[Chore] workflows

fix: dns over proxy may due to cancel request, but proxy live status is fine
2022-04-02 19:02:43 +08:00 · 2022-04-02 19:01:28 +08:00 · 2022-04-02 18:24:11 +08:00 · 2022-03-31 00:26:01 +08:00 · 2022-03-31 00:08:43 +08:00 · 2022-03-30 13:19:05 +08:00
228 changed files with 13862 additions and 966 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@ -1,76 +0,0 @@
-name: Bug report
-description: Create a report to help us improve
-title: "[Bug] "
-body:
-  - type: checkboxes
-    id: ensure
-    attributes:
-      label: Verify steps
-      description: "
-在提交之前，请确认
-Please verify that you've followed these steps
-"
-      options:
-        - label: "
-如果你可以自己 debug 并解决的话，提交 PR 吧
-Is this something you can **debug and fix**? Send a pull request! Bug fixes and documentation fixes are welcome.
-"
-          required: true
-        - label: "
-我已经在 [Issue Tracker](……/) 中找过我要提出的问题
-I have searched on the [issue tracker](……/) for a related issue.
-"
-          required: true
-        - label: "
-我已经使用 dev 分支版本测试过，问题依旧存在
-I have tested using the dev branch, and the issue still exists.
-"
-          required: true
-        - label: "
-我已经仔细看过 [Documentation](https://github.com/Dreamacro/clash/wiki/) 并无法自行解决问题
-I have read the [documentation](https://github.com/Dreamacro/clash/wiki/) and was unable to solve the issue.
-"
-          required: true
-        - label: "
-这是 Clash 核心的问题，并非我所使用的 Clash 衍生版本（如 OpenClash、KoolClash 等）的特定问题
-This is an issue of the Clash core *per se*, not to the derivatives of Clash, like OpenClash or KoolClash.
-"
-          required: true
-  - type: input
-    attributes:
-      label: Clash version
-    validations:
-      required: true
-  - type: dropdown
-    id: os
-    attributes:
-      label: What OS are you seeing the problem on?
-      multiple: true
-      options:
-        - macOS
-        - Windows
-        - Linux
-        - OpenBSD/FreeBSD
-  - type: textarea
-    attributes:
-      render: yaml
-      label: "Clash config"
-      description: "
-在下方附上 Clash core 脱敏后配置文件的内容
-Paste the Clash core configuration below.
-"
-    validations:
-      required: true
-  - type: textarea
-    attributes:
-      render: shell
-      label: Clash log
-      description: "
-在下方附上 Clash Core 的日志，log level 使用 DEBUG
-Paste the Clash core log below with the log level set to `DEBUG`.
-"
-  - type: textarea
-    attributes:
-      label: Description
-    validations:
-      required: true
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@ -1,6 +0,0 @@
-blank_issues_enabled: false
-
-contact_links:
-  - name: Get help in GitHub Discussions
-    url: https://github.com/Dreamacro/clash/discussions
-    about: Have a question? Not sure if your issue affects everyone reproducibly? The quickest way to get help is on Clash's GitHub Discussions!
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@ -1,36 +0,0 @@
-name: Feature request
-description: Suggest an idea for this project
-title: "[Feature] "
-body:
-  - type: checkboxes
-    id: ensure
-    attributes:
-      label: Verify steps
-      description: "
-在提交之前，请确认
-Please verify that you've followed these steps
-"
-      options:
-        - label: "
-我已经在 [Issue Tracker](……/) 中找过我要提出的请求
-I have searched on the [issue tracker](……/) for a related feature request.
-"
-          required: true
-        - label: "
-我已经仔细看过 [Documentation](https://github.com/Dreamacro/clash/wiki/) 并无法自行解决问题
-I have read the [documentation](https://github.com/Dreamacro/clash/wiki/) and was unable to solve the issue.
-"
-          required: true
-  - type: textarea
-    attributes:
-      label: Description
-      description: 请详细、清晰地表达你要提出的论述，例如这个问题如何影响到你？你想实现什么功能？目前 Clash Core 的行为是什麽？
-    validations:
-      required: true
-  - type: textarea
-    attributes:
-      label: Possible Solution
-      description: "
-此项非必须，但是如果你有想法的话欢迎提出。
-Not obligatory, but suggest a fix/reason for the bug, or ideas how to implement the addition or change
-"
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@ -0,0 +1,20 @@
+name: Build All
+on:
+  workflow_dispatch:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up Go
+        uses: actions/setup-go@v1
+        with:
+          go-version: 1.18
+      - name: Check out code
+        uses: actions/checkout@v1
+      - name: Build
+        run: make all
+      - name: Release
+        uses: softprops/action-gh-release@v1
+        with:
+          files: bin/*
+          draft: true
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -1,30 +0,0 @@
-name: CodeQL
-
-on:
-  push:
-    branches: [master, dev]
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: ['go']
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v3
-
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
-      with:
-        languages: ${{ matrix.language }}
-
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -1,76 +0,0 @@
-name: Publish Docker Image
-on:
-  push:
-    branches:
-      - dev
-    tags:
-      - '*'
-jobs:
-
-  build:
-    name: Build
-    runs-on: ubuntu-latest
-    steps:
-
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-        with:
-          platforms: all
-
-      - name: Set up docker buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v1
-        with:
-          version: latest
-
-      - name: Login to DockerHub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      
-      - name: Login to Github Package
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: Dreamacro
-          password: ${{ secrets.PACKAGE_TOKEN }}
-
-      - name: Build dev branch and push
-        if: github.ref == 'refs/heads/dev'
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64
-          push: true
-          tags: 'dreamacro/clash:dev,ghcr.io/dreamacro/clash:dev'
-
-      - name: Get all docker tags
-        if: startsWith(github.ref, 'refs/tags/')
-        uses: actions/github-script@v6
-        id: tags
-        with:
-          script: |
-            const ref = context.payload.ref.replace(/\/?refs\/tags\//, '')
-            const tags = [
-              'dreamacro/clash:latest',
-              `dreamacro/clash:${ref}`,
-              'ghcr.io/dreamacro/clash:latest',
-              `ghcr.io/dreamacro/clash:${ref}`
-            ]
-            return tags.join(',')
-          result-encoding: string
-
-      - name: Build release and push
-        if: startsWith(github.ref, 'refs/tags/')
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64
-          push: true
-          tags: ${{steps.tags.outputs.result}}
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@ -1,22 +0,0 @@
-name: Linter
-on: [push, pull_request]
-jobs:
-  lint:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Get latest go version
-        id: version
-        run: |
-          echo ::set-output name=go_version::$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g')
-
-      - name: Setup Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: ${{ steps.version.outputs.go_version }}
-
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
-        with:
-          version: latest
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -1,14 +1,14 @@
 name: Release
 on: [push]
 jobs:
-  build:
+  Feature-build:
+    if: ${{ !contains(github.event.head_commit.message, '[Skip CI]') }}
    runs-on: ubuntu-latest
    steps:
      - name: Get latest go version
        id: version
        run: |
          echo ::set-output name=go_version::$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g')
-
      - name: Setup Go
        uses: actions/setup-go@v2
        with:
@ -24,21 +24,48 @@ jobs:
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
-
-      - name: Get dependencies, run test
-        run: |
-          go test ./...
-
+      #      - name: Get dependencies, run test
+      #        run: |
+      #          go test ./...
      - name: Build
-        if: startsWith(github.ref, 'refs/tags/')
+        if: success()
        env:
-          NAME: clash
+          NAME: Clash.Meta
          BINDIR: bin
        run: make -j releases

+      - name: Delete current release assets
+        uses: andreaswilli/delete-release-assets-action@v2.0.0
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          tag: alpha
+          deleteOnlyFromDrafts: false
+
+      - name: Tag Repo
+        uses: richardsimko/update-tag@v1
+        with:
+          tag_name: v1.10.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
      - name: Upload Release
        uses: softprops/action-gh-release@v1
-        if: startsWith(github.ref, 'refs/tags/')
+        if: ${{ env.GIT_BRANCH == 'Meta' && success() }}
        with:
+          tag: ${{ github.ref }}
+          tag_name: v1.10.0
          files: bin/*
-          draft: true
+          prerelease: false
+
+      - name: send telegram message on push
+        uses: appleboy/telegram-action@master
+        with:
+          to: ${{ secrets.TTELEGRAM_CHAT_ID }}
+          token: ${{ secrets.TELEGRAM_TOKEN }}
+          message: |
+            ${{ github.actor }} created commit:
+            Commit message: ${{ github.event.commits[0].message }}
+
+            Repository: ${{ github.repository }}
+
+            See changes: https://github.com/${{ github.repository }}/commit/${{github.sha}}
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -1,18 +0,0 @@
-  
-name: Mark stale issues and pull requests
-
-on:
-  schedule:
-    - cron: "30 1 * * *"
-
-jobs:
-  stale:
-
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/stale@v5
-        with:
-          stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days'
-          days-before-stale: 60
-          days-before-close: 5
--- a/.gitignore
+++ b/.gitignore
@ -23,3 +23,5 @@ vendor

 # test suite
 test/config/cache*
+/output
+/.vscode
--- a/79
+++ b/79
@ -1,5 +1,6 @@
-NAME=clash
+NAME=Clash.Meta
 BINDIR=bin
+BRANCH=$(shell git rev-parse --abbrev-ref HEAD)
 VERSION=$(shell git describe --tags || echo "unknown version")
 BUILDTIME=$(shell date -u)
 GOBUILD=CGO_ENABLED=0 go build -trimpath -ldflags '-X "github.com/Dreamacro/clash/constant.Version=$(VERSION)" \
@ -7,57 +8,70 @@ GOBUILD=CGO_ENABLED=0 go build -trimpath -ldflags '-X "github.com/Dreamacro/clas
 		-w -s -buildid='

 PLATFORM_LIST = \
-	darwin-amd64 \
-	darwin-amd64-v3 \
+	darwin-amd64v1 \
+	darwin-amd64v2 \
+	darwin-amd64v3 \
 	darwin-arm64 \
-	linux-386 \
-	linux-amd64 \
-	linux-amd64-v3 \
+	linux-amd64v1 \
+	linux-amd64v2 \
+	linux-amd64v3 \
 	linux-armv5 \
 	linux-armv6 \
 	linux-armv7 \
-	linux-armv8 \
+	linux-arm64 \
+	linux-mips64 \
+	linux-mips64le \
 	linux-mips-softfloat \
 	linux-mips-hardfloat \
 	linux-mipsle-softfloat \
 	linux-mipsle-hardfloat \
-	linux-mips64 \
-	linux-mips64le \
+	android-arm64 \
 	freebsd-386 \
 	freebsd-amd64 \
-	freebsd-amd64-v3 \
 	freebsd-arm64

 WINDOWS_ARCH_LIST = \
 	windows-386 \
-	windows-amd64 \
-	windows-amd64-v3 \
+	windows-amd64v1 \
+	windows-amd64v2 \
+	windows-amd64v3 \
 	windows-arm64 \
    windows-arm32v7

-all: linux-amd64 darwin-amd64 windows-amd64 # Most used
+all:linux-amd64 linux-arm64\
+	darwin-amd64 darwin-arm64\
+ 	windows-amd64 windows-arm64\

 docker:
 	$(GOBUILD) -o $(BINDIR)/$(NAME)-$@

-darwin-amd64:
-	GOARCH=amd64 GOOS=darwin $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
-
-darwin-amd64-v3:
+darwin-amd64v3:
 	GOARCH=amd64 GOOS=darwin GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

+darwin-amd64v2:
+	GOARCH=amd64 GOOS=darwin GOAMD64=v2 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+
+darwin-amd64v1:
+	GOARCH=amd64 GOOS=darwin GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+
 darwin-arm64:
 	GOARCH=arm64 GOOS=darwin $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

 linux-386:
 	GOARCH=386 GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

-linux-amd64:
-	GOARCH=amd64 GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
-
-linux-amd64-v3:
+linux-amd64v3:
 	GOARCH=amd64 GOOS=linux GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

+linux-amd64v2:
+	GOARCH=amd64 GOOS=linux GOAMD64=v2 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+
+linux-amd64v1:
+	GOARCH=amd64 GOOS=linux GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+
+linux-arm64:
+	GOARCH=arm64 GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+
 linux-armv5:
 	GOARCH=arm GOOS=linux GOARM=5 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

@ -67,9 +81,6 @@ linux-armv6:
 linux-armv7:
 	GOARCH=arm GOOS=linux GOARM=7 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

-linux-armv8:
-	GOARCH=arm64 GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
-
 linux-mips-softfloat:
 	GOARCH=mips GOMIPS=softfloat GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

@ -88,13 +99,13 @@ linux-mips64:
 linux-mips64le:
 	GOARCH=mips64le GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

+android-arm64:
+	GOARCH=arm64 GOOS=android $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+
 freebsd-386:
 	GOARCH=386 GOOS=freebsd $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

 freebsd-amd64:
-	GOARCH=amd64 GOOS=freebsd $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
-
-freebsd-amd64-v3:
 	GOARCH=amd64 GOOS=freebsd GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

 freebsd-arm64:
@ -103,12 +114,15 @@ freebsd-arm64:
 windows-386:
 	GOARCH=386 GOOS=windows $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe

-windows-amd64:
-	GOARCH=amd64 GOOS=windows $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
-
-windows-amd64-v3:
+windows-amd64v3:
 	GOARCH=amd64 GOOS=windows GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe

+windows-amd64v2:
+	GOARCH=amd64 GOOS=windows GOAMD64=v2 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
+
+windows-amd64v1:
+	GOARCH=amd64 GOOS=windows GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
+
 windows-arm64:
 	GOARCH=arm64 GOOS=windows $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe

@ -129,6 +143,9 @@ all-arch: $(PLATFORM_LIST) $(WINDOWS_ARCH_LIST)

 releases: $(gz_releases) $(zip_releases)

+vet:
+	go test ./...
+
 lint:
 	golangci-lint run ./...

--- a/Meta.png
+++ b/Meta.png
--- a/README.md
+++ b/README.md
@ -1,23 +1,20 @@
 <h1 align="center">
-  <img src="https://github.com/Dreamacro/clash/raw/master/docs/logo.png" alt="Clash" width="200">
-  <br>Clash<br>
+  <img src="Meta.png" alt="Meta Kennel" width="200">
+  <br>Meta Kernel<br>
 </h1>

-<h4 align="center">A rule-based tunnel in Go.</h4>
+<h3 align="center">Another Clash Kernel.</h3>

 <p align="center">
-  <a href="https://github.com/Dreamacro/clash/actions">
-    <img src="https://img.shields.io/github/workflow/status/Dreamacro/clash/Go?style=flat-square" alt="Github Actions">
-  </a>
-  <a href="https://goreportcard.com/report/github.com/Dreamacro/clash">
-    <img src="https://goreportcard.com/badge/github.com/Dreamacro/clash?style=flat-square">
+  <a href="https://goreportcard.com/report/github.com/Clash-Mini/Clash.Meta">
+    <img src="https://goreportcard.com/badge/github.com/Clash-Mini/Clash.Meta?style=flat-square">
  </a>
  <img src="https://img.shields.io/github/go-mod/go-version/Dreamacro/clash?style=flat-square">
-  <a href="https://github.com/Dreamacro/clash/releases">
-    <img src="https://img.shields.io/github/release/Dreamacro/clash/all.svg?style=flat-square">
+  <a href="https://github.com/Clash-Mini/Clash.Meta/releases">
+    <img src="https://img.shields.io/github/release/Clash-Mini/Clash.Meta/all.svg?style=flat-square">
  </a>
-  <a href="https://github.com/Dreamacro/clash/releases/tag/premium">
-    <img src="https://img.shields.io/badge/release-Premium-00b4f0?style=flat-square">
+  <a href="https://github.com/Clash-Mini/Clash.Meta">
+    <img src="https://img.shields.io/badge/release-Meta-00b4f0?style=flat-square">
  </a>
 </p>

@ -32,26 +29,267 @@
 - Netfilter TCP redirecting. Deploy Clash on your Internet gateway with `iptables`.
 - Comprehensive HTTP RESTful API controller

-## Premium Features
-
- TUN mode on macOS, Linux and Windows. [Doc](https://github.com/Dreamacro/clash/wiki/premium-core-features#tun-device)
- Match your tunnel by [Script](https://github.com/Dreamacro/clash/wiki/premium-core-features#script)
- [Rule Provider](https://github.com/Dreamacro/clash/wiki/premium-core-features#rule-providers)
-
 ## Getting Started
 Documentations are now moved to [GitHub Wiki](https://github.com/Dreamacro/clash/wiki).

-## Premium Release
-[Release](https://github.com/Dreamacro/clash/releases/tag/premium)
+## Advanced usage for this branch
+
+### DNS configuration
+
+Support `geosite` with `fallback-filter`.
+
+Restore `Redir remote resolution`.
+
+Support resolve ip with a `Proxy Tunnel`.
+
+```yaml
+proxy-groups:
+
+  - name: DNS
+    type: url-test
+    use:
+      - HK
+    url: http://cp.cloudflare.com
+    interval: 180
+    lazy: true
+```
+```yaml
+dns:
+  enable: true
+  use-hosts: true
+  ipv6: false
+  enhanced-mode: redir-host
+  fake-ip-range: 198.18.0.1/16
+  listen: 127.0.0.1:6868
+  default-nameserver:
+    - 119.29.29.29
+    - 114.114.114.114
+  nameserver:
+    - https://doh.pub/dns-query
+    - tls://223.5.5.5:853
+  fallback:
+    - 'https://1.0.0.1/dns-query#DNS'  # append the proxy adapter name or group name to the end of DNS URL with '#' prefix.
+    - 'tls://8.8.4.4:853#DNS'
+  fallback-filter:
+    geoip: false
+    geosite:
+      - gfw  # `geosite` filter only use fallback server to resolve ip, prevent DNS leaks to unsafe DNS providers.
+    domain:
+      - +.example.com
+    ipcidr:
+      - 0.0.0.0/32
+```
+
+### TUN configuration
+
+Supports macOS, Linux and Windows.
+
+Built-in [Wintun](https://www.wintun.net) driver.
+
+```yaml
+# Enable the TUN listener
+tun:
+  enable: true
+  stack: gvisor #  only gvisor
+  dns-hijack: 
+    - 0.0.0.0:53 # additional dns server listen on TUN
+  auto-route: true # auto set global route
+```
+### Rules configuration
+- Support rule `GEOSITE`.
+- Support rule-providers `RULE-SET`.
+- Support `multiport` condition for rule `SRC-PORT` and `DST-PORT`.
+- Support `network` condition for all rules.
+- Support source IPCIDR condition for all rules, just append to the end.
+- The `GEOSITE` databases via https://github.com/Loyalsoldier/v2ray-rules-dat.
+```yaml
+rules:
+
+  # network(tcp/udp) condition for all rules
+  - DOMAIN-SUFFIX,bilibili.com,DIRECT,tcp
+  - DOMAIN-SUFFIX,bilibili.com,REJECT,udp
+    
+  # multiport condition for rules SRC-PORT and DST-PORT
+  - DST-PORT,123/136/137-139,DIRECT,udp
+  
+  # rule GEOSITE
+  - GEOSITE,category-ads-all,REJECT
+  - GEOSITE,icloud@cn,DIRECT
+  - GEOSITE,apple@cn,DIRECT
+  - GEOSITE,apple-cn,DIRECT
+  - GEOSITE,microsoft@cn,DIRECT
+  - GEOSITE,facebook,PROXY
+  - GEOSITE,youtube,PROXY
+  - GEOSITE,geolocation-cn,DIRECT
+  - GEOSITE,geolocation-!cn,PROXY
+    
+  # source IPCIDR condition for all rules in gateway proxy
+  #- GEOSITE,geolocation-!cn,REJECT,192.168.1.88/32,192.168.1.99/32
+
+  - GEOIP,telegram,PROXY,no-resolve
+  - GEOIP,private,DIRECT,no-resolve
+  - GEOIP,cn,DIRECT
+  
+  - MATCH,PROXY
+```
+
+
+### Proxies configuration
+
+Active health detection `urltest / fallback` (based on tcp handshake, multiple failures within a limited time will actively trigger health detection to use the node)
+
+Support `Policy Group Filter`
+
+```yaml
+proxy-groups:
+
+  - name: 🚀 HK Group
+    type: select
+    use:
+      - ALL
+    filter: 'HK'
+
+  - name: 🚀 US Group
+    type: select
+    use:
+      - ALL
+    filter: 'US'
+
+proxy-providers:
+  ALL:
+    type: http
+    url: "xxxxx"
+    interval: 3600
+    path: "xxxxx"
+    health-check:
+      enable: true
+      interval: 600
+      url: http://www.gstatic.com/generate_204
+
+```
+
+
+
+Support outbound transport protocol `VLESS`.
+
+The XTLS support (TCP/UDP) transport by the XRAY-CORE.
+```yaml
+proxies:
+  - name: "vless"
+    type: vless
+    server: server
+    port: 443
+    uuid: uuid
+    servername: example.com # AKA SNI
+    # flow: xtls-rprx-direct # xtls-rprx-origin  # enable XTLS
+    # skip-cert-verify: true
+    
+  - name: "vless-ws"
+    type: vless
+    server: server
+    port: 443
+    uuid: uuid
+    tls: true
+    udp: true
+    network: ws
+    servername: example.com # priority over wss host
+    # skip-cert-verify: true
+    ws-opts:
+      path: /path
+      headers: { Host: example.com, Edge: "12a00c4.fm.huawei.com:82897" }
+
+  - name: "vless-grpc"
+    type: vless
+    server: server
+    port: 443
+    uuid: uuid
+    tls: true
+    udp: true
+    network: grpc
+    servername: example.com # priority over wss host
+    # skip-cert-verify: true
+    grpc-opts: 
+      grpc-service-name: grpcname
+```
+
+### IPTABLES configuration
+Work on Linux OS who's supported `iptables`
+
+```yaml
+# Enable the TPROXY listener
+tproxy-port: 9898
+
+iptables:
+  enable: true # default is false
+  inbound-interface: eth0 # detect the inbound interface, default is 'lo'
+```
+
+
+### General installation guide for Linux  
+ Create user given name `clash-meta`
+
+ Download and decompress pre-built binaries from [releases](https://github.com/MetaCubeX/Clash.Meta/releases)  
+
+ Rename executable file to `Clash-Meta` and move to `/usr/local/bin/` 
+
+ Create folder `/etc/Clash-Meta/` as working directory 
+
+
+
+Run Meta Kernel by user `clash-meta` as a daemon.
+
+Create the systemd configuration file at `/etc/systemd/system/Clash-Meta.service`:
+
+```
+[Unit]
+Description=Clash-Meta Daemon, Another Clash Kernel.
+After=network.target NetworkManager.service systemd-networkd.service iwd.service
+
+[Service]
+Type=simple
+User=clash-meta
+Group=clash-meta
+LimitNPROC=500
+LimitNOFILE=1000000
+CapabilityBoundingSet=cap_net_admin
+AmbientCapabilities=cap_net_admin
+Restart=always
+ExecStartPre=/usr/bin/sleep 1s
+ExecStart=/usr/local/bin/Clash-Meta -d /etc/Clash-Meta
+
+[Install]
+WantedBy=multi-user.target
+```
+Launch clashd on system startup with:
+```shell
+$ systemctl enable Clash-Meta
+```
+Launch clashd immediately with:
+
+```shell
+$ systemctl start Clash-Meta
+```
+
+### Display Process name
+
+Clash add field `Process` to `Metadata` and prepare to get process name for Restful API `GET /connections`.
+
+To display process name in GUI please use [Dashboard For Meta](https://github.com/Clash-Mini/Dashboard).
+
+![img.png](https://github.com/Clash-Mini/Dashboard/raw/master/View/Dashboard-Process.png)

 ## Development
-If you want to build an application that uses clash as a library, check out the the [GitHub Wiki](https://github.com/Dreamacro/clash/wiki/use-clash-as-a-library)
+
+If you want to build an application that uses clash as a library, check out the
+the [GitHub Wiki](https://github.com/Dreamacro/clash/wiki/use-clash-as-a-library)

 ## Credits

+* [Dreamacro/clash](https://github.com/Dreamacro/clash)
 * [riobard/go-shadowsocks2](https://github.com/riobard/go-shadowsocks2)
 * [v2ray/v2ray-core](https://github.com/v2ray/v2ray-core)
 * [WireGuard/wireguard-go](https://github.com/WireGuard/wireguard-go)
+* [yaling888/clash-plus-pro](https://github.com/yaling888/clash)

 ## License

--- a/adapter/adapter.go
+++ b/adapter/adapter.go
@ -7,6 +7,7 @@ import (
 	"net"
 	"net/http"
 	"net/url"
+	"strings"
 	"time"

 	"github.com/Dreamacro/clash/common/queue"
@ -16,6 +17,8 @@ import (
 	"go.uber.org/atomic"
 )

+var UnifiedDelay = atomic.NewBool(false)
+
 type Proxy struct {
 	C.ProxyAdapter
 	history *queue.Queue
@ -37,7 +40,11 @@ func (p *Proxy) Dial(metadata *C.Metadata) (C.Conn, error) {
 // DialContext implements C.ProxyAdapter
 func (p *Proxy) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
 	conn, err := p.ProxyAdapter.DialContext(ctx, metadata, opts...)
-	p.alive.Store(err == nil)
+	wasCancel := false
+	if err != nil {
+		wasCancel = strings.Contains(err.Error(), "operation was canceled")
+	}
+	p.alive.Store(err == nil || wasCancel)
 	return conn, err
 }

@ -114,6 +121,8 @@ func (p *Proxy) URLTest(ctx context.Context, url string) (t uint16, err error) {
 		}
 	}()

+	unifiedDelay := UnifiedDelay.Load()
+
 	addr, err := urlToMetadata(url)
 	if err != nil {
 		return
@ -150,11 +159,19 @@ func (p *Proxy) URLTest(ctx context.Context, url string) (t uint16, err error) {
 		},
 	}
 	defer client.CloseIdleConnections()
-
 	resp, err := client.Do(req)
 	if err != nil {
 		return
 	}
+
+	if unifiedDelay {
+		start = time.Now()
+		resp, err = client.Do(req)
+		if err != nil {
+			return
+		}
+	}
+
 	resp.Body.Close()
 	t = uint16(time.Since(start) / time.Millisecond)
 	return
--- a/adapter/inbound/socket.go
+++ b/adapter/inbound/socket.go
@ -20,3 +20,26 @@ func NewSocket(target socks5.Addr, conn net.Conn, source C.Type) *context.ConnCo

 	return context.NewConnContext(conn, metadata)
 }
+
+func NewInner(conn net.Conn, dst string, host string) *context.ConnContext {
+	metadata := &C.Metadata{}
+	metadata.NetWork = C.TCP
+	metadata.Type = C.INNER
+	metadata.DNSMode = C.DNSMapping
+	metadata.Host = host
+	metadata.AddrType = C.AtypDomainName
+	metadata.Process = C.ClashName
+	if ip, port, err := parseAddr(dst); err == nil {
+		metadata.DstPort = port
+		if host == "" {
+			metadata.DstIP = ip
+			if ip.To4() == nil {
+				metadata.AddrType = C.AtypIPv6
+			} else {
+				metadata.AddrType = C.AtypIPv4
+			}
+		}
+	}
+
+	return context.NewConnContext(conn, metadata)
+}
--- a/adapter/outbound/direct.go
+++ b/adapter/outbound/direct.go
@ -14,6 +14,7 @@ type Direct struct {

 // DialContext implements C.ProxyAdapter
 func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+	opts = append(opts, dialer.WithDirect())
 	c, err := dialer.DialContext(ctx, "tcp", metadata.RemoteAddress(), d.Base.DialOptions(opts...)...)
 	if err != nil {
 		return nil, err
@ -24,6 +25,7 @@ func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata, opts ...

