Merge pull request #174 from MetaCubeX/Alpha

Alpha
fix: no main result conn, will fail
2022-08-29 11:24:07 +08:00 · 2022-08-28 20:26:13 +08:00 · 2022-08-28 15:57:10 +08:00 · 2022-08-28 13:41:43 +08:00 · 2022-08-22 23:22:26 +08:00 · 2022-08-22 23:17:41 +08:00
168 changed files with 13138 additions and 1609 deletions
--- a/.github/workflows/prerelease.yml
+++ b/.github/workflows/prerelease.yml
@ -17,7 +17,7 @@ jobs:
        run: |
          echo ::set-output name=go_version::$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g')
      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
        with:
          go-version: ${{ steps.version.outputs.go_version }}
--- a/8
+++ b/8
@ -147,3 +147,11 @@ lint:
 clean:
 	rm $(BINDIR)/*
 CLANG ?= clang-14
 CFLAGS := -O2 -g -Wall -Werror $(CFLAGS)
 ebpf: export BPF_CLANG := $(CLANG)
 ebpf: export BPF_CFLAGS := $(CFLAGS)
 ebpf:
 	cd component/ebpf/ && go generate ./...
--- a/README.md
+++ b/README.md
@ -251,8 +251,8 @@ User=clash-meta
 Group=clash-meta
 LimitNPROC=500
 LimitNOFILE=1000000
-CapabilityBoundingSet=cap_net_admin
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
-AmbientCapabilities=cap_net_admin
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
 Restart=always
 ExecStartPre=/usr/bin/sleep 1s
 ExecStart=/usr/local/bin/Clash-Meta -d /etc/Clash-Meta
@ -274,7 +274,7 @@ $ systemctl start Clash-Meta
 Clash add field `Process` to `Metadata` and prepare to get process name for Restful API `GET /connections`.
-To display process name in GUI please use [Dashboard For Meta](https://github.com/Clash-Mini/Dashboard).
+To display process name in GUI please use [Dashboard For Meta](https://github.com/MetaCubeX/clash-dashboard).
 ![img.png](https://github.com/Clash-Mini/Dashboard/raw/master/View/Dashboard-Process.png)
--- a/adapter/adapter.go
+++ b/adapter/adapter.go
@ -11,7 +11,6 @@ import (
 	"net/http"
 	"net/netip"
 	"net/url"
 	"strings"
 	"time"
 	"go.uber.org/atomic"
@ -40,11 +39,6 @@ func (p *Proxy) Dial(metadata *C.Metadata) (C.Conn, error) {
 // DialContext implements C.ProxyAdapter
 func (p *Proxy) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
 	conn, err := p.ProxyAdapter.DialContext(ctx, metadata, opts...)
 	wasCancel := false
 	if err != nil {
 		wasCancel = strings.Contains(err.Error(), "operation was canceled")
 	}
 	p.alive.Store(err == nil || wasCancel)
 	return conn, err
 }
@ -58,7 +52,6 @@ func (p *Proxy) DialUDP(metadata *C.Metadata) (C.PacketConn, error) {
 // ListenPacketContext implements C.ProxyAdapter
 func (p *Proxy) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
 	pc, err := p.ProxyAdapter.ListenPacketContext(ctx, metadata, opts...)
 	p.alive.Store(err == nil)
 	return pc, err
 }
@ -151,25 +144,32 @@ func (p *Proxy) URLTest(ctx context.Context, url string) (t uint16, err error) {
 	}
 	client := http.Client{
 		Timeout:   30 * time.Second,
 		Transport: transport,
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
 			return http.ErrUseLastResponse
 		},
 	}
 	defer client.CloseIdleConnections()
 	resp, err := client.Do(req)
 	if err != nil {
 		return
 	}
 	_ = resp.Body.Close()
 	if unifiedDelay {
-		start = time.Now()
+		second := time.Now()
 		resp, err = client.Do(req)
-		if err != nil {
+		if err == nil {
-			return
+			_ = resp.Body.Close()
 			start = second
 		}
 	}
-	_ = resp.Body.Close()
+
 	t = uint16(time.Since(start) / time.Millisecond)
 	return
 }
--- a/adapter/inbound/util.go
+++ b/adapter/inbound/util.go
@ -1,13 +1,13 @@
 package inbound
 import (
 	"github.com/Dreamacro/clash/common/nnip"
 	"net"
 	"net/http"
 	"net/netip"
 	"strconv"
 	"strings"
 	"github.com/Dreamacro/clash/common/nnip"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/socks5"
 )
@ -26,7 +26,8 @@ func parseSocksAddr(target socks5.Addr) *C.Metadata {
 		metadata.DstIP = nnip.IpToAddr(net.IP(target[1 : 1+net.IPv4len]))
 		metadata.DstPort = strconv.Itoa((int(target[1+net.IPv4len]) << 8) | int(target[1+net.IPv4len+1]))
 	case socks5.AtypIPv6:
-		metadata.DstIP = nnip.IpToAddr(net.IP(target[1 : 1+net.IPv6len]))
+		ip6, _ := netip.AddrFromSlice(target[1 : 1+net.IPv6len])
 		metadata.DstIP = ip6.Unmap()
 		metadata.DstPort = strconv.Itoa((int(target[1+net.IPv6len]) << 8) | int(target[1+net.IPv6len+1]))
 	}
--- a/adapter/outbound/base.go
+++ b/adapter/outbound/base.go
@ -13,13 +13,14 @@ import (
 )
 type Base struct {
-	name  string
+	name   string
-	addr  string
+	addr   string
-	iface string
+	iface  string
-	tp    C.AdapterType
+	tp     C.AdapterType
-	udp   bool
+	udp    bool
-	rmark int
+	rmark  int
-	id    string
+	id     string
 	prefer C.DNSPrefer
 }
 // Name implements C.ProxyAdapter
@ -103,12 +104,25 @@ func (b *Base) DialOptions(opts ...dialer.Option) []dialer.Option {
 		opts = append(opts, dialer.WithRoutingMark(b.rmark))
 	}
 	switch b.prefer {
 	case C.IPv4Only:
 		opts = append(opts, dialer.WithOnlySingleStack(true))
 	case C.IPv6Only:
 		opts = append(opts, dialer.WithOnlySingleStack(false))
 	case C.IPv4Prefer:
 		opts = append(opts, dialer.WithPreferIPv4())
 	case C.IPv6Prefer:
 		opts = append(opts, dialer.WithPreferIPv6())
 	default:
 	}
 	return opts
 }
 type BasicOption struct {
 	Interface   string `proxy:"interface-name,omitempty" group:"interface-name,omitempty"`
 	RoutingMark int    `proxy:"routing-mark,omitempty" group:"routing-mark,omitempty"`
 	IPVersion   string `proxy:"ip-version,omitempty" group:"ip-version,omitempty"`
 }
 type BaseOption struct {
@ -118,16 +132,18 @@ type BaseOption struct {
 	UDP         bool
 	Interface   string
 	RoutingMark int
 	Prefer      C.DNSPrefer
 }
 func NewBase(opt BaseOption) *Base {
 	return &Base{
-		name:  opt.Name,
+		name:   opt.Name,
-		addr:  opt.Addr,
+		addr:   opt.Addr,
-		tp:    opt.Type,
+		tp:     opt.Type,
-		udp:   opt.UDP,
+		udp:    opt.UDP,
-		iface: opt.Interface,
+		iface:  opt.Interface,
-		rmark: opt.RoutingMark,
+		rmark:  opt.RoutingMark,
 		prefer: opt.Prefer,
 	}
 }
--- a/adapter/outbound/direct.go
+++ b/adapter/outbound/direct.go
@ -40,9 +40,10 @@ type directPacketConn struct {
 func NewDirect() *Direct {
 	return &Direct{
 		Base: &Base{
-			name: "DIRECT",
+			name:   "DIRECT",
-			tp:   C.Direct,
+			tp:     C.Direct,
-			udp:  true,
+			udp:    true,
 			prefer: C.DualStack,
 		},
 	}
 }
@ -50,9 +51,10 @@ func NewDirect() *Direct {
 func NewCompatible() *Direct {
 	return &Direct{
 		Base: &Base{
-			name: "COMPATIBLE",
+			name:   "COMPATIBLE",
-			tp:   C.Compatible,
+			tp:     C.Compatible,
-			udp:  true,
+			udp:    true,
 			prefer: C.DualStack,
 		},
 	}
 }
--- a/adapter/outbound/http.go
+++ b/adapter/outbound/http.go
@ -7,6 +7,7 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	"io"
 	"net"
 	"net/http"
@ -35,6 +36,7 @@ type HttpOption struct {
 	TLS            bool              `proxy:"tls,omitempty"`
 	SNI            string            `proxy:"sni,omitempty"`
 	SkipCertVerify bool              `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint    string            `proxy:"fingerprint,omitempty"`
 	Headers        map[string]string `proxy:"headers,omitempty"`
 }
@ -126,30 +128,41 @@ func (h *Http) shakeHand(metadata *C.Metadata, rw io.ReadWriter) error {
 	return fmt.Errorf("can not connect remote err code: %d", resp.StatusCode)
 }
-func NewHttp(option HttpOption) *Http {
+func NewHttp(option HttpOption) (*Http, error) {
 	var tlsConfig *tls.Config
 	if option.TLS {
 		sni := option.Server
 		if option.SNI != "" {
 			sni = option.SNI
 		}
-		tlsConfig = &tls.Config{
+		if len(option.Fingerprint) == 0 {
-			InsecureSkipVerify: option.SkipCertVerify,
+			tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(&tls.Config{
-			ServerName:         sni,
+				InsecureSkipVerify: option.SkipCertVerify,
 				ServerName:         sni,
 			})
 		} else {
 			var err error
 			if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(&tls.Config{
 				InsecureSkipVerify: option.SkipCertVerify,
 				ServerName:         sni,
 			}, option.Fingerprint); err != nil {
 				return nil, err
 			}
 		}
 	}
 	return &Http{
 		Base: &Base{
-			name:  option.Name,
+			name:   option.Name,
-			addr:  net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
+			addr:   net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
-			tp:    C.Http,
+			tp:     C.Http,
-			iface: option.Interface,
+			iface:  option.Interface,
-			rmark: option.RoutingMark,
+			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
 		user:      option.UserName,
 		pass:      option.Password,
 		tlsConfig: tlsConfig,
 		option:    &option,
-	}
+	}, nil
 }
--- a/adapter/outbound/hysteria.go
+++ b/adapter/outbound/hysteria.go
@ -0,0 +1,309 @@
 package outbound
 import (
 	"context"
 	"crypto/sha256"
 	"crypto/tls"
 	"encoding/hex"
 	"encoding/pem"
 	"fmt"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	"github.com/Dreamacro/clash/transport/hysteria/core"
 	"github.com/Dreamacro/clash/transport/hysteria/obfs"
 	"github.com/Dreamacro/clash/transport/hysteria/pmtud_fix"
 	"github.com/Dreamacro/clash/transport/hysteria/transport"
 	"github.com/lucas-clemente/quic-go"
 	"net"
 	"os"
 	"regexp"
 	"strconv"
 	"time"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
 	hyCongestion "github.com/Dreamacro/clash/transport/hysteria/congestion"
 	"github.com/lucas-clemente/quic-go/congestion"
 	M "github.com/sagernet/sing/common/metadata"
 )
 const (
 	mbpsToBps   = 125000
 	minSpeedBPS = 16384
 	DefaultStreamReceiveWindow     = 15728640 // 15 MB/s
 	DefaultConnectionReceiveWindow = 67108864 // 64 MB/s
 	DefaultMaxIncomingStreams      = 1024
 	DefaultALPN     = "hysteria"
 	DefaultProtocol = "udp"
 )
 var rateStringRegexp = regexp.MustCompile(`^(\d+)\s*([KMGT]?)([Bb])ps$`)
 type Hysteria struct {
 	*Base
 	client *core.Client
 }
 func (h *Hysteria) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
 	hdc := hyDialerWithContext{
 		ctx: context.Background(),
 		hyDialer: func() (net.PacketConn, error) {
 			return dialer.ListenPacket(ctx, "udp", "", h.Base.DialOptions(opts...)...)
 		},
 		remoteAddr: func(addr string) (net.Addr, error) {
 			return resolveUDPAddrWithPrefer("udp", addr, h.prefer)
 		},
 	}
 	tcpConn, err := h.client.DialTCP(metadata.RemoteAddress(), &hdc)
 	if err != nil {
 		return nil, err
 	}
 	return NewConn(tcpConn, h), nil
 }
 func (h *Hysteria) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
 	hdc := hyDialerWithContext{
 		ctx: context.Background(),
 		hyDialer: func() (net.PacketConn, error) {
 			return dialer.ListenPacket(ctx, "udp", "", h.Base.DialOptions(opts...)...)
 		},
 	}
 	udpConn, err := h.client.DialUDP(&hdc)
 	if err != nil {
 		return nil, err
 	}
 	return newPacketConn(&hyPacketConn{udpConn}, h), nil
 }
 type HysteriaOption struct {
 	BasicOption
 	Name                string `proxy:"name"`
 	Server              string `proxy:"server"`
 	Port                int    `proxy:"port"`
 	Protocol            string `proxy:"protocol,omitempty"`
 	Up                  string `proxy:"up"`
 	Down                string `proxy:"down"`
 	AuthString          string `proxy:"auth_str,omitempty"`
 	Obfs                string `proxy:"obfs,omitempty"`
 	SNI                 string `proxy:"sni,omitempty"`
 	SkipCertVerify      bool   `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint         string `proxy:"fingerprint,omitempty"`
 	ALPN                string `proxy:"alpn,omitempty"`
 	CustomCA            string `proxy:"ca,omitempty"`
 	CustomCAString      string `proxy:"ca_str,omitempty"`
 	ReceiveWindowConn   int    `proxy:"recv_window_conn,omitempty"`
 	ReceiveWindow       int    `proxy:"recv_window,omitempty"`
 	DisableMTUDiscovery bool   `proxy:"disable_mtu_discovery,omitempty"`
 }
 func (c *HysteriaOption) Speed() (uint64, uint64, error) {
 	var up, down uint64
 	up = stringToBps(c.Up)
 	if up == 0 {
 		return 0, 0, fmt.Errorf("invaild upload speed: %s", c.Up)
 	}
 	down = stringToBps(c.Down)
 	if down == 0 {
 		return 0, 0, fmt.Errorf("invaild download speed: %s", c.Down)
 	}
 	return up, down, nil
 }
 func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 	clientTransport := &transport.ClientTransport{
 		Dialer: &net.Dialer{
 			Timeout: 8 * time.Second,
 		},
 	}
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
 	serverName := option.Server
 	if option.SNI != "" {
 		serverName = option.SNI
 	}
 	tlsConfig := &tls.Config{
 		ServerName:         serverName,
 		InsecureSkipVerify: option.SkipCertVerify,
 		MinVersion:         tls.VersionTLS13,
 	}
 	var bs []byte
 	var err error
 	if len(option.CustomCA) > 0 {
 		bs, err = os.ReadFile(option.CustomCA)
 		if err != nil {
 			return nil, fmt.Errorf("hysteria %s load ca error: %w", addr, err)
 		}
 	} else if option.CustomCAString != "" {
 		bs = []byte(option.CustomCAString)
 	}
 	if len(bs) > 0 {
 		block, _ := pem.Decode(bs)
 		if block == nil {
 			return nil, fmt.Errorf("CA cert is not PEM")
 		}
 		fpBytes := sha256.Sum256(block.Bytes)
 		if len(option.Fingerprint) == 0 {
 			option.Fingerprint = hex.EncodeToString(fpBytes[:])
 		}
 	}
 	if len(option.Fingerprint) != 0 {
 		var err error
 		tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint)
 		if err != nil {
 			return nil, err
 		}
 	} else {
 		tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
 	}
 	if len(option.ALPN) > 0 {
 		tlsConfig.NextProtos = []string{option.ALPN}
 	} else {
 		tlsConfig.NextProtos = []string{DefaultALPN}
 	}
 	quicConfig := &quic.Config{
 		InitialStreamReceiveWindow:     uint64(option.ReceiveWindowConn),
 		MaxStreamReceiveWindow:         uint64(option.ReceiveWindowConn),
 		InitialConnectionReceiveWindow: uint64(option.ReceiveWindow),
 		MaxConnectionReceiveWindow:     uint64(option.ReceiveWindow),
 		KeepAlivePeriod:                10 * time.Second,
 		DisablePathMTUDiscovery:        option.DisableMTUDiscovery,
 		EnableDatagrams:                true,
 	}
 	if option.Protocol == "" {
 		option.Protocol = DefaultProtocol
 	}
 	if option.ReceiveWindowConn == 0 {
 		quicConfig.InitialStreamReceiveWindow = DefaultStreamReceiveWindow / 10
 		quicConfig.MaxStreamReceiveWindow = DefaultStreamReceiveWindow
 	}
 	if option.ReceiveWindow == 0 {
 		quicConfig.InitialConnectionReceiveWindow = DefaultConnectionReceiveWindow / 10
 		quicConfig.MaxConnectionReceiveWindow = DefaultConnectionReceiveWindow
 	}
 	if !quicConfig.DisablePathMTUDiscovery && pmtud_fix.DisablePathMTUDiscovery {
 		log.Infoln("hysteria: Path MTU Discovery is not yet supported on this platform")
 	}
 	var auth = []byte(option.AuthString)
 	var obfuscator obfs.Obfuscator
 	if len(option.Obfs) > 0 {
 		obfuscator = obfs.NewXPlusObfuscator([]byte(option.Obfs))
 	}
 	up, down, err := option.Speed()
 	if err != nil {
 		return nil, err
 	}
 	client, err := core.NewClient(
 		addr, option.Protocol, auth, tlsConfig, quicConfig, clientTransport, up, down, func(refBPS uint64) congestion.CongestionControl {
 			return hyCongestion.NewBrutalSender(congestion.ByteCount(refBPS))
 		}, obfuscator,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("hysteria %s create error: %w", addr, err)
 	}
 	return &Hysteria{
 		Base: &Base{
 			name:   option.Name,
 			addr:   addr,
 			tp:     C.Hysteria,
 			udp:    true,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
 		client: client,
 	}, nil
 }
 func stringToBps(s string) uint64 {
 	if s == "" {
 		return 0
 	}
 	// when have not unit, use Mbps
 	if v, err := strconv.Atoi(s); err == nil {
 		return stringToBps(fmt.Sprintf("%d Mbps", v))
 	}
 	m := rateStringRegexp.FindStringSubmatch(s)
 	if m == nil {
 		return 0
 	}
 	var n uint64
 	switch m[2] {
 	case "K":
 		n = 1 << 10
 	case "M":
 		n = 1 << 20
 	case "G":
 		n = 1 << 30
 	case "T":
 		n = 1 << 40
 	default:
 		n = 1
 	}
 	v, _ := strconv.ParseUint(m[1], 10, 64)
 	n = v * n
 	if m[3] == "b" {
 		// Bits, need to convert to bytes
 		n = n >> 3
 	}
 	return n
 }
 type hyPacketConn struct {
 	core.UDPConn
 }
 func (c *hyPacketConn) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
 	b, addrStr, err := c.UDPConn.ReadFrom()
 	if err != nil {
 		return
 	}
 	n = copy(p, b)
 	addr = M.ParseSocksaddr(addrStr).UDPAddr()
 	return
 }
 func (c *hyPacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
 	err = c.UDPConn.WriteTo(p, M.SocksaddrFromNet(addr).String())
 	if err != nil {
 		return
 	}
 	n = len(p)
 	return
 }
 type hyDialerWithContext struct {
 	hyDialer   func() (net.PacketConn, error)
 	ctx        context.Context
 	remoteAddr func(host string) (net.Addr, error)
 }
 func (h *hyDialerWithContext) ListenPacket() (net.PacketConn, error) {
 	return h.hyDialer()
 }
 func (h *hyDialerWithContext) Context() context.Context {
 	return h.ctx
 }
 func (h *hyDialerWithContext) RemoteAddr(host string) (net.Addr, error) {
 	return h.remoteAddr(host)
 }
--- a/adapter/outbound/reject.go
+++ b/adapter/outbound/reject.go
@ -27,9 +27,10 @@ func (r *Reject) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 func NewReject() *Reject {
 	return &Reject{
 		Base: &Base{
-			name: "REJECT",
+			name:   "REJECT",
-			tp:   C.Reject,
+			tp:     C.Reject,
-			udp:  true,
+			udp:    true,
 			prefer: C.DualStack,
 		},
 	}
 }
@ -37,9 +38,10 @@ func NewReject() *Reject {
 func NewPass() *Reject {
 	return &Reject{
 		Base: &Base{
-			name: "PASS",
+			name:   "PASS",
-			tp:   C.Pass,
+			tp:     C.Pass,
-			udp:  true,
+			udp:    true,
 			prefer: C.DualStack,
 		},
 	}
 }
--- a/adapter/outbound/shadowsocks.go
+++ b/adapter/outbound/shadowsocks.go
@ -7,19 +7,30 @@ import (
 	"net"
 	"strconv"
 	"github.com/Dreamacro/clash/common/pool"
 	"github.com/Dreamacro/clash/common/structure"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/shadowsocks/core"
 	obfs "github.com/Dreamacro/clash/transport/simple-obfs"
 	"github.com/Dreamacro/clash/transport/socks5"
 	v2rayObfs "github.com/Dreamacro/clash/transport/v2ray-plugin"
 	"github.com/sagernet/sing-shadowsocks"
 	"github.com/sagernet/sing-shadowsocks/shadowimpl"
 	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/uot"
 )
 func init() {
 	buf.DefaultAllocator = pool.DefaultAllocator
 }
 type ShadowSocks struct {
 	*Base
-	cipher core.Cipher
+	method shadowsocks.Method
 	option *ShadowSocksOption
 	// obfs
 	obfsMode    string
 	obfsOption  *simpleObfsOption
@ -36,6 +47,7 @@ type ShadowSocksOption struct {
 	UDP        bool           `proxy:"udp,omitempty"`
 	Plugin     string         `proxy:"plugin,omitempty"`
 	PluginOpts map[string]any `proxy:"plugin-opts,omitempty"`
 	UDPOverTCP bool           `proxy:"udp-over-tcp,omitempty"`
 }
 type simpleObfsOption struct {
@ -48,6 +60,7 @@ type v2rayObfsOption struct {
 	Host           string            `obfs:"host,omitempty"`
 	Path           string            `obfs:"path,omitempty"`
 	TLS            bool              `obfs:"tls,omitempty"`
 	Fingerprint    string            `obfs:"fingerprint,omitempty"`
 	Headers        map[string]string `obfs:"headers,omitempty"`
 	SkipCertVerify bool              `obfs:"skip-cert-verify,omitempty"`
 	Mux            bool              `obfs:"mux,omitempty"`
@ -68,9 +81,11 @@ func (ss *ShadowSocks) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, e
 			return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
 		}
 	}
-	c = ss.cipher.StreamConn(c)
+	if metadata.NetWork == C.UDP && ss.option.UDPOverTCP {
-	_, err := c.Write(serializesSocksAddr(metadata))
+		metadata.Host = uot.UOTMagicAddress
-	return c, err
+		metadata.DstPort = "443"
 	}
 	return ss.method.DialConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
 }
 // DialContext implements C.ProxyAdapter
@ -89,26 +104,43 @@ func (ss *ShadowSocks) DialContext(ctx context.Context, metadata *C.Metadata, op
 // ListenPacketContext implements C.ProxyAdapter
 func (ss *ShadowSocks) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
 	if ss.option.UDPOverTCP {
 		tcpConn, err := ss.DialContext(ctx, metadata, opts...)
 		if err != nil {
 			return nil, err
 		}
 		return newPacketConn(uot.NewClientConn(tcpConn), ss), nil
 	}
 	pc, err := dialer.ListenPacket(ctx, "udp", "", ss.Base.DialOptions(opts...)...)
 	if err != nil {
 		return nil, err
 	}
-	addr, err := resolveUDPAddr("udp", ss.addr)
+	addr, err := resolveUDPAddrWithPrefer("udp", ss.addr, ss.prefer)
 	if err != nil {
 		pc.Close()
 		return nil, err
 	}
 	pc = ss.method.DialPacketConn(&bufio.BindPacketConn{PacketConn: pc, Addr: addr})
 	return newPacketConn(pc, ss), nil
 }
-	pc = ss.cipher.PacketConn(pc)
+// ListenPacketOnStreamConn implements C.ProxyAdapter
-	return newPacketConn(&ssPacketConn{PacketConn: pc, rAddr: addr}, ss), nil
+func (ss *ShadowSocks) ListenPacketOnStreamConn(c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	if ss.option.UDPOverTCP {
 		return newPacketConn(uot.NewClientConn(c), ss), nil
 	}
 	return nil, errors.New("no support")
 }
 // SupportUOT implements C.ProxyAdapter
 func (ss *ShadowSocks) SupportUOT() bool {
 	return ss.option.UDPOverTCP
 }
 func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
-	cipher := option.Cipher
+	method, err := shadowimpl.FetchMethod(option.Cipher, option.Password)
 	password := option.Password
 	ciph, err := core.PickCipher(cipher, nil, password)
 	if err != nil {
 		return nil, fmt.Errorf("ss %s initialize error: %w", addr, err)
 	}
@ -154,15 +186,17 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 	return &ShadowSocks{
 		Base: &Base{
-			name:  option.Name,
+			name:   option.Name,
-			addr:  addr,
+			addr:   addr,
-			tp:    C.Shadowsocks,
+			tp:     C.Shadowsocks,
-			udp:   option.UDP,
+			udp:    option.UDP,
-			iface: option.Interface,
+			iface:  option.Interface,
-			rmark: option.RoutingMark,
+			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
-		cipher: ciph,
+		method: method,
 		option:      &option,
 		obfsMode:    obfsMode,
 		v2rayOption: v2rayOption,
 		obfsOption:  obfsOption,
--- a/adapter/outbound/shadowsocksr.go
+++ b/adapter/outbound/shadowsocksr.go
@ -79,7 +79,7 @@ func (ssr *ShadowSocksR) ListenPacketContext(ctx context.Context, metadata *C.Me
 		return nil, err
 	}
-	addr, err := resolveUDPAddr("udp", ssr.addr)
+	addr, err := resolveUDPAddrWithPrefer("udp", ssr.addr, ssr.prefer)
 	if err != nil {
 		pc.Close()
 		return nil, err
@ -143,12 +143,13 @@ func NewShadowSocksR(option ShadowSocksROption) (*ShadowSocksR, error) {
 	return &ShadowSocksR{
 		Base: &Base{
-			name:  option.Name,
+			name:   option.Name,
-			addr:  addr,
+			addr:   addr,
-			tp:    C.ShadowsocksR,
+			tp:     C.ShadowsocksR,
-			udp:   option.UDP,
+			udp:    option.UDP,
-			iface: option.Interface,
+			iface:  option.Interface,
-			rmark: option.RoutingMark,
+			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
 		cipher:   coreCiph,
 		obfs:     obfs,
--- a/adapter/outbound/snell.go
+++ b/adapter/outbound/snell.go
@ -152,12 +152,13 @@ func NewSnell(option SnellOption) (*Snell, error) {
 	s := &Snell{
 		Base: &Base{
-			name:  option.Name,
+			name:   option.Name,
-			addr:  addr,
+			addr:   addr,
-			tp:    C.Snell,
+			tp:     C.Snell,
-			udp:   option.UDP,
+			udp:    option.UDP,
-			iface: option.Interface,
+			iface:  option.Interface,
-			rmark: option.RoutingMark,
+			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
 		psk:        psk,
 		obfsOption: obfsOption,
--- a/adapter/outbound/socks5.go
+++ b/adapter/outbound/socks5.go
@ -5,6 +5,7 @@ import (
 	"crypto/tls"
 	"errors"
 	"fmt"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	"io"
 	"net"
 	"strconv"
@ -33,6 +34,7 @@ type Socks5Option struct {
 	TLS            bool   `proxy:"tls,omitempty"`
 	UDP            bool   `proxy:"udp,omitempty"`
 	SkipCertVerify bool   `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint    string `proxy:"fingerprint,omitempty"`
 }
 // StreamConn implements C.ProxyAdapter
@ -138,30 +140,40 @@ func (ss *Socks5) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 	return newPacketConn(&socksPacketConn{PacketConn: pc, rAddr: bindUDPAddr, tcpConn: c}, ss), nil
 }
-func NewSocks5(option Socks5Option) *Socks5 {
+func NewSocks5(option Socks5Option) (*Socks5, error) {
 	var tlsConfig *tls.Config
 	if option.TLS {
 		tlsConfig = &tls.Config{
 			InsecureSkipVerify: option.SkipCertVerify,
 			ServerName:         option.Server,
 		}
 		if len(option.Fingerprint) == 0 {
 			tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
 		} else {
 			var err error
 			if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint); err != nil {
 				return nil, err
 			}
 		}
 	}
 	return &Socks5{
 		Base: &Base{
-			name:  option.Name,
+			name:   option.Name,
-			addr:  net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
+			addr:   net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
-			tp:    C.Socks5,
+			tp:     C.Socks5,
-			udp:   option.UDP,
+			udp:    option.UDP,
-			iface: option.Interface,
+			iface:  option.Interface,
-			rmark: option.RoutingMark,
+			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
 		user:           option.UserName,
 		pass:           option.Password,
 		tls:            option.TLS,
 		skipCertVerify: option.SkipCertVerify,
 		tlsConfig:      tlsConfig,
-	}
+	}, nil
 }
 type socksPacketConn struct {
--- a/adapter/outbound/trojan.go
+++ b/adapter/outbound/trojan.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	"net"
 	"net/http"
 	"strconv"
@ -35,6 +36,7 @@ type TrojanOption struct {
 	ALPN           []string    `proxy:"alpn,omitempty"`
 	SNI            string      `proxy:"sni,omitempty"`
 	SkipCertVerify bool        `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint    string      `proxy:"fingerprint,omitempty"`
 	UDP            bool        `proxy:"udp,omitempty"`
 	Network        string      `proxy:"network,omitempty"`
 	GrpcOpts       GrpcOptions `proxy:"grpc-opts,omitempty"`
@ -188,6 +190,7 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 		ServerName:     option.Server,
 		SkipCertVerify: option.SkipCertVerify,
 		FlowShow:       option.FlowShow,
 		Fingerprint:    option.Fingerprint,
 	}
 	if option.Network != "ws" && len(option.Flow) >= 16 {
@ -206,12 +209,13 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 	t := &Trojan{
 		Base: &Base{
-			name:  option.Name,
+			name:   option.Name,
-			addr:  addr,
+			addr:   addr,
-			tp:    C.Trojan,
+			tp:     C.Trojan,
-			udp:   option.UDP,
+			udp:    option.UDP,
-			iface: option.Interface,
+			iface:  option.Interface,
-			rmark: option.RoutingMark,
+			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
 		instance: trojan.New(tOption),
 		option:   &option,
@ -234,6 +238,15 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 			ServerName:         tOption.ServerName,
 		}
 		if len(option.Fingerprint) == 0 {
 			tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
 		} else {
 			var err error
 			if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint); err != nil {
 				return nil, err
 			}
 		}
 		if t.option.Flow != "" {
 			t.transport = gun.NewHTTP2XTLSClient(dialFn, tlsConfig)
 		} else {
--- a/adapter/outbound/util.go
+++ b/adapter/outbound/util.go
@ -5,6 +5,7 @@ import (
 	"crypto/tls"
 	xtls "github.com/xtls/go"
 	"net"
 	"net/netip"
 	"strconv"
 	"sync"
 	"time"
@ -74,6 +75,60 @@ func resolveUDPAddr(network, address string) (*net.UDPAddr, error) {
 	return net.ResolveUDPAddr(network, net.JoinHostPort(ip.String(), port))
 }
 func resolveUDPAddrWithPrefer(network, address string, prefer C.DNSPrefer) (*net.UDPAddr, error) {
 	host, port, err := net.SplitHostPort(address)
 	if err != nil {
 		return nil, err
 	}
 	var ip netip.Addr
 	switch prefer {
 	case C.IPv4Only:
 		ip, err = resolver.ResolveIPv4ProxyServerHost(host)
 	case C.IPv6Only:
 		ip, err = resolver.ResolveIPv6ProxyServerHost(host)
 	case C.IPv6Prefer:
 		var ips []netip.Addr
 		ips, err = resolver.ResolveAllIPProxyServerHost(host)
 		var fallback netip.Addr
 		if err == nil {
 			for _, addr := range ips {
 				if addr.Is6() {
 					ip = addr
 					break
 				} else {
 					if !fallback.IsValid() {
 						fallback = addr
 					}
 				}
 			}
 			ip = fallback
 		}
 	default:
 		// C.IPv4Prefer, C.DualStack and other 
 		var ips []netip.Addr
 		ips, err = resolver.ResolveAllIPProxyServerHost(host)
 		var fallback netip.Addr
 		if err == nil {
 			for _, addr := range ips {
 				if addr.Is4() {
 					ip = addr
 					break
 				} else {
 					if !fallback.IsValid() {
 						fallback = addr
 					}
 				}
 			}
 			ip = fallback
 		}
 	}
 	if err != nil {
 		return nil, err
 	}
 	return net.ResolveUDPAddr(network, net.JoinHostPort(ip.String(), port))
 }
 func safeConnClose(c net.Conn, err error) {
 	if err != nil {
 		_ = c.Close()
--- a/adapter/outbound/vless.go
+++ b/adapter/outbound/vless.go
@ -6,6 +6,8 @@ import (
 	"encoding/binary"
 	"errors"
 	"fmt"
 	"github.com/Dreamacro/clash/common/convert"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	"io"
 	"net"
 	"net/http"
@ -54,6 +56,7 @@ type VlessOption struct {
 	WSPath         string            `proxy:"ws-path,omitempty"`
 	WSHeaders      map[string]string `proxy:"ws-headers,omitempty"`
 	SkipCertVerify bool              `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint    string            `proxy:"fingerprint,omitempty"`
 	ServerName     string            `proxy:"servername,omitempty"`
 }
@ -69,27 +72,39 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 			Path:                v.option.WSOpts.Path,
 			MaxEarlyData:        v.option.WSOpts.MaxEarlyData,
 			EarlyDataHeaderName: v.option.WSOpts.EarlyDataHeaderName,
 			Headers:             http.Header{},
 		}
 		if len(v.option.WSOpts.Headers) != 0 {
 			header := http.Header{}
 			for key, value := range v.option.WSOpts.Headers {
-				header.Add(key, value)
+				wsOpts.Headers.Add(key, value)
 			}
 			wsOpts.Headers = header
 		}
 		if v.option.TLS {
 			wsOpts.TLS = true
 			tlsConfig := &tls.Config{
 				MinVersion:         tls.VersionTLS12,
 				ServerName:         host,
 				InsecureSkipVerify: v.option.SkipCertVerify,
 				NextProtos:         []string{"http/1.1"},
 			}
-		wsOpts.TLS = true
+			if len(v.option.Fingerprint) == 0 {
-		wsOpts.TLSConfig = &tls.Config{
+				wsOpts.TLSConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
-			MinVersion:         tls.VersionTLS12,
+			} else {
-			ServerName:         host,
+				wsOpts.TLSConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint)
-			InsecureSkipVerify: v.option.SkipCertVerify,
+			}
-			NextProtos:         []string{"http/1.1"},
+
-		}
+			if v.option.ServerName != "" {
-		if v.option.ServerName != "" {
+				wsOpts.TLSConfig.ServerName = v.option.ServerName
-			wsOpts.TLSConfig.ServerName = v.option.ServerName
+			} else if host := wsOpts.Headers.Get("Host"); host != "" {
-		} else if host := wsOpts.Headers.Get("Host"); host != "" {
+				wsOpts.TLSConfig.ServerName = host
-			wsOpts.TLSConfig.ServerName = host
+			}
 		} else {
 			if host := wsOpts.Headers.Get("Host"); host == "" {
 				wsOpts.Headers.Set("Host", convert.RandHost())
 				convert.SetUserAgent(wsOpts.Headers)
 			}
 		}
 		c, err = vmess.StreamWebsocketConn(c, wsOpts)
 	case "http":
@ -146,6 +161,7 @@ func (v *Vless) streamTLSOrXTLSConn(conn net.Conn, isH2 bool) (net.Conn, error)
 		xtlsOpts := vless.XTLSConfig{
 			Host:           host,
 			SkipCertVerify: v.option.SkipCertVerify,
 			FingerPrint:    v.option.Fingerprint,
 		}
 		if isH2 {
@ -162,6 +178,7 @@ func (v *Vless) streamTLSOrXTLSConn(conn net.Conn, isH2 bool) (net.Conn, error)
 		tlsOpts := vmess.TLSConfig{
 			Host:           host,
 			SkipCertVerify: v.option.SkipCertVerify,
 			FingerPrint:    v.option.Fingerprint,
 		}
 		if isH2 {
@ -401,11 +418,12 @@ func NewVless(option VlessOption) (*Vless, error) {
 	v := &Vless{
 		Base: &Base{
-			name:  option.Name,
+			name:   option.Name,
-			addr:  net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
+			addr:   net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
-			tp:    C.Vless,
+			tp:     C.Vless,
-			udp:   option.UDP,
+			udp:    option.UDP,
-			iface: option.Interface,
+			iface:  option.Interface,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
 		client: client,
 		option: &option,
@ -430,10 +448,10 @@ func NewVless(option VlessOption) (*Vless, error) {
 			ServiceName: v.option.GrpcOpts.GrpcServiceName,
 			Host:        v.option.ServerName,
 		}
-		tlsConfig := &tls.Config{
+		tlsConfig := tlsC.GetGlobalFingerprintTLCConfig(&tls.Config{
 			InsecureSkipVerify: v.option.SkipCertVerify,
 			ServerName:         v.option.ServerName,
-		}
+		})
 		if v.option.ServerName == "" {
 			host, _, _ := net.SplitHostPort(v.addr)
--- a/adapter/outbound/vmess.go
+++ b/adapter/outbound/vmess.go
@ -5,16 +5,21 @@ import (
 	"crypto/tls"
 	"errors"
 	"fmt"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	vmess "github.com/sagernet/sing-vmess"
 	"net"
 	"net/http"
 	"strconv"
 	"strings"
 	"sync"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/gun"
-	"github.com/Dreamacro/clash/transport/vmess"
+	clashVMess "github.com/Dreamacro/clash/transport/vmess"
 	"github.com/sagernet/sing-vmess/packetaddr"
 	M "github.com/sagernet/sing/common/metadata"
 )
 type Vmess struct {
@ -30,25 +35,24 @@ type Vmess struct {
 type VmessOption struct {
 	BasicOption
-	Name           string       `proxy:"name"`
+	Name                string       `proxy:"name"`
-	Server         string       `proxy:"server"`
+	Server              string       `proxy:"server"`
-	Port           int          `proxy:"port"`
+	Port                int          `proxy:"port"`
-	UUID           string       `proxy:"uuid"`
+	UUID                string       `proxy:"uuid"`
-	AlterID        int          `proxy:"alterId"`
+	AlterID             int          `proxy:"alterId"`
-	Cipher         string       `proxy:"cipher"`
+	Cipher              string       `proxy:"cipher"`
-	UDP            bool         `proxy:"udp,omitempty"`
+	UDP                 bool         `proxy:"udp,omitempty"`
-	Network        string       `proxy:"network,omitempty"`
+	Network             string       `proxy:"network,omitempty"`
-	TLS            bool         `proxy:"tls,omitempty"`
+	TLS                 bool         `proxy:"tls,omitempty"`
-	SkipCertVerify bool         `proxy:"skip-cert-verify,omitempty"`
+	SkipCertVerify      bool         `proxy:"skip-cert-verify,omitempty"`
-	ServerName     string       `proxy:"servername,omitempty"`
+	Fingerprint         string       `proxy:"fingerprint,omitempty"`
-	HTTPOpts       HTTPOptions  `proxy:"http-opts,omitempty"`
+	ServerName          string       `proxy:"servername,omitempty"`
-	HTTP2Opts      HTTP2Options `proxy:"h2-opts,omitempty"`
+	HTTPOpts            HTTPOptions  `proxy:"http-opts,omitempty"`
-	GrpcOpts       GrpcOptions  `proxy:"grpc-opts,omitempty"`
+	HTTP2Opts           HTTP2Options `proxy:"h2-opts,omitempty"`
-	WSOpts         WSOptions    `proxy:"ws-opts,omitempty"`
+	GrpcOpts            GrpcOptions  `proxy:"grpc-opts,omitempty"`
-
+	WSOpts              WSOptions    `proxy:"ws-opts,omitempty"`
-	// TODO: compatible with VMESS WS older version configurations
+	PacketAddr          bool         `proxy:"packet-addr,omitempty"`
-	WSHeaders map[string]string `proxy:"ws-headers,omitempty"`
+	AuthenticatedLength bool         `proxy:"authenticated-length,omitempty"`
 	WSPath    string            `proxy:"ws-path,omitempty"`
 }
 type HTTPOptions struct {
@ -78,49 +82,52 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	var err error
 	switch v.option.Network {
 	case "ws":
 		if v.option.WSOpts.Path == "" {
 			v.option.WSOpts.Path = v.option.WSPath
 		}
 		if len(v.option.WSOpts.Headers) == 0 {
 			v.option.WSOpts.Headers = v.option.WSHeaders
 		}
 		host, port, _ := net.SplitHostPort(v.addr)
-		wsOpts := &vmess.WebsocketConfig{
+		wsOpts := &clashVMess.WebsocketConfig{
 			Host:                host,
 			Port:                port,
 			Path:                v.option.WSOpts.Path,
 			MaxEarlyData:        v.option.WSOpts.MaxEarlyData,
 			EarlyDataHeaderName: v.option.WSOpts.EarlyDataHeaderName,
 			Headers:             http.Header{},
 		}
 		if len(v.option.WSOpts.Headers) != 0 {
 			header := http.Header{}
 			for key, value := range v.option.WSOpts.Headers {
-				header.Add(key, value)
+				wsOpts.Headers.Add(key, value)
 			}
 			wsOpts.Headers = header
 		}
 		if v.option.TLS {
 			wsOpts.TLS = true
-			wsOpts.TLSConfig = &tls.Config{
+			tlsConfig := &tls.Config{
 				ServerName:         host,
 				InsecureSkipVerify: v.option.SkipCertVerify,
 				NextProtos:         []string{"http/1.1"},
 			}
 			if len(v.option.Fingerprint) == 0 {
 				wsOpts.TLSConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
 			} else {
 				var err error
 				if wsOpts.TLSConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint); err != nil {
 					return nil, err
 				}
 			}
 			if v.option.ServerName != "" {
 				wsOpts.TLSConfig.ServerName = v.option.ServerName
 			} else if host := wsOpts.Headers.Get("Host"); host != "" {
 				wsOpts.TLSConfig.ServerName = host
 			}
 		}
-		c, err = vmess.StreamWebsocketConn(c, wsOpts)
+		c, err = clashVMess.StreamWebsocketConn(c, wsOpts)
 	case "http":
 		// readability first, so just copy default TLS logic
 		if v.option.TLS {
 			host, _, _ := net.SplitHostPort(v.addr)
-			tlsOpts := &vmess.TLSConfig{
+			tlsOpts := &clashVMess.TLSConfig{
 				Host:           host,
 				SkipCertVerify: v.option.SkipCertVerify,
 			}
@ -129,24 +136,24 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 				tlsOpts.Host = v.option.ServerName
 			}
-			c, err = vmess.StreamTLSConn(c, tlsOpts)
+			c, err = clashVMess.StreamTLSConn(c, tlsOpts)
 			if err != nil {
 				return nil, err
 			}
 		}
 		host, _, _ := net.SplitHostPort(v.addr)
-		httpOpts := &vmess.HTTPConfig{
+		httpOpts := &clashVMess.HTTPConfig{
 			Host:    host,
 			Method:  v.option.HTTPOpts.Method,
 			Path:    v.option.HTTPOpts.Path,
 			Headers: v.option.HTTPOpts.Headers,
 		}
-		c = vmess.StreamHTTPConn(c, httpOpts)
+		c = clashVMess.StreamHTTPConn(c, httpOpts)
 	case "h2":
 		host, _, _ := net.SplitHostPort(v.addr)
-		tlsOpts := vmess.TLSConfig{
+		tlsOpts := clashVMess.TLSConfig{
 			Host:           host,
 			SkipCertVerify: v.option.SkipCertVerify,
 			NextProtos:     []string{"h2"},
@ -156,24 +163,24 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 			tlsOpts.Host = v.option.ServerName
 		}
-		c, err = vmess.StreamTLSConn(c, &tlsOpts)
+		c, err = clashVMess.StreamTLSConn(c, &tlsOpts)
 		if err != nil {
 			return nil, err
 		}
-		h2Opts := &vmess.H2Config{
+		h2Opts := &clashVMess.H2Config{
 			Hosts: v.option.HTTP2Opts.Host,
 			Path:  v.option.HTTP2Opts.Path,
 		}
-		c, err = vmess.StreamH2Conn(c, h2Opts)
+		c, err = clashVMess.StreamH2Conn(c, h2Opts)
 	case "grpc":
 		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig)
 	default:
 		// handle TLS
 		if v.option.TLS {
 			host, _, _ := net.SplitHostPort(v.addr)
-			tlsOpts := &vmess.TLSConfig{
+			tlsOpts := &clashVMess.TLSConfig{
 				Host:           host,
 				SkipCertVerify: v.option.SkipCertVerify,
 			}
@ -182,15 +189,18 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 				tlsOpts.Host = v.option.ServerName
 			}
-			c, err = vmess.StreamTLSConn(c, tlsOpts)
+			c, err = clashVMess.StreamTLSConn(c, tlsOpts)
 		}
 	}
 	if err != nil {
 		return nil, err
 	}
-
+	if metadata.NetWork == C.UDP {
-	return v.client.StreamConn(c, parseVmessAddr(metadata))
+		return v.client.DialPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
 	} else {
 		return v.client.DialConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
 	}
 }
 // DialContext implements C.ProxyAdapter
@ -203,7 +213,7 @@ func (v *Vmess) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 		}
 		defer safeConnClose(c, err)
-		c, err = v.client.StreamConn(c, parseVmessAddr(metadata))
+		c, err = v.client.DialConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
 		if err != nil {
 			return nil, err
 		}
@ -233,6 +243,11 @@ func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 		metadata.DstIP = ip
 	}
 	if v.option.PacketAddr {
 		metadata.Host = packetaddr.SeqPacketMagicAddress
 		metadata.DstPort = "443"
 	}
 	var c net.Conn
 	// gun transport
 	if v.transport != nil && len(opts) == 0 {
@ -242,7 +257,7 @@ func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 		}
 		defer safeConnClose(c, err)
-		c, err = v.client.StreamConn(c, parseVmessAddr(metadata))
+		c, err = v.client.DialPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
 	} else {
 		c, err = dialer.DialContext(ctx, "tcp", v.addr, v.Base.DialOptions(opts...)...)
