Chore: cache process name when resolve failed (#900)

* Refactor ssr stream cipher to expose iv and key

References:
https://github.com/Dreamacro/go-shadowsocks2
https://github.com/sh4d0wfiend/go-shadowsocksr2

* Implement ssr obfs

Reference:
https://github.com/mzz2017/shadowsocksR

* Implement ssr protocol

References:
https://github.com/mzz2017/shadowsocksR
https://github.com/shadowsocksRb/shadowsocksr-libev
https://github.com/shadowsocksr-backup/shadowsocksr

.github/ISSUE_TEMPLATE/bug_report.md

@@ -7,48 +7,54 @@ assignees: ''
 
 ---
 
-<!-- The English version is available. -->
+<!--
 感谢你向 Clash Core 提交 issue！
 在提交之前，请确认：
 
-- [ ] 我已经在 [Issue Tracker](……/) 中找过我要提出的问题
-- [ ] 这是 Clash 核心的问题，并非我所使用的 Clash 衍生版本（如 Openclash、Koolclash 等）的特定问题
-- [ ] 我已经使用 Clash core 的 dev 分支版本测试过，问题依旧存在
 - [ ] 如果你可以自己 debug 并解决的话，提交 PR 吧！
+- [ ] 我已经在 [Issue Tracker](……/) 中找过我要提出的问题
+- [ ] 我已经使用 dev 分支版本测试过，问题依旧存在
+- [ ] 我已经仔细看过 [Documentation](https://github.com/Dreamacro/clash/wiki/) 并无法自行解决问题
+- [ ] 这是 Clash 核心的问题，并非我所使用的 Clash 衍生版本（如 OpenClash、KoolClash 等）的特定问题
 
 请注意，如果你并没有遵照这个 issue template 填写内容，我们将直接关闭这个 issue。
 
-<!--
-Thanks for submitting an issue towards the Clash core!
+Thanks for opening an issue towards the Clash core!
 But before so, please do the following checklist:
 
 - [ ] Is this something you can **debug and fix**? Send a pull request! Bug fixes and documentation fixes are welcome.
-- [ ] Your issue may already be reported! Please search on the [issue tracker](……/) before creating one.
+- [ ] I have searched on the [issue tracker](……/) for a related issue.
 - [ ] I have tested using the dev branch, and the issue still exists.
-- [ ] This is an issue related to the Clash core, not to the derivatives of Clash, like Openclash or Koolclash
+- [ ] I have read the [documentation](https://github.com/Dreamacro/clash/wiki/) and was unable to solve the issue
+- [ ] This is an issue of the Clash core *per se*, not to the derivatives of Clash, like OpenClash or KoolClash
 
-Please understand that we close issues that fail to follow the issue template.
+Please understand that we close issues that fail to follow this issue template.
 -->
 
-我都确认过了，我要继续提交。
-<!-- None of the above, create a bug report -->
 ------------------------------------------------------------------
 
+<!-- 
 请附上任何可以帮助我们解决这个问题的信息，如果我们收到的信息不足，我们将对这个 issue 加上 *Needs more information* 标记并在收到更多资讯之前关闭 issue。
-<!-- Make sure to add **all the information needed to understand the bug** so that someone can help. If the info is missing we'll add the 'Needs more information' label and close the issue until there is enough information. -->
+Make sure to add **all the information needed to understand the bug** so that someone can help. If the info is missing we'll add the 'Needs more information' label and close the issue until there is enough information.
+-->
 
-### clash core config
+### Clash config
 <!--
 在下方附上 Clash core 脱敏后配置文件的内容
 Paste the Clash core configuration below.
 -->
-```
+<details>
+  <summary>config.yaml</summary>
+
+```yaml
 ……
 ```
 
+</details>
+
 ### Clash log
 <!--
-在下方附上 Clash Core 的日志，log level 最好使用 DEBUG
+在下方附上 Clash Core 的日志，log level 使用 DEBUG
 Paste the Clash core log below with the log level set to `DEBUG`.
 -->
 ```
@@ -57,9 +63,7 @@ Paste the Clash core log below with the log level set to `DEBUG`.
 
 ### 环境 Environment
 
-* Clash Core 的操作系统 (the OS that the Clash core is running on)
-……
-* 使用者的操作系统 (the OS running on the client)
+* 操作系统 (the OS that the Clash core is running on)
 ……
 * 网路环境或拓扑 (network conditions/topology)
 ……
@@ -67,7 +71,7 @@ Paste the Clash core log below with the log level set to `DEBUG`.
 ……
 * ISP 有没有进行 DNS 污染 (is your ISP performing DNS pollution?)
 ……
-* 其他
+* 其他 (any other information that would be useful)
 ……
 
 ### 说明 Description
@@ -85,7 +89,7 @@ Paste the Clash core log below with the log level set to `DEBUG`.
 **我预期会发生……？**
 <!-- **Expected behavior:** [What you expected to happen] -->
 
-**实际上发生了什麽？**
+**实际上发生了什么？**
 <!-- **Actual behavior:** [What actually happened] -->
 
 ### 可能的解决方案 Possible Solution

.github/workflows/go.yml

@@ -9,7 +9,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.14.x
+          go-version: 1.15.x
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@v2

.github/workflows/stale.yml

@@ -0,0 +1,19 @@
+  
+name: Mark stale issues and pull requests
+
+on:
+  schedule:
+    - cron: "30 1 * * *"
+
+jobs:
+  stale:
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/stale@v1
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          stale-issue-message: 'This issue is stale because it has been open 120 days with no activity. Remove stale label or comment or this will be closed in 5 days'
+          days-before-stale: 120
+          days-before-close: 5

README.md

@@ -19,372 +19,27 @@
 
 ## Features
 
-- Local HTTP/HTTPS/SOCKS server with/without authentication
-- VMess, Shadowsocks, Trojan (experimental), Snell protocol support for remote connections. UDP is supported.
-- Built-in DNS server that aims to minimize DNS pollution attacks, supports DoH/DoT upstream. Fake IP is also supported.
+- Local HTTP/HTTPS/SOCKS server with authentication support
+- VMess, Shadowsocks, Trojan, Snell protocol support for remote connections
+- Built-in DNS server that aims to minimize DNS pollution attack impact, supports DoH/DoT upstream and fake IP.
 - Rules based off domains, GEOIP, IP CIDR or ports to forward packets to different nodes
 - Remote groups allow users to implement powerful rules. Supports automatic fallback, load balancing or auto select node based off latency
 - Remote providers, allowing users to get node lists remotely instead of hardcoding in config
-- Netfilter TCP redirecting. You can deploy Clash on your Internet gateway with `iptables`.
-- Comprehensive HTTP API controller
+- Netfilter TCP redirecting. Deploy Clash on your Internet gateway with `iptables`.
+- Comprehensive HTTP RESTful API controller
 
-## Install
-
-Clash requires Go >= 1.13. You can build it from source:
-
-```sh
-$ go get -u -v github.com/Dreamacro/clash
-```
-
-Pre-built binaries are available here: [release](https://github.com/Dreamacro/clash/releases)  
-Pre-built Premium binaries are available here: [premium release](https://github.com/Dreamacro/clash/releases/tag/premium). Source is not currently available.
-
-Check Clash version with:
-
-```sh
-$ clash -v
-```
-
-## Daemonize Clash
-
-We recommend using third-party daemon management tools like PM2, Supervisor or the like to keep Clash running as a service. ([Wiki](https://github.com/Dreamacro/clash/wiki/Clash-as-a-daemon))
-
-In the case of [pm2](https://github.com/Unitech/pm2), start the daemon this way:
-
-```sh
-$ pm2 start clash
-```
-
-If you have Docker installed, it's recommended to deploy Clash directly using `docker-compose`: [run Clash in Docker](https://github.com/Dreamacro/clash/wiki/Run-clash-in-docker)
-
-## Config
-
-The default configuration directory is `$HOME/.config/clash`.
-
-The name of the configuration file is `config.yaml`.
-
-If you want to use another directory, use `-d` to control the configuration directory.
-
-For example, you can use the current directory as the configuration directory:
-
-```sh
-$ clash -d .
-```
-
-<details>
-  <summary>This is an example configuration file (click to expand)</summary>
-
-```yml
-# port of HTTP
-port: 7890
-
-# port of SOCKS5
-socks-port: 7891
-
-# (HTTP and SOCKS5 in one port)
-# mixed-port: 7890
-
-# redir port for Linux and macOS
-# redir-port: 7892
-
-allow-lan: false
-
-# Only applicable when setting allow-lan to true
-# "*": bind all IP addresses
-# 192.168.122.11: bind a single IPv4 address
-# "[aaaa::a8aa:ff:fe09:57d8]": bind a single IPv6 address
-# bind-address: "*"
-
-# ipv6: false # when ipv6 is false, each clash dial with ipv6, but it's not affect the response of the dns server, default is false
-
-# rule / global / direct (default is rule)
-mode: rule
-
-# set log level to stdout (default is info)
-# info / warning / error / debug / silent
-log-level: info
-
-# RESTful API for clash
-external-controller: 127.0.0.1:9090
-
-# you can put the static web resource (such as clash-dashboard) to a directory, and clash would serve in `${API}/ui`
-# input is a relative path to the configuration directory or an absolute path
-# external-ui: folder
-
-# Secret for RESTful API (Optional)
-# secret: ""
-
-# interface-name: en0 # outbound interface name
-
-# authentication of local SOCKS5/HTTP(S) server
-# authentication:
-#  - "user1:pass1"
-#  - "user2:pass2"
-
-# # hosts, support wildcard (e.g. *.clash.dev Even *.foo.*.example.com)
-# # static domain has a higher priority than wildcard domain (foo.example.com > *.example.com > .example.com)
-# # +.foo.com equal .foo.com and foo.com
-# hosts:
-#   '*.clash.dev': 127.0.0.1
-#   '.dev': 127.0.0.1
-#   'alpha.clash.dev': '::1'
-#   '+.foo.dev': 127.0.0.1
-
-# dns:
-  # enable: true # set true to enable dns (default is false)
-  # ipv6: false # it only affect the dns server response, default is false
-  # listen: 0.0.0.0:53
-  # # default-nameserver: # resolve dns nameserver host, should fill pure IP
-  # #   - 114.114.114.114
-  # #   - 8.8.8.8
-  # enhanced-mode: redir-host # or fake-ip
-  # # fake-ip-range: 198.18.0.1/16 # if you don't know what it is, don't change it
-  # fake-ip-filter: # fake ip white domain list
-  #   - '*.lan'
-  #   - localhost.ptlogin2.qq.com
-  # nameserver:
-  #   - 114.114.114.114
-  #   - tls://dns.rubyfish.cn:853 # dns over tls
-  #   - https://1.1.1.1/dns-query # dns over https
-  # fallback: # concurrent request with nameserver, fallback used when GEOIP country isn't CN
-  #   - tcp://1.1.1.1
-  # fallback-filter:
-  #   geoip: true # default
-  #   ipcidr: # ips in these subnets will be considered polluted
-  #     - 240.0.0.0/4
-
-proxies:
-  # shadowsocks
-  # The supported ciphers(encrypt methods):
-  #   aes-128-gcm aes-192-gcm aes-256-gcm
-  #   aes-128-cfb aes-192-cfb aes-256-cfb
-  #   aes-128-ctr aes-192-ctr aes-256-ctr
-  #   rc4-md5 chacha20-ietf xchacha20
-  #   chacha20-ietf-poly1305 xchacha20-ietf-poly1305
-  - name: "ss1"
-    type: ss
-    server: server
-    port: 443
-    cipher: chacha20-ietf-poly1305
-    password: "password"
-    # udp: true
-
-  - name: "ss2"
-    type: ss
-    server: server
-    port: 443
-    cipher: chacha20-ietf-poly1305
-    password: "password"
-    plugin: obfs
-    plugin-opts:
-      mode: tls # or http
-      # host: bing.com
-
-  - name: "ss3"
-    type: ss
-    server: server
-    port: 443
-    cipher: chacha20-ietf-poly1305
-    password: "password"
-    plugin: v2ray-plugin
-    plugin-opts:
-      mode: websocket # no QUIC now
-      # tls: true # wss
-      # skip-cert-verify: true
-      # host: bing.com
-      # path: "/"
-      # mux: true
-      # headers:
-      #   custom: value
-
-  # vmess
-  # cipher support auto/aes-128-gcm/chacha20-poly1305/none
-  - name: "vmess"
-    type: vmess
-    server: server
-    port: 443
-    uuid: uuid
-    alterId: 32
-    cipher: auto
-    # udp: true
-    # tls: true
-    # skip-cert-verify: true
-    # servername: example.com # priority over wss host
-    # network: ws
-    # ws-path: /path
-    # ws-headers:
-    #   Host: v2ray.com
-  
-  - name: "vmess-http"
-    type: vmess
-    server: server
-    port: 443
-    uuid: uuid
-    alterId: 32
-    cipher: auto
-    # udp: true
-    # network: http
-    # http-opts:
-    #   # method: "GET"
-    #   # path:
-    #   #   - '/'
-    #   #   - '/video'
-    #   # headers:
-    #   #   Connection:
-    #   #     - keep-alive
-
-  # socks5
-  - name: "socks"
-    type: socks5
-    server: server
-    port: 443
-    # username: username
-    # password: password
-    # tls: true
-    # skip-cert-verify: true
-    # udp: true
-
-  # http
-  - name: "http"
-    type: http
-    server: server
-    port: 443
-    # username: username
-    # password: password
-    # tls: true # https
-    # skip-cert-verify: true
-
-  # snell
-  - name: "snell"
-    type: snell
-    server: server
-    port: 44046
-    psk: yourpsk
-    # obfs-opts:
-      # mode: http # or tls
-      # host: bing.com
-
-  # trojan
-  - name: "trojan"
-    type: trojan
-    server: server
-    port: 443
-    password: yourpsk
-    # udp: true
-    # sni: example.com # aka server name
-    # alpn:
-    #   - h2
-    #   - http/1.1
-    # skip-cert-verify: true
-
-proxy-groups:
-  # relay chains the proxies. proxies shall not contain a relay. No UDP support.
-  # Traffic: clash <-> http <-> vmess <-> ss1 <-> ss2 <-> Internet
-  - name: "relay"
-    type: relay
-    proxies:
-      - http
-      - vmess
-      - ss1
-      - ss2
-
-  # url-test select which proxy will be used by benchmarking speed to a URL.
-  - name: "auto"
-    type: url-test
-    proxies:
-      - ss1
-      - ss2
-      - vmess1
-    # tolerance: 150
-    url: 'http://www.gstatic.com/generate_204'
-    interval: 300
-
-  # fallback select an available policy by priority. The availability is tested by accessing an URL, just like an auto url-test group.
-  - name: "fallback-auto"
-    type: fallback
-    proxies:
-      - ss1
-      - ss2
-      - vmess1
-    url: 'http://www.gstatic.com/generate_204'
-    interval: 300
-
-  # load-balance: The request of the same eTLD will be dial on the same proxy.
-  - name: "load-balance"
-    type: load-balance
-    proxies:
-      - ss1
-      - ss2
-      - vmess1
-    url: 'http://www.gstatic.com/generate_204'
-    interval: 300
-
-  # select is used for selecting proxy or proxy group
-  # you can use RESTful API to switch proxy, is recommended for use in GUI.
-  - name: Proxy
-    type: select
-    proxies:
-      - ss1
-      - ss2
-      - vmess1
-      - auto
-  
-  - name: UseProvider
-    type: select
-    use:
-      - provider1
-    proxies:
-      - Proxy
-      - DIRECT
-
-proxy-providers:
-  provider1:
-    type: http
-    url: "url"
-    interval: 3600
-    path: ./hk.yaml
-    health-check:
-      enable: true
-      interval: 600
-      url: http://www.gstatic.com/generate_204
-  test:
-    type: file
-    path: /test.yaml
-    health-check:
-      enable: true
-      interval: 36000
-      url: http://www.gstatic.com/generate_204
-
-rules:
-  - DOMAIN-SUFFIX,google.com,auto
-  - DOMAIN-KEYWORD,google,auto
-  - DOMAIN,google.com,auto
-  - DOMAIN-SUFFIX,ad.com,REJECT
-  # rename SOURCE-IP-CIDR and would remove after prerelease
-  - SRC-IP-CIDR,192.168.1.201/32,DIRECT
-  # optional param "no-resolve" for IP rules (GEOIP IP-CIDR)
-  - IP-CIDR,127.0.0.0/8,DIRECT
-  - GEOIP,CN,DIRECT
-  - DST-PORT,80,DIRECT
-  - SRC-PORT,7777,DIRECT
-  - MATCH,auto
-```
-</details>
-
-## Advanced
-[Provider](https://github.com/Dreamacro/clash/wiki/Provider)
-
-## Documentations
-https://clash.gitbook.io/
+## Getting Started
+Documentations are now moved to [GitHub Wiki](https://github.com/Dreamacro/clash/wiki).
 