 // ListenPacketContext implements C.ProxyAdapter
 func (d *Direct) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+	opts = append(opts, dialer.WithDirect())
 	pc, err := dialer.ListenPacket(ctx, "udp", "", d.Base.DialOptions(opts...)...)
 	if err != nil {
 		return nil, err
@ -44,3 +46,23 @@ func NewDirect() *Direct {
 		},
 	}
 }
+
+func NewCompatible() *Direct {
+	return &Direct{
+		Base: &Base{
+			name: "COMPATIBLE",
+			tp:   C.Compatible,
+			udp:  true,
+		},
+	}
+}
+
+func NewPass() *Direct {
+	return &Direct{
+		Base: &Base{
+			name: "Pass",
+			tp:   C.Pass,
+			udp:  true,
+		},
+	}
+}
--- a/adapter/outbound/trojan.go
+++ b/adapter/outbound/trojan.go
@ -12,6 +12,7 @@ import (
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/gun"
 	"github.com/Dreamacro/clash/transport/trojan"
+	"github.com/Dreamacro/clash/transport/vless"

 	"golang.org/x/net/http2"
 )
@ -40,6 +41,8 @@ type TrojanOption struct {
 	Network        string      `proxy:"network,omitempty"`
 	GrpcOpts       GrpcOptions `proxy:"grpc-opts,omitempty"`
 	WSOpts         WSOptions   `proxy:"ws-opts,omitempty"`
+	Flow           string      `proxy:"flow,omitempty"`
+	FlowShow       bool        `proxy:"flow-show,omitempty"`
 }

 func (t *Trojan) plainStream(c net.Conn) (net.Conn, error) {
@ -82,6 +85,11 @@ func (t *Trojan) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error)
 		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
 	}

+	c, err = t.instance.PresetXTLSConn(c)
+	if err != nil {
+		return nil, err
+	}
+
 	err = t.instance.WriteHeader(c, trojan.CommandTCP, serializesSocksAddr(metadata))
 	return c, err
 }
@ -95,6 +103,12 @@ func (t *Trojan) DialContext(ctx context.Context, metadata *C.Metadata, opts ...
 			return nil, err
 		}

+		c, err = t.instance.PresetXTLSConn(c)
+		if err != nil {
+			c.Close()
+			return nil, err
+		}
+
 		if err = t.instance.WriteHeader(c, trojan.CommandTCP, serializesSocksAddr(metadata)); err != nil {
 			c.Close()
 			return nil, err
@ -160,6 +174,17 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 		ALPN:           option.ALPN,
 		ServerName:     option.Server,
 		SkipCertVerify: option.SkipCertVerify,
+		FlowShow:       option.FlowShow,
+	}
+
+	if option.Network != "ws" && len(option.Flow) >= 16 {
+		option.Flow = option.Flow[:16]
+		switch option.Flow {
+		case vless.XRO, vless.XRD, vless.XRS:
+			tOption.Flow = option.Flow
+		default:
+			return nil, fmt.Errorf("unsupported xtls flow type: %s", option.Flow)
+		}
 	}

 	if option.SNI != "" {
@ -196,7 +221,12 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 			ServerName:         tOption.ServerName,
 		}

+		if t.option.Flow != "" {
+			t.transport = gun.NewHTTP2XTLSClient(dialFn, tlsConfig)
+		} else {
 			t.transport = gun.NewHTTP2Client(dialFn, tlsConfig)
+		}
+
 		t.gunTLSConfig = tlsConfig
 		t.gunConfig = &gun.Config{
 			ServiceName: option.GrpcOpts.GrpcServiceName,
--- a/adapter/outbound/util.go
+++ b/adapter/outbound/util.go
@ -2,8 +2,11 @@ package outbound

 import (
 	"bytes"
+	"crypto/tls"
+	xtls "github.com/xtls/go"
 	"net"
 	"strconv"
+	"sync"
 	"time"

 	"github.com/Dreamacro/clash/component/resolver"
@ -11,6 +14,12 @@ import (
 	"github.com/Dreamacro/clash/transport/socks5"
 )

+var (
+	globalClientSessionCache  tls.ClientSessionCache
+	globalClientXSessionCache xtls.ClientSessionCache
+	once                      sync.Once
+)
+
 func tcpKeepAlive(c net.Conn) {
 	if tcp, ok := c.(*net.TCPConn); ok {
 		tcp.SetKeepAlive(true)
@ -18,6 +27,20 @@ func tcpKeepAlive(c net.Conn) {
 	}
 }

+func getClientSessionCache() tls.ClientSessionCache {
+	once.Do(func() {
+		globalClientSessionCache = tls.NewLRUClientSessionCache(128)
+	})
+	return globalClientSessionCache
+}
+
+func getClientXSessionCache() xtls.ClientSessionCache {
+	once.Do(func() {
+		globalClientXSessionCache = xtls.NewLRUClientSessionCache(128)
+	})
+	return globalClientXSessionCache
+}
+
 func serializesSocksAddr(metadata *C.Metadata) []byte {
 	var buf [][]byte
 	aType := uint8(metadata.AddrType)
@ -44,7 +67,7 @@ func resolveUDPAddr(network, address string) (*net.UDPAddr, error) {
 		return nil, err
 	}

-	ip, err := resolver.ResolveIP(host)
+	ip, err := resolver.ResolveProxyServerHost(host)
 	if err != nil {
 		return nil, err
 	}
--- a/adapter/outbound/vless.go
+++ b/adapter/outbound/vless.go
@ -0,0 +1,446 @@
+package outbound
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"strconv"
+	"sync"
+
+	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/component/resolver"
+	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/transport/gun"
+	"github.com/Dreamacro/clash/transport/vless"
+	"github.com/Dreamacro/clash/transport/vmess"
+
+	"golang.org/x/net/http2"
+)
+
+const (
+	// max packet length
+	maxLength = 1024 << 3
+)
+
+type Vless struct {
+	*Base
+	client *vless.Client
+	option *VlessOption
+
+	// for gun mux
+	gunTLSConfig *tls.Config
+	gunConfig    *gun.Config
+	transport    *http2.Transport
+}
+
+type VlessOption struct {
+	BasicOption
+	Name           string            `proxy:"name"`
+	Server         string            `proxy:"server"`
+	Port           int               `proxy:"port"`
+	UUID           string            `proxy:"uuid"`
+	Flow           string            `proxy:"flow,omitempty"`
+	FlowShow       bool              `proxy:"flow-show,omitempty"`
+	TLS            bool              `proxy:"tls,omitempty"`
+	UDP            bool              `proxy:"udp,omitempty"`
+	Network        string            `proxy:"network,omitempty"`
+	HTTPOpts       HTTPOptions       `proxy:"http-opts,omitempty"`
+	HTTP2Opts      HTTP2Options      `proxy:"h2-opts,omitempty"`
+	GrpcOpts       GrpcOptions       `proxy:"grpc-opts,omitempty"`
+	WSOpts         WSOptions         `proxy:"ws-opts,omitempty"`
+	WSPath         string            `proxy:"ws-path,omitempty"`
+	WSHeaders      map[string]string `proxy:"ws-headers,omitempty"`
+	SkipCertVerify bool              `proxy:"skip-cert-verify,omitempty"`
+	ServerName     string            `proxy:"servername,omitempty"`
+}
+
+func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+	var err error
+	switch v.option.Network {
+	case "ws":
+
+		host, port, _ := net.SplitHostPort(v.addr)
+		wsOpts := &vmess.WebsocketConfig{
+			Host:                host,
+			Port:                port,
+			Path:                v.option.WSOpts.Path,
+			MaxEarlyData:        v.option.WSOpts.MaxEarlyData,
+			EarlyDataHeaderName: v.option.WSOpts.EarlyDataHeaderName,
+		}
+
+		if len(v.option.WSOpts.Headers) != 0 {
+			header := http.Header{}
+			for key, value := range v.option.WSOpts.Headers {
+				header.Add(key, value)
+			}
+			wsOpts.Headers = header
+		}
+
+		wsOpts.TLS = true
+		wsOpts.TLSConfig = &tls.Config{
+			MinVersion:         tls.VersionTLS12,
+			ServerName:         host,
+			InsecureSkipVerify: v.option.SkipCertVerify,
+			NextProtos:         []string{"http/1.1"},
+		}
+		if v.option.ServerName != "" {
+			wsOpts.TLSConfig.ServerName = v.option.ServerName
+		} else if host := wsOpts.Headers.Get("Host"); host != "" {
+			wsOpts.TLSConfig.ServerName = host
+		}
+		c, err = vmess.StreamWebsocketConn(c, wsOpts)
+	case "http":
+		// readability first, so just copy default TLS logic
+		c, err = v.streamTLSOrXTLSConn(c, false)
+		if err != nil {
+			return nil, err
+		}
+
+		host, _, _ := net.SplitHostPort(v.addr)
+		httpOpts := &vmess.HTTPConfig{
+			Host:    host,
+			Method:  v.option.HTTPOpts.Method,
+			Path:    v.option.HTTPOpts.Path,
+			Headers: v.option.HTTPOpts.Headers,
+		}
+
+		c = vmess.StreamHTTPConn(c, httpOpts)
+	case "h2":
+		c, err = v.streamTLSOrXTLSConn(c, true)
+		if err != nil {
+			return nil, err
+		}
+
+		h2Opts := &vmess.H2Config{
+			Hosts: v.option.HTTP2Opts.Host,
+			Path:  v.option.HTTP2Opts.Path,
+		}
+
+		c, err = vmess.StreamH2Conn(c, h2Opts)
+	case "grpc":
+		if v.isXTLSEnabled() {
+			c, err = gun.StreamGunWithXTLSConn(c, v.gunTLSConfig, v.gunConfig)
+		} else {
+			c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig)
+		}
+	default:
+		// default tcp network
+		// handle TLS And XTLS
+		c, err = v.streamTLSOrXTLSConn(c, false)
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	return v.client.StreamConn(c, parseVlessAddr(metadata))
+}
+
+func (v *Vless) streamTLSOrXTLSConn(conn net.Conn, isH2 bool) (net.Conn, error) {
+	host, _, _ := net.SplitHostPort(v.addr)
+
+	if v.isXTLSEnabled() {
+		xtlsOpts := vless.XTLSConfig{
+			Host:           host,
+			SkipCertVerify: v.option.SkipCertVerify,
+		}
+
+		if isH2 {
+			xtlsOpts.NextProtos = []string{"h2"}
+		}
+
+		if v.option.ServerName != "" {
+			xtlsOpts.Host = v.option.ServerName
+		}
+
+		return vless.StreamXTLSConn(conn, &xtlsOpts)
+
+	} else if v.option.TLS {
+		tlsOpts := vmess.TLSConfig{
+			Host:           host,
+			SkipCertVerify: v.option.SkipCertVerify,
+		}
+
+		if isH2 {
+			tlsOpts.NextProtos = []string{"h2"}
+		}
+
+		if v.option.ServerName != "" {
+			tlsOpts.Host = v.option.ServerName
+		}
+
+		return vmess.StreamTLSConn(conn, &tlsOpts)
+	}
+
+	return conn, nil
+}
+
+func (v *Vless) isXTLSEnabled() bool {
+	return v.client.Addons != nil
+}
+
+// DialContext implements C.ProxyAdapter
+func (v *Vless) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
+	// gun transport
+	if v.transport != nil && len(opts) == 0 {
+		c, err := gun.StreamGunWithTransport(v.transport, v.gunConfig)
+		if err != nil {
+			return nil, err
+		}
+		defer safeConnClose(c, err)
+
+		c, err = v.client.StreamConn(c, parseVlessAddr(metadata))
+		if err != nil {
+			return nil, err
+		}
+
+		return NewConn(c, v), nil
+	}
+
+	c, err := dialer.DialContext(ctx, "tcp", v.addr, v.Base.DialOptions(opts...)...)
+	if err != nil {
+		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
+	}
+	tcpKeepAlive(c)
+	defer safeConnClose(c, err)
+
+	c, err = v.StreamConn(c, metadata)
+	return NewConn(c, v), err
+}
+
+// ListenPacketContext implements C.ProxyAdapter
+func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+	// vless use stream-oriented udp with a special address, so we needs a net.UDPAddr
+	if !metadata.Resolved() {
+		ip, err := resolver.ResolveIP(metadata.Host)
+		if err != nil {
+			return nil, errors.New("can't resolve ip")
+		}
+		metadata.DstIP = ip
+	}
+
+	var c net.Conn
+	// gun transport
+	if v.transport != nil && len(opts) == 0 {
+		c, err = gun.StreamGunWithTransport(v.transport, v.gunConfig)
+		if err != nil {
+			return nil, err
+		}
+		defer safeConnClose(c, err)
+
+		c, err = v.client.StreamConn(c, parseVlessAddr(metadata))
+	} else {
+		c, err = dialer.DialContext(ctx, "tcp", v.addr, v.Base.DialOptions(opts...)...)
+		if err != nil {
+			return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
+		}
+		tcpKeepAlive(c)
+		defer safeConnClose(c, err)
+
+		c, err = v.StreamConn(c, metadata)
+	}
+
+	if err != nil {
+		return nil, fmt.Errorf("new vless client error: %v", err)
+	}
+
+	return newPacketConn(&vlessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}, v), nil
+}
+
+func parseVlessAddr(metadata *C.Metadata) *vless.DstAddr {
+	var addrType byte
+	var addr []byte
+	switch metadata.AddrType {
+	case C.AtypIPv4:
+		addrType = byte(vless.AtypIPv4)
+		addr = make([]byte, net.IPv4len)
+		copy(addr[:], metadata.DstIP.To4())
+	case C.AtypIPv6:
+		addrType = byte(vless.AtypIPv6)
+		addr = make([]byte, net.IPv6len)
+		copy(addr[:], metadata.DstIP.To16())
+	case C.AtypDomainName:
+		addrType = byte(vless.AtypDomainName)
+		addr = make([]byte, len(metadata.Host)+1)
+		addr[0] = byte(len(metadata.Host))
+		copy(addr[1:], []byte(metadata.Host))
+	}
+
+	port, _ := strconv.ParseUint(metadata.DstPort, 10, 16)
+	return &vless.DstAddr{
+		UDP:      metadata.NetWork == C.UDP,
+		AddrType: addrType,
+		Addr:     addr,
+		Port:     uint(port),
+	}
+}
+
+type vlessPacketConn struct {
+	net.Conn
+	rAddr  net.Addr
+	remain int
+	mux    sync.Mutex
+	cache  [2]byte
+}
+
+func (c *vlessPacketConn) writePacket(payload []byte) (int, error) {
+	binary.BigEndian.PutUint16(c.cache[:], uint16(len(payload)))
+
+	if _, err := c.Conn.Write(c.cache[:]); err != nil {
+		return 0, err
+	}
+
+	return c.Conn.Write(payload)
+}
+
+func (c *vlessPacketConn) WriteTo(b []byte, addr net.Addr) (int, error) {
+	total := len(b)
+	if total == 0 {
+		return 0, nil
+	}
+
+	if total <= maxLength {
+		return c.writePacket(b)
+	}
+
+	offset := 0
+
+	for offset < total {
+		cursor := offset + maxLength
+		if cursor > total {
+			cursor = total
+		}
+
+		n, err := c.writePacket(b[offset:cursor])
+		if err != nil {
+			return offset + n, err
+		}
+
+		offset = cursor
+		if offset == total {
+			break
+		}
+	}
+
+	return total, nil
+}
+
+func (c *vlessPacketConn) ReadFrom(b []byte) (int, net.Addr, error) {
+	c.mux.Lock()
+	defer c.mux.Unlock()
+
+	if c.remain > 0 {
+		length := len(b)
+		if c.remain < length {
+			length = c.remain
+		}
+
+		n, err := c.Conn.Read(b[:length])
+		if err != nil {
+			return 0, c.rAddr, err
+		}
+
+		c.remain -= n
+		return n, c.rAddr, nil
+	}
+
+	if _, err := c.Conn.Read(b[:2]); err != nil {
+		return 0, c.rAddr, err
+	}
+
+	total := int(binary.BigEndian.Uint16(b[:2]))
+	if total == 0 {
+		return 0, c.rAddr, nil
+	}
+
+	length := len(b)
+	if length > total {
+		length = total
+	}
+
+	if _, err := io.ReadFull(c.Conn, b[:length]); err != nil {
+		return 0, c.rAddr, errors.New("read packet error")
+	}
+
+	c.remain = total - length
+
+	return length, c.rAddr, nil
+}
+
+func NewVless(option VlessOption) (*Vless, error) {
+	var addons *vless.Addons
+	if option.Network != "ws" && len(option.Flow) >= 16 {
+		option.Flow = option.Flow[:16]
+		switch option.Flow {
+		case vless.XRO, vless.XRD, vless.XRS:
+			addons = &vless.Addons{
+				Flow: option.Flow,
+			}
+		default:
+			return nil, fmt.Errorf("unsupported xtls flow type: %s", option.Flow)
+		}
+	}
+
+	client, err := vless.NewClient(option.UUID, addons, option.FlowShow)
+	if err != nil {
+		return nil, err
+	}
+
+	v := &Vless{
+		Base: &Base{
+			name:  option.Name,
+			addr:  net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
+			tp:    C.Vless,
+			udp:   option.UDP,
+			iface: option.Interface,
+		},
+		client: client,
+		option: &option,
+	}
+
+	switch option.Network {
+	case "h2":
+		if len(option.HTTP2Opts.Host) == 0 {
+			option.HTTP2Opts.Host = append(option.HTTP2Opts.Host, "www.example.com")
+		}
+	case "grpc":
+		dialFn := func(network, addr string) (net.Conn, error) {
+			c, err := dialer.DialContext(context.Background(), "tcp", v.addr, v.Base.DialOptions()...)
+			if err != nil {
+				return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
+			}
+			tcpKeepAlive(c)
+			return c, nil
+		}
+
+		gunConfig := &gun.Config{
+			ServiceName: v.option.GrpcOpts.GrpcServiceName,
+			Host:        v.option.ServerName,
+		}
+		tlsConfig := &tls.Config{
+			InsecureSkipVerify: v.option.SkipCertVerify,
+			ServerName:         v.option.ServerName,
+		}
+
+		if v.option.ServerName == "" {
+			host, _, _ := net.SplitHostPort(v.addr)
+			tlsConfig.ServerName = host
+			gunConfig.Host = host
+		}
+
+		v.gunTLSConfig = tlsConfig
+		v.gunConfig = gunConfig
+		if v.isXTLSEnabled() {
+			v.transport = gun.NewHTTP2XTLSClient(dialFn, tlsConfig)
+		} else {
+			v.transport = gun.NewHTTP2Client(dialFn, tlsConfig)
+		}
+	}
+
+	return v, nil
+}
--- a/adapter/outbound/vmess.go
+++ b/adapter/outbound/vmess.go
@ -47,6 +47,10 @@ type VmessOption struct {
 	HTTP2Opts      HTTP2Options `proxy:"h2-opts,omitempty"`
 	GrpcOpts       GrpcOptions  `proxy:"grpc-opts,omitempty"`
 	WSOpts         WSOptions    `proxy:"ws-opts,omitempty"`
+
+	// TODO: compatible with VMESS WS older version configurations
+	WSHeaders map[string]string `proxy:"ws-headers,omitempty"`
+	WSPath    string            `proxy:"ws-path,omitempty"`
 }

 type HTTPOptions struct {
@ -76,6 +80,13 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	var err error
 	switch v.option.Network {
 	case "ws":
+		if v.option.WSOpts.Path == "" {
+			v.option.WSOpts.Path = v.option.WSPath
+		}
+		if len(v.option.WSOpts.Headers) == 0 {
+			v.option.WSOpts.Headers = v.option.WSHeaders
+		}
+
 		host, port, _ := net.SplitHostPort(v.addr)
 		wsOpts := &vmess.WebsocketConfig{
 			Host:                host,
--- a/adapter/outboundgroup/common.go
+++ b/adapter/outboundgroup/common.go
@ -1,6 +1,8 @@
 package outboundgroup

 import (
+	"github.com/Dreamacro/clash/tunnel"
+	"github.com/dlclark/regexp2"
 	"time"

 	C "github.com/Dreamacro/clash/constant"
@ -11,7 +13,7 @@ const (
 	defaultGetProxiesDuration = time.Second * 5
 )

-func getProvidersProxies(providers []provider.ProxyProvider, touch bool) []C.Proxy {
+func getProvidersProxies(providers []provider.ProxyProvider, touch bool, filter string) []C.Proxy {
 	proxies := []C.Proxy{}
 	for _, provider := range providers {
 		if touch {
@ -20,5 +22,34 @@ func getProvidersProxies(providers []provider.ProxyProvider, touch bool) []C.Pro
 			proxies = append(proxies, provider.Proxies()...)
 		}
 	}
+
+	var filterReg *regexp2.Regexp = nil
+	var matchedProxies []C.Proxy
+	if len(filter) > 0 {
+		//filterReg = regexp.MustCompile(filter)
+		filterReg = regexp2.MustCompile(filter, 0)
+		for _, p := range proxies {
+			if p.Type() < 8 {
+				matchedProxies = append(matchedProxies, p)
+			}
+
+			//if filterReg.MatchString(p.Name()) {
+			if mat, _ := filterReg.FindStringMatch(p.Name()); mat != nil {
+				matchedProxies = append(matchedProxies, p)
+			}
+		}
+
+		if len(matchedProxies) > 0 {
+			return matchedProxies
+		} else {
+			return append([]C.Proxy{}, tunnel.Proxies()["COMPATIBLE"])
+		}
+	} else {
+		if len(proxies) == 0 {
+			return append(proxies, tunnel.Proxies()["COMPATIBLE"])
+		} else {
 			return proxies
 		}
+	}
+
+}
--- a/adapter/outboundgroup/fallback.go
+++ b/adapter/outboundgroup/fallback.go
@ -3,6 +3,9 @@ package outboundgroup
 import (
 	"context"
 	"encoding/json"
+	"github.com/Dreamacro/clash/log"
+	"go.uber.org/atomic"
+	"time"

 	"github.com/Dreamacro/clash/adapter/outbound"
 	"github.com/Dreamacro/clash/common/singledo"
@ -14,8 +17,11 @@ import (
 type Fallback struct {
 	*outbound.Base
 	disableUDP  bool
+	filter      string
 	single      *singledo.Single
 	providers   []provider.ProxyProvider
+	failedTimes *atomic.Int32
+	failedTime  *atomic.Int64
 }

 func (f *Fallback) Now() string {
@ -29,7 +35,12 @@ func (f *Fallback) DialContext(ctx context.Context, metadata *C.Metadata, opts .
 	c, err := proxy.DialContext(ctx, metadata, f.Base.DialOptions(opts...)...)
 	if err == nil {
 		c.AppendToChains(f)
+		f.failedTimes.Store(-1)
+		f.failedTime.Store(-1)
+	} else {
+		f.onDialFailed()
 	}
+
 	return c, err
 }

@ -39,10 +50,41 @@ func (f *Fallback) ListenPacketContext(ctx context.Context, metadata *C.Metadata
 	pc, err := proxy.ListenPacketContext(ctx, metadata, f.Base.DialOptions(opts...)...)
 	if err == nil {
 		pc.AppendToChains(f)
+		f.failedTimes.Store(-1)
+		f.failedTime.Store(-1)
+	} else {
+		f.onDialFailed()
 	}
+
 	return pc, err
 }

+func (f *Fallback) onDialFailed() {
+	if f.failedTime.Load() == -1 {
+		log.Warnln("%s first failed", f.Name())
+		now := time.Now().UnixMilli()
+		f.failedTime.Store(now)
+		f.failedTimes.Store(1)
+	} else {
+		if f.failedTime.Load()-time.Now().UnixMilli() > 5*time.Second.Milliseconds() {
+			f.failedTimes.Store(-1)
+			f.failedTime.Store(-1)
+		} else {
+			failedCount := f.failedTimes.Inc()
+			log.Warnln("%s failed count: %d", f.Name(), failedCount)
+			if failedCount >= 5 {
+				log.Warnln("because %s failed multiple times, active health check", f.Name())
+				for _, proxyProvider := range f.providers {
+					go proxyProvider.HealthCheck()
+				}
+
+				f.failedTimes.Store(-1)
+				f.failedTime.Store(-1)
+			}
+		}
+	}
+}
+
 // SupportUDP implements C.ProxyAdapter
 func (f *Fallback) SupportUDP() bool {
 	if f.disableUDP {
@ -55,7 +97,7 @@ func (f *Fallback) SupportUDP() bool {

 // MarshalJSON implements C.ProxyAdapter
 func (f *Fallback) MarshalJSON() ([]byte, error) {
-	var all []string
+	all := []string{}
 	for _, proxy := range f.proxies(false) {
 		all = append(all, proxy.Name())
 	}
@ -74,7 +116,7 @@ func (f *Fallback) Unwrap(metadata *C.Metadata) C.Proxy {

 func (f *Fallback) proxies(touch bool) []C.Proxy {
 	elm, _, _ := f.single.Do(func() (any, error) {
-		return getProvidersProxies(f.providers, touch), nil
+		return getProvidersProxies(f.providers, touch, f.filter), nil
 	})

 	return elm.([]C.Proxy)
@ -102,5 +144,8 @@ func NewFallback(option *GroupCommonOption, providers []provider.ProxyProvider)
 		single:      singledo.NewSingle(defaultGetProxiesDuration),
 		providers:   providers,
 		disableUDP:  option.DisableUDP,
+		filter:      option.Filter,
+		failedTimes: atomic.NewInt32(-1),
+		failedTime:  atomic.NewInt64(-1),
 	}
 }
--- a/adapter/outboundgroup/loadbalance.go
+++ b/adapter/outboundgroup/loadbalance.go
@ -23,6 +23,7 @@ type LoadBalance struct {
 	*outbound.Base
 	disableUDP bool
 	single     *singledo.Single
+	filter     string
 	providers  []provider.ProxyProvider
 	strategyFn strategyFn
 }
@ -141,7 +142,7 @@ func (lb *LoadBalance) Unwrap(metadata *C.Metadata) C.Proxy {

 func (lb *LoadBalance) proxies(touch bool) []C.Proxy {
 	elm, _, _ := lb.single.Do(func() (any, error) {
-		return getProvidersProxies(lb.providers, touch), nil
+		return getProvidersProxies(lb.providers, touch, lb.filter), nil
 	})

 	return elm.([]C.Proxy)
@ -149,7 +150,7 @@ func (lb *LoadBalance) proxies(touch bool) []C.Proxy {

 // MarshalJSON implements C.ProxyAdapter
 func (lb *LoadBalance) MarshalJSON() ([]byte, error) {
-	var all []string
+	all := []string{}
 	for _, proxy := range lb.proxies(false) {
 		all = append(all, proxy.Name())
 	}
@ -180,5 +181,6 @@ func NewLoadBalance(option *GroupCommonOption, providers []provider.ProxyProvide
 		providers:  providers,
 		strategyFn: strategyFn,
 		disableUDP: option.DisableUDP,
+		filter:     option.Filter,
 	}, nil
 }
--- a/adapter/outboundgroup/parser.go
+++ b/adapter/outboundgroup/parser.go
@ -29,6 +29,7 @@ type GroupCommonOption struct {
 	Interval   int      `group:"interval,omitempty"`
 	Lazy       bool     `group:"lazy,omitempty"`
 	DisableUDP bool     `group:"disable-udp,omitempty"`
+	Filter     string   `group:"filter,omitempty"`
 }

 func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, providersMap map[string]types.ProxyProvider) (C.ProxyAdapter, error) {
@ -95,6 +96,8 @@ func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, provide
 			return nil, err
 		}
 		providers = append(providers, list...)
+	} else {
+		groupOption.Filter = ""
 	}

 	var group C.ProxyAdapter
--- a/adapter/outboundgroup/relay.go
+++ b/adapter/outboundgroup/relay.go
@ -16,13 +16,14 @@ type Relay struct {
 	*outbound.Base
 	single    *singledo.Single
 	providers []provider.ProxyProvider
+	filter    string
 }