 		if err != nil {
@ -258,11 +273,21 @@ func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 		return nil, fmt.Errorf("new vmess client error: %v", err)
 	}
-	return v.ListenPacketOnStreamConn(c, metadata)
+	if v.option.PacketAddr {
 		return newPacketConn(&threadSafePacketConn{PacketConn: packetaddr.NewBindClient(c)}, v), nil
 	} else if pc, ok := c.(net.PacketConn); ok {
 		return newPacketConn(&threadSafePacketConn{PacketConn: pc}, v), nil
 	}
 	return newPacketConn(&vmessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}, v), nil
 }
 // ListenPacketOnStreamConn implements C.ProxyAdapter
 func (v *Vmess) ListenPacketOnStreamConn(c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	if v.option.PacketAddr {
 		return newPacketConn(&threadSafePacketConn{PacketConn: packetaddr.NewBindClient(c)}, v), nil
 	} else if pc, ok := c.(net.PacketConn); ok {
 		return newPacketConn(&threadSafePacketConn{PacketConn: pc}, v), nil
 	}
 	return newPacketConn(&vmessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}, v), nil
 }
@ -273,14 +298,11 @@ func (v *Vmess) SupportUOT() bool {
 func NewVmess(option VmessOption) (*Vmess, error) {
 	security := strings.ToLower(option.Cipher)
-	client, err := vmess.NewClient(vmess.Config{
+	var options []vmess.ClientOption
-		UUID:     option.UUID,
+	if option.AuthenticatedLength {
-		AlterID:  uint16(option.AlterID),
+		options = append(options, vmess.ClientWithAuthenticatedLength())
-		Security: security,
+	}
-		HostName: option.Server,
+	client, err := vmess.NewClient(option.UUID, security, option.AlterID, options...)
 		Port:     strconv.Itoa(option.Port),
 		IsAead:   option.AlterID == 0,
 	})
 	if err != nil {
 		return nil, err
 	}
@ -294,12 +316,13 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 	v := &Vmess{
 		Base: &Base{
-			name:  option.Name,
+			name:   option.Name,
-			addr:  net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
+			addr:   net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
-			tp:    C.Vmess,
+			tp:     C.Vmess,
-			udp:   option.UDP,
+			udp:    option.UDP,
-			iface: option.Interface,
+			iface:  option.Interface,
-			rmark: option.RoutingMark,
+			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
 		client: client,
 		option: &option,
@ -339,44 +362,29 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 		v.gunConfig = gunConfig
 		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig)
 	}
 	return v, nil
 }
-func parseVmessAddr(metadata *C.Metadata) *vmess.DstAddr {
+type threadSafePacketConn struct {
-	var addrType byte
+	net.PacketConn
-	var addr []byte
+	access sync.Mutex
-	switch metadata.AddrType {
+}
 	case C.AtypIPv4:
 		addrType = byte(vmess.AtypIPv4)
 		addr = make([]byte, net.IPv4len)
 		copy(addr[:], metadata.DstIP.AsSlice())
 	case C.AtypIPv6:
 		addrType = byte(vmess.AtypIPv6)
 		addr = make([]byte, net.IPv6len)
 		copy(addr[:], metadata.DstIP.AsSlice())
 	case C.AtypDomainName:
 		addrType = byte(vmess.AtypDomainName)
 		addr = make([]byte, len(metadata.Host)+1)
 		addr[0] = byte(len(metadata.Host))
 		copy(addr[1:], []byte(metadata.Host))
 	}
-	port, _ := strconv.ParseUint(metadata.DstPort, 10, 16)
+func (c *threadSafePacketConn) WriteTo(b []byte, addr net.Addr) (int, error) {
-	return &vmess.DstAddr{
+	c.access.Lock()
-		UDP:      metadata.NetWork == C.UDP,
+	defer c.access.Unlock()
-		AddrType: addrType,
+	return c.PacketConn.WriteTo(b, addr)
 		Addr:     addr,
 		Port:     uint(port),
 	}
 }
 type vmessPacketConn struct {
 	net.Conn
-	rAddr net.Addr
+	rAddr  net.Addr
 	access sync.Mutex
 }
 func (uc *vmessPacketConn) WriteTo(b []byte, addr net.Addr) (int, error) {
 	uc.access.Lock()
 	defer uc.access.Unlock()
 	return uc.Conn.Write(b)
 }
--- a/adapter/outboundgroup/fallback.go
+++ b/adapter/outboundgroup/fallback.go
@ -79,17 +79,23 @@ func (f *Fallback) Unwrap(metadata *C.Metadata) C.Proxy {
 func (f *Fallback) findAliveProxy(touch bool) C.Proxy {
 	proxies := f.GetProxies(touch)
-	al := proxies[0]
+	for _, proxy := range proxies {
-	for i := len(proxies) - 1; i > -1; i-- {
+		if len(f.selected) == 0 {
-		proxy := proxies[i]
+			if proxy.Alive() {
-		if proxy.Name() == f.selected && proxy.Alive() {
+				return proxy
-			return proxy
+			}
-		}
+		} else {
-		if proxy.Alive() {
+			if proxy.Name() == f.selected {
-			al = proxy
+				if proxy.Alive() {
 					return proxy
 				} else {
 					f.selected = ""
 				}
 			}
 		}
 	}
-	return al
+
 	return proxies[0]
 }
 func (f *Fallback) Set(name string) error {
--- a/adapter/outboundgroup/groupbase.go
+++ b/adapter/outboundgroup/groupbase.go
@ -19,12 +19,12 @@ type GroupBase struct {
 	*outbound.Base
 	filter        *regexp2.Regexp
 	providers     []provider.ProxyProvider
 	versions      sync.Map // map[string]uint
 	proxies       sync.Map // map[string][]C.Proxy
 	failedTestMux sync.Mutex
 	failedTimes   int
 	failedTime    time.Time
 	failedTesting *atomic.Bool
 	proxies       [][]C.Proxy
 	versions      []atomic.Uint32
 }
 type GroupBaseOption struct {
@ -38,12 +38,18 @@ func NewGroupBase(opt GroupBaseOption) *GroupBase {
 	if opt.filter != "" {
 		filter = regexp2.MustCompile(opt.filter, 0)
 	}
-	return &GroupBase{
+
 	gb := &GroupBase{
 		Base:          outbound.NewBase(opt.BaseOption),
 		filter:        filter,
 		providers:     opt.providers,
 		failedTesting: atomic.NewBool(false),
 	}
 	gb.proxies = make([][]C.Proxy, len(opt.providers))
 	gb.versions = make([]atomic.Uint32, len(opt.providers))
 	return gb
 }
 func (gb *GroupBase) GetProxies(touch bool) []C.Proxy {
@ -61,43 +67,44 @@ func (gb *GroupBase) GetProxies(touch bool) []C.Proxy {
 		return proxies
 	}
-	for _, pd := range gb.providers {
+	for i, pd := range gb.providers {
 		if touch {
 			pd.Touch()
 		}
 		if pd.VehicleType() == types.Compatible {
-			gb.proxies.Store(pd.Name(), pd.Proxies())
+			gb.versions[i].Store(pd.Version())
-			gb.versions.Store(pd.Name(), pd.Version())
+			gb.proxies[i] = pd.Proxies()
 			continue
 		}
-		if version, ok := gb.versions.Load(pd.Name()); !ok || version != pd.Version() {
+		version := gb.versions[i].Load()
 		if version != pd.Version() && gb.versions[i].CAS(version, pd.Version()) {
 			var (
 				proxies    []C.Proxy
 				newProxies []C.Proxy
 			)
 			proxies = pd.Proxies()
 			for _, p := range proxies {
 				if mat, _ := gb.filter.FindStringMatch(p.Name()); mat != nil {
 					newProxies = append(newProxies, p)
 				}
 			}
-			gb.proxies.Store(pd.Name(), newProxies)
+			gb.proxies[i] = newProxies
 			gb.versions.Store(pd.Name(), pd.Version())
 		}
 	}
 	var proxies []C.Proxy
-	gb.proxies.Range(func(key, value any) bool {
+	for _, p := range gb.proxies {
-		proxies = append(proxies, value.([]C.Proxy)...)
+		proxies = append(proxies, p...)
-		return true
+	}
-	})
+
 	if len(proxies) == 0 {
 		return append(proxies, tunnel.Proxies()["COMPATIBLE"])
 	}
 	return proxies
 }
@ -111,11 +118,11 @@ func (gb *GroupBase) URLTest(ctx context.Context, url string) (map[string]uint16
 		wg.Add(1)
 		go func() {
 			delay, err := proxy.URLTest(ctx, url)
 			lock.Lock()
 			if err == nil {
 				lock.Lock()
 				mp[proxy.Name()] = delay
 				lock.Unlock()
 			}
 			lock.Unlock()
 			wg.Done()
 		}()
@ -144,6 +151,7 @@ func (gb *GroupBase) onDialFailed() {
 			gb.failedTime = time.Now()
 		} else {
 			if time.Since(gb.failedTime) > gb.failedTimeoutInterval() {
 				gb.failedTimes = 0
 				return
 			}
--- a/adapter/outboundgroup/loadbalance.go
+++ b/adapter/outboundgroup/loadbalance.go
@ -29,10 +29,8 @@ type LoadBalance struct {
 var errStrategy = errors.New("unsupported strategy")
 func parseStrategy(config map[string]any) string {
-	if elm, ok := config["strategy"]; ok {
+	if strategy, ok := config["strategy"].(string); ok {
-		if strategy, ok := elm.(string); ok {
+		return strategy
 			return strategy
 		}
 	}
 	return "consistent-hashing"
 }
@ -145,6 +143,13 @@ func strategyConsistentHashing() strategyFn {
 			}
 		}
 		// when availability is poor, traverse the entire list to get the available nodes
 		for _, proxy := range proxies {
 			if proxy.Alive() {
 				return proxy
 			}
 		}
 		return proxies[0]
 	}
 }
--- a/adapter/parser.go
+++ b/adapter/parser.go
@ -40,14 +40,14 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		if err != nil {
 			break
 		}
-		proxy = outbound.NewSocks5(*socksOption)
+		proxy, err = outbound.NewSocks5(*socksOption)
 	case "http":
 		httpOption := &outbound.HttpOption{}
 		err = decoder.Decode(mapping, httpOption)
 		if err != nil {
 			break
 		}
-		proxy = outbound.NewHttp(*httpOption)
+		proxy, err = outbound.NewHttp(*httpOption)
 	case "vmess":
 		vmessOption := &outbound.VmessOption{
 			HTTPOpts: outbound.HTTPOptions{
@ -81,6 +81,13 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 			break
 		}
 		proxy, err = outbound.NewTrojan(*trojanOption)
 	case "hysteria":
 		hyOption := &outbound.HysteriaOption{}
 		err = decoder.Decode(mapping, hyOption)
 		if err != nil {
 			break
 		}
 		proxy, err = outbound.NewHysteria(*hyOption)
 	default:
 		return nil, fmt.Errorf("unsupport proxy type: %s", proxyType)
 	}
--- a/adapter/provider/healthcheck.go
+++ b/adapter/provider/healthcheck.go
@ -2,6 +2,7 @@ package provider
 import (
 	"context"
 	"github.com/Dreamacro/clash/common/singledo"
 	"time"
 	"github.com/Dreamacro/clash/common/batch"
@ -26,6 +27,7 @@ type HealthCheck struct {
 	lazy      bool
 	lastTouch *atomic.Int64
 	done      chan struct{}
 	singleDo  *singledo.Single[struct{}]
 }
 func (hc *HealthCheck) process() {
@ -63,17 +65,21 @@ func (hc *HealthCheck) touch() {
 }
 func (hc *HealthCheck) check() {
-	b, _ := batch.New[bool](context.Background(), batch.WithConcurrencyNum[bool](10))
+	_, _, _ = hc.singleDo.Do(func() (struct{}, error) {
-	for _, proxy := range hc.proxies {
+		b, _ := batch.New[bool](context.Background(), batch.WithConcurrencyNum[bool](10))
-		p := proxy
+		for _, proxy := range hc.proxies {
-		b.Go(p.Name(), func() (bool, error) {
+			p := proxy
-			ctx, cancel := context.WithTimeout(context.Background(), defaultURLTestTimeout)
+			b.Go(p.Name(), func() (bool, error) {
-			defer cancel()
+				ctx, cancel := context.WithTimeout(context.Background(), defaultURLTestTimeout)
-			_, _ = p.URLTest(ctx, hc.url)
+				defer cancel()
-			return false, nil
+				_, _ = p.URLTest(ctx, hc.url)
-		})
+				return false, nil
-	}
+			})
-	b.Wait()
+		}
 		b.Wait()
 		return struct{}{}, nil
 	})
 }
 func (hc *HealthCheck) close() {
@ -88,5 +94,6 @@ func NewHealthCheck(proxies []C.Proxy, url string, interval uint, lazy bool) *He
 		lazy:      lazy,
 		lastTouch: atomic.NewInt64(0),
 		done:      make(chan struct{}, 1),
 		singleDo:  singledo.NewSingle[struct{}](time.Second),
 	}
 }
--- a/adapter/provider/parser.go
+++ b/adapter/provider/parser.go
@ -3,6 +3,7 @@ package provider
 import (
 	"errors"
 	"fmt"
 	"github.com/Dreamacro/clash/component/resource"
 	"time"
 	"github.com/Dreamacro/clash/common/structure"
@ -51,9 +52,9 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide
 	var vehicle types.Vehicle
 	switch schema.Type {
 	case "file":
-		vehicle = NewFileVehicle(path)
+		vehicle = resource.NewFileVehicle(path)
 	case "http":
-		vehicle = NewHTTPVehicle(schema.URL, path)
+		vehicle = resource.NewHTTPVehicle(schema.URL, path)
 	default:
 		return nil, fmt.Errorf("%w: %s", errVehicleType, schema.Type)
 	}
--- a/adapter/provider/provider.go
+++ b/adapter/provider/provider.go
@ -5,8 +5,8 @@ import (
 	"errors"
 	"fmt"
 	"github.com/Dreamacro/clash/common/convert"
 	"github.com/Dreamacro/clash/component/resource"
 	"github.com/dlclark/regexp2"
 	"math"
 	"runtime"
 	"time"
@ -31,10 +31,10 @@ type ProxySetProvider struct {
 }
 type proxySetProvider struct {
-	*fetcher[[]C.Proxy]
+	*resource.Fetcher[[]C.Proxy]
 	proxies     []C.Proxy
 	healthCheck *HealthCheck
-	version     uint
+	version     uint32
 }
 func (pp *proxySetProvider) MarshalJSON() ([]byte, error) {
@ -43,16 +43,16 @@ func (pp *proxySetProvider) MarshalJSON() ([]byte, error) {
 		"type":        pp.Type().String(),
 		"vehicleType": pp.VehicleType().String(),
 		"proxies":     pp.Proxies(),
-		"updatedAt":   pp.updatedAt,
+		"updatedAt":   pp.UpdatedAt,
 	})
 }
-func (pp *proxySetProvider) Version() uint {
+func (pp *proxySetProvider) Version() uint32 {
 	return pp.version
 }
 func (pp *proxySetProvider) Name() string {
-	return pp.name
+	return pp.Fetcher.Name()
 }
 func (pp *proxySetProvider) HealthCheck() {
@ -60,19 +60,19 @@ func (pp *proxySetProvider) HealthCheck() {
 }
 func (pp *proxySetProvider) Update() error {
-	elm, same, err := pp.fetcher.Update()
+	elm, same, err := pp.Fetcher.Update()
 	if err == nil && !same {
-		pp.onUpdate(elm)
+		pp.OnUpdate(elm)
 	}
 	return err
 }
 func (pp *proxySetProvider) Initial() error {
-	elm, err := pp.fetcher.Initial()
+	elm, err := pp.Fetcher.Initial()
 	if err != nil {
 		return err
 	}
-	pp.onUpdate(elm)
+	pp.OnUpdate(elm)
 	return nil
 }
@ -98,7 +98,7 @@ func (pp *proxySetProvider) setProxies(proxies []C.Proxy) {
 func stopProxyProvider(pd *ProxySetProvider) {
 	pd.healthCheck.close()
-	_ = pd.fetcher.Destroy()
+	_ = pd.Fetcher.Destroy()
 }
 func NewProxySetProvider(name string, interval time.Duration, filter string, vehicle types.Vehicle, hc *HealthCheck) (*ProxySetProvider, error) {
@ -116,8 +116,8 @@ func NewProxySetProvider(name string, interval time.Duration, filter string, veh
 		healthCheck: hc,
 	}
-	fetcher := newFetcher[[]C.Proxy](name, interval, vehicle, proxiesParseAndFilter(filter, filterReg), proxiesOnUpdate(pd))
+	fetcher := resource.NewFetcher[[]C.Proxy](name, interval, vehicle, proxiesParseAndFilter(filter, filterReg), proxiesOnUpdate(pd))
-	pd.fetcher = fetcher
+	pd.Fetcher = fetcher
 	wrapper := &ProxySetProvider{pd}
 	runtime.SetFinalizer(wrapper, stopProxyProvider)
@ -133,7 +133,7 @@ type compatibleProvider struct {
 	name        string
 	healthCheck *HealthCheck
 	proxies     []C.Proxy
-	version     uint
+	version     uint32
 }
 func (cp *compatibleProvider) MarshalJSON() ([]byte, error) {
@ -145,7 +145,7 @@ func (cp *compatibleProvider) MarshalJSON() ([]byte, error) {
 	})
 }
-func (cp *compatibleProvider) Version() uint {
+func (cp *compatibleProvider) Version() uint32 {
 	return cp.version
 }
@ -208,15 +208,11 @@ func NewCompatibleProvider(name string, proxies []C.Proxy, hc *HealthCheck) (*Co
 func proxiesOnUpdate(pd *proxySetProvider) func([]C.Proxy) {
 	return func(elm []C.Proxy) {
 		pd.setProxies(elm)
-		if pd.version == math.MaxUint {
+		pd.version += 1
 			pd.version = 0
 		} else {
 			pd.version++
 		}
 	}
 }
-func proxiesParseAndFilter(filter string, filterReg *regexp2.Regexp) parser[[]C.Proxy] {
+func proxiesParseAndFilter(filter string, filterReg *regexp2.Regexp) resource.Parser[[]C.Proxy] {
 	return func(buf []byte) ([]C.Proxy, error) {
 		schema := &ProxySchema{}
--- a/common/convert/base64.go
+++ b/common/convert/base64.go
@ -0,0 +1,45 @@
 package convert
 import (
 	"encoding/base64"
 	"strings"
 )
 var (
 	encRaw = base64.RawStdEncoding
 	enc    = base64.StdEncoding
 )
 // DecodeBase64 try to decode content from the given bytes,
 // which can be in base64.RawStdEncoding, base64.StdEncoding or just plaintext.