 ## Credits
 
-[riobard/go-shadowsocks2](https://github.com/riobard/go-shadowsocks2)
-
-[v2ray/v2ray-core](https://github.com/v2ray/v2ray-core)
+* [riobard/go-shadowsocks2](https://github.com/riobard/go-shadowsocks2)
+* [v2ray/v2ray-core](https://github.com/v2ray/v2ray-core)
 
 ## License
 
+This software is released under the GPL-3.0 license.
+
 [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2FDreamacro%2Fclash.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2FDreamacro%2Fclash?ref=badge_large)
 
 ## TODO
@@ -393,4 +48,4 @@ https://clash.gitbook.io/
 - [x] Redir proxy
 - [x] UDP support
 - [x] Connection manager
-- ~~[ ] Event API~~
+- [ ] ~~Event API~~

adapters/outbound/base.go

@@ -6,6 +6,7 @@ import (
 	"errors"
 	"net"
 	"net/http"
+	"sync/atomic"
 	"time"
 
 	"github.com/Dreamacro/clash/common/queue"
@@ -98,11 +99,11 @@ func newPacketConn(pc net.PacketConn, a C.ProxyAdapter) C.PacketConn {
 type Proxy struct {
 	C.ProxyAdapter
 	history *queue.Queue
-	alive   bool
+	alive   uint32
 }
 
 func (p *Proxy) Alive() bool {
-	return p.alive
+	return atomic.LoadUint32(&p.alive) > 0
 }
 
 func (p *Proxy) Dial(metadata *C.Metadata) (C.Conn, error) {
@@ -114,7 +115,7 @@ func (p *Proxy) Dial(metadata *C.Metadata) (C.Conn, error) {
 func (p *Proxy) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
 	conn, err := p.ProxyAdapter.DialContext(ctx, metadata)
 	if err != nil {
-		p.alive = false
+		atomic.StoreUint32(&p.alive, 0)
 	}
 	return conn, err
 }
@@ -131,7 +132,7 @@ func (p *Proxy) DelayHistory() []C.DelayHistory {
 // LastDelay return last history record. if proxy is not alive, return the max value of uint16.
 func (p *Proxy) LastDelay() (delay uint16) {
 	var max uint16 = 0xffff
-	if !p.alive {
+	if atomic.LoadUint32(&p.alive) == 0 {
 		return max
 	}
 
@@ -162,7 +163,11 @@ func (p *Proxy) MarshalJSON() ([]byte, error) {
 // URLTest get the delay for the specified URL
 func (p *Proxy) URLTest(ctx context.Context, url string) (t uint16, err error) {
 	defer func() {
-		p.alive = err == nil
+		if err == nil {
+			atomic.StoreUint32(&p.alive, 1)
+		} else {
+			atomic.StoreUint32(&p.alive, 0)
+		}
 		record := C.DelayHistory{Time: time.Now()}
 		if err == nil {
 			record.Delay = t
@@ -218,5 +223,5 @@ func (p *Proxy) URLTest(ctx context.Context, url string) (t uint16, err error) {
 }
 
 func NewProxy(adapter C.ProxyAdapter) *Proxy {
-	return &Proxy{adapter, queue.New(10), true}
+	return &Proxy{adapter, queue.New(10), 1}
 }

adapters/outbound/parser.go

@@ -24,6 +24,13 @@ func ParseProxy(mapping map[string]interface{}) (C.Proxy, error) {
 			break
 		}
 		proxy, err = NewShadowSocks(*ssOption)
+	case "ssr":
+		ssrOption := &ShadowSocksROption{}
+		err = decoder.Decode(mapping, ssrOption)
+		if err != nil {
+			break
+		}
+		proxy, err = NewShadowSocksR(*ssrOption)
 	case "socks5":
 		socksOption := &Socks5Option{}
 		err = decoder.Decode(mapping, socksOption)

adapters/outbound/shadowsocksr.go

@@ -0,0 +1,134 @@
+package outbound
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net"
+	"strconv"
+
+	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/ssr/obfs"
+	"github.com/Dreamacro/clash/component/ssr/protocol"
+	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/go-shadowsocks2/core"
+	"github.com/Dreamacro/go-shadowsocks2/shadowstream"
+)
+
+type ShadowSocksR struct {
+	*Base
+	cipher   *core.StreamCipher
+	obfs     obfs.Obfs
+	protocol protocol.Protocol
+}
+
+type ShadowSocksROption struct {
+	Name          string `proxy:"name"`
+	Server        string `proxy:"server"`
+	Port          int    `proxy:"port"`
+	Password      string `proxy:"password"`
+	Cipher        string `proxy:"cipher"`
+	Obfs          string `proxy:"obfs"`
+	ObfsParam     string `proxy:"obfs-param,omitempty"`
+	Protocol      string `proxy:"protocol"`
+	ProtocolParam string `proxy:"protocol-param,omitempty"`
+	UDP           bool   `proxy:"udp,omitempty"`
+}
+
+func (ssr *ShadowSocksR) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+	c = obfs.NewConn(c, ssr.obfs)
+	c = ssr.cipher.StreamConn(c)
+	conn, ok := c.(*shadowstream.Conn)
+	if !ok {
+		return nil, fmt.Errorf("invalid connection type")
+	}
+	iv, err := conn.ObtainWriteIV()
+	if err != nil {
+		return nil, err
+	}
+	c = protocol.NewConn(c, ssr.protocol, iv)
+	_, err = c.Write(serializesSocksAddr(metadata))
+	return c, err
+}
+
+func (ssr *ShadowSocksR) DialContext(ctx context.Context, metadata *C.Metadata) (C.Conn, error) {
+	c, err := dialer.DialContext(ctx, "tcp", ssr.addr)
+	if err != nil {
+		return nil, fmt.Errorf("%s connect error: %w", ssr.addr, err)
+	}
+	tcpKeepAlive(c)
+
+	c, err = ssr.StreamConn(c, metadata)
+	return NewConn(c, ssr), err
+}
+
+func (ssr *ShadowSocksR) DialUDP(metadata *C.Metadata) (C.PacketConn, error) {
+	pc, err := dialer.ListenPacket("udp", "")
+	if err != nil {
+		return nil, err
+	}
+
+	addr, err := resolveUDPAddr("udp", ssr.addr)
+	if err != nil {
+		return nil, err
+	}
+
+	pc = ssr.cipher.PacketConn(pc)
+	pc = protocol.NewPacketConn(pc, ssr.protocol)
+	return newPacketConn(&ssPacketConn{PacketConn: pc, rAddr: addr}, ssr), nil
+}
+
+func (ssr *ShadowSocksR) MarshalJSON() ([]byte, error) {
+	return json.Marshal(map[string]string{
+		"type": ssr.Type().String(),
+	})
+}
+
+func NewShadowSocksR(option ShadowSocksROption) (*ShadowSocksR, error) {
+	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
+	cipher := option.Cipher
+	password := option.Password
+	coreCiph, err := core.PickCipher(cipher, nil, password)
+	if err != nil {
+		return nil, fmt.Errorf("ssr %s initialize cipher error: %w", addr, err)
+	}
+	ciph, ok := coreCiph.(*core.StreamCipher)
+	if !ok {
+		return nil, fmt.Errorf("%s is not a supported stream cipher in ssr", cipher)
+	}
+
+	obfs, err := obfs.PickObfs(option.Obfs, &obfs.Base{
+		IVSize:  ciph.IVSize(),
+		Key:     ciph.Key,
+		HeadLen: 30,
+		Host:    option.Server,
+		Port:    option.Port,
+		Param:   option.ObfsParam,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("ssr %s initialize obfs error: %w", addr, err)
+	}
+
+	protocol, err := protocol.PickProtocol(option.Protocol, &protocol.Base{
+		IV:     nil,
+		Key:    ciph.Key,
+		TCPMss: 1460,
+		Param:  option.ProtocolParam,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("ssr %s initialize protocol error: %w", addr, err)
+	}
+	protocol.SetOverhead(obfs.GetObfsOverhead() + protocol.GetProtocolOverhead())
+
+	return &ShadowSocksR{
+		Base: &Base{
+			name: option.Name,
+			addr: addr,
+			tp:   C.ShadowsocksR,
+			udp:  option.UDP,
+		},
+		cipher:   ciph,
+		obfs:     obfs,
+		protocol: protocol,
+	}, nil
+}

adapters/outboundgroup/urltest.go

@@ -22,7 +22,6 @@ func urlTestWithTolerance(tolerance uint16) urlTestOption {
 type URLTest struct {
 	*outbound.Base
 	tolerance  uint16
-	lastDelay  uint16
 	fastNode   C.Proxy
 	single     *singledo.Single
 	fastSingle *singledo.Single
@@ -63,13 +62,6 @@ func (u *URLTest) proxies() []C.Proxy {
 
 func (u *URLTest) fast() C.Proxy {
 	elm, _, _ := u.fastSingle.Do(func() (interface{}, error) {
-		// tolerance
-		if u.tolerance != 0 && u.fastNode != nil {
-			if u.fastNode.LastDelay() < u.lastDelay+u.tolerance {
-				return u.fastNode, nil
-			}
-		}
-
 		proxies := u.proxies()
 		fast := proxies[0]
 		min := fast.LastDelay()
@@ -85,9 +77,12 @@ func (u *URLTest) fast() C.Proxy {
 			}
 		}
 
+		// tolerance
+		if u.fastNode == nil || u.fastNode.LastDelay() > fast.LastDelay() + u.tolerance {
 			u.fastNode = fast
-		u.lastDelay = fast.LastDelay()
-		return fast, nil
+		}
+
+		return u.fastNode, nil
 	})
 
 	return elm.(C.Proxy)

adapters/provider/fetcher.go

@@ -23,6 +23,7 @@ type fetcher struct {
 	vehicle   Vehicle
 	updatedAt *time.Time
 	ticker    *time.Ticker
+	done      chan struct{}
 	hash      [16]byte
 	parser    parser
 	onUpdate  func(interface{})
@@ -73,9 +74,11 @@ func (f *fetcher) Initial() (interface{}, error) {
 		}
 	}
 
+	if f.vehicle.Type() != File {
 		if err := safeWrite(f.vehicle.Path(), buf); err != nil {
 			return nil, err
 		}
+	}
 
 	f.hash = md5.Sum(buf)
 
@@ -117,13 +120,15 @@ func (f *fetcher) Update() (interface{}, bool, error) {
 
 func (f *fetcher) Destroy() error {
 	if f.ticker != nil {
-		f.ticker.Stop()
+		f.done <- struct{}{}
 	}
 	return nil
 }
 
 func (f *fetcher) pullLoop() {
-	for range f.ticker.C {
+	for {
+		select {
+		case <-f.ticker.C:
 			elm, same, err := f.Update()
 			if err != nil {
 				log.Warnln("[Provider] %s pull error: %s", f.Name(), err.Error())
@@ -139,6 +144,10 @@ func (f *fetcher) pullLoop() {
 			if f.onUpdate != nil {
 				f.onUpdate(elm)
 			}
+		case <-f.done:
+			f.ticker.Stop()
+			return
+		}
 	}
 }
 
@@ -165,6 +174,7 @@ func newFetcher(name string, interval time.Duration, vehicle Vehicle, parser par
 		ticker:   ticker,
 		vehicle:  vehicle,
 		parser:   parser,
+		done:     make(chan struct{}, 1),
 		onUpdate: onUpdate,
 	}
 }

common/observable/observable_test.go

@@ -1,8 +1,8 @@
 package observable
 
 import (
-	"runtime"
 	"sync"
+	"sync/atomic"
 	"testing"
 	"time"
 
@@ -38,20 +38,20 @@ func TestObservable_MutilSubscribe(t *testing.T) {
 	src := NewObservable(iter)
 	ch1, _ := src.Subscribe()
 	ch2, _ := src.Subscribe()
-	count := 0
+	var count int32
 
 	var wg sync.WaitGroup
 	wg.Add(2)
 	waitCh := func(ch <-chan interface{}) {
 		for range ch {
-			count++
+			atomic.AddInt32(&count, 1)
 		}
 		wg.Done()
 	}
 	go waitCh(ch1)
 	go waitCh(ch2)
 	wg.Wait()
-	assert.Equal(t, count, 10)
+	assert.Equal(t, int32(10), count)
 }
 
 func TestObservable_UnSubscribe(t *testing.T) {
@@ -82,9 +82,6 @@ func TestObservable_UnSubscribeWithNotExistSubscription(t *testing.T) {
 }
 
 func TestObservable_SubscribeGoroutineLeak(t *testing.T) {
-	// waiting for other goroutine recycle
-	time.Sleep(120 * time.Millisecond)
-	init := runtime.NumGoroutine()
 	iter := iterator([]interface{}{1, 2, 3, 4, 5})
 	src := NewObservable(iter)
 	max := 100
@@ -107,6 +104,12 @@ func TestObservable_SubscribeGoroutineLeak(t *testing.T) {
 		go waitCh(ch)
 	}
 	wg.Wait()
-	now := runtime.NumGoroutine()
-	assert.Equal(t, init, now)
+
+	for _, sub := range list {
+		_, more := <-sub
+		assert.False(t, more)
+	}
+
+	_, more := <-list[0]
+	assert.False(t, more)
 }

common/singledo/singledo.go

@@ -44,9 +44,12 @@ func (s *Single) Do(fn func() (interface{}, error)) (v interface{}, err error, s
 	s.mux.Unlock()
 	call.val, call.err = fn()
 	call.wg.Done()
+
+	s.mux.Lock()
 	s.call = nil
 	s.result = &Result{call.val, call.err}
 	s.last = now
+	s.mux.Unlock()
 	return call.val, call.err, false
 }
 

common/singledo/singledo_test.go

@@ -2,6 +2,7 @@ package singledo
 
 import (
 	"sync"
+	"sync/atomic"
 	"testing"
 	"time"
 
@@ -11,7 +12,7 @@ import (
 func TestBasic(t *testing.T) {
 	single := NewSingle(time.Millisecond * 30)
 	foo := 0
-	shardCount := 0
+	var shardCount int32 = 0
 	call := func() (interface{}, error) {
 		foo++
 		time.Sleep(time.Millisecond * 5)
@@ -25,7 +26,7 @@ func TestBasic(t *testing.T) {
 		go func() {
 			_, _, shard := single.Do(call)
 			if shard {
-				shardCount++
+				atomic.AddInt32(&shardCount, 1)
 			}
 			wg.Done()
 		}()
@@ -33,7 +34,7 @@ func TestBasic(t *testing.T) {
 
 	wg.Wait()
 	assert.Equal(t, 1, foo)
-	assert.Equal(t, 4, shardCount)
+	assert.Equal(t, int32(4), shardCount)
 }
 
 func TestTimer(t *testing.T) {

component/dialer/dialer.go

@@ -66,7 +66,7 @@ func DialContext(ctx context.Context, network, address string) (net.Conn, error)
 		}
 		return dialer.DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
 	case "tcp", "udp":
-		return dualStackDailContext(ctx, network, address)
+		return dualStackDialContext(ctx, network, address)
 	default:
 		return nil, errors.New("network invalid")
 	}
@@ -88,7 +88,7 @@ func ListenPacket(network, address string) (net.PacketConn, error) {
 	return lc.ListenPacket(context.Background(), network, address)
 }
 
-func dualStackDailContext(ctx context.Context, network, address string) (net.Conn, error) {
+func dualStackDialContext(ctx context.Context, network, address string) (net.Conn, error) {
 	host, port, err := net.SplitHostPort(address)
 	if err != nil {
 		return nil, err

component/simple-obfs/http.go

@@ -28,6 +28,7 @@ func (ho *HTTPObfs) Read(b []byte) (int, error) {
 		n := copy(b, ho.buf[ho.offset:])
 		ho.offset += n
 		if ho.offset == len(ho.buf) {
+			pool.Put(ho.buf)
 			ho.buf = nil
 		}
 		return n, nil
@@ -67,7 +68,10 @@ func (ho *HTTPObfs) Write(b []byte) (int, error) {
 		req.Header.Set("User-Agent", fmt.Sprintf("curl/7.%d.%d", rand.Int()%54, rand.Int()%2))
 		req.Header.Set("Upgrade", "websocket")
 		req.Header.Set("Connection", "Upgrade")
+		req.Host = ho.host
+		if ho.port != "80" {
 			req.Host = fmt.Sprintf("%s:%s", ho.host, ho.port)
+		}
 		req.Header.Set("Sec-WebSocket-Key", base64.URLEncoding.EncodeToString(randBytes))
 		req.ContentLength = int64(len(b))
 		err := req.Write(ho.Conn)

component/snell/snell.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"encoding/binary"
 	"errors"
+	"fmt"
 	"io"
 	"net"
 	"sync"
@@ -49,10 +50,16 @@ func (s *Snell) Read(b []byte) (int, error) {
 	}
 
 	// CommandError
+	// 1 byte error code
 	if _, err := io.ReadFull(s.Conn, s.buffer[:]); err != nil {
 		return 0, err
 	}
+	errcode := int(s.buffer[0])
 
+	// 1 byte error message length
+	if _, err := io.ReadFull(s.Conn, s.buffer[:]); err != nil {
+		return 0, err
+	}
 	length := int(s.buffer[0])
 	msg := make([]byte, length)
 
@@ -60,7 +67,7 @@ func (s *Snell) Read(b []byte) (int, error) {
 		return 0, err
 	}
 
-	return 0, errors.New(string(msg))
+	return 0, fmt.Errorf("server reported code: %d, message: %s", errcode, string(msg))
 }
 
 func WriteHeader(conn net.Conn, host string, port uint) error {

component/ssr/obfs/base.go

@@ -0,0 +1,11 @@
+package obfs
+
+// Base information for obfs
+type Base struct {
+	IVSize  int
+	Key     []byte
+	HeadLen int
+	Host    string
+	Port    int
+	Param   string
+}

component/ssr/obfs/http_post.go

@@ -0,0 +1,9 @@
+package obfs
+
+func init() {
+	register("http_post", newHTTPPost)
+}
+
+func newHTTPPost(b *Base) Obfs {
+	return &httpObfs{Base: b, post: true}
+}

