleProvider) Reload() error {
-	return nil
-}
-
-func (cp *CompatibleProvider) Destroy() error {
-	cp.healthCheck.close()
-	return nil
-}
-
-func (cp *CompatibleProvider) HealthCheck() {
+func (cp *compatibleProvider) HealthCheck() {
 	cp.healthCheck.check()
 }
 
-func (cp *CompatibleProvider) Update() error {
+func (cp *compatibleProvider) Update() error {
 	return nil
 }
 
-func (cp *CompatibleProvider) Initial() error {
+func (cp *compatibleProvider) Initial() error {
 	return nil
 }
 
-func (cp *CompatibleProvider) VehicleType() VehicleType {
+func (cp *compatibleProvider) VehicleType() VehicleType {
 	return Compatible
 }
 
-func (cp *CompatibleProvider) Type() ProviderType {
+func (cp *compatibleProvider) Type() ProviderType {
 	return Proxy
 }
 
-func (cp *CompatibleProvider) Proxies() []C.Proxy {
+func (cp *compatibleProvider) Proxies() []C.Proxy {
 	return cp.proxies
 }
 
+func (cp *compatibleProvider) ProxiesWithTouch() []C.Proxy {
+	cp.healthCheck.touch()
+	return cp.Proxies()
+}
+
+func stopCompatibleProvider(pd *CompatibleProvider) {
+	pd.healthCheck.close()
+}
+
 func NewCompatibleProvider(name string, proxies []C.Proxy, hc *HealthCheck) (*CompatibleProvider, error) {
 	if len(proxies) == 0 {
 		return nil, errors.New("Provider need one proxy at least")
@@ -314,9 +249,13 @@ func NewCompatibleProvider(name string, proxies []C.Proxy, hc *HealthCheck) (*Co
 		go hc.process()
 	}
 
-	return &CompatibleProvider{
+	pd := &compatibleProvider{
 		name:        name,
 		proxies:     proxies,
 		healthCheck: hc,
-	}, nil
+	}
+
+	wrapper := &CompatibleProvider{pd}
+	runtime.SetFinalizer(wrapper, stopCompatibleProvider)
+	return wrapper, nil
 }

adapters/provider/vehicle.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"io/ioutil"
 	"net/http"
+	"net/url"
 	"time"
 
 	"github.com/Dreamacro/clash/component/dialer"
@@ -75,10 +76,21 @@ func (h *HTTPVehicle) Read() ([]byte, error) {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*20)
 	defer cancel()
 
-	req, err := http.NewRequest(http.MethodGet, h.url, nil)
+	uri, err := url.Parse(h.url)
 	if err != nil {
 		return nil, err
 	}
+
+	req, err := http.NewRequest(http.MethodGet, uri.String(), nil)
+	if err != nil {
+		return nil, err
+	}
+
+	if user := uri.User; user != nil {
+		password, _ := user.Password()
+		req.SetBasicAuth(user.Username(), password)
+	}
+
 	req = req.WithContext(ctx)
 
 	transport := &http.Transport{

common/cache/lrucache.go

@@ -42,6 +42,14 @@ func WithSize(maxSize int) Option {
 	}
 }
 
+// WithStale decide whether Stale return is enabled.
+// If this feature is enabled, element will not get Evicted according to `WithAge`.
+func WithStale(stale bool) Option {
+	return func(l *LruCache) {
+		l.staleReturn = stale
+	}
+}
+
 // LruCache is a thread-safe, in-memory lru-cache that evicts the
 // least recently used entries from memory when (if set) the entries are
 // older than maxAge (in seconds).  Use the New constructor to create one.
@@ -52,6 +60,7 @@ type LruCache struct {
 	cache          map[interface{}]*list.Element
 	lru            *list.List // Front is least-recent
 	updateAgeOnGet bool
+	staleReturn    bool
 	onEvict        EvictCallback
 }
 
@@ -72,31 +81,28 @@ func NewLRUCache(options ...Option) *LruCache {
 // Get returns the interface{} representation of a cached response and a bool
 // set to true if the key was found.
 func (c *LruCache) Get(key interface{}) (interface{}, bool) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-
-	le, ok := c.cache[key]
-	if !ok {
+	entry := c.get(key)
+	if entry == nil {
 		return nil, false
 	}
-
-	if c.maxAge > 0 && le.Value.(*entry).expires <= time.Now().Unix() {
-		c.deleteElement(le)
-		c.maybeDeleteOldest()
-
-		return nil, false
-	}
-
-	c.lru.MoveToBack(le)
-	entry := le.Value.(*entry)
-	if c.maxAge > 0 && c.updateAgeOnGet {
-		entry.expires = time.Now().Unix() + c.maxAge
-	}
 	value := entry.value
 
 	return value, true
 }
 
+// GetWithExpire returns the interface{} representation of a cached response,
+// a time.Time Give expected expires,
+// and a bool set to true if the key was found.
+// This method will NOT check the maxAge of element and will NOT update the expires.
+func (c *LruCache) GetWithExpire(key interface{}) (interface{}, time.Time, bool) {
+	entry := c.get(key)
+	if entry == nil {
+		return nil, time.Time{}, false
+	}
+
+	return entry.value, time.Unix(entry.expires, 0), true
+}
+
 // Exist returns if key exist in cache but not put item to the head of linked list
 func (c *LruCache) Exist(key interface{}) bool {
 	c.mu.Lock()
@@ -108,21 +114,26 @@ func (c *LruCache) Exist(key interface{}) bool {
 
 // Set stores the interface{} representation of a response for a given key.
 func (c *LruCache) Set(key interface{}, value interface{}) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-
 	expires := int64(0)
 	if c.maxAge > 0 {
 		expires = time.Now().Unix() + c.maxAge
 	}
+	c.SetWithExpire(key, value, time.Unix(expires, 0))
+}
+
+// SetWithExpire stores the interface{} representation of a response for a given key and given expires.
+// The expires time will round to second.
+func (c *LruCache) SetWithExpire(key interface{}, value interface{}, expires time.Time) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
 
 	if le, ok := c.cache[key]; ok {
 		c.lru.MoveToBack(le)
 		e := le.Value.(*entry)
 		e.value = value
-		e.expires = expires
+		e.expires = expires.Unix()
 	} else {
-		e := &entry{key: key, value: value, expires: expires}
+		e := &entry{key: key, value: value, expires: expires.Unix()}
 		c.cache[key] = c.lru.PushBack(e)
 
 		if c.maxSize > 0 {
@@ -135,8 +146,49 @@ func (c *LruCache) Set(key interface{}, value interface{}) {
 	c.maybeDeleteOldest()
 }
 
+// CloneTo clone and overwrite elements to another LruCache
+func (c *LruCache) CloneTo(n *LruCache) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	n.mu.Lock()
+	defer n.mu.Unlock()
+
+	n.lru = list.New()
+	n.cache = make(map[interface{}]*list.Element)
+
+	for e := c.lru.Front(); e != nil; e = e.Next() {
+		elm := e.Value.(*entry)
+		n.cache[elm.key] = n.lru.PushBack(elm)
+	}
+}
+
+func (c *LruCache) get(key interface{}) *entry {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	le, ok := c.cache[key]
+	if !ok {
+		return nil
+	}
+
+	if !c.staleReturn && c.maxAge > 0 && le.Value.(*entry).expires <= time.Now().Unix() {
+		c.deleteElement(le)
+		c.maybeDeleteOldest()
+
+		return nil
+	}
+
+	c.lru.MoveToBack(le)
+	entry := le.Value.(*entry)
+	if c.maxAge > 0 && c.updateAgeOnGet {
+		entry.expires = time.Now().Unix() + c.maxAge
+	}
+	return entry
+}
+
 // Delete removes the value associated with a key.
-func (c *LruCache) Delete(key string) {
+func (c *LruCache) Delete(key interface{}) {
 	c.mu.Lock()
 
 	if le, ok := c.cache[key]; ok {
@@ -147,7 +199,7 @@ func (c *LruCache) Delete(key string) {
 }
 
 func (c *LruCache) maybeDeleteOldest() {
-	if c.maxAge > 0 {
+	if !c.staleReturn && c.maxAge > 0 {
 		now := time.Now().Unix()
 		for le := c.lru.Front(); le != nil && le.Value.(*entry).expires <= now; le = c.lru.Front() {
 			c.deleteElement(le)

common/cache/lrucache_test.go

@@ -136,3 +136,49 @@ func TestEvict(t *testing.T) {
 
 	assert.Equal(t, temp, 3)
 }
+
+func TestSetWithExpire(t *testing.T) {
+	c := NewLRUCache(WithAge(1))
+	now := time.Now().Unix()
+
+	tenSecBefore := time.Unix(now-10, 0)
+	c.SetWithExpire(1, 2, tenSecBefore)
+
+	// res is expected not to exist, and expires should be empty time.Time
+	res, expires, exist := c.GetWithExpire(1)
+	assert.Equal(t, nil, res)
+	assert.Equal(t, time.Time{}, expires)
+	assert.Equal(t, false, exist)
+
+}
+
+func TestStale(t *testing.T) {
+	c := NewLRUCache(WithAge(1), WithStale(true))
+	now := time.Now().Unix()
+
+	tenSecBefore := time.Unix(now-10, 0)
+	c.SetWithExpire(1, 2, tenSecBefore)
+
+	res, expires, exist := c.GetWithExpire(1)
+	assert.Equal(t, 2, res)
+	assert.Equal(t, tenSecBefore, expires)
+	assert.Equal(t, true, exist)
+}
+
+func TestCloneTo(t *testing.T) {
+	o := NewLRUCache(WithSize(10))
+	o.Set("1", 1)
+	o.Set("2", 2)
+
+	n := NewLRUCache(WithSize(2))
+	n.Set("3", 3)
+	n.Set("4", 4)
+
+	o.CloneTo(n)
+
+	assert.False(t, n.Exist("3"))
+	assert.True(t, n.Exist("1"))
+
+	n.Set("5", 5)
+	assert.False(t, n.Exist("1"))
+}

common/observable/observable_test.go

@@ -1,12 +1,12 @@
 package observable
 
 import (
-	"runtime"
 	"sync"
 	"testing"
 	"time"
 
 	"github.com/stretchr/testify/assert"
+	"go.uber.org/atomic"
 )
 
 func iterator(item []interface{}) chan interface{} {
@@ -33,25 +33,25 @@ func TestObservable(t *testing.T) {
 	assert.Equal(t, count, 5)
 }
 
-func TestObservable_MutilSubscribe(t *testing.T) {
+func TestObservable_MultiSubscribe(t *testing.T) {
 	iter := iterator([]interface{}{1, 2, 3, 4, 5})
 	src := NewObservable(iter)
 	ch1, _ := src.Subscribe()
 	ch2, _ := src.Subscribe()
-	count := 0
+	var count = atomic.NewInt32(0)
 
 	var wg sync.WaitGroup
 	wg.Add(2)
 	waitCh := func(ch <-chan interface{}) {
 		for range ch {
-			count++
+			count.Inc()
 		}
 		wg.Done()
 	}
 	go waitCh(ch1)
 	go waitCh(ch2)
 	wg.Wait()
-	assert.Equal(t, count, 10)
+	assert.Equal(t, int32(10), count.Load())
 }
 
 func TestObservable_UnSubscribe(t *testing.T) {
@@ -82,9 +82,6 @@ func TestObservable_UnSubscribeWithNotExistSubscription(t *testing.T) {
 }
 
 func TestObservable_SubscribeGoroutineLeak(t *testing.T) {
-	// waiting for other goroutine recycle
-	time.Sleep(120 * time.Millisecond)
-	init := runtime.NumGoroutine()
 	iter := iterator([]interface{}{1, 2, 3, 4, 5})
 	src := NewObservable(iter)
 	max := 100
@@ -107,6 +104,43 @@ func TestObservable_SubscribeGoroutineLeak(t *testing.T) {
 		go waitCh(ch)
 	}
 	wg.Wait()
-	now := runtime.NumGoroutine()
-	assert.Equal(t, init, now)
+
+	for _, sub := range list {
+		_, more := <-sub
+		assert.False(t, more)
+	}
+
+	_, more := <-list[0]
+	assert.False(t, more)
+}
+
+func Benchmark_Observable_1000(b *testing.B) {
+	ch := make(chan interface{})
+	o := NewObservable(ch)
+	num := 1000
+
+	subs := []Subscription{}
+	for i := 0; i < num; i++ {
+		sub, _ := o.Subscribe()
+		subs = append(subs, sub)
+	}
+
+	wg := sync.WaitGroup{}
+	wg.Add(num)
+
+	b.ResetTimer()
+	for _, sub := range subs {
+		go func(s Subscription) {
+			for range s {
+			}
+			wg.Done()
+		}(sub)
+	}
+
+	for i := 0; i < b.N; i++ {
+		ch <- i
+	}
+
+	close(ch)
+	wg.Wait()
 }

common/observable/subscriber.go

@@ -2,34 +2,32 @@ package observable
 
 import (
 	"sync"
-
-	"gopkg.in/eapache/channels.v1"
 )
 
 type Subscription <-chan interface{}
 
 type Subscriber struct {
-	buffer *channels.InfiniteChannel
+	buffer chan interface{}
 	once   sync.Once
 }
 
 func (s *Subscriber) Emit(item interface{}) {
-	s.buffer.In() <- item
+	s.buffer <- item
 }
 
 func (s *Subscriber) Out() Subscription {
-	return s.buffer.Out()
+	return s.buffer
 }
 
 func (s *Subscriber) Close() {
 	s.once.Do(func() {
-		s.buffer.Close()
+		close(s.buffer)
 	})
 }
 
 func newSubscriber() *Subscriber {
 	sub := &Subscriber{
-		buffer: channels.NewInfiniteChannel(),
+		buffer: make(chan interface{}, 200),
 	}
 	return sub
 }

common/picker/picker.go

@@ -15,8 +15,10 @@ type Picker struct {
 
 	wg sync.WaitGroup
 
-	once   sync.Once
-	result interface{}
+	once    sync.Once
+	errOnce sync.Once
+	result  interface{}
+	err     error
 }
 
 func newPicker(ctx context.Context, cancel func()) *Picker {
@@ -49,6 +51,11 @@ func (p *Picker) Wait() interface{} {
 	return p.result
 }
 
+// Error return the first error (if all success return nil)
+func (p *Picker) Error() error {
+	return p.err
+}
+
 // Go calls the given function in a new goroutine.
 // The first call to return a nil error cancels the group; its result will be returned by Wait.
 func (p *Picker) Go(f func() (interface{}, error)) {
@@ -64,6 +71,10 @@ func (p *Picker) Go(f func() (interface{}, error)) {
 					p.cancel()
 				}
 			})
+		} else {
+			p.errOnce.Do(func() {
+				p.err = err
+			})
 		}
 	}()
 }

common/picker/picker_test.go

@@ -36,4 +36,5 @@ func TestPicker_Timeout(t *testing.T) {
 
 	number := picker.Wait()
 	assert.Nil(t, number)
+	assert.NotNil(t, picker.Error())
 }

common/pool/alloc.go

@@ -0,0 +1,67 @@
+package pool
+
+// Inspired by https://github.com/xtaci/smux/blob/master/alloc.go
+
+import (
+	"errors"
+	"math/bits"
+	"sync"
+)
+
+var defaultAllocator *Allocator
+
+func init() {
+	defaultAllocator = NewAllocator()
+}
+
+// Allocator for incoming frames, optimized to prevent overwriting after zeroing
+type Allocator struct {
+	buffers []sync.Pool
+}
+
+// NewAllocator initiates a []byte allocator for frames less than 65536 bytes,
+// the waste(memory fragmentation) of space allocation is guaranteed to be
+// no more than 50%.
+func NewAllocator() *Allocator {
+	alloc := new(Allocator)
+	alloc.buffers = make([]sync.Pool, 17) // 1B -> 64K
+	for k := range alloc.buffers {
+		i := k
+		alloc.buffers[k].New = func() interface{} {
+			return make([]byte, 1<<uint32(i))
+		}
+	}
+	return alloc
+}
+
+// Get a []byte from pool with most appropriate cap
+func (alloc *Allocator) Get(size int) []byte {
+	if size <= 0 || size > 65536 {
+		return nil
+	}
+
+	bits := msb(size)
+	if size == 1<<bits {
+		return alloc.buffers[bits].Get().([]byte)[:size]
+	}
+
+	return alloc.buffers[bits+1].Get().([]byte)[:size]
+}
+
+// Put returns a []byte to pool for future use,
+// which the cap must be exactly 2^n
+func (alloc *Allocator) Put(buf []byte) error {
+	bits := msb(cap(buf))
+	if cap(buf) == 0 || cap(buf) > 65536 || cap(buf) != 1<<bits {
+		return errors.New("allocator Put() incorrect buffer size")
+	}
+
+	//lint:ignore SA6002 ignore temporarily
+	alloc.buffers[bits].Put(buf)
+	return nil
+}
+
+// msb return the pos of most significant bit
+func msb(size int) uint16 {
+	return uint16(bits.Len32(uint32(size)) - 1)
+}

common/pool/alloc_test.go

@@ -0,0 +1,48 @@
+package pool
+
+import (
+	"math/rand"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAllocGet(t *testing.T) {
+	alloc := NewAllocator()
+	assert.Nil(t, alloc.Get(0))
+	assert.Equal(t, 1, len(alloc.Get(1)))
+	assert.Equal(t, 2, len(alloc.Get(2)))
+	assert.Equal(t, 3, len(alloc.Get(3)))
+	assert.Equal(t, 4, cap(alloc.Get(3)))
+	assert.Equal(t, 4, cap(alloc.Get(4)))
+	assert.Equal(t, 1023, len(alloc.Get(1023)))
+	assert.Equal(t, 1024, cap(alloc.Get(1023)))
+	assert.Equal(t, 1024, len(alloc.Get(1024)))
+	assert.Equal(t, 65536, len(alloc.Get(65536)))
+	assert.Nil(t, alloc.Get(65537))
+}
+
+func TestAllocPut(t *testing.T) {
+	alloc := NewAllocator()
+	assert.NotNil(t, alloc.Put(nil), "put nil misbehavior")
+	assert.NotNil(t, alloc.Put(make([]byte, 3)), "put elem:3 []bytes misbehavior")
+	assert.Nil(t, alloc.Put(make([]byte, 4)), "put elem:4 []bytes misbehavior")
+	assert.Nil(t, alloc.Put(make([]byte, 1023, 1024)), "put elem:1024 []bytes misbehavior")
+	assert.Nil(t, alloc.Put(make([]byte, 65536)), "put elem:65536 []bytes misbehavior")
+	assert.NotNil(t, alloc.Put(make([]byte, 65537)), "put elem:65537 []bytes misbehavior")
+}
+
+func TestAllocPutThenGet(t *testing.T) {
+	alloc := NewAllocator()
+	data := alloc.Get(4)
+	alloc.Put(data)
+	newData := alloc.Get(4)
+
+	assert.Equal(t, cap(data), cap(newData), "different cap while alloc.Get()")
+}
+
+func BenchmarkMSB(b *testing.B) {
+	for i := 0; i < b.N; i++ {
+		msb(rand.Int())
+	}
+}

common/pool/pool.go

@@ -1,15 +1,16 @@
 package pool
 
-import (
-	"sync"
-)
-
 const (
 	// io.Copy default buffer size is 32 KiB
 	// but the maximum packet size of vmess/shadowsocks is about 16 KiB
 	// so define a buffer of 20 KiB to reduce the memory of each TCP relay
-	bufferSize = 20 * 1024
+	RelayBufferSize = 20 * 1024
 )
 
-// BufPool provide buffer for relay
-var BufPool = sync.Pool{New: func() interface{} { return make([]byte, bufferSize) }}
+func Get(size int) []byte {
+	return defaultAllocator.Get(size)
+}
+
+func Put(buf []byte) error {
+	return defaultAllocator.Put(buf)
+}

common/singledo/singledo.go

@@ -24,6 +24,8 @@ type Result struct {
 	Err error
 }
 
+// Do single.Do likes sync.singleFlight
+//lint:ignore ST1008 it likes sync.singleFlight
 func (s *Single) Do(fn func() (interface{}, error)) (v interface{}, err error, shared bool) {
 	s.mux.Lock()
 	now := time.Now()
@@ -44,12 +46,19 @@ func (s *Single) Do(fn func() (interface{}, error)) (v interface{}, err error, s
 	s.mux.Unlock()
 	call.val, call.err = fn()
 	call.wg.Done()
+
+	s.mux.Lock()
 	s.call = nil
 	s.result = &Result{call.val, call.err}
 	s.last = now
+	s.mux.Unlock()
 	return call.val, call.err, false
 }
 
+func (s *Single) Reset() {
+	s.last = time.Time{}
+}
+
 func NewSingle(wait time.Duration) *Single {
 	return &Single{wait: wait}
 }

common/singledo/singledo_test.go

@@ -6,12 +6,13 @@ import (
 	"time"
 