 func DecodeBase64(buf []byte) []byte {
 	result, err := tryDecodeBase64(buf)
 	if err != nil {
 		return buf
 	}
 	return result
 }
 func tryDecodeBase64(buf []byte) ([]byte, error) {
 	dBuf := make([]byte, encRaw.DecodedLen(len(buf)))
 	n, err := encRaw.Decode(dBuf, buf)
 	if err != nil {
 		n, err = enc.Decode(dBuf, buf)
 		if err != nil {
 			return nil, err
 		}
 	}
 	return dBuf[:n], nil
 }
 func urlSafe(data string) string {
 	return strings.NewReplacer("+", "-", "/", "_").Replace(data)
 }
 func decodeUrlSafe(data string) string {
 	dcBuf, err := base64.RawURLEncoding.DecodeString(data)
 	if err != nil {
 		return ""
 	}
 	return string(dcBuf)
 }
--- a/common/convert/converter.go
+++ b/common/convert/converter.go
@ -2,41 +2,16 @@ package convert
 import (
 	"bytes"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"net/url"
 	"strconv"
 	"strings"
 )
 var enc = base64.StdEncoding
 func DecodeBase64(buf []byte) ([]byte, error) {
 	dBuf := make([]byte, enc.DecodedLen(len(buf)))
 	n, err := enc.Decode(dBuf, buf)
 	if err != nil {
 		return nil, err
 	}
 	return dBuf[:n], nil
 }
 // DecodeBase64StringToString decode base64 string to string
 func DecodeBase64StringToString(s string) (string, error) {
 	dBuf, err := enc.DecodeString(s)
 	if err != nil {
 		return "", err
 	}
 	return string(dBuf), nil
 }
 // ConvertsV2Ray convert V2Ray subscribe proxies data to clash proxies config
 func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
-	data, err := DecodeBase64(buf)
+	data := DecodeBase64(buf)
 	if err != nil {
 		data = buf
 	}
 	arr := strings.Split(string(data), "\n")
@ -56,13 +31,46 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 		scheme = strings.ToLower(scheme)
 		switch scheme {
 		case "hysteria":
 			urlHysteria, err := url.Parse(line)
 			if err != nil {
 				continue
 			}
 			query := urlHysteria.Query()
 			name := uniqueName(names, urlHysteria.Fragment)
 			hysteria := make(map[string]any, 20)
 			hysteria["name"] = name
 			hysteria["type"] = scheme
 			hysteria["server"] = urlHysteria.Hostname()
 			hysteria["port"] = urlHysteria.Port()
 			hysteria["sni"] = query.Get("peer")
 			hysteria["obfs"] = query.Get("obfs")
 			hysteria["alpn"] = query.Get("alpn")
 			hysteria["auth_str"] = query.Get("auth")
 			hysteria["protocol"] = query.Get("protocol")
 			up := query.Get("up")
 			down := query.Get("down")
 			if up == "" {
 				up = query.Get("upmbps")
 			}
 			if down == "" {
 				down = query.Get("downmbps")
 			}
 			hysteria["down"] = down
 			hysteria["up"] = up
 			hysteria["skip-cert-verify"], _ = strconv.ParseBool(query.Get("insecure"))
 			proxies = append(proxies, hysteria)
 		case "trojan":
 			urlTrojan, err := url.Parse(line)
 			if err != nil {
 				continue
 			}
-			q := urlTrojan.Query()
+			query := urlTrojan.Query()
 			name := uniqueName(names, urlTrojan.Fragment)
 			trojan := make(map[string]any, 20)
@ -75,35 +83,70 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			trojan["udp"] = true
 			trojan["skip-cert-verify"] = false
-			sni := q.Get("sni")
+			sni := query.Get("sni")
 			if sni != "" {
 				trojan["sni"] = sni
 			}
-			network := strings.ToLower(q.Get("type"))
+			network := strings.ToLower(query.Get("type"))
 			if network != "" {
 				trojan["network"] = network
 			}
-			if network == "ws" {
+			switch network {
 			case "ws":
 				headers := make(map[string]any)
 				wsOpts := make(map[string]any)
 				headers["Host"] = RandHost()
 				headers["User-Agent"] = RandUserAgent()
-				wsOpts["path"] = q.Get("path")
+				wsOpts["path"] = query.Get("path")
 				wsOpts["headers"] = headers
 				trojan["ws-opts"] = wsOpts
 			case "grpc":
 				grpcOpts := make(map[string]any)
 				grpcOpts["grpc-service-name"] = query.Get("serviceName")
 				trojan["grpc-opts"] = grpcOpts
 			}
 			proxies = append(proxies, trojan)
-		case "vmess":
+
-			dcBuf, err := enc.DecodeString(body)
+		case "vless":
 			urlVLess, err := url.Parse(line)
 			if err != nil {
 				continue
 			}
 			query := urlVLess.Query()
 			vless := make(map[string]any, 20)
 			handleVShareLink(names, urlVLess, scheme, vless)
 			if flow := query.Get("flow"); flow != "" {
 				vless["flow"] = strings.ToLower(flow)
 			}
 			proxies = append(proxies, vless)
 		case "vmess":
 			// V2RayN-styled share link
 			// https://github.com/2dust/v2rayN/wiki/%E5%88%86%E4%BA%AB%E9%93%BE%E6%8E%A5%E6%A0%BC%E5%BC%8F%E8%AF%B4%E6%98%8E(ver-2)
 			dcBuf, err := tryDecodeBase64([]byte(body))
 			if err != nil {
 				// Xray VMessAEAD share link
 				urlVMess, err := url.Parse(line)
 				if err != nil {
 					continue
 				}
 				query := urlVMess.Query()
 				vmess := make(map[string]any, 20)
 				handleVShareLink(names, urlVMess, scheme, vmess)
 				vmess["alterId"] = 0
 				vmess["cipher"] = "auto"
 				if encryption := query.Get("encryption"); encryption != "" {
 					vmess["cipher"] = encryption
 				}
 				proxies = append(proxies, vmess)
 				continue
 			}
 			jsonDc := json.NewDecoder(bytes.NewReader(dcBuf))
 			values := make(map[string]any, 20)
@ -120,40 +163,85 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			vmess["server"] = values["add"]
 			vmess["port"] = values["port"]
 			vmess["uuid"] = values["id"]
-			vmess["alterId"] = values["aid"]
+			if alterId, ok := values["aid"]; ok {
-			vmess["cipher"] = "auto"
+				vmess["alterId"] = alterId
 			} else {
 				vmess["alterId"] = 0
 			}
 			vmess["udp"] = true
 			vmess["tls"] = false
 			vmess["skip-cert-verify"] = false
-			host := values["host"]
+			vmess["cipher"] = "auto"
-			network := strings.ToLower(values["net"].(string))
+			if cipher, ok := values["scy"]; ok && cipher != "" {
 				vmess["cipher"] = cipher
 			}
 			if sni, ok := values["sni"]; ok && sni != "" {
 				vmess["servername"] = sni
 			}
 			network := strings.ToLower(values["net"].(string))
 			if values["type"] == "http" {
 				network = "http"
 			} else if network == "http" {
 				network = "h2"
 			}
 			vmess["network"] = network
 			tls := strings.ToLower(values["tls"].(string))
-			if tls != "" && tls != "0" && tls != "null" {
+			if strings.HasSuffix(tls, "tls") {
 				if host != nil {
 					vmess["servername"] = host
 				}
 				vmess["tls"] = true
 			}
-			if network == "ws" {
+			switch network {
 			case "http":
 				headers := make(map[string]any)
 				httpOpts := make(map[string]any)
 				if host, ok := values["host"]; ok && host != "" {
 					headers["Host"] = []string{host.(string)}
 				}
 				httpOpts["path"] = []string{"/"}
 				if path, ok := values["path"]; ok && path != "" {
 					httpOpts["path"] = []string{path.(string)}
 				}
 				httpOpts["headers"] = headers
 				vmess["http-opts"] = httpOpts
 			case "h2":
 				headers := make(map[string]any)
 				h2Opts := make(map[string]any)
 				if host, ok := values["host"]; ok && host != "" {
 					headers["Host"] = []string{host.(string)}
 				}
 				h2Opts["path"] = values["path"]
 				h2Opts["headers"] = headers
 				vmess["h2-opts"] = h2Opts
 			case "ws":
 				headers := make(map[string]any)
 				wsOpts := make(map[string]any)
-
+				wsOpts["path"] = []string{"/"}
-				headers["Host"] = RandHost()
+				if host, ok := values["host"]; ok && host != "" {
-				headers["User-Agent"] = RandUserAgent()
+					headers["Host"] = host.(string)
-
+				}
-				if values["path"] != nil {
+				if path, ok := values["path"]; ok && path != "" {
-					wsOpts["path"] = values["path"]
+					wsOpts["path"] = path.(string)
 				}
 				wsOpts["headers"] = headers
 				vmess["ws-opts"] = wsOpts
 			case "grpc":
 				grpcOpts := make(map[string]any)
 				grpcOpts["grpc-service-name"] = values["path"]
 				vmess["grpc-opts"] = grpcOpts
 			}
 			proxies = append(proxies, vmess)
 		case "ss":
 			urlSS, err := url.Parse(line)
 			if err != nil {
@ -164,7 +252,7 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			port := urlSS.Port()
 			if port == "" {
-				dcBuf, err := enc.DecodeString(urlSS.Host)
+				dcBuf, err := encRaw.DecodeString(urlSS.Host)
 				if err != nil {
 					continue
 				}
@ -181,11 +269,10 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			)
 			if password, found = urlSS.User.Password(); !found {
-				dcBuf, err := enc.DecodeString(cipher)
+				dcBuf, _ := enc.DecodeString(cipher)
-				if err != nil {
+				if !strings.Contains(string(dcBuf), "2022-blake3") {
-					continue
+					dcBuf, _ = encRaw.DecodeString(cipher)
 				}
 				cipher, password, found = strings.Cut(string(dcBuf), ":")
 				if !found {
 					continue
@ -200,11 +287,19 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			ss["port"] = urlSS.Port()
 			ss["cipher"] = cipher
 			ss["password"] = password
 			query := urlSS.Query()
 			ss["udp"] = true
-
+			if strings.Contains(query.Get("plugin"), "obfs") {
 				obfsParams := strings.Split(query.Get("plugin"), ";")
 				ss["plugin"] = "obfs"
 				ss["plugin-opts"] = map[string]any{
 					"host": obfsParams[2][10:],
 					"mode": obfsParams[1][5:],
 				}
 			}
 			proxies = append(proxies, ss)
 		case "ssr":
-			dcBuf, err := enc.DecodeString(body)
+			dcBuf, err := encRaw.DecodeString(body)
 			if err != nil {
 				continue
 			}
@ -261,54 +356,6 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			}
 			proxies = append(proxies, ssr)
 		case "vless":
 			urlVless, err := url.Parse(line)
 			if err != nil {
 				continue
 			}
 			q := urlVless.Query()
 			name := uniqueName(names, urlVless.Fragment)
 			vless := make(map[string]any, 20)
 			vless["name"] = name
 			vless["type"] = scheme
 			vless["server"] = urlVless.Hostname()
 			vless["port"] = urlVless.Port()
 			vless["uuid"] = urlVless.User.Username()
 			vless["udp"] = true
 			vless["skip-cert-verify"] = false
 			sni := q.Get("sni")
 			if sni != "" {
 				vless["servername"] = sni
 			}
 			flow := strings.ToLower(q.Get("flow"))
 			if flow != "" {
 				vless["flow"] = flow
 			}
 			network := strings.ToLower(q.Get("type"))
 			if network != "" {
 				vless["network"] = network
 			}
 			if network == "ws" {
 				headers := make(map[string]any)
 				wsOpts := make(map[string]any)
 				headers["Host"] = RandHost()
 				headers["User-Agent"] = RandUserAgent()
 				wsOpts["path"] = q.Get("path")
 				wsOpts["headers"] = headers
 				vless["ws-opts"] = wsOpts
 			}
 			proxies = append(proxies, vless)
 		}
 	}
@ -319,23 +366,11 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 	return proxies, nil
 }
 func urlSafe(data string) string {
 	return strings.ReplaceAll(strings.ReplaceAll(data, "+", "-"), "/", "_")
 }
 func decodeUrlSafe(data string) string {
 	dcBuf, err := base64.URLEncoding.DecodeString(data)
 	if err != nil {
 		return ""
 	}
 	return string(dcBuf)
 }
 func uniqueName(names map[string]int, name string) string {
 	if index, ok := names[name]; ok {
 		index++
 		names[name] = index
-		name = name + "-" + fmt.Sprintf("%02d", index)
+		name = fmt.Sprintf("%s-%02d", name, index)
 	} else {
 		index = 0
 		names[name] = index
--- a/common/convert/util.go
+++ b/common/convert/util.go
@ -307,7 +307,10 @@ func RandUserAgent() string {
 	return userAgents[rand.Intn(uaLen)]
 }
-func SetUserAgent(req *http.Request) {
+func SetUserAgent(header http.Header) {
 	if header.Get("User-Agent") != "" {
 		return
 	}
 	userAgent := RandUserAgent()
-	req.Header.Set("User-Agent", userAgent)
+	header.Set("User-Agent", userAgent)
 }
--- a/common/convert/v.go
+++ b/common/convert/v.go
@ -0,0 +1,89 @@
 package convert
 import (
 	"net/url"
 	"strings"
 )
 func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy map[string]any) {
 	// Xray VMessAEAD / VLESS share link standard
 	// https://github.com/XTLS/Xray-core/discussions/716
 	query := url.Query()
 	proxy["name"] = uniqueName(names, url.Fragment)
 	proxy["type"] = scheme
 	proxy["server"] = url.Hostname()
 	proxy["port"] = url.Port()
 	proxy["uuid"] = url.User.Username()
 	proxy["udp"] = true
 	proxy["skip-cert-verify"] = false
 	proxy["tls"] = false
 	tls := strings.ToLower(query.Get("security"))
 	if strings.HasSuffix(tls, "tls") {
 		proxy["tls"] = true
 	}
 	if sni := query.Get("sni"); sni != "" {
 		proxy["servername"] = sni
 	}
 	network := strings.ToLower(query.Get("type"))
 	if network == "" {
 		network = "tcp"
 	}
 	fakeType := strings.ToLower(query.Get("headerType"))
 	if fakeType == "http" {
 		network = "http"
 	} else if network == "http" {
 		network = "h2"
 	}
 	proxy["network"] = network
 	switch network {
 	case "tcp":
 		if fakeType != "none" {
 			headers := make(map[string]any)
 			httpOpts := make(map[string]any)
 			httpOpts["path"] = []string{"/"}
 			if host := query.Get("host"); host != "" {
 				headers["Host"] = []string{host}
 			}
 			if method := query.Get("method"); method != "" {
 				httpOpts["method"] = method
 			}
 			if path := query.Get("path"); path != "" {
 				httpOpts["path"] = []string{path}
 			}
 			httpOpts["headers"] = headers
 			proxy["http-opts"] = httpOpts
 		}
 	case "http":
 		headers := make(map[string]any)
 		h2Opts := make(map[string]any)
 		h2Opts["path"] = []string{"/"}
 		if path := query.Get("path"); path != "" {
 			h2Opts["path"] = []string{path}
 		}
 		if host := query.Get("host"); host != "" {
 			h2Opts["host"] = []string{host}
 		}
 		h2Opts["headers"] = headers
 		proxy["h2-opts"] = h2Opts
 	case "ws":
 		headers := make(map[string]any)
 		wsOpts := make(map[string]any)
 		headers["User-Agent"] = RandUserAgent()
 		headers["Host"] = query.Get("host")
 		wsOpts["path"] = query.Get("path")
 		wsOpts["headers"] = headers
 		proxy["ws-opts"] = wsOpts
 	case "grpc":
 		grpcOpts := make(map[string]any)
 		grpcOpts["grpc-service-name"] = query.Get("serviceName")
 		proxy["grpc-opts"] = grpcOpts
 	}
 }
--- a/common/pool/alloc.go
+++ b/common/pool/alloc.go
@ -8,7 +8,7 @@ import (
 	"sync"
 )
-var defaultAllocator = NewAllocator()
+var DefaultAllocator = NewAllocator()
 // Allocator for incoming frames, optimized to prevent overwriting after zeroing
 type Allocator struct {
@ -52,8 +52,8 @@ func (alloc *Allocator) Put(buf []byte) error {
 		return errors.New("allocator Put() incorrect buffer size")
 	}
 	//lint:ignore SA6002 ignore temporarily
 	//nolint
 	//lint:ignore SA6002 ignore temporarily
 	alloc.buffers[bits].Put(buf)
 	return nil
 }
--- a/common/pool/pool.go
+++ b/common/pool/pool.go
@ -13,9 +13,9 @@ const (
 )
 func Get(size int) []byte {
-	return defaultAllocator.Get(size)
+	return DefaultAllocator.Get(size)
 }
 func Put(buf []byte) error {
-	return defaultAllocator.Put(buf)
+	return DefaultAllocator.Put(buf)
 }
--- a/common/singledo/singledo.go
+++ b/common/singledo/singledo.go
@ -25,7 +25,6 @@ type Result[T any] struct {
 }
 // Do single.Do likes sync.singleFlight
 //lint:ignore ST1008 it likes sync.singleFlight
 func (s *Single[T]) Do(fn func() (T, error)) (v T, err error, shared bool) {
 	s.mux.Lock()
 	now := time.Now()
--- a/component/dialer/dialer.go
+++ b/component/dialer/dialer.go
@ -4,11 +4,12 @@ import (
 	"context"
 	"errors"
 	"fmt"
 	"github.com/Dreamacro/clash/component/resolver"
 	"go.uber.org/atomic"
 	"net"
 	"net/netip"
 	"strings"
 	"sync"
 	"github.com/Dreamacro/clash/component/resolver"
 )
 var (
@ -17,6 +18,8 @@ var (
 	actualDualStackDialContext = dualStackDialContext
 	tcpConcurrent              = false
 	DisableIPv6                = false
 	ErrorInvalidedNetworkStack = errors.New("invalided network stack")
 	ErrorDisableIPv6           = errors.New("IPv6 is disabled, dialer cancel")
 )
 func DialContext(ctx context.Context, network, address string, options ...Option) (net.Conn, error) {
@ -33,13 +36,23 @@ func DialContext(ctx context.Context, network, address string, options ...Option
 		o(opt)
 	}
 	if opt.network == 4 || opt.network == 6 {
 		if strings.Contains(network, "tcp") {
 			network = "tcp"
 		} else {
 			network = "udp"
 		}
 		network = fmt.Sprintf("%s%d", network, opt.network)
 	}
 	switch network {
 	case "tcp4", "tcp6", "udp4", "udp6":
 		return actualSingleDialContext(ctx, network, address, opt)
 	case "tcp", "udp":
 		return actualDualStackDialContext(ctx, network, address, opt)
 	default:
-		return nil, errors.New("network invalid")
+		return nil, ErrorInvalidedNetworkStack
 	}
 }
@ -105,7 +118,7 @@ func dialContext(ctx context.Context, network string, destination netip.Addr, po
 	}
 	if DisableIPv6 && destination.Is6() {
-		return nil, fmt.Errorf("IPv6 is diabled, dialer cancel")
+		return nil, ErrorDisableIPv6
 	}
 	return dialer.DialContext(ctx, network, net.JoinHostPort(destination.String(), port))
@ -167,29 +180,35 @@ func dualStackDialContext(ctx context.Context, network, address string, opt *opt
 	go startRacer(ctx, network+"4", host, opt.direct, false)
 	go startRacer(ctx, network+"6", host, opt.direct, true)
-	for res := range results {
+	count := 2
-		if res.error == nil {
+	for i := 0; i < count; i++ {
-			return res.Conn, nil
+		select {
-		}
+		case res := <-results:
-
+			if res.error == nil {
-		if !res.ipv6 {
+				return res.Conn, nil
 			primary = res
 		} else {
 			fallback = res
 		}
 		if primary.done && fallback.done {
 			if primary.resolved {
 				return nil, primary.error
 			} else if fallback.resolved {
 				return nil, fallback.error
 			} else {
 				return nil, primary.error
 			}
 			if !res.ipv6 {
 				primary = res
 			} else {
 				fallback = res
 			}
 			if primary.done && fallback.done {
 				if primary.resolved {
 					return nil, primary.error
 				} else if fallback.resolved {
 					return nil, fallback.error
 				} else {
 					return nil, primary.error
 				}
 			}
 		case <-ctx.Done():
 			break
 		}
 	}
-	return nil, errors.New("never touched")
+	return nil, errors.New("dual stack tcp shake hands failed")
 }
 func concurrentDualStackDialContext(ctx context.Context, network, address string, opt *option) (net.Conn, error) {
@ -199,13 +218,16 @@ func concurrentDualStackDialContext(ctx context.Context, network, address string
 	}
 	var ips []netip.Addr
 	if opt.direct {
 		ips, err = resolver.ResolveAllIP(host)
 	} else {
 		ips, err = resolver.ResolveAllIPProxyServerHost(host)
 	}
 	if err != nil {
 		return nil, err
 	}
 	return concurrentDialContext(ctx, network, ips, port, opt)
 }
@ -217,30 +239,49 @@ func concurrentDialContext(ctx context.Context, network string, ips []netip.Addr
 		ip netip.Addr
 		net.Conn
 		error
-		resolved bool
+		isPrimary bool
 		done      bool
 	}
 	preferCount := atomic.NewInt32(0)
 	results := make(chan dialResult)
 	tcpRacer := func(ctx context.Context, ip netip.Addr) {
-		result := dialResult{ip: ip}
+		result := dialResult{ip: ip, done: true}
 		defer func() {
 			select {
 			case results <- result:
 			case <-returned:
 				if result.Conn != nil {
-					result.Conn.Close()
+					_ = result.Conn.Close()
 				}
 			}
 		}()
-
+		if strings.Contains(network, "tcp") {
-		v := "4"
+			network = "tcp"
-		if ip.Is6() {
+		} else {
-			v = "6"
+			network = "udp"
 		}
-		result.Conn, result.error = dialContext(ctx, network+v, ip, port, opt)
+		if ip.Is6() {
 			network += "6"
 			if opt.prefer != 4 {
 				result.isPrimary = true
 			}
 		}
 		if ip.Is4() {
 			network += "4"
 			if opt.prefer != 6 {
 				result.isPrimary = true
 			}
 		}
 		if result.isPrimary {
 			preferCount.Add(1)
 		}
 		result.Conn, result.error = dialContext(ctx, network, ip, port, opt)
 	}
 	for _, ip := range ips {
@ -248,17 +289,38 @@ func concurrentDialContext(ctx context.Context, network string, ips []netip.Addr
 	}
 	connCount := len(ips)
-	for res := range results {
+	var fallback dialResult
-		connCount--
+	for i := 0; i < connCount; i++ {
-		if res.error == nil {
+		select {
-			return res.Conn, nil
+		case res := <-results:
-		}
+			if res.error == nil {
-
+				if res.isPrimary {
-		if connCount == 0 {
+					return res.Conn, nil
 				} else {
 					if !fallback.done || fallback.error != nil {
 						fallback = res
 					}
 				}
 			} else {
 				if res.isPrimary {
 					preferCount.Add(-1)
 					if preferCount.Load() == 0 && fallback.done && fallback.error == nil {
 						return fallback.Conn, nil
 					}
 				}
 			}
 		case <-ctx.Done():
 			if fallback.done && fallback.error == nil {
 				return fallback.Conn, nil
 			}
 			break
 		}
 	}
 	if fallback.done && fallback.error == nil {
 		return fallback.Conn, nil
 	}
 	return nil, fmt.Errorf("all ips %v tcp shake hands failed", ips)
 }
@ -291,25 +353,45 @@ func singleDialContext(ctx context.Context, network string, address string, opt
 }
 func concurrentSingleDialContext(ctx context.Context, network string, address string, opt *option) (net.Conn, error) {
 	switch network {
 	case "tcp4", "udp4":
 		return concurrentIPv4DialContext(ctx, network, address, opt)
 	default:
 		return concurrentIPv6DialContext(ctx, network, address, opt)
 	}
 }
 func concurrentIPv4DialContext(ctx context.Context, network, address string, opt *option) (net.Conn, error) {
 	host, port, err := net.SplitHostPort(address)
 	if err != nil {
 		return nil, err
 	}
 	var ips []netip.Addr
-	switch network {
+	if !opt.direct {
-	case "tcp4", "udp4":
+		ips, err = resolver.ResolveAllIPv4ProxyServerHost(host)
-		if !opt.direct {
+	} else {
-			ips, err = resolver.ResolveAllIPv4ProxyServerHost(host)
+		ips, err = resolver.ResolveAllIPv4(host)
-		} else {
+	}
-			ips, err = resolver.ResolveAllIPv4(host)
+
-		}
+	if err != nil {
-	default:
+		return nil, err
-		if !opt.direct {
+	}
-			ips, err = resolver.ResolveAllIPv6ProxyServerHost(host)
+
-		} else {
+	return concurrentDialContext(ctx, network, ips, port, opt)
-			ips, err = resolver.ResolveAllIPv6(host)
+}
-		}
+
 func concurrentIPv6DialContext(ctx context.Context, network, address string, opt *option) (net.Conn, error) {
 	host, port, err := net.SplitHostPort(address)
 	if err != nil {
 		return nil, err
 	}
 	var ips []netip.Addr
 	if !opt.direct {
 		ips, err = resolver.ResolveAllIPv6ProxyServerHost(host)
 	} else {
 		ips, err = resolver.ResolveAllIPv6(host)
 	}
 	if err != nil {
--- a/component/dialer/options.go
+++ b/component/dialer/options.go
@ -1,6 +1,8 @@
 package dialer
-import "go.uber.org/atomic"
+import (
 	"go.uber.org/atomic"
 )
 var (
 	DefaultOptions     []Option
@ -13,6 +15,8 @@ type option struct {
 	addrReuse     bool
 	routingMark   int
 	direct        bool
 	network       int
 	prefer        int
 }
 type Option func(opt *option)
@ -40,3 +44,25 @@ func WithDirect() Option {
 		opt.direct = true
 	}
 }
 func WithPreferIPv4() Option {
 	return func(opt *option) {
 		opt.prefer = 4
 	}
 }
 func WithPreferIPv6() Option {
 	return func(opt *option) {
 		opt.prefer = 6
 	}
 }
 func WithOnlySingleStack(isIPv4 bool) Option {
 	return func(opt *option) {
 		if isIPv4 {
 			opt.network = 4
 		} else {
 			opt.network = 6
 		}
 	}
 }
--- a/component/ebpf/bpf/bpf_endian.h
+++ b/component/ebpf/bpf/bpf_endian.h
@ -0,0 +1,99 @@
 /* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */
 #ifndef __BPF_ENDIAN__
 #define __BPF_ENDIAN__
 /*
 * Isolate byte #n and put it into byte #m, for __u##b type.
 * E.g., moving byte #6 (nnnnnnnn) into byte #1 (mmmmmmmm) for __u64:
 * 1) xxxxxxxx nnnnnnnn xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx mmmmmmmm xxxxxxxx
 * 2) nnnnnnnn xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx mmmmmmmm xxxxxxxx 00000000
 * 3) 00000000 00000000 00000000 00000000 00000000 00000000 00000000 nnnnnnnn
 * 4) 00000000 00000000 00000000 00000000 00000000 00000000 nnnnnnnn 00000000
 */
 #define ___bpf_mvb(x, b, n, m) ((__u##b)(x) << (b-(n+1)*8) >> (b-8) << (m*8))
 #define ___bpf_swab16(x) ((__u16)(			\
 			  ___bpf_mvb(x, 16, 0, 1) |	\
 			  ___bpf_mvb(x, 16, 1, 0)))
 #define ___bpf_swab32(x) ((__u32)(			\
 			  ___bpf_mvb(x, 32, 0, 3) |	\
 			  ___bpf_mvb(x, 32, 1, 2) |	\
 			  ___bpf_mvb(x, 32, 2, 1) |	\
 			  ___bpf_mvb(x, 32, 3, 0)))
 #define ___bpf_swab64(x) ((__u64)(			\
 			  ___bpf_mvb(x, 64, 0, 7) |	\
 			  ___bpf_mvb(x, 64, 1, 6) |	\
 			  ___bpf_mvb(x, 64, 2, 5) |	\
 			  ___bpf_mvb(x, 64, 3, 4) |	\
 			  ___bpf_mvb(x, 64, 4, 3) |	\
 			  ___bpf_mvb(x, 64, 5, 2) |	\
 			  ___bpf_mvb(x, 64, 6, 1) |	\
 			  ___bpf_mvb(x, 64, 7, 0)))
 /* LLVM's BPF target selects the endianness of the CPU
 * it compiles on, or the user specifies (bpfel/bpfeb),
 * respectively. The used __BYTE_ORDER__ is defined by
 * the compiler, we cannot rely on __BYTE_ORDER from
 * libc headers, since it doesn't reflect the actual
 * requested byte order.
 *
 * Note, LLVM's BPF target has different __builtin_bswapX()
 * semantics. It does map to BPF_ALU | BPF_END | BPF_TO_BE
 * in bpfel and bpfeb case, which means below, that we map
 * to cpu_to_be16(). We could use it unconditionally in BPF
 * case, but better not rely on it, so that this header here
 * can be used from application and BPF program side, which
 * use different targets.
 */
 #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
 # define __bpf_ntohs(x)			__builtin_bswap16(x)
 # define __bpf_htons(x)			__builtin_bswap16(x)
 # define __bpf_constant_ntohs(x)	___bpf_swab16(x)
 # define __bpf_constant_htons(x)	___bpf_swab16(x)
 # define __bpf_ntohl(x)			__builtin_bswap32(x)
 # define __bpf_htonl(x)			__builtin_bswap32(x)
 # define __bpf_constant_ntohl(x)	___bpf_swab32(x)
 # define __bpf_constant_htonl(x)	___bpf_swab32(x)
 # define __bpf_be64_to_cpu(x)		__builtin_bswap64(x)
 # define __bpf_cpu_to_be64(x)		__builtin_bswap64(x)
 # define __bpf_constant_be64_to_cpu(x)	___bpf_swab64(x)
 # define __bpf_constant_cpu_to_be64(x)	___bpf_swab64(x)
 #elif __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
 # define __bpf_ntohs(x)			(x)
 # define __bpf_htons(x)			(x)
 # define __bpf_constant_ntohs(x)	(x)
 # define __bpf_constant_htons(x)	(x)
 # define __bpf_ntohl(x)			(x)
 # define __bpf_htonl(x)			(x)
 # define __bpf_constant_ntohl(x)	(x)
 # define __bpf_constant_htonl(x)	(x)
 # define __bpf_be64_to_cpu(x)		(x)
 # define __bpf_cpu_to_be64(x)		(x)
 # define __bpf_constant_be64_to_cpu(x)  (x)
 # define __bpf_constant_cpu_to_be64(x)  (x)
 #else
 # error "Fix your compiler's __BYTE_ORDER__?!"
 #endif
 #define bpf_htons(x)				\
 	(__builtin_constant_p(x) ?		\
 	 __bpf_constant_htons(x) : __bpf_htons(x))
 #define bpf_ntohs(x)				\
 	(__builtin_constant_p(x) ?		\
 	 __bpf_constant_ntohs(x) : __bpf_ntohs(x))
 #define bpf_htonl(x)				\
 	(__builtin_constant_p(x) ?		\
 	 __bpf_constant_htonl(x) : __bpf_htonl(x))
 #define bpf_ntohl(x)				\
 	(__builtin_constant_p(x) ?		\
 	 __bpf_constant_ntohl(x) : __bpf_ntohl(x))
 #define bpf_cpu_to_be64(x)			\
 	(__builtin_constant_p(x) ?		\
 	 __bpf_constant_cpu_to_be64(x) : __bpf_cpu_to_be64(x))
 #define bpf_be64_to_cpu(x)			\
 	(__builtin_constant_p(x) ?		\
 	 __bpf_constant_be64_to_cpu(x) : __bpf_be64_to_cpu(x))
 #endif /* __BPF_ENDIAN__ */
--- a/component/ebpf/bpf/bpf_helper_defs.h
+++ b/component/ebpf/bpf/bpf_helper_defs.h
--- a/component/ebpf/bpf/bpf_helpers.h
+++ b/component/ebpf/bpf/bpf_helpers.h
@ -0,0 +1,262 @@
 /* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */
 #ifndef __BPF_HELPERS__
 #define __BPF_HELPERS__
 /*
 * Note that bpf programs need to include either
 * vmlinux.h (auto-generated from BTF) or linux/types.h
 * in advance since bpf_helper_defs.h uses such types
 * as __u64.
 */
 #include "bpf_helper_defs.h"
 #define __uint(name, val) int (*name)[val]
 #define __type(name, val) typeof(val) *name
 #define __array(name, val) typeof(val) *name[]
 /*
 * Helper macro to place programs, maps, license in
 * different sections in elf_bpf file. Section names
 * are interpreted by libbpf depending on the context (BPF programs, BPF maps,
 * extern variables, etc).
 * To allow use of SEC() with externs (e.g., for extern .maps declarations),
 * make sure __attribute__((unused)) doesn't trigger compilation warning.
 */
 #define SEC(name) \
 	_Pragma("GCC diagnostic push")					    \
 	_Pragma("GCC diagnostic ignored \"-Wignored-attributes\"")	    \
 	__attribute__((section(name), used))				    \
 	_Pragma("GCC diagnostic pop")					    \
 /* Avoid 'linux/stddef.h' definition of '__always_inline'. */
 #undef __always_inline
 #define __always_inline inline __attribute__((always_inline))
 #ifndef __noinline
 #define __noinline __attribute__((noinline))
 #endif
 #ifndef __weak
 #define __weak __attribute__((weak))
 #endif
 /*
 * Use __hidden attribute to mark a non-static BPF subprogram effectively
 * static for BPF verifier's verification algorithm purposes, allowing more
 * extensive and permissive BPF verification process, taking into account
 * subprogram's caller context.
 */
 #define __hidden __attribute__((visibility("hidden")))
 /* When utilizing vmlinux.h with BPF CO-RE, user BPF programs can't include
 * any system-level headers (such as stddef.h, linux/version.h, etc), and
 * commonly-used macros like NULL and KERNEL_VERSION aren't available through
 * vmlinux.h. This just adds unnecessary hurdles and forces users to re-define
 * them on their own. So as a convenience, provide such definitions here.
 */
 #ifndef NULL
 #define NULL ((void *)0)
 #endif
 #ifndef KERNEL_VERSION
 #define KERNEL_VERSION(a, b, c) (((a) << 16) + ((b) << 8) + ((c) > 255 ? 255 : (c)))
 #endif
 /*
 * Helper macros to manipulate data structures
 */
 #ifndef offsetof
 #define offsetof(TYPE, MEMBER)	((unsigned long)&((TYPE *)0)->MEMBER)
 #endif
 #ifndef container_of
 #define container_of(ptr, type, member)				\
 	({							\
 		void *__mptr = (void *)(ptr);			\
 		((type *)(__mptr - offsetof(type, member)));	\
 	})
 #endif
 /*
 * Helper macro to throw a compilation error if __bpf_unreachable() gets
 * built into the resulting code. This works given BPF back end does not
 * implement __builtin_trap(). This is useful to assert that certain paths
 * of the program code are never used and hence eliminated by the compiler.
 *
 * For example, consider a switch statement that covers known cases used by
 * the program. __bpf_unreachable() can then reside in the default case. If
 * the program gets extended such that a case is not covered in the switch
 * statement, then it will throw a build error due to the default case not
 * being compiled out.
 */
 #ifndef __bpf_unreachable
 # define __bpf_unreachable()	__builtin_trap()
 #endif
 /*
 * Helper function to perform a tail call with a constant/immediate map slot.
 */
 #if __clang_major__ >= 8 && defined(__bpf__)
 static __always_inline void
 bpf_tail_call_static(void *ctx, const void *map, const __u32 slot)
 {
 	if (!__builtin_constant_p(slot))
 		__bpf_unreachable();
 	/*
 	 * Provide a hard guarantee that LLVM won't optimize setting r2 (map
 	 * pointer) and r3 (constant map index) from _different paths_ ending
 	 * up at the _same_ call insn as otherwise we won't be able to use the
 	 * jmpq/nopl retpoline-free patching by the x86-64 JIT in the kernel
 	 * given they mismatch. See also d2e4c1e6c294 ("bpf: Constant map key
 	 * tracking for prog array pokes") for details on verifier tracking.
 	 *
 	 * Note on clobber list: we need to stay in-line with BPF calling
 	 * convention, so even if we don't end up using r0, r4, r5, we need
 	 * to mark them as clobber so that LLVM doesn't end up using them
 	 * before / after the call.
 	 */
 	asm volatile("r1 = %[ctx]\n\t"
 		     "r2 = %[map]\n\t"
 		     "r3 = %[slot]\n\t"
 		     "call 12"
 		     :: [ctx]"r"(ctx), [map]"r"(map), [slot]"i"(slot)
 		     : "r0", "r1", "r2", "r3", "r4", "r5");
 }
 #endif
 /*
 * Helper structure used by eBPF C program
 * to describe BPF map attributes to libbpf loader
 */
 struct bpf_map_def {
 	unsigned int type;
 	unsigned int key_size;
 	unsigned int value_size;
 	unsigned int max_entries;
 	unsigned int map_flags;
 };
 enum libbpf_pin_type {
 	LIBBPF_PIN_NONE,
 	/* PIN_BY_NAME: pin maps by name (in /sys/fs/bpf by default) */
 	LIBBPF_PIN_BY_NAME,
 };
 enum libbpf_tristate {
 	TRI_NO = 0,
 	TRI_YES = 1,
 	TRI_MODULE = 2,
 };
 #define __kconfig __attribute__((section(".kconfig")))
 #define __ksym __attribute__((section(".ksyms")))
 #ifndef ___bpf_concat
 #define ___bpf_concat(a, b) a ## b
 #endif
 #ifndef ___bpf_apply
 #define ___bpf_apply(fn, n) ___bpf_concat(fn, n)
 #endif
 #ifndef ___bpf_nth
 #define ___bpf_nth(_, _1, _2, _3, _4, _5, _6, _7, _8, _9, _a, _b, _c, N, ...) N
 #endif
 #ifndef ___bpf_narg
 #define ___bpf_narg(...) \
 	___bpf_nth(_, ##__VA_ARGS__, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0)
 #endif
 #define ___bpf_fill0(arr, p, x) do {} while (0)
 #define ___bpf_fill1(arr, p, x) arr[p] = x
 #define ___bpf_fill2(arr, p, x, args...) arr[p] = x; ___bpf_fill1(arr, p + 1, args)
 #define ___bpf_fill3(arr, p, x, args...) arr[p] = x; ___bpf_fill2(arr, p + 1, args)
 #define ___bpf_fill4(arr, p, x, args...) arr[p] = x; ___bpf_fill3(arr, p + 1, args)
 #define ___bpf_fill5(arr, p, x, args...) arr[p] = x; ___bpf_fill4(arr, p + 1, args)
 #define ___bpf_fill6(arr, p, x, args...) arr[p] = x; ___bpf_fill5(arr, p + 1, args)
 #define ___bpf_fill7(arr, p, x, args...) arr[p] = x; ___bpf_fill6(arr, p + 1, args)
 #define ___bpf_fill8(arr, p, x, args...) arr[p] = x; ___bpf_fill7(arr, p + 1, args)
 #define ___bpf_fill9(arr, p, x, args...) arr[p] = x; ___bpf_fill8(arr, p + 1, args)
 #define ___bpf_fill10(arr, p, x, args...) arr[p] = x; ___bpf_fill9(arr, p + 1, args)
 #define ___bpf_fill11(arr, p, x, args...) arr[p] = x; ___bpf_fill10(arr, p + 1, args)
 #define ___bpf_fill12(arr, p, x, args...) arr[p] = x; ___bpf_fill11(arr, p + 1, args)
 #define ___bpf_fill(arr, args...) \
 	___bpf_apply(___bpf_fill, ___bpf_narg(args))(arr, 0, args)
 /*
 * BPF_SEQ_PRINTF to wrap bpf_seq_printf to-be-printed values
 * in a structure.
 */
 #define BPF_SEQ_PRINTF(seq, fmt, args...)			\
 ({								\
 	static const char ___fmt[] = fmt;			\
 	unsigned long long ___param[___bpf_narg(args)];		\
 								\
 	_Pragma("GCC diagnostic push")				\
 	_Pragma("GCC diagnostic ignored \"-Wint-conversion\"")	\
 	___bpf_fill(___param, args);				\
 	_Pragma("GCC diagnostic pop")				\
 								\
 	bpf_seq_printf(seq, ___fmt, sizeof(___fmt),		\
 		       ___param, sizeof(___param));		\
 })
 /*
 * BPF_SNPRINTF wraps the bpf_snprintf helper with variadic arguments instead of
 * an array of u64.
 */
 #define BPF_SNPRINTF(out, out_size, fmt, args...)		\
 ({								\
 	static const char ___fmt[] = fmt;			\
 	unsigned long long ___param[___bpf_narg(args)];		\
 								\
 	_Pragma("GCC diagnostic push")				\
 	_Pragma("GCC diagnostic ignored \"-Wint-conversion\"")	\
 	___bpf_fill(___param, args);				\
 	_Pragma("GCC diagnostic pop")				\
 								\
 	bpf_snprintf(out, out_size, ___fmt,			\
 		     ___param, sizeof(___param));		\
 })
 #ifdef BPF_NO_GLOBAL_DATA
 #define BPF_PRINTK_FMT_MOD
 #else
 #define BPF_PRINTK_FMT_MOD static const
 #endif
 #define __bpf_printk(fmt, ...)				\
 ({							\
 	BPF_PRINTK_FMT_MOD char ____fmt[] = fmt;	\
 	bpf_trace_printk(____fmt, sizeof(____fmt),	\
 			 ##__VA_ARGS__);		\
 })
 /*
 * __bpf_vprintk wraps the bpf_trace_vprintk helper with variadic arguments
 * instead of an array of u64.