component/ssr/obfs/http_simple.go

@@ -0,0 +1,402 @@
+package obfs
+
+import (
+	"bytes"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"math/rand"
+	"strings"
+)
+
+type httpObfs struct {
+	*Base
+	firstRequest  bool
+	firstResponse bool
+	post          bool
+}
+
+func init() {
+	register("http_simple", newHTTPSimple)
+}
+
+func newHTTPSimple(b *Base) Obfs {
+	return &httpObfs{Base: b}
+}
+
+func (h *httpObfs) initForConn() Obfs {
+	return &httpObfs{
+		Base:          h.Base,
+		firstRequest:  true,
+		firstResponse: true,
+		post:          h.post,
+	}
+}
+
+func (h *httpObfs) GetObfsOverhead() int {
+	return 0
+}
+
+func (h *httpObfs) Decode(b []byte) ([]byte, bool, error) {
+	if h.firstResponse {
+		idx := bytes.Index(b, []byte("\r\n\r\n"))
+		if idx == -1 {
+			return nil, false, io.EOF
+		}
+		h.firstResponse = false
+		return b[idx+4:], false, nil
+	}
+	return b, false, nil
+}
+
+func (h *httpObfs) Encode(b []byte) ([]byte, error) {
+	if h.firstRequest {
+		bSize := len(b)
+		var headData []byte
+
+		if headSize := h.IVSize + h.HeadLen; bSize-headSize > 64 {
+			headData = make([]byte, headSize+rand.Intn(64))
+		} else {
+			headData = make([]byte, bSize)
+		}
+		copy(headData, b[:len(headData)])
+		host := h.Host
+		var customHead string
+
+		if len(h.Param) > 0 {
+			customHeads := strings.Split(h.Param, "#")
+			if len(customHeads) > 2 {
+				customHeads = customHeads[:2]
+			}
+			customHosts := h.Param
+			if len(customHeads) > 1 {
+				customHosts = customHeads[0]
+				customHead = customHeads[1]
+			}
+			hosts := strings.Split(customHosts, ",")
+			if len(hosts) > 0 {
+				host = strings.TrimSpace(hosts[rand.Intn(len(hosts))])
+			}
+		}
+
+		method := "GET /"
+		if h.post {
+			method = "POST /"
+		}
+		requestPathIndex := rand.Intn(len(requestPath)/2) * 2
+		httpBuf := fmt.Sprintf("%s%s%s%s HTTP/1.1\r\nHost: %s:%d\r\n",
+			method,
+			requestPath[requestPathIndex],
+			data2URLEncode(headData),
+			requestPath[requestPathIndex+1],
+			host, h.Port)
+		if len(customHead) > 0 {
+			httpBuf = httpBuf + strings.Replace(customHead, "\\n", "\r\n", -1) + "\r\n\r\n"
+		} else {
+			var contentType string
+			if h.post {
+				contentType = "Content-Type: multipart/form-data; boundary=" + boundary() + "\r\n"
+			}
+			httpBuf = httpBuf + "User-agent: " + requestUserAgent[rand.Intn(len(requestUserAgent))] + "\r\n" +
+				"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" +
+				"Accept-Language: en-US,en;q=0.8\r\n" +
+				"Accept-Encoding: gzip, deflate\r\n" +
+				contentType +
+				"DNT: 1\r\n" +
+				"Connection: keep-alive\r\n" +
+				"\r\n"
+		}
+
+		var encoded []byte
+		if len(headData) < bSize {
+			encoded = make([]byte, len(httpBuf)+(bSize-len(headData)))
+			copy(encoded, []byte(httpBuf))
+			copy(encoded[len(httpBuf):], b[len(headData):])
+		} else {
+			encoded = []byte(httpBuf)
+		}
+		h.firstRequest = false
+		return encoded, nil
+	}
+
+	return b, nil
+}
+
+func data2URLEncode(data []byte) (ret string) {
+	for i := 0; i < len(data); i++ {
+		ret = fmt.Sprintf("%s%%%s", ret, hex.EncodeToString([]byte{data[i]}))
+	}
+	return
+}
+
+func boundary() (ret string) {
+	set := "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
+	for i := 0; i < 32; i++ {
+		ret = fmt.Sprintf("%s%c", ret, set[rand.Intn(len(set))])
+	}
+	return
+}
+
+var (
+	requestPath = []string{
+		"", "",
+		"login.php?redir=", "",
+		"register.php?code=", "",
+		"?keyword=", "",
+		"search?src=typd&q=", "&lang=en",
+		"s?ie=utf-8&f=8&rsv_bp=1&rsv_idx=1&ch=&bar=&wd=", "&rn=",
+		"post.php?id=", "&goto=view.php",
+	}
+	requestUserAgent = []string{
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.0; Moto C Build/NRD90M.059) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0.1; SM-G532M Build/MMB29T; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/55.0.2883.91 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 5.1.1; SM-J120M Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.0; Moto G (5) Build/NPPS25.137-93-14) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.0; SM-G570M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0; CAM-L03 Build/HUAWEICAM-L03) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.76 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36",
+		"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36",
+		"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7",
+		"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+		"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3",
+		"Mozilla/5.0 (Linux; Android 8.0.0; FIG-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36",
+		"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36",
+		"Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/533.2 (KHTML, like Gecko) Chrome/5.0.342.1 Safari/533.2",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36",
+		"Mozilla/5.0 (X11; Datanyze; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 5.1.1; SM-J111M Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36",
+		"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0.1; SM-J700M Build/MMB29K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.63 Safari/537.36",
+		"Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Slackware/Chrome/12.0.742.100 Safari/534.30",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+		"Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.100 Safari/534.30",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 8.0.0; WAS-LX3 Build/HUAWEIWAS-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.101 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.1805 Safari/537.36 MVisionPlayer/1.0.0.0",
+		"Mozilla/5.0 (Linux; Android 7.0; TRT-LX3 Build/HUAWEITRT-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0; vivo 1610 Build/MMB29M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.124 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 4.4.2; de-de; SAMSUNG GT-I9195 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36",
+		"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 8.0.0; ANE-LX3 Build/HUAWEIANE-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
+		"Mozilla/5.0 (X11; U; Linux i586; en-US) AppleWebKit/533.2 (KHTML, like Gecko) Chrome/5.0.342.1 Safari/533.2",
+		"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.0; SM-G610M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.80 Mobile Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0.1; SM-J500M Build/MMB29M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.44 Safari/534.7",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.104 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0; vivo 1606 Build/MMB29M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.124 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+		"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.0; SM-G610M Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.1; vivo 1716 Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.98 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.93 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.0; SM-G570M Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0; MYA-L22 Build/HUAWEIMYA-L22) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 5.1; A1601 Build/LMY47I) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.0; TRT-LX2 Build/HUAWEITRT-LX2; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/59.0.3071.125 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 5.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+		"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.17 (KHTML, like Gecko) Chrome/10.0.649.0 Safari/534.17",
+		"Mozilla/5.0 (Linux; Android 6.0; CAM-L21 Build/HUAWEICAM-L21; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/62.0.3202.84 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36",
+		"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.3 Safari/534.24",
+		"Mozilla/5.0 (Linux; Android 7.1.2; Redmi 4X Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 4.4.2; SM-G7102 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 5.1; HUAWEI CUN-L22 Build/HUAWEICUN-L22; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/62.0.3202.84 Mobile Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 5.1.1; A37fw Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.0; SM-J730GM Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.0; SM-G610F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.1.2; Redmi Note 5A Build/N2G47H; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/63.0.3239.111 Mobile Safari/537.36",
+		"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.0; Redmi Note 4 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.111 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36",
+		"Mozilla/5.0 (Unknown; Linux) AppleWebKit/538.1 (KHTML, like Gecko) Chrome/v1.0.0 Safari/538.1",
+		"Mozilla/5.0 (Linux; Android 7.0; BLL-L22 Build/HUAWEIBLL-L22) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.0; SM-J710F Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Mobile Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0.1; SM-G532M Build/MMB29T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.1.1; CPH1723 Build/N6F26Q) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.98 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 8.0.0; FIG-LX3 Build/HUAWEIFIG-LX3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows; U; Windows NT 6.1; de-DE) AppleWebKit/534.17 (KHTML, like Gecko) Chrome/10.0.649.0 Safari/534.17",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.63 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 7.1; Mi A1 Build/N2G47H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.83 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",
+		"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36 MVisionPlayer/1.0.0.0",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 5.1; A37f Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.76 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 5.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0.1; CPH1607 Build/MMB29M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/63.0.3239.111 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36",
+		"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0.1; vivo 1603 Build/MMB29M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.83 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0.1; SM-G532M Build/MMB29T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0.1; Redmi 4A Build/MMB29M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.116 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36",
+		"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.71 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 5.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.64 Safari/537.31",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0.1; SM-G532G Build/MMB29T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.83 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36",
+		"Mozilla/5.0 (Linux; Android 6.0; vivo 1713 Build/MRA58K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.124 Mobile Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36",
+		"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36",
+	}
+)

component/ssr/obfs/obfs.go

@@ -0,0 +1,37 @@
+package obfs
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+)
+
+var (
+	errTLS12TicketAuthIncorrectMagicNumber = errors.New("tls1.2_ticket_auth incorrect magic number")
+	errTLS12TicketAuthTooShortData         = errors.New("tls1.2_ticket_auth too short data")
+	errTLS12TicketAuthHMACError            = errors.New("tls1.2_ticket_auth hmac verifying failed")
+)
+
+// Obfs provides methods for decoding and encoding
+type Obfs interface {
+	initForConn() Obfs
+	GetObfsOverhead() int
+	Decode(b []byte) ([]byte, bool, error)
+	Encode(b []byte) ([]byte, error)
+}
+
+type obfsCreator func(b *Base) Obfs
+
+var obfsList = make(map[string]obfsCreator)
+
+func register(name string, c obfsCreator) {
+	obfsList[name] = c
+}
+
+// PickObfs returns an obfs of the given name
+func PickObfs(name string, b *Base) (Obfs, error) {
+	if obfsCreator, ok := obfsList[strings.ToLower(name)]; ok {
+		return obfsCreator(b), nil
+	}
+	return nil, fmt.Errorf("Obfs %s not supported", name)
+}

component/ssr/obfs/plain.go

@@ -0,0 +1,25 @@
+package obfs
+
+type plain struct{}
+
+func init() {
+	register("plain", newPlain)
+}
+
+func newPlain(b *Base) Obfs {
+	return &plain{}
+}
+
+func (p *plain) initForConn() Obfs { return &plain{} }
+
+func (p *plain) GetObfsOverhead() int {
+	return 0
+}
+
+func (p *plain) Encode(b []byte) ([]byte, error) {
+	return b, nil
+}
+
+func (p *plain) Decode(b []byte) ([]byte, bool, error) {
+	return b, false, nil
+}

component/ssr/obfs/random_head.go

@@ -0,0 +1,75 @@
+package obfs
+
+import (
+	"encoding/binary"
+	"hash/crc32"
+	"math/rand"
+)
+
+type randomHead struct {
+	*Base
+	firstRequest  bool
+	firstResponse bool
+	headerSent    bool
+	buffer        []byte
+}
+
+func init() {
+	register("random_head", newRandomHead)
+}
+
+func newRandomHead(b *Base) Obfs {
+	return &randomHead{Base: b}
+}
+
+func (r *randomHead) initForConn() Obfs {
+	return &randomHead{
+		Base:          r.Base,
+		firstRequest:  true,
+		firstResponse: true,
+	}
+}
+
+func (r *randomHead) GetObfsOverhead() int {
+	return 0
+}
+
+func (r *randomHead) Encode(b []byte) (encoded []byte, err error) {
+	if !r.firstRequest {
+		return b, nil
+	}
+
+	bSize := len(b)
+	if r.headerSent {
+		if bSize > 0 {
+			d := make([]byte, len(r.buffer)+bSize)
+			copy(d, r.buffer)
+			copy(d[len(r.buffer):], b)
+			r.buffer = d
+		} else {
+			encoded = r.buffer
+			r.buffer = nil
+			r.firstRequest = false
+		}
+	} else {
+		size := rand.Intn(96) + 8
+		encoded = make([]byte, size)
+		rand.Read(encoded)
+		crc := (0xFFFFFFFF - crc32.ChecksumIEEE(encoded[:size-4])) & 0xFFFFFFFF
+		binary.LittleEndian.PutUint32(encoded[size-4:], crc)
+
+		d := make([]byte, bSize)
+		copy(d, b)
+		r.buffer = d
+	}
+	r.headerSent = true
+	return encoded, nil
+}
+
+func (r *randomHead) Decode(b []byte) ([]byte, bool, error) {
+	if r.firstResponse {
+		r.firstResponse = false
+		return b, true, nil
+	}
+	return b, false, nil
+}

component/ssr/obfs/stream.go

@@ -0,0 +1,72 @@
+package obfs
+
+import (
+	"net"
+
+	"github.com/Dreamacro/clash/common/pool"
+)
+
+// NewConn wraps a stream-oriented net.Conn with obfs decoding/encoding
+func NewConn(c net.Conn, o Obfs) net.Conn {
+	return &Conn{Conn: c, Obfs: o.initForConn()}
+}
+
+// Conn represents an obfs connection
+type Conn struct {
+	net.Conn
+	Obfs
+	buf    []byte
+	offset int
+}
+
+func (c *Conn) Read(b []byte) (int, error) {
+	if c.buf != nil {
+		n := copy(b, c.buf[c.offset:])
+		c.offset += n
+		if c.offset == len(c.buf) {
+			pool.Put(c.buf)
+			c.buf = nil
+		}
+		return n, nil
+	}
+
+	buf := pool.Get(pool.RelayBufferSize)
+	defer pool.Put(buf)
+	n, err := c.Conn.Read(buf)
+	if err != nil {
+		return 0, err
+	}
+	decoded, sendback, err := c.Decode(buf[:n])
+	// decoded may be part of buf
+	decodedData := pool.Get(len(decoded))
+	copy(decodedData, decoded)
+	if err != nil {
+		pool.Put(decodedData)
+		return 0, err
+	}
+	if sendback {
+		c.Write(nil)
+		pool.Put(decodedData)
+		return 0, nil
+	}
+	n = copy(b, decodedData)
+	if len(decodedData) > len(b) {
+		c.buf = decodedData
+		c.offset = n
+	} else {
+		pool.Put(decodedData)
+	}
+	return n, err
+}
+
+func (c *Conn) Write(b []byte) (int, error) {
+	encoded, err := c.Encode(b)
+	if err != nil {
+		return 0, err
+	}
+	_, err = c.Conn.Write(encoded)
+	if err != nil {
+		return 0, err
+	}
+	return len(b), nil
+}

component/ssr/obfs/tls12_ticket_auth.go

@@ -0,0 +1,291 @@
+package obfs
+
+import (
+	"bytes"
+	"crypto/hmac"
+	"encoding/binary"
+	"fmt"
+	"io"
+	"log"
+	"math/rand"
+	"strings"
+	"time"
+
+	"github.com/Dreamacro/clash/common/pool"
+	"github.com/Dreamacro/clash/component/ssr/tools"
+)
+
+type tlsAuthData struct {
+	localClientID [32]byte
+}
+
+type tls12Ticket struct {
+	*Base
+	*tlsAuthData
+	handshakeStatus int
+	sendSaver       bytes.Buffer
+	recvBuffer      bytes.Buffer
+	buffer          bytes.Buffer
+}
+
+func init() {
+	register("tls1.2_ticket_auth", newTLS12Ticket)
+	register("tls1.2_ticket_fastauth", newTLS12Ticket)
+}
+
+func newTLS12Ticket(b *Base) Obfs {
+	return &tls12Ticket{
+		Base: b,
+	}
+}
+
+func (t *tls12Ticket) initForConn() Obfs {
+	r := &tls12Ticket{
+		Base:        t.Base,
+		tlsAuthData: &tlsAuthData{},
+	}
+	rand.Read(r.localClientID[:])
+	return r
+}
+
+func (t *tls12Ticket) GetObfsOverhead() int {
+	return 5
+}
+
+func (t *tls12Ticket) Decode(b []byte) ([]byte, bool, error) {
+	if t.handshakeStatus == -1 {
+		return b, false, nil
+	}
+	t.buffer.Reset()
+	if t.handshakeStatus == 8 {
+		t.recvBuffer.Write(b)
+		for t.recvBuffer.Len() > 5 {
+			var h [5]byte
+			t.recvBuffer.Read(h[:])
+			if !bytes.Equal(h[:3], []byte{0x17, 0x3, 0x3}) {
+				log.Println("incorrect magic number", h[:3], ", 0x170303 is expected")
+				return nil, false, errTLS12TicketAuthIncorrectMagicNumber
+			}
+			size := int(binary.BigEndian.Uint16(h[3:5]))
+			if t.recvBuffer.Len() < size {
+				// 不够读，下回再读吧
+				unread := t.recvBuffer.Bytes()
+				t.recvBuffer.Reset()
+				t.recvBuffer.Write(h[:])
+				t.recvBuffer.Write(unread)
+				break
+			}
+			d := pool.Get(size)
+			t.recvBuffer.Read(d)
+			t.buffer.Write(d)
+			pool.Put(d)
+		}
+		return t.buffer.Bytes(), false, nil
+	}
+
+	if len(b) < 11+32+1+32 {
+		return nil, false, errTLS12TicketAuthTooShortData
+	}
+
+	hash := t.hmacSHA1(b[11 : 11+22])
+
+	if !hmac.Equal(b[33:33+tools.HmacSHA1Len], hash) {
+		return nil, false, errTLS12TicketAuthHMACError
+	}
+	return nil, true, nil
+}
+
+func (t *tls12Ticket) Encode(b []byte) ([]byte, error) {
+	t.buffer.Reset()
+	switch t.handshakeStatus {
+	case 8:
+		if len(b) < 1024 {
+			d := []byte{0x17, 0x3, 0x3, 0, 0}
+			binary.BigEndian.PutUint16(d[3:5], uint16(len(b)&0xFFFF))
+			t.buffer.Write(d)
+			t.buffer.Write(b)
+			return t.buffer.Bytes(), nil
+		}
+		start := 0
+		var l int
+		for len(b)-start > 2048 {
+			l = rand.Intn(4096) + 100
+			if l > len(b)-start {
+				l = len(b) - start
+			}
+			packData(&t.buffer, b[start:start+l])
+			start += l
+		}
+		if len(b)-start > 0 {
+			l = len(b) - start
+			packData(&t.buffer, b[start:start+l])
+		}
+		return t.buffer.Bytes(), nil
+	case 1:
+		if len(b) > 0 {
+			if len(b) < 1024 {
+				packData(&t.sendSaver, b)
+			} else {
+				start := 0
+				var l int
+				for len(b)-start > 2048 {
+					l = rand.Intn(4096) + 100
+					if l > len(b)-start {
+						l = len(b) - start
+					}
+					packData(&t.buffer, b[start:start+l])
+					start += l
+				}
+				if len(b)-start > 0 {
+					l = len(b) - start
+					packData(&t.buffer, b[start:start+l])
+				}
+				io.Copy(&t.sendSaver, &t.buffer)
+			}
+			return []byte{}, nil
+		}
+		hmacData := make([]byte, 43)
+		handshakeFinish := []byte("\x14\x03\x03\x00\x01\x01\x16\x03\x03\x00\x20")
+		copy(hmacData, handshakeFinish)
+		rand.Read(hmacData[11:33])
+		h := t.hmacSHA1(hmacData[:33])
+		copy(hmacData[33:], h)
+		t.buffer.Write(hmacData)
+		io.Copy(&t.buffer, &t.sendSaver)
+		t.handshakeStatus = 8
+		return t.buffer.Bytes(), nil
+	case 0:
+		tlsData0 := []byte("\x00\x1c\xc0\x2b\xc0\x2f\xcc\xa9\xcc\xa8\xcc\x14\xcc\x13\xc0\x0a\xc0\x14\xc0\x09\xc0\x13\x00\x9c\x00\x35\x00\x2f\x00\x0a\x01\x00")
+		tlsData1 := []byte("\xff\x01\x00\x01\x00")
+		tlsData2 := []byte("\x00\x17\x00\x00\x00\x23\x00\xd0")
+		// tlsData3 := []byte("\x00\x0d\x00\x16\x00\x14\x06\x01\x06\x03\x05\x01\x05\x03\x04\x01\x04\x03\x03\x01\x03\x03\x02\x01\x02\x03\x00\x05\x00\x05\x01\x00\x00\x00\x00\x00\x12\x00\x00\x75\x50\x00\x00\x00\x0b\x00\x02\x01\x00\x00\x0a\x00\x06\x00\x04\x00\x17\x00\x18\x00\x15\x00\x66\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
+		tlsData3 := []byte("\x00\x0d\x00\x16\x00\x14\x06\x01\x06\x03\x05\x01\x05\x03\x04\x01\x04\x03\x03\x01\x03\x03\x02\x01\x02\x03\x00\x05\x00\x05\x01\x00\x00\x00\x00\x00\x12\x00\x00\x75\x50\x00\x00\x00\x0b\x00\x02\x01\x00\x00\x0a\x00\x06\x00\x04\x00\x17\x00\x18")
+
+		var tlsData [2048]byte
+		tlsDataLen := 0
+		copy(tlsData[0:], tlsData1)
+		tlsDataLen += len(tlsData1)
+		sni := t.sni(t.getHost())
+		copy(tlsData[tlsDataLen:], sni)
+		tlsDataLen += len(sni)
+		copy(tlsData[tlsDataLen:], tlsData2)
+		tlsDataLen += len(tlsData2)
+		ticketLen := rand.Intn(164)*2 + 64
+		tlsData[tlsDataLen-1] = uint8(ticketLen & 0xff)
+		tlsData[tlsDataLen-2] = uint8(ticketLen >> 8)
+		//ticketLen := 208
+		rand.Read(tlsData[tlsDataLen : tlsDataLen+ticketLen])
+		tlsDataLen += ticketLen
+		copy(tlsData[tlsDataLen:], tlsData3)
+		tlsDataLen += len(tlsData3)
+
+		length := 11 + 32 + 1 + 32 + len(tlsData0) + 2 + tlsDataLen
+		encodedData := make([]byte, length)
+		pdata := length - tlsDataLen
+		l := tlsDataLen
+		copy(encodedData[pdata:], tlsData[:tlsDataLen])
+		encodedData[pdata-1] = uint8(tlsDataLen)
+		encodedData[pdata-2] = uint8(tlsDataLen >> 8)
+		pdata -= 2
+		l += 2
+		copy(encodedData[pdata-len(tlsData0):], tlsData0)
+		pdata -= len(tlsData0)
+		l += len(tlsData0)
+		copy(encodedData[pdata-32:], t.localClientID[:])
+		pdata -= 32
+		l += 32
+		encodedData[pdata-1] = 0x20
+		pdata--
+		l++
+		copy(encodedData[pdata-32:], t.packAuthData())
+		pdata -= 32
+		l += 32
+		encodedData[pdata-1] = 0x3
+		encodedData[pdata-2] = 0x3 // tls version
+		pdata -= 2
+		l += 2
+		encodedData[pdata-1] = uint8(l)
+		encodedData[pdata-2] = uint8(l >> 8)
+		encodedData[pdata-3] = 0
+		encodedData[pdata-4] = 1
+		pdata -= 4
+		l += 4
+		encodedData[pdata-1] = uint8(l)
+		encodedData[pdata-2] = uint8(l >> 8)
+		pdata -= 2
+		l += 2
+		encodedData[pdata-1] = 0x1
+		encodedData[pdata-2] = 0x3 // tls version
+		pdata -= 2
+		l += 2
+		encodedData[pdata-1] = 0x16 // tls handshake
+		pdata--
+		l++
+		packData(&t.sendSaver, b)
+		t.handshakeStatus = 1
+		return encodedData, nil
+	default:
+		return nil, fmt.Errorf("unexpected handshake status: %d", t.handshakeStatus)
+	}
+}
+
+func (t *tls12Ticket) hmacSHA1(data []byte) []byte {
+	key := make([]byte, len(t.Key)+32)
+	copy(key, t.Key)
+	copy(key[len(t.Key):], t.localClientID[:])
+
+	sha1Data := tools.HmacSHA1(key, data)
+	return sha1Data[:tools.HmacSHA1Len]
+}
+
+func (t *tls12Ticket) sni(u string) []byte {
+	bURL := []byte(u)
+	length := len(bURL)
+	ret := make([]byte, length+9)
+	copy(ret[9:9+length], bURL)
+	binary.BigEndian.PutUint16(ret[7:], uint16(length&0xFFFF))
+	length += 3
+	binary.BigEndian.PutUint16(ret[4:], uint16(length&0xFFFF))
+	length += 2
+	binary.BigEndian.PutUint16(ret[2:], uint16(length&0xFFFF))
+	return ret
+}
+
+func (t *tls12Ticket) getHost() string {
+	host := t.Host
+	if len(t.Param) > 0 {
+		hosts := strings.Split(t.Param, ",")
+		if len(hosts) > 0 {
+
+			host = hosts[rand.Intn(len(hosts))]
+			host = strings.TrimSpace(host)
+		}
+	}
+	if len(host) > 0 && host[len(host)-1] >= byte('0') && host[len(host)-1] <= byte('9') && len(t.Param) == 0 {
+		host = ""
+	}
+	return host
+}
+
+func (t *tls12Ticket) packAuthData() (ret []byte) {
+	retSize := 32
+	ret = make([]byte, retSize)
+
+	now := time.Now().Unix()
+	binary.BigEndian.PutUint32(ret[:4], uint32(now))
+
+	rand.Read(ret[4 : 4+18])
+
+	hash := t.hmacSHA1(ret[:retSize-tools.HmacSHA1Len])
+	copy(ret[retSize-tools.HmacSHA1Len:], hash)
+
+	return
+}
+
+func packData(buffer *bytes.Buffer, suffix []byte) {
+	d := []byte{0x17, 0x3, 0x3, 0, 0}
+	binary.BigEndian.PutUint16(d[3:5], uint16(len(suffix)&0xFFFF))
+	buffer.Write(d)
+	buffer.Write(suffix)
+	return
+}