 	"github.com/stretchr/testify/assert"
+	"go.uber.org/atomic"
 )
 
 func TestBasic(t *testing.T) {
 	single := NewSingle(time.Millisecond * 30)
 	foo := 0
-	shardCount := 0
+	var shardCount = atomic.NewInt32(0)
 	call := func() (interface{}, error) {
 		foo++
 		time.Sleep(time.Millisecond * 5)
@@ -19,13 +20,13 @@ func TestBasic(t *testing.T) {
 	}
 
 	var wg sync.WaitGroup
-	const n = 10
+	const n = 5
 	wg.Add(n)
 	for i := 0; i < n; i++ {
 		go func() {
 			_, _, shard := single.Do(call)
 			if shard {
-				shardCount++
+				shardCount.Inc()
 			}
 			wg.Done()
 		}()
@@ -33,7 +34,7 @@ func TestBasic(t *testing.T) {
 
 	wg.Wait()
 	assert.Equal(t, 1, foo)
-	assert.Equal(t, 9, shardCount)
+	assert.Equal(t, int32(4), shardCount.Load())
 }
 
 func TestTimer(t *testing.T) {
@@ -51,3 +52,18 @@ func TestTimer(t *testing.T) {
 	assert.Equal(t, 1, foo)
 	assert.True(t, shard)
 }
+
+func TestReset(t *testing.T) {
+	single := NewSingle(time.Millisecond * 30)
+	foo := 0
+	call := func() (interface{}, error) {
+		foo++
+		return nil, nil
+	}
+
+	single.Do(call)
+	single.Reset()
+	single.Do(call)
+
+	assert.Equal(t, 2, foo)
+}

common/sockopt/reuseaddr_linux.go

@@ -0,0 +1,19 @@
+package sockopt
+
+import (
+	"net"
+	"syscall"
+)
+
+func UDPReuseaddr(c *net.UDPConn) (err error) {
+	rc, err := c.SyscallConn()
+	if err != nil {
+		return
+	}
+
+	rc.Control(func(fd uintptr) {
+		err = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_REUSEADDR, 1)
+	})
+
+	return
+}

common/sockopt/reuseaddr_other.go

@@ -0,0 +1,11 @@
+// +build !linux
+
+package sockopt
+
+import (
+	"net"
+)
+
+func UDPReuseaddr(c *net.UDPConn) (err error) {
+	return
+}

common/structure/structure.go

@@ -216,6 +216,11 @@ func (d *Decoder) decodeMapFromMap(name string, dataVal reflect.Value, val refle
 		}
 
 		v := dataVal.MapIndex(k).Interface()
+		if v == nil {
+			errors = append(errors, fmt.Sprintf("filed %s invalid", fieldName))
+			continue
+		}
+
 		currentVal := reflect.Indirect(reflect.New(valElemType))
 		if err := d.decode(fieldName, v, currentVal); err != nil {
 			errors = append(errors, err.Error())

component/dialer/bind.go

@@ -0,0 +1,104 @@
+package dialer
+
+import (
+	"errors"
+	"net"
+)
+
+var (
+	errPlatformNotSupport = errors.New("unsupport platform")
+)
+
+func lookupTCPAddr(ip net.IP, addrs []net.Addr) (*net.TCPAddr, error) {
+	ipv4 := ip.To4() != nil
+
+	for _, elm := range addrs {
+		addr, ok := elm.(*net.IPNet)
+		if !ok {
+			continue
+		}
+
+		addrV4 := addr.IP.To4() != nil
+
+		if addrV4 && ipv4 {
+			return &net.TCPAddr{IP: addr.IP, Port: 0}, nil
+		} else if !addrV4 && !ipv4 {
+			return &net.TCPAddr{IP: addr.IP, Port: 0}, nil
+		}
+	}
+
+	return nil, ErrAddrNotFound
+}
+
+func lookupUDPAddr(ip net.IP, addrs []net.Addr) (*net.UDPAddr, error) {
+	ipv4 := ip.To4() != nil
+
+	for _, elm := range addrs {
+		addr, ok := elm.(*net.IPNet)
+		if !ok {
+			continue
+		}
+
+		addrV4 := addr.IP.To4() != nil
+
+		if addrV4 && ipv4 {
+			return &net.UDPAddr{IP: addr.IP, Port: 0}, nil
+		} else if !addrV4 && !ipv4 {
+			return &net.UDPAddr{IP: addr.IP, Port: 0}, nil
+		}
+	}
+
+	return nil, ErrAddrNotFound
+}
+
+func fallbackBindToDialer(dialer *net.Dialer, network string, ip net.IP, name string) error {
+	iface, err := net.InterfaceByName(name)
+	if err != nil {
+		return err
+	}
+
+	addrs, err := iface.Addrs()
+	if err != nil {
+		return err
+	}
+
+	switch network {
+	case "tcp", "tcp4", "tcp6":
+		if addr, err := lookupTCPAddr(ip, addrs); err == nil {
+			dialer.LocalAddr = addr
+		} else {
+			return err
+		}
+	case "udp", "udp4", "udp6":
+		if addr, err := lookupUDPAddr(ip, addrs); err == nil {
+			dialer.LocalAddr = addr
+		} else {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func fallbackBindToListenConfig(name string) (string, error) {
+	iface, err := net.InterfaceByName(name)
+	if err != nil {
+		return "", err
+	}
+
+	addrs, err := iface.Addrs()
+	if err != nil {
+		return "", err
+	}
+
+	for _, elm := range addrs {
+		addr, ok := elm.(*net.IPNet)
+		if !ok || addr.IP.To4() == nil {
+			continue
+		}
+
+		return net.JoinHostPort(addr.IP.String(), "0"), nil
+	}
+
+	return "", ErrAddrNotFound
+}

component/dialer/bind_darwin.go

@@ -0,0 +1,51 @@
+package dialer
+
+import (
+	"net"
+	"syscall"
+)
+
+type controlFn = func(network, address string, c syscall.RawConn) error
+
+func bindControl(ifaceIdx int) controlFn {
+	return func(network, address string, c syscall.RawConn) error {
+		ipStr, _, err := net.SplitHostPort(address)
+		if err == nil {
+			ip := net.ParseIP(ipStr)
+			if ip != nil && !ip.IsGlobalUnicast() {
+				return nil
+			}
+		}
+
+		return c.Control(func(fd uintptr) {
+			switch network {
+			case "tcp4", "udp4":
+				syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IP, syscall.IP_BOUND_IF, ifaceIdx)
+			case "tcp6", "udp6":
+				syscall.SetsockoptInt(int(fd), syscall.IPPROTO_IPV6, syscall.IPV6_BOUND_IF, ifaceIdx)
+			}
+		})
+	}
+}
+
+func bindIfaceToDialer(dialer *net.Dialer, ifaceName string) error {
+	iface, err := net.InterfaceByName(ifaceName)
+	if err != nil {
+		return err
+	}
+
+	dialer.Control = bindControl(iface.Index)
+
+	return nil
+}
+
+func bindIfaceToListenConfig(lc *net.ListenConfig, ifaceName string) error {
+	iface, err := net.InterfaceByName(ifaceName)
+	if err != nil {
+		return err
+	}
+
+	lc.Control = bindControl(iface.Index)
+
+	return nil
+}

component/dialer/bind_linux.go

@@ -0,0 +1,36 @@
+package dialer
+
+import (
+	"net"
+	"syscall"
+)
+
+type controlFn = func(network, address string, c syscall.RawConn) error
+
+func bindControl(ifaceName string) controlFn {
+	return func(network, address string, c syscall.RawConn) error {
+		ipStr, _, err := net.SplitHostPort(address)
+		if err == nil {
+			ip := net.ParseIP(ipStr)
+			if ip != nil && !ip.IsGlobalUnicast() {
+				return nil
+			}
+		}
+
+		return c.Control(func(fd uintptr) {
+			syscall.BindToDevice(int(fd), ifaceName)
+		})
+	}
+}
+
+func bindIfaceToDialer(dialer *net.Dialer, ifaceName string) error {
+	dialer.Control = bindControl(ifaceName)
+
+	return nil
+}
+
+func bindIfaceToListenConfig(lc *net.ListenConfig, ifaceName string) error {
+	lc.Control = bindControl(ifaceName)
+
+	return nil
+}

component/dialer/bind_others.go

@@ -0,0 +1,13 @@
+// +build !linux,!darwin
+
+package dialer
+
+import "net"
+
+func bindIfaceToDialer(dialer *net.Dialer, ifaceName string) error {
+	return errPlatformNotSupport
+}
+
+func bindIfaceToListenConfig(lc *net.ListenConfig, ifaceName string) error {
+	return errPlatformNotSupport
+}

component/dialer/dialer.go

@@ -8,22 +8,15 @@ import (
 	"github.com/Dreamacro/clash/component/resolver"
 )
 
-func Dialer() *net.Dialer {
+func Dialer() (*net.Dialer, error) {
 	dialer := &net.Dialer{}
 	if DialerHook != nil {
-		DialerHook(dialer)
+		if err := DialerHook(dialer); err != nil {
+			return nil, err
+		}
 	}
 
-	return dialer
-}
-
-func ListenConfig() *net.ListenConfig {
-	cfg := &net.ListenConfig{}
-	if ListenConfigHook != nil {
-		ListenConfigHook(cfg)
-	}
-
-	return cfg
+	return dialer, nil
 }
 
 func Dial(network, address string) (net.Conn, error) {
@@ -38,7 +31,10 @@ func DialContext(ctx context.Context, network, address string) (net.Conn, error)
 			return nil, err
 		}
 
-		dialer := Dialer()
+		dialer, err := Dialer()
+		if err != nil {
+			return nil, err
+		}
 
 		var ip net.IP
 		switch network {
@@ -53,29 +49,32 @@ func DialContext(ctx context.Context, network, address string) (net.Conn, error)
 		}
 
 		if DialHook != nil {
-			DialHook(dialer, network, ip)
+			if err := DialHook(dialer, network, ip); err != nil {
+				return nil, err
+			}
 		}
 		return dialer.DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
 	case "tcp", "udp":
-		return dualStackDailContext(ctx, network, address)
+		return dualStackDialContext(ctx, network, address)
 	default:
 		return nil, errors.New("network invalid")
 	}
 }
 
 func ListenPacket(network, address string) (net.PacketConn, error) {
-	lc := ListenConfig()
-
-	if ListenPacketHook != nil && address == "" {
-		ip := ListenPacketHook()
-		if ip != nil {
-			address = net.JoinHostPort(ip.String(), "0")
+	cfg := &net.ListenConfig{}
+	if ListenPacketHook != nil {
+		var err error
+		address, err = ListenPacketHook(cfg, address)
+		if err != nil {
+			return nil, err
 		}
 	}
-	return lc.ListenPacket(context.Background(), network, address)
+
+	return cfg.ListenPacket(context.Background(), network, address)
 }
 
-func dualStackDailContext(ctx context.Context, network, address string) (net.Conn, error) {
+func dualStackDialContext(ctx context.Context, network, address string) (net.Conn, error) {
 	host, port, err := net.SplitHostPort(address)
 	if err != nil {
 		return nil, err
@@ -95,7 +94,6 @@ func dualStackDailContext(ctx context.Context, network, address string) (net.Con
 	var primary, fallback dialResult
 
 	startRacer := func(ctx context.Context, network, host string, ipv6 bool) {
-		dialer := Dialer()
 		result := dialResult{ipv6: ipv6, done: true}
 		defer func() {
 			select {
@@ -107,6 +105,12 @@ func dualStackDailContext(ctx context.Context, network, address string) (net.Con
 			}
 		}()
 
+		dialer, err := Dialer()
+		if err != nil {
+			result.error = err
+			return
+		}
+
 		var ip net.IP
 		if ipv6 {
 			ip, result.error = resolver.ResolveIPv6(host)
@@ -119,7 +123,9 @@ func dualStackDailContext(ctx context.Context, network, address string) (net.Con
 		result.resolved = true
 
 		if DialHook != nil {
-			DialHook(dialer, network, ip)
+			if result.error = DialHook(dialer, network, ip); result.error != nil {
+				return
+			}
 		}
 		result.Conn, result.error = dialer.DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
 	}
@@ -127,28 +133,27 @@ func dualStackDailContext(ctx context.Context, network, address string) (net.Con
 	go startRacer(ctx, network+"4", host, false)
 	go startRacer(ctx, network+"6", host, true)
 
-	for {
-		select {
-		case res := <-results:
-			if res.error == nil {
-				return res.Conn, nil
-			}
+	for res := range results {
+		if res.error == nil {
+			return res.Conn, nil
+		}
 
-			if !res.ipv6 {
-				primary = res
+		if !res.ipv6 {
+			primary = res
+		} else {
+			fallback = res
+		}
+
+		if primary.done && fallback.done {
+			if primary.resolved {
+				return nil, primary.error
+			} else if fallback.resolved {
+				return nil, fallback.error
 			} else {
-				fallback = res
-			}
-
-			if primary.done && fallback.done {
-				if primary.resolved {
-					return nil, primary.error
-				} else if fallback.resolved {
-					return nil, fallback.error
-				} else {
-					return nil, primary.error
-				}
+				return nil, primary.error
 			}
 		}
 	}
+
+	return nil, errors.New("never touched")
 }

component/dialer/hook.go

@@ -3,20 +3,15 @@ package dialer
 import (
 	"errors"
 	"net"
-	"time"
-
-	"github.com/Dreamacro/clash/common/singledo"
 )
 
-type DialerHookFunc = func(dialer *net.Dialer)
-type DialHookFunc = func(dialer *net.Dialer, network string, ip net.IP)
-type ListenConfigHookFunc = func(*net.ListenConfig)
-type ListenPacketHookFunc = func() net.IP
+type DialerHookFunc = func(dialer *net.Dialer) error
+type DialHookFunc = func(dialer *net.Dialer, network string, ip net.IP) error
+type ListenPacketHookFunc = func(lc *net.ListenConfig, address string) (string, error)
 
 var (
 	DialerHook       DialerHookFunc
 	DialHook         DialHookFunc
-	ListenConfigHook ListenConfigHookFunc
 	ListenPacketHook ListenPacketHookFunc
 )
 
@@ -25,118 +20,24 @@ var (
 	ErrNetworkNotSupport = errors.New("network not support")
 )
 
-func lookupTCPAddr(ip net.IP, addrs []net.Addr) (*net.TCPAddr, error) {
-	ipv4 := ip.To4() != nil
-
-	for _, elm := range addrs {
-		addr, ok := elm.(*net.IPNet)
-		if !ok {
-			continue
-		}
-
-		addrV4 := addr.IP.To4() != nil
-
-		if addrV4 && ipv4 {
-			return &net.TCPAddr{IP: addr.IP, Port: 0}, nil
-		} else if !addrV4 && !ipv4 {
-			return &net.TCPAddr{IP: addr.IP, Port: 0}, nil
-		}
-	}
-
-	return nil, ErrAddrNotFound
-}
-
-func lookupUDPAddr(ip net.IP, addrs []net.Addr) (*net.UDPAddr, error) {
-	ipv4 := ip.To4() != nil
-
-	for _, elm := range addrs {
-		addr, ok := elm.(*net.IPNet)
-		if !ok {
-			continue
-		}
-
-		addrV4 := addr.IP.To4() != nil
-
-		if addrV4 && ipv4 {
-			return &net.UDPAddr{IP: addr.IP, Port: 0}, nil
-		} else if !addrV4 && !ipv4 {
-			return &net.UDPAddr{IP: addr.IP, Port: 0}, nil
-		}
-	}
-
-	return nil, ErrAddrNotFound
-}
-
 func ListenPacketWithInterface(name string) ListenPacketHookFunc {
-	single := singledo.NewSingle(5 * time.Second)
-
-	return func() net.IP {
-		elm, err, _ := single.Do(func() (interface{}, error) {
-			iface, err := net.InterfaceByName(name)
-			if err != nil {
-				return nil, err
-			}
-
-			addrs, err := iface.Addrs()
-			if err != nil {
-				return nil, err
-			}
-
-			return addrs, nil
-		})
-
-		if err != nil {
-			return nil
+	return func(lc *net.ListenConfig, address string) (string, error) {
+		err := bindIfaceToListenConfig(lc, name)
+		if err == errPlatformNotSupport {
+			address, err = fallbackBindToListenConfig(name)
 		}
 
-		addrs := elm.([]net.Addr)
-
-		for _, elm := range addrs {
-			addr, ok := elm.(*net.IPNet)
-			if !ok || addr.IP.To4() == nil {
-				continue
-			}
-
-			return addr.IP
-		}
-
-		return nil
+		return address, err
 	}
 }
 
 func DialerWithInterface(name string) DialHookFunc {
-	single := singledo.NewSingle(5 * time.Second)
-
-	return func(dialer *net.Dialer, network string, ip net.IP) {
-		elm, err, _ := single.Do(func() (interface{}, error) {
-			iface, err := net.InterfaceByName(name)
-			if err != nil {
-				return nil, err
-			}
-
-			addrs, err := iface.Addrs()
-			if err != nil {
-				return nil, err
-			}
-
-			return addrs, nil
-		})
-
-		if err != nil {
-			return
+	return func(dialer *net.Dialer, network string, ip net.IP) error {
+		err := bindIfaceToDialer(dialer, name)
+		if err == errPlatformNotSupport {
+			err = fallbackBindToDialer(dialer, network, ip, name)
 		}
 
-		addrs := elm.([]net.Addr)
-
-		switch network {
-		case "tcp", "tcp4", "tcp6":
-			if addr, err := lookupTCPAddr(ip, addrs); err == nil {
-				dialer.LocalAddr = addr
-			}
-		case "udp", "udp4", "udp6":
-			if addr, err := lookupUDPAddr(ip, addrs); err == nil {
-				dialer.LocalAddr = addr
-			}
-		}
+		return err
 	}
 }

component/domain-trie/tire.go

@@ -1,92 +0,0 @@
-package trie
-
-import (
-	"errors"
-	"strings"
-)
-
-const (
-	wildcard   = "*"
-	domainStep = "."
-)
-
-var (
-	// ErrInvalidDomain means insert domain is invalid
-	ErrInvalidDomain = errors.New("invalid domain")
-)
-
-// Trie contains the main logic for adding and searching nodes for domain segments.
-// support wildcard domain (e.g *.google.com)
-type Trie struct {
-	root *Node
-}
-
-func isValidDomain(domain string) bool {
-	return domain != "" && domain[0] != '.' && domain[len(domain)-1] != '.'
-}
-
-// Insert adds a node to the trie.
-// Support
-// 1. www.example.com
-// 2. *.example.com
-// 3. subdomain.*.example.com
-func (t *Trie) Insert(domain string, data interface{}) error {
-	if !isValidDomain(domain) {
-		return ErrInvalidDomain
-	}
-
-	parts := strings.Split(domain, domainStep)
-	node := t.root
-	// reverse storage domain part to save space
-	for i := len(parts) - 1; i >= 0; i-- {
-		part := parts[i]
-		if !node.hasChild(part) {
-			node.addChild(part, newNode(nil))
-		}
-
-		node = node.getChild(part)
-	}
-
-	node.Data = data
-	return nil
-}
-
-// Search is the most important part of the Trie.
-// Priority as:
-// 1. static part
-// 2. wildcard domain
-func (t *Trie) Search(domain string) *Node {
-	if !isValidDomain(domain) {
-		return nil
-	}
-	parts := strings.Split(domain, domainStep)
-
-	n := t.root
-	for i := len(parts) - 1; i >= 0; i-- {
-		part := parts[i]
-
-		var child *Node
-		if !n.hasChild(part) {
-			if !n.hasChild(wildcard) {
-				return nil
-			}
-
-			child = n.getChild(wildcard)
-		} else {
-			child = n.getChild(part)
-		}
-
-		n = child
-	}
-
-	if n.Data == nil {
-		return nil
-	}
-
-	return n
-}
-
-// New returns a new, empty Trie.
-func New() *Trie {
-	return &Trie{root: newNode(nil)}
-}

component/domain-trie/trie_test.go

@@ -1,87 +0,0 @@
-package trie
-
-import (
-	"net"
-	"testing"
-)
-
-var localIP = net.IP{127, 0, 0, 1}
-
-func TestTrie_Basic(t *testing.T) {
-	tree := New()
-	domains := []string{
-		"example.com",
-		"google.com",
-	}
-
-	for _, domain := range domains {
-		tree.Insert(domain, localIP)
-	}
-
-	node := tree.Search("example.com")
-	if node == nil {
-		t.Error("should not recv nil")
-	}
-
-	if !node.Data.(net.IP).Equal(localIP) {
-		t.Error("should equal 127.0.0.1")
-	}
-
-	if tree.Insert("", localIP) == nil {
-		t.Error("should return error")
-	}
-}
-
-func TestTrie_Wildcard(t *testing.T) {
-	tree := New()
-	domains := []string{
-		"*.example.com",
-		"sub.*.example.com",
-		"*.dev",
-	}
-
-	for _, domain := range domains {
-		tree.Insert(domain, localIP)
-	}
-
-	if tree.Search("sub.example.com") == nil {
-		t.Error("should not recv nil")
-	}
-
-	if tree.Search("sub.foo.example.com") == nil {
-		t.Error("should not recv nil")
-	}
-
-	if tree.Search("foo.sub.example.com") != nil {
-		t.Error("should recv nil")
-	}
-
-	if tree.Search("foo.example.dev") != nil {
-		t.Error("should recv nil")
-	}
-
-	if tree.Search("example.com") != nil {
-		t.Error("should recv nil")
-	}
-}
-
-func TestTrie_Boundary(t *testing.T) {
-	tree := New()
-	tree.Insert("*.dev", localIP)
-
-	if err := tree.Insert(".", localIP); err == nil {
-		t.Error("should recv err")
-	}
-
-	if err := tree.Insert(".com", localIP); err == nil {
-		t.Error("should recv err")
-	}
-
-	if tree.Search("dev") != nil {
-		t.Error("should recv nil")
-	}
-
-	if tree.Search(".dev") != nil {
-		t.Error("should recv nil")
-	}
-}

component/fakeip/pool.go

@@ -6,7 +6,7 @@ import (
 	"sync"
 
 	"github.com/Dreamacro/clash/common/cache"
-	trie "github.com/Dreamacro/clash/component/domain-trie"
+	"github.com/Dreamacro/clash/component/trie"
 )
 
 // Pool is a implementation about fake ip generator without storage
@@ -16,7 +16,8 @@ type Pool struct {
 	gateway uint32
 	offset  uint32
 	mux     sync.Mutex
-	host    *trie.Trie
+	host    *trie.DomainTrie
+	ipnet   *net.IPNet
 	cache   *cache.LruCache
 }
 
@@ -89,6 +90,16 @@ func (p *Pool) Gateway() net.IP {
 	return uintToIP(p.gateway)
 }
 
+// IPNet return raw ipnet
+func (p *Pool) IPNet() *net.IPNet {
+	return p.ipnet
+}
+
+// PatchFrom clone cache from old pool
+func (p *Pool) PatchFrom(o *Pool) {
+	o.cache.CloneTo(p.cache)
+}
+
 func (p *Pool) get(host string) net.IP {
 	current := p.offset
 	for {
@@ -116,11 +127,11 @@ func ipToUint(ip net.IP) uint32 {
 }
 
 func uintToIP(v uint32) net.IP {
-	return net.IPv4(byte(v>>24), byte(v>>16), byte(v>>8), byte(v))
+	return net.IP{byte(v >> 24), byte(v >> 16), byte(v >> 8), byte(v)}
 }
 