 */
 #define __bpf_vprintk(fmt, args...)				\
 ({								\
 	static const char ___fmt[] = fmt;			\
 	unsigned long long ___param[___bpf_narg(args)];		\
 								\
 	_Pragma("GCC diagnostic push")				\
 	_Pragma("GCC diagnostic ignored \"-Wint-conversion\"")	\
 	___bpf_fill(___param, args);				\
 	_Pragma("GCC diagnostic pop")				\
 								\
 	bpf_trace_vprintk(___fmt, sizeof(___fmt),		\
 			  ___param, sizeof(___param));		\
 })
 /* Use __bpf_printk when bpf_printk call has 3 or fewer fmt args
 * Otherwise use __bpf_vprintk
 */
 #define ___bpf_pick_printk(...) \
 	___bpf_nth(_, ##__VA_ARGS__, __bpf_vprintk, __bpf_vprintk, __bpf_vprintk,	\
 		   __bpf_vprintk, __bpf_vprintk, __bpf_vprintk, __bpf_vprintk,		\
 		   __bpf_vprintk, __bpf_vprintk, __bpf_printk /*3*/, __bpf_printk /*2*/,\
 		   __bpf_printk /*1*/, __bpf_printk /*0*/)
 /* Helper macro to print out debug messages */
 #define bpf_printk(fmt, args...) ___bpf_pick_printk(args)(fmt, ##args)
 #endif
--- a/component/ebpf/bpf/redir.c
+++ b/component/ebpf/bpf/redir.c
@ -0,0 +1,342 @@
 #include <stdint.h>
 #include <stdbool.h>
 //#include <linux/types.h>
 #include <linux/bpf.h>
 #include <linux/if_ether.h>
 //#include <linux/if_packet.h>
 //#include <linux/if_vlan.h>
 #include <linux/ip.h>
 #include <linux/in.h>
 #include <linux/tcp.h>
 //#include <linux/udp.h>
 #include <linux/pkt_cls.h>
 #include "bpf_endian.h"
 #include "bpf_helpers.h"
 #define IP_CSUM_OFF (ETH_HLEN + offsetof(struct iphdr, check))
 #define IP_DST_OFF (ETH_HLEN + offsetof(struct iphdr, daddr))
 #define IP_SRC_OFF (ETH_HLEN + offsetof(struct iphdr, saddr))
 #define IP_PROTO_OFF (ETH_HLEN + offsetof(struct iphdr, protocol))
 #define TCP_CSUM_OFF (ETH_HLEN + sizeof(struct iphdr) + offsetof(struct tcphdr, check))
 #define TCP_SRC_OFF (ETH_HLEN + sizeof(struct iphdr) + offsetof(struct tcphdr, source))
 #define TCP_DST_OFF (ETH_HLEN + sizeof(struct iphdr) + offsetof(struct tcphdr, dest))
 //#define UDP_CSUM_OFF (ETH_HLEN + sizeof(struct iphdr) + offsetof(struct udphdr, check))
 //#define UDP_SRC_OFF (ETH_HLEN + sizeof(struct iphdr) + offsetof(struct udphdr, source))
 //#define UDP_DST_OFF (ETH_HLEN + sizeof(struct iphdr) + offsetof(struct udphdr, dest))
 #define IS_PSEUDO 0x10
 struct origin_info {
    __be32 ip;
    __be16 port;
    __u16  pad;
 };
 struct origin_info *origin_info_unused __attribute__((unused));
 struct redir_info {
    __be32 sip;
    __be32 dip;
    __be16 sport;
    __be16 dport;
 };
 struct redir_info *redir_info_unused __attribute__((unused));
 struct {
    __uint(type, BPF_MAP_TYPE_LRU_HASH);
    __type(key, struct redir_info);
    __type(value, struct origin_info);
    __uint(max_entries, 65535);
    __uint(pinning, LIBBPF_PIN_BY_NAME);
 } pair_original_dst_map SEC(".maps");
 struct {
    __uint(type, BPF_MAP_TYPE_ARRAY);
    __type(key, __u32);
    __type(value, __u32);
    __uint(max_entries, 3);
    __uint(pinning, LIBBPF_PIN_BY_NAME);
 } redir_params_map SEC(".maps");
 static __always_inline int rewrite_ip(struct __sk_buff *skb, __be32 new_ip, bool is_dest) {
    int ret, off = 0, flags = IS_PSEUDO;
    __be32 old_ip;
    if (is_dest)
        ret = bpf_skb_load_bytes(skb, IP_DST_OFF, &old_ip, 4);
    else
        ret = bpf_skb_load_bytes(skb, IP_SRC_OFF, &old_ip, 4);
    if (ret < 0) {
        return ret;
    }
    off = TCP_CSUM_OFF;
 //    __u8 proto;
 //
 //    ret = bpf_skb_load_bytes(skb, IP_PROTO_OFF, &proto, 1);
 //    if (ret < 0) {
 //        return BPF_DROP;
 //    }
 //
 //    switch (proto) {
 //    case IPPROTO_TCP:
 //        off = TCP_CSUM_OFF;
 //        break;
 //
 //    case IPPROTO_UDP:
 //        off = UDP_CSUM_OFF;
 //        flags |= BPF_F_MARK_MANGLED_0;
 //        break;
 //
 //    case IPPROTO_ICMPV6:
 //        off = offsetof(struct icmp6hdr, icmp6_cksum);
 //        break;
 //    }
 //
 //    if (off) {
    ret = bpf_l4_csum_replace(skb, off, old_ip, new_ip, flags | sizeof(new_ip));
    if (ret < 0) {
        return ret;
    }
 //    }
    ret = bpf_l3_csum_replace(skb, IP_CSUM_OFF, old_ip, new_ip, sizeof(new_ip));
    if (ret < 0) {
        return ret;
    }
    if (is_dest)
        ret = bpf_skb_store_bytes(skb, IP_DST_OFF, &new_ip, sizeof(new_ip), 0);
    else
        ret = bpf_skb_store_bytes(skb, IP_SRC_OFF, &new_ip, sizeof(new_ip), 0);
    if (ret < 0) {
        return ret;
    }
    return 1;
 }
 static __always_inline int rewrite_port(struct __sk_buff *skb, __be16 new_port, bool is_dest) {
    int ret, off = 0;
    __be16 old_port;
    if (is_dest)
        ret = bpf_skb_load_bytes(skb, TCP_DST_OFF, &old_port, 2);
    else
        ret = bpf_skb_load_bytes(skb, TCP_SRC_OFF, &old_port, 2);
    if (ret < 0) {
        return ret;
    }
    off = TCP_CSUM_OFF;
    ret = bpf_l4_csum_replace(skb, off, old_port, new_port, sizeof(new_port));
    if (ret < 0) {
        return ret;
    }
    if (is_dest)
        ret = bpf_skb_store_bytes(skb, TCP_DST_OFF, &new_port, sizeof(new_port), 0);
    else
        ret = bpf_skb_store_bytes(skb, TCP_SRC_OFF, &new_port, sizeof(new_port), 0);
    if (ret < 0) {
        return ret;
    }
    return 1;
 }
 static __always_inline bool is_lan_ip(__be32 addr) {
    if (addr == 0xffffffff)
        return true;
    __u8 fist = (__u8)(addr & 0xff);
    if (fist == 127 || fist == 10)
        return true;
    __u8 second = (__u8)((addr >> 8) & 0xff);
    if (fist == 172 && second >= 16 && second <= 31)
        return true;
    if (fist == 192 && second == 168)
        return true;
    return false;
 }
 SEC("tc_clash_auto_redir_ingress")
 int tc_redir_ingress_func(struct __sk_buff *skb) {
    void *data          = (void *)(long)skb->data;
    void *data_end      = (void *)(long)skb->data_end;
    struct ethhdr *eth  = data;
    if ((void *)(eth + 1) > data_end)
        return TC_ACT_OK;
    if (eth->h_proto != bpf_htons(ETH_P_IP))
        return TC_ACT_OK;
    struct iphdr *iph = (struct iphdr *)(eth + 1);
    if ((void *)(iph + 1) > data_end)
        return TC_ACT_OK;
    __u32 key = 0, *route_index, *redir_ip, *redir_port;
    route_index = bpf_map_lookup_elem(&redir_params_map, &key);
    if (!route_index)
        return TC_ACT_OK;
    if (iph->protocol == IPPROTO_ICMP && *route_index != 0)
        return bpf_redirect(*route_index, 0);
    if (iph->protocol != IPPROTO_TCP)
        return TC_ACT_OK;
    struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
    if ((void *)(tcph + 1) > data_end)
        return TC_ACT_SHOT;
    key = 1;
    redir_ip = bpf_map_lookup_elem(&redir_params_map, &key);
    if (!redir_ip)
        return TC_ACT_OK;
    key = 2;
    redir_port = bpf_map_lookup_elem(&redir_params_map, &key);
    if (!redir_port)
        return TC_ACT_OK;
    __be32 new_ip   = bpf_htonl(*redir_ip);
    __be16 new_port = bpf_htonl(*redir_port) >> 16;
    __be32 old_ip   = iph->daddr;
    __be16 old_port = tcph->dest;
    if (old_ip == new_ip || is_lan_ip(old_ip) || bpf_ntohs(old_port) == 53) {
        return TC_ACT_OK;
    }
    struct redir_info p_key = {
        .sip = iph->saddr,
        .sport = tcph->source,
        .dip = new_ip,
        .dport = new_port,
    };
    if (tcph->syn && !tcph->ack) {
        struct origin_info origin = {
            .ip = old_ip,
            .port = old_port,
        };
        bpf_map_update_elem(&pair_original_dst_map, &p_key, &origin, BPF_NOEXIST);
        if (rewrite_ip(skb, new_ip, true) < 0) {
            return TC_ACT_SHOT;
        }
        if (rewrite_port(skb, new_port, true) < 0) {
            return TC_ACT_SHOT;
        }
    } else {
        struct origin_info *origin = bpf_map_lookup_elem(&pair_original_dst_map, &p_key);
        if (!origin) {
            return TC_ACT_OK;
        }
        if (rewrite_ip(skb, new_ip, true) < 0) {
            return TC_ACT_SHOT;
        }
        if (rewrite_port(skb, new_port, true) < 0) {
            return TC_ACT_SHOT;
        }
    }
    return TC_ACT_OK;
 }
 SEC("tc_clash_auto_redir_egress")
 int tc_redir_egress_func(struct __sk_buff *skb) {
    void *data          = (void *)(long)skb->data;
    void *data_end      = (void *)(long)skb->data_end;
    struct ethhdr *eth  = data;
    if ((void *)(eth + 1) > data_end)
        return TC_ACT_OK;
    if (eth->h_proto != bpf_htons(ETH_P_IP))
        return TC_ACT_OK;
    __u32 key = 0, *redir_ip, *redir_port; // *clash_mark
 //    clash_mark = bpf_map_lookup_elem(&redir_params_map, &key);
 //    if (clash_mark && *clash_mark != 0 && *clash_mark == skb->mark)
 //        return TC_ACT_OK;
    struct iphdr *iph = (struct iphdr *)(eth + 1);
    if ((void *)(iph + 1) > data_end)
        return TC_ACT_OK;
    if (iph->protocol != IPPROTO_TCP)
        return TC_ACT_OK;
    struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
    if ((void *)(tcph + 1) > data_end)
        return TC_ACT_SHOT;
    key = 1;
    redir_ip = bpf_map_lookup_elem(&redir_params_map, &key);
    if (!redir_ip)
        return TC_ACT_OK;
    key = 2;
    redir_port = bpf_map_lookup_elem(&redir_params_map, &key);
    if (!redir_port)
        return TC_ACT_OK;
    __be32 new_ip   = bpf_htonl(*redir_ip);
    __be16 new_port = bpf_htonl(*redir_port) >> 16;
    __be32 old_ip   = iph->saddr;
    __be16 old_port = tcph->source;
    if (old_ip != new_ip || old_port != new_port) {
        return TC_ACT_OK;
    }
    struct redir_info p_key = {
        .sip = iph->daddr,
        .sport = tcph->dest,
        .dip = iph->saddr,
        .dport = tcph->source,
    };
    struct origin_info *origin = bpf_map_lookup_elem(&pair_original_dst_map, &p_key);
    if (!origin) {
        return TC_ACT_OK;
    }
    if (tcph->fin && tcph->ack) {
        bpf_map_delete_elem(&pair_original_dst_map, &p_key);
    }
    if (rewrite_ip(skb, origin->ip, false) < 0) {
        return TC_ACT_SHOT;
    }
    if (rewrite_port(skb, origin->port, false) < 0) {
        return TC_ACT_SHOT;
    }
    return TC_ACT_OK;
 }
 char _license[] SEC("license") = "GPL";
--- a/component/ebpf/bpf/tc.c
+++ b/component/ebpf/bpf/tc.c
@ -0,0 +1,103 @@
 #include <stdbool.h>
 #include <linux/bpf.h>
 #include <linux/if_ether.h>
 #include <linux/ip.h>
 #include <linux/in.h>
 //#include <linux/tcp.h>
 //#include <linux/udp.h>
 #include <linux/pkt_cls.h>
 #include "bpf_endian.h"
 #include "bpf_helpers.h"
 struct {
    __uint(type, BPF_MAP_TYPE_ARRAY);
    __type(key, __u32);
    __type(value, __u32);
    __uint(max_entries, 2);
    __uint(pinning, LIBBPF_PIN_BY_NAME);
 } tc_params_map SEC(".maps");
 static __always_inline bool is_lan_ip(__be32 addr) {
    if (addr == 0xffffffff)
        return true;
    __u8 fist = (__u8)(addr & 0xff);
    if (fist == 127 || fist == 10)
        return true;
    __u8 second = (__u8)((addr >> 8) & 0xff);
    if (fist == 172 && second >= 16 && second <= 31)
        return true;
    if (fist == 192 && second == 168)
        return true;
    return false;
 }
 SEC("tc_clash_redirect_to_tun")
 int tc_tun_func(struct __sk_buff *skb) {
    void *data          = (void *)(long)skb->data;
    void *data_end      = (void *)(long)skb->data_end;
    struct ethhdr *eth  = data;
    if ((void *)(eth + 1) > data_end)
        return TC_ACT_OK;
    if (eth->h_proto == bpf_htons(ETH_P_ARP))
        return TC_ACT_OK;
    __u32 key = 0, *clash_mark, *tun_ifindex;
    clash_mark = bpf_map_lookup_elem(&tc_params_map, &key);
    if (!clash_mark)
        return TC_ACT_OK;
    if (skb->mark == *clash_mark)
        return TC_ACT_OK;
    if (eth->h_proto == bpf_htons(ETH_P_IP)) {
        struct iphdr *iph = (struct iphdr *)(eth + 1);
        if ((void *)(iph + 1) > data_end)
            return TC_ACT_OK;
        if (iph->protocol == IPPROTO_ICMP)
            return TC_ACT_OK;
        __be32 daddr = iph->daddr;
        if (is_lan_ip(daddr))
            return TC_ACT_OK;
 //        if (iph->protocol == IPPROTO_TCP) {
 //            struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
 //            if ((void *)(tcph + 1) > data_end)
 //                return TC_ACT_OK;
 //
 //            __u16 source = bpf_ntohs(tcph->source);
 //            if (source == 22 || source == 80 || source == 443 || source == 8080 || source == 8443 || source == 9090 || (source >= 7890 && source <= 7895))
 //                return TC_ACT_OK;
 //        } else if (iph->protocol == IPPROTO_UDP) {
 //            struct udphdr *udph = (struct udphdr *)(iph + 1);
 //            if ((void *)(udph + 1) > data_end)
 //                return TC_ACT_OK;
 //
 //            __u16 source = bpf_ntohs(udph->source);
 //            if (source == 53 || (source >= 135 && source <= 139))
 //                return TC_ACT_OK;
 //        }
    }
    key = 1;
    tun_ifindex = bpf_map_lookup_elem(&tc_params_map, &key);
    if (!tun_ifindex)
        return TC_ACT_OK;
    //return bpf_redirect(*tun_ifindex, BPF_F_INGRESS); // __bpf_rx_skb
    return bpf_redirect(*tun_ifindex, 0); // __bpf_tx_skb / __dev_xmit_skb
 }
 char _license[] SEC("license") = "GPL";
--- a/component/ebpf/byteorder/byteorder.go
+++ b/component/ebpf/byteorder/byteorder.go
@ -0,0 +1,13 @@
 package byteorder
 import (
 	"net"
 )
 // NetIPv4ToHost32 converts an net.IP to a uint32 in host byte order. ip
 // must be a IPv4 address, otherwise the function will panic.
 func NetIPv4ToHost32(ip net.IP) uint32 {
 	ipv4 := ip.To4()
 	_ = ipv4[3] // Assert length of ipv4.
 	return Native.Uint32(ipv4)
 }
--- a/component/ebpf/byteorder/byteorder_bigendian.go
+++ b/component/ebpf/byteorder/byteorder_bigendian.go
@ -0,0 +1,12 @@
 //go:build arm64be || armbe || mips || mips64 || mips64p32 || ppc64 || s390 || s390x || sparc || sparc64
 package byteorder
 import "encoding/binary"
 var Native binary.ByteOrder = binary.BigEndian
 func HostToNetwork16(u uint16) uint16 { return u }
 func HostToNetwork32(u uint32) uint32 { return u }
 func NetworkToHost16(u uint16) uint16 { return u }
 func NetworkToHost32(u uint32) uint32 { return u }
--- a/component/ebpf/byteorder/byteorder_littleendian.go
+++ b/component/ebpf/byteorder/byteorder_littleendian.go
@ -0,0 +1,15 @@
 //go:build 386 || amd64 || amd64p32 || arm || arm64 || mips64le || mips64p32le || mipsle || ppc64le || riscv64
 package byteorder
 import (
 	"encoding/binary"
 	"math/bits"
 )
 var Native binary.ByteOrder = binary.LittleEndian
 func HostToNetwork16(u uint16) uint16 { return bits.ReverseBytes16(u) }
 func HostToNetwork32(u uint32) uint32 { return bits.ReverseBytes32(u) }
 func NetworkToHost16(u uint16) uint16 { return bits.ReverseBytes16(u) }
 func NetworkToHost32(u uint32) uint32 { return bits.ReverseBytes32(u) }
--- a/component/ebpf/ebpf.go
+++ b/component/ebpf/ebpf.go
@ -0,0 +1,33 @@
 package ebpf
 import (
 	"net/netip"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/socks5"
 )
 type TcEBpfProgram struct {
 	pros    []C.EBpf
 	rawNICs []string
 }
 func (t *TcEBpfProgram) RawNICs() []string {
 	return t.rawNICs
 }
 func (t *TcEBpfProgram) Close() {
 	for _, p := range t.pros {
 		p.Close()
 	}
 }
 func (t *TcEBpfProgram) Lookup(srcAddrPort netip.AddrPort) (addr socks5.Addr, err error) {
 	for _, p := range t.pros {
 		addr, err = p.Lookup(srcAddrPort)
 		if err == nil {
 			return
 		}
 	}
 	return
 }
--- a/component/ebpf/ebpf_linux.go
+++ b/component/ebpf/ebpf_linux.go
@ -0,0 +1,114 @@
 //go:build !android
 package ebpf
 import (
 	"fmt"
 	"net/netip"
 	"github.com/vishvananda/netlink"
 	"github.com/Dreamacro/clash/common/cmd"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/ebpf/redir"
 	"github.com/Dreamacro/clash/component/ebpf/tc"
 	C "github.com/Dreamacro/clash/constant"
 )
 // NewTcEBpfProgram new redirect to tun ebpf program
 func NewTcEBpfProgram(ifaceNames []string, tunName string) (*TcEBpfProgram, error) {
 	tunIface, err := netlink.LinkByName(tunName)
 	if err != nil {
 		return nil, fmt.Errorf("lookup network iface %q: %w", tunName, err)
 	}
 	tunIndex := uint32(tunIface.Attrs().Index)
 	dialer.DefaultRoutingMark.Store(C.ClashTrafficMark)
 	ifMark := uint32(dialer.DefaultRoutingMark.Load())
 	var pros []C.EBpf
 	for _, ifaceName := range ifaceNames {
 		iface, err := netlink.LinkByName(ifaceName)
 		if err != nil {
 			return nil, fmt.Errorf("lookup network iface %q: %w", ifaceName, err)
 		}
 		if iface.Attrs().OperState != netlink.OperUp {
 			return nil, fmt.Errorf("network iface %q is down", ifaceName)
 		}
 		attrs := iface.Attrs()
 		index := attrs.Index
 		tcPro := tc.NewEBpfTc(ifaceName, index, ifMark, tunIndex)
 		if err = tcPro.Start(); err != nil {
 			return nil, err
 		}
 		pros = append(pros, tcPro)
 	}
 	systemSetting(ifaceNames...)
 	return &TcEBpfProgram{pros: pros, rawNICs: ifaceNames}, nil
 }
 // NewRedirEBpfProgram new auto redirect ebpf program
 func NewRedirEBpfProgram(ifaceNames []string, redirPort uint16, defaultRouteInterfaceName string) (*TcEBpfProgram, error) {
 	defaultRouteInterface, err := netlink.LinkByName(defaultRouteInterfaceName)
 	if err != nil {
 		return nil, fmt.Errorf("lookup network iface %q: %w", defaultRouteInterfaceName, err)
 	}
 	defaultRouteIndex := uint32(defaultRouteInterface.Attrs().Index)
 	var pros []C.EBpf
 	for _, ifaceName := range ifaceNames {
 		iface, err := netlink.LinkByName(ifaceName)
 		if err != nil {
 			return nil, fmt.Errorf("lookup network iface %q: %w", ifaceName, err)
 		}
 		attrs := iface.Attrs()
 		index := attrs.Index
 		addrs, err := netlink.AddrList(iface, netlink.FAMILY_V4)
 		if err != nil {
 			return nil, fmt.Errorf("lookup network iface %q address: %w", ifaceName, err)
 		}
 		if len(addrs) == 0 {
 			return nil, fmt.Errorf("network iface %q does not contain any ipv4 addresses", ifaceName)
 		}
 		address, _ := netip.AddrFromSlice(addrs[0].IP)
 		redirAddrPort := netip.AddrPortFrom(address, redirPort)
 		redirPro := redir.NewEBpfRedirect(ifaceName, index, 0, defaultRouteIndex, redirAddrPort)
 		if err = redirPro.Start(); err != nil {
 			return nil, err
 		}
 		pros = append(pros, redirPro)
 	}
 	systemSetting(ifaceNames...)
 	return &TcEBpfProgram{pros: pros, rawNICs: ifaceNames}, nil
 }
 func systemSetting(ifaceNames ...string) {
 	_, _ = cmd.ExecCmd("sysctl -w net.ipv4.ip_forward=1")
 	_, _ = cmd.ExecCmd("sysctl -w net.ipv4.conf.all.forwarding=1")
 	_, _ = cmd.ExecCmd("sysctl -w net.ipv4.conf.all.accept_local=1")
 	_, _ = cmd.ExecCmd("sysctl -w net.ipv4.conf.all.accept_redirects=1")
 	_, _ = cmd.ExecCmd("sysctl -w net.ipv4.conf.all.rp_filter=0")
 	for _, ifaceName := range ifaceNames {
 		_, _ = cmd.ExecCmd(fmt.Sprintf("sysctl -w net.ipv4.conf.%s.forwarding=1", ifaceName))
 		_, _ = cmd.ExecCmd(fmt.Sprintf("sysctl -w net.ipv4.conf.%s.accept_local=1", ifaceName))
 		_, _ = cmd.ExecCmd(fmt.Sprintf("sysctl -w net.ipv4.conf.%s.accept_redirects=1", ifaceName))
 		_, _ = cmd.ExecCmd(fmt.Sprintf("sysctl -w net.ipv4.conf.%s.rp_filter=0", ifaceName))
 	}
 }
--- a/component/ebpf/ebpf_others.go
+++ b/component/ebpf/ebpf_others.go
@ -0,0 +1,17 @@
 //go:build !linux || android
 package ebpf
 import (
 	"fmt"
 )
 // NewTcEBpfProgram new ebpf tc program
 func NewTcEBpfProgram(_ []string, _ string) (*TcEBpfProgram, error) {
 	return nil, fmt.Errorf("system not supported")
 }
 // NewRedirEBpfProgram new ebpf redirect program
 func NewRedirEBpfProgram(_ []string, _ uint16, _ string) (*TcEBpfProgram, error) {
 	return nil, fmt.Errorf("system not supported")
 }
--- a/component/ebpf/redir/auto_redirect.go
+++ b/component/ebpf/redir/auto_redirect.go
@ -0,0 +1,216 @@
 //go:build linux
 package redir
 import (
 	"encoding/binary"
 	"fmt"
 	"io"
 	"net"
 	"net/netip"
 	"os"
 	"path/filepath"
 	"github.com/cilium/ebpf"
 	"github.com/cilium/ebpf/rlimit"
 	"github.com/vishvananda/netlink"
 	"golang.org/x/sys/unix"
 	"github.com/Dreamacro/clash/component/ebpf/byteorder"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/socks5"
 )
 //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../bpf/redir.c
 const (
 	mapKey1 uint32 = 0
 	mapKey2 uint32 = 1
 	mapKey3 uint32 = 2
 )
 type EBpfRedirect struct {
 	objs         io.Closer
 	originMap    *ebpf.Map
 	qdisc        netlink.Qdisc
 	filter       netlink.Filter
 	filterEgress netlink.Filter
 	ifName    string
 	ifIndex   int
 	ifMark    uint32
 	rtIndex   uint32
 	redirIp   uint32
 	redirPort uint16
 	bpfPath string
 }
 func NewEBpfRedirect(ifName string, ifIndex int, ifMark uint32, routeIndex uint32, redirAddrPort netip.AddrPort) *EBpfRedirect {
 	return &EBpfRedirect{
 		ifName:    ifName,
 		ifIndex:   ifIndex,
 		ifMark:    ifMark,
 		rtIndex:   routeIndex,
 		redirIp:   binary.BigEndian.Uint32(redirAddrPort.Addr().AsSlice()),
 		redirPort: redirAddrPort.Port(),
 	}
 }
 func (e *EBpfRedirect) Start() error {
 	if err := rlimit.RemoveMemlock(); err != nil {
 		return fmt.Errorf("remove memory lock: %w", err)
 	}
 	e.bpfPath = filepath.Join(C.BpfFSPath, e.ifName)
 	if err := os.MkdirAll(e.bpfPath, os.ModePerm); err != nil {
 		return fmt.Errorf("failed to create bpf fs subpath: %w", err)
 	}
 	var objs bpfObjects
 	if err := loadBpfObjects(&objs, &ebpf.CollectionOptions{
 		Maps: ebpf.MapOptions{
 			PinPath: e.bpfPath,
 		},
 	}); err != nil {
 		e.Close()
 		return fmt.Errorf("loading objects: %w", err)
 	}
 	e.objs = &objs
 	e.originMap = objs.bpfMaps.PairOriginalDstMap
 	if err := objs.bpfMaps.RedirParamsMap.Update(mapKey1, e.rtIndex, ebpf.UpdateAny); err != nil {
 		e.Close()
 		return fmt.Errorf("storing objects: %w", err)
 	}
 	if err := objs.bpfMaps.RedirParamsMap.Update(mapKey2, e.redirIp, ebpf.UpdateAny); err != nil {
 		e.Close()
 		return fmt.Errorf("storing objects: %w", err)
 	}
 	if err := objs.bpfMaps.RedirParamsMap.Update(mapKey3, uint32(e.redirPort), ebpf.UpdateAny); err != nil {
 		e.Close()
 		return fmt.Errorf("storing objects: %w", err)
 	}
 	attrs := netlink.QdiscAttrs{
 		LinkIndex: e.ifIndex,
 		Handle:    netlink.MakeHandle(0xffff, 0),
 		Parent:    netlink.HANDLE_CLSACT,
 	}
 	qdisc := &netlink.GenericQdisc{
 		QdiscAttrs: attrs,
 		QdiscType:  "clsact",
 	}
 	e.qdisc = qdisc
 	if err := netlink.QdiscAdd(qdisc); err != nil {
 		if os.IsExist(err) {
 			_ = netlink.QdiscDel(qdisc)
 			err = netlink.QdiscAdd(qdisc)
 		}
 		if err != nil {
 			e.Close()
 			return fmt.Errorf("cannot add clsact qdisc: %w", err)
 		}
 	}
 	filterAttrs := netlink.FilterAttrs{
 		LinkIndex: e.ifIndex,
 		Parent:    netlink.HANDLE_MIN_INGRESS,
 		Handle:    netlink.MakeHandle(0, 1),
 		Protocol:  unix.ETH_P_IP,
 		Priority:  0,
 	}
 	filter := &netlink.BpfFilter{
 		FilterAttrs:  filterAttrs,
 		Fd:           objs.bpfPrograms.TcRedirIngressFunc.FD(),
 		Name:         "clash-redir-ingress-" + e.ifName,
 		DirectAction: true,
 	}
 	if err := netlink.FilterAdd(filter); err != nil {
 		e.Close()
 		return fmt.Errorf("cannot attach ebpf object to filter ingress: %w", err)
 	}
 	e.filter = filter
 	filterAttrsEgress := netlink.FilterAttrs{
 		LinkIndex: e.ifIndex,
 		Parent:    netlink.HANDLE_MIN_EGRESS,
 		Handle:    netlink.MakeHandle(0, 1),
 		Protocol:  unix.ETH_P_IP,
 		Priority:  0,
 	}
 	filterEgress := &netlink.BpfFilter{
 		FilterAttrs:  filterAttrsEgress,
 		Fd:           objs.bpfPrograms.TcRedirEgressFunc.FD(),
 		Name:         "clash-redir-egress-" + e.ifName,
 		DirectAction: true,
 	}
 	if err := netlink.FilterAdd(filterEgress); err != nil {
 		e.Close()
 		return fmt.Errorf("cannot attach ebpf object to filter egress: %w", err)
 	}
 	e.filterEgress = filterEgress
 	return nil
 }
 func (e *EBpfRedirect) Close() {
 	if e.filter != nil {
 		_ = netlink.FilterDel(e.filter)
 	}
 	if e.filterEgress != nil {
 		_ = netlink.FilterDel(e.filterEgress)
 	}
 	if e.qdisc != nil {
 		_ = netlink.QdiscDel(e.qdisc)
 	}
 	if e.objs != nil {
 		_ = e.objs.Close()
 	}
 	_ = os.Remove(filepath.Join(e.bpfPath, "redir_params_map"))
 	_ = os.Remove(filepath.Join(e.bpfPath, "pair_original_dst_map"))
 }
 func (e *EBpfRedirect) Lookup(srcAddrPort netip.AddrPort) (socks5.Addr, error) {
 	rAddr := srcAddrPort.Addr().Unmap()
 	if rAddr.Is6() {
 		return nil, fmt.Errorf("remote address is ipv6")
 	}
 	srcIp := binary.BigEndian.Uint32(rAddr.AsSlice())
 	scrPort := srcAddrPort.Port()
 	key := bpfRedirInfo{
 		Sip:   byteorder.HostToNetwork32(srcIp),
 		Sport: byteorder.HostToNetwork16(scrPort),
 		Dip:   byteorder.HostToNetwork32(e.redirIp),
 		Dport: byteorder.HostToNetwork16(e.redirPort),
 	}
 	origin := bpfOriginInfo{}
 	err := e.originMap.Lookup(key, &origin)
 	if err != nil {
 		return nil, err
 	}
 	addr := make([]byte, net.IPv4len+3)
 	addr[0] = socks5.AtypIPv4
 	binary.BigEndian.PutUint32(addr[1:1+net.IPv4len], byteorder.NetworkToHost32(origin.Ip))               // big end
 	binary.BigEndian.PutUint16(addr[1+net.IPv4len:3+net.IPv4len], byteorder.NetworkToHost16(origin.Port)) // big end
 	return addr, nil
 }
--- a/component/ebpf/redir/bpf_bpfeb.go
+++ b/component/ebpf/redir/bpf_bpfeb.go
@ -0,0 +1,138 @@
 // Code generated by bpf2go; DO NOT EDIT.
 //go:build arm64be || armbe || mips || mips64 || mips64p32 || ppc64 || s390 || s390x || sparc || sparc64
 // +build arm64be armbe mips mips64 mips64p32 ppc64 s390 s390x sparc sparc64
 package redir
 import (
 	"bytes"
 	_ "embed"
 	"fmt"
 	"io"
 	"github.com/cilium/ebpf"
 )
 type bpfOriginInfo struct {
 	Ip   uint32
 	Port uint16
 	Pad  uint16
 }
 type bpfRedirInfo struct {
 	Sip   uint32
 	Dip   uint32
 	Sport uint16
 	Dport uint16
 }
 // loadBpf returns the embedded CollectionSpec for bpf.
 func loadBpf() (*ebpf.CollectionSpec, error) {
 	reader := bytes.NewReader(_BpfBytes)
 	spec, err := ebpf.LoadCollectionSpecFromReader(reader)
 	if err != nil {
 		return nil, fmt.Errorf("can't load bpf: %w", err)
 	}
 	return spec, err
 }
 // loadBpfObjects loads bpf and converts it into a struct.
 //
 // The following types are suitable as obj argument:
 //
 //     *bpfObjects
 //     *bpfPrograms
 //     *bpfMaps
 //
 // See ebpf.CollectionSpec.LoadAndAssign documentation for details.
 func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error {
 	spec, err := loadBpf()
 	if err != nil {
 		return err
 	}
 	return spec.LoadAndAssign(obj, opts)
 }
 // bpfSpecs contains maps and programs before they are loaded into the kernel.
 //
 // It can be passed ebpf.CollectionSpec.Assign.
 type bpfSpecs struct {
 	bpfProgramSpecs
 	bpfMapSpecs
 }
 // bpfSpecs contains programs before they are loaded into the kernel.
 //
 // It can be passed ebpf.CollectionSpec.Assign.
 type bpfProgramSpecs struct {
 	TcRedirEgressFunc  *ebpf.ProgramSpec `ebpf:"tc_redir_egress_func"`
 	TcRedirIngressFunc *ebpf.ProgramSpec `ebpf:"tc_redir_ingress_func"`
 }
 // bpfMapSpecs contains maps before they are loaded into the kernel.
 //
 // It can be passed ebpf.CollectionSpec.Assign.
 type bpfMapSpecs struct {
 	PairOriginalDstMap *ebpf.MapSpec `ebpf:"pair_original_dst_map"`
 	RedirParamsMap     *ebpf.MapSpec `ebpf:"redir_params_map"`
 }
 // bpfObjects contains all objects after they have been loaded into the kernel.
 //
 // It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
 type bpfObjects struct {
 	bpfPrograms
 	bpfMaps
 }
 func (o *bpfObjects) Close() error {
 	return _BpfClose(
 		&o.bpfPrograms,
 		&o.bpfMaps,
 	)
 }
 // bpfMaps contains all maps after they have been loaded into the kernel.
 //
 // It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
 type bpfMaps struct {
 	PairOriginalDstMap *ebpf.Map `ebpf:"pair_original_dst_map"`
 	RedirParamsMap     *ebpf.Map `ebpf:"redir_params_map"`
 }
 func (m *bpfMaps) Close() error {
 	return _BpfClose(
 		m.PairOriginalDstMap,
 		m.RedirParamsMap,
 	)
 }
 // bpfPrograms contains all programs after they have been loaded into the kernel.
 //
 // It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
 type bpfPrograms struct {
 	TcRedirEgressFunc  *ebpf.Program `ebpf:"tc_redir_egress_func"`
 	TcRedirIngressFunc *ebpf.Program `ebpf:"tc_redir_ingress_func"`
 }
 func (p *bpfPrograms) Close() error {
 	return _BpfClose(
 		p.TcRedirEgressFunc,
 		p.TcRedirIngressFunc,
 	)
 }
 func _BpfClose(closers ...io.Closer) error {
 	for _, closer := range closers {
 		if err := closer.Close(); err != nil {
 			return err
 		}
 	}
 	return nil
 }
 // Do not access this directly.
 //go:embed bpf_bpfeb.o
 var _BpfBytes []byte
--- a/component/ebpf/redir/bpf_bpfeb.o
+++ b/component/ebpf/redir/bpf_bpfeb.o
--- a/component/ebpf/redir/bpf_bpfel.go
+++ b/component/ebpf/redir/bpf_bpfel.go
@ -0,0 +1,138 @@
 // Code generated by bpf2go; DO NOT EDIT.
 //go:build 386 || amd64 || amd64p32 || arm || arm64 || mips64le || mips64p32le || mipsle || ppc64le || riscv64
 // +build 386 amd64 amd64p32 arm arm64 mips64le mips64p32le mipsle ppc64le riscv64
 package redir
 import (
 	"bytes"
 	_ "embed"
 	"fmt"
 	"io"
 	"github.com/cilium/ebpf"
 )
 type bpfOriginInfo struct {
 	Ip   uint32
 	Port uint16
 	Pad  uint16
 }
 type bpfRedirInfo struct {
 	Sip   uint32
 	Dip   uint32
 	Sport uint16
 	Dport uint16
 }
 // loadBpf returns the embedded CollectionSpec for bpf.
 func loadBpf() (*ebpf.CollectionSpec, error) {
 	reader := bytes.NewReader(_BpfBytes)
 	spec, err := ebpf.LoadCollectionSpecFromReader(reader)
 	if err != nil {
 		return nil, fmt.Errorf("can't load bpf: %w", err)
 	}
 	return spec, err
 }
 // loadBpfObjects loads bpf and converts it into a struct.
 //
 // The following types are suitable as obj argument:
 //
 //     *bpfObjects
 //     *bpfPrograms
 //     *bpfMaps
 //
 // See ebpf.CollectionSpec.LoadAndAssign documentation for details.
 func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error {
 	spec, err := loadBpf()
 	if err != nil {
 		return err
 	}
 	return spec.LoadAndAssign(obj, opts)
 }
 // bpfSpecs contains maps and programs before they are loaded into the kernel.
 //
 // It can be passed ebpf.CollectionSpec.Assign.
 type bpfSpecs struct {
 	bpfProgramSpecs
 	bpfMapSpecs
 }
 // bpfSpecs contains programs before they are loaded into the kernel.
 //
 // It can be passed ebpf.CollectionSpec.Assign.
 type bpfProgramSpecs struct {
 	TcRedirEgressFunc  *ebpf.ProgramSpec `ebpf:"tc_redir_egress_func"`
 	TcRedirIngressFunc *ebpf.ProgramSpec `ebpf:"tc_redir_ingress_func"`
 }
 // bpfMapSpecs contains maps before they are loaded into the kernel.
 //
 // It can be passed ebpf.CollectionSpec.Assign.
 type bpfMapSpecs struct {
 	PairOriginalDstMap *ebpf.MapSpec `ebpf:"pair_original_dst_map"`
 	RedirParamsMap     *ebpf.MapSpec `ebpf:"redir_params_map"`
 }
 // bpfObjects contains all objects after they have been loaded into the kernel.
 //
 // It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
 type bpfObjects struct {
 	bpfPrograms
 	bpfMaps
 }
 func (o *bpfObjects) Close() error {
 	return _BpfClose(
 		&o.bpfPrograms,
 		&o.bpfMaps,
 	)
 }
 // bpfMaps contains all maps after they have been loaded into the kernel.
 //
 // It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
 type bpfMaps struct {
 	PairOriginalDstMap *ebpf.Map `ebpf:"pair_original_dst_map"`
 	RedirParamsMap     *ebpf.Map `ebpf:"redir_params_map"`
 }
 func (m *bpfMaps) Close() error {
 	return _BpfClose(
 		m.PairOriginalDstMap,
 		m.RedirParamsMap,
 	)
 }
 // bpfPrograms contains all programs after they have been loaded into the kernel.
 //
 // It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
 type bpfPrograms struct {
 	TcRedirEgressFunc  *ebpf.Program `ebpf:"tc_redir_egress_func"`
 	TcRedirIngressFunc *ebpf.Program `ebpf:"tc_redir_ingress_func"`
 }
 func (p *bpfPrograms) Close() error {
 	return _BpfClose(
 		p.TcRedirEgressFunc,
 		p.TcRedirIngressFunc,
 	)
 }
 func _BpfClose(closers ...io.Closer) error {
 	for _, closer := range closers {
 		if err := closer.Close(); err != nil {
 			return err
 		}
 	}
 	return nil
 }
 // Do not access this directly.
 //go:embed bpf_bpfel.o
 var _BpfBytes []byte
--- a/component/ebpf/redir/bpf_bpfel.o
+++ b/component/ebpf/redir/bpf_bpfel.o
--- a/component/ebpf/tc/bpf_bpfeb.go
+++ b/component/ebpf/tc/bpf_bpfeb.go
@ -0,0 +1,119 @@
 // Code generated by bpf2go; DO NOT EDIT.
 //go:build arm64be || armbe || mips || mips64 || mips64p32 || ppc64 || s390 || s390x || sparc || sparc64
 // +build arm64be armbe mips mips64 mips64p32 ppc64 s390 s390x sparc sparc64
 package tc
 import (
 	"bytes"
 	_ "embed"
 	"fmt"
 	"io"
 	"github.com/cilium/ebpf"
 )
 // loadBpf returns the embedded CollectionSpec for bpf.
 func loadBpf() (*ebpf.CollectionSpec, error) {
 	reader := bytes.NewReader(_BpfBytes)
 	spec, err := ebpf.LoadCollectionSpecFromReader(reader)
 	if err != nil {
 		return nil, fmt.Errorf("can't load bpf: %w", err)
 	}
 	return spec, err
 }
 // loadBpfObjects loads bpf and converts it into a struct.
 //
 // The following types are suitable as obj argument:
 //
 //     *bpfObjects
 //     *bpfPrograms
 //     *bpfMaps
 //
 // See ebpf.CollectionSpec.LoadAndAssign documentation for details.
 func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error {
 	spec, err := loadBpf()
 	if err != nil {
 		return err
 	}
 	return spec.LoadAndAssign(obj, opts)
 }
 // bpfSpecs contains maps and programs before they are loaded into the kernel.
 //
 // It can be passed ebpf.CollectionSpec.Assign.
 type bpfSpecs struct {
 	bpfProgramSpecs
 	bpfMapSpecs
 }
 // bpfSpecs contains programs before they are loaded into the kernel.
 //
 // It can be passed ebpf.CollectionSpec.Assign.
 type bpfProgramSpecs struct {
 	TcTunFunc *ebpf.ProgramSpec `ebpf:"tc_tun_func"`
 }
 // bpfMapSpecs contains maps before they are loaded into the kernel.
 //
 // It can be passed ebpf.CollectionSpec.Assign.
 type bpfMapSpecs struct {
 	TcParamsMap *ebpf.MapSpec `ebpf:"tc_params_map"`
 }
 // bpfObjects contains all objects after they have been loaded into the kernel.
 //
 // It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
 type bpfObjects struct {
 	bpfPrograms
 	bpfMaps
 }
 func (o *bpfObjects) Close() error {
 	return _BpfClose(
 		&o.bpfPrograms,
 		&o.bpfMaps,
 	)
 }
 // bpfMaps contains all maps after they have been loaded into the kernel.