component/ssr/protocol/auth_aes128_md5.go

@@ -0,0 +1,310 @@
+package protocol
+
+import (
+	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"encoding/base64"
+	"encoding/binary"
+	"math/rand"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/Dreamacro/clash/common/pool"
+	"github.com/Dreamacro/clash/component/ssr/tools"
+	"github.com/Dreamacro/go-shadowsocks2/core"
+)
+
+type authAES128 struct {
+	*Base
+	*recvInfo
+	*authData
+	hasSentHeader bool
+	packID        uint32
+	userKey       []byte
+	uid           [4]byte
+	salt          string
+	hmac          hmacMethod
+	hashDigest    hashDigestMethod
+}
+
+func init() {
+	register("auth_aes128_md5", newAuthAES128MD5)
+}
+
+func newAuthAES128MD5(b *Base) Protocol {
+	return &authAES128{
+		Base:       b,
+		authData:   &authData{},
+		salt:       "auth_aes128_md5",
+		hmac:       tools.HmacMD5,
+		hashDigest: tools.MD5Sum,
+	}
+}
+
+func (a *authAES128) initForConn(iv []byte) Protocol {
+	return &authAES128{
+		Base: &Base{
+			IV:       iv,
+			Key:      a.Key,
+			TCPMss:   a.TCPMss,
+			Overhead: a.Overhead,
+			Param:    a.Param,
+		},
+		recvInfo:   &recvInfo{recvID: 1, buffer: new(bytes.Buffer)},
+		authData:   a.authData,
+		packID:     1,
+		salt:       a.salt,
+		hmac:       a.hmac,
+		hashDigest: a.hashDigest,
+	}
+}
+
+func (a *authAES128) GetProtocolOverhead() int {
+	return 9
+}
+
+func (a *authAES128) SetOverhead(overhead int) {
+	a.Overhead = overhead
+}
+
+func (a *authAES128) Decode(b []byte) ([]byte, int, error) {
+	a.buffer.Reset()
+	bSize := len(b)
+	readSize := 0
+	key := pool.Get(len(a.userKey) + 4)
+	defer pool.Put(key)
+	copy(key, a.userKey)
+	for bSize > 4 {
+		binary.LittleEndian.PutUint32(key[len(key)-4:], a.recvID)
+
+		h := a.hmac(key, b[:2])
+		if !bytes.Equal(h[:2], b[2:4]) {
+			return nil, 0, errAuthAES128IncorrectMAC
+		}
+
+		length := int(binary.LittleEndian.Uint16(b[:2]))
+		if length >= 8192 || length < 8 {
+			return nil, 0, errAuthAES128DataLengthError
+		}
+		if length > bSize {
+			break
+		}
+
+		h = a.hmac(key, b[:length-4])
+		if !bytes.Equal(h[:4], b[length-4:length]) {
+			return nil, 0, errAuthAES128IncorrectChecksum
+		}
+
+		a.recvID++
+		pos := int(b[4])
+		if pos < 255 {
+			pos += 4
+		} else {
+			pos = int(binary.LittleEndian.Uint16(b[5:7])) + 4
+		}
+
+		if pos > length-4 {
+			return nil, 0, errAuthAES128PositionTooLarge
+		}
+		a.buffer.Write(b[pos : length-4])
+		b = b[length:]
+		bSize -= length
+		readSize += length
+	}
+	return a.buffer.Bytes(), readSize, nil
+}
+
+func (a *authAES128) Encode(b []byte) ([]byte, error) {
+	a.buffer.Reset()
+	bSize := len(b)
+	offset := 0
+	if bSize > 0 && !a.hasSentHeader {
+		authSize := bSize
+		if authSize > 1200 {
+			authSize = 1200
+		}
+		a.hasSentHeader = true
+		a.buffer.Write(a.packAuthData(b[:authSize]))
+		bSize -= authSize
+		offset += authSize
+	}
+	const blockSize = 4096
+	for bSize > blockSize {
+		packSize, randSize := a.packedDataSize(b[offset : offset+blockSize])
+		pack := pool.Get(packSize)
+		a.packData(b[offset:offset+blockSize], pack, randSize)
+		a.buffer.Write(pack)
+		pool.Put(pack)
+		bSize -= blockSize
+		offset += blockSize
+	}
+	if bSize > 0 {
+		packSize, randSize := a.packedDataSize(b[offset:])
+		pack := pool.Get(packSize)
+		a.packData(b[offset:], pack, randSize)
+		a.buffer.Write(pack)
+		pool.Put(pack)
+	}
+	return a.buffer.Bytes(), nil
+}
+
+func (a *authAES128) DecodePacket(b []byte) ([]byte, int, error) {
+	bSize := len(b)
+	h := a.hmac(a.Key, b[:bSize-4])
+	if !bytes.Equal(h[:4], b[bSize-4:]) {
+		return nil, 0, errAuthAES128IncorrectMAC
+	}
+	return b[:bSize-4], bSize - 4, nil
+}
+
+func (a *authAES128) EncodePacket(b []byte) ([]byte, error) {
+	a.initUserKeyAndID()
+
+	var buf bytes.Buffer
+	buf.Write(b)
+	buf.Write(a.uid[:])
+	h := a.hmac(a.userKey, buf.Bytes())
+	buf.Write(h[:4])
+	return buf.Bytes(), nil
+}
+
+func (a *authAES128) initUserKeyAndID() {
+	if a.userKey == nil {
+		params := strings.Split(a.Param, ":")
+		if len(params) >= 2 {
+			if userID, err := strconv.ParseUint(params[0], 10, 32); err == nil {
+				binary.LittleEndian.PutUint32(a.uid[:], uint32(userID))
+				a.userKey = a.hashDigest([]byte(params[1]))
+			}
+		}
+
+		if a.userKey == nil {
+			rand.Read(a.uid[:])
+			a.userKey = make([]byte, len(a.Key))
+			copy(a.userKey, a.Key)
+		}
+	}
+}
+
+func (a *authAES128) packedDataSize(data []byte) (packSize, randSize int) {
+	dataSize := len(data)
+	randSize = 1
+	if dataSize <= 1200 {
+		if a.packID > 4 {
+			randSize += rand.Intn(32)
+		} else {
+			if dataSize > 900 {
+				randSize += rand.Intn(128)
+			} else {
+				randSize += rand.Intn(512)
+			}
+		}
+	}
+	packSize = randSize + dataSize + 8
+	return
+}
+
+func (a *authAES128) packData(data, ret []byte, randSize int) {
+	dataSize := len(data)
+	retSize := len(ret)
+	// 0~1, ret_size
+	binary.LittleEndian.PutUint16(ret[0:], uint16(retSize&0xFFFF))
+	// 2~3, hmac
+	key := pool.Get(len(a.userKey) + 4)
+	defer pool.Put(key)
+	copy(key, a.userKey)
+	binary.LittleEndian.PutUint32(key[len(key)-4:], a.packID)
+	h := a.hmac(key, ret[:2])
+	copy(ret[2:4], h[:2])
+	// 4~rand_size+4, rand number
+	rand.Read(ret[4 : 4+randSize])
+	// 4, rand_size
+	if randSize < 128 {
+		ret[4] = byte(randSize & 0xFF)
+	} else {
+		// 4, magic number 0xFF
+		ret[4] = 0xFF
+		// 5~6, rand_size
+		binary.LittleEndian.PutUint16(ret[5:], uint16(randSize&0xFFFF))
+	}
+	// rand_size+4~ret_size-4, data
+	if dataSize > 0 {
+		copy(ret[randSize+4:], data)
+	}
+	a.packID++
+	h = a.hmac(key, ret[:retSize-4])
+	copy(ret[retSize-4:], h[:4])
+}
+
+func (a *authAES128) packAuthData(data []byte) (ret []byte) {
+	dataSize := len(data)
+	var randSize int
+
+	if dataSize > 400 {
+		randSize = rand.Intn(512)
+	} else {
+		randSize = rand.Intn(1024)
+	}
+
+	dataOffset := randSize + 16 + 4 + 4 + 7
+	retSize := dataOffset + dataSize + 4
+	ret = make([]byte, retSize)
+	encrypt := make([]byte, 24)
+	key := make([]byte, len(a.IV)+len(a.Key))
+	copy(key, a.IV)
+	copy(key[len(a.IV):], a.Key)
+
+	rand.Read(ret[dataOffset-randSize:])
+	a.mutex.Lock()
+	defer a.mutex.Unlock()
+	a.connectionID++
+	if a.connectionID > 0xFF000000 {
+		a.clientID = nil
+	}
+	if len(a.clientID) == 0 {
+		a.clientID = make([]byte, 8)
+		rand.Read(a.clientID)
+		b := make([]byte, 4)
+		rand.Read(b)
+		a.connectionID = binary.LittleEndian.Uint32(b) & 0xFFFFFF
+	}
+	copy(encrypt[4:], a.clientID)
+	binary.LittleEndian.PutUint32(encrypt[8:], a.connectionID)
+
+	now := time.Now().Unix()
+	binary.LittleEndian.PutUint32(encrypt[:4], uint32(now))
+
+	binary.LittleEndian.PutUint16(encrypt[12:], uint16(retSize&0xFFFF))
+	binary.LittleEndian.PutUint16(encrypt[14:], uint16(randSize&0xFFFF))
+
+	a.initUserKeyAndID()
+
+	aesCipherKey := core.Kdf(base64.StdEncoding.EncodeToString(a.userKey)+a.salt, 16)
+	block, err := aes.NewCipher(aesCipherKey)
+	if err != nil {
+		return nil
+	}
+	encryptData := make([]byte, 16)
+	iv := make([]byte, aes.BlockSize)
+	cbc := cipher.NewCBCEncrypter(block, iv)
+	cbc.CryptBlocks(encryptData, encrypt[:16])
+	copy(encrypt[:4], a.uid[:])
+	copy(encrypt[4:4+16], encryptData)
+
+	h := a.hmac(key, encrypt[:20])
+	copy(encrypt[20:], h[:4])
+
+	rand.Read(ret[:1])
+	h = a.hmac(key, ret[:1])
+	copy(ret[1:], h[:7-1])
+
+	copy(ret[7:], encrypt)
+	copy(ret[dataOffset:], data)
+
+	h = a.hmac(a.userKey, ret[:retSize-4])
+	copy(ret[retSize-4:], h[:4])
+
+	return
+}

component/ssr/protocol/auth_aes128_sha1.go

@@ -0,0 +1,22 @@
+package protocol
+
+import (
+	"bytes"
+
+	"github.com/Dreamacro/clash/component/ssr/tools"
+)
+
+func init() {
+	register("auth_aes128_sha1", newAuthAES128SHA1)
+}
+
+func newAuthAES128SHA1(b *Base) Protocol {
+	return &authAES128{
+		Base:       b,
+		recvInfo:   &recvInfo{buffer: new(bytes.Buffer)},
+		authData:   &authData{},
+		salt:       "auth_aes128_sha1",
+		hmac:       tools.HmacSHA1,
+		hashDigest: tools.SHA1Sum,
+	}
+}