 // New return Pool instance
-func New(ipnet *net.IPNet, size int, host *trie.Trie) (*Pool, error) {
+func New(ipnet *net.IPNet, size int, host *trie.DomainTrie) (*Pool, error) {
 	min := ipToUint(ipnet.IP) + 2
 
 	ones, bits := ipnet.Mask.Size()
@@ -136,6 +147,7 @@ func New(ipnet *net.IPNet, size int, host *trie.Trie) (*Pool, error) {
 		max:     max,
 		gateway: min - 1,
 		host:    host,
+		ipnet:   ipnet,
 		cache:   cache.NewLRUCache(cache.WithSize(size * 2)),
 	}, nil
 }

component/mmdb/mmdb.go

@@ -22,6 +22,14 @@ func LoadFromBytes(buffer []byte) {
 	})
 }
 
+func Verify() bool {
+	instance, err := geoip2.Open(C.Path.MMDB())
+	if err == nil {
+		instance.Close()
+	}
+	return err == nil
+}
+
 func Instance() *geoip2.Reader {
 	once.Do(func() {
 		var err error

component/nat/table.go

@@ -22,9 +22,9 @@ func (t *Table) Get(key string) C.PacketConn {
 	return item.(C.PacketConn)
 }
 
-func (t *Table) GetOrCreateLock(key string) (*sync.WaitGroup, bool) {
-	item, loaded := t.mapping.LoadOrStore(key, &sync.WaitGroup{})
-	return item.(*sync.WaitGroup), loaded
+func (t *Table) GetOrCreateLock(key string) (*sync.Cond, bool) {
+	item, loaded := t.mapping.LoadOrStore(key, sync.NewCond(&sync.Mutex{}))
+	return item.(*sync.Cond), loaded
 }
 
 func (t *Table) Delete(key string) {

component/pool/pool.go

@@ -0,0 +1,114 @@
+package pool
+
+import (
+	"context"
+	"runtime"
+	"time"
+)
+
+type Factory = func(context.Context) (interface{}, error)
+
+type entry struct {
+	elm  interface{}
+	time time.Time
+}
+
+type Option func(*pool)
+
+// WithEvict set the evict callback
+func WithEvict(cb func(interface{})) Option {
+	return func(p *pool) {
+		p.evict = cb
+	}
+}
+
+// WithAge defined element max age (millisecond)
+func WithAge(maxAge int64) Option {
+	return func(p *pool) {
+		p.maxAge = maxAge
+	}
+}
+
+// WithSize defined max size of Pool
+func WithSize(maxSize int) Option {
+	return func(p *pool) {
+		p.ch = make(chan interface{}, maxSize)
+	}
+}
+
+// Pool is for GC, see New for detail
+type Pool struct {
+	*pool
+}
+
+type pool struct {
+	ch      chan interface{}
+	factory Factory
+	evict   func(interface{})
+	maxAge  int64
+}
+
+func (p *pool) GetContext(ctx context.Context) (interface{}, error) {
+	now := time.Now()
+	for {
+		select {
+		case item := <-p.ch:
+			elm := item.(*entry)
+			if p.maxAge != 0 && now.Sub(item.(*entry).time).Milliseconds() > p.maxAge {
+				if p.evict != nil {
+					p.evict(elm.elm)
+				}
+				continue
+			}
+
+			return elm.elm, nil
+		default:
+			return p.factory(ctx)
+		}
+	}
+}
+
+func (p *pool) Get() (interface{}, error) {
+	return p.GetContext(context.Background())
+}
+
+func (p *pool) Put(item interface{}) {
+	e := &entry{
+		elm:  item,
+		time: time.Now(),
+	}
+
+	select {
+	case p.ch <- e:
+		return
+	default:
+		// pool is full
+		if p.evict != nil {
+			p.evict(item)
+		}
+		return
+	}
+}
+
+func recycle(p *Pool) {
+	for item := range p.pool.ch {
+		if p.pool.evict != nil {
+			p.pool.evict(item.(*entry).elm)
+		}
+	}
+}
+
+func New(factory Factory, options ...Option) *Pool {
+	p := &pool{
+		ch:      make(chan interface{}, 10),
+		factory: factory,
+	}
+
+	for _, option := range options {
+		option(p)
+	}
+
+	P := &Pool{p}
+	runtime.SetFinalizer(P, recycle)
+	return P
+}

component/pool/pool_test.go

@@ -0,0 +1,73 @@
+package pool
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func lg() Factory {
+	initial := -1
+	return func(context.Context) (interface{}, error) {
+		initial++
+		return initial, nil
+	}
+}
+
+func TestPool_Basic(t *testing.T) {
+	g := lg()
+	pool := New(g)
+
+	elm, _ := pool.Get()
+	assert.Equal(t, 0, elm.(int))
+	pool.Put(elm)
+	elm, _ = pool.Get()
+	assert.Equal(t, 0, elm.(int))
+	elm, _ = pool.Get()
+	assert.Equal(t, 1, elm.(int))
+}
+
+func TestPool_MaxSize(t *testing.T) {
+	g := lg()
+	size := 5
+	pool := New(g, WithSize(size))
+
+	items := []interface{}{}
+
+	for i := 0; i < size; i++ {
+		item, _ := pool.Get()
+		items = append(items, item)
+	}
+
+	extra, _ := pool.Get()
+	assert.Equal(t, size, extra.(int))
+
+	for _, item := range items {
+		pool.Put(item)
+	}
+
+	pool.Put(extra)
+
+	for _, item := range items {
+		elm, _ := pool.Get()
+		assert.Equal(t, item.(int), elm.(int))
+	}
+}
+
+func TestPool_MaxAge(t *testing.T) {
+	g := lg()
+	pool := New(g, WithAge(20))
+
+	elm, _ := pool.Get()
+	pool.Put(elm)
+
+	elm, _ = pool.Get()
+	assert.Equal(t, 0, elm.(int))
+	pool.Put(elm)
+
+	time.Sleep(time.Millisecond * 22)
+	elm, _ = pool.Get()
+	assert.Equal(t, 1, elm.(int))
+}

component/process/process.go

@@ -0,0 +1,21 @@
+package process
+
+import (
+	"errors"
+	"net"
+)
+
+var (
+	ErrInvalidNetwork     = errors.New("invalid network")
+	ErrPlatformNotSupport = errors.New("not support on this platform")
+	ErrNotFound           = errors.New("process not found")
+)
+
+const (
+	TCP = "tcp"
+	UDP = "udp"
+)
+
+func FindProcessName(network string, srcIP net.IP, srcPort int) (string, error) {
+	return findProcessName(network, srcIP, srcPort)
+}

component/process/process_darwin.go

@@ -0,0 +1,107 @@
+package process
+
+import (
+	"bytes"
+	"encoding/binary"
+	"net"
+	"path/filepath"
+	"syscall"
+	"unsafe"
+)
+
+const (
+	procpidpathinfo     = 0xb
+	procpidpathinfosize = 1024
+	proccallnumpidinfo  = 0x2
+)
+
+func findProcessName(network string, ip net.IP, port int) (string, error) {
+	var spath string
+	switch network {
+	case TCP:
+		spath = "net.inet.tcp.pcblist_n"
+	case UDP:
+		spath = "net.inet.udp.pcblist_n"
+	default:
+		return "", ErrInvalidNetwork
+	}
+
+	isIPv4 := ip.To4() != nil
+
+	value, err := syscall.Sysctl(spath)
+	if err != nil {
+		return "", err
+	}
+
+	buf := []byte(value)
+
+	// from darwin-xnu/bsd/netinet/in_pcblist.c:get_pcblist_n
+	// size/offset are round up (aligned) to 8 bytes in darwin
+	// rup8(sizeof(xinpcb_n)) + rup8(sizeof(xsocket_n)) +
+	// 2 * rup8(sizeof(xsockbuf_n)) + rup8(sizeof(xsockstat_n))
+	itemSize := 384
+	if network == TCP {
+		// rup8(sizeof(xtcpcb_n))
+		itemSize += 208
+	}
+	// skip the first xinpgen(24 bytes) block
+	for i := 24; i+itemSize <= len(buf); i += itemSize {
+		// offset of xinpcb_n and xsocket_n
+		inp, so := i, i+104
+
+		srcPort := binary.BigEndian.Uint16(buf[inp+18 : inp+20])
+		if uint16(port) != srcPort {
+			continue
+		}
+
+		// xinpcb_n.inp_vflag
+		flag := buf[inp+44]
+
+		var srcIP net.IP
+		switch {
+		case flag&0x1 > 0 && isIPv4:
+			// ipv4
+			srcIP = net.IP(buf[inp+76 : inp+80])
+		case flag&0x2 > 0 && !isIPv4:
+			// ipv6
+			srcIP = net.IP(buf[inp+64 : inp+80])
+		default:
+			continue
+		}
+
+		if !ip.Equal(srcIP) {
+			continue
+		}
+
+		// xsocket_n.so_last_pid
+		pid := readNativeUint32(buf[so+68 : so+72])
+		return getExecPathFromPID(pid)
+	}
+
+	return "", ErrNotFound
+}
+
+func getExecPathFromPID(pid uint32) (string, error) {
+	buf := make([]byte, procpidpathinfosize)
+	_, _, errno := syscall.Syscall6(
+		syscall.SYS_PROC_INFO,
+		proccallnumpidinfo,
+		uintptr(pid),
+		procpidpathinfo,
+		0,
+		uintptr(unsafe.Pointer(&buf[0])),
+		procpidpathinfosize)
+	if errno != 0 {
+		return "", errno
+	}
+	firstZero := bytes.IndexByte(buf, 0)
+	if firstZero <= 0 {
+		return "", nil
+	}
+
+	return filepath.Base(string(buf[:firstZero])), nil
+}
+
+func readNativeUint32(b []byte) uint32 {
+	return *(*uint32)(unsafe.Pointer(&b[0]))
+}

component/process/process_freebsd_amd64.go

@@ -0,0 +1,228 @@
+package process
+
+import (
+	"encoding/binary"
+	"fmt"
+	"net"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"sync"
+	"syscall"
+	"unsafe"
+
+	"github.com/Dreamacro/clash/log"
+)
+
+// store process name for when dealing with multiple PROCESS-NAME rules
+var (
+	defaultSearcher *searcher
+
+	once sync.Once
+)
+
+func findProcessName(network string, ip net.IP, srcPort int) (string, error) {
+	once.Do(func() {
+		if err := initSearcher(); err != nil {
+			log.Errorln("Initialize PROCESS-NAME failed: %s", err.Error())
+			log.Warnln("All PROCESS-NAME rules will be skipped")
+			return
+		}
+	})
+
+	var spath string
+	isTCP := network == TCP
+	switch network {
+	case TCP:
+		spath = "net.inet.tcp.pcblist"
+	case UDP:
+		spath = "net.inet.udp.pcblist"
+	default:
+		return "", ErrInvalidNetwork
+	}
+
+	value, err := syscall.Sysctl(spath)
+	if err != nil {
+		return "", err
+	}
+
+	buf := []byte(value)
+	pid, err := defaultSearcher.Search(buf, ip, uint16(srcPort), isTCP)
+	if err != nil {
+		return "", err
+	}
+
+	return getExecPathFromPID(pid)
+}
+
+func getExecPathFromPID(pid uint32) (string, error) {
+	buf := make([]byte, 2048)
+	size := uint64(len(buf))
+	// CTL_KERN, KERN_PROC, KERN_PROC_PATHNAME, pid
+	mib := [4]uint32{1, 14, 12, pid}
+
+	_, _, errno := syscall.Syscall6(
+		syscall.SYS___SYSCTL,
+		uintptr(unsafe.Pointer(&mib[0])),
+		uintptr(len(mib)),
+		uintptr(unsafe.Pointer(&buf[0])),
+		uintptr(unsafe.Pointer(&size)),
+		0,
+		0)
+	if errno != 0 || size == 0 {
+		return "", errno
+	}
+
+	return filepath.Base(string(buf[:size-1])), nil
+}
+
+func readNativeUint32(b []byte) uint32 {
+	return *(*uint32)(unsafe.Pointer(&b[0]))
+}
+
+type searcher struct {
+	// sizeof(struct xinpgen)
+	headSize int
+	// sizeof(struct xtcpcb)
+	tcpItemSize int
+	// sizeof(struct xinpcb)
+	udpItemSize  int
+	udpInpOffset int
+	port         int
+	ip           int
+	vflag        int
+	socket       int
+
+	// sizeof(struct xfile)
+	fileItemSize int
+	data         int
+	pid          int
+}
+
+func (s *searcher) Search(buf []byte, ip net.IP, port uint16, isTCP bool) (uint32, error) {
+	var itemSize int
+	var inpOffset int
+
+	if isTCP {
+		// struct xtcpcb
+		itemSize = s.tcpItemSize
+		inpOffset = 8
+	} else {
+		// struct xinpcb
+		itemSize = s.udpItemSize
+		inpOffset = s.udpInpOffset
+	}
+
+	isIPv4 := ip.To4() != nil
+	// skip the first xinpgen block
+	for i := s.headSize; i+itemSize <= len(buf); i += itemSize {
+		inp := i + inpOffset
+
+		srcPort := binary.BigEndian.Uint16(buf[inp+s.port : inp+s.port+2])
+
+		if port != srcPort {
+			continue
+		}
+
+		// xinpcb.inp_vflag
+		flag := buf[inp+s.vflag]
+
+		var srcIP net.IP
+		switch {
+		case flag&0x1 > 0 && isIPv4:
+			// ipv4
+			srcIP = net.IP(buf[inp+s.ip : inp+s.ip+4])
+		case flag&0x2 > 0 && !isIPv4:
+			// ipv6
+			srcIP = net.IP(buf[inp+s.ip-12 : inp+s.ip+4])
+		default:
+			continue
+		}
+
+		if !ip.Equal(srcIP) {
+			continue
+		}
+
+		// xsocket.xso_so, interpreted as big endian anyway since it's only used for comparison
+		socket := binary.BigEndian.Uint64(buf[inp+s.socket : inp+s.socket+8])
+		return s.searchSocketPid(socket)
+	}
+	return 0, ErrNotFound
+}
+
+func (s *searcher) searchSocketPid(socket uint64) (uint32, error) {
+	value, err := syscall.Sysctl("kern.file")
+	if err != nil {
+		return 0, err
+	}
+
+	buf := []byte(value)
+
+	// struct xfile
+	itemSize := s.fileItemSize
+	for i := 0; i+itemSize <= len(buf); i += itemSize {
+		// xfile.xf_data
+		data := binary.BigEndian.Uint64(buf[i+s.data : i+s.data+8])
+		if data == socket {
+			// xfile.xf_pid
+			pid := readNativeUint32(buf[i+s.pid : i+s.pid+4])
+			return pid, nil
+		}
+	}
+	return 0, ErrNotFound
+}
+
+func newSearcher(major int) *searcher {
+	var s *searcher = nil
+	switch major {
+	case 11:
+		s = &searcher{
+			headSize:     32,
+			tcpItemSize:  1304,
+			udpItemSize:  632,
+			port:         198,
+			ip:           228,
+			vflag:        116,
+			socket:       88,
+			fileItemSize: 80,
+			data:         56,
+			pid:          8,
+			udpInpOffset: 8,
+		}
+	case 12:
+		s = &searcher{
+			headSize:     64,
+			tcpItemSize:  744,
+			udpItemSize:  400,
+			port:         254,
+			ip:           284,
+			vflag:        392,
+			socket:       16,
+			fileItemSize: 128,
+			data:         56,
+			pid:          8,
+		}
+	}
+	return s
+}
+
+func initSearcher() error {
+	osRelease, err := syscall.Sysctl("kern.osrelease")
+	if err != nil {
+		return err
+	}
+
+	dot := strings.Index(osRelease, ".")
+	if dot != -1 {
+		osRelease = osRelease[:dot]
+	}
+	major, err := strconv.Atoi(osRelease)
+	if err != nil {
+		return err
+	}
+	defaultSearcher = newSearcher(major)
+	if defaultSearcher == nil {
+		return fmt.Errorf("unsupported freebsd version %d", major)
+	}
+	return nil
+}

component/process/process_linux.go

@@ -0,0 +1,238 @@
+package process
+
+import (
+	"bytes"
+	"encoding/binary"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net"
+	"path"
+	"path/filepath"
+	"syscall"
+	"unsafe"
+
+	"github.com/Dreamacro/clash/common/pool"
+)
+
+// from https://github.com/vishvananda/netlink/blob/bca67dfc8220b44ef582c9da4e9172bf1c9ec973/nl/nl_linux.go#L52-L62
+func init() {
+	var x uint32 = 0x01020304
+	if *(*byte)(unsafe.Pointer(&x)) == 0x01 {
+		nativeEndian = binary.BigEndian
+	} else {
+		nativeEndian = binary.LittleEndian
+	}
+}
+
+type SocketResolver func(network string, ip net.IP, srcPort int) (inode, uid int, err error)
+type ProcessNameResolver func(inode, uid int) (name string, err error)
+
+// export for android
+var (
+	DefaultSocketResolver      SocketResolver      = resolveSocketByNetlink
+	DefaultProcessNameResolver ProcessNameResolver = resolveProcessNameByProcSearch
+)
+
+const (
+	sizeOfSocketDiagRequest = syscall.SizeofNlMsghdr + 8 + 48
+	socketDiagByFamily      = 20
+	pathProc                = "/proc"
+)
+
+var nativeEndian binary.ByteOrder = binary.LittleEndian
+
+func findProcessName(network string, ip net.IP, srcPort int) (string, error) {
+	inode, uid, err := DefaultSocketResolver(network, ip, srcPort)
+	if err != nil {
+		return "", err
+	}
+
+	return DefaultProcessNameResolver(inode, uid)
+}
+
+func resolveSocketByNetlink(network string, ip net.IP, srcPort int) (int, int, error) {
+	var family byte
+	var protocol byte
+
+	switch network {
+	case TCP:
+		protocol = syscall.IPPROTO_TCP
+	case UDP:
+		protocol = syscall.IPPROTO_UDP
+	default:
+		return 0, 0, ErrInvalidNetwork
+	}
+
+	if ip.To4() != nil {
+		family = syscall.AF_INET
+	} else {
+		family = syscall.AF_INET6
+	}
+
+	req := packSocketDiagRequest(family, protocol, ip, uint16(srcPort))
+
+	socket, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_DGRAM, syscall.NETLINK_INET_DIAG)
+	if err != nil {
+		return 0, 0, err
+	}
+	defer syscall.Close(socket)
+
+	syscall.SetNonblock(socket, true)
+	syscall.SetsockoptTimeval(socket, syscall.SOL_SOCKET, syscall.SO_SNDTIMEO, &syscall.Timeval{Usec: 50})
+	syscall.SetsockoptTimeval(socket, syscall.SOL_SOCKET, syscall.SO_RCVTIMEO, &syscall.Timeval{Usec: 50})
+
+	if err := syscall.Connect(socket, &syscall.SockaddrNetlink{
+		Family: syscall.AF_NETLINK,
+		Pad:    0,
+		Pid:    0,
+		Groups: 0,
+	}); err != nil {
+		return 0, 0, err
+	}
+
+	if _, err := syscall.Write(socket, req); err != nil {
+		return 0, 0, err
+	}
+
+	rb := pool.Get(pool.RelayBufferSize)
+	defer pool.Put(rb)
+
+	n, err := syscall.Read(socket, rb)
+	if err != nil {
+		return 0, 0, err
+	}
+
+	messages, err := syscall.ParseNetlinkMessage(rb[:n])
+	if err != nil {
+		return 0, 0, err
+	} else if len(messages) == 0 {
+		return 0, 0, io.ErrUnexpectedEOF
+	}
+
+	message := messages[0]
+	if message.Header.Type&syscall.NLMSG_ERROR != 0 {
+		return 0, 0, syscall.ESRCH
+	}
+
+	uid, inode := unpackSocketDiagResponse(&messages[0])
+
+	return int(uid), int(inode), nil
+}
+
+func packSocketDiagRequest(family, protocol byte, source net.IP, sourcePort uint16) []byte {
+	s := make([]byte, 16)
+
+	if v4 := source.To4(); v4 != nil {
+		copy(s, v4)
+	} else {
+		copy(s, source)
+	}
+
+	buf := make([]byte, sizeOfSocketDiagRequest)
+
+	nativeEndian.PutUint32(buf[0:4], sizeOfSocketDiagRequest)
+	nativeEndian.PutUint16(buf[4:6], socketDiagByFamily)
+	nativeEndian.PutUint16(buf[6:8], syscall.NLM_F_REQUEST|syscall.NLM_F_DUMP)
+	nativeEndian.PutUint32(buf[8:12], 0)
+	nativeEndian.PutUint32(buf[12:16], 0)
+
+	buf[16] = family
+	buf[17] = protocol
+	buf[18] = 0
+	buf[19] = 0
+	nativeEndian.PutUint32(buf[20:24], 0xFFFFFFFF)
+
+	binary.BigEndian.PutUint16(buf[24:26], sourcePort)
+	binary.BigEndian.PutUint16(buf[26:28], 0)
+
+	copy(buf[28:44], s)
+	copy(buf[44:60], net.IPv6zero)
+
+	nativeEndian.PutUint32(buf[60:64], 0)
+	nativeEndian.PutUint64(buf[64:72], 0xFFFFFFFFFFFFFFFF)
+
+	return buf
+}
+
+func unpackSocketDiagResponse(msg *syscall.NetlinkMessage) (inode, uid uint32) {
+	if len(msg.Data) < 72 {
+		return 0, 0
+	}
+
+	data := msg.Data
+
+	uid = nativeEndian.Uint32(data[64:68])
+	inode = nativeEndian.Uint32(data[68:72])
+
+	return
+}
+
+func resolveProcessNameByProcSearch(inode, uid int) (string, error) {
+	files, err := ioutil.ReadDir(pathProc)
+	if err != nil {
+		return "", err
+	}
+
+	buffer := make([]byte, syscall.PathMax)
+	socket := []byte(fmt.Sprintf("socket:[%d]", inode))
+
+	for _, f := range files {
+		if !f.IsDir() || !isPid(f.Name()) {
+			continue
+		}
+
+		if f.Sys().(*syscall.Stat_t).Uid != uint32(uid) {
+			continue
+		}
+
+		processPath := path.Join(pathProc, f.Name())
+		fdPath := path.Join(processPath, "fd")
+
+		fds, err := ioutil.ReadDir(fdPath)
+		if err != nil {
+			continue
+		}
+
+		for _, fd := range fds {
+			n, err := syscall.Readlink(path.Join(fdPath, fd.Name()), buffer)
+			if err != nil {
+				continue
+			}
+
+			if bytes.Equal(buffer[:n], socket) {
+				cmdline, err := ioutil.ReadFile(path.Join(processPath, "cmdline"))
+				if err != nil {
+					return "", err
+				}
+
+				return splitCmdline(cmdline), nil
+			}
+		}
+	}
+
+	return "", syscall.ESRCH
+}
+
+func splitCmdline(cmdline []byte) string {
+	indexOfEndOfString := len(cmdline)
+
+	for i, c := range cmdline {
+		if c == 0 {
+			indexOfEndOfString = i
+			break
+		}
+	}
+
+	return filepath.Base(string(cmdline[:indexOfEndOfString]))
+}
+
+func isPid(s string) bool {
+	for _, s := range s {
+		if s < '0' || s > '9' {
+			return false
+		}
+	}
+
+	return true
+}