 // DialContext implements C.ProxyAdapter
 func (r *Relay) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
 	var proxies []C.Proxy
 	for _, proxy := range r.proxies(metadata, true) {
-		if proxy.Type() != C.Direct {
+		if proxy.Type() != C.Direct && proxy.Type() != C.Compatible {
 			proxies = append(proxies, proxy)
 		}
 	}
@ -68,7 +69,7 @@ func (r *Relay) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d

 // MarshalJSON implements C.ProxyAdapter
 func (r *Relay) MarshalJSON() ([]byte, error) {
-	var all []string
+	all := []string{}
 	for _, proxy := range r.rawProxies(false) {
 		all = append(all, proxy.Name())
 	}
@ -80,7 +81,7 @@ func (r *Relay) MarshalJSON() ([]byte, error) {

 func (r *Relay) rawProxies(touch bool) []C.Proxy {
 	elm, _, _ := r.single.Do(func() (any, error) {
-		return getProvidersProxies(r.providers, touch), nil
+		return getProvidersProxies(r.providers, touch, r.filter), nil
 	})

 	return elm.([]C.Proxy)
@ -110,5 +111,6 @@ func NewRelay(option *GroupCommonOption, providers []provider.ProxyProvider) *Re
 		}),
 		single:    singledo.NewSingle(defaultGetProxiesDuration),
 		providers: providers,
+		filter:    option.Filter,
 	}
 }
--- a/adapter/outboundgroup/selector.go
+++ b/adapter/outboundgroup/selector.go
@ -17,6 +17,7 @@ type Selector struct {
 	disableUDP bool
 	single     *singledo.Single
 	selected   string
+	filter     string
 	providers  []provider.ProxyProvider
 }

@ -49,8 +50,8 @@ func (s *Selector) SupportUDP() bool {

 // MarshalJSON implements C.ProxyAdapter
 func (s *Selector) MarshalJSON() ([]byte, error) {
-	var all []string
-	for _, proxy := range getProvidersProxies(s.providers, false) {
+	all := []string{}
+	for _, proxy := range getProvidersProxies(s.providers, false, s.filter) {
 		all = append(all, proxy.Name())
 	}

@ -66,7 +67,7 @@ func (s *Selector) Now() string {
 }

 func (s *Selector) Set(name string) error {
-	for _, proxy := range getProvidersProxies(s.providers, false) {
+	for _, proxy := range getProvidersProxies(s.providers, false, s.filter) {
 		if proxy.Name() == name {
 			s.selected = name
 			s.single.Reset()
@ -78,13 +79,13 @@ func (s *Selector) Set(name string) error {
 }

 // Unwrap implements C.ProxyAdapter
-func (s *Selector) Unwrap(metadata *C.Metadata) C.Proxy {
+func (s *Selector) Unwrap(*C.Metadata) C.Proxy {
 	return s.selectedProxy(true)
 }

 func (s *Selector) selectedProxy(touch bool) C.Proxy {
 	elm, _, _ := s.single.Do(func() (any, error) {
-		proxies := getProvidersProxies(s.providers, touch)
+		proxies := getProvidersProxies(s.providers, touch, s.filter)
 		for _, proxy := range proxies {
 			if proxy.Name() == s.selected {
 				return proxy, nil
@ -98,7 +99,6 @@ func (s *Selector) selectedProxy(touch bool) C.Proxy {
 }

 func NewSelector(option *GroupCommonOption, providers []provider.ProxyProvider) *Selector {
-	selected := providers[0].Proxies()[0].Name()
 	return &Selector{
 		Base: outbound.NewBase(outbound.BaseOption{
 			Name:        option.Name,
@ -108,7 +108,8 @@ func NewSelector(option *GroupCommonOption, providers []provider.ProxyProvider)
 		}),
 		single:     singledo.NewSingle(defaultGetProxiesDuration),
 		providers:  providers,
-		selected:   selected,
+		selected:   "COMPATIBLE",
 		disableUDP: option.DisableUDP,
+		filter:     option.Filter,
 	}
 }
--- a/adapter/outboundgroup/urltest.go
+++ b/adapter/outboundgroup/urltest.go
@ -3,6 +3,8 @@ package outboundgroup
 import (
 	"context"
 	"encoding/json"
+	"github.com/Dreamacro/clash/log"
+	"go.uber.org/atomic"
 	"time"

 	"github.com/Dreamacro/clash/adapter/outbound"
@ -25,9 +27,12 @@ type URLTest struct {
 	tolerance   uint16
 	disableUDP  bool
 	fastNode    C.Proxy
+	filter      string
 	single      *singledo.Single
 	fastSingle  *singledo.Single
 	providers   []provider.ProxyProvider
+	failedTimes *atomic.Int32
+	failedTime  *atomic.Int64
 }

 func (u *URLTest) Now() string {
@ -39,6 +44,10 @@ func (u *URLTest) DialContext(ctx context.Context, metadata *C.Metadata, opts ..
 	c, err = u.fast(true).DialContext(ctx, metadata, u.Base.DialOptions(opts...)...)
 	if err == nil {
 		c.AppendToChains(u)
+		u.failedTimes.Store(-1)
+		u.failedTime.Store(-1)
+	} else {
+		u.onDialFailed()
 	}
 	return c, err
 }
@ -48,18 +57,22 @@ func (u *URLTest) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 	pc, err := u.fast(true).ListenPacketContext(ctx, metadata, u.Base.DialOptions(opts...)...)
 	if err == nil {
 		pc.AppendToChains(u)
+		u.failedTimes.Store(-1)
+		u.failedTime.Store(-1)
+	} else {
+		u.onDialFailed()
 	}
 	return pc, err
 }

 // Unwrap implements C.ProxyAdapter
-func (u *URLTest) Unwrap(metadata *C.Metadata) C.Proxy {
+func (u *URLTest) Unwrap(*C.Metadata) C.Proxy {
 	return u.fast(true)
 }

 func (u *URLTest) proxies(touch bool) []C.Proxy {
 	elm, _, _ := u.single.Do(func() (any, error) {
-		return getProvidersProxies(u.providers, touch), nil
+		return getProvidersProxies(u.providers, touch, u.filter), nil
 	})

 	return elm.([]C.Proxy)
@ -110,7 +123,7 @@ func (u *URLTest) SupportUDP() bool {

 // MarshalJSON implements C.ProxyAdapter
 func (u *URLTest) MarshalJSON() ([]byte, error) {
-	var all []string
+	all := []string{}
 	for _, proxy := range u.proxies(false) {
 		all = append(all, proxy.Name())
 	}
@ -121,6 +134,32 @@ func (u *URLTest) MarshalJSON() ([]byte, error) {
 	})
 }

+func (u *URLTest) onDialFailed() {
+	if u.failedTime.Load() == -1 {
+		log.Warnln("%s first failed", u.Name())
+		now := time.Now().UnixMilli()
+		u.failedTime.Store(now)
+		u.failedTimes.Store(1)
+	} else {
+		if u.failedTime.Load()-time.Now().UnixMilli() > 5*1000 {
+			u.failedTimes.Store(-1)
+			u.failedTime.Store(-1)
+		} else {
+			failedCount := u.failedTimes.Inc()
+			log.Warnln("%s failed count: %d", u.Name(), failedCount)
+			if failedCount >= 5 {
+				log.Warnln("because %s failed multiple times, active health check", u.Name())
+				for _, proxyProvider := range u.providers {
+					go proxyProvider.HealthCheck()
+				}
+
+				u.failedTimes.Store(-1)
+				u.failedTime.Store(-1)
+			}
+		}
+	}
+}
+
 func parseURLTestOption(config map[string]any) []urlTestOption {
 	opts := []urlTestOption{}

@ -146,6 +185,9 @@ func NewURLTest(option *GroupCommonOption, providers []provider.ProxyProvider, o
 		fastSingle:  singledo.NewSingle(time.Second * 10),
 		providers:   providers,
 		disableUDP:  option.DisableUDP,
+		filter:      option.Filter,
+		failedTimes: atomic.NewInt32(-1),
+		failedTime:  atomic.NewInt64(-1),
 	}

 	for _, option := range options {
--- a/adapter/parser.go
+++ b/adapter/parser.go
@ -60,6 +60,13 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 			break
 		}
 		proxy, err = outbound.NewVmess(*vmessOption)
+	case "vless":
+		vlessOption := &outbound.VlessOption{}
+		err = decoder.Decode(mapping, vlessOption)
+		if err != nil {
+			break
+		}
+		proxy, err = outbound.NewVless(*vlessOption)
 	case "snell":
 		snellOption := &outbound.SnellOption{}
 		err = decoder.Decode(mapping, snellOption)
--- a/adapter/provider/healthcheck.go
+++ b/adapter/provider/healthcheck.go
@ -31,7 +31,13 @@ type HealthCheck struct {
 func (hc *HealthCheck) process() {
 	ticker := time.NewTicker(time.Duration(hc.interval) * time.Second)

-	go hc.check()
+	go func() {
+		t := time.NewTicker(30 * time.Second)
+		<-t.C
+		t.Stop()
+		hc.check()
+	}()
+
 	for {
 		select {
 		case <-ticker.C:
--- a/adapter/provider/provider.go
+++ b/adapter/provider/provider.go
@ -4,7 +4,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"regexp"
+	"github.com/dlclark/regexp2"
 	"runtime"
 	"time"

@ -40,6 +40,7 @@ func (pp *proxySetProvider) MarshalJSON() ([]byte, error) {
 		"type":        pp.Type().String(),
 		"vehicleType": pp.VehicleType().String(),
 		"proxies":     pp.Proxies(),
+		//TODO maybe error because year value overflow
 		"updatedAt": pp.updatedAt,
 	})
 }
@ -67,6 +68,10 @@ func (pp *proxySetProvider) Initial() error {
 	}

 	pp.onUpdate(elm)
+	if pp.healthCheck.auto() {
+		go pp.healthCheck.process()
+	}
+
 	return nil
 }

@ -97,15 +102,12 @@ func stopProxyProvider(pd *ProxySetProvider) {
 }

 func NewProxySetProvider(name string, interval time.Duration, filter string, vehicle types.Vehicle, hc *HealthCheck) (*ProxySetProvider, error) {
-	filterReg, err := regexp.Compile(filter)
+	//filterReg, err := regexp.Compile(filter)
+	filterReg, err := regexp2.Compile(filter, 0)
 	if err != nil {
 		return nil, fmt.Errorf("invalid filter regex: %w", err)
 	}

-	if hc.auto() {
-		go hc.process()
-	}
-
 	pd := &proxySetProvider{
 		proxies:     []C.Proxy{},
 		healthCheck: hc,
@ -129,7 +131,9 @@ func NewProxySetProvider(name string, interval time.Duration, filter string, veh

 		proxies := []C.Proxy{}
 		for idx, mapping := range schema.Proxies {
-			if name, ok := mapping["name"]; ok && len(filter) > 0 && !filterReg.MatchString(name.(string)) {
+			name, ok := mapping["name"]
+			mat, _ := filterReg.FindStringMatch(name.(string))
+			if ok && len(filter) > 0 && mat == nil {
 				continue
 			}
 			proxy, err := adapter.ParseProxy(mapping)
@ -190,6 +194,10 @@ func (cp *compatibleProvider) Update() error {
 }

 func (cp *compatibleProvider) Initial() error {
+	if cp.healthCheck.auto() {
+		go cp.healthCheck.process()
+	}
+
 	return nil
 }

@ -219,10 +227,6 @@ func NewCompatibleProvider(name string, proxies []C.Proxy, hc *HealthCheck) (*Co
 		return nil, errors.New("provider need one proxy at least")
 	}

-	if hc.auto() {
-		go hc.process()
-	}
-
 	pd := &compatibleProvider{
 		name:        name,
 		proxies:     proxies,
--- a/adapter/provider/vehicle.go
+++ b/adapter/provider/vehicle.go
@ -2,6 +2,8 @@ package provider

 import (
 	"context"
+	"github.com/Dreamacro/clash/component/dialer"
+	"github.com/Dreamacro/clash/listener/inner"
 	"io"
 	"net"
 	"net/http"
@ -9,7 +11,7 @@ import (
 	"os"
 	"time"

-	"github.com/Dreamacro/clash/component/dialer"
+	netHttp "github.com/Dreamacro/clash/common/net"
 	types "github.com/Dreamacro/clash/constant/provider"
 )

@ -56,6 +58,8 @@ func (h *HTTPVehicle) Read() ([]byte, error) {
 	}

 	req, err := http.NewRequest(http.MethodGet, uri.String(), nil)
+	req.Header.Set("user-agent", netHttp.UA)
+
 	if err != nil {
 		return nil, err
 	}
@ -74,15 +78,22 @@ func (h *HTTPVehicle) Read() ([]byte, error) {
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
 		DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
-			return dialer.DialContext(ctx, network, address)
+			conn := inner.HandleTcp(address, uri.Hostname())
+			return conn, nil
 		},
 	}

 	client := http.Client{Transport: transport}
 	resp, err := client.Do(req)
+	if err != nil {
+		transport.DialContext = func(ctx context.Context, network, address string) (net.Conn, error) {
+			return dialer.DialContext(ctx, network, address)
+		}
+		resp, err = client.Do(req)
 		if err != nil {
 			return nil, err
 		}
+	}
 	defer resp.Body.Close()

 	buf, err := io.ReadAll(resp.Body)
--- a/common/cache/lrucache.go
+++ b/common/cache/lrucache.go
@ -216,6 +216,15 @@ func (c *LruCache) deleteElement(le *list.Element) {
 	}
 }

+func (c *LruCache) Clear() error {
+	c.mu.Lock()
+
+	c.cache = make(map[any]*list.Element)
+
+	c.mu.Unlock()
+	return nil
+}
+
 type entry struct {
 	key     any
 	value   any
--- a/common/cmd/cmd.go
+++ b/common/cmd/cmd.go
@ -0,0 +1,36 @@
+package cmd
+
+import (
+	"fmt"
+	"os/exec"
+	"strings"
+)
+
+func ExecCmd(cmdStr string) (string, error) {
+	args := splitArgs(cmdStr)
+
+	var cmd *exec.Cmd
+	if len(args) == 1 {
+		cmd = exec.Command(args[0])
+	} else {
+		cmd = exec.Command(args[0], args[1:]...)
+
+	}
+	prepareBackgroundCommand(cmd)
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		return "", fmt.Errorf("%v, %s", err, string(out))
+	}
+	return string(out), nil
+}
+
+func splitArgs(cmd string) []string {
+	args := strings.Split(cmd, " ")
+
+	// use in pipeline
+	if len(args) > 2 && strings.ContainsAny(cmd, "|") {
+		suffix := strings.Join(args[2:], " ")
+		args = append(args[:2], suffix)
+	}
+	return args
+}
--- a/common/cmd/cmd_other.go
+++ b/common/cmd/cmd_other.go
@ -0,0 +1,11 @@
+//go:build !windows
+
+package cmd
+
+import (
+	"os/exec"
+)
+
+func prepareBackgroundCommand(cmd *exec.Cmd) {
+
+}
--- a/common/cmd/cmd_test.go
+++ b/common/cmd/cmd_test.go
@ -0,0 +1,40 @@
+package cmd
+
+import (
+	"runtime"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSplitArgs(t *testing.T) {
+	args := splitArgs("ls")
+	args1 := splitArgs("ls -la")
+	args2 := splitArgs("bash -c ls")
+	args3 := splitArgs("bash -c ls -lahF | grep 'cmd'")
+
+	assert.Equal(t, 1, len(args))
+	assert.Equal(t, 2, len(args1))
+	assert.Equal(t, 3, len(args2))
+	assert.Equal(t, 3, len(args3))
+}
+
+func TestExecCmd(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		_, err := ExecCmd("dir")
+		assert.Nil(t, err)
+		return
+	}
+
+	_, err := ExecCmd("ls")
+	_, err1 := ExecCmd("ls -la")
+	_, err2 := ExecCmd("bash -c ls")
+	_, err3 := ExecCmd("bash -c ls -la")
+	_, err4 := ExecCmd("bash -c ls -la | grep 'cmd'")
+
+	assert.Nil(t, err)
+	assert.Nil(t, err1)
+	assert.Nil(t, err2)
+	assert.Nil(t, err3)
+	assert.Nil(t, err4)
+}
--- a/common/cmd/cmd_windows.go
+++ b/common/cmd/cmd_windows.go
@ -0,0 +1,12 @@
+//go:build windows
+
+package cmd
+
+import (
+	"os/exec"
+	"syscall"
+)
+
+func prepareBackgroundCommand(cmd *exec.Cmd) {
+	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
+}
--- a/common/collections/stack.go
+++ b/common/collections/stack.go
@ -0,0 +1,56 @@
+package collections
+
+import "sync"
+
+type (
+	stack struct {
+		top    *node
+		length int
+		lock   *sync.RWMutex
+	}
+
+	node struct {
+		value interface{}
+		prev  *node
+	}
+)
+
+// NewStack Create a new stack
+func NewStack() *stack {
+	return &stack{nil, 0, &sync.RWMutex{}}
+}
+
+// Len Return the number of items in the stack
+func (this *stack) Len() int {
+	return this.length
+}
+
+// Peek View the top item on the stack
+func (this *stack) Peek() interface{} {
+	if this.length == 0 {
+		return nil
+	}
+	return this.top.value
+}
+
+// Pop the top item of the stack and return it
+func (this *stack) Pop() interface{} {
+	this.lock.Lock()
+	defer this.lock.Unlock()
+	if this.length == 0 {
+		return nil
+	}
+	n := this.top
+	this.top = n.prev
+	this.length--
+	return n.value
+}
+
+// Push a value onto the top of the stack
+func (this *stack) Push(value interface{}) {
+	this.lock.Lock()
+	defer this.lock.Unlock()
+	n := &node{value, this.top}
+	this.top = n
+	this.length++
+}
--- a/common/net/http.go
+++ b/common/net/http.go
@ -0,0 +1,5 @@
+package net
+
+const (
+	UA = "Clash"
+)
--- a/common/net/tcpip.go
+++ b/common/net/tcpip.go
@ -0,0 +1,46 @@
+package net
+
+import (
+	"fmt"
+	"net"
+	"strings"
+)
+
+func SplitNetworkType(s string) (string, string, error) {
+	var (
+		shecme   string
+		hostPort string
+	)
+	result := strings.Split(s, "://")
+	if len(result) == 2 {
+		shecme = result[0]
+		hostPort = result[1]
+	} else if len(result) == 1 {
+		hostPort = result[0]
+	} else {
+		return "", "", fmt.Errorf("tcp/udp style error")
+	}
+
+	if len(shecme) == 0 {
+		shecme = "udp"
+	}
+
+	if shecme != "tcp" && shecme != "udp" {
+		return "", "", fmt.Errorf("scheme should be tcp:// or udp://")
+	} else {
+		return shecme, hostPort, nil
+	}
+}
+
+func SplitHostPort(s string) (host, port string, hasPort bool, err error) {
+	temp := s
+	hasPort = true
+
+	if !strings.Contains(s, ":") && !strings.Contains(s, "]:") {
+		temp += ":0"
+		hasPort = false
+	}
+
+	host, port, err = net.SplitHostPort(temp)
+	return
+}
--- a/component/dialer/dialer.go
+++ b/component/dialer/dialer.go
@ -9,6 +9,19 @@ import (
 )

 func DialContext(ctx context.Context, network, address string, options ...Option) (net.Conn, error) {
+	opt := &option{
+		interfaceName: DefaultInterface.Load(),
+		routingMark:   int(DefaultRoutingMark.Load()),
+	}
+
+	for _, o := range DefaultOptions {
+		o(opt)
+	}
+
+	for _, o := range options {
+		o(opt)
+	}
+
 	switch network {
 	case "tcp4", "tcp6", "udp4", "udp6":
 		host, port, err := net.SplitHostPort(address)
@ -19,17 +32,25 @@ func DialContext(ctx context.Context, network, address string, options ...Option
 		var ip net.IP
 		switch network {
 		case "tcp4", "udp4":
+			if !opt.direct {
+				ip, err = resolver.ResolveIPv4ProxyServerHost(host)
+			} else {
 				ip, err = resolver.ResolveIPv4(host)
+			}
 		default:
+			if !opt.direct {
+				ip, err = resolver.ResolveIPv6ProxyServerHost(host)
+			} else {
 				ip, err = resolver.ResolveIPv6(host)
 			}
+		}
 		if err != nil {
 			return nil, err
 		}

-		return dialContext(ctx, network, ip, port, options)
+		return dialContext(ctx, network, ip, port, opt)
 	case "tcp", "udp":
-		return dualStackDialContext(ctx, network, address, options)
+		return dualStackDialContext(ctx, network, address, opt)
 	default:
 		return nil, errors.New("network invalid")
 	}
@ -67,20 +88,7 @@ func ListenPacket(ctx context.Context, network, address string, options ...Optio
 	return lc.ListenPacket(ctx, network, address)
 }

-func dialContext(ctx context.Context, network string, destination net.IP, port string, options []Option) (net.Conn, error) {
-	opt := &option{
-		interfaceName: DefaultInterface.Load(),
-		routingMark:   int(DefaultRoutingMark.Load()),
-	}
-
-	for _, o := range DefaultOptions {
-		o(opt)
-	}
-
-	for _, o := range options {
-		o(opt)
-	}
-
+func dialContext(ctx context.Context, network string, destination net.IP, port string, opt *option) (net.Conn, error) {
 	dialer := &net.Dialer{}
 	if opt.interfaceName != "" {
 		if err := bindIfaceToDialer(opt.interfaceName, dialer, network, destination); err != nil {
@ -94,7 +102,7 @@ func dialContext(ctx context.Context, network string, destination net.IP, port s
 	return dialer.DialContext(ctx, network, net.JoinHostPort(destination.String(), port))
 }

-func dualStackDialContext(ctx context.Context, network, address string, options []Option) (net.Conn, error) {
+func dualStackDialContext(ctx context.Context, network, address string, opt *option) (net.Conn, error) {
 	host, port, err := net.SplitHostPort(address)
 	if err != nil {
 		return nil, err
@ -113,7 +121,7 @@ func dualStackDialContext(ctx context.Context, network, address string, options
 	results := make(chan dialResult)
 	var primary, fallback dialResult

-	startRacer := func(ctx context.Context, network, host string, ipv6 bool) {
+	startRacer := func(ctx context.Context, network, host string, direct bool, ipv6 bool) {
 		result := dialResult{ipv6: ipv6, done: true}
 		defer func() {
 			select {
@ -127,20 +135,28 @@ func dualStackDialContext(ctx context.Context, network, address string, options

 		var ip net.IP
 		if ipv6 {
+			if !direct {
+				ip, result.error = resolver.ResolveIPv6ProxyServerHost(host)
+			} else {
 				ip, result.error = resolver.ResolveIPv6(host)
+			}
+		} else {
+			if !direct {
+				ip, result.error = resolver.ResolveIPv4ProxyServerHost(host)
 			} else {
 				ip, result.error = resolver.ResolveIPv4(host)
 			}
+		}
 		if result.error != nil {
 			return
 		}
 		result.resolved = true

-		result.Conn, result.error = dialContext(ctx, network, ip, port, options)
+		result.Conn, result.error = dialContext(ctx, network, ip, port, opt)
 	}

-	go startRacer(ctx, network+"4", host, false)
-	go startRacer(ctx, network+"6", host, true)
+	go startRacer(ctx, network+"4", host, opt.direct, false)
+	go startRacer(ctx, network+"6", host, opt.direct, true)

 	for res := range results {
 		if res.error == nil {
--- a/component/dialer/options.go
+++ b/component/dialer/options.go
@ -12,6 +12,7 @@ type option struct {
 	interfaceName string
 	addrReuse     bool
 	routingMark   int
+	direct        bool
 }

 type Option func(opt *option)
@ -33,3 +34,9 @@ func WithRoutingMark(mark int) Option {
 		opt.routingMark = mark
 	}
 }
+
+func WithDirect() Option {
+	return func(opt *option) {
+		opt.direct = true
+	}
+}
--- a/component/dialer/resolver.go
+++ b/component/dialer/resolver.go
@ -0,0 +1,28 @@
+package dialer
+
+import (
+	"context"
+	"net"
+)
+
+func init() {
+	// We must use this DialContext to query DNS
+	// when using net default resolver.
+	net.DefaultResolver.PreferGo = true
+	net.DefaultResolver.Dial = resolverDialContext
+}
+
+func resolverDialContext(ctx context.Context, network, address string) (net.Conn, error) {
+	d := &net.Dialer{}
+
+	interfaceName := DefaultInterface.Load()
+
+	if interfaceName != "" {
+		dstIP := net.ParseIP(address)
+		if dstIP != nil {
+			bindIfaceToDialer(interfaceName, d, network, dstIP)
+		}
+	}
+
+	return d.DialContext(ctx, network, address)
+}
--- a/component/fakeip/cachefile.go
+++ b/component/fakeip/cachefile.go
@ -53,3 +53,8 @@ func (c *cachefileStore) Exist(ip net.IP) bool {
 // CloneTo implements store.CloneTo
 // already persistence
 func (c *cachefileStore) CloneTo(store store) {}
+
+// FlushFakeIP implements store.FlushFakeIP
+func (c *cachefileStore) FlushFakeIP() error {
+	return c.cache.FlushFakeIP()
+}
--- a/component/fakeip/memory.go
+++ b/component/fakeip/memory.go
@ -67,3 +67,8 @@ func (m *memoryStore) CloneTo(store store) {
 		m.cache.CloneTo(ms.cache)
 	}
 }
+
+// FlushFakeIP implements store.FlushFakeIP
+func (m *memoryStore) FlushFakeIP() error {
+	return m.cache.Clear()
+}
--- a/component/fakeip/pool.go
+++ b/component/fakeip/pool.go
@ -18,6 +18,7 @@ type store interface {
 	DelByIP(ip net.IP)
 	Exist(ip net.IP) bool
 	CloneTo(store)
+	FlushFakeIP() error
 }

 // Pool is a implementation about fake ip generator without storage
@ -25,6 +26,7 @@ type Pool struct {
 	max       uint32
 	min       uint32
 	gateway   uint32
+	broadcast uint32
 	offset    uint32
 	mux       sync.Mutex
 	host      *trie.DomainTrie
@ -82,6 +84,11 @@ func (p *Pool) Gateway() net.IP {
 	return uintToIP(p.gateway)
 }

+// Broadcast return broadcast ip
+func (p *Pool) Broadcast() net.IP {
+	return uintToIP(p.broadcast)
+}
+
 // IPNet return raw ipnet
 func (p *Pool) IPNet() *net.IPNet {
 	return p.ipnet
@ -114,6 +121,10 @@ func (p *Pool) get(host string) net.IP {
 	return ip
 }

+func (p *Pool) FlushFakeIP() error {
+	return p.store.FlushFakeIP()
+}
+
 func ipToUint(ip net.IP) uint32 {
 	v := uint32(ip[0]) << 24
 	v += uint32(ip[1]) << 16
@ -141,10 +152,10 @@ type Options struct {

 // New return Pool instance
 func New(options Options) (*Pool, error) {
-	min := ipToUint(options.IPNet.IP) + 2
+	min := ipToUint(options.IPNet.IP) + 3

 	ones, bits := options.IPNet.Mask.Size()
-	total := 1<<uint(bits-ones) - 2
+	total := 1<<uint(bits-ones) - 4

 	if total <= 0 {
 		return nil, errors.New("ipnet don't have valid ip")
@ -154,7 +165,8 @@ func New(options Options) (*Pool, error) {
 	pool := &Pool{
 		min:       min,
 		max:       max,
-		gateway: min - 1,
+		gateway:   min - 2,
+		broadcast: max + 1,
 		host:      options.Host,
 		ipnet:     options.IPNet,
 	}
--- a/component/fakeip/pool_test.go
+++ b/component/fakeip/pool_test.go
@ -49,7 +49,7 @@ func createCachefileStore(options Options) (*Pool, string, error) {
 }

 func TestPool_Basic(t *testing.T) {
-	_, ipnet, _ := net.ParseCIDR("192.168.0.1/29")
+	_, ipnet, _ := net.ParseCIDR("192.168.0.0/28")
 	pools, tempfile, err := createPools(Options{
 		IPNet: ipnet,
 		Size:  10,
@ -62,21 +62,22 @@ func TestPool_Basic(t *testing.T) {
 		last := pool.Lookup("bar.com")
 		bar, exist := pool.LookBack(last)