component/ssr/protocol/auth_chain_a.go

@@ -0,0 +1,428 @@
+package protocol
+
+import (
+	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rc4"
+	"encoding/base64"
+	"encoding/binary"
+	"math/rand"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/Dreamacro/clash/common/pool"
+	"github.com/Dreamacro/clash/component/ssr/tools"
+	"github.com/Dreamacro/go-shadowsocks2/core"
+)
+
+type authChain struct {
+	*Base
+	*recvInfo
+	*authData
+	randomClient   shift128PlusContext
+	randomServer   shift128PlusContext
+	enc            cipher.Stream
+	dec            cipher.Stream
+	headerSent     bool
+	lastClientHash []byte
+	lastServerHash []byte
+	userKey        []byte
+	uid            [4]byte
+	salt           string
+	hmac           hmacMethod
+	hashDigest     hashDigestMethod
+	rnd            rndMethod
+	dataSizeList   []int
+	dataSizeList2  []int
+	chunkID        uint32
+}
+
+func init() {
+	register("auth_chain_a", newAuthChainA)
+}
+
+func newAuthChainA(b *Base) Protocol {
+	return &authChain{
+		Base:       b,
+		authData:   &authData{},
+		salt:       "auth_chain_a",
+		hmac:       tools.HmacMD5,
+		hashDigest: tools.SHA1Sum,
+		rnd:        authChainAGetRandLen,
+	}
+}
+
+func (a *authChain) initForConn(iv []byte) Protocol {
+	r := &authChain{
+		Base: &Base{
+			IV:       iv,
+			Key:      a.Key,
+			TCPMss:   a.TCPMss,
+			Overhead: a.Overhead,
+			Param:    a.Param,
+		},
+		recvInfo:   &recvInfo{recvID: 1, buffer: new(bytes.Buffer)},
+		authData:   a.authData,
+		salt:       a.salt,
+		hmac:       a.hmac,
+		hashDigest: a.hashDigest,
+		rnd:        a.rnd,
+	}
+	if r.salt == "auth_chain_b" {
+		initDataSize(r)
+	}
+	return r
+}
+
+func (a *authChain) GetProtocolOverhead() int {
+	return 4
+}
+
+func (a *authChain) SetOverhead(overhead int) {
+	a.Overhead = overhead
+}
+
+func (a *authChain) Decode(b []byte) ([]byte, int, error) {
+	a.buffer.Reset()
+	key := pool.Get(len(a.userKey) + 4)
+	defer pool.Put(key)
+	readSize := 0
+	copy(key, a.userKey)
+	for len(b) > 4 {
+		binary.LittleEndian.PutUint32(key[len(a.userKey):], a.recvID)
+		dataLen := (int)((uint(b[1]^a.lastServerHash[15]) << 8) + uint(b[0]^a.lastServerHash[14]))
+		randLen := a.getServerRandLen(dataLen, a.Overhead)
+		length := randLen + dataLen
+		if length >= 4096 {
+			return nil, 0, errAuthChainDataLengthError
+		}
+		length += 4
+		if length > len(b) {
+			break
+		}
+
+		hash := a.hmac(key, b[:length-2])
+		if !bytes.Equal(hash[:2], b[length-2:length]) {
+			return nil, 0, errAuthChainHMACError
+		}
+		var dataPos int
+		if dataLen > 0 && randLen > 0 {
+			dataPos = 2 + getRandStartPos(&a.randomServer, randLen)
+		} else {
+			dataPos = 2
+		}
+		d := pool.Get(dataLen)
+		a.dec.XORKeyStream(d, b[dataPos:dataPos+dataLen])
+		a.buffer.Write(d)
+		pool.Put(d)
+		if a.recvID == 1 {
+			a.TCPMss = int(binary.LittleEndian.Uint16(a.buffer.Next(2)))
+		}
+		a.lastServerHash = hash
+		a.recvID++
+		b = b[length:]
+		readSize += length
+	}
+	return a.buffer.Bytes(), readSize, nil
+}
+
+func (a *authChain) Encode(b []byte) ([]byte, error) {
+	a.buffer.Reset()
+	bSize := len(b)
+	offset := 0
+	if bSize > 0 && !a.headerSent {
+		headSize := 1200
+		if headSize > bSize {
+			headSize = bSize
+		}
+		a.buffer.Write(a.packAuthData(b[:headSize]))
+		offset += headSize
+		bSize -= headSize
+		a.headerSent = true
+	}
+	var unitSize = a.TCPMss - a.Overhead
+	for bSize > unitSize {
+		dataLen, randLength := a.packedDataLen(b[offset : offset+unitSize])
+		d := pool.Get(dataLen)
+		a.packData(d, b[offset:offset+unitSize], randLength)
+		a.buffer.Write(d)
+		pool.Put(d)
+		bSize -= unitSize
+		offset += unitSize
+	}
+	if bSize > 0 {
+		dataLen, randLength := a.packedDataLen(b[offset:])
+		d := pool.Get(dataLen)
+		a.packData(d, b[offset:], randLength)
+		a.buffer.Write(d)
+		pool.Put(d)
+	}
+	return a.buffer.Bytes(), nil
+}
+
+func (a *authChain) DecodePacket(b []byte) ([]byte, int, error) {
+	bSize := len(b)
+	if bSize < 9 {
+		return nil, 0, errAuthChainDataLengthError
+	}
+	h := a.hmac(a.userKey, b[:bSize-1])
+	if h[0] != b[bSize-1] {
+		return nil, 0, errAuthChainHMACError
+	}
+	hash := a.hmac(a.Key, b[bSize-8:bSize-1])
+	cipherKey := a.getRC4CipherKey(hash)
+	dec, _ := rc4.NewCipher(cipherKey)
+	randLength := udpGetRandLen(&a.randomServer, hash)
+	bSize -= 8 + randLength
+	dec.XORKeyStream(b, b[:bSize])
+	return b, bSize, nil
+}
+
+func (a *authChain) EncodePacket(b []byte) ([]byte, error) {
+	a.initUserKeyAndID()
+	authData := pool.Get(3)
+	defer pool.Put(authData)
+	rand.Read(authData)
+	hash := a.hmac(a.Key, authData)
+	uid := pool.Get(4)
+	defer pool.Put(uid)
+	for i := 0; i < 4; i++ {
+		uid[i] = a.uid[i] ^ hash[i]
+	}
+
+	cipherKey := a.getRC4CipherKey(hash)
+	enc, _ := rc4.NewCipher(cipherKey)
+	var buf bytes.Buffer
+	enc.XORKeyStream(b, b)
+	buf.Write(b)
+
+	randLength := udpGetRandLen(&a.randomClient, hash)
+	randBytes := pool.Get(randLength)
+	defer pool.Put(randBytes)
+	buf.Write(randBytes)
+
+	buf.Write(authData)
+	buf.Write(uid)
+
+	h := a.hmac(a.userKey, buf.Bytes())
+	buf.Write(h[:1])
+	return buf.Bytes(), nil
+}
+
+func (a *authChain) getRC4CipherKey(hash []byte) []byte {
+	base64UserKey := base64.StdEncoding.EncodeToString(a.userKey)
+	return a.calcRC4CipherKey(hash, base64UserKey)
+}
+
+func (a *authChain) calcRC4CipherKey(hash []byte, base64UserKey string) []byte {
+	password := pool.Get(len(base64UserKey) + base64.StdEncoding.EncodedLen(16))
+	defer pool.Put(password)
+	copy(password, base64UserKey)
+	base64.StdEncoding.Encode(password[len(base64UserKey):], hash[:16])
+	return core.Kdf(string(password), 16)
+}
+
+func (a *authChain) initUserKeyAndID() {
+	if a.userKey == nil {
+		params := strings.Split(a.Param, ":")
+		if len(params) >= 2 {
+			if userID, err := strconv.ParseUint(params[0], 10, 32); err == nil {
+				binary.LittleEndian.PutUint32(a.uid[:], uint32(userID))
+				a.userKey = []byte(params[1])[:len(a.userKey)]
+			}
+		}
+
+		if a.userKey == nil {
+			rand.Read(a.uid[:])
+			a.userKey = make([]byte, len(a.Key))
+			copy(a.userKey, a.Key)
+		}
+	}
+}
+
+func (a *authChain) getClientRandLen(dataLength int, overhead int) int {
+	return a.rnd(dataLength, &a.randomClient, a.lastClientHash, a.dataSizeList, a.dataSizeList2, overhead)
+}
+
+func (a *authChain) getServerRandLen(dataLength int, overhead int) int {
+	return a.rnd(dataLength, &a.randomServer, a.lastServerHash, a.dataSizeList, a.dataSizeList2, overhead)
+}
+
+func (a *authChain) packedDataLen(data []byte) (chunkLength, randLength int) {
+	dataLength := len(data)
+	randLength = a.getClientRandLen(dataLength, a.Overhead)
+	chunkLength = randLength + dataLength + 2 + 2
+	return
+}
+
+func (a *authChain) packData(outData []byte, data []byte, randLength int) {
+	dataLength := len(data)
+	outLength := randLength + dataLength + 2
+	outData[0] = byte(dataLength) ^ a.lastClientHash[14]
+	outData[1] = byte(dataLength>>8) ^ a.lastClientHash[15]
+
+	{
+		if dataLength > 0 {
+			randPart1Length := getRandStartPos(&a.randomClient, randLength)
+			rand.Read(outData[2 : 2+randPart1Length])
+			a.enc.XORKeyStream(outData[2+randPart1Length:], data)
+			rand.Read(outData[2+randPart1Length+dataLength : outLength])
+		} else {
+			rand.Read(outData[2 : 2+randLength])
+		}
+	}
+
+	userKeyLen := uint8(len(a.userKey))
+	key := pool.Get(int(userKeyLen + 4))
+	defer pool.Put(key)
+	copy(key, a.userKey)
+	a.chunkID++
+	binary.LittleEndian.PutUint32(key[userKeyLen:], a.chunkID)
+	a.lastClientHash = a.hmac(key, outData[:outLength])
+	copy(outData[outLength:], a.lastClientHash[:2])
+	return
+}
+
+const authHeadLength = 4 + 8 + 4 + 16 + 4
+
+func (a *authChain) packAuthData(data []byte) (outData []byte) {
+	outData = make([]byte, authHeadLength, authHeadLength+1500)
+	a.mutex.Lock()
+	defer a.mutex.Unlock()
+	a.connectionID++
+	if a.connectionID > 0xFF000000 {
+		rand.Read(a.clientID)
+		b := make([]byte, 4)
+		rand.Read(b)
+		a.connectionID = binary.LittleEndian.Uint32(b) & 0xFFFFFF
+	}
+	var key = make([]byte, len(a.IV)+len(a.Key))
+	copy(key, a.IV)
+	copy(key[len(a.IV):], a.Key)
+
+	encrypt := make([]byte, 20)
+	t := time.Now().Unix()
+	binary.LittleEndian.PutUint32(encrypt[:4], uint32(t))
+	copy(encrypt[4:8], a.clientID)
+	binary.LittleEndian.PutUint32(encrypt[8:], a.connectionID)
+	binary.LittleEndian.PutUint16(encrypt[12:], uint16(a.Overhead))
+	binary.LittleEndian.PutUint16(encrypt[14:], 0)
+
+	// first 12 bytes
+	{
+		rand.Read(outData[:4])
+		a.lastClientHash = a.hmac(key, outData[:4])
+		copy(outData[4:], a.lastClientHash[:8])
+	}
+	var base64UserKey string
+	// uid & 16 bytes auth data
+	{
+		a.initUserKeyAndID()
+		uid := make([]byte, 4)
+		for i := 0; i < 4; i++ {
+			uid[i] = a.uid[i] ^ a.lastClientHash[8+i]
+		}
+		base64UserKey = base64.StdEncoding.EncodeToString(a.userKey)
+		aesCipherKey := core.Kdf(base64UserKey+a.salt, 16)
+		block, err := aes.NewCipher(aesCipherKey)
+		if err != nil {
+			return
+		}
+		encryptData := make([]byte, 16)
+		iv := make([]byte, aes.BlockSize)
+		cbc := cipher.NewCBCEncrypter(block, iv)
+		cbc.CryptBlocks(encryptData, encrypt[:16])
+		copy(encrypt[:4], uid[:])
+		copy(encrypt[4:4+16], encryptData)
+	}
+	// final HMAC
+	{
+		a.lastServerHash = a.hmac(a.userKey, encrypt[:20])
+
+		copy(outData[12:], encrypt)
+		copy(outData[12+20:], a.lastServerHash[:4])
+	}
+
+	// init cipher
+	cipherKey := a.calcRC4CipherKey(a.lastClientHash, base64UserKey)
+	a.enc, _ = rc4.NewCipher(cipherKey)
+	a.dec, _ = rc4.NewCipher(cipherKey)
+
+	// data
+	chunkLength, randLength := a.packedDataLen(data)
+	if chunkLength <= 1500 {
+		outData = outData[:authHeadLength+chunkLength]
+	} else {
+		newOutData := make([]byte, authHeadLength+chunkLength)
+		copy(newOutData, outData[:authHeadLength])
+		outData = newOutData
+	}
+	a.packData(outData[authHeadLength:], data, randLength)
+	return
+}
+
+func getRandStartPos(random *shift128PlusContext, randLength int) int {
+	if randLength > 0 {
+		return int(random.Next() % 8589934609 % uint64(randLength))
+	}
+	return 0
+}
+
+func authChainAGetRandLen(dataLength int, random *shift128PlusContext, lastHash []byte, dataSizeList, dataSizeList2 []int, overhead int) int {
+	if dataLength > 1440 {
+		return 0
+	}
+	random.InitFromBinDatalen(lastHash[:16], dataLength)
+	if dataLength > 1300 {
+		return int(random.Next() % 31)
+	}
+	if dataLength > 900 {
+		return int(random.Next() % 127)
+	}
+	if dataLength > 400 {
+		return int(random.Next() % 521)
+	}
+	return int(random.Next() % 1021)
+}
+
+func udpGetRandLen(random *shift128PlusContext, lastHash []byte) int {
+	random.InitFromBin(lastHash[:16])
+	return int(random.Next() % 127)
+}
+
+type shift128PlusContext struct {
+	v [2]uint64
+}
+
+func (ctx *shift128PlusContext) InitFromBin(bin []byte) {
+	var fillBin [16]byte
+	copy(fillBin[:], bin)
+
+	ctx.v[0] = binary.LittleEndian.Uint64(fillBin[:8])
+	ctx.v[1] = binary.LittleEndian.Uint64(fillBin[8:])
+}
+
+func (ctx *shift128PlusContext) InitFromBinDatalen(bin []byte, datalen int) {
+	var fillBin [16]byte
+	copy(fillBin[:], bin)
+	binary.LittleEndian.PutUint16(fillBin[:2], uint16(datalen))
+
+	ctx.v[0] = binary.LittleEndian.Uint64(fillBin[:8])
+	ctx.v[1] = binary.LittleEndian.Uint64(fillBin[8:])
+
+	for i := 0; i < 4; i++ {
+		ctx.Next()
+	}
+}
+
+func (ctx *shift128PlusContext) Next() uint64 {
+	x := ctx.v[0]
+	y := ctx.v[1]
+	ctx.v[0] = y
+	x ^= x << 23
+	x ^= y ^ (x >> 17) ^ (y >> 26)
+	ctx.v[1] = x
+	return x + y
+}

component/ssr/protocol/auth_chain_b.go

@@ -0,0 +1,72 @@
+package protocol
+
+import (
+	"sort"
+
+	"github.com/Dreamacro/clash/component/ssr/tools"
+)
+
+func init() {
+	register("auth_chain_b", newAuthChainB)
+}
+
+func newAuthChainB(b *Base) Protocol {
+	return &authChain{
+		Base:       b,
+		authData:   &authData{},
+		salt:       "auth_chain_b",
+		hmac:       tools.HmacMD5,
+		hashDigest: tools.SHA1Sum,
+		rnd:        authChainBGetRandLen,
+	}
+}
+
+func initDataSize(r *authChain) {
+	random := &r.randomServer
+	random.InitFromBin(r.Key)
+	len := random.Next()%8 + 4
+	r.dataSizeList = make([]int, len)
+	for i := 0; i < int(len); i++ {
+		r.dataSizeList[i] = int(random.Next() % 2340 % 2040 % 1440)
+	}
+	sort.Ints(r.dataSizeList)
+
+	len = random.Next()%16 + 8
+	r.dataSizeList2 = make([]int, len)
+	for i := 0; i < int(len); i++ {
+		r.dataSizeList2[i] = int(random.Next() % 2340 % 2040 % 1440)
+	}
+	sort.Ints(r.dataSizeList2)
+}
+
+func authChainBGetRandLen(dataLength int, random *shift128PlusContext, lastHash []byte, dataSizeList, dataSizeList2 []int, overhead int) int {
+	if dataLength > 1440 {
+		return 0
+	}
+	random.InitFromBinDatalen(lastHash[:16], dataLength)
+	pos := sort.Search(len(dataSizeList), func(i int) bool { return dataSizeList[i] > dataLength+overhead })
+	finalPos := uint64(pos) + random.Next()%uint64(len(dataSizeList))
+	if finalPos < uint64(len(dataSizeList)) {
+		return dataSizeList[finalPos] - dataLength - overhead
+	}
+
+	pos = sort.Search(len(dataSizeList2), func(i int) bool { return dataSizeList2[i] > dataLength+overhead })
+	finalPos = uint64(pos) + random.Next()%uint64(len(dataSizeList2))
+	if finalPos < uint64(len(dataSizeList2)) {
+		return dataSizeList2[finalPos] - dataLength - overhead
+	}
+	if finalPos < uint64(pos+len(dataSizeList2)-1) {
+		return 0
+	}
+
+	if dataLength > 1300 {
+		return int(random.Next() % 31)
+	}
+	if dataLength > 900 {
+		return int(random.Next() % 127)
+	}
+	if dataLength > 400 {
+		return int(random.Next() % 521)
+	}
+	return int(random.Next() % 1021)
+}

component/ssr/protocol/auth_sha1_v4.go

@@ -0,0 +1,253 @@
+package protocol
+
+import (
+	"bytes"
+	"encoding/binary"
+	"hash/adler32"
+	"hash/crc32"
+	"math/rand"
+	"time"
+
+	"github.com/Dreamacro/clash/common/pool"
+	"github.com/Dreamacro/clash/component/ssr/tools"
+)
+
+type authSHA1V4 struct {
+	*Base
+	*authData
+	headerSent bool
+	buffer     bytes.Buffer
+}
+
+func init() {
+	register("auth_sha1_v4", newAuthSHA1V4)
+}
+
+func newAuthSHA1V4(b *Base) Protocol {
+	return &authSHA1V4{Base: b, authData: &authData{}}
+}
+
+func (a *authSHA1V4) initForConn(iv []byte) Protocol {
+	return &authSHA1V4{
+		Base: &Base{
+			IV:       iv,
+			Key:      a.Key,
+			TCPMss:   a.TCPMss,
+			Overhead: a.Overhead,
+			Param:    a.Param,
+		},
+		authData: a.authData,
+	}
+}
+
+func (a *authSHA1V4) GetProtocolOverhead() int {
+	return 7
+}
+
+func (a *authSHA1V4) SetOverhead(overhead int) {
+	a.Overhead = overhead
+}
+
+func (a *authSHA1V4) Decode(b []byte) ([]byte, int, error) {
+	a.buffer.Reset()
+	bSize := len(b)
+	originalSize := bSize
+	for bSize > 4 {
+		crc := crc32.ChecksumIEEE(b[:2]) & 0xFFFF
+		if binary.LittleEndian.Uint16(b[2:4]) != uint16(crc) {
+			return nil, 0, errAuthSHA1v4CRC32Error
+		}
+		length := int(binary.BigEndian.Uint16(b[:2]))
+		if length >= 8192 || length < 8 {
+			return nil, 0, errAuthSHA1v4DataLengthError
+		}
+		if length > bSize {
+			break
+		}
+
+		if adler32.Checksum(b[:length-4]) == binary.LittleEndian.Uint32(b[length-4:]) {
+			pos := int(b[4])
+			if pos != 0xFF {
+				pos += 4
+			} else {
+				pos = int(binary.BigEndian.Uint16(b[5:5+2])) + 4
+			}
+			retSize := length - pos - 4
+			a.buffer.Write(b[pos : pos+retSize])
+			bSize -= length
+			b = b[length:]
+		} else {
+			return nil, 0, errAuthSHA1v4IncorrectChecksum
+		}
+	}
+	return a.buffer.Bytes(), originalSize - bSize, nil
+}
+
+func (a *authSHA1V4) Encode(b []byte) ([]byte, error) {
+	a.buffer.Reset()
+	bSize := len(b)
+	offset := 0
+	if !a.headerSent && bSize > 0 {
+		headSize := getHeadSize(b, 30)
+		if headSize > bSize {
+			headSize = bSize
+		}
+		a.buffer.Write(a.packAuthData(b[:headSize]))
+		offset += headSize
+		bSize -= headSize
+		a.headerSent = true
+	}
+	const blockSize = 4096
+	for bSize > blockSize {
+		packSize, randSize := a.packedDataSize(b[offset : offset+blockSize])
+		pack := pool.Get(packSize)
+		a.packData(b[offset:offset+blockSize], pack, randSize)
+		a.buffer.Write(pack)
+		pool.Put(pack)
+		offset += blockSize
+		bSize -= blockSize
+	}
+	if bSize > 0 {
+		packSize, randSize := a.packedDataSize(b[offset:])
+		pack := pool.Get(packSize)
+		a.packData(b[offset:], pack, randSize)
+		a.buffer.Write(pack)
+		pool.Put(pack)
+	}
+	return a.buffer.Bytes(), nil
+}
+
+func (a *authSHA1V4) DecodePacket(b []byte) ([]byte, int, error) {
+	return b, len(b), nil
+}
+
+func (a *authSHA1V4) EncodePacket(b []byte) ([]byte, error) {
+	return b, nil
+}
+
+func (a *authSHA1V4) packedDataSize(data []byte) (packSize, randSize int) {
+	dataSize := len(data)
+	randSize = 1
+	if dataSize <= 1300 {
+		if dataSize > 400 {
+			randSize += rand.Intn(128)
+		} else {
+			randSize += rand.Intn(1024)
+		}
+	}
+	packSize = randSize + dataSize + 8
+	return
+}
+
+func (a *authSHA1V4) packData(data, ret []byte, randSize int) {
+	dataSize := len(data)
+	retSize := len(ret)
+	// 0~1, ret size
+	binary.BigEndian.PutUint16(ret[:2], uint16(retSize&0xFFFF))
+	// 2~3, crc of ret size
+	crc := crc32.ChecksumIEEE(ret[:2]) & 0xFFFF
+	binary.LittleEndian.PutUint16(ret[2:4], uint16(crc))
+	// 4, rand size
+	if randSize < 128 {
+		ret[4] = uint8(randSize & 0xFF)
+	} else {
+		ret[4] = uint8(0xFF)
+		binary.BigEndian.PutUint16(ret[5:7], uint16(randSize&0xFFFF))
+	}
+	// (rand size+4)~(ret size-4), data
+	if dataSize > 0 {
+		copy(ret[randSize+4:], data)
+	}
+	// (ret size-4)~end, adler32 of full data
+	adler := adler32.Checksum(ret[:retSize-4])
+	binary.LittleEndian.PutUint32(ret[retSize-4:], adler)
+}
+
+func (a *authSHA1V4) packAuthData(data []byte) (ret []byte) {
+	dataSize := len(data)
+	randSize := 1
+	if dataSize <= 1300 {
+		if dataSize > 400 {
+			randSize += rand.Intn(128)
+		} else {
+			randSize += rand.Intn(1024)
+		}
+	}
+	dataOffset := randSize + 4 + 2
+	retSize := dataOffset + dataSize + 12 + tools.HmacSHA1Len
+	ret = make([]byte, retSize)
+	a.mutex.Lock()
+	defer a.mutex.Unlock()
+	a.connectionID++
+	if a.connectionID > 0xFF000000 {
+		a.clientID = nil
+	}
+	if len(a.clientID) == 0 {
+		a.clientID = make([]byte, 8)
+		rand.Read(a.clientID)
+		b := make([]byte, 4)
+		rand.Read(b)
+		a.connectionID = binary.LittleEndian.Uint32(b) & 0xFFFFFF
+	}
+	// 0~1, ret size
+	binary.BigEndian.PutUint16(ret[:2], uint16(retSize&0xFFFF))
+
+	// 2~6, crc of (ret size+salt+key)
+	salt := []byte("auth_sha1_v4")
+	crcData := make([]byte, len(salt)+len(a.Key)+2)
+	copy(crcData[:2], ret[:2])
+	copy(crcData[2:], salt)
+	copy(crcData[2+len(salt):], a.Key)
+	crc := crc32.ChecksumIEEE(crcData) & 0xFFFFFFFF
+	// 2~6, crc of (ret size+salt+key)
+	binary.LittleEndian.PutUint32(ret[2:], crc)
+	// 6~(rand size+6), rand numbers
+	rand.Read(ret[dataOffset-randSize : dataOffset])
+	// 6, rand size
+	if randSize < 128 {
+		ret[6] = byte(randSize & 0xFF)
+	} else {
+		// 6, magic number 0xFF
+		ret[6] = 0xFF
+		// 7~8, rand size
+		binary.BigEndian.PutUint16(ret[7:9], uint16(randSize&0xFFFF))
+	}
+	// rand size+6~(rand size+10), time stamp
+	now := time.Now().Unix()
+	binary.LittleEndian.PutUint32(ret[dataOffset:dataOffset+4], uint32(now))
+	// rand size+10~(rand size+14), client ID
+	copy(ret[dataOffset+4:dataOffset+4+4], a.clientID[:4])
+	// rand size+14~(rand size+18), connection ID
+	binary.LittleEndian.PutUint32(ret[dataOffset+8:dataOffset+8+4], a.connectionID)
+	// rand size+18~(rand size+18)+data length, data
+	copy(ret[dataOffset+12:], data)
+
+	key := make([]byte, len(a.IV)+len(a.Key))
+	copy(key, a.IV)
+	copy(key[len(a.IV):], a.Key)
+
+	h := tools.HmacSHA1(key, ret[:retSize-tools.HmacSHA1Len])
+	// (ret size-10)~(ret size)/(rand size)+18+data length~end, hmac
+	copy(ret[retSize-tools.HmacSHA1Len:], h[:tools.HmacSHA1Len])
+	return ret
+}
+
+func getHeadSize(data []byte, defaultValue int) int {
+	if data == nil || len(data) < 2 {
+		return defaultValue
+	}
+	headType := data[0] & 0x07
+	switch headType {
+	case 1:
+		// IPv4 1+4+2
+		return 7
+	case 4:
+		// IPv6 1+16+2
+		return 19
+	case 3:
+		// domain name, variant length
+		return 4 + int(data[1])
+	}
+
+	return defaultValue
+}