component/process/process_other.go

@@ -0,0 +1,10 @@
+// +build !darwin,!linux,!windows
+// +build !freebsd !amd64
+
+package process
+
+import "net"
+
+func findProcessName(network string, ip net.IP, srcPort int) (string, error) {
+	return "", ErrPlatformNotSupport
+}

component/process/process_windows.go

@@ -0,0 +1,224 @@
+package process
+
+import (
+	"fmt"
+	"net"
+	"path/filepath"
+	"sync"
+	"syscall"
+	"unsafe"
+
+	"github.com/Dreamacro/clash/log"
+
+	"golang.org/x/sys/windows"
+)
+
+const (
+	tcpTableFunc      = "GetExtendedTcpTable"
+	tcpTablePidConn   = 4
+	udpTableFunc      = "GetExtendedUdpTable"
+	udpTablePid       = 1
+	queryProcNameFunc = "QueryFullProcessImageNameW"
+)
+
+var (
+	getExTcpTable uintptr
+	getExUdpTable uintptr
+	queryProcName uintptr
+
+	once sync.Once
+)
+
+func initWin32API() error {
+	h, err := windows.LoadLibrary("iphlpapi.dll")
+	if err != nil {
+		return fmt.Errorf("LoadLibrary iphlpapi.dll failed: %s", err.Error())
+	}
+
+	getExTcpTable, err = windows.GetProcAddress(h, tcpTableFunc)
+	if err != nil {
+		return fmt.Errorf("GetProcAddress of %s failed: %s", tcpTableFunc, err.Error())
+	}
+
+	getExUdpTable, err = windows.GetProcAddress(h, udpTableFunc)
+	if err != nil {
+		return fmt.Errorf("GetProcAddress of %s failed: %s", udpTableFunc, err.Error())
+	}
+
+	h, err = windows.LoadLibrary("kernel32.dll")
+	if err != nil {
+		return fmt.Errorf("LoadLibrary kernel32.dll failed: %s", err.Error())
+	}
+
+	queryProcName, err = windows.GetProcAddress(h, queryProcNameFunc)
+	if err != nil {
+		return fmt.Errorf("GetProcAddress of %s failed: %s", queryProcNameFunc, err.Error())
+	}
+
+	return nil
+}
+
+func findProcessName(network string, ip net.IP, srcPort int) (string, error) {
+	once.Do(func() {
+		err := initWin32API()
+		if err != nil {
+			log.Errorln("Initialize PROCESS-NAME failed: %s", err.Error())
+			log.Warnln("All PROCESS-NAMES rules will be skiped")
+			return
+		}
+	})
+	family := windows.AF_INET
+	if ip.To4() == nil {
+		family = windows.AF_INET6
+	}
+
+	var class int
+	var fn uintptr
+	switch network {
+	case TCP:
+		fn = getExTcpTable
+		class = tcpTablePidConn
+	case UDP:
+		fn = getExUdpTable
+		class = udpTablePid
+	default:
+		return "", ErrInvalidNetwork
+	}
+
+	buf, err := getTransportTable(fn, family, class)
+	if err != nil {
+		return "", err
+	}
+
+	s := newSearcher(family == windows.AF_INET, network == TCP)
+
+	pid, err := s.Search(buf, ip, uint16(srcPort))
+	if err != nil {
+		return "", err
+	}
+	return getExecPathFromPID(pid)
+}
+
+type searcher struct {
+	itemSize int
+	port     int
+	ip       int
+	ipSize   int
+	pid      int
+	tcpState int
+}
+
+func (s *searcher) Search(b []byte, ip net.IP, port uint16) (uint32, error) {
+	n := int(readNativeUint32(b[:4]))
+	itemSize := s.itemSize
+	for i := 0; i < n; i++ {
+		row := b[4+itemSize*i : 4+itemSize*(i+1)]
+
+		if s.tcpState >= 0 {
+			tcpState := readNativeUint32(row[s.tcpState : s.tcpState+4])
+			// MIB_TCP_STATE_ESTAB, only check established connections for TCP
+			if tcpState != 5 {
+				continue
+			}
+		}
+
+		// according to MSDN, only the lower 16 bits of dwLocalPort are used and the port number is in network endian.
+		// this field can be illustrated as follows depends on different machine endianess:
+		//     little endian: [ MSB LSB  0   0  ]   interpret as native uint32 is ((LSB<<8)|MSB)
+		//       big  endian: [  0   0  MSB LSB ]   interpret as native uint32 is ((MSB<<8)|LSB)
+		// so we need an syscall.Ntohs on the lower 16 bits after read the port as native uint32
+		srcPort := syscall.Ntohs(uint16(readNativeUint32(row[s.port : s.port+4])))
+		if srcPort != port {
+			continue
+		}
+
+		srcIP := net.IP(row[s.ip : s.ip+s.ipSize])
+		// windows binds an unbound udp socket to 0.0.0.0/[::] while first sendto
+		if !ip.Equal(srcIP) && (!srcIP.IsUnspecified() || s.tcpState != -1) {
+			continue
+		}
+
+		pid := readNativeUint32(row[s.pid : s.pid+4])
+		return pid, nil
+	}
+	return 0, ErrNotFound
+}
+
+func newSearcher(isV4, isTCP bool) *searcher {
+	var itemSize, port, ip, ipSize, pid int
+	tcpState := -1
+	switch {
+	case isV4 && isTCP:
+		// struct MIB_TCPROW_OWNER_PID
+		itemSize, port, ip, ipSize, pid, tcpState = 24, 8, 4, 4, 20, 0
+	case isV4 && !isTCP:
+		// struct MIB_UDPROW_OWNER_PID
+		itemSize, port, ip, ipSize, pid = 12, 4, 0, 4, 8
+	case !isV4 && isTCP:
+		// struct MIB_TCP6ROW_OWNER_PID
+		itemSize, port, ip, ipSize, pid, tcpState = 56, 20, 0, 16, 52, 48
+	case !isV4 && !isTCP:
+		// struct MIB_UDP6ROW_OWNER_PID
+		itemSize, port, ip, ipSize, pid = 28, 20, 0, 16, 24
+	}
+
+	return &searcher{
+		itemSize: itemSize,
+		port:     port,
+		ip:       ip,
+		ipSize:   ipSize,
+		pid:      pid,
+		tcpState: tcpState,
+	}
+}
+
+func getTransportTable(fn uintptr, family int, class int) ([]byte, error) {
+	for size, buf := uint32(8), make([]byte, 8); ; {
+		ptr := unsafe.Pointer(&buf[0])
+		err, _, _ := syscall.Syscall6(fn, 6, uintptr(ptr), uintptr(unsafe.Pointer(&size)), 0, uintptr(family), uintptr(class), 0)
+
+		switch err {
+		case 0:
+			return buf, nil
+		case uintptr(syscall.ERROR_INSUFFICIENT_BUFFER):
+			buf = make([]byte, size)
+		default:
+			return nil, fmt.Errorf("syscall error: %d", err)
+		}
+	}
+}
+
+func readNativeUint32(b []byte) uint32 {
+	return *(*uint32)(unsafe.Pointer(&b[0]))
+}
+
+func getExecPathFromPID(pid uint32) (string, error) {
+	// kernel process starts with a colon in order to distinguish with normal processes
+	switch pid {
+	case 0:
+		// reserved pid for system idle process
+		return ":System Idle Process", nil
+	case 4:
+		// reserved pid for windows kernel image
+		return ":System", nil
+	}
+	h, err := windows.OpenProcess(windows.PROCESS_QUERY_LIMITED_INFORMATION, false, pid)
+	if err != nil {
+		return "", err
+	}
+	defer windows.CloseHandle(h)
+
+	buf := make([]uint16, syscall.MAX_LONG_PATH)
+	size := uint32(len(buf))
+	r1, _, err := syscall.Syscall6(
+		queryProcName, 4,
+		uintptr(h),
+		uintptr(1),
+		uintptr(unsafe.Pointer(&buf[0])),
+		uintptr(unsafe.Pointer(&size)),
+		0, 0)
+	if r1 == 0 {
+		return "", err
+	}
+	return filepath.Base(syscall.UTF16ToString(buf[:size])), nil
+}

component/resolver/enhancer.go

@@ -0,0 +1,55 @@
+package resolver
+
+import (
+	"net"
+)
+
+var DefaultHostMapper Enhancer
+
+type Enhancer interface {
+	FakeIPEnabled() bool
+	MappingEnabled() bool
+	IsFakeIP(net.IP) bool
+	IsExistFakeIP(net.IP) bool
+	FindHostByIP(net.IP) (string, bool)
+}
+
+func FakeIPEnabled() bool {
+	if mapper := DefaultHostMapper; mapper != nil {
+		return mapper.FakeIPEnabled()
+	}
+
+	return false
+}
+
+func MappingEnabled() bool {
+	if mapper := DefaultHostMapper; mapper != nil {
+		return mapper.MappingEnabled()
+	}
+
+	return false
+}
+
+func IsFakeIP(ip net.IP) bool {
+	if mapper := DefaultHostMapper; mapper != nil {
+		return mapper.IsFakeIP(ip)
+	}
+
+	return false
+}
+
+func IsExistFakeIP(ip net.IP) bool {
+	if mapper := DefaultHostMapper; mapper != nil {
+		return mapper.IsExistFakeIP(ip)
+	}
+
+	return false
+}
+
+func FindHostByIP(ip net.IP) (string, bool) {
+	if mapper := DefaultHostMapper; mapper != nil {
+		return mapper.FindHostByIP(ip)
+	}
+
+	return "", false
+}

component/resolver/resolver.go

@@ -5,20 +5,25 @@ import (
 	"net"
 	"strings"
 
-	trie "github.com/Dreamacro/clash/component/domain-trie"
+	"github.com/Dreamacro/clash/component/trie"
 )
 
 var (
 	// DefaultResolver aim to resolve ip
 	DefaultResolver Resolver
 
+	// DisableIPv6 means don't resolve ipv6 host
+	// default value is true
+	DisableIPv6 = true
+
 	// DefaultHosts aim to resolve hosts
 	DefaultHosts = trie.New()
 )
 
 var (
-	ErrIPNotFound = errors.New("couldn't find ip")
-	ErrIPVersion  = errors.New("ip version error")
+	ErrIPNotFound   = errors.New("couldn't find ip")
+	ErrIPVersion    = errors.New("ip version error")
+	ErrIPv6Disabled = errors.New("ipv6 disabled")
 )
 
 type Resolver interface {
@@ -63,6 +68,10 @@ func ResolveIPv4(host string) (net.IP, error) {
 
 // ResolveIPv6 with a host, return ipv6
 func ResolveIPv6(host string) (net.IP, error) {
+	if DisableIPv6 {
+		return nil, ErrIPv6Disabled
+	}
+
 	if node := DefaultHosts.Search(host); node != nil {
 		if ip := node.Data.(net.IP).To16(); ip != nil {
 			return ip, nil
@@ -102,7 +111,12 @@ func ResolveIP(host string) (net.IP, error) {
 	}
 
 	if DefaultResolver != nil {
+		if DisableIPv6 {
+			return DefaultResolver.ResolveIPv4(host)
+		}
 		return DefaultResolver.ResolveIP(host)
+	} else if DisableIPv6 {
+		return ResolveIPv4(host)
 	}
 
 	ip := net.ParseIP(host)

component/simple-obfs/http.go

@@ -28,21 +28,22 @@ func (ho *HTTPObfs) Read(b []byte) (int, error) {
 		n := copy(b, ho.buf[ho.offset:])
 		ho.offset += n
 		if ho.offset == len(ho.buf) {
+			pool.Put(ho.buf)
 			ho.buf = nil
 		}
 		return n, nil
 	}
 
 	if ho.firstResponse {
-		buf := pool.BufPool.Get().([]byte)
+		buf := pool.Get(pool.RelayBufferSize)
 		n, err := ho.Conn.Read(buf)
 		if err != nil {
-			pool.BufPool.Put(buf[:cap(buf)])
+			pool.Put(buf)
 			return 0, err
 		}
 		idx := bytes.Index(buf[:n], []byte("\r\n\r\n"))
 		if idx == -1 {
-			pool.BufPool.Put(buf[:cap(buf)])
+			pool.Put(buf)
 			return 0, io.EOF
 		}
 		ho.firstResponse = false
@@ -52,7 +53,7 @@ func (ho *HTTPObfs) Read(b []byte) (int, error) {
 			ho.buf = buf[:idx+4+length]
 			ho.offset = idx + 4 + n
 		} else {
-			pool.BufPool.Put(buf[:cap(buf)])
+			pool.Put(buf)
 		}
 		return n, nil
 	}
@@ -67,7 +68,10 @@ func (ho *HTTPObfs) Write(b []byte) (int, error) {
 		req.Header.Set("User-Agent", fmt.Sprintf("curl/7.%d.%d", rand.Int()%54, rand.Int()%2))
 		req.Header.Set("Upgrade", "websocket")
 		req.Header.Set("Connection", "Upgrade")
-		req.Host = fmt.Sprintf("%s:%s", ho.host, ho.port)
+		req.Host = ho.host
+		if ho.port != "80" {
+			req.Host = fmt.Sprintf("%s:%s", ho.host, ho.port)
+		}
 		req.Header.Set("Sec-WebSocket-Key", base64.URLEncoding.EncodeToString(randBytes))
 		req.ContentLength = int64(len(b))
 		err := req.Write(ho.Conn)

component/simple-obfs/tls.go

@@ -29,12 +29,12 @@ type TLSObfs struct {
 }
 
 func (to *TLSObfs) read(b []byte, discardN int) (int, error) {
-	buf := pool.BufPool.Get().([]byte)
-	_, err := io.ReadFull(to.Conn, buf[:discardN])
+	buf := pool.Get(discardN)
+	_, err := io.ReadFull(to.Conn, buf)
 	if err != nil {
 		return 0, err
 	}
-	pool.BufPool.Put(buf[:cap(buf)])
+	pool.Put(buf)
 
 	sizeBuf := make([]byte, 2)
 	_, err = io.ReadFull(to.Conn, sizeBuf)
@@ -102,15 +102,11 @@ func (to *TLSObfs) write(b []byte) (int, error) {
 		return len(b), err
 	}
 
-	size := pool.BufPool.Get().([]byte)
-	binary.BigEndian.PutUint16(size[:2], uint16(len(b)))
-
 	buf := &bytes.Buffer{}
 	buf.Write([]byte{0x17, 0x03, 0x03})
-	buf.Write(size[:2])
+	binary.Write(buf, binary.BigEndian, uint16(len(b)))
 	buf.Write(b)
 	_, err := to.Conn.Write(buf.Bytes())
-	pool.BufPool.Put(size[:cap(size)])
 	return len(b), err
 }
 

component/snell/cipher.go

@@ -1,21 +1,54 @@
 package snell
 
 import (
+	"crypto/aes"
 	"crypto/cipher"
 
+	"github.com/Dreamacro/go-shadowsocks2/shadowaead"
 	"golang.org/x/crypto/argon2"
+	"golang.org/x/crypto/chacha20poly1305"
 )
 
 type snellCipher struct {
 	psk      []byte
+	keySize  int
 	makeAEAD func(key []byte) (cipher.AEAD, error)
 }
 
-func (sc *snellCipher) KeySize() int  { return 32 }
+func (sc *snellCipher) KeySize() int  { return sc.keySize }
 func (sc *snellCipher) SaltSize() int { return 16 }
 func (sc *snellCipher) Encrypter(salt []byte) (cipher.AEAD, error) {
-	return sc.makeAEAD(argon2.IDKey(sc.psk, salt, 3, 8, 1, uint32(sc.KeySize())))
+	return sc.makeAEAD(snellKDF(sc.psk, salt, sc.KeySize()))
 }
 func (sc *snellCipher) Decrypter(salt []byte) (cipher.AEAD, error) {
-	return sc.makeAEAD(argon2.IDKey(sc.psk, salt, 3, 8, 1, uint32(sc.KeySize())))
+	return sc.makeAEAD(snellKDF(sc.psk, salt, sc.KeySize()))
+}
+
+func snellKDF(psk, salt []byte, keySize int) []byte {
+	// snell use a special kdf function
+	return argon2.IDKey(psk, salt, 3, 8, 1, 32)[:keySize]
+}
+
+func aesGCM(key []byte) (cipher.AEAD, error) {
+	blk, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+	return cipher.NewGCM(blk)
+}
+
+func NewAES128GCM(psk []byte) shadowaead.Cipher {
+	return &snellCipher{
+		psk:      psk,
+		keySize:  16,
+		makeAEAD: aesGCM,
+	}
+}
+
+func NewChacha20Poly1305(psk []byte) shadowaead.Cipher {
+	return &snellCipher{
+		psk:      psk,
+		keySize:  32,
+		makeAEAD: chacha20poly1305.New,
+	}
 }

component/snell/pool.go

@@ -0,0 +1,80 @@
+package snell
+
+import (
+	"context"
+	"net"
+
+	"github.com/Dreamacro/clash/component/pool"
+	"github.com/Dreamacro/go-shadowsocks2/shadowaead"
+)
+
+type Pool struct {
+	pool *pool.Pool
+}
+
+func (p *Pool) Get() (net.Conn, error) {
+	return p.GetContext(context.Background())
+}
+
+func (p *Pool) GetContext(ctx context.Context) (net.Conn, error) {
+	elm, err := p.pool.GetContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PoolConn{elm.(*Snell), p}, nil
+}
+
+func (p *Pool) Put(conn net.Conn) {
+	if err := HalfClose(conn); err != nil {
+		conn.Close()
+		return
+	}
+
+	p.pool.Put(conn)
+}
+
+type PoolConn struct {
+	*Snell
+	pool *Pool
+}
+
+func (pc *PoolConn) Read(b []byte) (int, error) {
+	// save old status of reply (it mutable by Read)
+	reply := pc.Snell.reply
+
+	n, err := pc.Snell.Read(b)
+	if err == shadowaead.ErrZeroChunk {
+		// if reply is false, it should be client halfclose.
+		// ignore error and read data again.
+		if !reply {
+			pc.Snell.reply = false
+			return pc.Snell.Read(b)
+		}
+	}
+	return n, err
+}
+
+func (pc *PoolConn) Write(b []byte) (int, error) {
+	return pc.Snell.Write(b)
+}
+
+func (pc *PoolConn) Close() error {
+	pc.pool.Put(pc.Snell)
+	return nil
+}
+
+func NewPool(factory func(context.Context) (*Snell, error)) *Pool {
+	p := pool.New(
+		func(ctx context.Context) (interface{}, error) {
+			return factory(ctx)
+		},
+		pool.WithAge(15000),
+		pool.WithSize(10),
+		pool.WithEvict(func(item interface{}) {
+			item.(*Snell).Close()
+		}),
+	)
+
+	return &Pool{p}
+}

component/snell/snell.go

@@ -4,19 +4,27 @@ import (
 	"bytes"
 	"encoding/binary"
 	"errors"
+	"fmt"
 	"io"
 	"net"
 	"sync"
 
 	"github.com/Dreamacro/go-shadowsocks2/shadowaead"
-	"golang.org/x/crypto/chacha20poly1305"
 )
 
 const (
-	CommandPing    byte = 0
-	CommandConnect byte = 1
+	Version1            = 1
+	Version2            = 2
+	DefaultSnellVersion = Version1
+)
+
+const (
+	CommandPing      byte = 0
+	CommandConnect   byte = 1
+	CommandConnectV2 byte = 5
 
 	CommandTunnel byte = 0
+	CommandPong   byte = 1
 	CommandError  byte = 2
 
 	Version byte = 1
@@ -24,6 +32,7 @@ const (
 
 var (
 	bufferPool = sync.Pool{New: func() interface{} { return &bytes.Buffer{} }}
+	endSignal  = []byte{}
 )
 
 type Snell struct {
@@ -45,14 +54,20 @@ func (s *Snell) Read(b []byte) (int, error) {
 	if s.buffer[0] == CommandTunnel {
 		return s.Conn.Read(b)
 	} else if s.buffer[0] != CommandError {
-		return 0, errors.New("Command not support")
+		return 0, errors.New("command not support")
 	}
 
 	// CommandError
+	// 1 byte error code
 	if _, err := io.ReadFull(s.Conn, s.buffer[:]); err != nil {
 		return 0, err
 	}
+	errcode := int(s.buffer[0])
 
+	// 1 byte error message length
+	if _, err := io.ReadFull(s.Conn, s.buffer[:]); err != nil {
+		return 0, err
+	}
 	length := int(s.buffer[0])
 	msg := make([]byte, length)
 
@@ -60,15 +75,19 @@ func (s *Snell) Read(b []byte) (int, error) {
 		return 0, err
 	}
 
-	return 0, errors.New(string(msg))
+	return 0, fmt.Errorf("server reported code: %d, message: %s", errcode, string(msg))
 }
 