 //
 // It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
 type bpfMaps struct {
 	TcParamsMap *ebpf.Map `ebpf:"tc_params_map"`
 }
 func (m *bpfMaps) Close() error {
 	return _BpfClose(
 		m.TcParamsMap,
 	)
 }
 // bpfPrograms contains all programs after they have been loaded into the kernel.
 //
 // It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
 type bpfPrograms struct {
 	TcTunFunc *ebpf.Program `ebpf:"tc_tun_func"`
 }
 func (p *bpfPrograms) Close() error {
 	return _BpfClose(
 		p.TcTunFunc,
 	)
 }
 func _BpfClose(closers ...io.Closer) error {
 	for _, closer := range closers {
 		if err := closer.Close(); err != nil {
 			return err
 		}
 	}
 	return nil
 }
 // Do not access this directly.
 //go:embed bpf_bpfeb.o
 var _BpfBytes []byte
--- a/component/ebpf/tc/bpf_bpfeb.o
+++ b/component/ebpf/tc/bpf_bpfeb.o
--- a/component/ebpf/tc/bpf_bpfel.go
+++ b/component/ebpf/tc/bpf_bpfel.go
@ -0,0 +1,119 @@
 // Code generated by bpf2go; DO NOT EDIT.
 //go:build 386 || amd64 || amd64p32 || arm || arm64 || mips64le || mips64p32le || mipsle || ppc64le || riscv64
 // +build 386 amd64 amd64p32 arm arm64 mips64le mips64p32le mipsle ppc64le riscv64
 package tc
 import (
 	"bytes"
 	_ "embed"
 	"fmt"
 	"io"
 	"github.com/cilium/ebpf"
 )
 // loadBpf returns the embedded CollectionSpec for bpf.
 func loadBpf() (*ebpf.CollectionSpec, error) {
 	reader := bytes.NewReader(_BpfBytes)
 	spec, err := ebpf.LoadCollectionSpecFromReader(reader)
 	if err != nil {
 		return nil, fmt.Errorf("can't load bpf: %w", err)
 	}
 	return spec, err
 }
 // loadBpfObjects loads bpf and converts it into a struct.
 //
 // The following types are suitable as obj argument:
 //
 //     *bpfObjects
 //     *bpfPrograms
 //     *bpfMaps
 //
 // See ebpf.CollectionSpec.LoadAndAssign documentation for details.
 func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error {
 	spec, err := loadBpf()
 	if err != nil {
 		return err
 	}
 	return spec.LoadAndAssign(obj, opts)
 }
 // bpfSpecs contains maps and programs before they are loaded into the kernel.
 //
 // It can be passed ebpf.CollectionSpec.Assign.
 type bpfSpecs struct {
 	bpfProgramSpecs
 	bpfMapSpecs
 }
 // bpfSpecs contains programs before they are loaded into the kernel.
 //
 // It can be passed ebpf.CollectionSpec.Assign.
 type bpfProgramSpecs struct {
 	TcTunFunc *ebpf.ProgramSpec `ebpf:"tc_tun_func"`
 }
 // bpfMapSpecs contains maps before they are loaded into the kernel.
 //
 // It can be passed ebpf.CollectionSpec.Assign.
 type bpfMapSpecs struct {
 	TcParamsMap *ebpf.MapSpec `ebpf:"tc_params_map"`
 }
 // bpfObjects contains all objects after they have been loaded into the kernel.
 //
 // It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
 type bpfObjects struct {
 	bpfPrograms
 	bpfMaps
 }
 func (o *bpfObjects) Close() error {
 	return _BpfClose(
 		&o.bpfPrograms,
 		&o.bpfMaps,
 	)
 }
 // bpfMaps contains all maps after they have been loaded into the kernel.
 //
 // It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
 type bpfMaps struct {
 	TcParamsMap *ebpf.Map `ebpf:"tc_params_map"`
 }
 func (m *bpfMaps) Close() error {
 	return _BpfClose(
 		m.TcParamsMap,
 	)
 }
 // bpfPrograms contains all programs after they have been loaded into the kernel.
 //
 // It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
 type bpfPrograms struct {
 	TcTunFunc *ebpf.Program `ebpf:"tc_tun_func"`
 }
 func (p *bpfPrograms) Close() error {
 	return _BpfClose(
 		p.TcTunFunc,
 	)
 }
 func _BpfClose(closers ...io.Closer) error {
 	for _, closer := range closers {
 		if err := closer.Close(); err != nil {
 			return err
 		}
 	}
 	return nil
 }
 // Do not access this directly.
 //go:embed bpf_bpfel.o
 var _BpfBytes []byte
--- a/component/ebpf/tc/bpf_bpfel.o
+++ b/component/ebpf/tc/bpf_bpfel.o
--- a/component/ebpf/tc/redirect_to_tun.go
+++ b/component/ebpf/tc/redirect_to_tun.go
@ -0,0 +1,147 @@
 //go:build linux
 package tc
 import (
 	"fmt"
 	"io"
 	"net/netip"
 	"os"
 	"path/filepath"
 	"github.com/cilium/ebpf"
 	"github.com/cilium/ebpf/rlimit"
 	"github.com/vishvananda/netlink"
 	"golang.org/x/sys/unix"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/socks5"
 )
 //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../bpf/tc.c
 const (
 	mapKey1 uint32 = 0
 	mapKey2 uint32 = 1
 )
 type EBpfTC struct {
 	objs   io.Closer
 	qdisc  netlink.Qdisc
 	filter netlink.Filter
 	ifName     string
 	ifIndex    int
 	ifMark     uint32
 	tunIfIndex uint32
 	bpfPath string
 }
 func NewEBpfTc(ifName string, ifIndex int, ifMark uint32, tunIfIndex uint32) *EBpfTC {
 	return &EBpfTC{
 		ifName:     ifName,
 		ifIndex:    ifIndex,
 		ifMark:     ifMark,
 		tunIfIndex: tunIfIndex,
 	}
 }
 func (e *EBpfTC) Start() error {
 	if err := rlimit.RemoveMemlock(); err != nil {
 		return fmt.Errorf("remove memory lock: %w", err)
 	}
 	e.bpfPath = filepath.Join(C.BpfFSPath, e.ifName)
 	if err := os.MkdirAll(e.bpfPath, os.ModePerm); err != nil {
 		return fmt.Errorf("failed to create bpf fs subpath: %w", err)
 	}
 	var objs bpfObjects
 	if err := loadBpfObjects(&objs, &ebpf.CollectionOptions{
 		Maps: ebpf.MapOptions{
 			PinPath: e.bpfPath,
 		},
 	}); err != nil {
 		e.Close()
 		return fmt.Errorf("loading objects: %w", err)
 	}
 	e.objs = &objs
 	if err := objs.bpfMaps.TcParamsMap.Update(mapKey1, e.ifMark, ebpf.UpdateAny); err != nil {
 		e.Close()
 		return fmt.Errorf("storing objects: %w", err)
 	}
 	if err := objs.bpfMaps.TcParamsMap.Update(mapKey2, e.tunIfIndex, ebpf.UpdateAny); err != nil {
 		e.Close()
 		return fmt.Errorf("storing objects: %w", err)
 	}
 	attrs := netlink.QdiscAttrs{
 		LinkIndex: e.ifIndex,
 		Handle:    netlink.MakeHandle(0xffff, 0),
 		Parent:    netlink.HANDLE_CLSACT,
 	}
 	qdisc := &netlink.GenericQdisc{
 		QdiscAttrs: attrs,
 		QdiscType:  "clsact",
 	}
 	e.qdisc = qdisc
 	if err := netlink.QdiscAdd(qdisc); err != nil {
 		if os.IsExist(err) {
 			_ = netlink.QdiscDel(qdisc)
 			err = netlink.QdiscAdd(qdisc)
 		}
 		if err != nil {
 			e.Close()
 			return fmt.Errorf("cannot add clsact qdisc: %w", err)
 		}
 	}
 	filterAttrs := netlink.FilterAttrs{
 		LinkIndex: e.ifIndex,
 		Parent:    netlink.HANDLE_MIN_EGRESS,
 		Handle:    netlink.MakeHandle(0, 1),
 		Protocol:  unix.ETH_P_ALL,
 		Priority:  1,
 	}
 	filter := &netlink.BpfFilter{
 		FilterAttrs:  filterAttrs,
 		Fd:           objs.bpfPrograms.TcTunFunc.FD(),
 		Name:         "clash-tc-" + e.ifName,
 		DirectAction: true,
 	}
 	if err := netlink.FilterAdd(filter); err != nil {
 		e.Close()
 		return fmt.Errorf("cannot attach ebpf object to filter: %w", err)
 	}
 	e.filter = filter
 	return nil
 }
 func (e *EBpfTC) Close() {
 	if e.filter != nil {
 		_ = netlink.FilterDel(e.filter)
 	}
 	if e.qdisc != nil {
 		_ = netlink.QdiscDel(e.qdisc)
 	}
 	if e.objs != nil {
 		_ = e.objs.Close()
 	}
 	_ = os.Remove(filepath.Join(e.bpfPath, "tc_params_map"))
 }
 func (e *EBpfTC) Lookup(_ netip.AddrPort) (socks5.Addr, error) {
 	return nil, fmt.Errorf("not supported")
 }
--- a/component/http/http.go
+++ b/component/http/http.go
@ -2,8 +2,8 @@ package http
 import (
 	"context"
 	"github.com/Dreamacro/clash/component/tls"
 	"github.com/Dreamacro/clash/listener/inner"
 	"github.com/Dreamacro/clash/log"
 	"io"
 	"net"
 	"net/http"
@ -52,10 +52,10 @@ func HttpRequest(ctx context.Context, url, method string, header map[string][]st
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
 		DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
 			log.Infoln(urlRes.String())
 			conn := inner.HandleTcp(address, urlRes.Hostname())
 			return conn, nil
 		},
 		TLSClientConfig: tls.GetDefaultTLSConfig(),
 	}
 	client := http.Client{Transport: transport}
--- a/component/process/process.go
+++ b/component/process/process.go
@ -2,9 +2,6 @@ package process
 import (
 	"errors"
 	"github.com/Dreamacro/clash/common/nnip"
 	C "github.com/Dreamacro/clash/constant"
 	"net"
 	"net/netip"
 )
@ -12,8 +9,6 @@ var (
 	ErrInvalidNetwork     = errors.New("invalid network")
 	ErrPlatformNotSupport = errors.New("not support on this platform")
 	ErrNotFound           = errors.New("process not found")
 	enableFindProcess = true
 )
 const (
@ -21,10 +16,6 @@ const (
 	UDP = "udp"
 )
 func EnableFindProcess(e bool) {
 	enableFindProcess = e
 }
 func FindProcessName(network string, srcIP netip.Addr, srcPort int) (int32, string, error) {
 	return findProcessName(network, srcIP, srcPort)
 }
@ -36,51 +27,3 @@ func FindUid(network string, srcIP netip.Addr, srcPort int) (int32, error) {
 	}
 	return uid, nil
 }
 func ShouldFindProcess(metadata *C.Metadata) bool {
 	if !enableFindProcess ||
 		metadata.Process != "" ||
 		metadata.ProcessPath != "" {
 		return false
 	}
 	for _, ip := range localIPs {
 		if ip == metadata.SrcIP {
 			return true
 		}
 	}
 	return false
 }
 func AppendLocalIPs(ip ...netip.Addr) {
 	localIPs = append(ip, localIPs...)
 }
 func getLocalIPs() []netip.Addr {
 	ips := []netip.Addr{netip.IPv4Unspecified(), netip.IPv6Unspecified()}
 	netInterfaces, err := net.Interfaces()
 	if err != nil {
 		ips = append(ips, netip.AddrFrom4([4]byte{127, 0, 0, 1}), nnip.IpToAddr(net.IPv6loopback))
 		return ips
 	}
 	for i := 0; i < len(netInterfaces); i++ {
 		if (netInterfaces[i].Flags & net.FlagUp) != 0 {
 			adds, _ := netInterfaces[i].Addrs()
 			for _, address := range adds {
 				if ipNet, ok := address.(*net.IPNet); ok {
 					ips = append(ips, nnip.IpToAddr(ipNet.IP))
 				}
 			}
 		}
 	}
 	return ips
 }
 var localIPs []netip.Addr
 func init() {
 	localIPs = getLocalIPs()
 }
--- a/component/process/process_darwin.go
+++ b/component/process/process_darwin.go
@ -6,8 +6,6 @@ import (
 	"syscall"
 	"unsafe"
 	"github.com/Dreamacro/clash/common/nnip"
 	"golang.org/x/sys/unix"
 )
@ -50,6 +48,8 @@ func findProcessName(network string, ip netip.Addr, port int) (int32, string, er
 		// rup8(sizeof(xtcpcb_n))
 		itemSize += 208
 	}
 	var fallbackUDPProcess string
 	// skip the first xinpgen(24 bytes) block
 	for i := 24; i+itemSize <= len(buf); i += itemSize {
 		// offset of xinpcb_n and xsocket_n
@ -63,26 +63,37 @@ func findProcessName(network string, ip netip.Addr, port int) (int32, string, er
 		// xinpcb_n.inp_vflag
 		flag := buf[inp+44]
-		var srcIP netip.Addr
+		var (
 			srcIP     netip.Addr
 			srcIsIPv4 bool
 		)
 		switch {
 		case flag&0x1 > 0 && isIPv4:
 			// ipv4
-			srcIP = nnip.IpToAddr(buf[inp+76 : inp+80])
+			srcIP, _ = netip.AddrFromSlice(buf[inp+76 : inp+80])
 			srcIsIPv4 = true
 		case flag&0x2 > 0 && !isIPv4:
 			// ipv6
-			srcIP = nnip.IpToAddr(buf[inp+64 : inp+80])
+			srcIP, _ = netip.AddrFromSlice(buf[inp+64 : inp+80])
 		default:
 			continue
 		}
-		if ip != srcIP && (network == TCP || !srcIP.IsUnspecified()) {
+		if ip == srcIP {
-			continue
+			// xsocket_n.so_last_pid
 			pid := readNativeUint32(buf[so+68 : so+72])
 			pp, err := getExecPathFromPID(pid)
 			return -1, pp, err
 		}
-		// xsocket_n.so_last_pid
+		// udp packet connection may be not equal with srcIP
-		pid := readNativeUint32(buf[so+68 : so+72])
+		if network == UDP && srcIP.IsUnspecified() && isIPv4 == srcIsIPv4 {
-		pp, err := getExecPathFromPID(pid)
+			fallbackUDPProcess, _ = getExecPathFromPID(readNativeUint32(buf[so+68 : so+72]))
-		return -1, pp, err
+		}
 	}
 	if network == UDP && fallbackUDPProcess != "" {
 		return -1, fallbackUDPProcess, nil
 	}
 	return -1, "", ErrNotFound
--- a/component/process/process_linux.go
+++ b/component/process/process_linux.go
@ -39,6 +39,7 @@ func findProcessName(network string, ip netip.Addr, srcPort int) (int32, string,
 	if err != nil {
 		return -1, "", err
 	}
 	pp, err := resolveProcessNameByProcSearch(inode, uid)
 	return uid, pp, err
 }
@ -110,7 +111,7 @@ func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (int32,
 		return 0, 0, fmt.Errorf("netlink message: NLMSG_ERROR")
 	}
-	inode, uid := unpackSocketDiagResponse(&message)
+	inode, uid := unpackSocketDiagResponse(&messages[0])
 	if inode < 0 || uid < 0 {
 		return 0, 0, fmt.Errorf("invalid inode(%d) or uid(%d)", inode, uid)
 	}
@ -197,7 +198,6 @@ func resolveProcessNameByProcSearch(inode, uid int32) (string, error) {
 			if err != nil {
 				continue
 			}
 			if runtime.GOOS == "android" {
 				if bytes.Equal(buffer[:n], socket) {
 					cmdline, err := os.ReadFile(path.Join(processPath, "cmdline"))
--- a/component/resolver/resolver.go
+++ b/component/resolver/resolver.go
@ -41,7 +41,6 @@ type Resolver interface {
 	ResolveIPv4(host string) (ip netip.Addr, err error)
 	ResolveIPv6(host string) (ip netip.Addr, err error)
 	ResolveAllIP(host string) (ip []netip.Addr, err error)
 	ResolveAllIPPrimaryIPv4(host string) (ips []netip.Addr, err error)
 	ResolveAllIPv4(host string) (ips []netip.Addr, err error)
 	ResolveAllIPv6(host string) (ips []netip.Addr, err error)
 }
@ -55,7 +54,7 @@ func ResolveIPv4WithResolver(host string, r Resolver) (netip.Addr, error) {
 	if ips, err := ResolveAllIPv4WithResolver(host, r); err == nil {
 		return ips[rand.Intn(len(ips))], nil
 	} else {
-		return netip.Addr{}, nil
+		return netip.Addr{}, err
 	}
 }
@ -74,10 +73,10 @@ func ResolveIPv6WithResolver(host string, r Resolver) (netip.Addr, error) {
 // ResolveIPWithResolver same as ResolveIP, but with a resolver
 func ResolveIPWithResolver(host string, r Resolver) (netip.Addr, error) {
-	if ips, err := ResolveAllIPPrimaryIPv4WithResolver(host, r); err == nil {
+	if ip, err := ResolveIPv4WithResolver(host, r); err == nil {
-		return ips[rand.Intn(len(ips))], nil
+		return ip, nil
 	} else {
-		return netip.Addr{}, err
+		return ResolveIPv6WithResolver(host, r)
 	}
 }
@ -95,7 +94,6 @@ func ResolveIPv4ProxyServerHost(host string) (netip.Addr, error) {
 			return ip, nil
 		}
 	}
 	return ResolveIPv4(host)
 }
@ -108,7 +106,6 @@ func ResolveIPv6ProxyServerHost(host string) (netip.Addr, error) {
 			return ip, nil
 		}
 	}
 	return ResolveIPv6(host)
 }
@ -121,7 +118,6 @@ func ResolveProxyServerHost(host string) (netip.Addr, error) {
 			return ip, err
 		}
 	}
 	return ResolveIP(host)
 }
@ -160,7 +156,6 @@ func ResolveAllIPv6WithResolver(host string, r Resolver) ([]netip.Addr, error) {
 		return []netip.Addr{netip.AddrFrom16(*(*[16]byte)(ipAddrs[rand.Intn(len(ipAddrs))]))}, nil
 	}
 	return []netip.Addr{}, ErrIPNotFound
 }
@ -173,7 +168,7 @@ func ResolveAllIPv4WithResolver(host string, r Resolver) ([]netip.Addr, error) {
 	ip, err := netip.ParseAddr(host)
 	if err == nil {
-		if ip.Is4() {
+		if ip.Is4() || ip.Is4In6() {
 			return []netip.Addr{ip}, nil
 		}
 		return []netip.Addr{}, ErrIPVersion
@ -200,7 +195,6 @@ func ResolveAllIPv4WithResolver(host string, r Resolver) ([]netip.Addr, error) {
 		return []netip.Addr{netip.AddrFrom4(*(*[4]byte)(ip))}, nil
 	}
 	return []netip.Addr{}, ErrIPNotFound
 }
@ -209,6 +203,11 @@ func ResolveAllIPWithResolver(host string, r Resolver) ([]netip.Addr, error) {
 		return []netip.Addr{node.Data}, nil
 	}
 	ip, err := netip.ParseAddr(host)
 	if err == nil {
 		return []netip.Addr{ip}, nil
 	}
 	if r != nil {
 		if DisableIPv6 {
 			return r.ResolveAllIPv4(host)
@ -219,11 +218,6 @@ func ResolveAllIPWithResolver(host string, r Resolver) ([]netip.Addr, error) {
 		return ResolveAllIPv4(host)
 	}
 	ip, err := netip.ParseAddr(host)
 	if err == nil {
 		return []netip.Addr{ip}, nil
 	}
 	if DefaultResolver == nil {
 		ipAddr, err := net.ResolveIPAddr("ip", host)
 		if err != nil {
@ -232,39 +226,6 @@ func ResolveAllIPWithResolver(host string, r Resolver) ([]netip.Addr, error) {
 		return []netip.Addr{nnip.IpToAddr(ipAddr.IP)}, nil
 	}
 	return []netip.Addr{}, ErrIPNotFound
 }
 func ResolveAllIPPrimaryIPv4WithResolver(host string, r Resolver) ([]netip.Addr, error) {
 	if node := DefaultHosts.Search(host); node != nil {
 		return []netip.Addr{node.Data}, nil
 	}
 	if r != nil {
 		if DisableIPv6 {
 			return r.ResolveAllIPv4(host)
 		}
 		return r.ResolveAllIPPrimaryIPv4(host)
 	} else if DisableIPv6 {
 		return ResolveAllIPv4(host)
 	}
 	ip, err := netip.ParseAddr(host)
 	if err == nil {
 		return []netip.Addr{ip}, nil
 	}
 	if DefaultResolver == nil {
 		ipAddr, err := net.ResolveIPAddr("ip", host)
 		if err != nil {
 			return []netip.Addr{}, err
 		}
 		return []netip.Addr{nnip.IpToAddr(ipAddr.IP)}, nil
 	}
 	return []netip.Addr{}, ErrIPNotFound
 }
@ -284,7 +245,6 @@ func ResolveAllIPv6ProxyServerHost(host string) ([]netip.Addr, error) {
 	if ProxyServerHostResolver != nil {
 		return ResolveAllIPv6WithResolver(host, ProxyServerHostResolver)
 	}
 	return ResolveAllIPv6(host)
 }
@ -292,7 +252,6 @@ func ResolveAllIPv4ProxyServerHost(host string) ([]netip.Addr, error) {
 	if ProxyServerHostResolver != nil {
 		return ResolveAllIPv4WithResolver(host, ProxyServerHostResolver)
 	}
 	return ResolveAllIPv4(host)
 }
@ -300,6 +259,5 @@ func ResolveAllIPProxyServerHost(host string) ([]netip.Addr, error) {
 	if ProxyServerHostResolver != nil {
 		return ResolveAllIPWithResolver(host, ProxyServerHostResolver)
 	}
 	return ResolveAllIP(host)
 }
--- a/component/resource/fetcher.go
+++ b/component/resource/fetcher.go
@ -1,4 +1,4 @@
-package provider
+package resource
 import (
 	"bytes"
@ -16,45 +16,45 @@ var (
 	dirMode  os.FileMode = 0o755
 )
-type parser[V any] func([]byte) (V, error)
+type Parser[V any] func([]byte) (V, error)
-type fetcher[V any] struct {
+type Fetcher[V any] struct {
-	name      string
+	resourceType string
-	vehicle   types.Vehicle
+	name         string
-	updatedAt *time.Time
+	vehicle      types.Vehicle
-	ticker    *time.Ticker
+	UpdatedAt    *time.Time
-	done      chan struct{}
+	ticker       *time.Ticker
-	hash      [16]byte
+	done         chan struct{}
-	parser    parser[V]
+	hash         [16]byte
-	interval  time.Duration
+	parser       Parser[V]
-	onUpdate  func(V)
+	interval     time.Duration
 	OnUpdate     func(V)
 }
-func (f *fetcher[V]) Name() string {
+func (f *Fetcher[V]) Name() string {
 	return f.name
 }
-func (f *fetcher[V]) VehicleType() types.VehicleType {
+func (f *Fetcher[V]) VehicleType() types.VehicleType {
 	return f.vehicle.Type()
 }
-func (f *fetcher[V]) Initial() (V, error) {
+func (f *Fetcher[V]) Initial() (V, error) {
 	var (
-		buf     []byte
+		buf         []byte
-		err     error
+		err         error
-		isLocal bool
+		isLocal     bool
 		forceUpdate bool
 	)
 	if stat, fErr := os.Stat(f.vehicle.Path()); fErr == nil {
 		buf, err = os.ReadFile(f.vehicle.Path())
 		modTime := stat.ModTime()
-		f.updatedAt = &modTime
+		f.UpdatedAt = &modTime
 		isLocal = true
 		if f.interval != 0 && modTime.Add(f.interval).Before(time.Now()) {
-			defer func() {
+			log.Infoln("[Provider] %s not updated for a long time, force refresh", f.Name())
-				log.Infoln("[Provider] %s's proxies not updated for a long time, force refresh", f.Name())
+			forceUpdate = true
 				go f.Update()
 			}()
 		}
 	} else {
 		buf, err = f.vehicle.Read()
@ -64,7 +64,21 @@ func (f *fetcher[V]) Initial() (V, error) {
 		return getZero[V](), err
 	}
-	proxies, err := f.parser(buf)
+	var contents V
 	if forceUpdate {
 		var forceBuf []byte
 		if forceBuf, err = f.vehicle.Read(); err == nil {
 			if contents, err = f.parser(forceBuf); err == nil {
 				isLocal = false
 				buf = forceBuf
 			}
 		}
 	}
 	if err != nil || !forceUpdate {
 		contents, err = f.parser(buf)
 	}
 	if err != nil {
 		if !isLocal {
 			return getZero[V](), err
@ -76,7 +90,7 @@ func (f *fetcher[V]) Initial() (V, error) {
 			return getZero[V](), err
 		}
-		proxies, err = f.parser(buf)
+		contents, err = f.parser(buf)
 		if err != nil {
 			return getZero[V](), err
 		}
@ -92,15 +106,15 @@ func (f *fetcher[V]) Initial() (V, error) {
 	f.hash = md5.Sum(buf)
-	// pull proxies automatically
+	// pull contents automatically
 	if f.ticker != nil {
 		go f.pullLoop()
 	}
-	return proxies, nil
+	return contents, nil
 }
-func (f *fetcher[V]) Update() (V, bool, error) {
+func (f *Fetcher[V]) Update() (V, bool, error) {
 	buf, err := f.vehicle.Read()
 	if err != nil {
 		return getZero[V](), false, err
@ -109,12 +123,12 @@ func (f *fetcher[V]) Update() (V, bool, error) {
 	now := time.Now()
 	hash := md5.Sum(buf)
 	if bytes.Equal(f.hash[:], hash[:]) {
-		f.updatedAt = &now
+		f.UpdatedAt = &now
-		os.Chtimes(f.vehicle.Path(), now, now)
+		_ = os.Chtimes(f.vehicle.Path(), now, now)
 		return getZero[V](), true, nil
 	}
-	proxies, err := f.parser(buf)
+	contents, err := f.parser(buf)
 	if err != nil {
 		return getZero[V](), false, err
 	}
@ -125,20 +139,20 @@ func (f *fetcher[V]) Update() (V, bool, error) {
 		}
 	}
-	f.updatedAt = &now
+	f.UpdatedAt = &now
 	f.hash = hash
-	return proxies, false, nil
+	return contents, false, nil
 }
-func (f *fetcher[V]) Destroy() error {
+func (f *Fetcher[V]) Destroy() error {
 	if f.ticker != nil {
 		f.done <- struct{}{}
 	}
 	return nil
 }
-func (f *fetcher[V]) pullLoop() {
+func (f *Fetcher[V]) pullLoop() {
 	for {
 		select {
 		case <-f.ticker.C:
@ -149,13 +163,13 @@ func (f *fetcher[V]) pullLoop() {
 			}
 			if same {
-				log.Debugln("[Provider] %s's proxies doesn't change", f.Name())
+				log.Debugln("[Provider] %s's content doesn't change", f.Name())
 				continue
 			}
-			log.Infoln("[Provider] %s's proxies update", f.Name())
+			log.Infoln("[Provider] %s's content update", f.Name())
-			if f.onUpdate != nil {
+			if f.OnUpdate != nil {
-				f.onUpdate(elm)
+				f.OnUpdate(elm)
 			}
 		case <-f.done:
 			f.ticker.Stop()
@ -176,19 +190,20 @@ func safeWrite(path string, buf []byte) error {
 	return os.WriteFile(path, buf, fileMode)
 }
-func newFetcher[V any](name string, interval time.Duration, vehicle types.Vehicle, parser parser[V], onUpdate func(V)) *fetcher[V] {
+func NewFetcher[V any](name string, interval time.Duration, vehicle types.Vehicle, parser Parser[V], onUpdate func(V)) *Fetcher[V] {
 	var ticker *time.Ticker
 	if interval != 0 {
 		ticker = time.NewTicker(interval)
 	}
-	return &fetcher[V]{
+	return &Fetcher[V]{
 		name:     name,
 		ticker:   ticker,
 		vehicle:  vehicle,
 		parser:   parser,
 		done:     make(chan struct{}, 1),
-		onUpdate: onUpdate,
+		OnUpdate: onUpdate,
 		interval: interval,
 	}
 }
--- a/component/resource/vehicle.go
+++ b/component/resource/vehicle.go
@ -1,4 +1,4 @@
-package provider
+package resource
 import (
 	"context"
--- a/component/sniffer/dispatcher.go
+++ b/component/sniffer/dispatcher.go
@ -12,7 +12,6 @@ import (
 	CN "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/common/utils"
 	"github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
 )
@ -84,8 +83,7 @@ func (sd *SnifferDispatcher) replaceDomain(metadata *C.Metadata, host string) {
 	metadata.AddrType = C.AtypDomainName
 	metadata.Host = host
-	metadata.DNSMode = C.DNSMapping
+	metadata.DNSMode = C.DNSNormal
 	resolver.InsertHostByIP(metadata.DstIP, host)
 }
 func (sd *SnifferDispatcher) Enable() bool {
--- a/component/sniffer/http_sniffer.go
+++ b/component/sniffer/http_sniffer.go
@ -3,6 +3,7 @@ package sniffer
 import (
 	"bytes"
 	"errors"
 	"fmt"
 	C "github.com/Dreamacro/clash/constant"
 	"net"
 	"strings"
@ -88,13 +89,32 @@ func SniffHTTP(b []byte) (*string, error) {
 			host, _, err := net.SplitHostPort(rawHost)
 			if err != nil {
 				if addrError, ok := err.(*net.AddrError); ok && strings.Contains(addrError.Err, "missing port") {
-					host = rawHost
+					return parseHost(rawHost)
 				} else {
 					return nil, err
 				}
 			}
 			if net.ParseIP(host) != nil {
 				return nil, fmt.Errorf("host is ip")
 			}
 			return &host, nil
 		}
 	}
 	return nil, ErrNoClue
 }
 func parseHost(host string) (*string, error) {
 	if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") {
 		if net.ParseIP(host[1:len(host)-1]) != nil {
 			return nil, fmt.Errorf("host is ip")
 		}
 	}
 	if net.ParseIP(host) != nil {
 		return nil, fmt.Errorf("host is ip")
 	}
 	return &host, nil
 }
--- a/component/tls/config.go
+++ b/component/tls/config.go
@ -0,0 +1,140 @@
 package tls
 import (
 	"bytes"
 	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/hex"
 	"fmt"
 	xtls "github.com/xtls/go"
 	"sync"
 	"time"
 )
 var globalFingerprints [][32]byte
 var mutex sync.Mutex
 func verifyPeerCertificateAndFingerprints(fingerprints [][32]byte, insecureSkipVerify bool) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
 	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
 		if insecureSkipVerify {
 			return nil
 		}
 		var preErr error
 		for i := range rawCerts {
 			rawCert := rawCerts[i]
 			cert, err := x509.ParseCertificate(rawCert)
 			if err == nil {
 				opts := x509.VerifyOptions{
 					CurrentTime: time.Now(),
 				}
 				if _, err := cert.Verify(opts); err == nil {
 					return nil
 				} else {
 					fingerprint := sha256.Sum256(cert.Raw)
 					for _, fp := range fingerprints {
 						if bytes.Equal(fingerprint[:], fp[:]) {
 							return nil
 						}
 					}
 					preErr = err
 				}
 			}
 		}
 		return preErr
 	}
 }
 func AddCertFingerprint(fingerprint string) error {
 	fpByte, err2 := convertFingerprint(fingerprint)
 	if err2 != nil {
 		return err2
 	}
 	mutex.Lock()
 	globalFingerprints = append(globalFingerprints, *fpByte)
 	mutex.Unlock()
 	return nil
 }
 func convertFingerprint(fingerprint string) (*[32]byte, error) {
 	fpByte, err := hex.DecodeString(fingerprint)
 	if err != nil {
 		return nil, err
 	}
 	if len(fpByte) != 32 {
 		return nil, fmt.Errorf("fingerprint string length error,need sha25 fingerprint")
 	}
 	return (*[32]byte)(fpByte), nil
 }
 func GetDefaultTLSConfig() *tls.Config {
 	return GetGlobalFingerprintTLCConfig(nil)
 }
 // GetSpecifiedFingerprintTLSConfig specified fingerprint
 func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string) (*tls.Config, error) {
 	if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {
 		return nil, err
 	} else {
 		if tlsConfig == nil {
 			return &tls.Config{
 				InsecureSkipVerify:    true,
 				VerifyPeerCertificate: verifyPeerCertificateAndFingerprints([][32]byte{*fingerprintBytes}, false),
 			}, nil
 		} else {
 			tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints([][32]byte{*fingerprintBytes}, tlsConfig.InsecureSkipVerify)
 			tlsConfig.InsecureSkipVerify = true
 			return tlsConfig, nil
 		}
 	}
 }
 func GetGlobalFingerprintTLCConfig(tlsConfig *tls.Config) *tls.Config {
 	if tlsConfig == nil {
 		return &tls.Config{
 			InsecureSkipVerify:    true,
 			VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(globalFingerprints, false),
 		}
 	}
 	tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(globalFingerprints, tlsConfig.InsecureSkipVerify)
 	tlsConfig.InsecureSkipVerify = true
 	return tlsConfig
 }
 // GetSpecifiedFingerprintXTLSConfig specified fingerprint
 func GetSpecifiedFingerprintXTLSConfig(tlsConfig *xtls.Config, fingerprint string) (*xtls.Config, error) {
 	if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {
 		return nil, err
 	} else {
 		if tlsConfig == nil {