component/ssr/protocol/base.go

@@ -0,0 +1,10 @@
+package protocol
+
+// Base information for protocol
+type Base struct {
+	IV       []byte
+	Key      []byte
+	TCPMss   int
+	Overhead int
+	Param    string
+}

component/ssr/protocol/origin.go

@@ -0,0 +1,36 @@
+package protocol
+
+type origin struct{ *Base }
+
+func init() {
+	register("origin", newOrigin)
+}
+
+func newOrigin(b *Base) Protocol {
+	return &origin{}
+}
+
+func (o *origin) initForConn(iv []byte) Protocol { return &origin{} }
+
+func (o *origin) GetProtocolOverhead() int {
+	return 0
+}
+
+func (o *origin) SetOverhead(overhead int) {
+}
+
+func (o *origin) Decode(b []byte) ([]byte, int, error) {
+	return b, len(b), nil
+}
+
+func (o *origin) Encode(b []byte) ([]byte, error) {
+	return b, nil
+}
+
+func (o *origin) DecodePacket(b []byte) ([]byte, int, error) {
+	return b, len(b), nil
+}
+
+func (o *origin) EncodePacket(b []byte) ([]byte, error) {
+	return b, nil
+}

component/ssr/protocol/packet.go

@@ -0,0 +1,42 @@
+package protocol
+
+import (
+	"net"
+
+	"github.com/Dreamacro/clash/common/pool"
+)
+
+// NewPacketConn returns a net.NewPacketConn with protocol decoding/encoding
+func NewPacketConn(pc net.PacketConn, p Protocol) net.PacketConn {
+	return &PacketConn{PacketConn: pc, Protocol: p.initForConn(nil)}
+}
+
+// PacketConn represents a protocol packet connection
+type PacketConn struct {
+	net.PacketConn
+	Protocol
+}
+
+func (c *PacketConn) WriteTo(b []byte, addr net.Addr) (int, error) {
+	buf := pool.Get(pool.RelayBufferSize)
+	defer pool.Put(buf)
+	buf, err := c.EncodePacket(b)
+	if err != nil {
+		return 0, err
+	}
+	_, err = c.PacketConn.WriteTo(buf, addr)
+	return len(b), err
+}
+
+func (c *PacketConn) ReadFrom(b []byte) (int, net.Addr, error) {
+	n, addr, err := c.PacketConn.ReadFrom(b)
+	if err != nil {
+		return n, addr, err
+	}
+	bb, length, err := c.DecodePacket(b[:n])
+	if err != nil {
+		return n, addr, err
+	}
+	copy(b, bb)
+	return length, addr, err
+}

component/ssr/protocol/protocol.go

@@ -0,0 +1,63 @@
+package protocol
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"strings"
+	"sync"
+)
+
+var (
+	errAuthAES128IncorrectMAC      = errors.New("auth_aes128_* post decrypt incorrect mac")
+	errAuthAES128DataLengthError   = errors.New("auth_aes128_* post decrypt length mismatch")
+	errAuthAES128IncorrectChecksum = errors.New("auth_aes128_* post decrypt incorrect checksum")
+	errAuthAES128PositionTooLarge  = errors.New("auth_aes128_* post decrypt position is too large")
+	errAuthSHA1v4CRC32Error        = errors.New("auth_sha1_v4 post decrypt data crc32 error")
+	errAuthSHA1v4DataLengthError   = errors.New("auth_sha1_v4 post decrypt data length error")
+	errAuthSHA1v4IncorrectChecksum = errors.New("auth_sha1_v4 post decrypt incorrect checksum")
+	errAuthChainDataLengthError    = errors.New("auth_chain_* post decrypt length mismatch")
+	errAuthChainHMACError          = errors.New("auth_chain_* post decrypt hmac error")
+)
+
+type authData struct {
+	clientID     []byte
+	connectionID uint32
+	mutex        sync.Mutex
+}
+
+type recvInfo struct {
+	recvID uint32
+	buffer *bytes.Buffer
+}
+
+type hmacMethod func(key []byte, data []byte) []byte
+type hashDigestMethod func(data []byte) []byte
+type rndMethod func(dataSize int, random *shift128PlusContext, lastHash []byte, dataSizeList, dataSizeList2 []int, overhead int) int
+
+// Protocol provides methods for decoding, encoding and iv setting
+type Protocol interface {
+	initForConn(iv []byte) Protocol
+	GetProtocolOverhead() int
+	SetOverhead(int)
+	Decode([]byte) ([]byte, int, error)
+	Encode([]byte) ([]byte, error)
+	DecodePacket([]byte) ([]byte, int, error)
+	EncodePacket([]byte) ([]byte, error)
+}
+
+type protocolCreator func(b *Base) Protocol
+
+var protocolList = make(map[string]protocolCreator)
+
+func register(name string, c protocolCreator) {
+	protocolList[name] = c
+}
+
+// PickProtocol returns a protocol of the given name
+func PickProtocol(name string, b *Base) (Protocol, error) {
+	if protocolCreator, ok := protocolList[strings.ToLower(name)]; ok {
+		return protocolCreator(b), nil
+	}
+	return nil, fmt.Errorf("Protocol %s not supported", name)
+}

component/ssr/protocol/stream.go

@@ -0,0 +1,68 @@
+package protocol
+
+import (
+	"bytes"
+	"net"
+
+	"github.com/Dreamacro/clash/common/pool"
+)
+
+// NewConn wraps a stream-oriented net.Conn with protocol decoding/encoding
+func NewConn(c net.Conn, p Protocol, iv []byte) net.Conn {
+	return &Conn{Conn: c, Protocol: p.initForConn(iv)}
+}
+
+// Conn represents a protocol connection
+type Conn struct {
+	net.Conn
+	Protocol
+	buf          []byte
+	offset       int
+	underDecoded bytes.Buffer
+}
+
+func (c *Conn) Read(b []byte) (int, error) {
+	if c.buf != nil {
+		n := copy(b, c.buf[c.offset:])
+		c.offset += n
+		if c.offset == len(c.buf) {
+			c.buf = nil
+		}
+		return n, nil
+	}
+	buf := pool.Get(pool.RelayBufferSize)
+	defer pool.Put(buf)
+	n, err := c.Conn.Read(buf)
+	if err != nil {
+		return 0, err
+	}
+	c.underDecoded.Write(buf[:n])
+	underDecoded := c.underDecoded.Bytes()
+	decoded, length, err := c.Decode(underDecoded)
+	if err != nil {
+		c.underDecoded.Reset()
+		return 0, nil
+	}
+	if length == 0 {
+		return 0, nil
+	}
+	c.underDecoded.Next(length)
+	n = copy(b, decoded)
+	if len(decoded) > len(b) {
+		c.buf = decoded
+		c.offset = n
+	}
+	return n, nil
+}
+
+func (c *Conn) Write(b []byte) (int, error) {
+	encoded, err := c.Encode(b)
+	if err != nil {
+		return 0, err
+	}
+	_, err = c.Conn.Write(encoded)
+	if err != nil {
+		return 0, err
+	}
+	return len(b), nil
+}

component/ssr/tools/encrypt.go

@@ -0,0 +1,33 @@
+package tools
+
+import (
+	"crypto/hmac"
+	"crypto/md5"
+	"crypto/sha1"
+)
+
+const HmacSHA1Len = 10
+
+func HmacMD5(key, data []byte) []byte {
+	hmacMD5 := hmac.New(md5.New, key)
+	hmacMD5.Write(data)
+	return hmacMD5.Sum(nil)[:16]
+}
+
+func HmacSHA1(key, data []byte) []byte {
+	hmacSHA1 := hmac.New(sha1.New, key)
+	hmacSHA1.Write(data)
+	return hmacSHA1.Sum(nil)[:20]
+}
+
+func MD5Sum(b []byte) []byte {
+	h := md5.New()
+	h.Write(b)
+	return h.Sum(nil)
+}
+
+func SHA1Sum(b []byte) []byte {
+	h := sha1.New()
+	h.Write(b)
+	return h.Sum(nil)
+}

config/config.go

@@ -62,6 +62,7 @@ type DNS struct {
 	EnhancedMode      dns.EnhancedMode `yaml:"enhanced-mode"`
 	DefaultNameserver []dns.NameServer `yaml:"default-nameserver"`
 	FakeIPRange       *fakeip.Pool
+	Hosts             *trie.DomainTrie
 }
 
 // FallbackFilter config
@@ -88,6 +89,7 @@ type Config struct {
 type RawDNS struct {
 	Enable            bool              `yaml:"enable"`
 	IPv6              bool              `yaml:"ipv6"`
+	UseHosts          bool              `yaml:"use-hosts"`
 	NameServer        []string          `yaml:"nameserver"`
 	Fallback          []string          `yaml:"fallback"`
 	FallbackFilter    RawFallbackFilter `yaml:"fallback-filter"`
@@ -152,6 +154,7 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 		ProxyGroup:     []map[string]interface{}{},
 		DNS: RawDNS{
 			Enable:      false,
+			UseHosts:    true,
 			FakeIPRange: "198.18.0.1/16",
 			FallbackFilter: RawFallbackFilter{
 				GeoIP:  true,
@@ -195,18 +198,18 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	}
 	config.Rules = rules
 
-	dnsCfg, err := parseDNS(rawCfg.DNS)
-	if err != nil {
-		return nil, err
-	}
-	config.DNS = dnsCfg
-
 	hosts, err := parseHosts(rawCfg)
 	if err != nil {
 		return nil, err
 	}
 	config.Hosts = hosts
 
+	dnsCfg, err := parseDNS(rawCfg.DNS, hosts)
+	if err != nil {
+		return nil, err
+	}
+	config.DNS = dnsCfg
+
 	config.Users = parseAuthentication(rawCfg.Authentication)
 
 	return config, nil
@@ -382,6 +385,10 @@ func parseRules(cfg *RawConfig, proxies map[string]C.Proxy) ([]C.Rule, error) {
 
 		parsed, parseErr := R.ParseRule(rule[0], payload, target, params)
 		if parseErr != nil {
+			if parseErr == R.ErrPlatformNotSupport {
+				log.Warnln("Rules[%d] [%s] don't support current OS, skip", idx, line)
+				continue
+			}
 			return nil, fmt.Errorf("Rules[%d] [%s] error: %s", idx, line, parseErr.Error())
 		}
 
@@ -490,7 +497,7 @@ func parseFallbackIPCIDR(ips []string) ([]*net.IPNet, error) {
 	return ipNets, nil
 }
 
-func parseDNS(cfg RawDNS) (*DNS, error) {
+func parseDNS(cfg RawDNS, hosts *trie.DomainTrie) (*DNS, error) {
 	if cfg.Enable && len(cfg.NameServer) == 0 {
 		return nil, fmt.Errorf("If DNS configuration is turned on, NameServer cannot be empty")
 	}
@@ -555,6 +562,10 @@ func parseDNS(cfg RawDNS) (*DNS, error) {
 		dnsCfg.FallbackFilter.IPCIDR = fallbackip
 	}
 
+	if cfg.UseHosts {
+		dnsCfg.Hosts = hosts
+	}
+
 	return dnsCfg, nil
 }
 

constant/adapters.go

@@ -13,6 +13,7 @@ const (
 	Reject
 
 	Shadowsocks
+	ShadowsocksR
 	Snell
 	Socks5
 	Http
@@ -100,6 +101,8 @@ func (at AdapterType) String() string {
 
 	case Shadowsocks:
 		return "Shadowsocks"
+	case ShadowsocksR:
+		return "ShadowsocksR"
 	case Snell:
 		return "Snell"
 	case Socks5:

constant/rule.go

@@ -10,6 +10,7 @@ const (
 	SrcIPCIDR
 	SrcPort
 	DstPort
+	Process
 	MATCH
 )
 
@@ -33,6 +34,8 @@ func (rt RuleType) String() string {
 		return "SrcPort"
 	case DstPort:
 		return "DstPort"
+	case Process:
+		return "Process"
 	case MATCH:
 		return "Match"
 	default:
@@ -45,5 +48,5 @@ type Rule interface {
 	Match(metadata *Metadata) bool
 	Adapter() string
 	Payload() string
-	NoResolveIP() bool
+	ShouldResolveIP() bool
 }

dns/middleware.go

@@ -1,9 +1,11 @@
 package dns
 
 import (
+	"net"
 	"strings"
 
 	"github.com/Dreamacro/clash/component/fakeip"
+	"github.com/Dreamacro/clash/component/trie"
 	"github.com/Dreamacro/clash/log"
 
 	D "github.com/miekg/dns"
@@ -12,6 +14,52 @@ import (
 type handler func(w D.ResponseWriter, r *D.Msg)
 type middleware func(next handler) handler
 
+func withHosts(hosts *trie.DomainTrie) middleware {
+	return func(next handler) handler {
+		return func(w D.ResponseWriter, r *D.Msg) {
+			q := r.Question[0]
+
+			if !isIPRequest(q) {
+				next(w, r)
+				return
+			}
+
+			record := hosts.Search(strings.TrimRight(q.Name, "."))
+			if record == nil {
+				next(w, r)
+				return
+			}
+
+			ip := record.Data.(net.IP)
+			msg := r.Copy()
+
+			if v4 := ip.To4(); v4 != nil && q.Qtype == D.TypeA {
+				rr := &D.A{}
+				rr.Hdr = D.RR_Header{Name: q.Name, Rrtype: D.TypeA, Class: D.ClassINET, Ttl: dnsDefaultTTL}
+				rr.A = v4
+
+				msg.Answer = []D.RR{rr}
+			} else if v6 := ip.To16(); v6 != nil && q.Qtype == D.TypeAAAA {
+				rr := &D.AAAA{}
+				rr.Hdr = D.RR_Header{Name: q.Name, Rrtype: D.TypeAAAA, Class: D.ClassINET, Ttl: dnsDefaultTTL}
+				rr.AAAA = v6
+
+				msg.Answer = []D.RR{rr}
+			} else {
+				next(w, r)
+				return
+			}
+
+			msg.SetRcode(r, D.RcodeSuccess)
+			msg.Authoritative = true
+			msg.RecursionAvailable = true
+
+			w.WriteMsg(msg)
+			return
+		}
+	}
+}
+
 func withFakeIP(fakePool *fakeip.Pool) middleware {
 	return func(next handler) handler {
 		return func(w D.ResponseWriter, r *D.Msg) {
@@ -100,6 +148,10 @@ func compose(middlewares []middleware, endpoint handler) handler {
 func newHandler(resolver *Resolver) handler {
 	middlewares := []middleware{}
 
+	if resolver.hosts != nil {
+		middlewares = append(middlewares, withHosts(resolver.hosts))
+	}
+
 	if resolver.FakeIPEnabled() {
 		middlewares = append(middlewares, withFakeIP(resolver.pool))
 	}

dns/resolver.go

@@ -14,6 +14,7 @@ import (
 	"github.com/Dreamacro/clash/common/picker"
 	"github.com/Dreamacro/clash/component/fakeip"
 	"github.com/Dreamacro/clash/component/resolver"
+	"github.com/Dreamacro/clash/component/trie"
 