-func WriteHeader(conn net.Conn, host string, port uint) error {
+func WriteHeader(conn net.Conn, host string, port uint, version int) error {
 	buf := bufferPool.Get().(*bytes.Buffer)
 	buf.Reset()
 	defer bufferPool.Put(buf)
 	buf.WriteByte(Version)
-	buf.WriteByte(CommandConnect)
+	if version == Version2 {
+		buf.WriteByte(CommandConnectV2)
+	} else {
+		buf.WriteByte(CommandConnect)
+	}
 
 	// clientID length & id
 	buf.WriteByte(0)
@@ -85,7 +104,24 @@ func WriteHeader(conn net.Conn, host string, port uint) error {
 	return nil
 }
 
-func StreamConn(conn net.Conn, psk []byte) net.Conn {
-	cipher := &snellCipher{psk, chacha20poly1305.New}
+// HalfClose works only on version2
+func HalfClose(conn net.Conn) error {
+	if _, err := conn.Write(endSignal); err != nil {
+		return err
+	}
+
+	if s, ok := conn.(*Snell); ok {
+		s.reply = false
+	}
+	return nil
+}
+
+func StreamConn(conn net.Conn, psk []byte, version int) *Snell {
+	var cipher shadowaead.Cipher
+	if version == Version2 {
+		cipher = NewAES128GCM(psk)
+	} else {
+		cipher = NewChacha20Poly1305(psk)
+	}
 	return &Snell{Conn: shadowaead.NewConn(conn, cipher)}
 }

component/socks5/socks5.go

@@ -21,6 +21,8 @@ func (err Error) Error() string {
 // Command is request commands as defined in RFC 1928 section 4.
 type Command = uint8
 
+const Version = 5
+
 // SOCKS request commands as defined in RFC 1928 section 4.
 const (
 	CmdConnect      Command = 1
@@ -178,7 +180,7 @@ func ServerHandshake(rw net.Conn, authenticator auth.Authenticator) (addr Addr,
 	}
 
 	command = buf[1]
-	addr, err = readAddr(rw, buf)
+	addr, err = ReadAddr(rw, buf)
 	if err != nil {
 		return
 	}
@@ -227,6 +229,10 @@ func ClientHandshake(rw io.ReadWriter, addr Addr, command Command, user *User) (
 	}
 
 	if buf[1] == 2 {
+		if user == nil {
+			return nil, ErrAuth
+		}
+
 		// password protocol version
 		authMsg := &bytes.Buffer{}
 		authMsg.WriteByte(1)
@@ -260,10 +266,10 @@ func ClientHandshake(rw io.ReadWriter, addr Addr, command Command, user *User) (
 		return nil, err
 	}
 
-	return readAddr(rw, buf)
+	return ReadAddr(rw, buf)
 }
 
-func readAddr(r io.Reader, b []byte) (Addr, error) {
+func ReadAddr(r io.Reader, b []byte) (Addr, error) {
 	if len(b) < MaxAddrLen {
 		return nil, io.ErrShortBuffer
 	}

component/ssr/obfs/base.go

@@ -0,0 +1,11 @@
+package obfs
+
+// Base information for obfs
+type Base struct {
+	IVSize  int
+	Key     []byte
+	HeadLen int
+	Host    string
+	Port    int
+	Param   string
+}

component/ssr/obfs/http_post.go

@@ -0,0 +1,9 @@
+package obfs
+
+func init() {
+	register("http_post", newHTTPPost)
+}
+
+func newHTTPPost(b *Base) Obfs {
+	return &httpObfs{Base: b, post: true}
+}

component/ssr/obfs/http_simple.go

@@ -0,0 +1,402 @@
+package obfs
+
+import (
+	"bytes"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"math/rand"
+	"strings"
+)
+
+type httpObfs struct {
+	*Base
+	firstRequest  bool
+	firstResponse bool
+	post          bool
+}
+
+func init() {
+	register("http_simple", newHTTPSimple)
+}
+
+func newHTTPSimple(b *Base) Obfs {
+	return &httpObfs{Base: b}
+}
+
+func (h *httpObfs) initForConn() Obfs {
+	return &httpObfs{
+		Base:          h.Base,
+		firstRequest:  true,
+		firstResponse: true,
+		post:          h.post,
+	}
+}
+
+func (h *httpObfs) GetObfsOverhead() int {
+	return 0
+}
+
+func (h *httpObfs) Decode(b []byte) ([]byte, bool, error) {
+	if h.firstResponse {
+		idx := bytes.Index(b, []byte("\r\n\r\n"))
+		if idx == -1 {
+			return nil, false, io.EOF
+		}
+		h.firstResponse = false
+		return b[idx+4:], false, nil
+	}
+	return b, false, nil
+}
+
+func (h *httpObfs) Encode(b []byte) ([]byte, error) {
+	if h.firstRequest {
+		bSize := len(b)
+		var headData []byte
+
+		if headSize := h.IVSize + h.HeadLen; bSize-headSize > 64 {
+			headData = make([]byte, headSize+rand.Intn(64))
+		} else {
+			headData = make([]byte, bSize)
+		}
+		copy(headData, b[:len(headData)])
+		host := h.Host
+		var customHead string
+
+		if len(h.Param) > 0 {
+			customHeads := strings.Split(h.Param, "#")
+			if len(customHeads) > 2 {
+				customHeads = customHeads[:2]
+			}
+			customHosts := h.Param
+			if len(customHeads) > 1 {
+				customHosts = customHeads[0]
+				customHead = customHeads[1]
+			}
+			hosts := strings.Split(customHosts, ",")
+			if len(hosts) > 0 {
+				host = strings.TrimSpace(hosts[rand.Intn(len(hosts))])
+			}
+		}
+
+		method := "GET /"
+		if h.post {
+			method = "POST /"
+		}
+		requestPathIndex := rand.Intn(len(requestPath)/2) * 2
+		httpBuf := fmt.Sprintf("%s%s%s%s HTTP/1.1\r\nHost: %s:%d\r\n",
+			method,
+			requestPath[requestPathIndex],
+			data2URLEncode(headData),
+			requestPath[requestPathIndex+1],
+			host, h.Port)
+		if len(customHead) > 0 {
+			httpBuf = httpBuf + strings.Replace(customHead, "\\n", "\r\n", -1) + "\r\n\r\n"
+		} else {
+			var contentType string
+			if h.post {
+				contentType = "Content-Type: multipart/form-data; boundary=" + boundary() + "\r\n"
+			}
+			httpBuf = httpBuf + "User-agent: " + requestUserAgent[rand.Intn(len(requestUserAgent))] + "\r\n" +
+				"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" +
+				"Accept-Language: en-US,en;q=0.8\r\n" +
+				"Accept-Encoding: gzip, deflate\r\n" +
+				contentType +
+				"DNT: 1\r\n" +
+				"Connection: keep-alive\r\n" +
+				"\r\n"
+		}
+
+		var encoded []byte
+		if len(headData) < bSize {
+			encoded = make([]byte, len(httpBuf)+(bSize-len(headData)))
+			copy(encoded, []byte(httpBuf))
+			copy(encoded[len(httpBuf):], b[len(headData):])
+		} else {
+			encoded = []byte(httpBuf)
+		}
+		h.firstRequest = false
+		return encoded, nil
+	}
+
+	return b, nil
+}
+
+func data2URLEncode(data []byte) (ret string) {
+	for i := 0; i < len(data); i++ {
+		ret = fmt.Sprintf("%s%%%s", ret, hex.EncodeToString([]byte{data[i]}))
+	}
+	return
+}
+
+func boundary() (ret string) {
+	set := "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
+	for i := 0; i < 32; i++ {
+		ret = fmt.Sprintf("%s%c", ret, set[rand.Intn(len(set))])
+	}
+	return
+}
+
+var (
+	requestPath = []string{
+		"", "",
+		"login.php?redir=", "",
+		"register.php?code=", "",
+		"?keyword=", "",
+		"search?src=typd&q=", "&lang=en",
+		"s?ie=utf-8&f=8&rsv_bp=1&rsv_idx=1&ch=&bar=&wd=", "&rn=",
+		"post.php?id=", "&goto=view.php",
+	}
+	requestUserAgent = []string{
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.0; Moto C Build/NRD90M.059) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0.1; SM-G532M Build/MMB29T; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 5.1.1; SM-J120M Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.0; Moto G (5) Build/NPPS25.137-93-14) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.0; SM-G570M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0; CAM-L03 Build/HUAWEICAM-L03) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.76 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36",
+		"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36",
+		"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7",
+		"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+		"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3",
+		"Mozilla/5.0 (Linux; Android 8.0.0; FIG-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36",
+		"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36",
+		"Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/533.2 (KHTML, like Gecko) Chrome/5.0.342.1 Safari/533.2",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36",
+		"Mozilla/5.0 (X11; Datanyze; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 5.1.1; SM-J111M Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36",
+		"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0.1; SM-J700M Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.63 Safari/537.36",
+		"Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Slackware/Chrome/12.0.742.100 Safari/534.30",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+		"Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.100 Safari/534.30",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 8.0.0; WAS-LX3 Build/HUAWEIWAS-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.1805 Safari/537.36 MVisionPlayer/1.0.0.0",
+		"Mozilla/5.0 (Linux; Android 7.0; TRT-LX3 Build/HUAWEITRT-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0; vivo 1610 Build/MMB29M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.124 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG GT-I9195 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36",
+		"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 8.0.0; ANE-LX3 Build/HUAWEIANE-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
+		"Mozilla/5.0 (X11; U; Linux i586; en-US) AppleWebKit/533.2 (KHTML, like Gecko) Chrome/5.0.342.1 Safari/533.2",
+		"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.0; SM-G610M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0.1; SM-J500M Build/MMB29M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.104 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0; vivo 1606 Build/MMB29M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.124 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+		"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.0; SM-G610M Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.1; vivo 1716 Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.98 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.0; SM-G570M Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0; MYA-L22 Build/HUAWEIMYA-L22) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 5.1; A1601 Build/LMY47I) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.0; TRT-LX2 Build/HUAWEITRT-LX2; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/59.0.3071.125 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 5.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+		"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.17 (KHTML, like Gecko) Chrome/10.0.649.0 Safari/534.17",
+		"Mozilla/5.0 (Linux; Android 6.0; CAM-L21 Build/HUAWEICAM-L21; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/62.0.3202.84 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36",
+		"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.3 Safari/534.24",
+		"Mozilla/5.0 (Linux; Android 7.1.2; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 4.4.2; SM-G7102 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 5.1; HUAWEI CUN-L22 Build/HUAWEICUN-L22; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/62.0.3202.84 Mobile Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 5.1.1; A37fw Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.0; SM-J730GM Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.0; SM-G610F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.1.2; Redmi Note 5A Build/N2G47H; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/63.0.3239.111 Mobile Safari/537.36",
+		"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.0; Redmi Note 4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36",
+		"Mozilla/5.0 (Unknown; Linux) AppleWebKit/538.1 (KHTML, like Gecko) Chrome/v1.0.0 Safari/538.1",
+		"Mozilla/5.0 (Linux; Android 7.0; BLL-L22 Build/HUAWEIBLL-L22) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.0; SM-J710F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0.1; SM-G532M Build/MMB29T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.1.1; CPH1723 Build/N6F26Q) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.98 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 8.0.0; FIG-LX3 Build/HUAWEIFIG-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows; U; Windows NT 6.1; de-DE) AppleWebKit/534.17 (KHTML, like Gecko) Chrome/10.0.649.0 Safari/534.17",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.63 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.1; Mi A1 Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.83 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",
+		"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36 MVisionPlayer/1.0.0.0",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 5.1; A37f Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.76 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 5.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0.1; CPH1607 Build/MMB29M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/63.0.3239.111 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36",
+		"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0.1; vivo 1603 Build/MMB29M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.83 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0.1; SM-G532M Build/MMB29T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0.1; Redmi 4A Build/MMB29M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.116 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36",
+		"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 5.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0.1; SM-G532G Build/MMB29T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.83 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0; vivo 1713 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.124 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36",
+	}
+)

component/ssr/obfs/obfs.go

@@ -0,0 +1,37 @@
+package obfs
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+)
+
+var (
+	errTLS12TicketAuthIncorrectMagicNumber = errors.New("tls1.2_ticket_auth incorrect magic number")
+	errTLS12TicketAuthTooShortData         = errors.New("tls1.2_ticket_auth too short data")
+	errTLS12TicketAuthHMACError            = errors.New("tls1.2_ticket_auth hmac verifying failed")
+)
+
+// Obfs provides methods for decoding and encoding
+type Obfs interface {
+	initForConn() Obfs
+	GetObfsOverhead() int
+	Decode(b []byte) ([]byte, bool, error)
+	Encode(b []byte) ([]byte, error)
+}
+
+type obfsCreator func(b *Base) Obfs
+
+var obfsList = make(map[string]obfsCreator)
+
+func register(name string, c obfsCreator) {
+	obfsList[name] = c
+}
+
+// PickObfs returns an obfs of the given name
+func PickObfs(name string, b *Base) (Obfs, error) {
+	if obfsCreator, ok := obfsList[strings.ToLower(name)]; ok {
+		return obfsCreator(b), nil
+	}
+	return nil, fmt.Errorf("Obfs %s not supported", name)
+}

component/ssr/obfs/plain.go

@@ -0,0 +1,25 @@
+package obfs
+
+type plain struct{}
+
+func init() {
+	register("plain", newPlain)
+}
+
+func newPlain(b *Base) Obfs {
+	return &plain{}
+}
+
+func (p *plain) initForConn() Obfs { return &plain{} }
+
+func (p *plain) GetObfsOverhead() int {
+	return 0
+}
+
+func (p *plain) Encode(b []byte) ([]byte, error) {
+	return b, nil
+}
+
+func (p *plain) Decode(b []byte) ([]byte, bool, error) {
+	return b, false, nil
+}

component/ssr/obfs/random_head.go

@@ -0,0 +1,75 @@
+package obfs
+
+import (
+	"encoding/binary"
+	"hash/crc32"
+	"math/rand"
+)
+
+type randomHead struct {
+	*Base
+	firstRequest  bool
+	firstResponse bool
+	headerSent    bool
+	buffer        []byte
+}
+
+func init() {
+	register("random_head", newRandomHead)
+}
+
+func newRandomHead(b *Base) Obfs {
+	return &randomHead{Base: b}
+}
+
+func (r *randomHead) initForConn() Obfs {
+	return &randomHead{
+		Base:          r.Base,
+		firstRequest:  true,
+		firstResponse: true,
+	}
+}
+
+func (r *randomHead) GetObfsOverhead() int {
+	return 0
+}
+
+func (r *randomHead) Encode(b []byte) (encoded []byte, err error) {
+	if !r.firstRequest {
+		return b, nil
+	}
+
+	bSize := len(b)
+	if r.headerSent {
+		if bSize > 0 {
+			d := make([]byte, len(r.buffer)+bSize)
+			copy(d, r.buffer)
+			copy(d[len(r.buffer):], b)
+			r.buffer = d
+		} else {
+			encoded = r.buffer
+			r.buffer = nil
+			r.firstRequest = false
+		}
+	} else {
+		size := rand.Intn(96) + 8
+		encoded = make([]byte, size)
+		rand.Read(encoded)
+		crc := (0xFFFFFFFF - crc32.ChecksumIEEE(encoded[:size-4])) & 0xFFFFFFFF
+		binary.LittleEndian.PutUint32(encoded[size-4:], crc)
+
+		d := make([]byte, bSize)
+		copy(d, b)
+		r.buffer = d
+	}
+	r.headerSent = true
+	return encoded, nil
+}
+
+func (r *randomHead) Decode(b []byte) ([]byte, bool, error) {
+	if r.firstResponse {
+		r.firstResponse = false
+		return b, true, nil
+	}
+	return b, false, nil
+}

component/ssr/obfs/stream.go

@@ -0,0 +1,72 @@
+package obfs
+
+import (
+	"net"
+
+	"github.com/Dreamacro/clash/common/pool"
+)
+
+// NewConn wraps a stream-oriented net.Conn with obfs decoding/encoding
+func NewConn(c net.Conn, o Obfs) net.Conn {
+	return &Conn{Conn: c, Obfs: o.initForConn()}
+}
+
+// Conn represents an obfs connection
+type Conn struct {
+	net.Conn
+	Obfs
+	buf    []byte
+	offset int
+}
+
+func (c *Conn) Read(b []byte) (int, error) {
+	if c.buf != nil {
+		n := copy(b, c.buf[c.offset:])
+		c.offset += n
+		if c.offset == len(c.buf) {
+			pool.Put(c.buf)
+			c.buf = nil
+		}
+		return n, nil
+	}
+
+	buf := pool.Get(pool.RelayBufferSize)
+	defer pool.Put(buf)
+	n, err := c.Conn.Read(buf)
+	if err != nil {
+		return 0, err
+	}
+	decoded, sendback, err := c.Decode(buf[:n])
+	// decoded may be part of buf
+	decodedData := pool.Get(len(decoded))
+	copy(decodedData, decoded)
+	if err != nil {
+		pool.Put(decodedData)
+		return 0, err
+	}
+	if sendback {
+		c.Write(nil)
+		pool.Put(decodedData)
+		return 0, nil
+	}
+	n = copy(b, decodedData)
+	if len(decodedData) > len(b) {
+		c.buf = decodedData
+		c.offset = n
+	} else {
+		pool.Put(decodedData)
+	}
+	return n, err
+}
+
+func (c *Conn) Write(b []byte) (int, error) {
+	encoded, err := c.Encode(b)
+	if err != nil {
+		return 0, err
+	}
+	_, err = c.Conn.Write(encoded)
+	if err != nil {
+		return 0, err
+	}
+	return len(b), nil
+}