 			return &xtls.Config{
 				InsecureSkipVerify:    true,
 				VerifyPeerCertificate: verifyPeerCertificateAndFingerprints([][32]byte{*fingerprintBytes}, false),
 			}, nil
 		} else {
 			tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints([][32]byte{*fingerprintBytes}, tlsConfig.InsecureSkipVerify)
 			tlsConfig.InsecureSkipVerify = true
 			return tlsConfig, nil
 		}
 	}
 }
 func GetGlobalFingerprintXTLCConfig(tlsConfig *xtls.Config) *xtls.Config {
 	if tlsConfig == nil {
 		return &xtls.Config{
 			InsecureSkipVerify:    true,
 			VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(globalFingerprints, false),
 		}
 	}
 	tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(globalFingerprints, tlsConfig.InsecureSkipVerify)
 	tlsConfig.InsecureSkipVerify = true
 	return tlsConfig
 }
--- a/config/config.go
+++ b/config/config.go
@ -36,7 +36,7 @@ import (
 	"github.com/Dreamacro/clash/log"
 	T "github.com/Dreamacro/clash/tunnel"
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 )
 // General config
@ -55,6 +55,7 @@ type General struct {
 	EnableProcess bool         `json:"enable-process"`
 	Tun           Tun          `json:"tun"`
 	Sniffing      bool         `json:"sniffing"`
 	EBpf          EBpf         `json:"-"`
 }
 // Inbound config
@ -67,6 +68,7 @@ type Inbound struct {
 	Authentication []string `json:"authentication"`
 	AllowLan       bool     `json:"allow-lan"`
 	BindAddress    string   `json:"bind-address"`
 	InboundTfo     bool     `json:"inbound-tfo"`
 }
 // Controller config
@ -79,6 +81,7 @@ type Controller struct {
 // DNS config
 type DNS struct {
 	Enable                bool             `yaml:"enable"`
 	PreferH3              bool             `yaml:"prefer-h3"`
 	IPv6                  bool             `yaml:"ipv6"`
 	NameServer            []dns.NameServer `yaml:"nameserver"`
 	Fallback              []dns.NameServer `yaml:"fallback"`
@ -116,6 +119,7 @@ type Tun struct {
 	AutoRoute           bool             `yaml:"auto-route" json:"auto-route"`
 	AutoDetectInterface bool             `yaml:"auto-detect-interface" json:"auto-detect-interface"`
 	TunAddressPrefix    netip.Prefix     `yaml:"-" json:"-"`
 	RedirectToTun       []string         `yaml:"-" json:"-"`
 }
 // IPTables config
@ -135,7 +139,9 @@ type Sniffer struct {
 }
 // Experimental config
-type Experimental struct{}
+type Experimental struct {
 	Fingerprints []string `yaml:"fingerprints"`
 }
 // Config is clash config manager
 type Config struct {
@ -156,6 +162,7 @@ type Config struct {
 type RawDNS struct {
 	Enable                bool              `yaml:"enable"`
 	PreferH3              bool              `yaml:"prefer-h3"`
 	IPv6                  bool              `yaml:"ipv6"`
 	UseHosts              bool              `yaml:"use-hosts"`
 	NameServer            []string          `yaml:"nameserver"`
@ -185,6 +192,7 @@ type RawTun struct {
 	DNSHijack           []string   `yaml:"dns-hijack" json:"dns-hijack"`
 	AutoRoute           bool       `yaml:"auto-route" json:"auto-route"`
 	AutoDetectInterface bool       `yaml:"auto-detect-interface"`
 	RedirectToTun       []string   `yaml:"-" json:"-"`
 }
 type RawConfig struct {
@ -193,6 +201,7 @@ type RawConfig struct {
 	RedirPort          int          `yaml:"redir-port"`
 	TProxyPort         int          `yaml:"tproxy-port"`
 	MixedPort          int          `yaml:"mixed-port"`
 	InboundTfo         bool         `yaml:"inbound-tfo"`
 	Authentication     []string     `yaml:"authentication"`
 	AllowLan           bool         `yaml:"allow-lan"`
 	BindAddress        string       `yaml:"bind-address"`
@ -216,6 +225,7 @@ type RawConfig struct {
 	Hosts         map[string]string         `yaml:"hosts"`
 	DNS           RawDNS                    `yaml:"dns"`
 	Tun           RawTun                    `yaml:"tun"`
 	EBpf          EBpf                      `yaml:"ebpf"`
 	IPTables      IPTables                  `yaml:"iptables"`
 	Experimental  Experimental              `yaml:"experimental"`
 	Profile       Profile                   `yaml:"profile"`
@ -239,6 +249,18 @@ type RawSniffer struct {
 	Ports       []string `yaml:"port-whitelist" json:"port-whitelist"`
 }
 // EBpf config
 type EBpf struct {
 	RedirectToTun []string `yaml:"redirect-to-tun" json:"redirect-to-tun"`
 	AutoRedir     []string `yaml:"auto-redir" json:"auto-redir"`
 }
 var (
 	GroupsList             = list.New()
 	ProxiesList            = list.New()
 	ParsingProxiesCallback func(groupsList *list.List, proxiesList *list.List)
 )
 // Parse config
 func Parse(buf []byte) (*Config, error) {
 	rawCfg, err := UnmarshalRawConfig(buf)
@ -254,6 +276,7 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 	rawCfg := &RawConfig{
 		AllowLan:       false,
 		BindAddress:    "*",
 		IPv6:           true,
 		Mode:           T.Rule,
 		GeodataMode:    C.GeodataMode,
 		GeodataLoader:  "memconservative",
@ -265,7 +288,7 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 		Proxy:          []map[string]any{},
 		ProxyGroup:     []map[string]any{},
 		TCPConcurrent:  false,
-		EnableProcess:  true,
+		EnableProcess:  false,
 		Tun: RawTun{
 			Enable:              false,
 			Device:              "",
@ -274,6 +297,10 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 			AutoRoute:           false,
 			AutoDetectInterface: false,
 		},
 		EBpf: EBpf{
 			RedirectToTun: []string{},
 			AutoRedir:     []string{},
 		},
 		IPTables: IPTables{
 			Enable:           false,
 			InboundInterface: "lo",
@ -281,6 +308,7 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 		},
 		DNS: RawDNS{
 			Enable:       false,
 			IPv6:         false,
 			UseHosts:     true,
 			EnhancedMode: C.DNSMapping,
 			FakeIPRange:  "198.18.0.1/16",
@ -401,7 +429,7 @@ func parseGeneral(cfg *RawConfig) (*General, error) {
 			return nil, fmt.Errorf("external-ui: %s not exist", externalUI)
 		}
 	}
-
+	cfg.Tun.RedirectToTun = cfg.EBpf.RedirectToTun
 	return &General{
 		Inbound: Inbound{
 			Port:        cfg.Port,
@ -411,6 +439,7 @@ func parseGeneral(cfg *RawConfig) (*General, error) {
 			MixedPort:   cfg.MixedPort,
 			AllowLan:    cfg.AllowLan,
 			BindAddress: cfg.BindAddress,
 			InboundTfo:  cfg.InboundTfo,
 		},
 		Controller: Controller{
 			ExternalController: cfg.ExternalController,
@ -427,6 +456,7 @@ func parseGeneral(cfg *RawConfig) (*General, error) {
 		GeodataLoader: cfg.GeodataLoader,
 		TCPConcurrent: cfg.TCPConcurrent,
 		EnableProcess: cfg.EnableProcess,
 		EBpf:          cfg.EBpf,
 	}, nil
 }
@ -524,7 +554,12 @@ func parseProxies(cfg *RawConfig) (proxies map[string]C.Proxy, providersMap map[
 		[]providerTypes.ProxyProvider{pd},
 	)
 	proxies["GLOBAL"] = adapter.NewProxy(global)
-
+	ProxiesList = proxiesList
 	GroupsList = groupsList
 	if ParsingProxiesCallback != nil {
 		// refresh tray menu
 		go ParsingProxiesCallback(GroupsList, ProxiesList)
 	}
 	return proxies, providersMap, nil
 }
@ -647,7 +682,8 @@ func parseNameServer(servers []string) ([]dns.NameServer, error) {
 			return nil, fmt.Errorf("DNS NameServer[%d] format error: %s", idx, err.Error())
 		}
-		var addr, dnsNetType string
+		var addr, dnsNetType, proxyAdapter string
 		params := map[string]string{}
 		switch u.Scheme {
 		case "udp":
 			addr, err = hostWithDefaultPort(u.Host, "53")
@ -662,11 +698,25 @@ func parseNameServer(servers []string) ([]dns.NameServer, error) {
 			clearURL := url.URL{Scheme: "https", Host: u.Host, Path: u.Path}
 			addr = clearURL.String()
 			dnsNetType = "https" // DNS over HTTPS
 			if len(u.Fragment) != 0 {
 				for _, s := range strings.Split(u.Fragment, "&") {
 					arr := strings.Split(s, "=")
 					if len(arr) == 0 {
 						continue
 					} else if len(arr) == 1 {
 						proxyAdapter = arr[0]
 					} else if len(arr) == 2 {
 						params[arr[0]] = arr[1]
 					} else {
 						params[arr[0]] = strings.Join(arr[1:], "=")
 					}
 				}
 			}
 		case "dhcp":
 			addr = u.Host
 			dnsNetType = "dhcp" // UDP from DHCP
 		case "quic":
-			addr, err = hostWithDefaultPort(u.Host, "784")
+			addr, err = hostWithDefaultPort(u.Host, "853")
 			dnsNetType = "quic" // DNS over QUIC
 		default:
 			return nil, fmt.Errorf("DNS NameServer[%d] unsupport scheme: %s", idx, u.Scheme)
@ -681,8 +731,9 @@ func parseNameServer(servers []string) ([]dns.NameServer, error) {
 			dns.NameServer{
 				Net:          dnsNetType,
 				Addr:         addr,
-				ProxyAdapter: u.Fragment,
+				ProxyAdapter: proxyAdapter,
 				Interface:    dialer.DefaultInterface,
 				Params:       params,
 			},
 		)
 	}
@ -764,6 +815,7 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[netip.Addr], rules []C.R
 	dnsCfg := &DNS{
 		Enable:       cfg.Enable,
 		Listen:       cfg.Listen,
 		PreferH3:     cfg.PreferH3,
 		IPv6:         cfg.IPv6,
 		EnhancedMode: cfg.EnhancedMode,
 		FallbackFilter: FallbackFilter{
@ -799,8 +851,10 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[netip.Addr], rules []C.R
 		host, _, err := net.SplitHostPort(ns.Addr)
 		if err != nil || net.ParseIP(host) == nil {
 			u, err := url.Parse(ns.Addr)
-			if err != nil || net.ParseIP(u.Host) == nil {
+			if err == nil && net.ParseIP(u.Host) == nil {
-				return nil, errors.New("default nameserver should be pure IP")
+				if ip, _, err := net.SplitHostPort(u.Host); err != nil || net.ParseIP(ip) == nil {
 					return nil, errors.New("default nameserver should be pure IP")
 				}
 			}
 		}
 	}
@ -918,6 +972,7 @@ func parseTun(rawTun RawTun, general *General, dnsCfg *DNS) (*Tun, error) {
 		AutoRoute:           rawTun.AutoRoute,
 		AutoDetectInterface: rawTun.AutoDetectInterface,
 		TunAddressPrefix:    tunAddressPrefix,
 		RedirectToTun:       rawTun.RedirectToTun,
 	}, nil
 }
@ -928,7 +983,8 @@ func parseSniffer(snifferRaw RawSniffer) (*Sniffer, error) {
 	var ports []utils.Range[uint16]
 	if len(snifferRaw.Ports) == 0 {
-		ports = append(ports, *utils.NewRange[uint16](0, 65535))
+		ports = append(ports, *utils.NewRange[uint16](80, 80))
 		ports = append(ports, *utils.NewRange[uint16](443, 443))
 	} else {
 		for _, portRange := range snifferRaw.Ports {
 			portRaws := strings.Split(portRange, "-")
--- a/config/updateGeo.go
+++ b/config/updateGeo.go
@ -6,8 +6,9 @@ import (
 	_ "github.com/Dreamacro/clash/component/geodata/standard"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/oschwald/geoip2-golang"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"os"
 	"runtime"
 )
@ -72,9 +73,9 @@ func downloadForBytes(url string) ([]byte, error) {
 	}
 	defer resp.Body.Close()
-	return ioutil.ReadAll(resp.Body)
+	return io.ReadAll(resp.Body)
 }
 func saveFile(bytes []byte, path string) error {
-	return ioutil.WriteFile(path, bytes, 0o644)
+	return os.WriteFile(path, bytes, 0o644)
 }
--- a/constant/adapters.go
+++ b/constant/adapters.go
@ -30,6 +30,7 @@ const (
 	Vmess
 	Vless
 	Trojan
 	Hysteria
 )
 const (
@ -161,6 +162,8 @@ func (at AdapterType) String() string {
 		return "Vless"
 	case Trojan:
 		return "Trojan"
 	case Hysteria:
 		return "Hysteria"
 	case Relay:
 		return "Relay"
--- a/constant/dns.go
+++ b/constant/dns.go
@ -68,3 +68,46 @@ func (e DNSMode) String() string {
 		return "unknown"
 	}
 }
 type DNSPrefer int
 const (
 	DualStack DNSPrefer = iota
 	IPv4Only
 	IPv6Only
 	IPv4Prefer
 	IPv6Prefer
 )
 var dnsPreferMap = map[string]DNSPrefer{
 	DualStack.String():  DualStack,
 	IPv4Only.String():   IPv4Only,
 	IPv6Only.String():   IPv6Only,
 	IPv4Prefer.String(): IPv4Prefer,
 	IPv6Prefer.String(): IPv6Prefer,
 }
 func (d DNSPrefer) String() string {
 	switch d {
 	case DualStack:
 		return "dual"
 	case IPv4Only:
 		return "ipv4"
 	case IPv6Only:
 		return "ipv6"
 	case IPv4Prefer:
 		return "ipv4-prefer"
 	case IPv6Prefer:
 		return "ipv6-prefer"
 	default:
 		return "dual"
 	}
 }
 func NewDNSPrefer(prefer string) DNSPrefer {
 	if p, ok := dnsPreferMap[prefer]; ok {
 		return p
 	} else {
 		return DualStack
 	}
 }
--- a/constant/ebpf.go
+++ b/constant/ebpf.go
@ -0,0 +1,20 @@
 package constant
 import (
 	"net/netip"
 	"github.com/Dreamacro/clash/transport/socks5"
 )
 const (
 	BpfFSPath = "/sys/fs/bpf/clash"
 	TcpAutoRedirPort = 't'<<8 | 'r'<<0
 	ClashTrafficMark = 'c'<<24 | 'l'<<16 | 't'<<8 | 'm'<<0
 )
 type EBpf interface {
 	Start() error
 	Close()
 	Lookup(srcAddrPort netip.AddrPort) (socks5.Addr, error)
 }
--- a/constant/path.go
+++ b/constant/path.go
@ -1,7 +1,6 @@
 package constant
 import (
 	"io/ioutil"
 	"os"
 	P "path"
 	"path/filepath"
@ -58,7 +57,7 @@ func (p *path) Resolve(path string) string {
 }
 func (p *path) MMDB() string {
-	files, err := ioutil.ReadDir(p.homeDir)
+	files, err := os.ReadDir(p.homeDir)
 	if err != nil {
 		return ""
 	}
@ -85,7 +84,7 @@ func (p *path) Cache() string {
 }
 func (p *path) GeoIP() string {
-	files, err := ioutil.ReadDir(p.homeDir)
+	files, err := os.ReadDir(p.homeDir)
 	if err != nil {
 		return ""
 	}
@ -104,7 +103,7 @@ func (p *path) GeoIP() string {
 }
 func (p *path) GeoSite() string {
-	files, err := ioutil.ReadDir(p.homeDir)
+	files, err := os.ReadDir(p.homeDir)
 	if err != nil {
 		return ""
 	}
--- a/constant/provider/interface.go
+++ b/constant/provider/interface.go
@ -68,7 +68,7 @@ type ProxyProvider interface {
 	Proxies() []C.Proxy
 	Touch()
 	HealthCheck()
-	Version() uint
+	Version() uint32
 }
 // Rule Type
--- a/constant/rule.go
+++ b/constant/rule.go
@ -83,6 +83,4 @@ type Rule interface {
 	Payload() string
 	ShouldResolveIP() bool
 	ShouldFindProcess() bool
 	RuleExtra() *RuleExtra
 	SetRuleExtra(re *RuleExtra)
 }
--- a/constant/rule_extra.go
+++ b/constant/rule_extra.go
@ -1,48 +1,9 @@
 package constant
 import (
 	"net/netip"
 	"strings"
 	"github.com/Dreamacro/clash/component/geodata/router"
 )
 type RuleExtra struct {
 	Network      NetWork
 	SourceIPs    []*netip.Prefix
 	ProcessNames []string
 }
 func (re *RuleExtra) NotMatchNetwork(network NetWork) bool {
 	return re.Network != ALLNet && re.Network != network
 }
 func (re *RuleExtra) NotMatchSourceIP(srcIP netip.Addr) bool {
 	if re.SourceIPs == nil {
 		return false
 	}
 	for _, ips := range re.SourceIPs {
 		if ips.Contains(srcIP) {
 			return false
 		}
 	}
 	return true
 }
 func (re *RuleExtra) NotMatchProcessName(processName string) bool {
 	if re.ProcessNames == nil {
 		return false
 	}
 	for _, pn := range re.ProcessNames {
 		if strings.EqualFold(pn, processName) {
 			return false
 		}
 	}
 	return true
 }
 type RuleGeoSite interface {
 	GetDomainMatcher() *router.DomainMatcher
 }
--- a/context/conn.go
+++ b/context/conn.go
@ -1,9 +1,9 @@
 package context
 import (
 	CN "github.com/Dreamacro/clash/common/net"
 	"net"
 	CN "github.com/Dreamacro/clash/common/net"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/gofrs/uuid"
 )
@ -16,6 +16,7 @@ type ConnContext struct {
 func NewConnContext(conn net.Conn, metadata *C.Metadata) *ConnContext {
 	id, _ := uuid.NewV4()
 	return &ConnContext{
 		id:       id,
 		metadata: metadata,
--- a/dns/client.go
+++ b/dns/client.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	"go.uber.org/atomic"
 	"net"
 	"net/netip"
@ -77,7 +78,7 @@ func (c *client) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error)
 	ch := make(chan result, 1)
 	go func() {
 		if strings.HasSuffix(c.Client.Net, "tls") {
-			conn = tls.Client(conn, c.Client.TLSConfig)
+			conn = tls.Client(conn, tlsC.GetGlobalFingerprintTLCConfig(c.Client.TLSConfig))
 		}
 		msg, _, err := c.Client.ExchangeWithConn(m, &D.Conn{
--- a/dns/doh.go
+++ b/dns/doh.go
@ -3,14 +3,18 @@ package dns
 import (
 	"bytes"
 	"context"
 	"crypto/tls"
 	"fmt"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/resolver"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	"github.com/lucas-clemente/quic-go"
 	"github.com/lucas-clemente/quic-go/http3"
 	D "github.com/miekg/dns"
 	"io"
 	"net"
 	"net/http"
-
+	"strconv"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/resolver"
 	D "github.com/miekg/dns"
 )
 const (
@ -19,9 +23,8 @@ const (
 )
 type dohClient struct {
-	url          string
+	url       string
-	proxyAdapter string
+	transport http.RoundTripper
 	transport    *http.Transport
 }
 func (dc *dohClient) Exchange(m *D.Msg) (msg *D.Msg, err error) {
@ -63,28 +66,75 @@ func (dc *dohClient) newRequest(m *D.Msg) (*http.Request, error) {
 	return req, nil
 }
-func (dc *dohClient) doRequest(req *http.Request) (*D.Msg, error) {
+func (dc *dohClient) doRequest(req *http.Request) (msg *D.Msg, err error) {
 	client := &http.Client{Transport: dc.transport}
 	resp, err := client.Do(req)
 	if err != nil {
 		return nil, err
 	}
 	defer resp.Body.Close()
 	buf, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
-	msg := &D.Msg{}
+	msg = &D.Msg{}
 	err = msg.Unpack(buf)
 	return msg, err
 }
-func newDoHClient(url string, r *Resolver, proxyAdapter string) *dohClient {
+func newDoHClient(url string, r *Resolver, params map[string]string, proxyAdapter string) *dohClient {
-	return &dohClient{
+	useH3 := params["h3"] == "true"
-		url:          url,
+	TLCConfig := tlsC.GetDefaultTLSConfig()
-		proxyAdapter: proxyAdapter,
+	var transport http.RoundTripper
-		transport: &http.Transport{
+	if useH3 {
 		transport = &http3.RoundTripper{
 			Dial: func(ctx context.Context, addr string, tlsCfg *tls.Config, cfg *quic.Config) (quic.EarlyConnection, error) {
 				host, port, err := net.SplitHostPort(addr)
 				if err != nil {
 					return nil, err
 				}
 				ip, err := resolver.ResolveIPWithResolver(host, r)
 				if err != nil {
 					return nil, err
 				}
 				portInt, err := strconv.Atoi(port)
 				if err != nil {
 					return nil, err
 				}
 				udpAddr := net.UDPAddr{
 					IP:   net.ParseIP(ip.String()),
 					Port: portInt,
 				}
 				var conn net.PacketConn
 				if proxyAdapter == "" {
 					conn, err = dialer.ListenPacket(ctx, "udp", "")
 					if err != nil {
 						return nil, err
 					}
 				} else {
 					if wrapConn, err := dialContextExtra(ctx, proxyAdapter, "udp", ip, port); err == nil {
 						if pc, ok := wrapConn.(*wrapPacketConn); ok {
 							conn = pc
 						} else {
 							return nil, fmt.Errorf("conn isn't wrapPacketConn")
 						}
 					} else {
 						return nil, err
 					}
 				}
 				return quic.DialEarlyContext(ctx, conn, &udpAddr, host, tlsCfg, cfg)
 			},
 			TLSClientConfig: TLCConfig,
 		}
 	} else {
 		transport = &http.Transport{
 			ForceAttemptHTTP2: true,
 			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
 				host, port, err := net.SplitHostPort(addr)
@ -103,6 +153,12 @@ func newDoHClient(url string, r *Resolver, proxyAdapter string) *dohClient {
 					return dialContextExtra(ctx, proxyAdapter, "tcp", ip, port)
 				}
 			},
-		},
+			TLSClientConfig: TLCConfig,
 		}
 	}
 	return &dohClient{
 		url:       url,
 		transport: transport,
 	}
 }
--- a/dns/doq.go
+++ b/dns/doq.go
@ -7,26 +7,28 @@ import (
 	"fmt"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/resolver"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	"github.com/lucas-clemente/quic-go"
 	"net"
 	"strconv"
 	"sync"
 	"time"
 	"github.com/Dreamacro/clash/log"
 	"github.com/lucas-clemente/quic-go"
 	D "github.com/miekg/dns"
 )
-const NextProtoDQ = "doq-i00"
+const NextProtoDQ = "doq"
 var bytesPool = sync.Pool{New: func() interface{} { return &bytes.Buffer{} }}
 type quicClient struct {
 	addr         string
 	r            *Resolver
-	session      quic.Connection
+	connection   quic.Connection
 	proxyAdapter string
-	sync.RWMutex // protects session and bytesPool
+	udp          net.PacketConn
 	sync.RWMutex // protects connection and bytesPool
 }
 func newDOQ(r *Resolver, addr, proxyAdapter string) *quicClient {
@ -90,65 +92,68 @@ func isActive(s quic.Connection) bool {
 	}
 }
-// getSession - opens or returns an existing quic.Connection
+// getConnection - opens or returns an existing quic.Connection
-// useCached - if true and cached session exists, return it right away
+// useCached - if true and cached connection exists, return it right away
-// otherwise - forcibly creates a new session
+// otherwise - forcibly creates a new connection
-func (dc *quicClient) getSession() (quic.Connection, error) {
+func (dc *quicClient) getConnection(ctx context.Context) (quic.Connection, error) {
-	var session quic.Connection
+	var connection quic.Connection
 	dc.RLock()
-	session = dc.session
+	connection = dc.connection
-	if session != nil && isActive(session) {
+
 	if connection != nil && isActive(connection) {
 		dc.RUnlock()
-		return session, nil
+		return connection, nil
 	}
 	if session != nil {
 		// we're recreating the session, let's create a new one
 		_ = session.CloseWithError(0, "")
 	}
 	dc.RUnlock()
 	dc.Lock()
 	defer dc.Unlock()
-
+	connection = dc.connection
-	var err error
+	if connection != nil {
-	session, err = dc.openSession()
+		if isActive(connection) {
-	if err != nil {
+			return connection, nil
-		// This does not look too nice, but QUIC (or maybe quic-go)
+		} else {
-		// doesn't seem stable enough.
+			_ = connection.CloseWithError(quic.ApplicationErrorCode(0), "")
 		// Maybe retransmissions aren't fully implemented in quic-go?
 		// Anyways, the simple solution is to make a second try when
 		// it fails to open the QUIC session.
 		session, err = dc.openSession()
 		if err != nil {
 			return nil, err
 		}
 	}
-	dc.session = session
+
-	return session, nil
+	var err error
 	connection, err = dc.openConnection(ctx)
 	dc.connection = connection
 	return connection, err
 }
-func (dc *quicClient) openSession() (quic.Connection, error) {
+func (dc *quicClient) openConnection(ctx context.Context) (quic.Connection, error) {
-	tlsConfig := &tls.Config{
+	if dc.udp != nil {
-		InsecureSkipVerify: true,
+		_ = dc.udp.Close()
 		NextProtos: []string{
 			"http/1.1", "h2", NextProtoDQ,
 		},
 		SessionTicketsDisabled: false,
 	}
 	tlsConfig := tlsC.GetGlobalFingerprintTLCConfig(
 		&tls.Config{
 			InsecureSkipVerify: false,
 			NextProtos: []string{
 				NextProtoDQ,
 			},
 			SessionTicketsDisabled: false,
 		})
 	quicConfig := &quic.Config{
 		ConnectionIDLength:   12,
 		HandshakeIdleTimeout: time.Second * 8,
 		MaxIncomingStreams:   4,
-		MaxIdleTimeout:       time.Second * 45,
+		KeepAlivePeriod:      10 * time.Second,
 		MaxIdleTimeout:       time.Second * 120,
 	}
-	log.Debugln("opening session to %s", dc.addr)
+	log.Debugln("opening new connection to %s", dc.addr)
 	var (
 		udp net.PacketConn
 		err error
 	)
 	host, port, err := net.SplitHostPort(dc.addr)
 	if err != nil {
 		return nil, err
 	}
@ -162,34 +167,35 @@ func (dc *quicClient) openSession() (quic.Connection, error) {
 	udpAddr := net.UDPAddr{IP: ip.AsSlice(), Port: p}
 	if dc.proxyAdapter == "" {
-		udp, err = dialer.ListenPacket(context.Background(), "udp", "")
+		udp, err = dialer.ListenPacket(ctx, "udp", "")
 		if err != nil {
 			return nil, err
 		}
 	} else {
-		conn, err := dialContextExtra(context.Background(), dc.proxyAdapter, "udp", ip, port)
+		conn, err := dialContextExtra(ctx, dc.proxyAdapter, "udp", ip, port)
 		if err != nil {
 			return nil, err
 		}
 		wrapConn, ok := conn.(*wrapPacketConn)
 		if !ok {
-			return nil, fmt.Errorf("quio create packet failed")
+			return nil, fmt.Errorf("quic create packet failed")
 		}
 		udp = wrapConn
 	}
-	session, err := quic.Dial(udp, &udpAddr, host, tlsConfig, quicConfig)
+	session, err := quic.DialContext(ctx, udp, &udpAddr, host, tlsConfig, quicConfig)
 	if err != nil {
-		return nil, fmt.Errorf("failed to open QUIC session: %w", err)
+		return nil, fmt.Errorf("failed to open QUIC connection: %w", err)
 	}
 	dc.udp = udp
 	return session, nil
 }
 func (dc *quicClient) openStream(ctx context.Context) (quic.Stream, error) {
-	session, err := dc.getSession()
+	session, err := dc.getConnection(ctx)
 	if err != nil {
 		return nil, err
 	}
--- a/dns/resolver.go
+++ b/dns/resolver.go
@ -88,7 +88,7 @@ func (r *Resolver) ResolveAllIP(host string) (ips []netip.Addr, err error) {
 			return nil, resolver.ErrIPNotFound
 		}
 		ips = append(ips, ipv6s...)
-	case <-time.After(1 * time.Millisecond):
+	case <-time.After(30 * time.Millisecond):
 		// wait ipv6 result
 	}
@ -354,6 +354,7 @@ type NameServer struct {
 	Addr         string
 	Interface    *atomic.String
 	ProxyAdapter string
 	Params       map[string]string
 }
 type FallbackFilter struct {
--- a/dns/util.go
+++ b/dns/util.go
@ -59,7 +59,7 @@ func transform(servers []NameServer, resolver *Resolver) []dnsClient {
 	for _, s := range servers {
 		switch s.Net {
 		case "https":
-			ret = append(ret, newDoHClient(s.Addr, resolver, s.ProxyAdapter))
+			ret = append(ret, newDoHClient(s.Addr, resolver, s.Params, s.ProxyAdapter))
 			continue
 		case "dhcp":
 			ret = append(ret, newDHCPClient(s.Addr))
@ -74,8 +74,6 @@ func transform(servers []NameServer, resolver *Resolver) []dnsClient {
 			Client: &D.Client{
 				Net: s.Net,
 				TLSConfig: &tls.Config{
 					// alpn identifier, see https://tools.ietf.org/html/draft-hoffman-dprive-dns-tls-alpn-00#page-6
 					NextProtos: []string{"dns"},
 					ServerName: host,
 				},
 				UDPSize: 4096,
@ -143,18 +141,18 @@ func (wpc *wrapPacketConn) RemoteAddr() net.Addr {
 	return wpc.rAddr
 }
-func dialContextExtra(ctx context.Context, adapterName string, network string, dstIP netip.Addr, port string, opts ...dialer.Option) (net.Conn, error) {
+func (wpc *wrapPacketConn) LocalAddr() net.Addr {
-	adapter, ok := tunnel.Proxies()[adapterName]
+	if wpc.PacketConn.LocalAddr() == nil {
-	if !ok {
+		return &net.UDPAddr{IP: net.IPv4zero, Port: 0}
-		opts = append(opts, dialer.WithInterface(adapterName))
+	} else {
-		adapter, _ = tunnel.Proxies()[tunnel.Direct.String()]
+		return wpc.PacketConn.LocalAddr()
 	}
 }
 func dialContextExtra(ctx context.Context, adapterName string, network string, dstIP netip.Addr, port string, opts ...dialer.Option) (net.Conn, error) {
 	networkType := C.TCP
 	if network == "udp" {
-		if !adapter.SupportUDP() {
+
 			return nil, fmt.Errorf("proxy adapter [%s] UDP is not supported", adapterName)
 		}
 		networkType = C.UDP
 	}
@ -171,6 +169,29 @@ func dialContextExtra(ctx context.Context, adapterName string, network string, d
 		DstPort:  port,
 	}
 	adapter, ok := tunnel.Proxies()[adapterName]
 	if !ok {
 		opts = append(opts, dialer.WithInterface(adapterName))
 		if C.TCP == networkType {
 			return dialer.DialContext(ctx, network, dstIP.String()+":"+port, opts...)
 		} else {
 			packetConn, err := dialer.ListenPacket(ctx, network, dstIP.String()+":"+port, opts...)
 			if err != nil {
 				return nil, err
 			}
 			return &wrapPacketConn{
 				PacketConn: packetConn,
 				rAddr:      metadata.UDPAddr(),
 			}, nil
 		}
 	}
 	if networkType == C.UDP && !adapter.SupportUDP() {
 		return nil, fmt.Errorf("proxy adapter [%s] UDP is not supported", adapterName)
 	}
 	if networkType == C.UDP {
 		packetConn, err := adapter.ListenPacketContext(ctx, metadata, opts...)