-		assert.True(t, first.Equal(net.IP{192, 168, 0, 2}))
-		assert.Equal(t, pool.Lookup("foo.com"), net.IP{192, 168, 0, 2})
-		assert.True(t, last.Equal(net.IP{192, 168, 0, 3}))
+		assert.True(t, first.Equal(net.IP{192, 168, 0, 3}))
+		assert.Equal(t, pool.Lookup("foo.com"), net.IP{192, 168, 0, 3})
+		assert.True(t, last.Equal(net.IP{192, 168, 0, 4}))
 		assert.True(t, exist)
 		assert.Equal(t, bar, "bar.com")
 		assert.Equal(t, pool.Gateway(), net.IP{192, 168, 0, 1})
+		assert.Equal(t, pool.Broadcast(), net.IP{192, 168, 0, 15})
 		assert.Equal(t, pool.IPNet().String(), ipnet.String())
-		assert.True(t, pool.Exist(net.IP{192, 168, 0, 3}))
-		assert.False(t, pool.Exist(net.IP{192, 168, 0, 4}))
+		assert.True(t, pool.Exist(net.IP{192, 168, 0, 4}))
+		assert.False(t, pool.Exist(net.IP{192, 168, 0, 5}))
 		assert.False(t, pool.Exist(net.ParseIP("::1")))
 	}
 }

 func TestPool_CycleUsed(t *testing.T) {
-	_, ipnet, _ := net.ParseCIDR("192.168.0.1/29")
+	_, ipnet, _ := net.ParseCIDR("192.168.0.16/28")
 	pools, tempfile, err := createPools(Options{
 		IPNet: ipnet,
 		Size:  10,
@ -87,7 +88,7 @@ func TestPool_CycleUsed(t *testing.T) {
 	for _, pool := range pools {
 		foo := pool.Lookup("foo.com")
 		bar := pool.Lookup("bar.com")
-		for i := 0; i < 3; i++ {
+		for i := 0; i < 9; i++ {
 			pool.Lookup(fmt.Sprintf("%d.com", i))
 		}
 		baz := pool.Lookup("baz.com")
@ -98,7 +99,7 @@ func TestPool_CycleUsed(t *testing.T) {
 }

 func TestPool_Skip(t *testing.T) {
-	_, ipnet, _ := net.ParseCIDR("192.168.0.1/30")
+	_, ipnet, _ := net.ParseCIDR("192.168.0.1/29")
 	tree := trie.New()
 	tree.Insert("example.com", tree)
 	pools, tempfile, err := createPools(Options{
@ -169,8 +170,8 @@ func TestPool_Clone(t *testing.T) {

 	first := pool.Lookup("foo.com")
 	last := pool.Lookup("bar.com")
-	assert.True(t, first.Equal(net.IP{192, 168, 0, 2}))
-	assert.True(t, last.Equal(net.IP{192, 168, 0, 3}))
+	assert.True(t, first.Equal(net.IP{192, 168, 0, 3}))
+	assert.True(t, last.Equal(net.IP{192, 168, 0, 4}))

 	newPool, _ := New(Options{
 		IPNet: ipnet,
@ -192,3 +193,59 @@ func TestPool_Error(t *testing.T) {