component/ssr/obfs/tls12_ticket_auth.go

@@ -0,0 +1,290 @@
+package obfs
+
+import (
+	"bytes"
+	"crypto/hmac"
+	"encoding/binary"
+	"fmt"
+	"io"
+	"math/rand"
+	"strings"
+	"time"
+
+	"github.com/Dreamacro/clash/common/pool"
+	"github.com/Dreamacro/clash/component/ssr/tools"
+	"github.com/Dreamacro/clash/log"
+)
+
+type tlsAuthData struct {
+	localClientID [32]byte
+}
+
+type tls12Ticket struct {
+	*Base
+	*tlsAuthData
+	handshakeStatus int
+	sendSaver       bytes.Buffer
+	recvBuffer      bytes.Buffer
+	buffer          bytes.Buffer
+}
+
+func init() {
+	register("tls1.2_ticket_auth", newTLS12Ticket)
+	register("tls1.2_ticket_fastauth", newTLS12Ticket)
+}
+
+func newTLS12Ticket(b *Base) Obfs {
+	return &tls12Ticket{
+		Base: b,
+	}
+}
+
+func (t *tls12Ticket) initForConn() Obfs {
+	r := &tls12Ticket{
+		Base:        t.Base,
+		tlsAuthData: &tlsAuthData{},
+	}
+	rand.Read(r.localClientID[:])
+	return r
+}
+
+func (t *tls12Ticket) GetObfsOverhead() int {
+	return 5
+}
+
+func (t *tls12Ticket) Decode(b []byte) ([]byte, bool, error) {
+	if t.handshakeStatus == -1 {
+		return b, false, nil
+	}
+	t.buffer.Reset()
+	if t.handshakeStatus == 8 {
+		t.recvBuffer.Write(b)
+		for t.recvBuffer.Len() > 5 {
+			var h [5]byte
+			t.recvBuffer.Read(h[:])
+			if !bytes.Equal(h[:3], []byte{0x17, 0x3, 0x3}) {
+				log.Warnln("incorrect magic number %x, 0x170303 is expected", h[:3])
+				return nil, false, errTLS12TicketAuthIncorrectMagicNumber
+			}
+			size := int(binary.BigEndian.Uint16(h[3:5]))
+			if t.recvBuffer.Len() < size {
+				// 不够读，下回再读吧
+				unread := t.recvBuffer.Bytes()
+				t.recvBuffer.Reset()
+				t.recvBuffer.Write(h[:])
+				t.recvBuffer.Write(unread)
+				break
+			}
+			d := pool.Get(size)
+			t.recvBuffer.Read(d)
+			t.buffer.Write(d)
+			pool.Put(d)
+		}
+		return t.buffer.Bytes(), false, nil
+	}
+
+	if len(b) < 11+32+1+32 {
+		return nil, false, errTLS12TicketAuthTooShortData
+	}
+
+	hash := t.hmacSHA1(b[11 : 11+22])
+
+	if !hmac.Equal(b[33:33+tools.HmacSHA1Len], hash) {
+		return nil, false, errTLS12TicketAuthHMACError
+	}
+	return nil, true, nil
+}
+
+func (t *tls12Ticket) Encode(b []byte) ([]byte, error) {
+	t.buffer.Reset()
+	switch t.handshakeStatus {
+	case 8:
+		if len(b) < 1024 {
+			d := []byte{0x17, 0x3, 0x3, 0, 0}
+			binary.BigEndian.PutUint16(d[3:5], uint16(len(b)&0xFFFF))
+			t.buffer.Write(d)
+			t.buffer.Write(b)
+			return t.buffer.Bytes(), nil
+		}
+		start := 0
+		var l int
+		for len(b)-start > 2048 {
+			l = rand.Intn(4096) + 100
+			if l > len(b)-start {
+				l = len(b) - start
+			}
+			packData(&t.buffer, b[start:start+l])
+			start += l
+		}
+		if len(b)-start > 0 {
+			l = len(b) - start
+			packData(&t.buffer, b[start:start+l])
+		}
+		return t.buffer.Bytes(), nil
+	case 1:
+		if len(b) > 0 {
+			if len(b) < 1024 {
+				packData(&t.sendSaver, b)
+			} else {
+				start := 0
+				var l int
+				for len(b)-start > 2048 {
+					l = rand.Intn(4096) + 100
+					if l > len(b)-start {
+						l = len(b) - start
+					}
+					packData(&t.buffer, b[start:start+l])
+					start += l
+				}
+				if len(b)-start > 0 {
+					l = len(b) - start
+					packData(&t.buffer, b[start:start+l])
+				}
+				io.Copy(&t.sendSaver, &t.buffer)
+			}
+			return []byte{}, nil
+		}
+		hmacData := make([]byte, 43)
+		handshakeFinish := []byte("\x14\x03\x03\x00\x01\x01\x16\x03\x03\x00\x20")
+		copy(hmacData, handshakeFinish)
+		rand.Read(hmacData[11:33])
+		h := t.hmacSHA1(hmacData[:33])
+		copy(hmacData[33:], h)
+		t.buffer.Write(hmacData)
+		io.Copy(&t.buffer, &t.sendSaver)
+		t.handshakeStatus = 8
+		return t.buffer.Bytes(), nil
+	case 0:
+		tlsData0 := []byte("\x00\x1c\xc0\x2b\xc0\x2f\xcc\xa9\xcc\xa8\xcc\x14\xcc\x13\xc0\x0a\xc0\x14\xc0\x09\xc0\x13\x00\x9c\x00\x35\x00\x2f\x00\x0a\x01\x00")
+		tlsData1 := []byte("\xff\x01\x00\x01\x00")
+		tlsData2 := []byte("\x00\x17\x00\x00\x00\x23\x00\xd0")
+		// tlsData3 := []byte("\x00\x0d\x00\x16\x00\x14\x06\x01\x06\x03\x05\x01\x05\x03\x04\x01\x04\x03\x03\x01\x03\x03\x02\x01\x02\x03\x00\x05\x00\x05\x01\x00\x00\x00\x00\x00\x12\x00\x00\x75\x50\x00\x00\x00\x0b\x00\x02\x01\x00\x00\x0a\x00\x06\x00\x04\x00\x17\x00\x18\x00\x15\x00\x66\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
+		tlsData3 := []byte("\x00\x0d\x00\x16\x00\x14\x06\x01\x06\x03\x05\x01\x05\x03\x04\x01\x04\x03\x03\x01\x03\x03\x02\x01\x02\x03\x00\x05\x00\x05\x01\x00\x00\x00\x00\x00\x12\x00\x00\x75\x50\x00\x00\x00\x0b\x00\x02\x01\x00\x00\x0a\x00\x06\x00\x04\x00\x17\x00\x18")
+
+		var tlsData [2048]byte
+		tlsDataLen := 0
+		copy(tlsData[0:], tlsData1)
+		tlsDataLen += len(tlsData1)
+		sni := t.sni(t.getHost())
+		copy(tlsData[tlsDataLen:], sni)
+		tlsDataLen += len(sni)
+		copy(tlsData[tlsDataLen:], tlsData2)
+		tlsDataLen += len(tlsData2)
+		ticketLen := rand.Intn(164)*2 + 64
+		tlsData[tlsDataLen-1] = uint8(ticketLen & 0xff)
+		tlsData[tlsDataLen-2] = uint8(ticketLen >> 8)
+		//ticketLen := 208
+		rand.Read(tlsData[tlsDataLen : tlsDataLen+ticketLen])
+		tlsDataLen += ticketLen
+		copy(tlsData[tlsDataLen:], tlsData3)
+		tlsDataLen += len(tlsData3)
+
+		length := 11 + 32 + 1 + 32 + len(tlsData0) + 2 + tlsDataLen
+		encodedData := make([]byte, length)
+		pdata := length - tlsDataLen
+		l := tlsDataLen
+		copy(encodedData[pdata:], tlsData[:tlsDataLen])
+		encodedData[pdata-1] = uint8(tlsDataLen)
+		encodedData[pdata-2] = uint8(tlsDataLen >> 8)
+		pdata -= 2
+		l += 2
+		copy(encodedData[pdata-len(tlsData0):], tlsData0)
+		pdata -= len(tlsData0)
+		l += len(tlsData0)
+		copy(encodedData[pdata-32:], t.localClientID[:])
+		pdata -= 32
+		l += 32
+		encodedData[pdata-1] = 0x20
+		pdata--
+		l++
+		copy(encodedData[pdata-32:], t.packAuthData())
+		pdata -= 32
+		l += 32
+		encodedData[pdata-1] = 0x3
+		encodedData[pdata-2] = 0x3 // tls version
+		pdata -= 2
+		l += 2
+		encodedData[pdata-1] = uint8(l)
+		encodedData[pdata-2] = uint8(l >> 8)
+		encodedData[pdata-3] = 0
+		encodedData[pdata-4] = 1
+		pdata -= 4
+		l += 4
+		encodedData[pdata-1] = uint8(l)
+		encodedData[pdata-2] = uint8(l >> 8)
+		pdata -= 2
+		l += 2
+		encodedData[pdata-1] = 0x1
+		encodedData[pdata-2] = 0x3 // tls version
+		pdata -= 2
+		l += 2
+		encodedData[pdata-1] = 0x16 // tls handshake
+		pdata--
+		l++
+		packData(&t.sendSaver, b)
+		t.handshakeStatus = 1
+		return encodedData, nil
+	default:
+		return nil, fmt.Errorf("unexpected handshake status: %d", t.handshakeStatus)
+	}
+}
+
+func (t *tls12Ticket) hmacSHA1(data []byte) []byte {
+	key := make([]byte, len(t.Key)+32)
+	copy(key, t.Key)
+	copy(key[len(t.Key):], t.localClientID[:])
+
+	sha1Data := tools.HmacSHA1(key, data)
+	return sha1Data[:tools.HmacSHA1Len]
+}
+
+func (t *tls12Ticket) sni(u string) []byte {
+	bURL := []byte(u)
+	length := len(bURL)
+	ret := make([]byte, length+9)
+	copy(ret[9:9+length], bURL)
+	binary.BigEndian.PutUint16(ret[7:], uint16(length&0xFFFF))
+	length += 3
+	binary.BigEndian.PutUint16(ret[4:], uint16(length&0xFFFF))
+	length += 2
+	binary.BigEndian.PutUint16(ret[2:], uint16(length&0xFFFF))
+	return ret
+}
+
+func (t *tls12Ticket) getHost() string {
+	host := t.Host
+	if len(t.Param) > 0 {
+		hosts := strings.Split(t.Param, ",")
+		if len(hosts) > 0 {
+
+			host = hosts[rand.Intn(len(hosts))]
+			host = strings.TrimSpace(host)
+		}
+	}
+	if len(host) > 0 && host[len(host)-1] >= byte('0') && host[len(host)-1] <= byte('9') && len(t.Param) == 0 {
+		host = ""
+	}
+	return host
+}
+
+func (t *tls12Ticket) packAuthData() (ret []byte) {
+	retSize := 32
+	ret = make([]byte, retSize)
+
+	now := time.Now().Unix()
+	binary.BigEndian.PutUint32(ret[:4], uint32(now))
+
+	rand.Read(ret[4 : 4+18])
+
+	hash := t.hmacSHA1(ret[:retSize-tools.HmacSHA1Len])
+	copy(ret[retSize-tools.HmacSHA1Len:], hash)
+
+	return
+}
+
+func packData(buffer *bytes.Buffer, suffix []byte) {
+	d := []byte{0x17, 0x3, 0x3, 0, 0}
+	binary.BigEndian.PutUint16(d[3:5], uint16(len(suffix)&0xFFFF))
+	buffer.Write(d)
+	buffer.Write(suffix)
+}

component/ssr/protocol/auth_aes128_md5.go

@@ -0,0 +1,310 @@
+package protocol
+
+import (
+	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"encoding/base64"
+	"encoding/binary"
+	"math/rand"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/Dreamacro/clash/common/pool"
+	"github.com/Dreamacro/clash/component/ssr/tools"
+	"github.com/Dreamacro/go-shadowsocks2/core"
+)
+
+type authAES128 struct {
+	*Base
+	*recvInfo
+	*authData
+	hasSentHeader bool
+	packID        uint32
+	userKey       []byte
+	uid           [4]byte
+	salt          string
+	hmac          hmacMethod
+	hashDigest    hashDigestMethod
+}
+
+func init() {
+	register("auth_aes128_md5", newAuthAES128MD5)
+}
+
+func newAuthAES128MD5(b *Base) Protocol {
+	return &authAES128{
+		Base:       b,
+		authData:   &authData{},
+		salt:       "auth_aes128_md5",
+		hmac:       tools.HmacMD5,
+		hashDigest: tools.MD5Sum,
+	}
+}
+
+func (a *authAES128) initForConn(iv []byte) Protocol {
+	return &authAES128{
+		Base: &Base{
+			IV:       iv,
+			Key:      a.Key,
+			TCPMss:   a.TCPMss,
+			Overhead: a.Overhead,
+			Param:    a.Param,
+		},
+		recvInfo:   &recvInfo{recvID: 1, buffer: new(bytes.Buffer)},
+		authData:   a.authData,
+		packID:     1,
+		salt:       a.salt,
+		hmac:       a.hmac,
+		hashDigest: a.hashDigest,
+	}
+}
+
+func (a *authAES128) GetProtocolOverhead() int {
+	return 9
+}
+
+func (a *authAES128) SetOverhead(overhead int) {
+	a.Overhead = overhead
+}
+
+func (a *authAES128) Decode(b []byte) ([]byte, int, error) {
+	a.buffer.Reset()
+	bSize := len(b)
+	readSize := 0
+	key := pool.Get(len(a.userKey) + 4)
+	defer pool.Put(key)
+	copy(key, a.userKey)
+	for bSize > 4 {
+		binary.LittleEndian.PutUint32(key[len(key)-4:], a.recvID)
+
+		h := a.hmac(key, b[:2])
+		if !bytes.Equal(h[:2], b[2:4]) {
+			return nil, 0, errAuthAES128IncorrectMAC
+		}
+
+		length := int(binary.LittleEndian.Uint16(b[:2]))
+		if length >= 8192 || length < 8 {
+			return nil, 0, errAuthAES128DataLengthError
+		}
+		if length > bSize {
+			break
+		}
+
+		h = a.hmac(key, b[:length-4])
+		if !bytes.Equal(h[:4], b[length-4:length]) {
+			return nil, 0, errAuthAES128IncorrectChecksum
+		}
+
+		a.recvID++
+		pos := int(b[4])
+		if pos < 255 {
+			pos += 4
+		} else {
+			pos = int(binary.LittleEndian.Uint16(b[5:7])) + 4
+		}
+
+		if pos > length-4 {
+			return nil, 0, errAuthAES128PositionTooLarge
+		}
+		a.buffer.Write(b[pos : length-4])
+		b = b[length:]
+		bSize -= length
+		readSize += length
+	}
+	return a.buffer.Bytes(), readSize, nil
+}
+
+func (a *authAES128) Encode(b []byte) ([]byte, error) {
+	a.buffer.Reset()
+	bSize := len(b)
+	offset := 0
+	if bSize > 0 && !a.hasSentHeader {
+		authSize := bSize
+		if authSize > 1200 {
+			authSize = 1200
+		}
+		a.hasSentHeader = true
+		a.buffer.Write(a.packAuthData(b[:authSize]))
+		bSize -= authSize
+		offset += authSize
+	}
+	const blockSize = 4096
+	for bSize > blockSize {
+		packSize, randSize := a.packedDataSize(b[offset : offset+blockSize])
+		pack := pool.Get(packSize)
+		a.packData(b[offset:offset+blockSize], pack, randSize)
+		a.buffer.Write(pack)
+		pool.Put(pack)
+		bSize -= blockSize
+		offset += blockSize
+	}
+	if bSize > 0 {
+		packSize, randSize := a.packedDataSize(b[offset:])
+		pack := pool.Get(packSize)
+		a.packData(b[offset:], pack, randSize)
+		a.buffer.Write(pack)
+		pool.Put(pack)
+	}
+	return a.buffer.Bytes(), nil
+}
+
+func (a *authAES128) DecodePacket(b []byte) ([]byte, int, error) {
+	bSize := len(b)
+	h := a.hmac(a.Key, b[:bSize-4])
+	if !bytes.Equal(h[:4], b[bSize-4:]) {
+		return nil, 0, errAuthAES128IncorrectMAC
+	}
+	return b[:bSize-4], bSize - 4, nil
+}
+
+func (a *authAES128) EncodePacket(b []byte) ([]byte, error) {
+	a.initUserKeyAndID()
+
+	var buf bytes.Buffer
+	buf.Write(b)
+	buf.Write(a.uid[:])
+	h := a.hmac(a.userKey, buf.Bytes())
+	buf.Write(h[:4])
+	return buf.Bytes(), nil
+}
+
+func (a *authAES128) initUserKeyAndID() {
+	if a.userKey == nil {
+		params := strings.Split(a.Param, ":")
+		if len(params) >= 2 {
+			if userID, err := strconv.ParseUint(params[0], 10, 32); err == nil {
+				binary.LittleEndian.PutUint32(a.uid[:], uint32(userID))
+				a.userKey = a.hashDigest([]byte(params[1]))
+			}
+		}
+
+		if a.userKey == nil {
+			rand.Read(a.uid[:])
+			a.userKey = make([]byte, len(a.Key))
+			copy(a.userKey, a.Key)
+		}
+	}
+}
+
+func (a *authAES128) packedDataSize(data []byte) (packSize, randSize int) {
+	dataSize := len(data)
+	randSize = 1
+	if dataSize <= 1200 {
+		if a.packID > 4 {
+			randSize += rand.Intn(32)
+		} else {
+			if dataSize > 900 {
+				randSize += rand.Intn(128)
+			} else {
+				randSize += rand.Intn(512)
+			}
+		}
+	}
+	packSize = randSize + dataSize + 8
+	return
+}
+
+func (a *authAES128) packData(data, ret []byte, randSize int) {
+	dataSize := len(data)
+	retSize := len(ret)
+	// 0~1, ret_size
+	binary.LittleEndian.PutUint16(ret[0:], uint16(retSize&0xFFFF))
+	// 2~3, hmac
+	key := pool.Get(len(a.userKey) + 4)
+	defer pool.Put(key)
+	copy(key, a.userKey)
+	binary.LittleEndian.PutUint32(key[len(key)-4:], a.packID)
+	h := a.hmac(key, ret[:2])
+	copy(ret[2:4], h[:2])
+	// 4~rand_size+4, rand number
+	rand.Read(ret[4 : 4+randSize])
+	// 4, rand_size
+	if randSize < 128 {
+		ret[4] = byte(randSize & 0xFF)
+	} else {
+		// 4, magic number 0xFF
+		ret[4] = 0xFF
+		// 5~6, rand_size
+		binary.LittleEndian.PutUint16(ret[5:], uint16(randSize&0xFFFF))
+	}
+	// rand_size+4~ret_size-4, data
+	if dataSize > 0 {
+		copy(ret[randSize+4:], data)
+	}
+	a.packID++
+	h = a.hmac(key, ret[:retSize-4])
+	copy(ret[retSize-4:], h[:4])
+}
+
+func (a *authAES128) packAuthData(data []byte) (ret []byte) {
+	dataSize := len(data)
+	var randSize int
+
+	if dataSize > 400 {
+		randSize = rand.Intn(512)
+	} else {
+		randSize = rand.Intn(1024)
+	}
+
+	dataOffset := randSize + 16 + 4 + 4 + 7
+	retSize := dataOffset + dataSize + 4
+	ret = make([]byte, retSize)
+	encrypt := make([]byte, 24)
+	key := make([]byte, len(a.IV)+len(a.Key))
+	copy(key, a.IV)
+	copy(key[len(a.IV):], a.Key)
+
+	rand.Read(ret[dataOffset-randSize:])
+	a.mutex.Lock()
+	defer a.mutex.Unlock()
+	a.connectionID++
+	if a.connectionID > 0xFF000000 {
+		a.clientID = nil
+	}
+	if len(a.clientID) == 0 {
+		a.clientID = make([]byte, 8)
+		rand.Read(a.clientID)
+		b := make([]byte, 4)
+		rand.Read(b)
+		a.connectionID = binary.LittleEndian.Uint32(b) & 0xFFFFFF
+	}
+	copy(encrypt[4:], a.clientID)
+	binary.LittleEndian.PutUint32(encrypt[8:], a.connectionID)
+
+	now := time.Now().Unix()
+	binary.LittleEndian.PutUint32(encrypt[:4], uint32(now))
+
+	binary.LittleEndian.PutUint16(encrypt[12:], uint16(retSize&0xFFFF))
+	binary.LittleEndian.PutUint16(encrypt[14:], uint16(randSize&0xFFFF))
+
+	a.initUserKeyAndID()
+
+	aesCipherKey := core.Kdf(base64.StdEncoding.EncodeToString(a.userKey)+a.salt, 16)
+	block, err := aes.NewCipher(aesCipherKey)
+	if err != nil {
+		return nil
+	}
+	encryptData := make([]byte, 16)
+	iv := make([]byte, aes.BlockSize)
+	cbc := cipher.NewCBCEncrypter(block, iv)
+	cbc.CryptBlocks(encryptData, encrypt[:16])
+	copy(encrypt[:4], a.uid[:])
+	copy(encrypt[4:4+16], encryptData)
+
+	h := a.hmac(key, encrypt[:20])
+	copy(encrypt[20:], h[:4])
+
+	rand.Read(ret[:1])
+	h = a.hmac(key, ret[:1])
+	copy(ret[1:], h[:7-1])
+
+	copy(ret[7:], encrypt)
+	copy(ret[dataOffset:], data)
+
+	h = a.hmac(a.userKey, ret[:retSize-4])
+	copy(ret[retSize-4:], h[:4])
+
+	return
+}

component/ssr/protocol/auth_aes128_sha1.go

@@ -0,0 +1,22 @@
+package protocol
+
+import (
+	"bytes"
+
+	"github.com/Dreamacro/clash/component/ssr/tools"
+)
+
+func init() {
+	register("auth_aes128_sha1", newAuthAES128SHA1)
+}
+
+func newAuthAES128SHA1(b *Base) Protocol {
+	return &authAES128{
+		Base:       b,
+		recvInfo:   &recvInfo{buffer: new(bytes.Buffer)},
+		authData:   &authData{},
+		salt:       "auth_aes128_sha1",
+		hmac:       tools.HmacSHA1,
+		hashDigest: tools.SHA1Sum,
+	}
+}