 		if err != nil {
--- a/docs/config.yaml
+++ b/docs/config.yaml
@ -0,0 +1,540 @@
 # port: 7890 # HTTP(S) 代理服务器端口
 # socks-port: 7891 # SOCKS5 代理端口
 mixed-port: 10801 # HTTP(S) 和 SOCKS 代理混合端口
 # redir-port: 7892 # 透明代理端口，用于 Linux 和 MacOS
 # Transparent proxy server port for Linux (TProxy TCP and TProxy UDP)
 # tproxy-port: 7893
 allow-lan: true # 允许局域网连接
 bind-address: "*" # 绑定IP地址，仅作用于 allow-lan 为 true，'*'表示所有地址
 mode: rule
 log-level: debug # 日志等级 silent/error/warning/info/debug
 ipv6: true # 开启 IPv6 总开关，关闭阻断所有 IPv6 链接和屏蔽 DNS 请求 AAAA 记录
 external-controller: 0.0.0.0:9093 # RESTful API 监听地址
 # secret: "123456" # `Authorization: Bearer ${secret}`
 # tcp-concurrent: true # TCP并发连接所有IP, 将使用最快握手的TCP
 external-ui: /path/to/ui/folder # 配置WEB UI目录，使用http://{{external-controller}}/ui 访问
 # interface-name: en0 # 设置出口网卡
 # routing-mark: 6666 # 配置 fwmark 仅用于Linux
 experimental:
  # 具体配置待定
  # 证书指纹,SHA256格式,补充校验TLS证书
  # 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
  fingerprints:
    - "8F111FA9AD3CD8E917A118522CAC39EA33741B3BBE73F91CECE548D5CCB0E5E8" # 忽略大小写
 # 类似于 /etc/hosts, 仅支持配置单个 IP
 hosts:
 # '*.clash.dev': 127.0.0.1
 # '.dev': 127.0.0.1
 # 'alpha.clash.dev': '::1'
 # Tun 配置
 tun:
  enable: false
  stack: system # gvisor
  dns-hijack:
    - 198.18.0.2:53 # 需要劫持的 DNS
  # auto-detect-interface: true # 自动识别出口网卡
  # auto-route: true # 配置路由表
 #ebpf配置
 ebpf:
  auto-redir: # redirect 模式，仅支持 TCP
    - eth0
  redirect-to-tun: # UDP+TCP 使用该功能请勿启用 auto-route
    - eth0
 # 嗅探域名 可选配置
 sniffer:
  enable: false
  # 需要嗅探协议
  sniffing:
    - tls
    - http
  # 强制对此域名进行嗅探
  force-domain:
    - +.v2ex.com
  # 仅对白名单中的端口进行嗅探，默认为 443，80
  port-whitelist:
    - "80"
    - "443"
    # - 8000-9999
 profile:
  # 存储select选择记录
  store-selected: false
  # 持久化fake-ip
  store-fake-ip: true
 # DNS配置
 dns:
  enable: false # 关闭将使用系统 DNS
  listen: 0.0.0.0:53 # 开启 DNS 服务器监听
  # ipv6: false # false 将返回 AAAA 的空结果
  # 用于解析 nameserver，fallback 以及其他DNS服务器配置的，DNS 服务域名
  # 只能使用纯 IP 地址，可使用加密 DNS
  default-nameserver:
    - 114.114.114.114
    - 8.8.8.8
    - tls://1.12.12.12:853
    - tls://223.5.5.5:853
  enhanced-mode: fake-ip # or redir-host
  fake-ip-range: 198.18.0.1/16 # fake-ip 池设置
  # use-hosts: true # 查询 hosts
  # 配置不使用fake-ip的域名
  # fake-ip-filter:
  #   - '*.lan'
  #   - localhost.ptlogin2.qq.com
  # DNS主要域名配置
  # 支持 UDP，TCP，DoT，DoH，DoQ
  # 这部分为主要 DNS 配置，影响所有直连，确保使用对大陆解析精准的 DNS
  nameserver:
    - 114.114.114.114 # default value
    - 8.8.8.8 # default value
    - tls://223.5.5.5:853 # DNS over TLS
    - https://doh.pub/dns-query # DNS over HTTPS
    - https://dns.alidns.com/dns-query#h3=true # 强制HTTP/3
    - https://mozilla.cloudflare-dns.com/dns-query#DNS&h3=true # 指定策略组和使用 HTTP/3
    - dhcp://en0 # dns from dhcp
    - quic://dns.adguard.com:784 # DNS over QUIC
    # - '8.8.8.8#en0' # 兼容指定DNS出口网卡
  # 当配置 fallback 时，会查询 nameserver 中返回的 IP 是否为 CN，非必要配置
  # 当不是 CN，则使用 fallback 中的 DNS 查询结果
  # 确保配置 fallback 时能够正常查询
  # fallback:
  #   - tcp://1.1.1.1
  #   - 'tcp://1.1.1.1#ProxyGroupName' # 指定 DNS 过代理查询，ProxyGroupName 为策略组名或节点名，过代理配置优先于配置出口网卡，当找不到策略组或节点名则设置为出口网卡
  # 专用于节点域名解析的 DNS 服务器，非必要配置项
  # 配置服务器若查询失败将使用 nameserver，非并发查询
  # proxy-server-nameserver:
  # - https://dns.google/dns-query
  # - tls://one.one.one.one
  # 配置 fallback 使用条件
  # fallback-filter:
  #   geoip: true # 配置是否使用 geoip
  #   geoip-code: CN # 当 nameserver 域名的 IP 查询 geoip 库为 CN 时，不使用 fallback 中的 DNS 查询结果
  #   配置强制 fallback，优先于 IP 判断，具体分类自行查看 geosite 库
  #   geosite:
  #     - gfw
  #   配置不需要使用 fallback 的 IP CIDR
  #   ipcidr:
  #     - 240.0.0.0/4
  #   domain:
  #     - '+.google.com'
  #     - '+.facebook.com'
  #     - '+.youtube.com'
  # 配置查询域名使用的 DNS 服务器
  # nameserver-policy:
  #   'www.baidu.com': '114.114.114.114'
  #   '+.internal.crop.com': '10.0.0.1'
 proxies:
  # Shadowsocks
  # cipher支持:
  #   aes-128-gcm aes-192-gcm aes-256-gcm
  #   aes-128-cfb aes-192-cfb aes-256-cfb
  #   aes-128-ctr aes-192-ctr aes-256-ctr
  #   rc4-md5 chacha20-ietf xchacha20
  #   chacha20-ietf-poly1305 xchacha20-ietf-poly1305
  #   2022-blake3-aes-128-gcm 2022-blake3-aes-256-gcm 2022-blake3-chacha20-poly1305
  - name: "ss1"
    type: ss
    server: server
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "password"
    # udp: true
    # udp-over-tcp: false
    # ip-version: ipv4 # 设置节点使用 IP 版本，可选：dual，ipv4，ipv6，ipv4-prefer，ipv6-prefer。默认使用 dual
                       # ipv4：仅使用 IPv4  ipv6：仅使用 IPv6
                       # ipv4-prefer：优先使用 IPv4 对于 TCP 会进行双栈解析，并发链接但是优先使用 IPv4 链接,
                       # UDP 则为双栈解析，获取结果中的第一个 IPv4
                       # ipv6-prefer 同 ipv4-prefer
                       # 现有协议都支持此参数
  - name: "ss2"
    type: ss
    server: server
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "password"
    plugin: obfs
    plugin-opts:
      mode: tls # or http
      # host: bing.com
  - name: "ss3"
    type: ss
    server: server
    port: 443
    cipher: chacha20-ietf-poly1305
    password: "password"
    plugin: v2ray-plugin
    plugin-opts:
      mode: websocket # no QUIC now
      # tls: true # wss
      # fingerprint: xxxx
      # skip-cert-verify: true
      # host: bing.com
      # path: "/"
      # mux: true
      # headers:
      #   custom: value
  # vmess
  # cipher支持 auto/aes-128-gcm/chacha20-poly1305/none
  - name: "vmess"
    type: vmess
    server: server
    port: 443
    uuid: uuid
    alterId: 32
    cipher: auto
    # udp: true
    # tls: true
    # fingerprint: xxxx
    # skip-cert-verify: true
    # servername: example.com # priority over wss host
    # network: ws
    # ws-opts:
    #   path: /path
    #   headers:
    #     Host: v2ray.com
    #   max-early-data: 2048
    #   early-data-header-name: Sec-WebSocket-Protocol
  - name: "vmess-h2"
    type: vmess
    server: server
    port: 443
    uuid: uuid
    alterId: 32
    cipher: auto
    network: h2
    tls: true
    # fingerprint: xxxx
    h2-opts:
      host:
        - http.example.com
        - http-alt.example.com
      path: /
  - name: "vmess-http"
    type: vmess
    server: server
    port: 443
    uuid: uuid
    alterId: 32
    cipher: auto
    # udp: true
    # network: http
    # http-opts:
    #   # method: "GET"
    #   # path:
    #   #   - '/'
    #   #   - '/video'
    #   # headers:
    #   #   Connection:
    #   #     - keep-alive
    # ip-version: ipv4 # 设置使用 IP 类型偏好，可选：ipv4，ipv6，dual，默认值：dual
  - name: vmess-grpc
    server: server
    port: 443
    type: vmess
    uuid: uuid
    alterId: 32
    cipher: auto
    network: grpc
    tls: true
    # fingerprint: xxxx
    servername: example.com
    # skip-cert-verify: true
    grpc-opts:
      grpc-service-name: "example"
    # ip-version: ipv4
  # socks5
  - name: "socks"
    type: socks5
    server: server
    port: 443
    # username: username
    # password: password
    # tls: true
    # fingerprint: xxxx
    # skip-cert-verify: true
    # udp: true
    # ip-version: ipv6
  # http
  - name: "http"
    type: http
    server: server
    port: 443
    # username: username
    # password: password
    # tls: true # https
    # skip-cert-verify: true
    # sni: custom.com
    # fingerprint: xxxx # 同 experimental.fingerprints 使用 sha256 指纹，配置协议独立的指纹，将忽略 experimental.fingerprints
    # ip-version: dual
  # Snell
  # Beware that there's currently no UDP support yet
  - name: "snell"
    type: snell
    server: server
    port: 44046
    psk: yourpsk
    # version: 2
    # obfs-opts:
    # mode: http # or tls
    # host: bing.com
  # Trojan
  - name: "trojan"
    type: trojan
    server: server
    port: 443
    password: yourpsk
    # fingerprint: xxxx
    # udp: true
    # sni: example.com # aka server name
    # alpn:
    #   - h2
    #   - http/1.1
    # skip-cert-verify: true
  - name: trojan-grpc
    server: server
    port: 443
    type: trojan
    password: "example"
    network: grpc
    sni: example.com
    # skip-cert-verify: true
    # fingerprint: xxxx
    udp: true
    grpc-opts:
      grpc-service-name: "example"
  - name: trojan-ws
    server: server
    port: 443
    type: trojan
    password: "example"
    network: ws
    sni: example.com
    # skip-cert-verify: true
    # fingerprint: xxxx
    udp: true
    # ws-opts:
    # path: /path
    # headers:
    #   Host: example.com
  - name: "trojan-xtls"
    type: trojan
    server: server
    port: 443
    password: yourpsk
    flow: "xtls-rprx-direct" # xtls-rprx-origin xtls-rprx-direct
    flow-show: true
    # udp: true
    # sni: example.com # aka server name
    # skip-cert-verify: true
    # fingerprint: xxxx
  # vless
  - name: "vless-tcp"
    type: vless
    server: server
    port: 443
    uuid: uuid
    network: tcp
    servername: example.com # AKA SNI
    # flow: xtls-rprx-direct # xtls-rprx-origin  # enable XTLS
    # skip-cert-verify: true
    # fingerprint: xxxx
  - name: "vless-ws"
    type: vless
    server: server
    port: 443
    uuid: uuid
    udp: true
    tls: true
    network: ws
    servername: example.com # priority over wss host
    # skip-cert-verify: true
    # fingerprint: xxxx
    ws-opts:
      path: "/"
      headers:
        Host: example.com
  - name: "hysteria"
    type: hysteria
    server: server.com
    port: 443
    auth_str: yourpassword
    # obfs: obfs_str
    # alpn: h3
    protocol: udp # 支持 udp/wechat-video/faketcp
    up: "30 Mbps" # 若不写单位，默认为 Mbps
    down: "200 Mbps" # 若不写单位，默认为 Mbps
    #sni: server.com
    #skip-cert-verify: false
    #recv_window_conn: 12582912
    #recv_window: 52428800
    #ca: "./my.ca"
    #ca_str: "xyz"
    #disable_mtu_discovery: false
    # fingerprint: xxxx
  # ShadowsocksR
  # The supported ciphers (encryption methods): all stream ciphers in ss
  # The supported obfses:
  #   plain http_simple http_post
  #   random_head tls1.2_ticket_auth tls1.2_ticket_fastauth
  # The supported supported protocols:
  #   origin auth_sha1_v4 auth_aes128_md5
  #   auth_aes128_sha1 auth_chain_a auth_chain_b
  - name: "ssr"
    type: ssr
    server: server
    port: 443
    cipher: chacha20-ietf
    password: "password"
    obfs: tls1.2_ticket_auth
    protocol: auth_sha1_v4
    # obfs-param: domain.tld
    # protocol-param: "#"
    # udp: true
 proxy-groups:
  # 代理链，若落地协议支持 UDP over TCP 则可支持 UDP
  # Traffic: clash <-> http <-> vmess <-> ss1 <-> ss2 <-> Internet
  - name: "relay"
    type: relay
    proxies:
      - http
      - vmess
      - ss1
      - ss2
  # url-test 将按照 url 测试结果使用延迟最低节点
  - name: "auto"
    type: url-test
    proxies:
      - ss1
      - ss2
      - vmess1
    # tolerance: 150
    # lazy: true
    url: "http://www.gstatic.com/generate_204"
    interval: 300
  # fallback 将按照 url 测试结果按照节点顺序选择
  - name: "fallback-auto"
    type: fallback
    proxies:
      - ss1
      - ss2
      - vmess1
    url: "http://www.gstatic.com/generate_204"
    interval: 300
  # load-balance 将按照算法随机选择节点
  - name: "load-balance"
    type: load-balance
    proxies:
      - ss1
      - ss2
      - vmess1
    url: "http://www.gstatic.com/generate_204"
    interval: 300
    # strategy: consistent-hashing # 可选 round-robin 和 sticky-sessions
  # select 用户自行选择节点
  - name: Proxy
    type: select
    # disable-udp: true
    proxies:
      - ss1
      - ss2
      - vmess1
      - auto
  # 配置指定 interface-name 和 fwmark 的 DIRECT
  - name: en1
    type: select
    interface-name: en1
    routing-mark: 6667
    proxies:
      - DIRECT
  - name: UseProvider
    type: select
    filter: "HK|TW" # 正则表达式，过滤 provider1 中节点名包含 HK 或 TW
    use:
      - provider1
    proxies:
      - Proxy
      - DIRECT
 # Clash 格式的节点或支持 *ray 的分享格式
 proxy-providers:
  provider1:
    type: http
    url: "url"
    interval: 3600
    path: ./provider1.yaml
    health-check:
      enable: true
      interval: 600
      # lazy: true
      url: http://www.gstatic.com/generate_204
  test:
    type: file
    path: /test.yaml
    health-check:
      enable: true
      interval: 36000
      url: http://www.gstatic.com/generate_204
 rule-providers:
  rule1:
    behavior: classical # domain ipcidr
    interval: 259200
    path: /path/to/save/file.yaml
    type: http
    url: "url"
  rule2:
    behavior: classical
    interval: 259200
    path: /path/to/save/file.yaml
    type: file
 rules:
  - RULE-SET,rule1,REJECT
  - DOMAIN-SUFFIX,baidu.com,DIRECT
  - DOMAIN-KEYWORD,google,ss1
  - IP-CIDR,1.1.1.1/32,ss1
  - IP-CIDR6,2409::/64,DIRECT
--- a/go.mod
+++ b/go.mod
@ -1,48 +1,63 @@
 module github.com/Dreamacro/clash
-go 1.18
+go 1.19
 require (
 	github.com/cilium/ebpf v0.9.1
 	github.com/coreos/go-iptables v0.6.0
 	github.com/database64128/tfo-go v1.1.0
 	github.com/dlclark/regexp2 v1.4.0
 	github.com/go-chi/chi/v5 v5.0.7
 	github.com/go-chi/cors v1.2.1
 	github.com/go-chi/render v1.0.1
 	github.com/gofrs/uuid v4.2.0+incompatible
 	github.com/google/gopacket v1.1.19
 	github.com/gorilla/websocket v1.5.0
 	github.com/hashicorp/golang-lru v0.5.4
 	github.com/insomniacslk/dhcp v0.0.0-20220504074936-1ca156eafb9f
-	github.com/lucas-clemente/quic-go v0.27.0
+	github.com/lucas-clemente/quic-go v0.27.2
 	github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40
 	github.com/miekg/dns v1.1.49
 	github.com/oschwald/geoip2-golang v1.7.0
 	github.com/sagernet/sing v0.0.0-20220627234642-a817f7084d9c
 	github.com/sagernet/sing-shadowsocks v0.0.0-20220627234717-689e0165ef2c
 	github.com/sagernet/sing-vmess v0.0.0-20220616051646-3d3fc5d01eec
 	github.com/sirupsen/logrus v1.8.1
-	github.com/stretchr/testify v1.7.1
+	github.com/stretchr/testify v1.7.2
-	github.com/vishvananda/netlink v1.2.0-beta.0.20220404152918-5e915e014938
+	github.com/vishvananda/netlink v1.2.1-beta.2
 	github.com/xtls/go v0.0.0-20210920065950-d4af136d3672
 	go.etcd.io/bbolt v1.3.6
 	go.uber.org/atomic v1.9.0
 	go.uber.org/automaxprocs v1.5.1
 	golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e
-	golang.org/x/exp v0.0.0-20220518171630-0b5c67f07fdf
+	golang.org/x/exp v0.0.0-20220608143224-64259d1afd70
-	golang.org/x/net v0.0.0-20220526153639-5463443f8c37
+	golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e
-	golang.org/x/sync v0.0.0-20220513210516-0976fa681c29
+	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
-	golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a
+	golang.org/x/sys v0.0.0-20220712014510-0a85c31ab51e
 	golang.org/x/time v0.0.0-20220411224347-583f2d630306
-	golang.zx2c4.com/wireguard v0.0.0-20220407013110-ef5c587f782d
+	golang.zx2c4.com/wireguard v0.0.0-20220601130007-6a08d81f6bc4
 	golang.zx2c4.com/wireguard/windows v0.5.4-0.20220328111914-004c22c5647e
 	google.golang.org/protobuf v1.28.0
-	gopkg.in/yaml.v2 v2.4.0
+	gopkg.in/yaml.v3 v3.0.1
-	gvisor.dev/gvisor v0.0.0-20220527053002-8ab279227ac8
+	gvisor.dev/gvisor v0.0.0-20220810234332-45096a971e66
 )
 replace github.com/vishvananda/netlink => github.com/MetaCubeX/netlink v1.2.0-beta.0.20220529072258-d6853f887820
 replace github.com/lucas-clemente/quic-go => github.com/tobyxdd/quic-go v0.28.1-0.20220706211558-7780039ad599
 require (
 	github.com/cheekybits/genny v1.0.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
 	github.com/google/btree v1.0.1 // indirect
-	github.com/kr/pretty v0.2.1 // indirect
+	github.com/klauspost/cpuid/v2 v2.0.12 // indirect
 	github.com/marten-seemann/qpack v0.2.1 // indirect
 	github.com/marten-seemann/qtls-go1-16 v0.1.5 // indirect
-	github.com/marten-seemann/qtls-go1-17 v0.1.1 // indirect
+	github.com/marten-seemann/qtls-go1-17 v0.1.2 // indirect
-	github.com/marten-seemann/qtls-go1-18 v0.1.1 // indirect
+	github.com/marten-seemann/qtls-go1-18 v0.1.2 // indirect
 	github.com/marten-seemann/qtls-go1-19 v0.1.0-beta.1 // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/onsi/ginkgo v1.16.5 // indirect
 	github.com/oschwald/maxminddb-golang v1.9.0 // indirect
@ -52,10 +67,9 @@ require (
 	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
 	golang.org/x/text v0.3.8-0.20220124021120-d1c84af989ab // indirect
 	golang.org/x/tools v0.1.10 // indirect
-	golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f // indirect
+	golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df // indirect
 	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
 	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
+	lukechampine.com/blake3 v1.1.7 // indirect
 )
 replace github.com/vishvananda/netlink v1.2.0-beta.0.20220404152918-5e915e014938 => github.com/MetaCubeX/netlink v1.2.0-beta.0.20220529072258-d6853f887820
--- a/go.sum
+++ b/go.sum
@ -16,8 +16,14 @@ github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBT
 github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
 github.com/cheekybits/genny v1.0.0 h1:uGGa4nei+j20rOSeDeP5Of12XVm7TGUd4dJA9RDitfE=
 github.com/cheekybits/genny v1.0.0/go.mod h1:+tQajlRqAUrPI7DOSpB0XAqZYtQakVtB7wXkRAgjxjQ=
 github.com/cilium/ebpf v0.9.1 h1:64sn2K3UKw8NbP/blsixRpF3nXuyhz/VjRlRzvlBRu4=
 github.com/cilium/ebpf v0.9.1/go.mod h1:+OhNOIXx/Fnu1IE8bJz2dzOA+VSfyTfdNUVdlQnxUFY=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/coreos/go-iptables v0.6.0 h1:is9qnZMPYjLd8LYqmm/qlE+wwEgJIkTYdhV3rfZo4jk=
 github.com/coreos/go-iptables v0.6.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/coreos/go-systemd v0.0.0-20181012123002-c6f51f82210d/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/database64128/tfo-go v1.1.0 h1:VO0polyGNSAmr99nYw9GQeMz7ZOcQ/QbjlTwniHwfTQ=
 github.com/database64128/tfo-go v1.1.0/go.mod h1:95pOT8bnV3P2Lmu9upHNWFHz6dYGJ9cr7pnb0tGQAG8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@ -27,6 +33,7 @@ github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25Kn
 github.com/fanliao/go-promise v0.0.0-20141029170127-1890db352a72/go.mod h1:PjfxuH4FZdUyfMdtBio2lsRr1AKEaVPwelzuHuh8Lqc=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/francoispqt/gojay v1.2.13/go.mod h1:ehT5mTG4ua4581f1++1WLG0vPdaA9HaiDsoyrBGkyDY=
 github.com/frankban/quicktest v1.14.0 h1:+cqqvzZV87b4adx/5ayVOaYZ2CrvM4ejQvUdBzPPUss=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI=
@ -75,6 +82,8 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
 github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/googleapis/gax-go v2.0.0+incompatible/go.mod h1:SFVmujtThgffbyetf+mdk2eWhX2bMyUtNHzFKcPA9HY=
@ -84,6 +93,8 @@ github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWm
 github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
 github.com/grpc-ecosystem/grpc-gateway v1.5.0/go.mod h1:RSKVYQBd5MCa4OVpNdGskqpgL2+G+NZTnrVHpWWfpdw=
 github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
 github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714/go.mod h1:2Goc3h8EklBH5mspfHFxBnEoURQCGzQQH1ga9Myjvis=
 github.com/insomniacslk/dhcp v0.0.0-20220504074936-1ca156eafb9f h1:l1QCwn715k8nYkj4Ql50rzEog3WnMdrd4YYMMwemxEo=
@ -97,24 +108,29 @@ github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCV
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.0.12 h1:p9dKCg8i4gmOxtv35DvrYoWqYzQrvEVdjQ762Y0OqZE=
 github.com/klauspost/cpuid/v2 v2.0.12/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
+github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.3/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/lucas-clemente/quic-go v0.27.0 h1:v6WY87q9zD4dKASbG8hy/LpzAVNzEQzw8sEIeloJsc4=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
-github.com/lucas-clemente/quic-go v0.27.0/go.mod h1:AzgQoPda7N+3IqMMMkywBKggIFo2KT6pfnlrQ2QieeI=
+github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 h1:EnfXoSqDfSNJv0VBNqY/88RNnhSGYkrHaO0mmFGbVsc=
 github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40/go.mod h1:vy1vK6wD6j7xX6O6hXe621WabdtNkou2h7uRtTfRMyg=
 github.com/lunixbochs/vtclean v1.0.0/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI=
 github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/marten-seemann/qpack v0.2.1 h1:jvTsT/HpCn2UZJdP+UUB53FfUUgeOyG5K1ns0OJOGVs=
 github.com/marten-seemann/qpack v0.2.1/go.mod h1:F7Gl5L1jIgN1D11ucXefiuJS9UMVP2opoCp2jDKb7wc=
 github.com/marten-seemann/qtls-go1-16 v0.1.5 h1:o9JrYPPco/Nukd/HpOHMHZoBDXQqoNtUCmny98/1uqQ=
 github.com/marten-seemann/qtls-go1-16 v0.1.5/go.mod h1:gNpI2Ol+lRS3WwSOtIUUtRwZEQMXjYK+dQSBFbethAk=
-github.com/marten-seemann/qtls-go1-17 v0.1.1 h1:DQjHPq+aOzUeh9/lixAGunn6rIOQyWChPSI4+hgW7jc=
+github.com/marten-seemann/qtls-go1-17 v0.1.2 h1:JADBlm0LYiVbuSySCHeY863dNkcpMmDR7s0bLKJeYlQ=
-github.com/marten-seemann/qtls-go1-17 v0.1.1/go.mod h1:C2ekUKcDdz9SDWxec1N/MvcXBpaX9l3Nx67XaR84L5s=
+github.com/marten-seemann/qtls-go1-17 v0.1.2/go.mod h1:C2ekUKcDdz9SDWxec1N/MvcXBpaX9l3Nx67XaR84L5s=
-github.com/marten-seemann/qtls-go1-18 v0.1.1 h1:qp7p7XXUFL7fpBvSS1sWD+uSqPvzNQK43DH+/qEkj0Y=
+github.com/marten-seemann/qtls-go1-18 v0.1.2 h1:JH6jmzbduz0ITVQ7ShevK10Av5+jBEKAHMntXmIV7kM=
-github.com/marten-seemann/qtls-go1-18 v0.1.1/go.mod h1:mJttiymBAByA49mhlNZZGrH5u1uXYZJ+RW28Py7f4m4=
+github.com/marten-seemann/qtls-go1-18 v0.1.2/go.mod h1:mJttiymBAByA49mhlNZZGrH5u1uXYZJ+RW28Py7f4m4=
 github.com/marten-seemann/qtls-go1-19 v0.1.0-beta.1 h1:7m/WlWcSROrcK5NxuXaxYD32BZqe/LEEnBrWcH/cOqQ=
 github.com/marten-seemann/qtls-go1-19 v0.1.0-beta.1/go.mod h1:5HTDWtVudo/WFsHKRNuOhWlbdjrfs5JHrYb0wIJqGpI=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/mdlayher/ethernet v0.0.0-20190606142754-0394541c37b7/go.mod h1:U6ZQobyTjI/tJyq2HG+i/dfSoFUt8/aZCM+GKtmFk/Y=
 github.com/mdlayher/netlink v0.0.0-20190409211403-11939a169225/go.mod h1:eQB3mZE4aiYnlUsyGGCOpPETfdQq4Jhsgf1fk3cwQaA=
@ -157,7 +173,14 @@ github.com/prometheus/client_golang v0.8.0/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/procfs v0.0.0-20180725123919-05ee40e3a273/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/rogpeppe/go-internal v1.6.1 h1:/FiVV8dS/e+YqF2JvO3yXRFbBLTIuSDkuC7aBOAvL+k=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
 github.com/sagernet/sing v0.0.0-20220627234642-a817f7084d9c h1:98QC0wtaD648MFPw82KaT1O9LloQgR4ZyIDtNtsno8Y=
 github.com/sagernet/sing v0.0.0-20220627234642-a817f7084d9c/go.mod h1:I67R/q5f67xDExL2kL3RLIP7kGJBOPkYXkpRAykgC+E=
 github.com/sagernet/sing-shadowsocks v0.0.0-20220627234717-689e0165ef2c h1:Jhgjyb2jXL4GtwJec6/kgeTqaQXsvMiNX2wAkGOSD3I=
 github.com/sagernet/sing-shadowsocks v0.0.0-20220627234717-689e0165ef2c/go.mod h1:ng5pxdNnKZWlxzZTXRqWeY0ftzhScPZmjgJGJeRuPYY=
 github.com/sagernet/sing-vmess v0.0.0-20220616051646-3d3fc5d01eec h1:jUSfKmyL6K9O2TvIvcVacZ4eNXHYbNSfdph+DRPyVlU=
 github.com/sagernet/sing-vmess v0.0.0-20220616051646-3d3fc5d01eec/go.mod h1:jDZ8fJgOea7Y7MMHWgfqwLBVLnhtW2zuxS5wjtDaB84=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/shurcooL/component v0.0.0-20170202220835-f88ec8f54cc4/go.mod h1:XhFIlyj5a1fBNx5aJTbKoIq0mNaPvOagO+HjB3EtxrY=
 github.com/shurcooL/events v0.0.0-20181021180414-410e4ca65f48/go.mod h1:5u70Mqkb5O5cxEA8nxTsgrgLehJeAw6Oc4Ab1c/P1HM=
@ -192,9 +215,11 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMTY=
+github.com/stretchr/testify v1.7.2 h1:4jaiDzPyXQvSd7D0EjG45355tLlV3VOECpq10pLC+8s=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
 github.com/tarm/serial v0.0.0-20180830185346-98f6abe2eb07/go.mod h1:kDXzergiv9cbyO7IOYJZWg1U88JhDg3PB6klq9Hg2pA=
 github.com/tobyxdd/quic-go v0.28.1-0.20220706211558-7780039ad599 h1:We+z04jRpTGxFggeGWf+GbinhlIk1I1kMMEgujhUfiA=
 github.com/tobyxdd/quic-go v0.28.1-0.20220706211558-7780039ad599/go.mod h1:oGz5DKK41cJt5+773+BSO9BXDsREY4HLf7+0odGAPO0=
 github.com/u-root/uio v0.0.0-20210528114334-82958018845c/go.mod h1:LpEX5FO/cB+WF4TYGY1V5qktpaZLkKkSegbr0V4eYXA=
 github.com/u-root/uio v0.0.0-20220204230159-dac05f7d2cb4 h1:hl6sK6aFgTLISijk6xIzeqnPzQcsLqqvL6vEfTPinME=
 github.com/u-root/uio v0.0.0-20220204230159-dac05f7d2cb4/go.mod h1:LpEX5FO/cB+WF4TYGY1V5qktpaZLkKkSegbr0V4eYXA=
@ -225,11 +250,13 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e h1:T8NU3HyQ8ClP4SEE+KbFlg6n0NhuTsN4MyznaarGsZM=
 golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20220518171630-0b5c67f07fdf h1:oXVg4h2qJDd9htKxb5SCpFBHLipW6hXmL3qpUixS2jw=
+golang.org/x/exp v0.0.0-20220608143224-64259d1afd70 h1:8uGxpY2cLF9H/NSHUiEWUIBZqIcsMzMWIMPCCUkyYgc=
-golang.org/x/exp v0.0.0-20220518171630-0b5c67f07fdf/go.mod h1:yh0Ynu2b5ZUe3MQfp2nM0ecK7wsgouWTDN0FNeJuIys=
+golang.org/x/exp v0.0.0-20220608143224-64259d1afd70/go.mod h1:yh0Ynu2b5ZUe3MQfp2nM0ecK7wsgouWTDN0FNeJuIys=
 golang.org/x/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 h1:kQgndtyPBW/JIYERgdxfwMYh3AVStj88WQTlNDi2a+o=
@ -258,8 +285,8 @@ golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
 golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20220526153639-5463443f8c37 h1:lUkvobShwKsOesNfWWlCS5q7fnbG1MEliIzwu886fn8=
+golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e h1:TsQ7F31D3bUCLeqPT0u+yjp1guoArKaNKmCr22PYgTQ=
-golang.org/x/net v0.0.0-20220526153639-5463443f8c37/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@ -272,8 +299,8 @@ golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220513210516-0976fa681c29 h1:w8s32wxx3sY+OjLlv9qltkLU5yvJzxjjgiHWLjdIcw4=
+golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f h1:Ax0t5p6N38Ga0dThY21weqDEyz2oklo4IvDkpigvkD8=
-golang.org/x/sync v0.0.0-20220513210516-0976fa681c29/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181029174526-d69651ed3497/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -309,14 +336,17 @@ golang.org/x/sys v0.0.0-20210525143221-35b2ab0089ea/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a h1:dGzPydgVsqGcTRVwiLJ1jVbufYwmzD3LfVPLKsKg+0k=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220712014510-0a85c31ab51e h1:NHvCuwuS43lGnYhten69ZWqi2QOj/CiDNcKbVqwVoew=
 golang.org/x/sys v0.0.0-20220712014510-0a85c31ab51e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.8-0.20220124021120-d1c84af989ab h1:eHo2TTVBaAPw9lDGK2Gb9GyPMXT6g7O63W6sx3ylbzU=
 golang.org/x/text v0.3.8-0.20220124021120-d1c84af989ab/go.mod h1:EFNZuWvGYxIRUEX+K8UmCFwYmZjqcrnq15ZuVldZkZ0=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@ -331,6 +361,7 @@ golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
@ -340,12 +371,12 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f h1:GGU+dLjvlC3qDwqYgL6UgRmHXhOOgns0bZu2Ty5mm6U=
+golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df h1:5Pf6pFKu98ODmgnpvkJ3kFUOQGGLIzLIkbzUHp47618=
-golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 h1:Ug9qvr1myri/zFN6xL17LSCBGFDnphBBhzmILHsM5TY=
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
-golang.zx2c4.com/wireguard v0.0.0-20220407013110-ef5c587f782d h1:q4JksJ2n0fmbXC0Aj0eOs6E0AcPqnKglxWXWFqGD6x0=
+golang.zx2c4.com/wireguard v0.0.0-20220601130007-6a08d81f6bc4 h1:QlbNZ9SwDAepRQwgeWHLi3rfEMo/kVEU4SmgsNM7HmQ=
-golang.zx2c4.com/wireguard v0.0.0-20220407013110-ef5c587f782d/go.mod h1:bVQfyl2sCM/QIIGHpWbFGfHPuDvqnCNkT6MQLTCjO/U=
+golang.zx2c4.com/wireguard v0.0.0-20220601130007-6a08d81f6bc4/go.mod h1:bVQfyl2sCM/QIIGHpWbFGfHPuDvqnCNkT6MQLTCjO/U=
 golang.zx2c4.com/wireguard/windows v0.5.4-0.20220328111914-004c22c5647e h1:yV04h6Tx19uDR6LvuEbR19cDU+3QrB9LuGjtF7F5G0w=
 golang.zx2c4.com/wireguard/windows v0.5.4-0.20220328111914-004c22c5647e/go.mod h1:1CeiatTZwcwSFA3cAtMm8CQoroviTldnxd7DOgM/vI4=
 google.golang.org/api v0.0.0-20180910000450-7ca32eb868bf/go.mod h1:4mhQ8q/RsB7i+udVvVy5NUi08OU8ZlA0gRVgrF7VFY0=
@ -375,8 +406,9 @@ google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ
 google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
@ -391,10 +423,12 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 grpc.go4.org v0.0.0-20170609214715-11d0a25b4919/go.mod h1:77eQGdRu53HpSqPFJFmuJdjuHRquDANNeA4x7B8WQ9o=
-gvisor.dev/gvisor v0.0.0-20220527053002-8ab279227ac8 h1:K6RgHqNR+9t3sKVsfRFsvXryRL5kL6wtBPU5aPt1jLY=
+gvisor.dev/gvisor v0.0.0-20220810234332-45096a971e66 h1:GrHxpIMY0lHZ3Q8rp3m4iOb0pJsnCQ/5AHaN9SXE69E=
-gvisor.dev/gvisor v0.0.0-20220527053002-8ab279227ac8/go.mod h1:TIvkJD0sxe8pIob3p6T8IzxXunlp6yfgktvTNp+DGNM=
+gvisor.dev/gvisor v0.0.0-20220810234332-45096a971e66/go.mod h1:TIvkJD0sxe8pIob3p6T8IzxXunlp6yfgktvTNp+DGNM=
 honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 lukechampine.com/blake3 v1.1.7 h1:GgRMhmdsuK8+ii6UZFDL8Nb+VyMwadAgcJyfYHxG6n0=
 lukechampine.com/blake3 v1.1.7/go.mod h1:tkKEOtDkNtklkXtLNEOGNq5tcV90tJiA1vAA12R78LA=
 sourcegraph.com/sourcegraph/go-diff v0.5.0/go.mod h1:kuch7UrkMzY0X+p9CRK03kfuPQ2zzQcaEFbx8wA8rck=
 sourcegraph.com/sqs/pbtypes v0.0.0-20180604144634-d3ebe8f20ae4/go.mod h1:ketZ/q3QxT9HOBeFhu6RdvsftgpsbFHBF5Cas6cDKZ0=
--- a/hub/executor/executor.go
+++ b/hub/executor/executor.go
@ -2,7 +2,7 @@ package executor
 import (
 	"fmt"
-	"github.com/Dreamacro/clash/component/process"
+	"github.com/Dreamacro/clash/component/tls"
 	"github.com/Dreamacro/clash/listener/inner"
 	"net/netip"
 	"os"
@ -73,7 +73,7 @@ func ParseWithBytes(buf []byte) (*config.Config, error) {
 func ApplyConfig(cfg *config.Config, force bool) {
 	mux.Lock()
 	defer mux.Unlock()
-
+	preUpdateExperimental(cfg)
 	updateUsers(cfg.Users)
 	updateProxies(cfg.Proxies, cfg.Providers)
 	updateRules(cfg.Rules, cfg.RuleProviders)
@ -127,7 +127,17 @@ func GetGeneral() *config.General {
 	return general
 }
-func updateExperimental(c *config.Config) {}
+func updateExperimental(c *config.Config) {
 	runtime.GC()
 }
 func preUpdateExperimental(c *config.Config) {
 	for _, fingerprint := range c.Experimental.Fingerprints {
 		if err := tls.AddCertFingerprint(fingerprint); err != nil {
 			log.Warnln("fingerprint[%s] is err, %s", fingerprint, err.Error())
 		}
 	}
 }
 func updateDNS(c *config.DNS, generalIPv6 bool) {
 	if !c.Enable {
@ -250,6 +260,7 @@ func loadProxyProvider(proxyProviders map[string]provider.ProxyProvider) {
 func updateTun(tun *config.Tun) {
 	P.ReCreateTun(tun, tunnel.TCPIn(), tunnel.UDPIn())
 	P.ReCreateRedirToTun(tun.RedirectToTun)
 }
 func updateSniffer(sniffer *config.Sniffer) {
@ -273,9 +284,8 @@ func updateSniffer(sniffer *config.Sniffer) {
 }
 func updateGeneral(general *config.General, force bool) {
 	log.SetLevel(general.LogLevel)
 	process.EnableFindProcess(general.EnableProcess)
 	tunnel.SetMode(general.Mode)
 	tunnel.SetAlwaysFindProcess(general.EnableProcess)
 	dialer.DisableIPv6 = !general.IPv6
 	if !dialer.DisableIPv6 {
 		log.Infoln("Use IPv6")
@ -315,12 +325,15 @@ func updateGeneral(general *config.General, force bool) {
 	bindAddress := general.BindAddress
 	P.SetBindAddress(bindAddress)
 	P.SetInboundTfo(general.InboundTfo)
 	tcpIn := tunnel.TCPIn()
 	udpIn := tunnel.UDPIn()
 	P.ReCreateHTTP(general.Port, tcpIn)
 	P.ReCreateSocks(general.SocksPort, tcpIn, udpIn)
 	P.ReCreateRedir(general.RedirPort, tcpIn, udpIn)
 	P.ReCreateAutoRedir(general.EBpf.AutoRedir, tcpIn, udpIn)
 	P.ReCreateTProxy(general.TProxyPort, tcpIn, udpIn)
 	P.ReCreateMixed(general.MixedPort, tcpIn, udpIn)
 }
--- a/hub/route/configs.go
+++ b/hub/route/configs.go
@ -46,6 +46,7 @@ type configSchema struct {
 	IPv6          *bool              `json:"ipv6"`
 	Sniffing      *bool              `json:"sniffing"`
 	TcpConcurrent *bool              `json:"tcp-concurrent"`
 	InterfaceName *string            `json:"interface-name"`
 }
 func getConfigs(w http.ResponseWriter, r *http.Request) {
@ -85,6 +86,10 @@ func patchConfigs(w http.ResponseWriter, r *http.Request) {
 		dialer.SetDial(*general.TcpConcurrent)
 	}
 	if general.InterfaceName != nil {
 		dialer.DefaultInterface.Store(*general.InterfaceName)
 	}
 	ports := P.GetPorts()
 	tcpIn := tunnel.TCPIn()
--- a/hub/route/groups.go
+++ b/hub/route/groups.go
@ -64,7 +64,7 @@ func getGroupDelay(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), time.Millisecond*time.Duration(timeout))
+	ctx, cancel := context.WithTimeout(r.Context(), time.Millisecond*time.Duration(timeout))
 	defer cancel()
 	dm, err := group.URLTest(ctx, url)
--- a/hub/route/provider.go
+++ b/hub/route/provider.go
@ -98,8 +98,8 @@ func updateRuleProvider(w http.ResponseWriter, r *http.Request) {
 	if err := provider.Update(); err != nil {
 		render.Status(r, http.StatusServiceUnavailable)
 		render.JSON(w, r, newError(err.Error()))
 		return
 	}
 	render.NoContent(w, r)
 }
--- a/listener/autoredir/tcp.go
+++ b/listener/autoredir/tcp.go
@ -0,0 +1,86 @@
 package autoredir
 import (
 	"net"
 	"net/netip"
 	"github.com/Dreamacro/clash/adapter/inbound"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
 	"github.com/Dreamacro/clash/transport/socks5"
 )
 type Listener struct {
 	listener   net.Listener
 	addr       string
 	closed     bool
 	lookupFunc func(netip.AddrPort) (socks5.Addr, error)
 }
 // RawAddress implements C.Listener
 func (l *Listener) RawAddress() string {
 	return l.addr
 }
 // Address implements C.Listener
 func (l *Listener) Address() string {
 	return l.listener.Addr().String()
 }
 // Close implements C.Listener
 func (l *Listener) Close() error {
 	l.closed = true
 	return l.listener.Close()
 }
 func (l *Listener) TCPAddr() netip.AddrPort {
 	return l.listener.Addr().(*net.TCPAddr).AddrPort()
 }
 func (l *Listener) SetLookupFunc(lookupFunc func(netip.AddrPort) (socks5.Addr, error)) {
 	l.lookupFunc = lookupFunc
 }
 func (l *Listener) handleRedir(conn net.Conn, in chan<- C.ConnContext) {
 	if l.lookupFunc == nil {
 		log.Errorln("[Auto Redirect] lookup function is nil")
 		return
 	}
 	target, err := l.lookupFunc(conn.RemoteAddr().(*net.TCPAddr).AddrPort())
 	if err != nil {
 		log.Warnln("[Auto Redirect] %v", err)
 		_ = conn.Close()
 		return
 	}
 	_ = conn.(*net.TCPConn).SetKeepAlive(true)
 	in <- inbound.NewSocket(target, conn, C.REDIR)
 }
 func New(addr string, in chan<- C.ConnContext) (*Listener, error) {
 	l, err := net.Listen("tcp", addr)
 	if err != nil {
 		return nil, err
 	}
 	rl := &Listener{
 		listener: l,
 		addr:     addr,
 	}
 	go func() {
 		for {
 			c, err := l.Accept()
 			if err != nil {
 				if rl.closed {
 					break
 				}
 				continue
 			}
 			go rl.handleRedir(c, in)
 		}
 	}()
 	return rl, nil
 }
--- a/listener/http/server.go
+++ b/listener/http/server.go
@ -1,6 +1,8 @@
 package http
 import (
 	"context"
 	"github.com/database64128/tfo-go"
 	"net"
 	"time"
@ -30,12 +32,16 @@ func (l *Listener) Close() error {
 	return l.listener.Close()
 }
-func New(addr string, in chan<- C.ConnContext) (*Listener, error) {
+func New(addr string, inboundTfo bool, in chan<- C.ConnContext) (*Listener, error) {
-	return NewWithAuthenticate(addr, in, true)
+	return NewWithAuthenticate(addr, in, true, inboundTfo)
 }
-func NewWithAuthenticate(addr string, in chan<- C.ConnContext, authenticate bool) (*Listener, error) {
+func NewWithAuthenticate(addr string, in chan<- C.ConnContext, authenticate bool, inboundTfo bool) (*Listener, error) {
-	l, err := net.Listen("tcp", addr)
+	lc := tfo.ListenConfig{
 		DisableTFO: !inboundTfo,
 	}
 	l, err := lc.Listen(context.Background(), "tcp", addr)
 	if err != nil {
 		return nil, err
 	}
--- a/listener/http/upgrade.go
+++ b/listener/http/upgrade.go
@ -15,7 +15,15 @@ import (
 )
 func isUpgradeRequest(req *http.Request) bool {
-	return strings.EqualFold(req.Header.Get("Connection"), "Upgrade")
+	for _, header := range req.Header["Connection"] {
 		for _, elm := range strings.Split(header, ",") {
 			if strings.EqualFold(strings.TrimSpace(elm), "Upgrade") {
 				return true
 			}
 		}
 	}
 	return false
 }
 func handleUpgrade(localConn net.Conn, source net.Addr, request *http.Request, in chan<- C.ConnContext) (resp *http.Response) {
--- a/listener/listener.go
+++ b/listener/listener.go
@ -2,8 +2,11 @@ package proxy
 import (
 	"fmt"
 	"github.com/Dreamacro/clash/component/ebpf"
 	"github.com/Dreamacro/clash/listener/autoredir"
 	"github.com/Dreamacro/clash/listener/inner"
 	"github.com/Dreamacro/clash/listener/tun/ipstack/commons"
 	"golang.org/x/exp/slices"
 	"net"
 	"sort"
 	"strconv"
@ -26,6 +29,7 @@ var (
 	allowLan    = false
 	bindAddress = "*"
 	lastTunConf *config.Tun
 	inboundTfo  = false
 	socksListener     *socks.Listener
 	socksUDPListener  *socks.UDPListener
@ -37,14 +41,19 @@ var (
 	mixedListener     *mixed.Listener
 	mixedUDPLister    *socks.UDPListener
 	tunStackListener  ipstack.Stack
 	autoRedirListener *autoredir.Listener
 	autoRedirProgram  *ebpf.TcEBpfProgram
 	tcProgram         *ebpf.TcEBpfProgram
 	// lock for recreate function
-	socksMux  sync.Mutex
+	socksMux     sync.Mutex
-	httpMux   sync.Mutex
+	httpMux      sync.Mutex
-	redirMux  sync.Mutex
+	redirMux     sync.Mutex
-	tproxyMux sync.Mutex
+	tproxyMux    sync.Mutex
-	mixedMux  sync.Mutex
+	mixedMux     sync.Mutex
-	tunMux    sync.Mutex
+	tunMux       sync.Mutex
 	autoRedirMux sync.Mutex
 	tcMux        sync.Mutex
 )
 type Ports struct {
@ -80,6 +89,10 @@ func SetBindAddress(host string) {
 	bindAddress = host
 }
 func SetInboundTfo(itfo bool) {
 	inboundTfo = itfo
 }
 func NewInner(tcpIn chan<- C.ConnContext) {
 	inner.New(tcpIn)
 }
@ -109,7 +122,7 @@ func ReCreateHTTP(port int, tcpIn chan<- C.ConnContext) {
 		return
 	}
-	httpListener, err = http.New(addr, tcpIn)
+	httpListener, err = http.New(addr, inboundTfo, tcpIn)
 	if err != nil {
 		log.Errorln("Start HTTP server error: %s", err.Error())
 		return
@ -160,7 +173,7 @@ func ReCreateSocks(port int, tcpIn chan<- C.ConnContext, udpIn chan<- *inbound.P
 		return
 	}
-	tcpListener, err := socks.New(addr, tcpIn)
+	tcpListener, err := socks.New(addr, inboundTfo, tcpIn)
 	if err != nil {
 		return
 	}
@ -310,7 +323,7 @@ func ReCreateMixed(port int, tcpIn chan<- C.ConnContext, udpIn chan<- *inbound.P
 		return
 	}
-	mixedListener, err = mixed.New(addr, tcpIn)
+	mixedListener, err = mixed.New(addr, inboundTfo, tcpIn)
 	if err != nil {
 		return
 	}
@ -351,6 +364,93 @@ func ReCreateTun(tunConf *config.Tun, tcpIn chan<- C.ConnContext, udpIn chan<- *
 	lastTunConf = tunConf
 }
 func ReCreateRedirToTun(ifaceNames []string) {
 	tcMux.Lock()
 	defer tcMux.Unlock()
 	nicArr := ifaceNames
 	slices.Sort(nicArr)
 	nicArr = slices.Compact(nicArr)
 	if tcProgram != nil {
 		tcProgram.Close()
 		tcProgram = nil
 	}
 	if len(nicArr) == 0 {
 		return
 	}
 	if lastTunConf == nil || !lastTunConf.Enable {
 		return
 	}
 	program, err := ebpf.NewTcEBpfProgram(nicArr, lastTunConf.Device)
 	if err != nil {
 		log.Errorln("Attached tc ebpf program error: %v", err)
 		return
 	}
 	tcProgram = program
 	log.Infoln("Attached tc ebpf program to interfaces %v", tcProgram.RawNICs())
 }
 func ReCreateAutoRedir(ifaceNames []string, tcpIn chan<- C.ConnContext, _ chan<- *inbound.PacketAdapter) {
 	autoRedirMux.Lock()
 	defer autoRedirMux.Unlock()
 	var err error
 	defer func() {
 		if err != nil {
 			if autoRedirListener != nil {
 				_ = autoRedirListener.Close()
 				autoRedirListener = nil
 			}
 			if autoRedirProgram != nil {
 				autoRedirProgram.Close()
 				autoRedirProgram = nil
 			}
 			log.Errorln("Start auto redirect server error: %s", err.Error())
 		}
 	}()
 	nicArr := ifaceNames
 	slices.Sort(nicArr)
 	nicArr = slices.Compact(nicArr)
 	if autoRedirListener != nil && autoRedirProgram != nil {
 		_ = autoRedirListener.Close()
 		autoRedirProgram.Close()
 		autoRedirListener = nil
 		autoRedirProgram = nil
 	}
 	if len(nicArr) == 0 {
 		return
 	}
 	defaultRouteInterfaceName, err := commons.GetAutoDetectInterface()
 	if err != nil {
 		return
 	}
 	addr := genAddr("*", C.TcpAutoRedirPort, true)
 	autoRedirListener, err = autoredir.New(addr, tcpIn)
 	if err != nil {
 		return
 	}
 	autoRedirProgram, err = ebpf.NewRedirEBpfProgram(nicArr, autoRedirListener.TCPAddr().Port(), defaultRouteInterfaceName)
 	if err != nil {
 		return
 	}
 	autoRedirListener.SetLookupFunc(autoRedirProgram.Lookup)
 	log.Infoln("Auto redirect proxy listening at: %s, attached tc ebpf program to interfaces %v", autoRedirListener.Address(), autoRedirProgram.RawNICs())
 }
 // GetPorts return the ports of proxy servers
 func GetPorts() *Ports {
 	ports := &Ports{}
--- a/listener/mixed/mixed.go
+++ b/listener/mixed/mixed.go
@ -1,6 +1,8 @@
 package mixed
 import (
 	"context"
 	"github.com/database64128/tfo-go"
 	"net"
 	"time"
@ -36,8 +38,11 @@ func (l *Listener) Close() error {
 	return l.listener.Close()
 }
-func New(addr string, in chan<- C.ConnContext) (*Listener, error) {
+func New(addr string, inboundTfo bool, in chan<- C.ConnContext) (*Listener, error) {
-	l, err := net.Listen("tcp", addr)
+	lc := tfo.ListenConfig{
 		DisableTFO: !inboundTfo,
 	}
 	l, err := lc.Listen(context.Background(), "tcp", addr)
 	if err != nil {
 		return nil, err
 	}
--- a/listener/socks/tcp.go
+++ b/listener/socks/tcp.go
@ -1,6 +1,8 @@
 package socks
 import (
 	"context"
 	"github.com/database64128/tfo-go"
 	"io"
 	"net"
@ -34,8 +36,11 @@ func (l *Listener) Close() error {
 	return l.listener.Close()
 }
-func New(addr string, in chan<- C.ConnContext) (*Listener, error) {
+func New(addr string, inboundTfo bool, in chan<- C.ConnContext) (*Listener, error) {
-	l, err := net.Listen("tcp", addr)
+	lc := tfo.ListenConfig{
 		DisableTFO: !inboundTfo,
 	}
 	l, err := lc.Listen(context.Background(), "tcp", addr)
 	if err != nil {
 		return nil, err
 	}
--- a/listener/tun/device/fdbased/open_linux.go
+++ b/listener/tun/device/fdbased/open_linux.go
@ -1,12 +1,7 @@
 package fdbased
 import (
 	"fmt"
 	"github.com/Dreamacro/clash/listener/tun/device"
 	"gvisor.dev/gvisor/pkg/tcpip/link/fdbased"
 	"gvisor.dev/gvisor/pkg/tcpip/link/rawfile"
 )
 func open(fd int, mtu uint32) (device.Device, error) {
@ -16,17 +11,7 @@ func open(fd int, mtu uint32) (device.Device, error) {
 }
 func (f *FD) useEndpoint() error {
-	ep, err := fdbased.New(&fdbased.Options{
+	return f.newLinuxEp()
 		FDs: []int{f.fd},
 		MTU: f.mtu,
 		// TUN only, ignore ethernet header.