 	assert.Error(t, err)
 }
+
+func TestPool_FlushFileCache(t *testing.T) {
+	_, ipnet, _ := net.ParseCIDR("192.168.0.1/28")
+	pools, tempfile, err := createPools(Options{
+		IPNet: ipnet,
+		Size:  10,
+	})
+	assert.Nil(t, err)
+	defer os.Remove(tempfile)
+
+	for _, pool := range pools {
+		foo := pool.Lookup("foo.com")
+		bar := pool.Lookup("baz.com")
+		bax := pool.Lookup("baz.com")
+		fox := pool.Lookup("foo.com")
+
+		err = pool.FlushFakeIP()
+		assert.Nil(t, err)
+
+		baz := pool.Lookup("foo.com")
+		next := pool.Lookup("baz.com")
+		nero := pool.Lookup("foo.com")
+
+		assert.Equal(t, foo, fox)
+		assert.NotEqual(t, foo, baz)
+		assert.Equal(t, bar, bax)
+		assert.NotEqual(t, bar, next)
+		assert.Equal(t, baz, nero)
+	}
+}
+
+func TestPool_FlushMemoryCache(t *testing.T) {
+	_, ipnet, _ := net.ParseCIDR("192.168.0.1/28")
+	pool, _ := New(Options{
+		IPNet: ipnet,
+		Size:  10,
+	})
+
+	foo := pool.Lookup("foo.com")
+	bar := pool.Lookup("baz.com")
+	bax := pool.Lookup("baz.com")
+	fox := pool.Lookup("foo.com")
+
+	err := pool.FlushFakeIP()
+	assert.Nil(t, err)
+
+	baz := pool.Lookup("foo.com")
+	next := pool.Lookup("baz.com")
+	nero := pool.Lookup("foo.com")
+
+	assert.Equal(t, foo, fox)
+	assert.NotEqual(t, foo, baz)
+	assert.Equal(t, bar, bax)
+	assert.NotEqual(t, bar, next)
+	assert.Equal(t, baz, nero)
+}
--- a/component/geodata/attr.go
+++ b/component/geodata/attr.go
@ -0,0 +1,51 @@
+package geodata
+
+import (
+	"strings"
+
+	"github.com/Dreamacro/clash/component/geodata/router"
+)
+
+type AttributeList struct {
+	matcher []AttributeMatcher
+}
+
+func (al *AttributeList) Match(domain *router.Domain) bool {
+	for _, matcher := range al.matcher {
+		if !matcher.Match(domain) {
+			return false
+		}
+	}
+	return true
+}
+
+func (al *AttributeList) IsEmpty() bool {
+	return len(al.matcher) == 0
+}
+
+func parseAttrs(attrs []string) *AttributeList {
+	al := new(AttributeList)
+	for _, attr := range attrs {
+		trimmedAttr := strings.ToLower(strings.TrimSpace(attr))
+		if len(trimmedAttr) == 0 {
+			continue
+		}
+		al.matcher = append(al.matcher, BooleanMatcher(trimmedAttr))
+	}
+	return al
+}
+
+type AttributeMatcher interface {
+	Match(*router.Domain) bool
+}
+
+type BooleanMatcher string
+
+func (m BooleanMatcher) Match(domain *router.Domain) bool {
+	for _, attr := range domain.Attribute {
+		if strings.EqualFold(attr.GetKey(), string(m)) {
+			return true
+		}
+	}
+	return false
+}
--- a/component/geodata/geodata.go
+++ b/component/geodata/geodata.go
@ -0,0 +1,87 @@
+package geodata
+
+import (
+	"errors"
+	"fmt"
+	C "github.com/Dreamacro/clash/constant"
+	"strings"
+
+	"github.com/Dreamacro/clash/component/geodata/router"
+	"github.com/Dreamacro/clash/log"
+)
+
+type loader struct {
+	LoaderImplementation
+}
+
+func (l *loader) LoadGeoSite(list string) ([]*router.Domain, error) {
+	return l.LoadGeoSiteWithAttr(C.GeositeName, list)
+}
+
+func (l *loader) LoadGeoSiteWithAttr(file string, siteWithAttr string) ([]*router.Domain, error) {
+	parts := strings.Split(siteWithAttr, "@")
+	if len(parts) == 0 {
+		return nil, errors.New("empty rule")
+	}
+	list := strings.TrimSpace(parts[0])
+	attrVal := parts[1:]
+
+	if len(list) == 0 {
+		return nil, fmt.Errorf("empty listname in rule: %s", siteWithAttr)
+	}
+
+	domains, err := l.LoadSite(file, list)
+	if err != nil {
+		return nil, err
+	}
+
+	attrs := parseAttrs(attrVal)
+	if attrs.IsEmpty() {
+		if strings.Contains(siteWithAttr, "@") {
+			log.Warnln("empty attribute list: %s", siteWithAttr)
+		}
+		return domains, nil
+	}
+
+	filteredDomains := make([]*router.Domain, 0, len(domains))
+	hasAttrMatched := false
+	for _, domain := range domains {
+		if attrs.Match(domain) {
+			hasAttrMatched = true
+			filteredDomains = append(filteredDomains, domain)
+		}
+	}
+	if !hasAttrMatched {
+		log.Warnln("attribute match no rule: geosite: %s", siteWithAttr)
+	}
+
+	return filteredDomains, nil
+}
+
+func (l *loader) LoadGeoIP(country string) ([]*router.CIDR, error) {
+	return l.LoadIP(C.GeoipName, country)
+}
+
+var loaders map[string]func() LoaderImplementation
+
+func RegisterGeoDataLoaderImplementationCreator(name string, loader func() LoaderImplementation) {
+	if loaders == nil {
+		loaders = map[string]func() LoaderImplementation{}
+	}
+	loaders[name] = loader
+}
+
+func getGeoDataLoaderImplementation(name string) (LoaderImplementation, error) {
+	if geoLoader, ok := loaders[name]; ok {
+		return geoLoader(), nil
+	}
+	return nil, fmt.Errorf("unable to locate GeoData loader %s", name)
+}
+
+func GetGeoDataLoader(name string) (Loader, error) {
+	loadImpl, err := getGeoDataLoaderImplementation(name)
+	if err == nil {
+		return &loader{loadImpl}, nil
+	}
+	return nil, err
+}
--- a/component/geodata/geodataproto.go
+++ b/component/geodata/geodataproto.go
@ -0,0 +1,17 @@
+package geodata
+
+import (
+	"github.com/Dreamacro/clash/component/geodata/router"
+)
+
+type LoaderImplementation interface {
+	LoadSite(filename, list string) ([]*router.Domain, error)
+	LoadIP(filename, country string) ([]*router.CIDR, error)
+}
+
+type Loader interface {
+	LoaderImplementation
+	LoadGeoSite(list string) ([]*router.Domain, error)
+	LoadGeoSiteWithAttr(file string, siteWithAttr string) ([]*router.Domain, error)
+	LoadGeoIP(country string) ([]*router.CIDR, error)
+}
--- a/component/geodata/memconservative/cache.go
+++ b/component/geodata/memconservative/cache.go
@ -0,0 +1,142 @@
+package memconservative
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/Dreamacro/clash/component/geodata/router"
+	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/log"
+	"google.golang.org/protobuf/proto"
+)
+
+type GeoIPCache map[string]*router.GeoIP
+
+func (g GeoIPCache) Has(key string) bool {
+	return !(g.Get(key) == nil)
+}
+
+func (g GeoIPCache) Get(key string) *router.GeoIP {
+	if g == nil {
+		return nil
+	}
+	return g[key]
+}
+
+func (g GeoIPCache) Set(key string, value *router.GeoIP) {
+	if g == nil {
+		g = make(map[string]*router.GeoIP)
+	}
+	g[key] = value
+}
+
+func (g GeoIPCache) Unmarshal(filename, code string) (*router.GeoIP, error) {
+	asset := C.Path.GetAssetLocation(filename)
+	idx := strings.ToLower(asset + ":" + code)
+	if g.Has(idx) {
+		return g.Get(idx), nil
+	}
+
+	geoipBytes, err := Decode(asset, code)
+	switch err {
+	case nil:
+		var geoip router.GeoIP
+		if err := proto.Unmarshal(geoipBytes, &geoip); err != nil {
+			return nil, err
+		}
+		g.Set(idx, &geoip)
+		return &geoip, nil
+
+	case errCodeNotFound:
+		return nil, fmt.Errorf("country code %s%s%s", code, " not found in ", filename)
+
+	case errFailedToReadBytes, errFailedToReadExpectedLenBytes,
+		errInvalidGeodataFile, errInvalidGeodataVarintLength:
+		log.Warnln("failed to decode geoip file: %s%s", filename, ", fallback to the original ReadFile method")
+		geoipBytes, err = os.ReadFile(asset)
+		if err != nil {
+			return nil, err
+		}
+		var geoipList router.GeoIPList
+		if err := proto.Unmarshal(geoipBytes, &geoipList); err != nil {
+			return nil, err
+		}
+		for _, geoip := range geoipList.GetEntry() {
+			if strings.EqualFold(code, geoip.GetCountryCode()) {
+				g.Set(idx, geoip)
+				return geoip, nil
+			}
+		}
+
+	default:
+		return nil, err
+	}
+
+	return nil, fmt.Errorf("country code %s%s%s", code, " not found in ", filename)
+}
+
+type GeoSiteCache map[string]*router.GeoSite
+
+func (g GeoSiteCache) Has(key string) bool {
+	return !(g.Get(key) == nil)
+}
+
+func (g GeoSiteCache) Get(key string) *router.GeoSite {
+	if g == nil {
+		return nil
+	}
+	return g[key]
+}
+
+func (g GeoSiteCache) Set(key string, value *router.GeoSite) {
+	if g == nil {
+		g = make(map[string]*router.GeoSite)
+	}
+	g[key] = value
+}
+
+func (g GeoSiteCache) Unmarshal(filename, code string) (*router.GeoSite, error) {
+	asset := C.Path.GetAssetLocation(filename)
+	idx := strings.ToLower(asset + ":" + code)
+	if g.Has(idx) {
+		return g.Get(idx), nil
+	}
+
+	geositeBytes, err := Decode(asset, code)
+	switch err {
+	case nil:
+		var geosite router.GeoSite
+		if err := proto.Unmarshal(geositeBytes, &geosite); err != nil {
+			return nil, err
+		}
+		g.Set(idx, &geosite)
+		return &geosite, nil
+
+	case errCodeNotFound:
+		return nil, fmt.Errorf("list %s%s%s", code, " not found in ", filename)
+
+	case errFailedToReadBytes, errFailedToReadExpectedLenBytes,
+		errInvalidGeodataFile, errInvalidGeodataVarintLength:
+		log.Warnln("failed to decode geoip file: %s%s", filename, ", fallback to the original ReadFile method")
+		geositeBytes, err = os.ReadFile(asset)
+		if err != nil {
+			return nil, err
+		}
+		var geositeList router.GeoSiteList
+		if err := proto.Unmarshal(geositeBytes, &geositeList); err != nil {
+			return nil, err
+		}
+		for _, geosite := range geositeList.GetEntry() {
+			if strings.EqualFold(code, geosite.GetCountryCode()) {
+				g.Set(idx, geosite)
+				return geosite, nil
+			}
+		}
+
+	default:
+		return nil, err
+	}
+
+	return nil, fmt.Errorf("list %s%s%s", code, " not found in ", filename)
+}
--- a/component/geodata/memconservative/decode.go
+++ b/component/geodata/memconservative/decode.go
@ -0,0 +1,107 @@
+package memconservative
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	"google.golang.org/protobuf/encoding/protowire"
+)
+
+var (
+	errFailedToReadBytes            = errors.New("failed to read bytes")
+	errFailedToReadExpectedLenBytes = errors.New("failed to read expected length of bytes")
+	errInvalidGeodataFile           = errors.New("invalid geodata file")
+	errInvalidGeodataVarintLength   = errors.New("invalid geodata varint length")
+	errCodeNotFound                 = errors.New("code not found")
+)
+
+func emitBytes(f io.ReadSeeker, code string) ([]byte, error) {
+	count := 1
+	isInner := false
+	tempContainer := make([]byte, 0, 5)
+
+	var result []byte
+	var advancedN uint64 = 1
+	var geoDataVarintLength, codeVarintLength, varintLenByteLen uint64 = 0, 0, 0
+
+Loop:
+	for {
+		container := make([]byte, advancedN)
+		bytesRead, err := f.Read(container)
+		if err == io.EOF {
+			return nil, errCodeNotFound
+		}
+		if err != nil {
+			return nil, errFailedToReadBytes
+		}
+		if bytesRead != len(container) {
+			return nil, errFailedToReadExpectedLenBytes
+		}
+
+		switch count {
+		case 1, 3: // data type ((field_number << 3) | wire_type)
+			if container[0] != 10 { // byte `0A` equals to `10` in decimal
+				return nil, errInvalidGeodataFile
+			}
+			advancedN = 1
+			count++
+		case 2, 4: // data length
+			tempContainer = append(tempContainer, container...)
+			if container[0] > 127 { // max one-byte-length byte `7F`(0FFF FFFF) equals to `127` in decimal
+				advancedN = 1
+				goto Loop
+			}
+			lenVarint, n := protowire.ConsumeVarint(tempContainer)
+			if n < 0 {
+				return nil, errInvalidGeodataVarintLength
+			}
+			tempContainer = nil
+			if !isInner {
+				isInner = true
+				geoDataVarintLength = lenVarint
+				advancedN = 1
+			} else {
+				isInner = false
+				codeVarintLength = lenVarint
+				varintLenByteLen = uint64(n)
+				advancedN = codeVarintLength
+			}
+			count++
+		case 5: // data value
+			if strings.EqualFold(string(container), code) {
+				count++
+				offset := -(1 + int64(varintLenByteLen) + int64(codeVarintLength))
+				_, _ = f.Seek(offset, 1)        // back to the start of GeoIP or GeoSite varint
+				advancedN = geoDataVarintLength // the number of bytes to be read in next round
+			} else {
+				count = 1
+				offset := int64(geoDataVarintLength) - int64(codeVarintLength) - int64(varintLenByteLen) - 1
+				_, _ = f.Seek(offset, 1) // skip the unmatched GeoIP or GeoSite varint
+				advancedN = 1            // the next round will be the start of another GeoIPList or GeoSiteList
+			}
+		case 6: // matched GeoIP or GeoSite varint
+			result = container
+			break Loop
+		}
+	}
+	return result, nil
+}
+
+func Decode(filename, code string) ([]byte, error) {
+	f, err := os.Open(filename)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open file: %s, base error: %s", filename, err.Error())
+	}
+	defer func(f *os.File) {
+		_ = f.Close()
+	}(f)
+
+	geoBytes, err := emitBytes(f, code)
+	if err != nil {
+		return nil, err
+	}
+	return geoBytes, nil
+}
--- a/component/geodata/memconservative/memc.go
+++ b/component/geodata/memconservative/memc.go
@ -0,0 +1,40 @@
+package memconservative
+
+import (
+	"fmt"
+	"runtime"
+
+	"github.com/Dreamacro/clash/component/geodata"
+	"github.com/Dreamacro/clash/component/geodata/router"
+)
+
+type memConservativeLoader struct {
+	geoipcache   GeoIPCache
+	geositecache GeoSiteCache
+}
+
+func (m *memConservativeLoader) LoadIP(filename, country string) ([]*router.CIDR, error) {
+	defer runtime.GC()
+	geoip, err := m.geoipcache.Unmarshal(filename, country)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode geodata file: %s, base error: %s", filename, err.Error())
+	}
+	return geoip.Cidr, nil
+}
+
+func (m *memConservativeLoader) LoadSite(filename, list string) ([]*router.Domain, error) {
+	defer runtime.GC()
+	geosite, err := m.geositecache.Unmarshal(filename, list)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode geodata file: %s, base error: %s", filename, err.Error())
+	}
+	return geosite.Domain, nil
+}
+
+func newMemConservativeLoader() geodata.LoaderImplementation {
+	return &memConservativeLoader{make(map[string]*router.GeoIP), make(map[string]*router.GeoSite)}
+}
+
+func init() {
+	geodata.RegisterGeoDataLoaderImplementationCreator("memconservative", newMemConservativeLoader)
+}
--- a/component/geodata/package_info.go
+++ b/component/geodata/package_info.go
@ -0,0 +1,4 @@
+// Modified from: https://github.com/v2fly/v2ray-core/tree/master/infra/conf/geodata
+// License: MIT
+
+package geodata
--- a/component/geodata/router/condition.go
+++ b/component/geodata/router/condition.go
@ -0,0 +1,350 @@
+package router
+
+import (
+	"encoding/binary"
+	"fmt"
+	"net"
+	"sort"
+	"strings"
+
+	"github.com/Dreamacro/clash/component/geodata/strmatcher"
+)
+
+var matcherTypeMap = map[Domain_Type]strmatcher.Type{
+	Domain_Plain:  strmatcher.Substr,
+	Domain_Regex:  strmatcher.Regex,
+	Domain_Domain: strmatcher.Domain,
+	Domain_Full:   strmatcher.Full,
+}
+
+func domainToMatcher(domain *Domain) (strmatcher.Matcher, error) {
+	matcherType, f := matcherTypeMap[domain.Type]
+	if !f {
+		return nil, fmt.Errorf("unsupported domain type %v", domain.Type)
+	}
+
+	matcher, err := matcherType.New(domain.Value)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create domain matcher, base error: %s", err.Error())
+	}
+
+	return matcher, nil
+}
+
+type DomainMatcher struct {
+	matchers strmatcher.IndexMatcher
+}
+
+func NewMphMatcherGroup(domains []*Domain) (*DomainMatcher, error) {
+	g := strmatcher.NewMphMatcherGroup()
+	for _, d := range domains {
+		matcherType, f := matcherTypeMap[d.Type]
+		if !f {
+			return nil, fmt.Errorf("unsupported domain type %v", d.Type)
+		}
+		_, err := g.AddPattern(d.Value, matcherType)
+		if err != nil {
+			return nil, err
+		}
+	}
+	g.Build()
+	return &DomainMatcher{
+		matchers: g,
+	}, nil
+}
+
+// NewDomainMatcher new domain matcher.
+func NewDomainMatcher(domains []*Domain) (*DomainMatcher, error) {
+	g := new(strmatcher.MatcherGroup)
+	for _, d := range domains {
+		m, err := domainToMatcher(d)
+		if err != nil {
+			return nil, err
+		}
+		g.Add(m)
+	}
+
+	return &DomainMatcher{
+		matchers: g,
+	}, nil
+}
+
+func (m *DomainMatcher) ApplyDomain(domain string) bool {
+	return len(m.matchers.Match(strings.ToLower(domain))) > 0
+}
+
+// CIDRList is an alias of []*CIDR to provide sort.Interface.
+type CIDRList []*CIDR
+
+// Len implements sort.Interface.
+func (l *CIDRList) Len() int {
+	return len(*l)
+}
+
+// Less implements sort.Interface.
+func (l *CIDRList) Less(i int, j int) bool {
+	ci := (*l)[i]
+	cj := (*l)[j]
+
+	if len(ci.Ip) < len(cj.Ip) {
+		return true
+	}
+
+	if len(ci.Ip) > len(cj.Ip) {
+		return false
+	}
+
+	for k := 0; k < len(ci.Ip); k++ {
+		if ci.Ip[k] < cj.Ip[k] {
+			return true
+		}
+
+		if ci.Ip[k] > cj.Ip[k] {
+			return false
+		}
+	}
+
+	return ci.Prefix < cj.Prefix
+}
+
+// Swap implements sort.Interface.
+func (l *CIDRList) Swap(i int, j int) {
+	(*l)[i], (*l)[j] = (*l)[j], (*l)[i]
+}
+
+type ipv6 struct {
+	a uint64
+	b uint64
+}
+
+type GeoIPMatcher struct {
+	countryCode  string
+	reverseMatch bool
+	ip4          []uint32
+	prefix4      []uint8
+	ip6          []ipv6
+	prefix6      []uint8
+}
+
+func normalize4(ip uint32, prefix uint8) uint32 {
+	return (ip >> (32 - prefix)) << (32 - prefix)
+}
+
+func normalize6(ip ipv6, prefix uint8) ipv6 {
+	if prefix <= 64 {
+		ip.a = (ip.a >> (64 - prefix)) << (64 - prefix)
+		ip.b = 0
+	} else {
+		ip.b = (ip.b >> (128 - prefix)) << (128 - prefix)
+	}
+	return ip
+}
+
+func (m *GeoIPMatcher) Init(cidrs []*CIDR) error {
+	ip4Count := 0
+	ip6Count := 0
+
+	for _, cidr := range cidrs {
+		ip := cidr.Ip
+		switch len(ip) {
+		case 4:
+			ip4Count++
+		case 16:
+			ip6Count++
+		default:
+			return fmt.Errorf("unexpect ip length: %d", len(ip))
+		}
+	}
+
+	cidrList := CIDRList(cidrs)
+	sort.Sort(&cidrList)
+
+	m.ip4 = make([]uint32, 0, ip4Count)
+	m.prefix4 = make([]uint8, 0, ip4Count)
+	m.ip6 = make([]ipv6, 0, ip6Count)
+	m.prefix6 = make([]uint8, 0, ip6Count)
+
+	for _, cidr := range cidrs {
+		ip := cidr.Ip
+		prefix := uint8(cidr.Prefix)
+		switch len(ip) {
+		case 4:
+			m.ip4 = append(m.ip4, normalize4(binary.BigEndian.Uint32(ip), prefix))
+			m.prefix4 = append(m.prefix4, prefix)
+		case 16:
+			ip6 := ipv6{
+				a: binary.BigEndian.Uint64(ip[0:8]),
+				b: binary.BigEndian.Uint64(ip[8:16]),
+			}
+			ip6 = normalize6(ip6, prefix)
+
+			m.ip6 = append(m.ip6, ip6)
+			m.prefix6 = append(m.prefix6, prefix)
+		}
+	}
+
+	return nil
+}
+
+func (m *GeoIPMatcher) SetReverseMatch(isReverseMatch bool) {
+	m.reverseMatch = isReverseMatch
+}
+
+func (m *GeoIPMatcher) match4(ip uint32) bool {
+	if len(m.ip4) == 0 {
+		return false
+	}
+
+	if ip < m.ip4[0] {
+		return false
+	}
+
+	size := uint32(len(m.ip4))
+	l := uint32(0)
+	r := size
+	for l < r {
+		x := ((l + r) >> 1)
+		if ip < m.ip4[x] {
+			r = x
+			continue
+		}
+
+		nip := normalize4(ip, m.prefix4[x])
+		if nip == m.ip4[x] {
+			return true
+		}
+
+		l = x + 1
+	}
+
+	return l > 0 && normalize4(ip, m.prefix4[l-1]) == m.ip4[l-1]
+}
+
+func less6(a ipv6, b ipv6) bool {
+	return a.a < b.a || (a.a == b.a && a.b < b.b)
+}
+
+func (m *GeoIPMatcher) match6(ip ipv6) bool {
+	if len(m.ip6) == 0 {
+		return false
+	}
+
+	if less6(ip, m.ip6[0]) {
+		return false
+	}
+
+	size := uint32(len(m.ip6))
+	l := uint32(0)
+	r := size
+	for l < r {
+		x := (l + r) / 2
+		if less6(ip, m.ip6[x]) {
+			r = x
+			continue
+		}
+
+		if normalize6(ip, m.prefix6[x]) == m.ip6[x] {
+			return true
+		}
+
+		l = x + 1
+	}
+
+	return l > 0 && normalize6(ip, m.prefix6[l-1]) == m.ip6[l-1]
+}
+
+// Match returns true if the given ip is included by the GeoIP.
+func (m *GeoIPMatcher) Match(ip net.IP) bool {
+	switch len(ip) {
+	case 4:
+		if m.reverseMatch {
+			return !m.match4(binary.BigEndian.Uint32(ip))
+		}
+		return m.match4(binary.BigEndian.Uint32(ip))
+	case 16:
+		if m.reverseMatch {
+			return !m.match6(ipv6{
+				a: binary.BigEndian.Uint64(ip[0:8]),
+				b: binary.BigEndian.Uint64(ip[8:16]),
+			})
+		}
+		return m.match6(ipv6{
+			a: binary.BigEndian.Uint64(ip[0:8]),
+			b: binary.BigEndian.Uint64(ip[8:16]),
+		})
+	default:
+		return false
+	}
+}
+
+// GeoIPMatcherContainer is a container for GeoIPMatchers. It keeps unique copies of GeoIPMatcher by country code.
+type GeoIPMatcherContainer struct {
+	matchers []*GeoIPMatcher
+}
+
+// Add adds a new GeoIP set into the container.
+// If the country code of GeoIP is not empty, GeoIPMatcherContainer will try to find an existing one, instead of adding a new one.
+func (c *GeoIPMatcherContainer) Add(geoip *GeoIP) (*GeoIPMatcher, error) {
+	if len(geoip.CountryCode) > 0 {
+		for _, m := range c.matchers {
+			if m.countryCode == geoip.CountryCode && m.reverseMatch == geoip.ReverseMatch {
+				return m, nil
+			}
+		}
+	}
+
+	m := &GeoIPMatcher{
+		countryCode:  geoip.CountryCode,
+		reverseMatch: geoip.ReverseMatch,
+	}
+	if err := m.Init(geoip.Cidr); err != nil {
+		return nil, err
+	}
+	if len(geoip.CountryCode) > 0 {
+		c.matchers = append(c.matchers, m)
+	}
+	return m, nil
+}
+
+var globalGeoIPContainer GeoIPMatcherContainer
+
+type MultiGeoIPMatcher struct {
+	matchers []*GeoIPMatcher
+}
+
+func NewGeoIPMatcher(geoip *GeoIP) (*GeoIPMatcher, error) {
+	matcher, err := globalGeoIPContainer.Add(geoip)
+	if err != nil {
+		return nil, err
+	}
+
+	return matcher, nil
+}
+
+func (m *MultiGeoIPMatcher) ApplyIp(ip net.IP) bool {
+
+	for _, matcher := range m.matchers {
+		if matcher.Match(ip) {
+			return true
+		}
+	}
+
+	return false
+}
+
+func NewMultiGeoIPMatcher(geoips []*GeoIP) (*MultiGeoIPMatcher, error) {
+	var matchers []*GeoIPMatcher
+	for _, geoip := range geoips {
+		matcher, err := globalGeoIPContainer.Add(geoip)
+		if err != nil {
+			return nil, err
+		}
+		matchers = append(matchers, matcher)
+	}
+
+	matcher := &MultiGeoIPMatcher{
+		matchers: matchers,
+	}
+
+	return matcher, nil
+}
--- a/component/geodata/router/config.pb.go
+++ b/component/geodata/router/config.pb.go
@ -0,0 +1,725 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.28.0
+// 	protoc        v3.19.1
+// source: component/geodata/router/config.proto
+
+package router
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// Type of domain value.
+type Domain_Type int32
+
+const (
+	// The value is used as is.
+	Domain_Plain Domain_Type = 0
+	// The value is used as a regular expression.
+	Domain_Regex Domain_Type = 1
+	// The value is a root domain.
+	Domain_Domain Domain_Type = 2
+	// The value is a domain.
+	Domain_Full Domain_Type = 3
+)
+
+// Enum value maps for Domain_Type.
+var (
+	Domain_Type_name = map[int32]string{
+		0: "Plain",
+		1: "Regex",
+		2: "Domain",
+		3: "Full",
+	}
+	Domain_Type_value = map[string]int32{
+		"Plain":  0,
+		"Regex":  1,
+		"Domain": 2,
+		"Full":   3,
+	}
+)
+
+func (x Domain_Type) Enum() *Domain_Type {
+	p := new(Domain_Type)
+	*p = x
+	return p
+}
+
+func (x Domain_Type) String() string {
+	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (Domain_Type) Descriptor() protoreflect.EnumDescriptor {
+	return file_component_geodata_router_config_proto_enumTypes[0].Descriptor()
+}
+
+func (Domain_Type) Type() protoreflect.EnumType {
+	return &file_component_geodata_router_config_proto_enumTypes[0]
+}
+
+func (x Domain_Type) Number() protoreflect.EnumNumber {
+	return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use Domain_Type.Descriptor instead.
+func (Domain_Type) EnumDescriptor() ([]byte, []int) {
+	return file_component_geodata_router_config_proto_rawDescGZIP(), []int{0, 0}
+}
+
+// Domain for routing decision.
+type Domain struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// Domain matching type.
+	Type Domain_Type `protobuf:"varint,1,opt,name=type,proto3,enum=clash.component.geodata.router.Domain_Type" json:"type,omitempty"`
+	// Domain value.
+	Value string `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"`
+	// Attributes of this domain. May be used for filtering.
+	Attribute []*Domain_Attribute `protobuf:"bytes,3,rep,name=attribute,proto3" json:"attribute,omitempty"`
+}
+
+func (x *Domain) Reset() {
+	*x = Domain{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_component_geodata_router_config_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Domain) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Domain) ProtoMessage() {}
+
+func (x *Domain) ProtoReflect() protoreflect.Message {
+	mi := &file_component_geodata_router_config_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Domain.ProtoReflect.Descriptor instead.
+func (*Domain) Descriptor() ([]byte, []int) {
+	return file_component_geodata_router_config_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *Domain) GetType() Domain_Type {
+	if x != nil {
+		return x.Type
+	}
+	return Domain_Plain
+}
+
+func (x *Domain) GetValue() string {
+	if x != nil {
+		return x.Value
+	}
+	return ""
+}
+
+func (x *Domain) GetAttribute() []*Domain_Attribute {
+	if x != nil {
+		return x.Attribute
+	}
+	return nil
+}
+
+// IP for routing decision, in CIDR form.
+type CIDR struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// IP address, should be either 4 or 16 bytes.
+	Ip []byte `protobuf:"bytes,1,opt,name=ip,proto3" json:"ip,omitempty"`
+	// Number of leading ones in the network mask.
+	Prefix uint32 `protobuf:"varint,2,opt,name=prefix,proto3" json:"prefix,omitempty"`
+}
+
+func (x *CIDR) Reset() {
+	*x = CIDR{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_component_geodata_router_config_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *CIDR) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*CIDR) ProtoMessage() {}
+
+func (x *CIDR) ProtoReflect() protoreflect.Message {
+	mi := &file_component_geodata_router_config_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use CIDR.ProtoReflect.Descriptor instead.
+func (*CIDR) Descriptor() ([]byte, []int) {
+	return file_component_geodata_router_config_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *CIDR) GetIp() []byte {
+	if x != nil {
+		return x.Ip
+	}
+	return nil
+}
+
+func (x *CIDR) GetPrefix() uint32 {
+	if x != nil {
+		return x.Prefix
+	}
+	return 0
+}
+
+type GeoIP struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	CountryCode  string  `protobuf:"bytes,1,opt,name=country_code,json=countryCode,proto3" json:"country_code,omitempty"`
+	Cidr         []*CIDR `protobuf:"bytes,2,rep,name=cidr,proto3" json:"cidr,omitempty"`
+	ReverseMatch bool    `protobuf:"varint,3,opt,name=reverse_match,json=reverseMatch,proto3" json:"reverse_match,omitempty"`
+}
+
+func (x *GeoIP) Reset() {
+	*x = GeoIP{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_component_geodata_router_config_proto_msgTypes[2]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GeoIP) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GeoIP) ProtoMessage() {}
+
+func (x *GeoIP) ProtoReflect() protoreflect.Message {
+	mi := &file_component_geodata_router_config_proto_msgTypes[2]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GeoIP.ProtoReflect.Descriptor instead.
+func (*GeoIP) Descriptor() ([]byte, []int) {
+	return file_component_geodata_router_config_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *GeoIP) GetCountryCode() string {
+	if x != nil {
+		return x.CountryCode
+	}
+	return ""
+}
+
+func (x *GeoIP) GetCidr() []*CIDR {
+	if x != nil {
+		return x.Cidr
+	}
+	return nil
+}
+
+func (x *GeoIP) GetReverseMatch() bool {
+	if x != nil {
+		return x.ReverseMatch
+	}
+	return false
+}
+
+type GeoIPList struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Entry []*GeoIP `protobuf:"bytes,1,rep,name=entry,proto3" json:"entry,omitempty"`
+}
+
+func (x *GeoIPList) Reset() {
+	*x = GeoIPList{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_component_geodata_router_config_proto_msgTypes[3]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GeoIPList) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GeoIPList) ProtoMessage() {}
+
+func (x *GeoIPList) ProtoReflect() protoreflect.Message {
+	mi := &file_component_geodata_router_config_proto_msgTypes[3]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GeoIPList.ProtoReflect.Descriptor instead.
+func (*GeoIPList) Descriptor() ([]byte, []int) {
+	return file_component_geodata_router_config_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *GeoIPList) GetEntry() []*GeoIP {
+	if x != nil {
+		return x.Entry
+	}
+	return nil
+}
+
+type GeoSite struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	CountryCode string    `protobuf:"bytes,1,opt,name=country_code,json=countryCode,proto3" json:"country_code,omitempty"`
+	Domain      []*Domain `protobuf:"bytes,2,rep,name=domain,proto3" json:"domain,omitempty"`
+}
+
+func (x *GeoSite) Reset() {
+	*x = GeoSite{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_component_geodata_router_config_proto_msgTypes[4]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GeoSite) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GeoSite) ProtoMessage() {}
+
+func (x *GeoSite) ProtoReflect() protoreflect.Message {
+	mi := &file_component_geodata_router_config_proto_msgTypes[4]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GeoSite.ProtoReflect.Descriptor instead.
+func (*GeoSite) Descriptor() ([]byte, []int) {
+	return file_component_geodata_router_config_proto_rawDescGZIP(), []int{4}
+}
+
+func (x *GeoSite) GetCountryCode() string {
+	if x != nil {
+		return x.CountryCode
+	}
+	return ""
+}
+
+func (x *GeoSite) GetDomain() []*Domain {
+	if x != nil {
+		return x.Domain
+	}
+	return nil
+}
+
+type GeoSiteList struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Entry []*GeoSite `protobuf:"bytes,1,rep,name=entry,proto3" json:"entry,omitempty"`
+}
+
+func (x *GeoSiteList) Reset() {
+	*x = GeoSiteList{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_component_geodata_router_config_proto_msgTypes[5]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GeoSiteList) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GeoSiteList) ProtoMessage() {}
+
+func (x *GeoSiteList) ProtoReflect() protoreflect.Message {
+	mi := &file_component_geodata_router_config_proto_msgTypes[5]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GeoSiteList.ProtoReflect.Descriptor instead.
+func (*GeoSiteList) Descriptor() ([]byte, []int) {
+	return file_component_geodata_router_config_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *GeoSiteList) GetEntry() []*GeoSite {
+	if x != nil {
+		return x.Entry
+	}
+	return nil
+}
+
+type Domain_Attribute struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
+	// Types that are assignable to TypedValue:
+	//	*Domain_Attribute_BoolValue
+	//	*Domain_Attribute_IntValue
+	TypedValue isDomain_Attribute_TypedValue `protobuf_oneof:"typed_value"`
+}
+
+func (x *Domain_Attribute) Reset() {
+	*x = Domain_Attribute{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_component_geodata_router_config_proto_msgTypes[6]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Domain_Attribute) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Domain_Attribute) ProtoMessage() {}
+
+func (x *Domain_Attribute) ProtoReflect() protoreflect.Message {
+	mi := &file_component_geodata_router_config_proto_msgTypes[6]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Domain_Attribute.ProtoReflect.Descriptor instead.
+func (*Domain_Attribute) Descriptor() ([]byte, []int) {
+	return file_component_geodata_router_config_proto_rawDescGZIP(), []int{0, 0}
+}
+
+func (x *Domain_Attribute) GetKey() string {
+	if x != nil {
+		return x.Key
+	}
+	return ""
+}
+
+func (m *Domain_Attribute) GetTypedValue() isDomain_Attribute_TypedValue {
+	if m != nil {
+		return m.TypedValue
+	}
+	return nil
+}
+
+func (x *Domain_Attribute) GetBoolValue() bool {
+	if x, ok := x.GetTypedValue().(*Domain_Attribute_BoolValue); ok {
+		return x.BoolValue
+	}
+	return false
+}
+
+func (x *Domain_Attribute) GetIntValue() int64 {
+	if x, ok := x.GetTypedValue().(*Domain_Attribute_IntValue); ok {
+		return x.IntValue
+	}
+	return 0
+}
+
+type isDomain_Attribute_TypedValue interface {
+	isDomain_Attribute_TypedValue()
+}
+
+type Domain_Attribute_BoolValue struct {
+	BoolValue bool `protobuf:"varint,2,opt,name=bool_value,json=boolValue,proto3,oneof"`
+}
+
+type Domain_Attribute_IntValue struct {
+	IntValue int64 `protobuf:"varint,3,opt,name=int_value,json=intValue,proto3,oneof"`
+}
+
+func (*Domain_Attribute_BoolValue) isDomain_Attribute_TypedValue() {}
+
+func (*Domain_Attribute_IntValue) isDomain_Attribute_TypedValue() {}
+
+var File_component_geodata_router_config_proto protoreflect.FileDescriptor
+
+var file_component_geodata_router_config_proto_rawDesc = []byte{
+	0x0a, 0x25, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x2f, 0x67, 0x65, 0x6f, 0x64,
+	0x61, 0x74, 0x61, 0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69,
+	0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1e, 0x63, 0x6c, 0x61, 0x73, 0x68, 0x2e, 0x63,
+	0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x2e, 0x67, 0x65, 0x6f, 0x64, 0x61, 0x74, 0x61,
+	0x2e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x22, 0xd1, 0x02, 0x0a, 0x06, 0x44, 0x6f, 0x6d, 0x61,
+	0x69, 0x6e, 0x12, 0x3f, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e,
+	0x32, 0x2b, 0x2e, 0x63, 0x6c, 0x61, 0x73, 0x68, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65,
+	0x6e, 0x74, 0x2e, 0x67, 0x65, 0x6f, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x72, 0x6f, 0x75, 0x74, 0x65,
+	0x72, 0x2e, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x2e, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74,
+	0x79, 0x70, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x4e, 0x0a, 0x09, 0x61, 0x74, 0x74,
+	0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x63,
+	0x6c, 0x61, 0x73, 0x68, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x2e, 0x67,
+	0x65, 0x6f, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x2e, 0x44, 0x6f,
+	0x6d, 0x61, 0x69, 0x6e, 0x2e, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x52, 0x09,
+	0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x1a, 0x6c, 0x0a, 0x09, 0x41, 0x74, 0x74,
+	0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x1f, 0x0a, 0x0a, 0x62, 0x6f, 0x6f, 0x6c,
+	0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x48, 0x00, 0x52, 0x09,