component/ssr/protocol/auth_chain_a.go

@@ -0,0 +1,427 @@
+package protocol
+
+import (
+	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rc4"
+	"encoding/base64"
+	"encoding/binary"
+	"math/rand"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/Dreamacro/clash/common/pool"
+	"github.com/Dreamacro/clash/component/ssr/tools"
+	"github.com/Dreamacro/go-shadowsocks2/core"
+)
+
+type authChain struct {
+	*Base
+	*recvInfo
+	*authData
+	randomClient   shift128PlusContext
+	randomServer   shift128PlusContext
+	enc            cipher.Stream
+	dec            cipher.Stream
+	headerSent     bool
+	lastClientHash []byte
+	lastServerHash []byte
+	userKey        []byte
+	uid            [4]byte
+	salt           string
+	hmac           hmacMethod
+	hashDigest     hashDigestMethod
+	rnd            rndMethod
+	dataSizeList   []int
+	dataSizeList2  []int
+	chunkID        uint32
+}
+
+func init() {
+	register("auth_chain_a", newAuthChainA)
+}
+
+func newAuthChainA(b *Base) Protocol {
+	return &authChain{
+		Base:       b,
+		authData:   &authData{},
+		salt:       "auth_chain_a",
+		hmac:       tools.HmacMD5,
+		hashDigest: tools.SHA1Sum,
+		rnd:        authChainAGetRandLen,
+	}
+}
+
+func (a *authChain) initForConn(iv []byte) Protocol {
+	r := &authChain{
+		Base: &Base{
+			IV:       iv,
+			Key:      a.Key,
+			TCPMss:   a.TCPMss,
+			Overhead: a.Overhead,
+			Param:    a.Param,
+		},
+		recvInfo:   &recvInfo{recvID: 1, buffer: new(bytes.Buffer)},
+		authData:   a.authData,
+		salt:       a.salt,
+		hmac:       a.hmac,
+		hashDigest: a.hashDigest,
+		rnd:        a.rnd,
+	}
+	if r.salt == "auth_chain_b" {
+		initDataSize(r)
+	}
+	return r
+}
+
+func (a *authChain) GetProtocolOverhead() int {
+	return 4
+}
+
+func (a *authChain) SetOverhead(overhead int) {
+	a.Overhead = overhead
+}
+
+func (a *authChain) Decode(b []byte) ([]byte, int, error) {
+	a.buffer.Reset()
+	key := pool.Get(len(a.userKey) + 4)
+	defer pool.Put(key)
+	readSize := 0
+	copy(key, a.userKey)
+	for len(b) > 4 {
+		binary.LittleEndian.PutUint32(key[len(a.userKey):], a.recvID)
+		dataLen := (int)((uint(b[1]^a.lastServerHash[15]) << 8) + uint(b[0]^a.lastServerHash[14]))
+		randLen := a.getServerRandLen(dataLen, a.Overhead)
+		length := randLen + dataLen
+		if length >= 4096 {
+			return nil, 0, errAuthChainDataLengthError
+		}
+		length += 4
+		if length > len(b) {
+			break
+		}
+
+		hash := a.hmac(key, b[:length-2])
+		if !bytes.Equal(hash[:2], b[length-2:length]) {
+			return nil, 0, errAuthChainHMACError
+		}
+		var dataPos int
+		if dataLen > 0 && randLen > 0 {
+			dataPos = 2 + getRandStartPos(&a.randomServer, randLen)
+		} else {
+			dataPos = 2
+		}
+		d := pool.Get(dataLen)
+		a.dec.XORKeyStream(d, b[dataPos:dataPos+dataLen])
+		a.buffer.Write(d)
+		pool.Put(d)
+		if a.recvID == 1 {
+			a.TCPMss = int(binary.LittleEndian.Uint16(a.buffer.Next(2)))
+		}
+		a.lastServerHash = hash
+		a.recvID++
+		b = b[length:]
+		readSize += length
+	}
+	return a.buffer.Bytes(), readSize, nil
+}
+
+func (a *authChain) Encode(b []byte) ([]byte, error) {
+	a.buffer.Reset()
+	bSize := len(b)
+	offset := 0
+	if bSize > 0 && !a.headerSent {
+		headSize := 1200
+		if headSize > bSize {
+			headSize = bSize
+		}
+		a.buffer.Write(a.packAuthData(b[:headSize]))
+		offset += headSize
+		bSize -= headSize
+		a.headerSent = true
+	}
+	var unitSize = a.TCPMss - a.Overhead
+	for bSize > unitSize {
+		dataLen, randLength := a.packedDataLen(b[offset : offset+unitSize])
+		d := pool.Get(dataLen)
+		a.packData(d, b[offset:offset+unitSize], randLength)
+		a.buffer.Write(d)
+		pool.Put(d)
+		bSize -= unitSize
+		offset += unitSize
+	}
+	if bSize > 0 {
+		dataLen, randLength := a.packedDataLen(b[offset:])
+		d := pool.Get(dataLen)
+		a.packData(d, b[offset:], randLength)
+		a.buffer.Write(d)
+		pool.Put(d)
+	}
+	return a.buffer.Bytes(), nil
+}
+
+func (a *authChain) DecodePacket(b []byte) ([]byte, int, error) {
+	bSize := len(b)
+	if bSize < 9 {
+		return nil, 0, errAuthChainDataLengthError
+	}
+	h := a.hmac(a.userKey, b[:bSize-1])
+	if h[0] != b[bSize-1] {
+		return nil, 0, errAuthChainHMACError
+	}
+	hash := a.hmac(a.Key, b[bSize-8:bSize-1])
+	cipherKey := a.getRC4CipherKey(hash)
+	dec, _ := rc4.NewCipher(cipherKey)
+	randLength := udpGetRandLen(&a.randomServer, hash)
+	bSize -= 8 + randLength
+	dec.XORKeyStream(b, b[:bSize])
+	return b, bSize, nil
+}
+
+func (a *authChain) EncodePacket(b []byte) ([]byte, error) {
+	a.initUserKeyAndID()
+	authData := pool.Get(3)
+	defer pool.Put(authData)
+	rand.Read(authData)
+	hash := a.hmac(a.Key, authData)
+	uid := pool.Get(4)
+	defer pool.Put(uid)
+	for i := 0; i < 4; i++ {
+		uid[i] = a.uid[i] ^ hash[i]
+	}
+
+	cipherKey := a.getRC4CipherKey(hash)
+	enc, _ := rc4.NewCipher(cipherKey)
+	var buf bytes.Buffer
+	enc.XORKeyStream(b, b)
+	buf.Write(b)
+
+	randLength := udpGetRandLen(&a.randomClient, hash)
+	randBytes := pool.Get(randLength)
+	defer pool.Put(randBytes)
+	buf.Write(randBytes)
+
+	buf.Write(authData)
+	buf.Write(uid)
+
+	h := a.hmac(a.userKey, buf.Bytes())
+	buf.Write(h[:1])
+	return buf.Bytes(), nil
+}
+
+func (a *authChain) getRC4CipherKey(hash []byte) []byte {
+	base64UserKey := base64.StdEncoding.EncodeToString(a.userKey)
+	return a.calcRC4CipherKey(hash, base64UserKey)
+}
+
+func (a *authChain) calcRC4CipherKey(hash []byte, base64UserKey string) []byte {
+	password := pool.Get(len(base64UserKey) + base64.StdEncoding.EncodedLen(16))
+	defer pool.Put(password)
+	copy(password, base64UserKey)
+	base64.StdEncoding.Encode(password[len(base64UserKey):], hash[:16])
+	return core.Kdf(string(password), 16)
+}
+
+func (a *authChain) initUserKeyAndID() {
+	if a.userKey == nil {
+		params := strings.Split(a.Param, ":")
+		if len(params) >= 2 {
+			if userID, err := strconv.ParseUint(params[0], 10, 32); err == nil {
+				binary.LittleEndian.PutUint32(a.uid[:], uint32(userID))
+				a.userKey = []byte(params[1])[:len(a.userKey)]
+			}
+		}
+
+		if a.userKey == nil {
+			rand.Read(a.uid[:])
+			a.userKey = make([]byte, len(a.Key))
+			copy(a.userKey, a.Key)
+		}
+	}
+}
+
+func (a *authChain) getClientRandLen(dataLength int, overhead int) int {
+	return a.rnd(dataLength, &a.randomClient, a.lastClientHash, a.dataSizeList, a.dataSizeList2, overhead)
+}
+
+func (a *authChain) getServerRandLen(dataLength int, overhead int) int {
+	return a.rnd(dataLength, &a.randomServer, a.lastServerHash, a.dataSizeList, a.dataSizeList2, overhead)
+}
+
+func (a *authChain) packedDataLen(data []byte) (chunkLength, randLength int) {
+	dataLength := len(data)
+	randLength = a.getClientRandLen(dataLength, a.Overhead)
+	chunkLength = randLength + dataLength + 2 + 2
+	return
+}
+
+func (a *authChain) packData(outData []byte, data []byte, randLength int) {
+	dataLength := len(data)
+	outLength := randLength + dataLength + 2
+	outData[0] = byte(dataLength) ^ a.lastClientHash[14]
+	outData[1] = byte(dataLength>>8) ^ a.lastClientHash[15]
+
+	{
+		if dataLength > 0 {
+			randPart1Length := getRandStartPos(&a.randomClient, randLength)
+			rand.Read(outData[2 : 2+randPart1Length])
+			a.enc.XORKeyStream(outData[2+randPart1Length:], data)
+			rand.Read(outData[2+randPart1Length+dataLength : outLength])
+		} else {
+			rand.Read(outData[2 : 2+randLength])
+		}
+	}
+
+	userKeyLen := uint8(len(a.userKey))
+	key := pool.Get(int(userKeyLen + 4))
+	defer pool.Put(key)
+	copy(key, a.userKey)
+	a.chunkID++
+	binary.LittleEndian.PutUint32(key[userKeyLen:], a.chunkID)
+	a.lastClientHash = a.hmac(key, outData[:outLength])
+	copy(outData[outLength:], a.lastClientHash[:2])
+}
+
+const authHeadLength = 4 + 8 + 4 + 16 + 4
+
+func (a *authChain) packAuthData(data []byte) (outData []byte) {
+	outData = make([]byte, authHeadLength, authHeadLength+1500)
+	a.mutex.Lock()
+	defer a.mutex.Unlock()
+	a.connectionID++
+	if a.connectionID > 0xFF000000 {
+		rand.Read(a.clientID)
+		b := make([]byte, 4)
+		rand.Read(b)
+		a.connectionID = binary.LittleEndian.Uint32(b) & 0xFFFFFF
+	}
+	var key = make([]byte, len(a.IV)+len(a.Key))
+	copy(key, a.IV)
+	copy(key[len(a.IV):], a.Key)
+
+	encrypt := make([]byte, 20)
+	t := time.Now().Unix()
+	binary.LittleEndian.PutUint32(encrypt[:4], uint32(t))
+	copy(encrypt[4:8], a.clientID)
+	binary.LittleEndian.PutUint32(encrypt[8:], a.connectionID)
+	binary.LittleEndian.PutUint16(encrypt[12:], uint16(a.Overhead))
+	binary.LittleEndian.PutUint16(encrypt[14:], 0)
+
+	// first 12 bytes
+	{
+		rand.Read(outData[:4])
+		a.lastClientHash = a.hmac(key, outData[:4])
+		copy(outData[4:], a.lastClientHash[:8])
+	}
+	var base64UserKey string
+	// uid & 16 bytes auth data
+	{
+		a.initUserKeyAndID()
+		uid := make([]byte, 4)
+		for i := 0; i < 4; i++ {
+			uid[i] = a.uid[i] ^ a.lastClientHash[8+i]
+		}
+		base64UserKey = base64.StdEncoding.EncodeToString(a.userKey)
+		aesCipherKey := core.Kdf(base64UserKey+a.salt, 16)
+		block, err := aes.NewCipher(aesCipherKey)
+		if err != nil {
+			return
+		}
+		encryptData := make([]byte, 16)
+		iv := make([]byte, aes.BlockSize)
+		cbc := cipher.NewCBCEncrypter(block, iv)
+		cbc.CryptBlocks(encryptData, encrypt[:16])
+		copy(encrypt[:4], uid[:])
+		copy(encrypt[4:4+16], encryptData)
+	}
+	// final HMAC
+	{
+		a.lastServerHash = a.hmac(a.userKey, encrypt[:20])
+
+		copy(outData[12:], encrypt)
+		copy(outData[12+20:], a.lastServerHash[:4])
+	}
+
+	// init cipher
+	cipherKey := a.calcRC4CipherKey(a.lastClientHash, base64UserKey)
+	a.enc, _ = rc4.NewCipher(cipherKey)
+	a.dec, _ = rc4.NewCipher(cipherKey)
+
+	// data
+	chunkLength, randLength := a.packedDataLen(data)
+	if chunkLength <= 1500 {
+		outData = outData[:authHeadLength+chunkLength]
+	} else {
+		newOutData := make([]byte, authHeadLength+chunkLength)
+		copy(newOutData, outData[:authHeadLength])
+		outData = newOutData
+	}
+	a.packData(outData[authHeadLength:], data, randLength)
+	return
+}
+
+func getRandStartPos(random *shift128PlusContext, randLength int) int {
+	if randLength > 0 {
+		return int(random.Next() % 8589934609 % uint64(randLength))
+	}
+	return 0
+}
+
+func authChainAGetRandLen(dataLength int, random *shift128PlusContext, lastHash []byte, dataSizeList, dataSizeList2 []int, overhead int) int {
+	if dataLength > 1440 {
+		return 0
+	}
+	random.InitFromBinDatalen(lastHash[:16], dataLength)
+	if dataLength > 1300 {
+		return int(random.Next() % 31)
+	}
+	if dataLength > 900 {
+		return int(random.Next() % 127)
+	}
+	if dataLength > 400 {
+		return int(random.Next() % 521)
+	}
+	return int(random.Next() % 1021)
+}
+
+func udpGetRandLen(random *shift128PlusContext, lastHash []byte) int {
+	random.InitFromBin(lastHash[:16])
+	return int(random.Next() % 127)
+}
+
+type shift128PlusContext struct {
+	v [2]uint64
+}
+
+func (ctx *shift128PlusContext) InitFromBin(bin []byte) {
+	var fillBin [16]byte
+	copy(fillBin[:], bin)
+
+	ctx.v[0] = binary.LittleEndian.Uint64(fillBin[:8])
+	ctx.v[1] = binary.LittleEndian.Uint64(fillBin[8:])
+}
+
+func (ctx *shift128PlusContext) InitFromBinDatalen(bin []byte, datalen int) {
+	var fillBin [16]byte
+	copy(fillBin[:], bin)
+	binary.LittleEndian.PutUint16(fillBin[:2], uint16(datalen))
+
+	ctx.v[0] = binary.LittleEndian.Uint64(fillBin[:8])
+	ctx.v[1] = binary.LittleEndian.Uint64(fillBin[8:])
+
+	for i := 0; i < 4; i++ {
+		ctx.Next()
+	}
+}
+
+func (ctx *shift128PlusContext) Next() uint64 {
+	x := ctx.v[0]
+	y := ctx.v[1]
+	ctx.v[0] = y
+	x ^= x << 23
+	x ^= y ^ (x >> 17) ^ (y >> 26)
+	ctx.v[1] = x
+	return x + y
+}

component/ssr/protocol/auth_chain_b.go

@@ -0,0 +1,72 @@
+package protocol
+
+import (
+	"sort"
+
+	"github.com/Dreamacro/clash/component/ssr/tools"
+)
+
+func init() {
+	register("auth_chain_b", newAuthChainB)
+}
+
+func newAuthChainB(b *Base) Protocol {
+	return &authChain{
+		Base:       b,
+		authData:   &authData{},
+		salt:       "auth_chain_b",
+		hmac:       tools.HmacMD5,
+		hashDigest: tools.SHA1Sum,
+		rnd:        authChainBGetRandLen,
+	}
+}
+
+func initDataSize(r *authChain) {
+	random := &r.randomServer
+	random.InitFromBin(r.Key)
+	len := random.Next()%8 + 4
+	r.dataSizeList = make([]int, len)
+	for i := 0; i < int(len); i++ {
+		r.dataSizeList[i] = int(random.Next() % 2340 % 2040 % 1440)
+	}
+	sort.Ints(r.dataSizeList)
+
+	len = random.Next()%16 + 8
+	r.dataSizeList2 = make([]int, len)
+	for i := 0; i < int(len); i++ {
+		r.dataSizeList2[i] = int(random.Next() % 2340 % 2040 % 1440)
+	}
+	sort.Ints(r.dataSizeList2)
+}
+
+func authChainBGetRandLen(dataLength int, random *shift128PlusContext, lastHash []byte, dataSizeList, dataSizeList2 []int, overhead int) int {
+	if dataLength > 1440 {
+		return 0
+	}
+	random.InitFromBinDatalen(lastHash[:16], dataLength)
+	pos := sort.Search(len(dataSizeList), func(i int) bool { return dataSizeList[i] > dataLength+overhead })
+	finalPos := uint64(pos) + random.Next()%uint64(len(dataSizeList))
+	if finalPos < uint64(len(dataSizeList)) {
+		return dataSizeList[finalPos] - dataLength - overhead
+	}
+
+	pos = sort.Search(len(dataSizeList2), func(i int) bool { return dataSizeList2[i] > dataLength+overhead })
+	finalPos = uint64(pos) + random.Next()%uint64(len(dataSizeList2))
+	if finalPos < uint64(len(dataSizeList2)) {
+		return dataSizeList2[finalPos] - dataLength - overhead
+	}
+	if finalPos < uint64(pos+len(dataSizeList2)-1) {
+		return 0
+	}
+
+	if dataLength > 1300 {
+		return int(random.Next() % 31)
+	}
+	if dataLength > 900 {
+		return int(random.Next() % 127)
+	}
+	if dataLength > 400 {
+		return int(random.Next() % 521)
+	}
+	return int(random.Next() % 1021)
+}

component/ssr/protocol/auth_sha1_v4.go

@@ -0,0 +1,253 @@
+package protocol
+
+import (
+	"bytes"
+	"encoding/binary"
+	"hash/adler32"
+	"hash/crc32"
+	"math/rand"
+	"time"
+
+	"github.com/Dreamacro/clash/common/pool"
+	"github.com/Dreamacro/clash/component/ssr/tools"
+)
+
+type authSHA1V4 struct {
+	*Base
+	*authData
+	headerSent bool
+	buffer     bytes.Buffer
+}
+
+func init() {
+	register("auth_sha1_v4", newAuthSHA1V4)
+}
+
+func newAuthSHA1V4(b *Base) Protocol {
+	return &authSHA1V4{Base: b, authData: &authData{}}
+}
+
+func (a *authSHA1V4) initForConn(iv []byte) Protocol {
+	return &authSHA1V4{
+		Base: &Base{
+			IV:       iv,
+			Key:      a.Key,
+			TCPMss:   a.TCPMss,
+			Overhead: a.Overhead,
+			Param:    a.Param,
+		},
+		authData: a.authData,
+	}
+}
+
+func (a *authSHA1V4) GetProtocolOverhead() int {
+	return 7
+}
+
+func (a *authSHA1V4) SetOverhead(overhead int) {
+	a.Overhead = overhead
+}
+
+func (a *authSHA1V4) Decode(b []byte) ([]byte, int, error) {
+	a.buffer.Reset()
+	bSize := len(b)
+	originalSize := bSize
+	for bSize > 4 {
+		crc := crc32.ChecksumIEEE(b[:2]) & 0xFFFF
+		if binary.LittleEndian.Uint16(b[2:4]) != uint16(crc) {
+			return nil, 0, errAuthSHA1v4CRC32Error
+		}
+		length := int(binary.BigEndian.Uint16(b[:2]))
+		if length >= 8192 || length < 8 {
+			return nil, 0, errAuthSHA1v4DataLengthError
+		}
+		if length > bSize {
+			break
+		}
+
+		if adler32.Checksum(b[:length-4]) == binary.LittleEndian.Uint32(b[length-4:]) {
+			pos := int(b[4])
+			if pos != 0xFF {
+				pos += 4
+			} else {
+				pos = int(binary.BigEndian.Uint16(b[5:5+2])) + 4
+			}
+			retSize := length - pos - 4
+			a.buffer.Write(b[pos : pos+retSize])
+			bSize -= length
+			b = b[length:]
+		} else {
+			return nil, 0, errAuthSHA1v4IncorrectChecksum
+		}
+	}
+	return a.buffer.Bytes(), originalSize - bSize, nil
+}
+
+func (a *authSHA1V4) Encode(b []byte) ([]byte, error) {
+	a.buffer.Reset()
+	bSize := len(b)
+	offset := 0
+	if !a.headerSent && bSize > 0 {
+		headSize := getHeadSize(b, 30)
+		if headSize > bSize {
+			headSize = bSize
+		}
+		a.buffer.Write(a.packAuthData(b[:headSize]))
+		offset += headSize
+		bSize -= headSize
+		a.headerSent = true
+	}
+	const blockSize = 4096
+	for bSize > blockSize {
+		packSize, randSize := a.packedDataSize(b[offset : offset+blockSize])
+		pack := pool.Get(packSize)
+		a.packData(b[offset:offset+blockSize], pack, randSize)
+		a.buffer.Write(pack)
+		pool.Put(pack)
+		offset += blockSize
+		bSize -= blockSize
+	}
+	if bSize > 0 {
+		packSize, randSize := a.packedDataSize(b[offset:])
+		pack := pool.Get(packSize)
+		a.packData(b[offset:], pack, randSize)
+		a.buffer.Write(pack)
+		pool.Put(pack)
+	}
+	return a.buffer.Bytes(), nil
+}
+
+func (a *authSHA1V4) DecodePacket(b []byte) ([]byte, int, error) {
+	return b, len(b), nil
+}
+
+func (a *authSHA1V4) EncodePacket(b []byte) ([]byte, error) {
+	return b, nil
+}
+
+func (a *authSHA1V4) packedDataSize(data []byte) (packSize, randSize int) {
+	dataSize := len(data)
+	randSize = 1
+	if dataSize <= 1300 {
+		if dataSize > 400 {
+			randSize += rand.Intn(128)
+		} else {
+			randSize += rand.Intn(1024)
+		}
+	}
+	packSize = randSize + dataSize + 8
+	return
+}
+
+func (a *authSHA1V4) packData(data, ret []byte, randSize int) {
+	dataSize := len(data)
+	retSize := len(ret)
+	// 0~1, ret size
+	binary.BigEndian.PutUint16(ret[:2], uint16(retSize&0xFFFF))
+	// 2~3, crc of ret size
+	crc := crc32.ChecksumIEEE(ret[:2]) & 0xFFFF
+	binary.LittleEndian.PutUint16(ret[2:4], uint16(crc))
+	// 4, rand size
+	if randSize < 128 {
+		ret[4] = uint8(randSize & 0xFF)
+	} else {
+		ret[4] = uint8(0xFF)
+		binary.BigEndian.PutUint16(ret[5:7], uint16(randSize&0xFFFF))
+	}
+	// (rand size+4)~(ret size-4), data
+	if dataSize > 0 {
+		copy(ret[randSize+4:], data)
+	}
+	// (ret size-4)~end, adler32 of full data
+	adler := adler32.Checksum(ret[:retSize-4])
+	binary.LittleEndian.PutUint32(ret[retSize-4:], adler)
+}
+
+func (a *authSHA1V4) packAuthData(data []byte) (ret []byte) {
+	dataSize := len(data)
+	randSize := 1
+	if dataSize <= 1300 {
+		if dataSize > 400 {
+			randSize += rand.Intn(128)
+		} else {
+			randSize += rand.Intn(1024)
+		}
+	}
+	dataOffset := randSize + 4 + 2
+	retSize := dataOffset + dataSize + 12 + tools.HmacSHA1Len
+	ret = make([]byte, retSize)
+	a.mutex.Lock()
+	defer a.mutex.Unlock()
+	a.connectionID++
+	if a.connectionID > 0xFF000000 {
+		a.clientID = nil
+	}
+	if len(a.clientID) == 0 {
+		a.clientID = make([]byte, 8)
+		rand.Read(a.clientID)
+		b := make([]byte, 4)
+		rand.Read(b)
+		a.connectionID = binary.LittleEndian.Uint32(b) & 0xFFFFFF
+	}
+	// 0~1, ret size
+	binary.BigEndian.PutUint16(ret[:2], uint16(retSize&0xFFFF))
+
+	// 2~6, crc of (ret size+salt+key)
+	salt := []byte("auth_sha1_v4")
+	crcData := make([]byte, len(salt)+len(a.Key)+2)
+	copy(crcData[:2], ret[:2])
+	copy(crcData[2:], salt)
+	copy(crcData[2+len(salt):], a.Key)
+	crc := crc32.ChecksumIEEE(crcData) & 0xFFFFFFFF
+	// 2~6, crc of (ret size+salt+key)
+	binary.LittleEndian.PutUint32(ret[2:], crc)
+	// 6~(rand size+6), rand numbers
+	rand.Read(ret[dataOffset-randSize : dataOffset])
+	// 6, rand size
+	if randSize < 128 {
+		ret[6] = byte(randSize & 0xFF)
+	} else {
+		// 6, magic number 0xFF
+		ret[6] = 0xFF
+		// 7~8, rand size
+		binary.BigEndian.PutUint16(ret[7:9], uint16(randSize&0xFFFF))
+	}
+	// rand size+6~(rand size+10), time stamp
+	now := time.Now().Unix()
+	binary.LittleEndian.PutUint32(ret[dataOffset:dataOffset+4], uint32(now))
+	// rand size+10~(rand size+14), client ID
+	copy(ret[dataOffset+4:dataOffset+4+4], a.clientID[:4])
+	// rand size+14~(rand size+18), connection ID
+	binary.LittleEndian.PutUint32(ret[dataOffset+8:dataOffset+8+4], a.connectionID)
+	// rand size+18~(rand size+18)+data length, data
+	copy(ret[dataOffset+12:], data)
+
+	key := make([]byte, len(a.IV)+len(a.Key))
+	copy(key, a.IV)
+	copy(key[len(a.IV):], a.Key)
+
+	h := tools.HmacSHA1(key, ret[:retSize-tools.HmacSHA1Len])
+	// (ret size-10)~(ret size)/(rand size)+18+data length~end, hmac
+	copy(ret[retSize-tools.HmacSHA1Len:], h[:tools.HmacSHA1Len])
+	return ret
+}
+
+func getHeadSize(data []byte, defaultValue int) int {
+	if data == nil || len(data) < 2 {
+		return defaultValue
+	}
+	headType := data[0] & 0x07
+	switch headType {
+	case 1:
+		// IPv4 1+4+2
+		return 7
+	case 4:
+		// IPv6 1+16+2
+		return 19
+	case 3:
+		// domain name, variant length
+		return 4 + int(data[1])
+	}
+
+	return defaultValue
+}