 		EthernetHeader: false,
 	})
 	if err != nil {
 		return fmt.Errorf("create endpoint: %w", err)
 	}
 	f.LinkEndpoint = ep
 	return nil
 }
 func (f *FD) useIOBased() error {
@ -34,23 +19,9 @@ func (f *FD) useIOBased() error {
 }
 func (f *FD) Read(packet []byte) (int, error) {
-	n, gvErr := rawfile.BlockingRead(f.fd, packet)
+	return f.read(packet)
 	if gvErr != nil {
 		return 0, fmt.Errorf("read error: %s", gvErr.String())
 	}
 	return n, nil
 }
 func (f *FD) Write(packet []byte) (int, error) {
-	n := len(packet)
+	return f.write(packet)
 	if n == 0 {
 		return 0, nil
 	}
 	gvErr := rawfile.NonBlockingWrite(f.fd, packet)
 	if gvErr != nil {
 		return 0, fmt.Errorf("write error: %s", gvErr.String())
 	}
 	return n, nil
 }
--- a/listener/tun/device/fdbased/open_linux_gvisor.go
+++ b/listener/tun/device/fdbased/open_linux_gvisor.go
@ -0,0 +1,45 @@
 //go:build !no_gvisor && (linux || android)
 package fdbased
 import (
 	"fmt"
 	"gvisor.dev/gvisor/pkg/tcpip/link/fdbased"
 	"gvisor.dev/gvisor/pkg/tcpip/link/rawfile"
 )
 func (f *FD) newLinuxEp() error {
 	ep, err := fdbased.New(&fdbased.Options{
 		FDs: []int{f.fd},
 		MTU: f.mtu,
 		// TUN only, ignore ethernet header.
 		EthernetHeader: false,
 	})
 	if err != nil {
 		return fmt.Errorf("create endpoint: %w", err)
 	}
 	f.LinkEndpoint = ep
 	return nil
 }
 func (f *FD) read(packet []byte) (int, error) {
 	n, gvErr := rawfile.BlockingRead(f.fd, packet)
 	if gvErr != nil {
 		return 0, fmt.Errorf("read error: %s", gvErr.String())
 	}
 	return n, nil
 }
 func (f *FD) write(packet []byte) (int, error) {
 	n := len(packet)
 	if n == 0 {
 		return 0, nil
 	}
 	gvErr := rawfile.NonBlockingWrite(f.fd, packet)
 	if gvErr != nil {
 		return 0, fmt.Errorf("write error: %s", gvErr.String())
 	}
 	return n, nil
 }
--- a/listener/tun/device/fdbased/open_linux_no_gvisor.go
+++ b/listener/tun/device/fdbased/open_linux_no_gvisor.go
@ -0,0 +1,19 @@
 //go:build no_gvisor
 package fdbased
 import (
 	"fmt"
 )
 func (f *FD) newLinuxEp() error {
 	return fmt.Errorf("unsupported gvisor on the build")
 }
 func (f *FD) read(packet []byte) (int, error) {
 	return 0, fmt.Errorf("unsupported gvisor on the build")
 }
 func (f *FD) write(packet []byte) (int, error) {
 	return 0, fmt.Errorf("unsupported gvisor on the build")
 }
--- a/listener/tun/device/fdbased/open_others.go
+++ b/listener/tun/device/fdbased/open_others.go
@ -16,7 +16,7 @@ func open(fd int, mtu uint32) (device.Device, error) {
 }
 func (f *FD) useEndpoint() error {
-	return newEp(f)
+	return f.newEpOther()
 }
 func (f *FD) useIOBased() error {
--- a/listener/tun/device/fdbased/open_others_gvisor.go
+++ b/listener/tun/device/fdbased/open_others_gvisor.go
@ -9,7 +9,7 @@ import (
 	"github.com/Dreamacro/clash/listener/tun/device/iobased"
 )
-func newEp(f *FD) error {
+func (f *FD) newEpOther() error {
 	ep, err := iobased.New(os.NewFile(uintptr(f.fd), f.Name()), f.mtu, 0)
 	if err != nil {
 		return fmt.Errorf("create endpoint: %w", err)
--- a/listener/tun/device/fdbased/open_others_no_gvisor.go
+++ b/listener/tun/device/fdbased/open_others_no_gvisor.go
@ -6,6 +6,6 @@ import (
 	"fmt"
 )
-func newEp(f *FD) error {
+func (f *FD) newEpOther() error {
 	return fmt.Errorf("unsupported gvisor on the build")
 }
--- a/listener/tun/device/iobased/endpoint.go
+++ b/listener/tun/device/iobased/endpoint.go
@ -7,11 +7,12 @@ package iobased
 import (
 	"context"
 	"errors"
 	"gvisor.dev/gvisor/pkg/bufferv2"
 	"io"
 	"sync"
 	"github.com/Dreamacro/clash/common/pool"
 	"gvisor.dev/gvisor/pkg/tcpip"
 	"gvisor.dev/gvisor/pkg/tcpip/buffer"
 	"gvisor.dev/gvisor/pkg/tcpip/header"
 	"gvisor.dev/gvisor/pkg/tcpip/link/channel"
 	"gvisor.dev/gvisor/pkg/tcpip/stack"
@ -95,31 +96,44 @@ func (e *Endpoint) dispatchLoop(cancel context.CancelFunc) {
 	mtu := int(e.mtu)
 	for {
-		data := make([]byte, mtu)
+		data := pool.Get(mtu)
 		n, err := e.rw.Read(data)
 		if err != nil {
 			_ = pool.Put(data)
 			break
 		}
 		if n == 0 || n > mtu {
 			_ = pool.Put(data)
 			continue
 		}
 		if !e.IsAttached() {
 			_ = pool.Put(data)
 			continue /* unattached, drop packet */
 		}
-		pkt := stack.NewPacketBuffer(stack.PacketBufferOptions{
+		var p tcpip.NetworkProtocolNumber
 			Data: buffer.View(data[:n]).ToVectorisedView(),
 		})
 		switch header.IPVersion(data) {
 		case header.IPv4Version:
-			e.InjectInbound(header.IPv4ProtocolNumber, pkt)
+			p = header.IPv4ProtocolNumber
 		case header.IPv6Version:
-			e.InjectInbound(header.IPv6ProtocolNumber, pkt)
+			p = header.IPv6ProtocolNumber
 		default:
 			_ = pool.Put(data)
 			continue
 		}
 		pkt := stack.NewPacketBuffer(stack.PacketBufferOptions{
 			Payload: bufferv2.MakeWithData(data),
 			OnRelease: func() {
 				_ = pool.Put(data)
 			},
 		})
 		e.InjectInbound(p, pkt)
 		pkt.DecRef()
 	}
 }
@ -138,13 +152,14 @@ func (e *Endpoint) outboundLoop(ctx context.Context) {
 // writePacket writes outbound packets to the io.Writer.
 func (e *Endpoint) writePacket(pkt *stack.PacketBuffer) tcpip.Error {
-	defer pkt.DecRef()
+	pktView := pkt.ToView()
-	size := pkt.Size()
+	defer func() {
-	views := pkt.Views()
+		pktView.Release()
 		pkt.DecRef()
 	}()
-	vView := buffer.NewVectorisedView(size, views)
+	if _, err := e.rw.Write(pktView.AsSlice()); err != nil {
 	if _, err := e.rw.Write(vView.ToView()); err != nil {
 		return &tcpip.ErrInvalidEndpointState{}
 	}
 	return nil
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
zhudan	33abbdfd24	Merge pull request #174 from MetaCubeX/Alpha Alpha	2022-08-29 11:24:07 +08:00
Skyxim	af97922e94	fix: no main result conn, will fail	2022-08-28 20:26:13 +08:00
Skyxim	db94dc76b4	fix: udp default resolve ip	2022-08-28 15:57:10 +08:00
Skyxim	99effb051b	feat: add ip-version param	2022-08-28 13:41:43 +08:00
metacubex	42e489e199	Merge remote-tracking branch 'origin/Alpha' into Alpha # Conflicts: # component/sniffer/http_sniffer.go	2022-08-22 23:22:26 +08:00
metacubex	d3b88d1b4f	fix: ebpf support	2022-08-22 23:17:41 +08:00
Skyxim	ec318f1cc5	Chore: the default sniffing is changed to a standard port, and the sniffing result is only used for this connection.	2022-08-21 08:43:57 +08:00
MetaCubeX	6cfae6919f	Merge pull request #167 from H1JK/Alpha feat: Update Converter	2022-08-20 02:32:44 +08:00
Hellojack	b23a071050	feat: Converter VMessAEAD share link standard support	2022-08-19 22:00:22 +08:00
Hellojack	732e82e3d0	fix: Converter VMess security field typo	2022-08-19 21:17:44 +08:00
H1JK	fecbc7a091	chore: Clean converter code and add doc	2022-08-19 19:46:50 +08:00
metacubex	4b39362039	chore: Skip initial "lan" rules that load geoip	2022-08-17 12:42:33 +08:00
Skyxim	835cab58cf	fix: http sniffer skip ip	2022-08-17 12:41:36 +08:00
metacubex	9317dd610b	chore: Skip initial "lan" rules that load geoip	2022-08-17 00:33:03 +08:00
Skyxim	8dc56b56ad	fix: http sniffer skip ip	2022-08-16 22:59:53 +08:00
metacubex	4611fbfe0c	chore: disable tcp_test	2022-08-15 15:52:03 +08:00
metacubex	b725c91b05	chore: clean code	2022-08-15 15:46:07 +08:00
Skyxim	482062376e	fix: Temporarily delete marking node alive as false when error occurs	2022-08-13 18:25:28 +08:00
Skyxim	32fc990c68	fix: Unhandled dns resolve failure error	2022-08-13 16:47:24 +08:00
metacubex	dfeb901417	Fix: no_gviosr tags	2022-08-12 12:53:11 +08:00
metacubex	02933ae568	Fix: nil pointer	2022-08-12 12:49:35 +08:00
metacubex	4ca2d4146b	Merge remote-tracking branch 'origin/Alpha' into Alpha	2022-08-12 03:36:15 +08:00
metacubex	5d97a7f9ca	Chore: clean code	2022-08-12 03:35:49 +08:00
metacubex	6eab1f158a	Fixed: gViosr func	2022-08-12 03:34:59 +08:00
metacubex	65a289e16f	Chore: clean code	2022-08-12 03:04:58 +08:00
metacubex	637707e58f	Chore: Migration 1.19	2022-08-12 00:07:13 +08:00
metacubex	95e602bf3b	Chore: gVisor use bufferv2	2022-08-11 23:47:45 +08:00
metacubex	4ac192f520	Chore: update badges	2022-08-11 23:45:50 +08:00
Skyxim	473d0f74bd	fix: remove extra and the actual original IDNA domain name is no longer stored, for reduce memory	2022-08-11 21:50:16 +08:00
zhudan	93ea1248e3	Merge remote-tracking branch 'origin/Alpha' into Alpha	2022-08-08 10:28:18 +08:00
zhudan	97270dcbe0	rm EBpf tun && disable android ebpf	2022-08-08 10:21:16 +08:00
MetaCubeX	50cc274b2e	Merge pull request #151 from H1JK/update-converter2 fix: Converter error when VMess `aid` field not exists	2022-08-07 20:47:32 +08:00
Hellojack	3867329ef3	fix: Converter error when VMess `aid` field not exists	2022-08-07 20:43:11 +08:00
zhudan	2899a126fc	fix filepath undefined	2022-08-02 17:13:10 +08:00
Skyxim	5391425123	Merge branch 'dev' into Alpha	2022-08-01 22:13:46 +08:00
Skyxim	1e7af0bbc7	fix: repeat set http status	2022-08-01 22:12:36 +08:00
zhudan	dd67a8c8ba	Merge remote-tracking branch 'origin/Alpha' into Alpha	2022-08-01 18:07:09 +08:00
zhudan	28ba9c5efa	revert `9be70f67ca`	2022-08-01 18:06:09 +08:00
MetaCubeX	bb413ece49	Merge pull request #144 from zhudan/ebpf support ebpf	2022-08-01 17:20:14 +08:00
zhudan	31f4d20477	support ebpf	2022-07-29 09:08:35 +08:00
Skyxim	57a15088c2	update config demo	2022-07-25 09:27:31 +08:00
MetaCubeX	be6d55e5c4	Merge remote-tracking branch 'Meta/Alpha' into Alpha	2022-07-24 01:50:16 +08:00
MetaCubeX	09419d88af	fix process code	2022-07-24 01:50:10 +08:00
MetaCubeX	9c4bae6f23	fix process code	2022-07-24 01:38:00 +08:00
MetaCubeX	b74320008a	Merge remote-tracking branch 'Meta/Alpha' into Alpha	2022-07-24 01:37:06 +08:00
MetaCubeX	35b87e79a7	fix process code	2022-07-24 01:37:01 +08:00
MetaCubeX	9be70f67ca	fix process code	2022-07-24 01:34:22 +08:00
MetaCubeX	bb86098235	fix process code	2022-07-24 01:32:22 +08:00
MetaCubeX	dec32da262	clean code	2022-07-24 01:07:30 +08:00
Dreamacro	a33e511c12	Fix: macOS udp find process should use unspecified fallback	2022-07-24 00:10:01 +08:00
Dreamacro	d71a2ce61e	Fix: fakeip udp should not replace with another ip	2022-07-24 00:02:45 +08:00
Dreamacro	133bb2319f	Chore: load balance hash need to have fallback strategy	2022-07-23 23:59:13 +08:00
Dreamacro	7d84a47683	Chore: load balance hash need to have fallback strategy	2022-07-23 23:51:42 +08:00
Skyxim	38e6b81d07	Merge pull request #129 from zhudan/Alpha 入站增加TFO支持(默认不开启)	2022-07-22 06:32:34 -04:00
zhudan	143c5de51d	inbound tfo	2022-07-22 15:16:09 +08:00
Skyxim	3e424dea7b	refactor: DoH use fragment setting params	2022-07-21 21:40:28 +08:00
Skyxim	b0fd50453a	fix: DoT-ALPN error	2022-07-21 13:57:06 +08:00
Skyxim	fe3ad3724c	fix: resolver error handling exception	2022-07-21 09:02:58 +08:00
Skyxim	e1c6142851	fix: pure ip resolve	2022-07-20 22:59:04 +08:00
Skyxim	6e7002dbd3	chore: clean code	2022-07-20 17:15:19 +08:00
Skyxim	6a4063af0d	refactor: optimize nodes caching	2022-07-20 08:53:54 +08:00
Skyxim	6b636c051a	chore: Adjust the falling logic	2022-07-16 19:52:51 +08:00
Skyxim	9a035d3c51	fix: no_gvisor compile failed for target linux	2022-07-16 19:35:52 +08:00
Skyxim	850c52d07c	chore: log level should be setting after launched	2022-07-16 13:33:27 +08:00
Skyxim	10f8f5dd7b	chore: Increase idle timeout and add keep alive period	2022-07-15 21:57:50 +08:00
Skyxim	4e272ff066	fix: DoH retry HTTP/3	2022-07-15 21:54:57 +08:00
Skyxim	a73e690172	fix: DoQ closes udp immediately.	2022-07-15 21:54:02 +08:00
Skyxim	947d9d4560	chore: clean up code	2022-07-13 22:27:49 +08:00
Skyxim	179bc6ecdf	chore: clean up code	2022-07-13 22:20:14 +08:00
Skyxim	fbabcfce94	fix: CA params convert to fingerprint	2022-07-12 14:32:34 +08:00
Skyxim	3a92ad47e7	fix: default nameserver cannot use doh of pure IP	2022-07-12 13:05:59 +08:00
Skyxim	92a20a5362	chore: tcp conn error text	2022-07-11 22:29:35 +08:00
Skyxim	9565b5194c	chore: remove log	2022-07-11 22:18:24 +08:00
Skyxim	23b2f3b971	Merge branch 'provider' into Alpha	2022-07-11 22:17:56 +08:00
Skyxim	f93dd6052e	fix: default nameserver cannot use non-standard port of doh	2022-07-11 22:05:37 +08:00
Skyxim	80df572b18	refactor: Unified provider loading resources	2022-07-11 21:30:34 +08:00
Skyxim	0c64d7e56a	chore: fingerprint style	2022-07-11 13:44:27 +08:00
Skyxim	a8ce283727	feat: add fingerprint param	2022-07-11 13:42:28 +08:00
Skyxim	ab8e9e7d7a	fix: skip-cert-verify not work	2022-07-11 12:37:27 +08:00
Skyxim	dbce268692	feat: Prepare to specify the fingerprint function	2022-07-10 21:56:33 +08:00
Skyxim	fef9f95e65	feat: add fingerprint for tls verify	2022-07-10 20:44:24 +08:00
Skyxim	60e1947ed2	chore: upgrade dependencies for hysteria	2022-07-07 12:49:52 +08:00
Skyxim	5b35822945	Merge branch 'Alpha' into dev	2022-07-07 12:23:09 +08:00
Skyxim	0a76876764	fix: h3 of doh fall back logic	2022-07-06 21:25:25 +08:00
Skyxim	e382496e4c	Merge branch 'h3' into Alpha	2022-07-06 20:54:10 +08:00
Skyxim	0c91a4e0f3	refactor: h3 for doh	2022-07-06 20:53:34 +08:00
Skyxim	56fae0b1f5	chore: reduce wrapper	2022-07-05 21:00:41 +08:00
Skyxim	baee951657	fix: close idle connections	2022-07-04 20:38:07 +08:00
MetaCubeX	253dc24e40	chore: clash.mini hack.	2022-07-04 18:53:24 +08:00
Skyxim	503b1efd8a	fix: close transport with doh of h3	2022-07-03 23:01:49 +08:00
Skyxim	50f2ecbcb0	chore: upgrade dependencies	2022-07-03 22:58:03 +08:00
Skyxim	97e158989f	Merge branch 'h3' into Alpha # Conflicts: # go.mod	2022-07-03 22:55:26 +08:00
Skyxim	e732fbb414	chore: add prefer-h3 into config.yaml	2022-07-03 22:53:49 +08:00
Skyxim	f8a168e64d	Merge branch 'hy' into Alpha	2022-07-03 22:51:33 +08:00
Skyxim	e599621a32	fix: resolve ipv6 error in hysteria	2022-07-03 22:51:20 +08:00
Skyxim	59ab2083aa	feat: try h3 connect DOH, failed will fall back h2; turn on with dns.prefer-h3: true	2022-07-03 21:59:47 +08:00
Skyxim	2d7c4eda66	Merge branch 'hy' into Alpha	2022-07-03 18:27:14 +08:00
Skyxim	3cc1870aee	chore: embed hysteria, clean irrelevant codes, code from https://github.com/HyNetwork/hysteria	2022-07-03 18:26:46 +08:00
Skyxim	8eec86232c	chore: add config.yaml demo	2022-07-02 13:44:04 +08:00
Skyxim	10d2d14938	Merge branch 'Beta' into Meta # Conflicts: # rules/provider/classical_strategy.go	2022-07-02 10:41:41 +08:00
世界	8ce9737f3d	Update dependencies	2022-06-28 08:15:03 +08:00
世界	6b44178108	Fix concurrency vmess udp write	2022-06-28 08:12:56 +08:00
Skyxim	6664547f43	chore: upgrade dependencies	2022-06-26 22:37:59 +08:00
Skyxim	10383e2701	Merge branch 'dev' into Alpha	2022-06-26 21:53:03 +08:00
Skyxim	f4b9f2965f	fix: hysteria dial use external context	2022-06-26 21:52:22 +08:00
Skyxim	2ba933d16a	chore: hysteria params verify	2022-06-25 12:43:47 +08:00
Skyxim	669961e496	fix: proxy provider force update on init	2022-06-25 12:42:52 +08:00
Skyxim	f979491013	fix: tcp concurrent force close when context done	2022-06-25 09:16:53 +08:00
Skyxim	0d55b28805	chore: dns interface name	2022-06-25 09:16:51 +08:00
Skyxim	9c70e649ca	fix: disable doq skip verify cert	2022-06-25 09:16:49 +08:00
Skyxim	8c079bf5bc	fix: tcp concurrent force close when context done	2022-06-25 09:16:28 +08:00
Skyxim	2cdf4a0532	chore: RESTful test group use request context	2022-06-25 08:53:11 +08:00
Skyxim	4ba34ce672	chore: healthcheck only once check at same time	2022-06-25 08:53:04 +08:00
mrFq1	637f1b5aed	ClashX hack. (#102 )	2022-06-24 20:08:33 +08:00
MetaCubeX	56a87125e0	Merge remote-tracking branch 'Meta/Alpha' into Alpha # Conflicts: # common/convert/converter.go	2022-06-23 00:55:34 +08:00
MetaCubeX	6fedc8d942	fix: Converter for password of ss2022 fix: Converter for password of ss2022 fixup! fix: Converter for password of ss2022 and ws fix: Converter for password of ss2022 and ws	2022-06-23 00:54:58 +08:00
MetaCubeX	dbb834d964	fix: Converter for password of ss2022	2022-06-23 00:40:08 +08:00
MetaCubeX	449946cc15	fixup! fix: Converter for password of ss2022 and ws	2022-06-23 00:18:30 +08:00
MetaCubeX	c3671a154d	fix: Converter for password of ss2022 and ws	2022-06-22 22:18:13 +08:00
MetaCubeX	6874fb785b	Merge remote-tracking branch 'Meta/Alpha' into Alpha # Conflicts: # common/convert/converter.go	2022-06-21 00:29:57 +08:00
MetaCubeX	5141ddc96e	fix: Converter for vless/vmess/ss URI Scheme	2022-06-21 00:28:33 +08:00
MetaCubeX	6a03371731	fix: Converter for vless/vmess/ss URI Scheme	2022-06-21 00:18:34 +08:00
MetaCubeX	b658bb415b	chore: remove unused	2022-06-20 22:25:59 +08:00
MetaCubeX	85405a54c7	Merge remote-tracking branch 'Meta/Alpha' into Alpha # Conflicts: # go.mod # go.sum	2022-06-19 22:30:02 +08:00
世界	30a0834e72	chore: update shadowsocks	2022-06-19 22:26:17 +08:00
Skyxim	109a76e1fc	fix: url test http response not closed	2022-06-19 17:29:46 +08:00
Skyxim	c1a99b9be4	fix: IDNA domain match	2022-06-18 18:13:54 +08:00
Skyxim	bf55428954	style: rule provider strategy	2022-06-18 17:53:40 +08:00
Skyxim	5e55d6b08f	Merge branch 'Alpha' into dev	2022-06-18 17:30:49 +08:00
Skyxim	21098d2627	feat: RESTful api add interface-name field on patch config	2022-06-18 17:29:19 +08:00
wwqgtxx	8da67ba61c	Add shadowsocks uot in relay	2022-06-18 16:38:44 +08:00
Skyxim	54a0947bb4	fix: force update provider happen loopback	2022-06-18 16:05:09 +08:00
世界	a562b249a2	Add shadowsocks uot and test	2022-06-18 10:50:33 +08:00
世界	5af17f70b4	Fix buffered shadowsocks aead tcp request	2022-06-18 10:50:33 +08:00
Skyxim	ca5bb91977	Merge branch 'dev' into Alpha	2022-06-17 21:44:54 +08:00
Skyxim	bbac54433e	fix: resolve ipv4 of 4 in 6	2022-06-17 21:44:06 +08:00
世界	b6a5ec6490	fix: fix async conn usage	2022-06-16 10:21:20 +08:00
MetaCubeX	aaf700f0b5	chore: Allow VLESS protocol TLS to be FALSE	2022-06-16 01:20:33 +08:00
MetaCubeX	2ce89aca1e	Merge remote-tracking branch 'Meta/Alpha' into Alpha # Conflicts: # go.mod # go.sum	2022-06-16 01:13:33 +08:00
世界	efdf69022a	fix: fix async conn usage	2022-06-16 01:04:27 +08:00
MetaCubeX	d4d1d4cc2a	Merge remote-tracking branch 'Meta/Alpha' into Alpha	2022-06-16 01:01:03 +08:00
世界	a8c4900891	fix: fix async conn usage maybe	2022-06-16 00:49:30 +08:00
MetaCubeX	930a7af8e7	chore: hy URI Scheme 解析	2022-06-15 23:18:06 +08:00
bash99	77acd4ba8d	Update README.md add permissions for systemctl services clash-dashboard change to updated one	2022-06-15 19:22:18 +08:00
wwqgtxx	691cf1d8d6	Merge pull request #94 from bash99/Meta Update README.md	2022-06-15 19:15:51 +08:00
bash99	d1decb8e58	Update README.md add permissions for systemctl services clash-dashboard change to updated one	2022-06-15 14:00:05 +08:00
MetaCubeX	625c4a1079	Update util.go	2022-06-15 08:44:16 +08:00
MetaCubeX	341ef19099	fix: ss/ssr URI Scheme 解析问题	2022-06-15 03:20:58 +08:00
MetaCubeX	2563b20019	fix: ss/ssr URI Scheme 解析问题	2022-06-15 03:03:26 +08:00
Skyxim	1b3b5b4dfe	fix: find process error	2022-06-14 23:14:43 +08:00
Skyxim	2e6bdc5636	feat: add param general.enable-process, it will always find process or uid, default value is false	2022-06-14 23:08:07 +08:00
Skyxim	be298cfa16	refactor: finding process and uid should to find with match process or uid rule, reduce memory allocation	2022-06-14 22:52:56 +08:00
Skyxim	277e71b26a	chore: hysteria test	2022-06-14 21:05:52 +08:00
Skyxim	f7c903a586	Merge branch 'dev' into Alpha	2022-06-14 20:23:51 +08:00
Skyxim	ff4a5bef9b	fix: up/down of hysteria must be a valid value	2022-06-14 20:23:36 +08:00
世界	d8dc44e786	Refactor: vmess Add support for vmess length masking/packetaddr/authenticated length Add support for zero/aes-128-cfb protcol	2022-06-14 13:21:22 +08:00
Skyxim	c968104a19	fix: udp listen use udp4 when general.ipv6 is false; general.ipv6 default value is true	2022-06-14 12:36:05 +08:00
Skyxim	f7481ecadf	chore: delete DOQ meaningless ALPN	2022-06-12 23:17:26 +08:00
Skyxim	85c37b473a	fix: DOQ blocked dns return result because DOQ goroutine leak	2022-06-12 21:41:01 +08:00
Skyxim	23bc231df3	chore: doq default port change to 853, ALPN use doq	2022-06-12 17:53:11 +08:00
Skyxim	2146b605f7	refactor: deprecated params(up_mbps,down_mpbs,auth) in hysteria; up/down no use append unit equivalent up_mbps/down_mbps, default unit is Mbps; up/down become a required option.	2022-06-12 11:52:15 +08:00
Skyxim	8853e97b40	fix: sni invalid on hysteria	2022-06-12 00:00:42 +08:00
世界	099aa1e3c2	fix: disable unsafe buffer in windows by default ref: `f49cd6f979`	2022-06-10 15:51:34 +08:00
Skyxim	63fdb348db	fix: leak dns when domain in hosts list	2022-06-10 14:29:19 +08:00
Skyxim	81ee44f6c0	Merge branch 'rule' into A	2022-06-10 13:38:43 +08:00
Skyxim	130a3a261d	refactor: clear linkname,reduce cycle dependencies,transport init geosite function	2022-06-10 13:38:19 +08:00
MetaCubeX	94368f43eb	fix: Vmess URI Scheme 解析问题	2022-06-10 03:15:30 +08:00
世界	9a55213ddc	chore: add more shadowsocks tests	2022-06-09 18:10:31 +08:00
世界	5055542d61	chore: update dependencies	2022-06-09 18:05:45 +08:00
Dreamacro	23063ae0b9	fix: make CodeQL happy Dreamacro	2022-06-09 17:59:17 +08:00
Dreamacro	a7f9aa909a	fix: upgrade to yaml v3	2022-06-09 17:59:17 +08:00
Dreamacro	15ecc451f3	fix: benchmark read bytes	2022-06-09 17:58:15 +08:00
Dreamacro	186a4cfdf3	fix: test broken on opensource repo	2022-06-09 17:58:10 +08:00
Dreamacro	220ef9e2e2	chore: add benchmark r/w	2022-06-09 17:58:05 +08:00
Dreamacro	7079116aa8	chore: cleanup test code	2022-06-09 17:57:59 +08:00
Dreamacro	b9e6de45e6	chore: make linter happy	2022-06-09 17:57:53 +08:00
Kr328	d3503ff940	fix: fix upgrade header detect (#2134 )	2022-06-09 17:57:48 +08:00
Kaming Chan	c3f4e1ba2e	fix: add length check for ssr auth_aes128_sha1 (#2129 )	2022-06-09 17:57:41 +08:00
世界	695fb64fa8	fix: vmess ws	2022-06-09 16:23:15 +08:00
Skyxim	d32ab9ce74	fix: 规则匹配默认策略组返回错误	2022-06-09 13:52:02 +08:00
MetaCubeX	94648989b8	fix: hysteria URI Scheme 解析问题	2022-06-09 00:22:47 +08:00
MetaCubeX	07522d3c2e	chore: 修改test文件	2022-06-08 02:03:34 +08:00
MetaCubeX	c14c07d2e3	feat: 代理集支持 Hysteria 分享格式订阅解析	2022-06-08 01:50:14 +08:00
MetaCubeX	9511ccfe47	chore: refine code	2022-06-08 01:47:50 +08:00
adlyq	ed17a1bf23	fix: group filter touch provider	2022-06-07 17:19:25 +08:00
世界	2a4f2f3942	fix: hysteria dialer	2022-06-07 15:49:10 +08:00
世界	3254eaf51c	fix: hysteria parse auth	2022-06-07 15:24:46 +08:00
adlyq	7941bae141	fix: hysteria parse	2022-06-07 14:53:00 +08:00
世界	35a6666a84	feat: add hysteria	2022-06-07 13:46:54 +08:00
世界	73d5042774	fix: some test	2022-06-07 10:45:32 +08:00
世界	9126cbab91	fix: shadowsocks-2022 on 32-bit systems	2022-06-07 10:44:22 +08:00
MetaCubeX	f8366f6e42	fix: 代理集转换ws类型 feat: 新增grpc h2 http 等支持	2022-06-07 03:17:33 +08:00
Skyxim	100c9b94ba	Merge branch 'dev' into Alpha	2022-06-06 23:15:33 +08:00
Skyxim	8343c3597e	fix: doq maybe crash when use adapter	2022-06-06 21:45:08 +08:00
Skyxim	d31adafa11	Merge pull request #76 from nekohasekai/Alpha feat: add support for shadowsocks 2022 ciphers	2022-06-06 20:21:01 +08:00
世界	1acc6759e9	feat: add support for shadowsocks 2022 ciphers	2022-06-06 19:56:36 +08:00