 	D "github.com/miekg/dns"
 	"golang.org/x/sync/singleflight"
@@ -37,6 +38,7 @@ type Resolver struct {
 	ipv6            bool
 	mapping         bool
 	fakeip          bool
+	hosts           *trie.DomainTrie
 	pool            *fakeip.Pool
 	main            []dnsClient
 	fallback        []dnsClient
@@ -115,11 +117,14 @@ func (r *Resolver) Exchange(m *D.Msg) (msg *D.Msg, err error) {
 func (r *Resolver) exchangeWithoutCache(m *D.Msg) (msg *D.Msg, err error) {
 	q := m.Question[0]
 
+	ret, err, shared := r.group.Do(q.String(), func() (result interface{}, err error) {
 		defer func() {
-		if msg == nil {
+			if err != nil {
 				return
 			}
 
+			msg := result.(*D.Msg)
+
 			putMsgToCache(r.lruCache, q.String(), msg)
 			if r.mapping || r.fakeip {
 				ips := r.msgToIP(msg)
@@ -129,7 +134,6 @@ func (r *Resolver) exchangeWithoutCache(m *D.Msg) (msg *D.Msg, err error) {
 			}
 		}()
 
-	ret, err, shared := r.group.Do(q.String(), func() (interface{}, error) {
 		isIPReq := isIPRequest(q)
 		if isIPReq {
 			return r.fallbackExchange(m)
@@ -306,6 +310,7 @@ type Config struct {
 	EnhancedMode   EnhancedMode
 	FallbackFilter FallbackFilter
 	Pool           *fakeip.Pool
+	Hosts          *trie.DomainTrie
 }
 
 func New(config Config) *Resolver {
@@ -321,6 +326,7 @@ func New(config Config) *Resolver {
 		mapping:  config.EnhancedMode == MAPPING,
 		fakeip:   config.EnhancedMode == FAKEIP,
 		pool:     config.Pool,
+		hosts:    config.Hosts,
 	}
 
 	if len(config.Fallback) != 0 {

go.mod

@@ -3,7 +3,7 @@ module github.com/Dreamacro/clash
 go 1.14
 
 require (
-	github.com/Dreamacro/go-shadowsocks2 v0.1.5
+	github.com/Dreamacro/go-shadowsocks2 v0.1.6-0.20200722122336-8e5c7db4f96a
 	github.com/eapache/queue v1.1.0 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible
 	github.com/go-chi/cors v1.1.1
@@ -17,6 +17,7 @@ require (
 	golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9
 	golang.org/x/net v0.0.0-20200602114024-627f9648deb9
 	golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a
+	golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd
 	gopkg.in/eapache/channels.v1 v1.1.0
 	gopkg.in/yaml.v2 v2.3.0
 )

go.sum

@@ -1,5 +1,5 @@
-github.com/Dreamacro/go-shadowsocks2 v0.1.5 h1:BizWSjmwzAyQoslz6YhJYMiAGT99j9cnm9zlxVr+kyI=
-github.com/Dreamacro/go-shadowsocks2 v0.1.5/go.mod h1:LSXCjyHesPY3pLjhwff1mQX72ItcBT/N2xNC685cYeU=
+github.com/Dreamacro/go-shadowsocks2 v0.1.6-0.20200722122336-8e5c7db4f96a h1:JhQFrFOkCpRB8qsN6PrzHFzjy/8iQpFFk5cbOiplh6s=
+github.com/Dreamacro/go-shadowsocks2 v0.1.6-0.20200722122336-8e5c7db4f96a/go.mod h1:LSXCjyHesPY3pLjhwff1mQX72ItcBT/N2xNC685cYeU=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

hub/executor/executor.go

@@ -113,6 +113,7 @@ func updateDNS(c *config.DNS) {
 		IPv6:         c.IPv6,
 		EnhancedMode: c.EnhancedMode,
 		Pool:         c.FakeIPRange,
+		Hosts:        c.Hosts,
 		FallbackFilter: dns.FallbackFilter{
 			GeoIP:  c.FallbackFilter.GeoIP,
 			IPCIDR: c.FallbackFilter.IPCIDR,

hub/route/connections.go

@@ -63,6 +63,7 @@ func getConnections(w http.ResponseWriter, r *http.Request) {
 	}
 
 	tick := time.NewTicker(time.Millisecond * time.Duration(interval))
+	defer tick.Stop()
 	for range tick.C {
 		if err := sendSnapshot(); err != nil {
 			break

hub/route/server.go

@@ -142,6 +142,7 @@ func traffic(w http.ResponseWriter, r *http.Request) {
 	}
 
 	tick := time.NewTicker(time.Second)
+	defer tick.Stop()
 	t := T.DefaultManager
 	buf := &bytes.Buffer{}
 	var err error

rules/base.go

@@ -7,6 +7,8 @@ import (
 var (
 	errPayload            = errors.New("payload error")
 	errParams             = errors.New("params error")
+	ErrPlatformNotSupport = errors.New("not support on this platform")
+	ErrInvalidNetwork     = errors.New("invalid network")
 
 	noResolve = "no-resolve"
 )

rules/domain.go

@@ -30,8 +30,8 @@ func (d *Domain) Payload() string {
 	return d.domain
 }
 
-func (d *Domain) NoResolveIP() bool {
-	return true
+func (d *Domain) ShouldResolveIP() bool {
+	return false
 }
 
 func NewDomain(domain string, adapter string) *Domain {

rules/domain_keyword.go

@@ -31,8 +31,8 @@ func (dk *DomainKeyword) Payload() string {
 	return dk.keyword
 }
 
-func (dk *DomainKeyword) NoResolveIP() bool {
-	return true
+func (dk *DomainKeyword) ShouldResolveIP() bool {
+	return false
 }
 
 func NewDomainKeyword(keyword string, adapter string) *DomainKeyword {

rules/domain_suffix.go

@@ -31,8 +31,8 @@ func (ds *DomainSuffix) Payload() string {
 	return ds.suffix
 }
 
-func (ds *DomainSuffix) NoResolveIP() bool {
-	return true
+func (ds *DomainSuffix) ShouldResolveIP() bool {
+	return false
 }
 
 func NewDomainSuffix(suffix string, adapter string) *DomainSuffix {

rules/final.go

@@ -24,8 +24,8 @@ func (f *Match) Payload() string {
 	return ""
 }
 
-func (f *Match) NoResolveIP() bool {
-	return true
+func (f *Match) ShouldResolveIP() bool {
+	return false
 }
 
 func NewMatch(adapter string) *Match {

rules/geoip.go

@@ -32,8 +32,8 @@ func (g *GEOIP) Payload() string {
 	return g.country
 }
 
-func (g *GEOIP) NoResolveIP() bool {
-	return g.noResolveIP
+func (g *GEOIP) ShouldResolveIP() bool {
+	return !g.noResolveIP
 }
 
 func NewGEOIP(country string, adapter string, noResolveIP bool) *GEOIP {

rules/ipcidr.go

@@ -50,8 +50,8 @@ func (i *IPCIDR) Payload() string {
 	return i.ipnet.String()
 }
 
-func (i *IPCIDR) NoResolveIP() bool {
-	return i.noResolveIP
+func (i *IPCIDR) ShouldResolveIP() bool {
+	return !i.noResolveIP
 }
 
 func NewIPCIDR(s string, adapter string, opts ...IPCIDROption) (*IPCIDR, error) {

rules/parser.go

@@ -31,6 +31,8 @@ func ParseRule(tp, payload, target string, params []string) (C.Rule, error) {
 		parsed, parseErr = NewPort(payload, target, true)
 	case "DST-PORT":
 		parsed, parseErr = NewPort(payload, target, false)
+	case "PROCESS-NAME":
+		parsed, parseErr = NewProcess(payload, target)
 	case "MATCH":
 		parsed = NewMatch(target)
 	default:

rules/port.go

@@ -34,8 +34,8 @@ func (p *Port) Payload() string {
 	return p.port
 }
 
-func (p *Port) NoResolveIP() bool {
-	return true
+func (p *Port) ShouldResolveIP() bool {
+	return false
 }
 
 func NewPort(port string, adapter string, isSource bool) (*Port, error) {

rules/process_darwin.go

@@ -0,0 +1,169 @@
+package rules
+
+import (
+	"bytes"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"net"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"syscall"
+	"unsafe"
+
+	"github.com/Dreamacro/clash/common/cache"
+	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/log"
+)
+
+// store process name for when dealing with multiple PROCESS-NAME rules
+var processCache = cache.NewLRUCache(cache.WithAge(2), cache.WithSize(64))
+
+type Process struct {
+	adapter string
+	process string
+}
+
+func (ps *Process) RuleType() C.RuleType {
+	return C.Process
+}
+
+func (ps *Process) Match(metadata *C.Metadata) bool {
+	key := fmt.Sprintf("%s:%s:%s", metadata.NetWork.String(), metadata.SrcIP.String(), metadata.SrcPort)
+	cached, hit := processCache.Get(key)
+	if !hit {
+		name, err := getExecPathFromAddress(metadata)
+		if err != nil {
+			log.Debugln("[%s] getExecPathFromAddress error: %s", C.Process.String(), err.Error())
+		}
+
+		processCache.Set(key, name)
+
+		cached = name
+	}
+
+	return strings.EqualFold(cached.(string), ps.process)
+}
+
+func (p *Process) Adapter() string {
+	return p.adapter
+}
+
+func (p *Process) Payload() string {
+	return p.process
+}
+
+func (p *Process) ShouldResolveIP() bool {
+	return false
+}
+
+func NewProcess(process string, adapter string) (*Process, error) {
+	return &Process{
+		adapter: adapter,
+		process: process,
+	}, nil
+}
+
+const (
+	procpidpathinfo     = 0xb
+	procpidpathinfosize = 1024
+	proccallnumpidinfo  = 0x2
+)
+
+func getExecPathFromPID(pid uint32) (string, error) {
+	buf := make([]byte, procpidpathinfosize)
+	_, _, errno := syscall.Syscall6(
+		syscall.SYS_PROC_INFO,
+		proccallnumpidinfo,
+		uintptr(pid),
+		procpidpathinfo,
+		0,
+		uintptr(unsafe.Pointer(&buf[0])),
+		procpidpathinfosize)
+	if errno != 0 {
+		return "", errno
+	}
+	firstZero := bytes.IndexByte(buf, 0)
+	if firstZero <= 0 {
+		return "", nil
+	}
+
+	return filepath.Base(string(buf[:firstZero])), nil
+}
+
+func getExecPathFromAddress(metadata *C.Metadata) (string, error) {
+	ip := metadata.SrcIP
+	port, err := strconv.Atoi(metadata.SrcPort)
+	if err != nil {
+		return "", err
+	}
+
+	var spath string
+	switch metadata.NetWork {
+	case C.TCP:
+		spath = "net.inet.tcp.pcblist_n"
+	case C.UDP:
+		spath = "net.inet.udp.pcblist_n"
+	default:
+		return "", ErrInvalidNetwork
+	}
+
+	isIPv4 := ip.To4() != nil
+
+	value, err := syscall.Sysctl(spath)
+	if err != nil {
+		return "", err
+	}
+
+	buf := []byte(value)
+
+	// from darwin-xnu/bsd/netinet/in_pcblist.c:get_pcblist_n
+	// size/offset are round up (aligned) to 8 bytes in darwin
+	// rup8(sizeof(xinpcb_n)) + rup8(sizeof(xsocket_n)) +
+	// 2 * rup8(sizeof(xsockbuf_n)) + rup8(sizeof(xsockstat_n))
+	itemSize := 384
+	if metadata.NetWork == C.TCP {
+		// rup8(sizeof(xtcpcb_n))
+		itemSize += 208
+	}
+	// skip the first and last xinpgen(24 bytes) block
+	for i := 24; i < len(buf)-24; i += itemSize {
+		// offset of xinpcb_n and xsocket_n
+		inp, so := i, i+104
+
+		srcPort := binary.BigEndian.Uint16(buf[inp+18 : inp+20])
+		if uint16(port) != srcPort {
+			continue
+		}
+
+		// xinpcb_n.inp_vflag
+		flag := buf[inp+44]
+
+		var srcIP net.IP
+		switch {
+		case flag&0x1 > 0 && isIPv4:
+			// ipv4
+			srcIP = net.IP(buf[inp+76 : inp+80])
+		case flag&0x2 > 0 && !isIPv4:
+			// ipv6
+			srcIP = net.IP(buf[inp+64 : inp+80])
+		default:
+			continue
+		}
+
+		if !ip.Equal(srcIP) {
+			continue
+		}
+
+		// xsocket_n.so_last_pid
+		pid := readNativeUint32(buf[so+68 : so+72])
+		return getExecPathFromPID(pid)
+	}
+
+	return "", errors.New("process not found")
+}
+
+func readNativeUint32(b []byte) uint32 {
+	return *(*uint32)(unsafe.Pointer(&b[0]))
+}

rules/process_freebsd_amd64.go

@@ -0,0 +1,187 @@
+package rules
+
+import (
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"net"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"syscall"
+	"unsafe"
+
+	"github.com/Dreamacro/clash/common/cache"
+	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/log"
+)
+
+// store process name for when dealing with multiple PROCESS-NAME rules
+var processCache = cache.NewLRUCache(cache.WithAge(2), cache.WithSize(64))
+
+type Process struct {
+	adapter string
+	process string
+}
+
+func (ps *Process) RuleType() C.RuleType {
+	return C.Process
+}
+
+func (ps *Process) Match(metadata *C.Metadata) bool {
+	key := fmt.Sprintf("%s:%s:%s", metadata.NetWork.String(), metadata.SrcIP.String(), metadata.SrcPort)
+	cached, hit := processCache.Get(key)
+	if !hit {
+		name, err := getExecPathFromAddress(metadata)
+		if err != nil {
+			log.Debugln("[%s] getExecPathFromAddress error: %s", C.Process.String(), err.Error())
+		}
+
+		processCache.Set(key, name)
+
+		cached = name
+	}
+
+	return strings.EqualFold(cached.(string), ps.process)
+}
+
+func (p *Process) Adapter() string {
+	return p.adapter
+}
+
+func (p *Process) Payload() string {
+	return p.process
+}
+
+func (p *Process) ShouldResolveIP() bool {
+	return false
+}
+
+func NewProcess(process string, adapter string) (*Process, error) {
+	return &Process{
+		adapter: adapter,
+		process: process,
+	}, nil
+}
+
+func getExecPathFromPID(pid uint32) (string, error) {
+	buf := make([]byte, 2048)
+	size := uint64(len(buf))
+	// CTL_KERN, KERN_PROC, KERN_PROC_PATHNAME, pid
+	mib := [4]uint32{1, 14, 12, pid}
+
+	_, _, errno := syscall.Syscall6(
+		syscall.SYS___SYSCTL,
+		uintptr(unsafe.Pointer(&mib[0])),
+		uintptr(len(mib)),
+		uintptr(unsafe.Pointer(&buf[0])),
+		uintptr(unsafe.Pointer(&size)),
+		0,
+		0)
+	if errno != 0 || size == 0 {
+		return "", errno
+	}
+
+	return filepath.Base(string(buf[:size-1])), nil
+}
+
+func searchSocketPid(socket uint64) (uint32, error) {
+	value, err := syscall.Sysctl("kern.file")
+	if err != nil {
+		return 0, err
+	}
+
+	buf := []byte(value)
+
+	// struct xfile
+	itemSize := 128
+	for i := 0; i < len(buf); i += itemSize {
+		// xfile.xf_data
+		data := binary.BigEndian.Uint64(buf[i+56 : i+64])
+		if data == socket {
+			// xfile.xf_pid
+			pid := readNativeUint32(buf[i+8 : i+12])
+			return pid, nil
+		}
+	}
+	return 0, errors.New("pid not found")
+}
+
+func getExecPathFromAddress(metadata *C.Metadata) (string, error) {
+	ip := metadata.SrcIP
+	port, err := strconv.Atoi(metadata.SrcPort)
+	if err != nil {
+		return "", err
+	}
+
+	var spath string
+	var itemSize int
+	var inpOffset int
+	switch metadata.NetWork {
+	case C.TCP:
+		spath = "net.inet.tcp.pcblist"
+		// struct xtcpcb
+		itemSize = 744
+		inpOffset = 8
+	case C.UDP:
+		spath = "net.inet.udp.pcblist"
+		// struct xinpcb
+		itemSize = 400
+		inpOffset = 0
+	default:
+		return "", ErrInvalidNetwork
+	}
+
+	isIPv4 := ip.To4() != nil
+
+	value, err := syscall.Sysctl(spath)
+	if err != nil {
+		return "", err
+	}
+
+	buf := []byte(value)
+
+	// skip the first and last xinpgen(64 bytes) block
+	for i := 64; i < len(buf)-64; i += itemSize {
+		inp := i + inpOffset
+
+		srcPort := binary.BigEndian.Uint16(buf[inp+254 : inp+256])
+
+		if uint16(port) != srcPort {
+			continue
+		}
+
+		// xinpcb.inp_vflag
+		flag := buf[inp+392]
+
+		var srcIP net.IP
+		switch {
+		case flag&0x1 > 0 && isIPv4:
+			// ipv4
+			srcIP = net.IP(buf[inp+284 : inp+288])
+		case flag&0x2 > 0 && !isIPv4:
+			// ipv6
+			srcIP = net.IP(buf[inp+272 : inp+288])
+		default:
+			continue
+		}
+
+		if !ip.Equal(srcIP) {
+			continue
+		}
+
+		// xsocket.xso_so, interpreted as big endian anyway since it's only used for comparison
+		socket := binary.BigEndian.Uint64(buf[inp+16 : inp+24])
+		pid, err := searchSocketPid(socket)
+		if err != nil {
+			return "", err
+		}
+		return getExecPathFromPID(pid)
+	}
+
+	return "", errors.New("process not found")
+}
+
+func readNativeUint32(b []byte) uint32 {
+	return *(*uint32)(unsafe.Pointer(&b[0]))
+}