component/ssr/protocol/base.go

@@ -0,0 +1,10 @@
+package protocol
+
+// Base information for protocol
+type Base struct {
+	IV       []byte
+	Key      []byte
+	TCPMss   int
+	Overhead int
+	Param    string
+}

component/ssr/protocol/origin.go

@@ -0,0 +1,36 @@
+package protocol
+
+type origin struct{ *Base }
+
+func init() {
+	register("origin", newOrigin)
+}
+
+func newOrigin(b *Base) Protocol {
+	return &origin{}
+}
+
+func (o *origin) initForConn(iv []byte) Protocol { return &origin{} }
+
+func (o *origin) GetProtocolOverhead() int {
+	return 0
+}
+
+func (o *origin) SetOverhead(overhead int) {
+}
+
+func (o *origin) Decode(b []byte) ([]byte, int, error) {
+	return b, len(b), nil
+}
+
+func (o *origin) Encode(b []byte) ([]byte, error) {
+	return b, nil
+}
+
+func (o *origin) DecodePacket(b []byte) ([]byte, int, error) {
+	return b, len(b), nil
+}
+
+func (o *origin) EncodePacket(b []byte) ([]byte, error) {
+	return b, nil
+}

component/ssr/protocol/packet.go

@@ -0,0 +1,42 @@
+package protocol
+
+import (
+	"net"
+
+	"github.com/Dreamacro/clash/common/pool"
+)
+
+// NewPacketConn returns a net.NewPacketConn with protocol decoding/encoding
+func NewPacketConn(pc net.PacketConn, p Protocol) net.PacketConn {
+	return &PacketConn{PacketConn: pc, Protocol: p.initForConn(nil)}
+}
+
+// PacketConn represents a protocol packet connection
+type PacketConn struct {
+	net.PacketConn
+	Protocol
+}
+
+func (c *PacketConn) WriteTo(b []byte, addr net.Addr) (int, error) {
+	buf := pool.Get(pool.RelayBufferSize)
+	defer pool.Put(buf)
+	buf, err := c.EncodePacket(b)
+	if err != nil {
+		return 0, err
+	}
+	_, err = c.PacketConn.WriteTo(buf, addr)
+	return len(b), err
+}
+
+func (c *PacketConn) ReadFrom(b []byte) (int, net.Addr, error) {
+	n, addr, err := c.PacketConn.ReadFrom(b)
+	if err != nil {
+		return n, addr, err
+	}
+	bb, length, err := c.DecodePacket(b[:n])
+	if err != nil {
+		return n, addr, err
+	}
+	copy(b, bb)
+	return length, addr, err
+}

component/ssr/protocol/protocol.go

@@ -0,0 +1,63 @@
+package protocol
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"strings"
+	"sync"
+)
+
+var (
+	errAuthAES128IncorrectMAC      = errors.New("auth_aes128_* post decrypt incorrect mac")
+	errAuthAES128DataLengthError   = errors.New("auth_aes128_* post decrypt length mismatch")
+	errAuthAES128IncorrectChecksum = errors.New("auth_aes128_* post decrypt incorrect checksum")
+	errAuthAES128PositionTooLarge  = errors.New("auth_aes128_* post decrypt position is too large")
+	errAuthSHA1v4CRC32Error        = errors.New("auth_sha1_v4 post decrypt data crc32 error")
+	errAuthSHA1v4DataLengthError   = errors.New("auth_sha1_v4 post decrypt data length error")
+	errAuthSHA1v4IncorrectChecksum = errors.New("auth_sha1_v4 post decrypt incorrect checksum")
+	errAuthChainDataLengthError    = errors.New("auth_chain_* post decrypt length mismatch")
+	errAuthChainHMACError          = errors.New("auth_chain_* post decrypt hmac error")
+)
+
+type authData struct {
+	clientID     []byte
+	connectionID uint32
+	mutex        sync.Mutex
+}
+
+type recvInfo struct {
+	recvID uint32
+	buffer *bytes.Buffer
+}
+
+type hmacMethod func(key []byte, data []byte) []byte
+type hashDigestMethod func(data []byte) []byte
+type rndMethod func(dataSize int, random *shift128PlusContext, lastHash []byte, dataSizeList, dataSizeList2 []int, overhead int) int
+
+// Protocol provides methods for decoding, encoding and iv setting
+type Protocol interface {
+	initForConn(iv []byte) Protocol
+	GetProtocolOverhead() int
+	SetOverhead(int)
+	Decode([]byte) ([]byte, int, error)
+	Encode([]byte) ([]byte, error)
+	DecodePacket([]byte) ([]byte, int, error)
+	EncodePacket([]byte) ([]byte, error)
+}
+
+type protocolCreator func(b *Base) Protocol
+
+var protocolList = make(map[string]protocolCreator)
+
+func register(name string, c protocolCreator) {
+	protocolList[name] = c
+}
+
+// PickProtocol returns a protocol of the given name
+func PickProtocol(name string, b *Base) (Protocol, error) {
+	if protocolCreator, ok := protocolList[strings.ToLower(name)]; ok {
+		return protocolCreator(b), nil
+	}
+	return nil, fmt.Errorf("Protocol %s not supported", name)
+}

component/ssr/protocol/stream.go

@@ -0,0 +1,68 @@
+package protocol
+
+import (
+	"bytes"
+	"net"
+
+	"github.com/Dreamacro/clash/common/pool"
+)
+
+// NewConn wraps a stream-oriented net.Conn with protocol decoding/encoding
+func NewConn(c net.Conn, p Protocol, iv []byte) net.Conn {
+	return &Conn{Conn: c, Protocol: p.initForConn(iv)}
+}
+
+// Conn represents a protocol connection
+type Conn struct {
+	net.Conn
+	Protocol
+	buf          []byte
+	offset       int
+	underDecoded bytes.Buffer
+}
+
+func (c *Conn) Read(b []byte) (int, error) {
+	if c.buf != nil {
+		n := copy(b, c.buf[c.offset:])
+		c.offset += n
+		if c.offset == len(c.buf) {
+			c.buf = nil
+		}
+		return n, nil
+	}
+	buf := pool.Get(pool.RelayBufferSize)
+	defer pool.Put(buf)
+	n, err := c.Conn.Read(buf)
+	if err != nil {
+		return 0, err
+	}
+	c.underDecoded.Write(buf[:n])
+	underDecoded := c.underDecoded.Bytes()
+	decoded, length, err := c.Decode(underDecoded)
+	if err != nil {
+		c.underDecoded.Reset()
+		return 0, nil
+	}
+	if length == 0 {
+		return 0, nil
+	}
+	c.underDecoded.Next(length)
+	n = copy(b, decoded)
+	if len(decoded) > len(b) {
+		c.buf = decoded
+		c.offset = n
+	}
+	return n, nil
+}
+
+func (c *Conn) Write(b []byte) (int, error) {
+	encoded, err := c.Encode(b)
+	if err != nil {
+		return 0, err
+	}
+	_, err = c.Conn.Write(encoded)
+	if err != nil {
+		return 0, err
+	}
+	return len(b), nil
+}

component/ssr/tools/encrypt.go

@@ -0,0 +1,33 @@
+package tools
+
+import (
+	"crypto/hmac"
+	"crypto/md5"
+	"crypto/sha1"
+)
+
+const HmacSHA1Len = 10
+
+func HmacMD5(key, data []byte) []byte {
+	hmacMD5 := hmac.New(md5.New, key)
+	hmacMD5.Write(data)
+	return hmacMD5.Sum(nil)[:16]
+}
+
+func HmacSHA1(key, data []byte) []byte {
+	hmacSHA1 := hmac.New(sha1.New, key)
+	hmacSHA1.Write(data)
+	return hmacSHA1.Sum(nil)[:20]
+}
+
+func MD5Sum(b []byte) []byte {
+	h := md5.New()
+	h.Write(b)
+	return h.Sum(nil)
+}
+
+func SHA1Sum(b []byte) []byte {
+	h := sha1.New()
+	h.Write(b)
+	return h.Sum(nil)
+}

component/trie/domain.go

@@ -0,0 +1,135 @@
+package trie
+
+import (
+	"errors"
+	"strings"
+)
+
+const (
+	wildcard        = "*"
+	dotWildcard     = ""
+	complexWildcard = "+"
+	domainStep      = "."
+)
+
+var (
+	// ErrInvalidDomain means insert domain is invalid
+	ErrInvalidDomain = errors.New("invalid domain")
+)
+
+// DomainTrie contains the main logic for adding and searching nodes for domain segments.
+// support wildcard domain (e.g *.google.com)
+type DomainTrie struct {
+	root *Node
+}
+
+func validAndSplitDomain(domain string) ([]string, bool) {
+	if domain != "" && domain[len(domain)-1] == '.' {
+		return nil, false
+	}
+
+	parts := strings.Split(domain, domainStep)
+	if len(parts) == 1 {
+		if parts[0] == "" {
+			return nil, false
+		}
+
+		return parts, true
+	}
+
+	for _, part := range parts[1:] {
+		if part == "" {
+			return nil, false
+		}
+	}
+
+	return parts, true
+}
+
+// Insert adds a node to the trie.
+// Support
+// 1. www.example.com
+// 2. *.example.com
+// 3. subdomain.*.example.com
+// 4. .example.com
+// 5. +.example.com
+func (t *DomainTrie) Insert(domain string, data interface{}) error {
+	parts, valid := validAndSplitDomain(domain)
+	if !valid {
+		return ErrInvalidDomain
+	}
+
+	if parts[0] == complexWildcard {
+		t.insert(parts[1:], data)
+		parts[0] = dotWildcard
+		t.insert(parts, data)
+	} else {
+		t.insert(parts, data)
+	}
+
+	return nil
+}
+
+func (t *DomainTrie) insert(parts []string, data interface{}) {
+	node := t.root
+	// reverse storage domain part to save space
+	for i := len(parts) - 1; i >= 0; i-- {
+		part := parts[i]
+		if !node.hasChild(part) {
+			node.addChild(part, newNode(nil))
+		}
+
+		node = node.getChild(part)
+	}
+
+	node.Data = data
+}
+
+// Search is the most important part of the Trie.
+// Priority as:
+// 1. static part
+// 2. wildcard domain
+// 2. dot wildcard domain
+func (t *DomainTrie) Search(domain string) *Node {
+	parts, valid := validAndSplitDomain(domain)
+	if !valid || parts[0] == "" {
+		return nil
+	}
+
+	n := t.search(t.root, parts)
+
+	if n == nil || n.Data == nil {
+		return nil
+	}
+
+	return n
+}
+
+func (t *DomainTrie) search(node *Node, parts []string) *Node {
+	if len(parts) == 0 {
+		return node
+	}
+
+	if c := node.getChild(parts[len(parts)-1]); c != nil {
+		if n := t.search(c, parts[:len(parts)-1]); n != nil {
+			return n
+		}
+	}
+
+	if c := node.getChild(wildcard); c != nil {
+		if n := t.search(c, parts[:len(parts)-1]); n != nil {
+			return n
+		}
+	}
+
+	if c := node.getChild(dotWildcard); c != nil {
+		return c
+	}
+
+	return nil
+}
+
+// New returns a new, empty Trie.
+func New() *DomainTrie {
+	return &DomainTrie{root: newNode(nil)}
+}

component/trie/domain_test.go

@@ -0,0 +1,99 @@
+package trie
+
+import (
+	"net"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+var localIP = net.IP{127, 0, 0, 1}
+
+func TestTrie_Basic(t *testing.T) {
+	tree := New()
+	domains := []string{
+		"example.com",
+		"google.com",
+		"localhost",
+	}
+
+	for _, domain := range domains {
+		tree.Insert(domain, localIP)
+	}
+
+	node := tree.Search("example.com")
+	assert.NotNil(t, node)
+	assert.True(t, node.Data.(net.IP).Equal(localIP))
+	assert.NotNil(t, tree.Insert("", localIP))
+	assert.Nil(t, tree.Search(""))
+	assert.NotNil(t, tree.Search("localhost"))
+	assert.Nil(t, tree.Search("www.google.com"))
+}
+
+func TestTrie_Wildcard(t *testing.T) {
+	tree := New()
+	domains := []string{
+		"*.example.com",
+		"sub.*.example.com",
+		"*.dev",
+		".org",
+		".example.net",
+		".apple.*",
+		"+.foo.com",
+		"+.stun.*.*",
+		"+.stun.*.*.*",
+		"+.stun.*.*.*.*",
+		"stun.l.google.com",
+	}
+
+	for _, domain := range domains {
+		tree.Insert(domain, localIP)
+	}
+
+	assert.NotNil(t, tree.Search("sub.example.com"))
+	assert.NotNil(t, tree.Search("sub.foo.example.com"))
+	assert.NotNil(t, tree.Search("test.org"))
+	assert.NotNil(t, tree.Search("test.example.net"))
+	assert.NotNil(t, tree.Search("test.apple.com"))
+	assert.NotNil(t, tree.Search("test.foo.com"))
+	assert.NotNil(t, tree.Search("foo.com"))
+	assert.NotNil(t, tree.Search("global.stun.website.com"))
+	assert.Nil(t, tree.Search("foo.sub.example.com"))
+	assert.Nil(t, tree.Search("foo.example.dev"))
+	assert.Nil(t, tree.Search("example.com"))
+}
+
+func TestTrie_Priority(t *testing.T) {
+	tree := New()
+	domains := []string{
+		".dev",
+		"example.dev",
+		"*.example.dev",
+		"test.example.dev",
+	}
+
+	assertFn := func(domain string, data int) {
+		node := tree.Search(domain)
+		assert.NotNil(t, node)
+		assert.Equal(t, data, node.Data)
+	}
+
+	for idx, domain := range domains {
+		tree.Insert(domain, idx)
+	}
+
+	assertFn("test.dev", 0)
+	assertFn("foo.bar.dev", 0)
+	assertFn("example.dev", 1)
+	assertFn("foo.example.dev", 2)
+	assertFn("test.example.dev", 3)
+}
+
+func TestTrie_Boundary(t *testing.T) {
+	tree := New()
+	tree.Insert("*.dev", localIP)
+
+	assert.NotNil(t, tree.Insert(".", localIP))
+	assert.NotNil(t, tree.Insert("..dev", localIP))
+	assert.Nil(t, tree.Search("dev"))
+}

component/trojan/trojan.go

@@ -0,0 +1,223 @@
+package trojan
+
+import (
+	"bytes"
+	"crypto/sha256"
+	"crypto/tls"
+	"encoding/binary"
+	"encoding/hex"
+	"errors"
+	"io"
+	"net"
+	"sync"
+
+	"github.com/Dreamacro/clash/component/socks5"
+)
+
+const (
+	// max packet length
+	maxLength = 8192
+)
+
+var (
+	defaultALPN = []string{"h2", "http/1.1"}
+	crlf        = []byte{'\r', '\n'}
+
+	bufPool = sync.Pool{New: func() interface{} { return &bytes.Buffer{} }}
+)
+
+type Command = byte
+
+var (
+	CommandTCP byte = 1
+	CommandUDP byte = 3
+)
+
+type Option struct {
+	Password           string
+	ALPN               []string
+	ServerName         string
+	SkipCertVerify     bool
+	ClientSessionCache tls.ClientSessionCache
+}
+
+type Trojan struct {
+	option      *Option
+	hexPassword []byte
+}
+
+func (t *Trojan) StreamConn(conn net.Conn) (net.Conn, error) {
+	alpn := defaultALPN
+	if len(t.option.ALPN) != 0 {
+		alpn = t.option.ALPN
+	}
+
+	tlsConfig := &tls.Config{
+		NextProtos:         alpn,
+		MinVersion:         tls.VersionTLS12,
+		InsecureSkipVerify: t.option.SkipCertVerify,
+		ServerName:         t.option.ServerName,
+		ClientSessionCache: t.option.ClientSessionCache,
+	}
+
+	tlsConn := tls.Client(conn, tlsConfig)
+	if err := tlsConn.Handshake(); err != nil {
+		return nil, err
+	}
+
+	return tlsConn, nil
+}
+
+func (t *Trojan) WriteHeader(w io.Writer, command Command, socks5Addr []byte) error {
+	buf := bufPool.Get().(*bytes.Buffer)
+	defer bufPool.Put(buf)
+	defer buf.Reset()
+
+	buf.Write(t.hexPassword)
+	buf.Write(crlf)
+
+	buf.WriteByte(command)
+	buf.Write(socks5Addr)
+	buf.Write(crlf)
+
+	_, err := w.Write(buf.Bytes())
+	return err
+}
+
+func (t *Trojan) PacketConn(conn net.Conn) net.PacketConn {
+	return &PacketConn{
+		Conn: conn,
+	}
+}
+
+func writePacket(w io.Writer, socks5Addr, payload []byte) (int, error) {
+	buf := bufPool.Get().(*bytes.Buffer)
+	defer bufPool.Put(buf)
+	defer buf.Reset()
+
+	buf.Write(socks5Addr)
+	binary.Write(buf, binary.BigEndian, uint16(len(payload)))
+	buf.Write(crlf)
+	buf.Write(payload)
+
+	return w.Write(buf.Bytes())
+}
+
+func WritePacket(w io.Writer, socks5Addr, payload []byte) (int, error) {
+	if len(payload) <= maxLength {
+		return writePacket(w, socks5Addr, payload)
+	}
+
+	offset := 0
+	total := len(payload)
+	for {
+		cursor := offset + maxLength
+		if cursor > total {
+			cursor = total
+		}
+
+		n, err := writePacket(w, socks5Addr, payload[offset:cursor])
+		if err != nil {
+			return offset + n, err
+		}
+
+		offset = cursor
+		if offset == total {
+			break
+		}
+	}
+
+	return total, nil
+}
+
+func ReadPacket(r io.Reader, payload []byte) (net.Addr, int, int, error) {
+	addr, err := socks5.ReadAddr(r, payload)
+	if err != nil {
+		return nil, 0, 0, errors.New("read addr error")
+	}
+	uAddr := addr.UDPAddr()
+
+	if _, err = io.ReadFull(r, payload[:2]); err != nil {
+		return nil, 0, 0, errors.New("read length error")
+	}
+
+	total := int(binary.BigEndian.Uint16(payload[:2]))
+	if total > maxLength {
+		return nil, 0, 0, errors.New("packet invalid")
+	}
+
+	// read crlf
+	if _, err = io.ReadFull(r, payload[:2]); err != nil {
+		return nil, 0, 0, errors.New("read crlf error")
+	}
+
+	length := len(payload)
+	if total < length {
+		length = total
+	}
+
+	if _, err = io.ReadFull(r, payload[:length]); err != nil {
+		return nil, 0, 0, errors.New("read packet error")
+	}
+
+	return uAddr, length, total - length, nil
+}
+
+func New(option *Option) *Trojan {
+	return &Trojan{option, hexSha224([]byte(option.Password))}
+}
+
+type PacketConn struct {
+	net.Conn
+	remain int
+	rAddr  net.Addr
+	mux    sync.Mutex
+}
+
+func (pc *PacketConn) WriteTo(b []byte, addr net.Addr) (int, error) {
+	return WritePacket(pc, socks5.ParseAddr(addr.String()), b)
+}
+
+func (pc *PacketConn) ReadFrom(b []byte) (int, net.Addr, error) {
+	pc.mux.Lock()
+	defer pc.mux.Unlock()
+	if pc.remain != 0 {
+		length := len(b)
+		if pc.remain < length {
+			length = pc.remain
+		}
+
+		n, err := pc.Conn.Read(b[:length])
+		if err != nil {
+			return 0, nil, err
+		}
+
+		pc.remain -= n
+		addr := pc.rAddr
+		if pc.remain == 0 {
+			pc.rAddr = nil
+		}
+
+		return n, addr, nil
+	}
+
+	addr, n, remain, err := ReadPacket(pc.Conn, b)
+	if err != nil {
+		return 0, nil, err
+	}
+
+	if remain != 0 {
+		pc.remain = remain
+		pc.rAddr = addr
+	}
+
+	return n, addr, nil
+}
+
+func hexSha224(data []byte) []byte {
+	buf := make([]byte, 56)
+	hash := sha256.New224()
+	hash.Write(data)
+	hex.Encode(buf, hash.Sum(nil))
+	return buf
+}

component/v2ray-plugin/websocket.go

@@ -10,11 +10,14 @@ import (
 
 // Option is options of websocket obfs
 type Option struct {
-	Host      string
-	Path      string
-	Headers   map[string]string
-	TLSConfig *tls.Config
-	Mux       bool
+	Host           string
+	Port           string
+	Path           string
+	Headers        map[string]string
+	TLS            bool
+	SkipCertVerify bool
+	SessionCache   tls.ClientSessionCache
+	Mux            bool
 }
 
 // NewV2rayObfs return a HTTPObfs
@@ -25,15 +28,17 @@ func NewV2rayObfs(conn net.Conn, option *Option) (net.Conn, error) {
 	}
 
 	config := &vmess.WebsocketConfig{
-		Host:      option.Host,
-		Path:      option.Path,
-		TLS:       option.TLSConfig != nil,
-		Headers:   header,
-		TLSConfig: option.TLSConfig,
+		Host:           option.Host,
+		Port:           option.Port,
+		Path:           option.Path,
+		TLS:            option.TLS,
+		Headers:        header,
+		SkipCertVerify: option.SkipCertVerify,
+		SessionCache:   option.SessionCache,
 	}
 
 	var err error
-	conn, err = vmess.NewWebsocketConn(conn, config)
+	conn, err = vmess.StreamWebsocketConn(conn, config)
 	if err != nil {
 		return nil, err
 	}