+	0x62, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x1d, 0x0a, 0x09, 0x69, 0x6e, 0x74,
+	0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x48, 0x00, 0x52, 0x08,
+	0x69, 0x6e, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x42, 0x0d, 0x0a, 0x0b, 0x74, 0x79, 0x70, 0x65,
+	0x64, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x32, 0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12,
+	0x09, 0x0a, 0x05, 0x50, 0x6c, 0x61, 0x69, 0x6e, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x52, 0x65,
+	0x67, 0x65, 0x78, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x10,
+	0x02, 0x12, 0x08, 0x0a, 0x04, 0x46, 0x75, 0x6c, 0x6c, 0x10, 0x03, 0x22, 0x2e, 0x0a, 0x04, 0x43,
+	0x49, 0x44, 0x52, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x70, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52,
+	0x02, 0x69, 0x70, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, 0x20,
+	0x01, 0x28, 0x0d, 0x52, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x22, 0x89, 0x01, 0x0a, 0x05,
+	0x47, 0x65, 0x6f, 0x49, 0x50, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x72, 0x79,
+	0x5f, 0x63, 0x6f, 0x64, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x6f, 0x75,
+	0x6e, 0x74, 0x72, 0x79, 0x43, 0x6f, 0x64, 0x65, 0x12, 0x38, 0x0a, 0x04, 0x63, 0x69, 0x64, 0x72,
+	0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x63, 0x6c, 0x61, 0x73, 0x68, 0x2e, 0x63,
+	0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x2e, 0x67, 0x65, 0x6f, 0x64, 0x61, 0x74, 0x61,
+	0x2e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x2e, 0x43, 0x49, 0x44, 0x52, 0x52, 0x04, 0x63, 0x69,
+	0x64, 0x72, 0x12, 0x23, 0x0a, 0x0d, 0x72, 0x65, 0x76, 0x65, 0x72, 0x73, 0x65, 0x5f, 0x6d, 0x61,
+	0x74, 0x63, 0x68, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0c, 0x72, 0x65, 0x76, 0x65, 0x72,
+	0x73, 0x65, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x22, 0x48, 0x0a, 0x09, 0x47, 0x65, 0x6f, 0x49, 0x50,
+	0x4c, 0x69, 0x73, 0x74, 0x12, 0x3b, 0x0a, 0x05, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x18, 0x01, 0x20,
+	0x03, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x63, 0x6c, 0x61, 0x73, 0x68, 0x2e, 0x63, 0x6f, 0x6d, 0x70,
+	0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x2e, 0x67, 0x65, 0x6f, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x72, 0x6f,
+	0x75, 0x74, 0x65, 0x72, 0x2e, 0x47, 0x65, 0x6f, 0x49, 0x50, 0x52, 0x05, 0x65, 0x6e, 0x74, 0x72,
+	0x79, 0x22, 0x6c, 0x0a, 0x07, 0x47, 0x65, 0x6f, 0x53, 0x69, 0x74, 0x65, 0x12, 0x21, 0x0a, 0x0c,
+	0x63, 0x6f, 0x75, 0x6e, 0x74, 0x72, 0x79, 0x5f, 0x63, 0x6f, 0x64, 0x65, 0x18, 0x01, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x0b, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x72, 0x79, 0x43, 0x6f, 0x64, 0x65, 0x12,
+	0x3e, 0x0a, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32,
+	0x26, 0x2e, 0x63, 0x6c, 0x61, 0x73, 0x68, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e,
+	0x74, 0x2e, 0x67, 0x65, 0x6f, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72,
+	0x2e, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x22,
+	0x4c, 0x0a, 0x0b, 0x47, 0x65, 0x6f, 0x53, 0x69, 0x74, 0x65, 0x4c, 0x69, 0x73, 0x74, 0x12, 0x3d,
+	0x0a, 0x05, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x27, 0x2e,
+	0x63, 0x6c, 0x61, 0x73, 0x68, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x2e,
+	0x67, 0x65, 0x6f, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x2e, 0x47,
+	0x65, 0x6f, 0x53, 0x69, 0x74, 0x65, 0x52, 0x05, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x42, 0x7c, 0x0a,
+	0x22, 0x63, 0x6f, 0x6d, 0x2e, 0x63, 0x6c, 0x61, 0x73, 0x68, 0x2e, 0x63, 0x6f, 0x6d, 0x70, 0x6f,
+	0x6e, 0x65, 0x6e, 0x74, 0x2e, 0x67, 0x65, 0x6f, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x72, 0x6f, 0x75,
+	0x74, 0x65, 0x72, 0x50, 0x01, 0x5a, 0x33, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f,
+	0x6d, 0x2f, 0x44, 0x72, 0x65, 0x61, 0x6d, 0x61, 0x63, 0x72, 0x6f, 0x2f, 0x63, 0x6c, 0x61, 0x73,
+	0x68, 0x2f, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x2f, 0x67, 0x65, 0x6f, 0x64,
+	0x61, 0x74, 0x61, 0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72, 0xaa, 0x02, 0x1e, 0x43, 0x6c, 0x61,
+	0x73, 0x68, 0x2e, 0x43, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x2e, 0x47, 0x65, 0x6f,
+	0x64, 0x61, 0x74, 0x61, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x62, 0x06, 0x70, 0x72, 0x6f,
+	0x74, 0x6f, 0x33,
+}
+
+var (
+	file_component_geodata_router_config_proto_rawDescOnce sync.Once
+	file_component_geodata_router_config_proto_rawDescData = file_component_geodata_router_config_proto_rawDesc
+)
+
+func file_component_geodata_router_config_proto_rawDescGZIP() []byte {
+	file_component_geodata_router_config_proto_rawDescOnce.Do(func() {
+		file_component_geodata_router_config_proto_rawDescData = protoimpl.X.CompressGZIP(file_component_geodata_router_config_proto_rawDescData)
+	})
+	return file_component_geodata_router_config_proto_rawDescData
+}
+
+var file_component_geodata_router_config_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
+var file_component_geodata_router_config_proto_msgTypes = make([]protoimpl.MessageInfo, 7)
+var file_component_geodata_router_config_proto_goTypes = []interface{}{
+	(Domain_Type)(0),         // 0: clash.component.geodata.router.Domain.Type
+	(*Domain)(nil),           // 1: clash.component.geodata.router.Domain
+	(*CIDR)(nil),             // 2: clash.component.geodata.router.CIDR
+	(*GeoIP)(nil),            // 3: clash.component.geodata.router.GeoIP
+	(*GeoIPList)(nil),        // 4: clash.component.geodata.router.GeoIPList
+	(*GeoSite)(nil),          // 5: clash.component.geodata.router.GeoSite
+	(*GeoSiteList)(nil),      // 6: clash.component.geodata.router.GeoSiteList
+	(*Domain_Attribute)(nil), // 7: clash.component.geodata.router.Domain.Attribute
+}
+var file_component_geodata_router_config_proto_depIdxs = []int32{
+	0, // 0: clash.component.geodata.router.Domain.type:type_name -> clash.component.geodata.router.Domain.Type
+	7, // 1: clash.component.geodata.router.Domain.attribute:type_name -> clash.component.geodata.router.Domain.Attribute
+	2, // 2: clash.component.geodata.router.GeoIP.cidr:type_name -> clash.component.geodata.router.CIDR
+	3, // 3: clash.component.geodata.router.GeoIPList.entry:type_name -> clash.component.geodata.router.GeoIP
+	1, // 4: clash.component.geodata.router.GeoSite.domain:type_name -> clash.component.geodata.router.Domain
+	5, // 5: clash.component.geodata.router.GeoSiteList.entry:type_name -> clash.component.geodata.router.GeoSite
+	6, // [6:6] is the sub-list for method output_type
+	6, // [6:6] is the sub-list for method input_type
+	6, // [6:6] is the sub-list for extension type_name
+	6, // [6:6] is the sub-list for extension extendee
+	0, // [0:6] is the sub-list for field type_name
+}
+
+func init() { file_component_geodata_router_config_proto_init() }
+func file_component_geodata_router_config_proto_init() {
+	if File_component_geodata_router_config_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_component_geodata_router_config_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Domain); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_component_geodata_router_config_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*CIDR); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_component_geodata_router_config_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GeoIP); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_component_geodata_router_config_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GeoIPList); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_component_geodata_router_config_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GeoSite); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_component_geodata_router_config_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GeoSiteList); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_component_geodata_router_config_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Domain_Attribute); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	file_component_geodata_router_config_proto_msgTypes[6].OneofWrappers = []interface{}{
+		(*Domain_Attribute_BoolValue)(nil),
+		(*Domain_Attribute_IntValue)(nil),
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_component_geodata_router_config_proto_rawDesc,
+			NumEnums:      1,
+			NumMessages:   7,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_component_geodata_router_config_proto_goTypes,
+		DependencyIndexes: file_component_geodata_router_config_proto_depIdxs,
+		EnumInfos:         file_component_geodata_router_config_proto_enumTypes,
+		MessageInfos:      file_component_geodata_router_config_proto_msgTypes,
+	}.Build()
+	File_component_geodata_router_config_proto = out.File
+	file_component_geodata_router_config_proto_rawDesc = nil
+	file_component_geodata_router_config_proto_goTypes = nil
+	file_component_geodata_router_config_proto_depIdxs = nil
+}
--- a/component/geodata/router/config.proto
+++ b/component/geodata/router/config.proto
@ -0,0 +1,68 @@
+syntax = "proto3";
+
+package clash.component.geodata.router;
+option csharp_namespace = "Clash.Component.Geodata.Router";
+option go_package = "github.com/Dreamacro/clash/component/geodata/router";
+option java_package = "com.clash.component.geodata.router";
+option java_multiple_files = true;
+
+// Domain for routing decision.
+message Domain {
+  // Type of domain value.
+  enum Type {
+    // The value is used as is.
+    Plain = 0;
+    // The value is used as a regular expression.
+    Regex = 1;
+    // The value is a root domain.
+    Domain = 2;
+    // The value is a domain.
+    Full = 3;
+  }
+
+  // Domain matching type.
+  Type type = 1;
+
+  // Domain value.
+  string value = 2;
+
+  message Attribute {
+    string key = 1;
+
+    oneof typed_value {
+      bool bool_value = 2;
+      int64 int_value = 3;
+    }
+  }
+
+  // Attributes of this domain. May be used for filtering.
+  repeated Attribute attribute = 3;
+}
+
+// IP for routing decision, in CIDR form.
+message CIDR {
+  // IP address, should be either 4 or 16 bytes.
+  bytes ip = 1;
+
+  // Number of leading ones in the network mask.
+  uint32 prefix = 2;
+}
+
+message GeoIP {
+  string country_code = 1;
+  repeated CIDR cidr = 2;
+  bool reverse_match = 3;
+}
+
+message GeoIPList {
+  repeated GeoIP entry = 1;
+}
+
+message GeoSite {
+  string country_code = 1;
+  repeated Domain domain = 2;
+}
+
+message GeoSiteList {
+  repeated GeoSite entry = 1;
+}
--- a/component/geodata/standard/standard.go
+++ b/component/geodata/standard/standard.go
@ -0,0 +1,84 @@
+package standard
+
+import (
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	"github.com/Dreamacro/clash/component/geodata"
+	"github.com/Dreamacro/clash/component/geodata/router"
+	C "github.com/Dreamacro/clash/constant"
+
+	"google.golang.org/protobuf/proto"
+)
+
+func ReadFile(path string) ([]byte, error) {
+	reader, err := os.Open(path)
+	if err != nil {
+		return nil, err
+	}
+	defer func(reader *os.File) {
+		_ = reader.Close()
+	}(reader)
+
+	return io.ReadAll(reader)
+}
+
+func ReadAsset(file string) ([]byte, error) {
+	return ReadFile(C.Path.GetAssetLocation(file))
+}
+
+func loadIP(filename, country string) ([]*router.CIDR, error) {
+	geoipBytes, err := ReadAsset(filename)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open file: %s, base error: %s", filename, err.Error())
+	}
+	var geoipList router.GeoIPList
+	if err := proto.Unmarshal(geoipBytes, &geoipList); err != nil {
+		return nil, err
+	}
+
+	for _, geoip := range geoipList.Entry {
+		if strings.EqualFold(geoip.CountryCode, country) {
+			return geoip.Cidr, nil
+		}
+	}
+
+	return nil, fmt.Errorf("country not found in %s%s%s", filename, ": ", country)
+}
+
+func loadSite(filename, list string) ([]*router.Domain, error) {
+	geositeBytes, err := ReadAsset(filename)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open file: %s, base error: %s", filename, err.Error())
+	}
+	var geositeList router.GeoSiteList
+	if err := proto.Unmarshal(geositeBytes, &geositeList); err != nil {
+		return nil, err
+	}
+
+	for _, site := range geositeList.Entry {
+		if strings.EqualFold(site.CountryCode, list) {
+			return site.Domain, nil
+		}
+	}
+
+	return nil, fmt.Errorf("list not found in %s%s%s", filename, ": ", list)
+}
+
+type standardLoader struct{}
+
+func (d standardLoader) LoadSite(filename, list string) ([]*router.Domain, error) {
+	return loadSite(filename, list)
+}
+
+func (d standardLoader) LoadIP(filename, country string) ([]*router.CIDR, error) {
+	return loadIP(filename, country)
+}
+
+func init() {
+	geodata.RegisterGeoDataLoaderImplementationCreator("standard", func() geodata.LoaderImplementation {
+		return standardLoader{}
+	})
+}
--- a/component/geodata/strmatcher/ac_automaton_matcher.go
+++ b/component/geodata/strmatcher/ac_automaton_matcher.go
@ -0,0 +1,241 @@
+package strmatcher
+
+import (
+	"container/list"
+)
+
+const validCharCount = 53
+
+type MatchType struct {
+	matchType Type
+	exist     bool
+}
+
+const (
+	TrieEdge bool = true
+	FailEdge bool = false
+)
+
+type Edge struct {
+	edgeType bool
+	nextNode int
+}
+
+type ACAutomaton struct {
+	trie   [][validCharCount]Edge
+	fail   []int
+	exists []MatchType
+	count  int
+}
+
+func newNode() [validCharCount]Edge {
+	var s [validCharCount]Edge
+	for i := range s {
+		s[i] = Edge{
+			edgeType: FailEdge,
+			nextNode: 0,
+		}
+	}
+	return s
+}
+
+var char2Index = []int{
+	'A':  0,
+	'a':  0,
+	'B':  1,
+	'b':  1,
+	'C':  2,
+	'c':  2,
+	'D':  3,
+	'd':  3,
+	'E':  4,
+	'e':  4,
+	'F':  5,
+	'f':  5,
+	'G':  6,
+	'g':  6,
+	'H':  7,
+	'h':  7,
+	'I':  8,
+	'i':  8,
+	'J':  9,
+	'j':  9,
+	'K':  10,
+	'k':  10,
+	'L':  11,
+	'l':  11,
+	'M':  12,
+	'm':  12,
+	'N':  13,
+	'n':  13,
+	'O':  14,
+	'o':  14,
+	'P':  15,
+	'p':  15,
+	'Q':  16,
+	'q':  16,
+	'R':  17,
+	'r':  17,
+	'S':  18,
+	's':  18,
+	'T':  19,
+	't':  19,
+	'U':  20,
+	'u':  20,
+	'V':  21,
+	'v':  21,
+	'W':  22,
+	'w':  22,
+	'X':  23,
+	'x':  23,
+	'Y':  24,
+	'y':  24,
+	'Z':  25,
+	'z':  25,
+	'!':  26,
+	'$':  27,
+	'&':  28,
+	'\'': 29,
+	'(':  30,
+	')':  31,
+	'*':  32,
+	'+':  33,
+	',':  34,
+	';':  35,
+	'=':  36,
+	':':  37,
+	'%':  38,
+	'-':  39,
+	'.':  40,
+	'_':  41,
+	'~':  42,
+	'0':  43,
+	'1':  44,
+	'2':  45,
+	'3':  46,
+	'4':  47,
+	'5':  48,
+	'6':  49,
+	'7':  50,
+	'8':  51,
+	'9':  52,
+}
+
+func NewACAutomaton() *ACAutomaton {
+	ac := new(ACAutomaton)
+	ac.trie = append(ac.trie, newNode())
+	ac.fail = append(ac.fail, 0)
+	ac.exists = append(ac.exists, MatchType{
+		matchType: Full,
+		exist:     false,
+	})
+	return ac
+}
+
+func (ac *ACAutomaton) Add(domain string, t Type) {
+	node := 0
+	for i := len(domain) - 1; i >= 0; i-- {
+		idx := char2Index[domain[i]]
+		if ac.trie[node][idx].nextNode == 0 {
+			ac.count++
+			if len(ac.trie) < ac.count+1 {
+				ac.trie = append(ac.trie, newNode())
+				ac.fail = append(ac.fail, 0)
+				ac.exists = append(ac.exists, MatchType{
+					matchType: Full,
+					exist:     false,
+				})
+			}
+			ac.trie[node][idx] = Edge{
+				edgeType: TrieEdge,
+				nextNode: ac.count,
+			}
+		}
+		node = ac.trie[node][idx].nextNode
+	}
+	ac.exists[node] = MatchType{
+		matchType: t,
+		exist:     true,
+	}
+	switch t {
+	case Domain:
+		ac.exists[node] = MatchType{
+			matchType: Full,
+			exist:     true,
+		}
+		idx := char2Index['.']
+		if ac.trie[node][idx].nextNode == 0 {
+			ac.count++
+			if len(ac.trie) < ac.count+1 {
+				ac.trie = append(ac.trie, newNode())
+				ac.fail = append(ac.fail, 0)
+				ac.exists = append(ac.exists, MatchType{
+					matchType: Full,
+					exist:     false,
+				})
+			}
+			ac.trie[node][idx] = Edge{
+				edgeType: TrieEdge,
+				nextNode: ac.count,
+			}
+		}
+		node = ac.trie[node][idx].nextNode
+		ac.exists[node] = MatchType{
+			matchType: t,
+			exist:     true,
+		}
+	default:
+		break
+	}
+}
+
+func (ac *ACAutomaton) Build() {
+	queue := list.New()
+	for i := 0; i < validCharCount; i++ {
+		if ac.trie[0][i].nextNode != 0 {
+			queue.PushBack(ac.trie[0][i])
+		}
+	}
+	for {
+		front := queue.Front()
+		if front == nil {
+			break
+		} else {
+			node := front.Value.(Edge).nextNode
+			queue.Remove(front)
+			for i := 0; i < validCharCount; i++ {
+				if ac.trie[node][i].nextNode != 0 {
+					ac.fail[ac.trie[node][i].nextNode] = ac.trie[ac.fail[node]][i].nextNode
+					queue.PushBack(ac.trie[node][i])
+				} else {
+					ac.trie[node][i] = Edge{
+						edgeType: FailEdge,
+						nextNode: ac.trie[ac.fail[node]][i].nextNode,
+					}
+				}
+			}
+		}
+	}
+}
+
+func (ac *ACAutomaton) Match(s string) bool {
+	node := 0
+	fullMatch := true
+	// 1. the match string is all through trie edge. FULL MATCH or DOMAIN
+	// 2. the match string is through a fail edge. NOT FULL MATCH
+	// 2.1 Through a fail edge, but there exists a valid node. SUBSTR
+	for i := len(s) - 1; i >= 0; i-- {
+		idx := char2Index[s[i]]
+		fullMatch = fullMatch && ac.trie[node][idx].edgeType
+		node = ac.trie[node][idx].nextNode
+		switch ac.exists[node].matchType {
+		case Substr:
+			return true
+		case Domain:
+			if fullMatch {
+				return true
+			}
+		}
+	}
+	return fullMatch && ac.exists[node].exist
+}
--- a/component/geodata/strmatcher/domain_matcher.go
+++ b/component/geodata/strmatcher/domain_matcher.go
@ -0,0 +1,98 @@
+package strmatcher
+
+import "strings"
+
+func breakDomain(domain string) []string {
+	return strings.Split(domain, ".")
+}
+
+type node struct {
+	values []uint32
+	sub    map[string]*node
+}
+
+// DomainMatcherGroup is a IndexMatcher for a large set of Domain matchers.
+// Visible for testing only.
+type DomainMatcherGroup struct {
+	root *node
+}
+
+func (g *DomainMatcherGroup) Add(domain string, value uint32) {
+	if g.root == nil {
+		g.root = new(node)
+	}
+
+	current := g.root
+	parts := breakDomain(domain)
+	for i := len(parts) - 1; i >= 0; i-- {
+		part := parts[i]
+		if current.sub == nil {
+			current.sub = make(map[string]*node)
+		}
+		next := current.sub[part]
+		if next == nil {
+			next = new(node)
+			current.sub[part] = next
+		}
+		current = next
+	}
+
+	current.values = append(current.values, value)
+}
+
+func (g *DomainMatcherGroup) addMatcher(m domainMatcher, value uint32) {
+	g.Add(string(m), value)
+}
+
+func (g *DomainMatcherGroup) Match(domain string) []uint32 {
+	if domain == "" {
+		return nil
+	}
+
+	current := g.root
+	if current == nil {
+		return nil
+	}
+
+	nextPart := func(idx int) int {
+		for i := idx - 1; i >= 0; i-- {
+			if domain[i] == '.' {
+				return i
+			}
+		}
+		return -1
+	}
+
+	matches := [][]uint32{}
+	idx := len(domain)
+	for {
+		if idx == -1 || current.sub == nil {
+			break
+		}
+
+		nidx := nextPart(idx)
+		part := domain[nidx+1 : idx]
+		next := current.sub[part]
+		if next == nil {
+			break
+		}
+		current = next
+		idx = nidx
+		if len(current.values) > 0 {
+			matches = append(matches, current.values)
+		}
+	}
+	switch len(matches) {
+	case 0:
+		return nil
+	case 1:
+		return matches[0]
+	default:
+		result := []uint32{}
+		for idx := range matches {
+			// Insert reversely, the subdomain that matches further ranks higher
+			result = append(result, matches[len(matches)-1-idx]...)
+		}
+		return result
+	}
+}
--- a/component/geodata/strmatcher/full_matcher.go
+++ b/component/geodata/strmatcher/full_matcher.go
@ -0,0 +1,25 @@
+package strmatcher
+
+type FullMatcherGroup struct {
+	matchers map[string][]uint32
+}
+
+func (g *FullMatcherGroup) Add(domain string, value uint32) {
+	if g.matchers == nil {
+		g.matchers = make(map[string][]uint32)
+	}
+
+	g.matchers[domain] = append(g.matchers[domain], value)
+}
+
+func (g *FullMatcherGroup) addMatcher(m fullMatcher, value uint32) {
+	g.Add(string(m), value)
+}
+
+func (g *FullMatcherGroup) Match(str string) []uint32 {
+	if g.matchers == nil {
+		return nil
+	}
+
+	return g.matchers[str]
+}
--- a/component/geodata/strmatcher/matchers.go
+++ b/component/geodata/strmatcher/matchers.go
@ -0,0 +1,52 @@
+package strmatcher
+
+import (
+	"regexp"
+	"strings"
+)
+
+type fullMatcher string
+
+func (m fullMatcher) Match(s string) bool {
+	return string(m) == s
+}
+
+func (m fullMatcher) String() string {
+	return "full:" + string(m)
+}
+
+type substrMatcher string
+
+func (m substrMatcher) Match(s string) bool {
+	return strings.Contains(s, string(m))
+}
+
+func (m substrMatcher) String() string {
+	return "keyword:" + string(m)
+}
+
+type domainMatcher string
+
+func (m domainMatcher) Match(s string) bool {
+	pattern := string(m)
+	if !strings.HasSuffix(s, pattern) {
+		return false
+	}
+	return len(s) == len(pattern) || s[len(s)-len(pattern)-1] == '.'
+}
+
+func (m domainMatcher) String() string {
+	return "domain:" + string(m)
+}
+
+type regexMatcher struct {
+	pattern *regexp.Regexp
+}
+
+func (m *regexMatcher) Match(s string) bool {
+	return m.pattern.MatchString(s)
+}
+
+func (m *regexMatcher) String() string {
+	return "regexp:" + m.pattern.String()
+}
--- a/component/geodata/strmatcher/mph_matcher.go
+++ b/component/geodata/strmatcher/mph_matcher.go
@ -0,0 +1,304 @@
+package strmatcher
+
+import (
+	"math/bits"
+	"regexp"
+	"sort"
+	"strings"
+	"unsafe"
+)
+
+// PrimeRK is the prime base used in Rabin-Karp algorithm.
+const PrimeRK = 16777619
+
+// calculate the rolling murmurHash of given string
+func RollingHash(s string) uint32 {
+	h := uint32(0)
+	for i := len(s) - 1; i >= 0; i-- {
+		h = h*PrimeRK + uint32(s[i])
+	}
+	return h
+}
+
+// A MphMatcherGroup is divided into three parts:
+// 1. `full` and `domain` patterns are matched by Rabin-Karp algorithm and minimal perfect hash table;
+// 2. `substr` patterns are matched by ac automaton;
+// 3. `regex` patterns are matched with the regex library.
+type MphMatcherGroup struct {
+	ac            *ACAutomaton
+	otherMatchers []matcherEntry
+	rules         []string
+	level0        []uint32
+	level0Mask    int
+	level1        []uint32
+	level1Mask    int
+	count         uint32
+	ruleMap       *map[string]uint32
+}
+
+func (g *MphMatcherGroup) AddFullOrDomainPattern(pattern string, t Type) {
+	h := RollingHash(pattern)
+	switch t {
+	case Domain:
+		(*g.ruleMap)["."+pattern] = h*PrimeRK + uint32('.')
+		fallthrough
+	case Full:
+		(*g.ruleMap)[pattern] = h
+	default:
+	}
+}
+
+func NewMphMatcherGroup() *MphMatcherGroup {
+	return &MphMatcherGroup{
+		ac:            nil,
+		otherMatchers: nil,
+		rules:         nil,
+		level0:        nil,
+		level0Mask:    0,
+		level1:        nil,
+		level1Mask:    0,
+		count:         1,
+		ruleMap:       &map[string]uint32{},
+	}
+}
+
+// AddPattern adds a pattern to MphMatcherGroup
+func (g *MphMatcherGroup) AddPattern(pattern string, t Type) (uint32, error) {
+	switch t {
+	case Substr:
+		if g.ac == nil {
+			g.ac = NewACAutomaton()
+		}
+		g.ac.Add(pattern, t)
+	case Full, Domain:
+		pattern = strings.ToLower(pattern)
+		g.AddFullOrDomainPattern(pattern, t)
+	case Regex:
+		r, err := regexp.Compile(pattern)
+		if err != nil {
+			return 0, err
+		}
+		g.otherMatchers = append(g.otherMatchers, matcherEntry{
+			m:  &regexMatcher{pattern: r},
+			id: g.count,
+		})
+	default:
+		panic("Unknown type")
+	}
+	return g.count, nil
+}
+
+// Build builds a minimal perfect hash table and ac automaton from insert rules
+func (g *MphMatcherGroup) Build() {
+	if g.ac != nil {
+		g.ac.Build()
+	}
+	keyLen := len(*g.ruleMap)
+	if keyLen == 0 {
+		keyLen = 1
+		(*g.ruleMap)["empty___"] = RollingHash("empty___")
+	}
+	g.level0 = make([]uint32, nextPow2(keyLen/4))
+	g.level0Mask = len(g.level0) - 1
+	g.level1 = make([]uint32, nextPow2(keyLen))
+	g.level1Mask = len(g.level1) - 1
+	sparseBuckets := make([][]int, len(g.level0))
+	var ruleIdx int
+	for rule, hash := range *g.ruleMap {
+		n := int(hash) & g.level0Mask
+		g.rules = append(g.rules, rule)
+		sparseBuckets[n] = append(sparseBuckets[n], ruleIdx)
+		ruleIdx++
+	}
+	g.ruleMap = nil
+	var buckets []indexBucket
+	for n, vals := range sparseBuckets {
+		if len(vals) > 0 {
+			buckets = append(buckets, indexBucket{n, vals})
+		}
+	}
+	sort.Sort(bySize(buckets))
+
+	occ := make([]bool, len(g.level1))
+	var tmpOcc []int
+	for _, bucket := range buckets {
+		seed := uint32(0)
+		for {
+			findSeed := true
+			tmpOcc = tmpOcc[:0]
+			for _, i := range bucket.vals {
+				n := int(strhashFallback(unsafe.Pointer(&g.rules[i]), uintptr(seed))) & g.level1Mask
+				if occ[n] {
+					for _, n := range tmpOcc {
+						occ[n] = false
+					}
+					seed++
+					findSeed = false
+					break
+				}
+				occ[n] = true
+				tmpOcc = append(tmpOcc, n)
+				g.level1[n] = uint32(i)
+			}
+			if findSeed {
+				g.level0[bucket.n] = seed
+				break
+			}
+		}
+	}
+}
+
+func nextPow2(v int) int {
+	if v <= 1 {
+		return 1
+	}
+	const MaxUInt = ^uint(0)
+	n := (MaxUInt >> bits.LeadingZeros(uint(v))) + 1
+	return int(n)
+}
+
+// Lookup searches for s in t and returns its index and whether it was found.
+func (g *MphMatcherGroup) Lookup(h uint32, s string) bool {
+	i0 := int(h) & g.level0Mask
+	seed := g.level0[i0]
+	i1 := int(strhashFallback(unsafe.Pointer(&s), uintptr(seed))) & g.level1Mask
+	n := g.level1[i1]
+	return s == g.rules[int(n)]
+}
+
+// Match implements IndexMatcher.Match.
+func (g *MphMatcherGroup) Match(pattern string) []uint32 {
+	result := []uint32{}
+	hash := uint32(0)
+	for i := len(pattern) - 1; i >= 0; i-- {
+		hash = hash*PrimeRK + uint32(pattern[i])
+		if pattern[i] == '.' {
+			if g.Lookup(hash, pattern[i:]) {
+				result = append(result, 1)
+				return result
+			}
+		}
+	}
+	if g.Lookup(hash, pattern) {
+		result = append(result, 1)
+		return result
+	}
+	if g.ac != nil && g.ac.Match(pattern) {
+		result = append(result, 1)
+		return result
+	}
+	for _, e := range g.otherMatchers {
+		if e.m.Match(pattern) {
+			result = append(result, e.id)
+			return result
+		}
+	}
+	return nil
+}
+
+type indexBucket struct {
+	n    int
+	vals []int
+}
+
+type bySize []indexBucket
+
+func (s bySize) Len() int           { return len(s) }
+func (s bySize) Less(i, j int) bool { return len(s[i].vals) > len(s[j].vals) }
+func (s bySize) Swap(i, j int)      { s[i], s[j] = s[j], s[i] }
+
+type stringStruct struct {
+	str unsafe.Pointer
+	len int
+}
+
+func strhashFallback(a unsafe.Pointer, h uintptr) uintptr {
+	x := (*stringStruct)(a)
+	return memhashFallback(x.str, h, uintptr(x.len))
+}
+
+const (
+	// Constants for multiplication: four random odd 64-bit numbers.
+	m1 = 16877499708836156737
+	m2 = 2820277070424839065
+	m3 = 9497967016996688599
+	m4 = 15839092249703872147
+)
+
+var hashkey = [4]uintptr{1, 1, 1, 1}
+
+func memhashFallback(p unsafe.Pointer, seed, s uintptr) uintptr {
+	h := uint64(seed + s*hashkey[0])
+tail:
+	switch {
+	case s == 0:
+	case s < 4:
+		h ^= uint64(*(*byte)(p))
+		h ^= uint64(*(*byte)(add(p, s>>1))) << 8
+		h ^= uint64(*(*byte)(add(p, s-1))) << 16
+		h = rotl31(h*m1) * m2
+	case s <= 8:
+		h ^= uint64(readUnaligned32(p))
+		h ^= uint64(readUnaligned32(add(p, s-4))) << 32
+		h = rotl31(h*m1) * m2
+	case s <= 16:
+		h ^= readUnaligned64(p)
+		h = rotl31(h*m1) * m2
+		h ^= readUnaligned64(add(p, s-8))
+		h = rotl31(h*m1) * m2
+	case s <= 32:
+		h ^= readUnaligned64(p)
+		h = rotl31(h*m1) * m2
+		h ^= readUnaligned64(add(p, 8))
+		h = rotl31(h*m1) * m2
+		h ^= readUnaligned64(add(p, s-16))
+		h = rotl31(h*m1) * m2
+		h ^= readUnaligned64(add(p, s-8))
+		h = rotl31(h*m1) * m2
+	default:
+		v1 := h
+		v2 := uint64(seed * hashkey[1])
+		v3 := uint64(seed * hashkey[2])
+		v4 := uint64(seed * hashkey[3])
+		for s >= 32 {
+			v1 ^= readUnaligned64(p)
+			v1 = rotl31(v1*m1) * m2
+			p = add(p, 8)
+			v2 ^= readUnaligned64(p)
+			v2 = rotl31(v2*m2) * m3
+			p = add(p, 8)
+			v3 ^= readUnaligned64(p)
+			v3 = rotl31(v3*m3) * m4
+			p = add(p, 8)
+			v4 ^= readUnaligned64(p)
+			v4 = rotl31(v4*m4) * m1
+			p = add(p, 8)
+			s -= 32
+		}
+		h = v1 ^ v2 ^ v3 ^ v4
+		goto tail
+	}
+
+	h ^= h >> 29
+	h *= m3
+	h ^= h >> 32
+	return uintptr(h)
+}
+
+func add(p unsafe.Pointer, x uintptr) unsafe.Pointer {
+	return unsafe.Pointer(uintptr(p) + x)
+}
+
+func readUnaligned32(p unsafe.Pointer) uint32 {
+	q := (*[4]byte)(p)
+	return uint32(q[0]) | uint32(q[1])<<8 | uint32(q[2])<<16 | uint32(q[3])<<24
+}
+
+func rotl31(x uint64) uint64 {
+	return (x << 31) | (x >> (64 - 31))
+}
+
+func readUnaligned64(p unsafe.Pointer) uint64 {
+	q := (*[8]byte)(p)
+	return uint64(q[0]) | uint64(q[1])<<8 | uint64(q[2])<<16 | uint64(q[3])<<24 | uint64(q[4])<<32 | uint64(q[5])<<40 | uint64(q[6])<<48 | uint64(q[7])<<56
+}
--- a/component/geodata/strmatcher/package_info.go
+++ b/component/geodata/strmatcher/package_info.go
@ -0,0 +1,4 @@
+// Modified from: https://github.com/v2fly/v2ray-core/tree/master/common/strmatcher
+// License: MIT
+
+package strmatcher
--- a/component/geodata/strmatcher/strmatcher.go
+++ b/component/geodata/strmatcher/strmatcher.go
@ -0,0 +1,107 @@
+package strmatcher
+
+import (
+	"regexp"
+)
+
+// Matcher is the interface to determine a string matches a pattern.
+type Matcher interface {
+	// Match returns true if the given string matches a predefined pattern.
+	Match(string) bool
+	String() string
+}
+
+// Type is the type of the matcher.
+type Type byte
+
+const (
+	// Full is the type of matcher that the input string must exactly equal to the pattern.
+	Full Type = iota
+	// Substr is the type of matcher that the input string must contain the pattern as a sub-string.
+	Substr
+	// Domain is the type of matcher that the input string must be a sub-domain or itself of the pattern.
+	Domain
+	// Regex is the type of matcher that the input string must matches the regular-expression pattern.
+	Regex
+)
+
+// New creates a new Matcher based on the given pattern.
+func (t Type) New(pattern string) (Matcher, error) {
+	// 1. regex matching is case-sensitive
+	switch t {
+	case Full:
+		return fullMatcher(pattern), nil
+	case Substr:
+		return substrMatcher(pattern), nil
+	case Domain:
+		return domainMatcher(pattern), nil
+	case Regex:
+		r, err := regexp.Compile(pattern)
+		if err != nil {
+			return nil, err
+		}
+		return &regexMatcher{
+			pattern: r,
+		}, nil
+	default:
+		panic("Unknown type")
+	}
+}
+
+// IndexMatcher is the interface for matching with a group of matchers.
+type IndexMatcher interface {
+	// Match returns the index of a matcher that matches the input. It returns empty array if no such matcher exists.
+	Match(input string) []uint32
+}
+
+type matcherEntry struct {
+	m  Matcher
+	id uint32
+}
+
+// MatcherGroup is an implementation of IndexMatcher.
+// Empty initialization works.
+type MatcherGroup struct {
+	count         uint32
+	fullMatcher   FullMatcherGroup
+	domainMatcher DomainMatcherGroup
+	otherMatchers []matcherEntry
+}
+
+// Add adds a new Matcher into the MatcherGroup, and returns its index. The index will never be 0.
+func (g *MatcherGroup) Add(m Matcher) uint32 {
+	g.count++
+	c := g.count
+
+	switch tm := m.(type) {
+	case fullMatcher:
+		g.fullMatcher.addMatcher(tm, c)
+	case domainMatcher:
+		g.domainMatcher.addMatcher(tm, c)
+	default:
+		g.otherMatchers = append(g.otherMatchers, matcherEntry{
+			m:  m,
+			id: c,
+		})
+	}
+
+	return c
+}
+
+// Match implements IndexMatcher.Match.
+func (g *MatcherGroup) Match(pattern string) []uint32 {
+	result := []uint32{}
+	result = append(result, g.fullMatcher.Match(pattern)...)
+	result = append(result, g.domainMatcher.Match(pattern)...)
+	for _, e := range g.otherMatchers {
+		if e.m.Match(pattern) {
+			result = append(result, e.id)
+		}
+	}
+	return result
+}
+
+// Size returns the number of matchers in the MatcherGroup.
+func (g *MatcherGroup) Size() uint32 {
+	return g.count
+}
--- a/component/geodata/utils.go
+++ b/component/geodata/utils.go
@ -0,0 +1,81 @@
+package geodata
+
+import (
+	"github.com/Dreamacro/clash/component/geodata/router"
+	C "github.com/Dreamacro/clash/constant"
+	"strings"
+)
+
+var geoLoaderName = "memconservative"
+
+//  geoLoaderName = "standard"
+
+func LoaderName() string {
+	return geoLoaderName
+}
+
+func SetLoader(newLoader string) {
+	geoLoaderName = newLoader
+}
+
+func Verify(name string) bool {
+	switch name {
+	case C.GeositeName:
+		_, _, err := LoadGeoSiteMatcher("CN")
+		return err == nil
+	case C.GeoipName:
+		_, _, err := LoadGeoIPMatcher("CN")
+		return err == nil
+	default:
+		return false
+	}
+}
+
+func LoadGeoSiteMatcher(countryCode string) (*router.DomainMatcher, int, error) {
+	geoLoader, err := GetGeoDataLoader(geoLoaderName)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	domains, err := geoLoader.LoadGeoSite(countryCode)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	/**
+	linear: linear algorithm
+	matcher, err := router.NewDomainMatcher(domains)
+	mph：minimal perfect hash algorithm
+	*/
+	matcher, err := router.NewMphMatcherGroup(domains)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	return matcher, len(domains), nil
+}
+
+func LoadGeoIPMatcher(country string) (*router.GeoIPMatcher, int, error) {
+	geoLoader, err := GetGeoDataLoader(geoLoaderName)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	records, err := geoLoader.LoadGeoIP(strings.ReplaceAll(country, "!", ""))
+	if err != nil {
+		return nil, 0, err
+	}
+
+	geoIP := &router.GeoIP{
+		CountryCode:  country,
+		Cidr:         records,
+		ReverseMatch: strings.Contains(country, "!"),
+	}
+
+	matcher, err := router.NewGeoIPMatcher(geoIP)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	return matcher, len(records), nil
+}
--- a/component/mmdb/mmdb.go
+++ b/component/mmdb/mmdb.go
@ -1,12 +1,11 @@
 package mmdb