rules/process_linux.go

@@ -0,0 +1,295 @@
+package rules
+
+import (
+	"bytes"
+	"encoding/binary"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net"
+	"path"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"syscall"
+	"unsafe"
+
+	"github.com/Dreamacro/clash/common/cache"
+	"github.com/Dreamacro/clash/common/pool"
+	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/log"
+)
+
+// from https://github.com/vishvananda/netlink/blob/bca67dfc8220b44ef582c9da4e9172bf1c9ec973/nl/nl_linux.go#L52-L62
+func init() {
+	var x uint32 = 0x01020304
+	if *(*byte)(unsafe.Pointer(&x)) == 0x01 {
+		nativeEndian = binary.BigEndian
+	} else {
+		nativeEndian = binary.LittleEndian
+	}
+}
+
+type SocketResolver func(metadata *C.Metadata) (inode, uid int, err error)
+type ProcessNameResolver func(inode, uid int) (name string, err error)
+
+// export for android
+var (
+	DefaultSocketResolver      SocketResolver      = resolveSocketByNetlink
+	DefaultProcessNameResolver ProcessNameResolver = resolveProcessNameByProcSearch
+)
+
+type Process struct {
+	adapter string
+	process string
+}
+
+func (p *Process) RuleType() C.RuleType {
+	return C.Process
+}
+
+func (p *Process) Match(metadata *C.Metadata) bool {
+	key := fmt.Sprintf("%s:%s:%s", metadata.NetWork.String(), metadata.SrcIP.String(), metadata.SrcPort)
+	cached, hit := processCache.Get(key)
+	if !hit {
+		processName, err := resolveProcessName(metadata)
+		if err != nil {
+			log.Debugln("[%s] Resolve process of %s failure: %s", C.Process.String(), key, err.Error())
+		}
+
+		processCache.Set(key, processName)
+
+		cached = processName
+	}
+
+	return strings.EqualFold(cached.(string), p.process)
+}
+
+func (p *Process) Adapter() string {
+	return p.adapter
+}
+
+func (p *Process) Payload() string {
+	return p.process
+}
+
+func (p *Process) ShouldResolveIP() bool {
+	return false
+}
+
+func NewProcess(process string, adapter string) (*Process, error) {
+	return &Process{
+		adapter: adapter,
+		process: process,
+	}, nil
+}
+
+const (
+	sizeOfSocketDiagRequest = syscall.SizeofNlMsghdr + 8 + 48
+	socketDiagByFamily      = 20
+	pathProc                = "/proc"
+)
+
+var nativeEndian binary.ByteOrder = binary.LittleEndian
+
+var processCache = cache.NewLRUCache(cache.WithAge(2), cache.WithSize(64))
+
+func resolveProcessName(metadata *C.Metadata) (string, error) {
+	inode, uid, err := DefaultSocketResolver(metadata)
+	if err != nil {
+		return "", err
+	}
+
+	return DefaultProcessNameResolver(inode, uid)
+}
+
+func resolveSocketByNetlink(metadata *C.Metadata) (int, int, error) {
+	var family byte
+	var protocol byte
+
+	switch metadata.NetWork {
+	case C.TCP:
+		protocol = syscall.IPPROTO_TCP
+	case C.UDP:
+		protocol = syscall.IPPROTO_UDP
+	default:
+		return 0, 0, ErrInvalidNetwork
+	}
+
+	if metadata.SrcIP.To4() != nil {
+		family = syscall.AF_INET
+	} else {
+		family = syscall.AF_INET6
+	}
+
+	srcPort, err := strconv.Atoi(metadata.SrcPort)
+	if err != nil {
+		return 0, 0, err
+	}
+
+	req := packSocketDiagRequest(family, protocol, metadata.SrcIP, uint16(srcPort))
+
+	socket, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_DGRAM, syscall.NETLINK_INET_DIAG)
+	if err != nil {
+		return 0, 0, err
+	}
+	defer syscall.Close(socket)
+
+	syscall.SetNonblock(socket, true)
+	syscall.SetsockoptTimeval(socket, syscall.SOL_SOCKET, syscall.SO_SNDTIMEO, &syscall.Timeval{Usec: 50})
+	syscall.SetsockoptTimeval(socket, syscall.SOL_SOCKET, syscall.SO_RCVTIMEO, &syscall.Timeval{Usec: 50})
+
+	if err := syscall.Connect(socket, &syscall.SockaddrNetlink{
+		Family: syscall.AF_NETLINK,
+		Pad:    0,
+		Pid:    0,
+		Groups: 0,
+	}); err != nil {
+		return 0, 0, err
+	}
+
+	if _, err := syscall.Write(socket, req); err != nil {
+		return 0, 0, err
+	}
+
+	rb := pool.Get(pool.RelayBufferSize)
+	defer pool.Put(rb)
+
+	n, err := syscall.Read(socket, rb)
+	if err != nil {
+		return 0, 0, err
+	}
+
+	messages, err := syscall.ParseNetlinkMessage(rb[:n])
+	if err != nil {
+		return 0, 0, err
+	} else if len(messages) == 0 {
+		return 0, 0, io.ErrUnexpectedEOF
+	}
+
+	message := messages[0]
+	if message.Header.Type&syscall.NLMSG_ERROR != 0 {
+		return 0, 0, syscall.ESRCH
+	}
+
+	uid, inode := unpackSocketDiagResponse(&messages[0])
+
+	return int(uid), int(inode), nil
+}
+
+func packSocketDiagRequest(family, protocol byte, source net.IP, sourcePort uint16) []byte {
+	s := make([]byte, 16)
+
+	if v4 := source.To4(); v4 != nil {
+		copy(s, v4)
+	} else {
+		copy(s, source)
+	}
+
+	buf := make([]byte, sizeOfSocketDiagRequest)
+
+	nativeEndian.PutUint32(buf[0:4], sizeOfSocketDiagRequest)
+	nativeEndian.PutUint16(buf[4:6], socketDiagByFamily)
+	nativeEndian.PutUint16(buf[6:8], syscall.NLM_F_REQUEST|syscall.NLM_F_DUMP)
+	nativeEndian.PutUint32(buf[8:12], 0)
+	nativeEndian.PutUint32(buf[12:16], 0)
+
+	buf[16] = family
+	buf[17] = protocol
+	buf[18] = 0
+	buf[19] = 0
+	nativeEndian.PutUint32(buf[20:24], 0xFFFFFFFF)
+
+	binary.BigEndian.PutUint16(buf[24:26], sourcePort)
+	binary.BigEndian.PutUint16(buf[26:28], 0)
+
+	copy(buf[28:44], s)
+	copy(buf[44:60], net.IPv6zero)
+
+	nativeEndian.PutUint32(buf[60:64], 0)
+	nativeEndian.PutUint64(buf[64:72], 0xFFFFFFFFFFFFFFFF)
+
+	return buf
+}
+
+func unpackSocketDiagResponse(msg *syscall.NetlinkMessage) (inode, uid uint32) {
+	if len(msg.Data) < 72 {
+		return 0, 0
+	}
+
+	data := msg.Data
+
+	uid = nativeEndian.Uint32(data[64:68])
+	inode = nativeEndian.Uint32(data[68:72])
+
+	return
+}
+
+func resolveProcessNameByProcSearch(inode, uid int) (string, error) {
+	files, err := ioutil.ReadDir(pathProc)
+	if err != nil {
+		return "", err
+	}
+
+	buffer := make([]byte, syscall.PathMax)
+	socket := []byte(fmt.Sprintf("socket:[%d]", inode))
+
+	for _, f := range files {
+		if !f.IsDir() || !isPid(f.Name()) {
+			continue
+		}
+
+		if f.Sys().(*syscall.Stat_t).Uid != uint32(uid) {
+			continue
+		}
+
+		processPath := path.Join(pathProc, f.Name())
+		fdPath := path.Join(processPath, "fd")
+
+		fds, err := ioutil.ReadDir(fdPath)
+		if err != nil {
+			continue
+		}
+
+		for _, fd := range fds {
+			n, err := syscall.Readlink(path.Join(fdPath, fd.Name()), buffer)
+			if err != nil {
+				continue
+			}
+
+			if bytes.Compare(buffer[:n], socket) == 0 {
+				cmdline, err := ioutil.ReadFile(path.Join(processPath, "cmdline"))
+				if err != nil {
+					return "", err
+				}
+
+				return splitCmdline(cmdline), nil
+			}
+		}
+	}
+
+	return "", syscall.ESRCH
+}
+
+func splitCmdline(cmdline []byte) string {
+	indexOfEndOfString := len(cmdline)
+
+	for i, c := range cmdline {
+		if c == 0 {
+			indexOfEndOfString = i
+			break
+		}
+	}
+
+	return filepath.Base(string(cmdline[:indexOfEndOfString]))
+}
+
+func isPid(s string) bool {
+	for _, s := range s {
+		if s < '0' || s > '9' {
+			return false
+		}
+	}
+
+	return true
+}

rules/process_other.go

@@ -0,0 +1,12 @@
+// +build !darwin,!linux,!windows
+// +build !freebsd !amd64
+
+package rules
+
+import (
+	C "github.com/Dreamacro/clash/constant"
+)
+
+func NewProcess(process string, adapter string) (C.Rule, error) {
+	return nil, ErrPlatformNotSupport
+}

rules/process_windows.go

@@ -0,0 +1,286 @@
+package rules
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"sync"
+	"syscall"
+	"unsafe"
+
+	"github.com/Dreamacro/clash/common/cache"
+	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/log"
+
+	"golang.org/x/sys/windows"
+)
+
+const (
+	tcpTableFunc      = "GetExtendedTcpTable"
+	tcpTablePidConn   = 4
+	udpTableFunc      = "GetExtendedUdpTable"
+	udpTablePid       = 1
+	queryProcNameFunc = "QueryFullProcessImageNameW"
+)
+
+var (
+	processCache = cache.NewLRUCache(cache.WithAge(2), cache.WithSize(64))
+	errNotFound  = errors.New("process not found")
+	matchMeta    = func(p *Process, m *C.Metadata) bool { return false }
+
+	getExTcpTable uintptr
+	getExUdpTable uintptr
+	queryProcName uintptr
+
+	once sync.Once
+)
+
+func initWin32API() error {
+	h, err := windows.LoadLibrary("iphlpapi.dll")
+	if err != nil {
+		return fmt.Errorf("LoadLibrary iphlpapi.dll failed: %s", err.Error())
+	}
+
+	getExTcpTable, err = windows.GetProcAddress(h, tcpTableFunc)
+	if err != nil {
+		return fmt.Errorf("GetProcAddress of %s failed: %s", tcpTableFunc, err.Error())
+	}
+
+	getExUdpTable, err = windows.GetProcAddress(h, udpTableFunc)
+	if err != nil {
+		return fmt.Errorf("GetProcAddress of %s failed: %s", udpTableFunc, err.Error())
+	}
+
+	h, err = windows.LoadLibrary("kernel32.dll")
+	if err != nil {
+		return fmt.Errorf("LoadLibrary kernel32.dll failed: %s", err.Error())
+	}
+
+	queryProcName, err = windows.GetProcAddress(h, queryProcNameFunc)
+	if err != nil {
+		return fmt.Errorf("GetProcAddress of %s failed: %s", queryProcNameFunc, err.Error())
+	}
+
+	return nil
+}
+
+type Process struct {
+	adapter string
+	process string
+}
+
+func (p *Process) RuleType() C.RuleType {
+	return C.Process
+}
+
+func (p *Process) Adapter() string {
+	return p.adapter
+}
+
+func (p *Process) Payload() string {
+	return p.process
+}
+
+func (p *Process) ShouldResolveIP() bool {
+	return false
+}
+
+func match(p *Process, metadata *C.Metadata) bool {
+	key := fmt.Sprintf("%s:%s:%s", metadata.NetWork.String(), metadata.SrcIP.String(), metadata.SrcPort)
+	cached, hit := processCache.Get(key)
+	if !hit {
+		processName, err := resolveProcessName(metadata)
+		if err != nil {
+			log.Debugln("[%s] Resolve process of %s failed: %s", C.Process.String(), key, err.Error())
+		}
+
+		processCache.Set(key, processName)
+		cached = processName
+	}
+	return strings.EqualFold(cached.(string), p.process)
+}
+
+func (p *Process) Match(metadata *C.Metadata) bool {
+	return matchMeta(p, metadata)
+}
+
+func NewProcess(process string, adapter string) (*Process, error) {
+	once.Do(func() {
+		err := initWin32API()
+		if err != nil {
+			log.Errorln("Initialize PROCESS-NAME failed: %s", err.Error())
+			log.Warnln("All PROCESS-NAMES rules will be skiped")
+			return
+		}
+		matchMeta = match
+	})
+	return &Process{
+		adapter: adapter,
+		process: process,
+	}, nil
+}
+
+func resolveProcessName(metadata *C.Metadata) (string, error) {
+	ip := metadata.SrcIP
+	family := windows.AF_INET
+	if ip.To4() == nil {
+		family = windows.AF_INET6
+	}
+
+	var class int
+	var fn uintptr
+	switch metadata.NetWork {
+	case C.TCP:
+		fn = getExTcpTable
+		class = tcpTablePidConn
+	case C.UDP:
+		fn = getExUdpTable
+		class = udpTablePid
+	default:
+		return "", ErrInvalidNetwork
+	}
+
+	srcPort, err := strconv.Atoi(metadata.SrcPort)
+	if err != nil {
+		return "", err
+	}
+
+	buf, err := getTransportTable(fn, family, class)
+	if err != nil {
+		return "", err
+	}
+
+	s := newSearcher(family == windows.AF_INET, metadata.NetWork == C.TCP)
+
+	pid, err := s.Search(buf, ip, uint16(srcPort))
+	if err != nil {
+		return "", err
+	}
+	return getExecPathFromPID(pid)
+}
+
+type searcher struct {
+	itemSize int
+	port     int
+	ip       int
+	ipSize   int
+	pid      int
+	tcpState int
+}
+
+func (s *searcher) Search(b []byte, ip net.IP, port uint16) (uint32, error) {
+	n := int(readNativeUint32(b[:4]))
+	itemSize := s.itemSize
+	for i := 0; i < n; i++ {
+		row := b[4+itemSize*i : 4+itemSize*(i+1)]
+
+		if s.tcpState >= 0 {
+			tcpState := readNativeUint32(row[s.tcpState : s.tcpState+4])
+			// MIB_TCP_STATE_ESTAB, only check established connections for TCP
+			if tcpState != 5 {
+				continue
+			}
+		}
+
+		// according to MSDN, only the lower 16 bits of dwLocalPort are used and the port number is in network endian.
+		// this field can be illustrated as follows depends on different machine endianess:
+		//     little endian: [ MSB LSB  0   0  ]   interpret as native uint32 is ((LSB<<8)|MSB)
+		//       big  endian: [  0   0  MSB LSB ]   interpret as native uint32 is ((MSB<<8)|LSB)
+		// so we need an syscall.Ntohs on the lower 16 bits after read the port as native uint32
+		srcPort := syscall.Ntohs(uint16(readNativeUint32(row[s.port : s.port+4])))
+		if srcPort != port {
+			continue
+		}
+
+		srcIP := net.IP(row[s.ip : s.ip+s.ipSize])
+		if !ip.Equal(srcIP) {
+			continue
+		}
+
+		pid := readNativeUint32(row[s.pid : s.pid+4])
+		return pid, nil
+	}
+	return 0, errNotFound
+}
+
+func newSearcher(isV4, isTCP bool) *searcher {
+	var itemSize, port, ip, ipSize, pid int
+	tcpState := -1
+	switch {
+	case isV4 && isTCP:
+		// struct MIB_TCPROW_OWNER_PID
+		itemSize, port, ip, ipSize, pid, tcpState = 24, 8, 4, 4, 20, 0
+	case isV4 && !isTCP:
+		// struct MIB_UDPROW_OWNER_PID
+		itemSize, port, ip, ipSize, pid = 12, 4, 0, 4, 8
+	case !isV4 && isTCP:
+		// struct MIB_TCP6ROW_OWNER_PID
+		itemSize, port, ip, ipSize, pid, tcpState = 56, 20, 0, 16, 52, 48
+	case !isV4 && !isTCP:
+		// struct MIB_UDP6ROW_OWNER_PID
+		itemSize, port, ip, ipSize, pid = 28, 20, 0, 16, 24
+	}
+
+	return &searcher{
+		itemSize: itemSize,
+		port:     port,
+		ip:       ip,
+		ipSize:   ipSize,
+		pid:      pid,
+		tcpState: tcpState,
+	}
+}
+
+func getTransportTable(fn uintptr, family int, class int) ([]byte, error) {
+	for size, buf := uint32(8), make([]byte, 8); ; {
+		ptr := unsafe.Pointer(&buf[0])
+		err, _, _ := syscall.Syscall6(fn, 6, uintptr(ptr), uintptr(unsafe.Pointer(&size)), 0, uintptr(family), uintptr(class), 0)
+
+		switch err {
+		case 0:
+			return buf, nil
+		case uintptr(syscall.ERROR_INSUFFICIENT_BUFFER):
+			buf = make([]byte, size)
+		default:
+			return nil, fmt.Errorf("syscall error: %d", err)
+		}
+	}
+}
+
+func readNativeUint32(b []byte) uint32 {
+	return *(*uint32)(unsafe.Pointer(&b[0]))
+}
+
+func getExecPathFromPID(pid uint32) (string, error) {
+	// kernel process starts with a colon in order to distinguish with normal processes
+	switch pid {
+	case 0:
+		// reserved pid for system idle process
+		return ":System Idle Process", nil
+	case 4:
+		// reserved pid for windows kernel image
+		return ":System", nil
+	}
+	h, err := windows.OpenProcess(windows.PROCESS_QUERY_LIMITED_INFORMATION, false, pid)
+	if err != nil {
+		return "", err
+	}
+	defer windows.CloseHandle(h)
+
+	buf := make([]uint16, syscall.MAX_LONG_PATH)
+	size := uint32(len(buf))
+	r1, _, err := syscall.Syscall6(
+		queryProcName, 4,
+		uintptr(h),
+		uintptr(1),
+		uintptr(unsafe.Pointer(&buf[0])),
+		uintptr(unsafe.Pointer(&size)),
+		0, 0)
+	if r1 == 0 {
+		return "", err
+	}
+	return filepath.Base(syscall.UTF16ToString(buf[:size])), nil
+}

tunnel/tunnel.go

@@ -218,7 +218,7 @@ func handleUDPConn(packet *inbound.PacketAdapter) {
 
 			switch true {
 			case rule != nil:
-				log.Infoln("[UDP] %s --> %v match %s using %s", metadata.SourceAddress(), metadata.String(), rule.RuleType().String(), rawPc.Chains().String())
+				log.Infoln("[UDP] %s --> %v match %s(%s) using %s", metadata.SourceAddress(), metadata.String(), rule.RuleType().String(), rule.Payload(), rawPc.Chains().String())
 			case mode == Global:
 				log.Infoln("[UDP] %s --> %v using GLOBAL", metadata.SourceAddress(), metadata.String())
 			case mode == Direct:
@@ -271,7 +271,7 @@ func handleTCPConn(localConn C.ServerAdapter) {
 
 	switch true {
 	case rule != nil:
-		log.Infoln("[TCP] %s --> %v match %s using %s", metadata.SourceAddress(), metadata.String(), rule.RuleType().String(), remoteConn.Chains().String())
+		log.Infoln("[TCP] %s --> %v match %s(%s) using %s", metadata.SourceAddress(), metadata.String(), rule.RuleType().String(), rule.Payload(), remoteConn.Chains().String())
 	case mode == Global:
 		log.Infoln("[TCP] %s --> %v using GLOBAL", metadata.SourceAddress(), metadata.String())
 	case mode == Direct:
@@ -289,7 +289,7 @@ func handleTCPConn(localConn C.ServerAdapter) {
 }
 
 func shouldResolveIP(rule C.Rule, metadata *C.Metadata) bool {
-	return !rule.NoResolveIP() && metadata.Host != "" && metadata.DstIP == nil
+	return rule.ShouldResolveIP() && metadata.Host != "" && metadata.DstIP == nil
 }
 
 func match(metadata *C.Metadata) (C.Proxy, C.Rule, error) {