 import (
+	"github.com/oschwald/geoip2-golang"
 	"sync"

 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
-
-	"github.com/oschwald/geoip2-golang"
 )

 var (
--- a/component/pool/pool_test.go
+++ b/component/pool/pool_test.go
@ -34,7 +34,7 @@ func TestPool_MaxSize(t *testing.T) {
 	size := 5
 	pool := New(g, WithSize(size))

-	items := []any{}
+	var items []any

 	for i := 0; i < size; i++ {
 		item, _ := pool.Get()
--- a/component/process/process.go
+++ b/component/process/process.go
@ -3,6 +3,8 @@ package process
 import (
 	"errors"
 	"net"
+
+	C "github.com/Dreamacro/clash/constant"
 )

 var (
@ -19,3 +21,49 @@ const (
 func FindProcessName(network string, srcIP net.IP, srcPort int) (string, error) {
 	return findProcessName(network, srcIP, srcPort)
 }
+
+func ShouldFindProcess(metadata *C.Metadata) bool {
+	if metadata.Process != "" {
+		return false
+	}
+	for _, ip := range localIPs {
+		if ip.Equal(metadata.SrcIP) {
+			return true
+		}
+	}
+	return false
+}
+
+func AppendLocalIPs(ip ...net.IP) {
+	localIPs = append(ip, localIPs...)
+}
+
+func getLocalIPs() []net.IP {
+	ips := []net.IP{net.IPv4zero, net.IPv6zero}
+
+	netInterfaces, err := net.Interfaces()
+	if err != nil {
+		ips = append(ips, net.IPv4(127, 0, 0, 1), net.IPv6loopback)
+		return ips
+	}
+
+	for i := 0; i < len(netInterfaces); i++ {
+		if (netInterfaces[i].Flags & net.FlagUp) != 0 {
+			adds, _ := netInterfaces[i].Addrs()
+
+			for _, address := range adds {
+				if ipNet, ok := address.(*net.IPNet); ok {
+					ips = append(ips, ipNet.IP)
+				}
+			}
+		}
+	}
+
+	return ips
+}
+
+var localIPs []net.IP
+
+func init() {
+	localIPs = getLocalIPs()
+}
--- a/component/process/process_android.go
+++ b/component/process/process_android.go
@ -0,0 +1,230 @@
+package process
+
+import (
+	"bytes"
+	"encoding/binary"
+	"fmt"
+	"net"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+	"syscall"
+	"unicode"
+	"unsafe"
+
+	"github.com/Dreamacro/clash/common/pool"
+)
+
+// from https://github.com/vishvananda/netlink/blob/bca67dfc8220b44ef582c9da4e9172bf1c9ec973/nl/nl_linux.go#L52-L62
+var nativeEndian = func() binary.ByteOrder {
+	var x uint32 = 0x01020304
+	if *(*byte)(unsafe.Pointer(&x)) == 0x01 {
+		return binary.BigEndian
+	}
+
+	return binary.LittleEndian
+}()
+
+const (
+	sizeOfSocketDiagRequest = syscall.SizeofNlMsghdr + 8 + 48
+	socketDiagByFamily      = 20
+	pathProc                = "/proc"
+)
+
+func findProcessName(network string, ip net.IP, srcPort int) (string, error) {
+	inode, uid, err := resolveSocketByNetlink(network, ip, srcPort)
+	if err != nil {
+		return "", err
+	}
+
+	return resolveProcessNameByProcSearch(inode, uid)
+}
+
+func resolveSocketByNetlink(network string, ip net.IP, srcPort int) (int32, int32, error) {
+	var family byte
+	var protocol byte
+
+	switch network {
+	case TCP:
+		protocol = syscall.IPPROTO_TCP
+	case UDP:
+		protocol = syscall.IPPROTO_UDP
+	default:
+		return 0, 0, ErrInvalidNetwork
+	}
+
+	if ip.To4() != nil {
+		family = syscall.AF_INET
+	} else {
+		family = syscall.AF_INET6
+	}
+
+	req := packSocketDiagRequest(family, protocol, ip, uint16(srcPort))
+
+	socket, err := syscall.Socket(syscall.AF_NETLINK, syscall.SOCK_DGRAM, syscall.NETLINK_INET_DIAG)
+	if err != nil {
+		return 0, 0, fmt.Errorf("dial netlink: %w", err)
+	}
+	defer syscall.Close(socket)
+
+	syscall.SetsockoptTimeval(socket, syscall.SOL_SOCKET, syscall.SO_SNDTIMEO, &syscall.Timeval{Usec: 100})
+	syscall.SetsockoptTimeval(socket, syscall.SOL_SOCKET, syscall.SO_RCVTIMEO, &syscall.Timeval{Usec: 100})
+
+	if err := syscall.Connect(socket, &syscall.SockaddrNetlink{
+		Family: syscall.AF_NETLINK,
+		Pad:    0,
+		Pid:    0,
+		Groups: 0,
+	}); err != nil {
+		return 0, 0, err
+	}
+
+	if _, err := syscall.Write(socket, req); err != nil {
+		return 0, 0, fmt.Errorf("write request: %w", err)
+	}
+
+	rb := pool.Get(pool.RelayBufferSize)
+	defer pool.Put(rb)
+
+	n, err := syscall.Read(socket, rb)
+	if err != nil {
+		return 0, 0, fmt.Errorf("read response: %w", err)
+	}
+
+	messages, err := syscall.ParseNetlinkMessage(rb[:n])
+	if err != nil {
+		return 0, 0, fmt.Errorf("parse netlink message: %w", err)
+	} else if len(messages) == 0 {
+		return 0, 0, fmt.Errorf("unexcepted netlink response")
+	}
+
+	message := messages[0]
+	if message.Header.Type&syscall.NLMSG_ERROR != 0 {
+		return 0, 0, fmt.Errorf("netlink message: NLMSG_ERROR")
+	}
+
+	uid, inode := unpackSocketDiagResponse(&messages[0])
+	if uid < 0 || inode < 0 {
+		return 0, 0, fmt.Errorf("invalid uid(%d) or inode(%d)", uid, inode)
+	}
+
+	return uid, inode, nil
+}
+
+func packSocketDiagRequest(family, protocol byte, source net.IP, sourcePort uint16) []byte {
+	s := make([]byte, 16)
+
+	if v4 := source.To4(); v4 != nil {
+		copy(s, v4)
+	} else {
+		copy(s, source)
+	}
+
+	buf := make([]byte, sizeOfSocketDiagRequest)
+
+	nativeEndian.PutUint32(buf[0:4], sizeOfSocketDiagRequest)
+	nativeEndian.PutUint16(buf[4:6], socketDiagByFamily)
+	nativeEndian.PutUint16(buf[6:8], syscall.NLM_F_REQUEST|syscall.NLM_F_DUMP)
+	nativeEndian.PutUint32(buf[8:12], 0)
+	nativeEndian.PutUint32(buf[12:16], 0)
+
+	buf[16] = family
+	buf[17] = protocol
+	buf[18] = 0
+	buf[19] = 0
+	nativeEndian.PutUint32(buf[20:24], 0xFFFFFFFF)
+
+	binary.BigEndian.PutUint16(buf[24:26], sourcePort)
+	binary.BigEndian.PutUint16(buf[26:28], 0)
+
+	copy(buf[28:44], s)
+	copy(buf[44:60], net.IPv6zero)
+
+	nativeEndian.PutUint32(buf[60:64], 0)
+	nativeEndian.PutUint64(buf[64:72], 0xFFFFFFFFFFFFFFFF)
+
+	return buf
+}
+
+func unpackSocketDiagResponse(msg *syscall.NetlinkMessage) (inode, uid int32) {
+	if len(msg.Data) < 72 {
+		return 0, 0
+	}
+
+	data := msg.Data
+
+	uid = int32(nativeEndian.Uint32(data[64:68]))
+	inode = int32(nativeEndian.Uint32(data[68:72]))
+
+	return
+}
+
+func resolveProcessNameByProcSearch(inode, uid int32) (string, error) {
+	files, err := os.ReadDir(pathProc)
+	if err != nil {
+		return "", err
+	}
+
+	buffer := make([]byte, syscall.PathMax)
+	socket := []byte(fmt.Sprintf("socket:[%d]", inode))
+
+	for _, f := range files {
+		if !f.IsDir() || !isPid(f.Name()) {
+			continue
+		}
+
+		info, err := f.Info()
+		if err != nil {
+			return "", err
+		}
+		if info.Sys().(*syscall.Stat_t).Uid != uint32(uid) {
+			continue
+		}
+
+		processPath := path.Join(pathProc, f.Name())
+		fdPath := path.Join(processPath, "fd")
+
+		fds, err := os.ReadDir(fdPath)
+		if err != nil {
+			continue
+		}
+
+		for _, fd := range fds {
+			n, err := syscall.Readlink(path.Join(fdPath, fd.Name()), buffer)
+			if err != nil {
+				continue
+			}
+
+			if bytes.Equal(buffer[:n], socket) {
+				cmdline, err := os.ReadFile(path.Join(processPath, "cmdline"))
+				if err != nil {
+					return "", err
+				}
+
+				return splitCmdline(cmdline), nil
+			}
+		}
+	}
+
+	return "", fmt.Errorf("process of uid(%d),inode(%d) not found", uid, inode)
+}
+
+func splitCmdline(cmdline []byte) string {
+	cmdline = bytes.Trim(cmdline, " ")
+
+	idx := bytes.IndexFunc(cmdline, func(r rune) bool {
+		return unicode.IsControl(r) || unicode.IsSpace(r)
+	})
+
+	if idx == -1 {
+		return filepath.Base(string(cmdline))
+	}
+	return filepath.Base(string(cmdline[:idx]))
+}
+
+func isPid(s string) bool {
+	return strings.IndexFunc(s, func(r rune) bool {
+		return !unicode.IsDigit(r)
+	}) == -1
+}
--- a/component/process/process_darwin.go
+++ b/component/process/process_darwin.go
@ -69,7 +69,7 @@ func findProcessName(network string, ip net.IP, port int) (string, error) {
 			continue
 		}

-		if !ip.Equal(srcIP) {
+		if !ip.Equal(srcIP) && (network == TCP || !srcIP.IsUnspecified()) {
 			continue
 		}

--- a/component/process/process_linux.go
+++ b/component/process/process_linux.go
@ -1,3 +1,5 @@
+//go:build !android
+
 package process

 import (
--- a/component/process/process_windows.go
+++ b/component/process/process_windows.go
@ -174,7 +174,7 @@ func newSearcher(isV4, isTCP bool) *searcher {
 func getTransportTable(fn uintptr, family int, class int) ([]byte, error) {
 	for size, buf := uint32(8), make([]byte, 8); ; {
 		ptr := unsafe.Pointer(&buf[0])
-		err, _, _ := syscall.Syscall6(fn, 6, uintptr(ptr), uintptr(unsafe.Pointer(&size)), 0, uintptr(family), uintptr(class), 0)
+		err, _, _ := syscall.SyscallN(fn, uintptr(ptr), uintptr(unsafe.Pointer(&size)), 0, uintptr(family), uintptr(class), 0)

 		switch err {
 		case 0:
@ -209,8 +209,8 @@ func getExecPathFromPID(pid uint32) (string, error) {

 	buf := make([]uint16, syscall.MAX_LONG_PATH)
 	size := uint32(len(buf))
-	r1, _, err := syscall.Syscall6(
-		queryProcName, 4,
+	r1, _, err := syscall.SyscallN(
+		queryProcName,
 		uintptr(h),
 		uintptr(1),
 		uintptr(unsafe.Pointer(&buf[0])),
--- a/component/profile/cachefile/cache.go
+++ b/component/profile/cachefile/cache.go
@ -132,6 +132,17 @@ func (c *CacheFile) GetFakeip(key []byte) []byte {
 	return bucket.Get(key)
 }

+func (c *CacheFile) FlushFakeIP() error {
+	err := c.DB.Batch(func(t *bbolt.Tx) error {
+		bucket := t.Bucket(bucketFakeip)
+		if bucket == nil {
+			return nil
+		}
+		return t.DeleteBucket(bucketFakeip)
+	})
+	return err
+}
+
 func (c *CacheFile) Close() error {
 	return c.DB.Close()
 }
--- a/component/resolver/enhancer.go
+++ b/component/resolver/enhancer.go
@ -10,8 +10,10 @@ type Enhancer interface {
 	FakeIPEnabled() bool
 	MappingEnabled() bool
 	IsFakeIP(net.IP) bool
+	IsFakeBroadcastIP(net.IP) bool
 	IsExistFakeIP(net.IP) bool
 	FindHostByIP(net.IP) (string, bool)
+	FlushFakeIP() error
 }

 func FakeIPEnabled() bool {
@ -38,6 +40,14 @@ func IsFakeIP(ip net.IP) bool {
 	return false
 }

+func IsFakeBroadcastIP(ip net.IP) bool {
+	if mapper := DefaultHostMapper; mapper != nil {
+		return mapper.IsFakeBroadcastIP(ip)
+	}
+
+	return false
+}
+
 func IsExistFakeIP(ip net.IP) bool {
 	if mapper := DefaultHostMapper; mapper != nil {
 		return mapper.IsExistFakeIP(ip)
@ -53,3 +63,10 @@ func FindHostByIP(ip net.IP) (string, bool) {

 	return "", false
 }
+
+func FlushFakeIP() error {
+	if mapper := DefaultHostMapper; mapper != nil {
+		return mapper.FlushFakeIP()
+	}
+	return nil
+}
--- a/component/resolver/patch.go
+++ b/component/resolver/patch.go
@ -0,0 +1,18 @@
+package resolver
+
+import D "github.com/miekg/dns"
+
+var DefaultLocalServer LocalServer
+
+type LocalServer interface {
+	ServeMsg(msg *D.Msg) (*D.Msg, error)
+}
+
+// ServeMsg with a dns.Msg, return resolve dns.Msg
+func ServeMsg(msg *D.Msg) (*D.Msg, error) {
+	if server := DefaultLocalServer; server != nil {
+		return server.ServeMsg(msg)
+	}
+
+	return nil, ErrIPNotFound
+}
--- a/component/resolver/resolver.go
+++ b/component/resolver/resolver.go
@ -15,6 +15,9 @@ var (
 	// DefaultResolver aim to resolve ip
 	DefaultResolver Resolver

+	// ProxyServerHostResolver resolve ip to proxies server host
+	ProxyServerHostResolver Resolver
+
 	// DisableIPv6 means don't resolve ipv6 host
 	// default value is true
 	DisableIPv6 = true
@ -40,6 +43,10 @@ type Resolver interface {

 // ResolveIPv4 with a host, return ipv4
 func ResolveIPv4(host string) (net.IP, error) {
+	return ResolveIPv4WithResolver(host, DefaultResolver)
+}
+
+func ResolveIPv4WithResolver(host string, r Resolver) (net.IP, error) {
 	if node := DefaultHosts.Search(host); node != nil {
 		if ip := node.Data.(net.IP).To4(); ip != nil {
 			return ip, nil
@ -54,10 +61,11 @@ func ResolveIPv4(host string) (net.IP, error) {
 		return nil, ErrIPVersion
 	}

-	if DefaultResolver != nil {
-		return DefaultResolver.ResolveIPv4(host)
+	if r != nil {
+		return r.ResolveIPv4(host)
 	}

+	if DefaultResolver == nil {
 		ctx, cancel := context.WithTimeout(context.Background(), DefaultDNSTimeout)
 		defer cancel()
 		ipAddrs, err := net.DefaultResolver.LookupIP(ctx, "ip4", host)
@ -70,8 +78,15 @@ func ResolveIPv4(host string) (net.IP, error) {
 		return ipAddrs[rand.Intn(len(ipAddrs))], nil
 	}

+	return nil, ErrIPNotFound
+}
+
 // ResolveIPv6 with a host, return ipv6
 func ResolveIPv6(host string) (net.IP, error) {
+	return ResolveIPv6WithResolver(host, DefaultResolver)
+}
+
+func ResolveIPv6WithResolver(host string, r Resolver) (net.IP, error) {
 	if DisableIPv6 {
 		return nil, ErrIPv6Disabled
 	}
@ -90,10 +105,11 @@ func ResolveIPv6(host string) (net.IP, error) {
 		return nil, ErrIPVersion
 	}

-	if DefaultResolver != nil {
-		return DefaultResolver.ResolveIPv6(host)
+	if r != nil {
+		return r.ResolveIPv6(host)
 	}

+	if DefaultResolver == nil {
 		ctx, cancel := context.WithTimeout(context.Background(), DefaultDNSTimeout)
 		defer cancel()
 		ipAddrs, err := net.DefaultResolver.LookupIP(ctx, "ip6", host)
@ -106,6 +122,9 @@ func ResolveIPv6(host string) (net.IP, error) {
 		return ipAddrs[rand.Intn(len(ipAddrs))], nil
 	}

+	return nil, ErrIPNotFound
+}
+
 // ResolveIPWithResolver same as ResolveIP, but with a resolver
 func ResolveIPWithResolver(host string, r Resolver) (net.IP, error) {
 	if node := DefaultHosts.Search(host); node != nil {
@ -126,6 +145,7 @@ func ResolveIPWithResolver(host string, r Resolver) (net.IP, error) {
 		return ip, nil
 	}

+	if DefaultResolver == nil {
 		ipAddr, err := net.ResolveIPAddr("ip", host)
 		if err != nil {
 			return nil, err
@ -134,7 +154,34 @@ func ResolveIPWithResolver(host string, r Resolver) (net.IP, error) {
 		return ipAddr.IP, nil
 	}

+	return nil, ErrIPNotFound
+}
+
 // ResolveIP with a host, return ip
 func ResolveIP(host string) (net.IP, error) {
 	return ResolveIPWithResolver(host, DefaultResolver)
 }
+
+// ResolveIPv4ProxyServerHost proxies server host only
+func ResolveIPv4ProxyServerHost(host string) (net.IP, error) {
+	if ProxyServerHostResolver != nil {
+		return ResolveIPv4WithResolver(host, ProxyServerHostResolver)
+	}
+	return ResolveIPv4(host)
+}
+
+// ResolveIPv6ProxyServerHost proxies server host only
+func ResolveIPv6ProxyServerHost(host string) (net.IP, error) {
+	if ProxyServerHostResolver != nil {
+		return ResolveIPv6WithResolver(host, ProxyServerHostResolver)
+	}
+	return ResolveIPv6(host)
+}
+
+// ResolveProxyServerHost proxies server host only
+func ResolveProxyServerHost(host string) (net.IP, error) {
+	if ProxyServerHostResolver != nil {
+		return ResolveIPWithResolver(host, ProxyServerHostResolver)
+	}
+	return ResolveIP(host)
+}
--- a/component/trie/ipcidr_node.go
+++ b/component/trie/ipcidr_node.go
@ -0,0 +1,44 @@
+package trie
+
+import "errors"
+
+var (
+	ErrorOverMaxValue = errors.New("the value don't over max value")
+)
+
+type IpCidrNode struct {
+	Mark     bool
+	child    map[uint32]*IpCidrNode
+	maxValue uint32
+}
+
+func NewIpCidrNode(mark bool, maxValue uint32) *IpCidrNode {
+	ipCidrNode := &IpCidrNode{
+		Mark:     mark,
+		child:    map[uint32]*IpCidrNode{},
+		maxValue: maxValue,
+	}
+
+	return ipCidrNode
+}
+
+func (n *IpCidrNode) addChild(value uint32) error {
+	if value > n.maxValue {
+		return ErrorOverMaxValue
+	}
+
+	n.child[value] = NewIpCidrNode(false, n.maxValue)
+	return nil
+}
+
+func (n *IpCidrNode) hasChild(value uint32) bool {
+	return n.getChild(value) != nil
+}
+
+func (n *IpCidrNode) getChild(value uint32) *IpCidrNode {
+	if value <= n.maxValue {
+		return n.child[value]
+	}
+
+	return nil
+}
--- a/component/trie/ipcidr_trie.go
+++ b/component/trie/ipcidr_trie.go
@ -0,0 +1,255 @@
+package trie
+
+import (
+	"github.com/Dreamacro/clash/log"
+	"net"
+)
+
+type IPV6 bool
+
+const (
+	ipv4GroupMaxValue = 0xFF
+	ipv6GroupMaxValue = 0xFFFF
+)
+
+type IpCidrTrie struct {
+	ipv4Trie *IpCidrNode
+	ipv6Trie *IpCidrNode
+}
+
+func NewIpCidrTrie() *IpCidrTrie {
+	return &IpCidrTrie{
+		ipv4Trie: NewIpCidrNode(false, ipv4GroupMaxValue),
+		ipv6Trie: NewIpCidrNode(false, ipv6GroupMaxValue),
+	}
+}
+
+func (trie *IpCidrTrie) AddIpCidr(ipCidr *net.IPNet) error {
+	subIpCidr, subCidr, isIpv4, err := ipCidrToSubIpCidr(ipCidr)
+	if err != nil {
+		return err
+	}
+
+	for _, sub := range subIpCidr {
+		addIpCidr(trie, isIpv4, sub, subCidr/8)
+	}
+
+	return nil
+}
+
+func (trie *IpCidrTrie) AddIpCidrForString(ipCidr string) error {
+	_, ipNet, err := net.ParseCIDR(ipCidr)
+	if err != nil {
+		return err
+	}
+
+	return trie.AddIpCidr(ipNet)
+}
+
+func (trie *IpCidrTrie) IsContain(ip net.IP) bool {
+	ip, isIpv4 := checkAndConverterIp(ip)
+	if ip == nil {
+		return false
+	}
+
+	var groupValues []uint32
+	var ipCidrNode *IpCidrNode
+
+	if isIpv4 {
+		ipCidrNode = trie.ipv4Trie
+		for _, group := range ip {
+			groupValues = append(groupValues, uint32(group))
+		}
+	} else {
+		ipCidrNode = trie.ipv6Trie
+		for i := 0; i < len(ip); i += 2 {
+			groupValues = append(groupValues, getIpv6GroupValue(ip[i], ip[i+1]))
+		}
+	}
+
+	return search(ipCidrNode, groupValues) != nil
+}
+
+func (trie *IpCidrTrie) IsContainForString(ipString string) bool {
+	return trie.IsContain(net.ParseIP(ipString))
+}
+
+func ipCidrToSubIpCidr(ipNet *net.IPNet) ([]net.IP, int, bool, error) {
+	maskSize, _ := ipNet.Mask.Size()
+	var (
+		ipList      []net.IP
+		newMaskSize int
+		isIpv4      bool
+		err         error
+	)
+
+	ip, isIpv4 := checkAndConverterIp(ipNet.IP)
+	ipList, newMaskSize, err = subIpCidr(ip, maskSize, isIpv4)
+
+	return ipList, newMaskSize, isIpv4, err
+}
+
+func subIpCidr(ip net.IP, maskSize int, isIpv4 bool) ([]net.IP, int, error) {
+	var subIpCidrList []net.IP
+	groupSize := 8
+	if !isIpv4 {
+		groupSize = 16
+	}
+
+	if maskSize%groupSize == 0 {
+		return append(subIpCidrList, ip), maskSize, nil
+	}
+
+	lastByteMaskSize := maskSize % 8
+	lastByteMaskIndex := maskSize / 8
+	subIpCidrNum := 0xFF >> lastByteMaskSize
+	for i := 0; i <= subIpCidrNum; i++ {
+		subIpCidr := make([]byte, len(ip))
+		copy(subIpCidr, ip)
+		subIpCidr[lastByteMaskIndex] += byte(i)
+		subIpCidrList = append(subIpCidrList, subIpCidr)
+	}
+
+	newMaskSize := (lastByteMaskIndex + 1) * 8
+	if !isIpv4 {
+		newMaskSize = (lastByteMaskIndex/2 + 1) * 16
+	}
+
+	return subIpCidrList, newMaskSize, nil
+}
+
+func addIpCidr(trie *IpCidrTrie, isIpv4 bool, ip net.IP, groupSize int) {
+	if isIpv4 {
+		addIpv4Cidr(trie, ip, groupSize)
+	} else {
+		addIpv6Cidr(trie, ip, groupSize)
+	}
+}
+
+func addIpv4Cidr(trie *IpCidrTrie, ip net.IP, groupSize int) {
+	preNode := trie.ipv4Trie
+	node := preNode.getChild(uint32(ip[0]))
+	if node == nil {
+		err := preNode.addChild(uint32(ip[0]))
+		if err != nil {
+			return
+		}
+
+		node = preNode.getChild(uint32(ip[0]))
+	}
+
+	for i := 1; i < groupSize; i++ {
+		if node.Mark {
+			return
+		}
+
+		groupValue := uint32(ip[i])
+		if !node.hasChild(groupValue) {
+			err := node.addChild(groupValue)
+			if err != nil {
+				log.Errorln(err.Error())
+			}
+		}
+
+		preNode = node
+		node = node.getChild(groupValue)
+		if node == nil {
+			err := preNode.addChild(uint32(ip[i-1]))
+			if err != nil {
+				return
+			}
+
+			node = preNode.getChild(uint32(ip[i-1]))
+		}
+	}
+
+	node.Mark = true
+	cleanChild(node)
+}
+
+func addIpv6Cidr(trie *IpCidrTrie, ip net.IP, groupSize int) {
+	preNode := trie.ipv6Trie
+	node := preNode.getChild(getIpv6GroupValue(ip[0], ip[1]))
+	if node == nil {
+		err := preNode.addChild(getIpv6GroupValue(ip[0], ip[1]))
+		if err != nil {
+			return
+		}
+
+		node = preNode.getChild(getIpv6GroupValue(ip[0], ip[1]))
+	}
+
+	for i := 2; i < groupSize; i += 2 {
+		if node.Mark {
+			return
+		}
+
+		groupValue := getIpv6GroupValue(ip[i], ip[i+1])
+		if !node.hasChild(groupValue) {
+			err := node.addChild(groupValue)
+			if err != nil {
+				log.Errorln(err.Error())
+			}
+		}
+
+		preNode = node
+		node = node.getChild(groupValue)
+		if node == nil {
+			err := preNode.addChild(getIpv6GroupValue(ip[i-2], ip[i-1]))
+			if err != nil {
+				return
+			}
+
+			node = preNode.getChild(getIpv6GroupValue(ip[i-2], ip[i-1]))
+		}
+	}
+
+	node.Mark = true
+	cleanChild(node)
+}
+
+func getIpv6GroupValue(high, low byte) uint32 {
+	return (uint32(high) << 8) | uint32(low)
+}
+
+func cleanChild(node *IpCidrNode) {
+	for i := uint32(0); i < uint32(len(node.child)); i++ {
+		delete(node.child, i)
+	}
+}
+
+func search(root *IpCidrNode, groupValues []uint32) *IpCidrNode {
+	node := root.getChild(groupValues[0])
+	if node == nil || node.Mark {
+		return node
+	}
+
+	for _, value := range groupValues[1:] {
+		if !node.hasChild(value) {
+			return nil
+		}
+
+		node = node.getChild(value)
+
+		if node == nil || node.Mark {
+			return node
+		}
+	}
+
+	return nil
+}
+
+// return net.IP To4 or To16 and is ipv4
+func checkAndConverterIp(ip net.IP) (net.IP, bool) {
+	ipResult := ip.To4()
+	if ipResult == nil {
+		ipResult = ip.To16()
+		if ipResult == nil {
+			return nil, false
+		}
+
+		return ipResult, false
+	}
+
+	return ipResult, true
+}
--- a/component/trie/trie_test.go
+++ b/component/trie/trie_test.go
@ -0,0 +1,100 @@
+package trie
+
+import (
+	"net"
+	"testing"
+)
+import "github.com/stretchr/testify/assert"
+
+func TestIpv4AddSuccess(t *testing.T) {
+	trie := NewIpCidrTrie()
+	err := trie.AddIpCidrForString("10.0.0.2/16")
+	assert.Equal(t, nil, err)
+}
+
+func TestIpv4AddFail(t *testing.T) {
+	trie := NewIpCidrTrie()
+	err := trie.AddIpCidrForString("333.00.23.2/23")
+	assert.IsType(t, new(net.ParseError), err)
+
+	err = trie.AddIpCidrForString("22.3.34.2/222")
+	assert.IsType(t, new(net.ParseError), err)
+
+	err = trie.AddIpCidrForString("2.2.2.2")
+	assert.IsType(t, new(net.ParseError), err)
+}
+
+func TestIpv4Search(t *testing.T) {
+	trie := NewIpCidrTrie()
+	// Boundary testing
+	assert.NoError(t, trie.AddIpCidrForString("149.154.160.0/20"))
+	assert.Equal(t, true, trie.IsContainForString("149.154.160.0"))
+	assert.Equal(t, true, trie.IsContainForString("149.154.175.255"))
+	assert.Equal(t, false, trie.IsContainForString("149.154.176.0"))
+	assert.Equal(t, false, trie.IsContainForString("149.154.159.255"))
+
+	assert.NoError(t, trie.AddIpCidrForString("129.2.36.0/16"))
+	assert.NoError(t, trie.AddIpCidrForString("10.2.36.0/18"))
+	assert.NoError(t, trie.AddIpCidrForString("16.2.23.0/24"))
+	assert.NoError(t, trie.AddIpCidrForString("11.2.13.2/26"))
+	assert.NoError(t, trie.AddIpCidrForString("55.5.6.3/8"))
+	assert.NoError(t, trie.AddIpCidrForString("66.23.25.4/6"))
+
+	assert.Equal(t, true, trie.IsContainForString("129.2.3.65"))
+	assert.Equal(t, false, trie.IsContainForString("15.2.3.1"))
+	assert.Equal(t, true, trie.IsContainForString("11.2.13.1"))
+	assert.Equal(t, true, trie.IsContainForString("55.0.0.0"))
+	assert.Equal(t, true, trie.IsContainForString("64.0.0.0"))
+	assert.Equal(t, false, trie.IsContainForString("128.0.0.0"))
+
+	assert.Equal(t, false, trie.IsContain(net.ParseIP("22")))
+	assert.Equal(t, false, trie.IsContain(net.ParseIP("")))
+
+}
+
+func TestIpv6AddSuccess(t *testing.T) {
+	trie := NewIpCidrTrie()
+	err := trie.AddIpCidrForString("2001:0db8:02de:0000:0000:0000:0000:0e13/32")
+	assert.Equal(t, nil, err)
+
+	err = trie.AddIpCidrForString("2001:1db8:f2de::0e13/18")
+	assert.Equal(t, nil, err)
+}
+
+func TestIpv6AddFail(t *testing.T) {
+	trie := NewIpCidrTrie()
+	err := trie.AddIpCidrForString("2001::25de::cade/23")
+	assert.IsType(t, new(net.ParseError), err)
+
+	err = trie.AddIpCidrForString("2001:0fa3:25de::cade/222")
+	assert.IsType(t, new(net.ParseError), err)
+
+	err = trie.AddIpCidrForString("2001:0fa3:25de::cade")
+	assert.IsType(t, new(net.ParseError), err)
+}
+
+func TestIpv6Search(t *testing.T) {
+	trie := NewIpCidrTrie()
+
+	// Boundary testing
+	assert.NoError(t, trie.AddIpCidrForString("2a0a:f280::/32"))
+	assert.Equal(t, true, trie.IsContainForString("2a0a:f280:0000:0000:0000:0000:0000:0000"))
+	assert.Equal(t, true, trie.IsContainForString("2a0a:f280:ffff:ffff:ffff:ffff:ffff:ffff"))
+	assert.Equal(t, false, trie.IsContainForString("2a0a:f279:ffff:ffff:ffff:ffff:ffff:ffff"))
+	assert.Equal(t, false, trie.IsContainForString("2a0a:f281:0000:0000:0000:0000:0000:0000"))
+
+	assert.NoError(t, trie.AddIpCidrForString("2001:b28:f23d:f001::e/128"))
+	assert.NoError(t, trie.AddIpCidrForString("2001:67c:4e8:f002::e/12"))
+	assert.NoError(t, trie.AddIpCidrForString("2001:b28:f23d:f003::e/96"))
+	assert.NoError(t, trie.AddIpCidrForString("2001:67c:4e8:f002::a/32"))
+	assert.NoError(t, trie.AddIpCidrForString("2001:67c:4e8:f004::a/60"))
+	assert.NoError(t, trie.AddIpCidrForString("2001:b28:f23f:f005::a/64"))
+	assert.Equal(t, true, trie.IsContainForString("2001:b28:f23d:f001::e"))
+	assert.Equal(t, false, trie.IsContainForString("2222::fff2"))
+	assert.Equal(t, true, trie.IsContainForString("2000::ffa0"))
+	assert.Equal(t, true, trie.IsContainForString("2001:b28:f23f:f005:5662::"))
+	assert.Equal(t, true, trie.IsContainForString("2001:67c:4e8:9666::1213"))
+
+	assert.Equal(t, false, trie.IsContain(net.ParseIP("22233:22")))
+
+}
--- a/config/config.go
+++ b/config/config.go
@ -1,25 +1,34 @@
 package config

 import (
+	"container/list"
 	"errors"
 	"fmt"
+	R "github.com/Dreamacro/clash/rule"
+	RP "github.com/Dreamacro/clash/rule/provider"
 	"net"
+	"net/netip"
 	"net/url"
 	"os"
+	"runtime"
 	"strings"
+	"time"

 	"github.com/Dreamacro/clash/adapter"
 	"github.com/Dreamacro/clash/adapter/outbound"
 	"github.com/Dreamacro/clash/adapter/outboundgroup"
 	"github.com/Dreamacro/clash/adapter/provider"
 	"github.com/Dreamacro/clash/component/auth"
+	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/fakeip"
+	"github.com/Dreamacro/clash/component/geodata"
+	"github.com/Dreamacro/clash/component/geodata/router"
 	"github.com/Dreamacro/clash/component/trie"
 	C "github.com/Dreamacro/clash/constant"
 	providerTypes "github.com/Dreamacro/clash/constant/provider"
 	"github.com/Dreamacro/clash/dns"
+	"github.com/Dreamacro/clash/listener/tun/ipstack/commons"
 	"github.com/Dreamacro/clash/log"
-	R "github.com/Dreamacro/clash/rule"
 	T "github.com/Dreamacro/clash/tunnel"

 	"gopkg.in/yaml.v2"
@ -30,13 +39,16 @@ type General struct {
 	Inbound
 	Controller
 	Mode          T.TunnelMode `json:"mode"`
+	UnifiedDelay  bool
 	LogLevel      log.LogLevel `json:"log-level"`
 	IPv6          bool         `json:"ipv6"`
 	Interface     string       `json:"-"`
 	RoutingMark   int          `json:"-"`
+	GeodataMode   bool         `json:"geodata-mode"`
+	GeodataLoader string       `json:"geodata-loader"`
 }

-// Inbound
+// Inbound config
 type Inbound struct {
 	Port           int      `json:"port"`
 	SocksPort      int      `json:"socks-port"`
@ -48,7 +60,7 @@ type Inbound struct {
 	BindAddress    string   `json:"bind-address"`
 }

-// Controller
+// Controller config
 type Controller struct {
 	ExternalController string `json:"-"`
 	ExternalUI         string `json:"-"`
@ -68,6 +80,7 @@ type DNS struct {
 	FakeIPRange           *fakeip.Pool
 	Hosts                 *trie.DomainTrie
 	NameServerPolicy      map[string]dns.NameServer
+	ProxyServerNameserver []dns.NameServer
 }

 // FallbackFilter config
@ -76,20 +89,51 @@ type FallbackFilter struct {
 	GeoIPCode string                  `yaml:"geoip-code"`
 	IPCIDR    []*net.IPNet            `yaml:"ipcidr"`
 	Domain    []string                `yaml:"domain"`
+	GeoSite   []*router.DomainMatcher `yaml:"geosite"`
 }

+var (
+	GroupsList             = list.New()
+	ProxiesList            = list.New()
+	ParsingProxiesCallback func(groupsList *list.List, proxiesList *list.List)
+)
+
 // Profile config
 type Profile struct {
 	StoreSelected bool `yaml:"store-selected"`
 	StoreFakeIP   bool `yaml:"store-fake-ip"`
 }

+// Tun config
+type Tun struct {
+	Enable    bool             `yaml:"enable" json:"enable"`
+	Device    string           `yaml:"device" json:"device"`
+	Stack     C.TUNStack       `yaml:"stack" json:"stack"`
+	DNSHijack []netip.AddrPort `yaml:"dns-hijack" json:"dns-hijack"`
+	AutoRoute bool             `yaml:"auto-route" json:"auto-route"`
+}
+
+// Script config
+type Script struct {
+	MainCode      string            `yaml:"code" json:"code"`
+	ShortcutsCode map[string]string `yaml:"shortcuts" json:"shortcuts"`
+}
+
+// IPTables config
+type IPTables struct {
+	Enable           bool     `yaml:"enable" json:"enable"`
+	InboundInterface string   `yaml:"inbound-interface" json:"inbound-interface"`
+	Bypass           []string `yaml:"bypass" json:"bypass"`
+}
+
 // Experimental config
 type Experimental struct{}

 // Config is clash config manager
 type Config struct {
 	General       *General
+	Tun           *Tun
+	IPTables      *IPTables
 	DNS           *DNS
 	Experimental  *Experimental
 	Hosts         *trie.DomainTrie
@ -98,6 +142,7 @@ type Config struct {
 	Users         []auth.AuthUser
 	Proxies       map[string]C.Proxy
 	Providers     map[string]providerTypes.ProxyProvider
+	RuleProviders map[string]*providerTypes.RuleProvider
 }

 type RawDNS struct {
@ -113,6 +158,7 @@ type RawDNS struct {
 	FakeIPFilter          []string          `yaml:"fake-ip-filter"`
 	DefaultNameserver     []string          `yaml:"default-nameserver"`
 	NameServerPolicy      map[string]string `yaml:"nameserver-policy"`
+	ProxyServerNameserver []string          `yaml:"proxy-server-nameserver"`
 }

 type RawFallbackFilter struct {
@ -120,6 +166,15 @@ type RawFallbackFilter struct {
 	GeoIPCode string   `yaml:"geoip-code"`
 	IPCIDR    []string `yaml:"ipcidr"`
 	Domain    []string `yaml:"domain"`
+	GeoSite   []string `yaml:"geosite"`
+}
+
+type RawTun struct {
+	Enable    bool       `yaml:"enable" json:"enable"`
+	Device    string     `yaml:"device" json:"device"`
+	Stack     C.TUNStack `yaml:"stack" json:"stack"`
+	DNSHijack []string   `yaml:"dns-hijack" json:"dns-hijack"`
+	AutoRoute bool       `yaml:"auto-route" json:"auto-route"`
 }

 type RawConfig struct {
@ -132,6 +187,7 @@ type RawConfig struct {
 	AllowLan           bool         `yaml:"allow-lan"`
 	BindAddress        string       `yaml:"bind-address"`
 	Mode               T.TunnelMode `yaml:"mode"`
+	UnifiedDelay       bool         `yaml:"unified-delay"`
 	LogLevel           log.LogLevel `yaml:"log-level"`
 	IPv6               bool         `yaml:"ipv6"`
 	ExternalController string       `yaml:"external-controller"`
@ -139,10 +195,15 @@ type RawConfig struct {
 	Secret             string       `yaml:"secret"`
 	Interface          string       `yaml:"interface-name"`
 	RoutingMark        int          `yaml:"routing-mark"`
+	GeodataMode        bool         `yaml:"geodata-mode"`
+	GeodataLoader      string       `yaml:"geodata-loader"`

 	ProxyProvider map[string]map[string]any `yaml:"proxy-providers"`
+	RuleProvider  map[string]map[string]any `yaml:"rule-providers"`
 	Hosts         map[string]string         `yaml:"hosts"`
 	DNS           RawDNS                    `yaml:"dns"`
+	Tun           RawTun                    `yaml:"tun"`
+	IPTables      IPTables                  `yaml:"iptables"`
 	Experimental  Experimental              `yaml:"experimental"`
 	Profile       Profile                   `yaml:"profile"`
 	Proxy         []map[string]any          `yaml:"proxies"`
@ -166,24 +227,52 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 		AllowLan:       false,
 		BindAddress:    "*",
 		Mode:           T.Rule,
+		GeodataMode:    C.GeodataMode,
+		GeodataLoader:  "memconservative",
+		UnifiedDelay:   false,
 		Authentication: []string{},
 		LogLevel:       log.INFO,
 		Hosts:          map[string]string{},
 		Rule:           []string{},
 		Proxy:          []map[string]any{},
 		ProxyGroup:     []map[string]any{},
+		Tun: RawTun{
+			Enable:    false,
+			Device:    "",
+			Stack:     C.TunGvisor,
+			DNSHijack: []string{"0.0.0.0:53"}, // default hijack all dns query
+			AutoRoute: true,
+		},
+		IPTables: IPTables{
+			Enable:           false,
+			InboundInterface: "lo",
+			Bypass:           []string{},
+		},
 		DNS: RawDNS{
 			Enable:       false,
 			UseHosts:     true,
+			EnhancedMode: C.DNSMapping,
 			FakeIPRange:  "198.18.0.1/16",
 			FallbackFilter: RawFallbackFilter{
 				GeoIP:     true,
 				GeoIPCode: "CN",
 				IPCIDR:    []string{},
+				GeoSite:   []string{},
 			},
 			DefaultNameserver: []string{
 				"114.114.114.114",
+				"223.5.5.5",
 				"8.8.8.8",
+				"1.0.0.1",
+			},
+			NameServer: []string{
+				"https://doh.pub/dns-query",
+				"tls://223.5.5.5:853",
+			},
+			FakeIPFilter: []string{
+				"dns.msftnsci.com",
+				"www.msftnsci.com",
+				"www.msftconnecttest.com",
 			},
 		},
 		Profile: Profile{
@ -200,9 +289,11 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {

 func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	config := &Config{}
-
+	log.Infoln("Start initial configuration in progress") //Segment finished in xxm
+	startTime := time.Now()
 	config.Experimental = &rawCfg.Experimental
 	config.Profile = &rawCfg.Profile
+	config.IPTables = &rawCfg.IPTables

 	general, err := parseGeneral(rawCfg)
 	if err != nil {
@ -210,6 +301,14 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	}
 	config.General = general

+	tunCfg, err := parseTun(rawCfg.Tun, config.General)
+	if err != nil {
+		return nil, err
+	}
+	config.Tun = tunCfg
+
+	dialer.DefaultInterface.Store(config.General.Interface)
+
 	proxies, providers, err := parseProxies(rawCfg)
 	if err != nil {
 		return nil, err
@ -217,11 +316,12 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	config.Proxies = proxies
 	config.Providers = providers

-	rules, err := parseRules(rawCfg, proxies)
+	rules, ruleProviders, err := parseRules(rawCfg, proxies)
 	if err != nil {
 		return nil, err
 	}
 	config.Rules = rules
+	config.RuleProviders = ruleProviders

 	hosts, err := parseHosts(rawCfg)
 	if err != nil {
@ -229,7 +329,7 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	}
 	config.Hosts = hosts

-	dnsCfg, err := parseDNS(rawCfg, hosts)
+	dnsCfg, err := parseDNS(rawCfg, hosts, rules)
 	if err != nil {
 		return nil, err
 	}
@ -237,12 +337,14 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {

 	config.Users = parseAuthentication(rawCfg.Authentication)

+	elapsedTime := time.Since(startTime) / time.Millisecond                     // duration in ms
+	log.Infoln("Initial configuration complete, total time: %dms", elapsedTime) //Segment finished in xxm
 	return config, nil
 }

 func parseGeneral(cfg *RawConfig) (*General, error) {
 	externalUI := cfg.ExternalUI
-
+	geodata.SetLoader(cfg.GeodataLoader)
 	// checkout externalUI exist
 	if externalUI != "" {
 		externalUI = C.Path.Resolve(externalUI)
@ -267,24 +369,32 @@ func parseGeneral(cfg *RawConfig) (*General, error) {
 			ExternalUI:         cfg.ExternalUI,
 			Secret:             cfg.Secret,
 		},
+		UnifiedDelay:  cfg.UnifiedDelay,
 		Mode:          cfg.Mode,
 		LogLevel:      cfg.LogLevel,
 		IPv6:          cfg.IPv6,
 		Interface:     cfg.Interface,
 		RoutingMark:   cfg.RoutingMark,
+		GeodataMode:   cfg.GeodataMode,
+		GeodataLoader: cfg.GeodataLoader,
 	}, nil
 }

 func parseProxies(cfg *RawConfig) (proxies map[string]C.Proxy, providersMap map[string]providerTypes.ProxyProvider, err error) {
 	proxies = make(map[string]C.Proxy)
 	providersMap = make(map[string]providerTypes.ProxyProvider)
-	proxyList := []string{}
 	proxiesConfig := cfg.Proxy
 	groupsConfig := cfg.ProxyGroup
 	providersConfig := cfg.ProxyProvider

+	var proxyList []string
+	_proxiesList := list.New()
+	_groupsList := list.New()
+
 	proxies["DIRECT"] = adapter.NewProxy(outbound.NewDirect())
 	proxies["REJECT"] = adapter.NewProxy(outbound.NewReject())
+	proxies["COMPATIBLE"] = adapter.NewProxy(outbound.NewCompatible())
+	proxies["PASS"] = adapter.NewProxy(outbound.NewPass())
 	proxyList = append(proxyList, "DIRECT", "REJECT")

 	// parse proxy
@ -299,6 +409,7 @@ func parseProxies(cfg *RawConfig) (proxies map[string]C.Proxy, providersMap map[
 		}
 		proxies[proxy.Name()] = proxy
 		proxyList = append(proxyList, proxy.Name())
+		_proxiesList.PushBack(mapping)
 	}

 	// keep the original order of ProxyGroups in config file
@ -308,6 +419,7 @@ func parseProxies(cfg *RawConfig) (proxies map[string]C.Proxy, providersMap map[
 			return nil, nil, fmt.Errorf("proxy group %d: missing name", idx)
 		}
 		proxyList = append(proxyList, groupName)
+		_groupsList.PushBack(mapping)
 	}

 	// check if any loop exists and sort the ProxyGroups
@ -329,13 +441,6 @@ func parseProxies(cfg *RawConfig) (proxies map[string]C.Proxy, providersMap map[
 		providersMap[name] = pd
 	}

-	for _, provider := range providersMap {
-		log.Infoln("Start initial provider %s", provider.Name())
-		if err := provider.Initial(); err != nil {
-			return nil, nil, fmt.Errorf("initial proxy provider %s error: %w", provider.Name(), err)
-		}
-	}
-
 	// parse proxy group
 	for idx, mapping := range groupsConfig {
 		group, err := outboundgroup.ParseProxyGroup(mapping, proxies, providersMap)
@ -351,20 +456,11 @@ func parseProxies(cfg *RawConfig) (proxies map[string]C.Proxy, providersMap map[
 		proxies[groupName] = adapter.NewProxy(group)
 	}

-	// initial compatible provider
-	for _, pd := range providersMap {
-		if pd.VehicleType() != providerTypes.Compatible {
+	var ps []C.Proxy
+	for _, v := range proxyList {
+		if proxies[v].Type() == C.Pass {
 			continue
 		}
-
-		log.Infoln("Start initial compatible provider %s", pd.Name())
-		if err := pd.Initial(); err != nil {
-			return nil, nil, err
-		}
-	}
-
-	ps := []C.Proxy{}
-	for _, v := range proxyList {
 		ps = append(ps, proxies[v])
 	}
 	hc := provider.NewHealthCheck(ps, "", 0, true)
@ -378,12 +474,32 @@ func parseProxies(cfg *RawConfig) (proxies map[string]C.Proxy, providersMap map[
 		[]providerTypes.ProxyProvider{pd},
 	)
 	proxies["GLOBAL"] = adapter.NewProxy(global)
+	ProxiesList = _proxiesList
+	GroupsList = _groupsList
+	if ParsingProxiesCallback != nil {
+		// refresh tray menu
+		go ParsingProxiesCallback(GroupsList, ProxiesList)
+	}
 	return proxies, providersMap, nil
 }

-func parseRules(cfg *RawConfig, proxies map[string]C.Proxy) ([]C.Rule, error) {
-	rules := []C.Rule{}
+func parseRules(cfg *RawConfig, proxies map[string]C.Proxy) ([]C.Rule, map[string]*providerTypes.RuleProvider, error) {
+	ruleProviders := map[string]*providerTypes.RuleProvider{}
+	log.Infoln("Geodata Loader mode: %s", geodata.LoaderName())
+	// parse rule provider
+	for name, mapping := range cfg.RuleProvider {
+		rp, err := RP.ParseRuleProvider(name, mapping)
+		if err != nil {
+			return nil, nil, err
+		}
+
+		ruleProviders[name] = &rp
+		RP.SetRuleProvider(rp)
+	}
+
+	var rules []C.Rule
 	rulesConfig := cfg.Rule
+	mode := cfg.Mode

 	// parse rules
 	for idx, line := range rulesConfig {
@ -391,39 +507,62 @@ func parseRules(cfg *RawConfig, proxies map[string]C.Proxy) ([]C.Rule, error) {
 		var (
 			payload  string
 			target   string
-			params  = []string{}
+			params   []string
+			ruleName = strings.ToUpper(rule[0])
 		)

-		switch l := len(rule); {
-		case l == 2:
-			target = rule[1]
-		case l == 3:
-			payload = rule[1]
-			target = rule[2]
-		case l >= 4:
-			payload = rule[1]
-			target = rule[2]
-			params = rule[3:]
-		default:
-			return nil, fmt.Errorf("rules[%d] [%s] error: format invalid", idx, line)
+		if mode == T.Script && ruleName != "GEOSITE" {
+			continue
 		}

-		if _, ok := proxies[target]; !ok {
-			return nil, fmt.Errorf("rules[%d] [%s] error: proxy [%s] not found", idx, line, target)
+		l := len(rule)
+
+		if ruleName == "NOT" || ruleName == "OR" || ruleName == "AND" {
+			target = rule[l-1]
+			payload = strings.Join(rule[1:l-1], ",")
+		} else {
+			if l < 2 {
+				return nil, nil, fmt.Errorf("rules[%d] [%s] error: format invalid", idx, line)
+			}
+			if l < 4 {
+				rule = append(rule, make([]string, 4-l)...)
+			}
+			if ruleName == "MATCH" {
+				l = 2
+			}
+			if l >= 3 {
+				l = 3
+				payload = rule[1]
+			}
+			target = rule[l-1]
+			params = rule[l:]
+		}
+
+		if _, ok := proxies[target]; mode != T.Script && !ok {
+			return nil, nil, fmt.Errorf("rules[%d] [%s] error: proxy [%s] not found", idx, line, target)
 		}

-		rule = trimArr(rule)
 		params = trimArr(params)

-		parsed, parseErr := R.ParseRule(rule[0], payload, target, params)
+		if ruleName == "GEOSITE" {
+			if err := initGeoSite(); err != nil {
+				return nil, nil, fmt.Errorf("can't initial GeoSite: %s", err)
+			}
+			initMode = false
+		}
+		parsed, parseErr := R.ParseRule(ruleName, payload, target, params)
 		if parseErr != nil {
-			return nil, fmt.Errorf("rules[%d] [%s] error: %s", idx, line, parseErr.Error())
+			return nil, nil, fmt.Errorf("rules[%d] [%s] error: %s", idx, line, parseErr.Error())
 		}

+		if mode != T.Script {
 			rules = append(rules, parsed)
 		}
+	}

-	return rules, nil
+	runtime.GC()
+
+	return rules, ruleProviders, nil
 }

 func parseHosts(cfg *RawConfig) (*trie.DomainTrie, error) {
@ -440,7 +579,7 @@ func parseHosts(cfg *RawConfig) (*trie.DomainTrie, error) {
 			if ip == nil {
 				return nil, fmt.Errorf("%s is not a valid IP", ipStr)
 			}
-			tree.Insert(domain, ip)
+			_ = tree.Insert(domain, ip)
 		}
 	}

@ -465,7 +604,7 @@ func hostWithDefaultPort(host string, defPort string) (string, error) {
 }

 func parseNameServer(servers []string) ([]dns.NameServer, error) {
-	nameservers := []dns.NameServer{}
+	var nameservers []dns.NameServer

 	for idx, server := range servers {
 		// parse without scheme .e.g 8.8.8.8:53
@ -495,6 +634,9 @@ func parseNameServer(servers []string) ([]dns.NameServer, error) {
 		case "dhcp":
 			addr = u.Host
 			dnsNetType = "dhcp" // UDP from DHCP
+		case "quic":
+			addr, err = hostWithDefaultPort(u.Host, "784")
+			dnsNetType = "quic" // DNS over QUIC
 		default:
 			return nil, fmt.Errorf("DNS NameServer[%d] unsupport scheme: %s", idx, u.Scheme)
 		}
@ -508,6 +650,8 @@ func parseNameServer(servers []string) ([]dns.NameServer, error) {
 			dns.NameServer{
 				Net:          dnsNetType,
 				Addr:         addr,
+				ProxyAdapter: u.Fragment,
+				Interface:    dialer.DefaultInterface.Load(),
 			},
 		)
 	}
@ -532,7 +676,7 @@ func parseNameServerPolicy(nsPolicy map[string]string) (map[string]dns.NameServe
 }

 func parseFallbackIPCIDR(ips []string) ([]*net.IPNet, error) {
-	ipNets := []*net.IPNet{}
+	var ipNets []*net.IPNet

 	for idx, ip := range ips {
 		_, ipnet, err := net.ParseCIDR(ip)
@ -545,7 +689,42 @@ func parseFallbackIPCIDR(ips []string) ([]*net.IPNet, error) {
 	return ipNets, nil
 }

-func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie) (*DNS, error) {
+func parseFallbackGeoSite(countries []string, rules []C.Rule) ([]*router.DomainMatcher, error) {
+	var sites []*router.DomainMatcher
+	if len(countries) > 0 {
+		if err := initGeoSite(); err != nil {
+			return nil, fmt.Errorf("can't initial GeoSite: %s", err)
+		}
+	}
+
+	for _, country := range countries {
+		found := false
+		for _, rule := range rules {
+			if rule.RuleType() == C.GEOSITE {
+				if strings.EqualFold(country, rule.Payload()) {
+					found = true
+					sites = append(sites, rule.(C.RuleGeoSite).GetDomainMatcher())
+					log.Infoln("Start initial GeoSite dns fallback filter from rule `%s`", country)
+				}
+			}
+		}
+
+		if !found {
+			matcher, recordsCount, err := geodata.LoadGeoSiteMatcher(country)
+			if err != nil {
+				return nil, err
+			}
+
+			sites = append(sites, matcher)
+
+			log.Infoln("Start initial GeoSite dns fallback filter `%s`, records: %d", country, recordsCount)
+		}
+	}
+	runtime.GC()
+	return sites, nil
+}
+
+func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie, rules []C.Rule) (*DNS, error) {
 	cfg := rawCfg.DNS
 	if cfg.Enable && len(cfg.NameServer) == 0 {
 		return nil, fmt.Errorf("if DNS configuration is turned on, NameServer cannot be empty")
@ -558,6 +737,7 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie) (*DNS, error) {
 		EnhancedMode: cfg.EnhancedMode,
 		FallbackFilter: FallbackFilter{
 			IPCIDR:  []*net.IPNet{},
+			GeoSite: []*router.DomainMatcher{},
 		},
 	}
 	var err error
@ -573,6 +753,10 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie) (*DNS, error) {
 		return nil, err
 	}

+	if dnsCfg.ProxyServerNameserver, err = parseNameServer(cfg.ProxyServerNameserver); err != nil {
+		return nil, err
+	}
+
 	if len(cfg.DefaultNameserver) == 0 {
 		return nil, errors.New("default nameserver should have at least one nameserver")
 	}
@ -598,7 +782,19 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie) (*DNS, error) {
 		if len(cfg.FakeIPFilter) != 0 {
 			host = trie.New()
 			for _, domain := range cfg.FakeIPFilter {
-				host.Insert(domain, true)
+				_ = host.Insert(domain, true)
+			}
+		}
+
+		if len(dnsCfg.Fallback) != 0 {
+			if host == nil {
+				host = trie.New()
+			}
+			for _, fb := range dnsCfg.Fallback {
+				if net.ParseIP(fb.Addr) != nil {
+					continue
+				}
+				_ = host.Insert(fb.Addr, true)
 			}
 		}

@ -615,12 +811,19 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie) (*DNS, error) {
 		dnsCfg.FakeIPRange = pool
 	}

+	if len(cfg.Fallback) != 0 {
 		dnsCfg.FallbackFilter.GeoIP = cfg.FallbackFilter.GeoIP
 		dnsCfg.FallbackFilter.GeoIPCode = cfg.FallbackFilter.GeoIPCode
 		if fallbackip, err := parseFallbackIPCIDR(cfg.FallbackFilter.IPCIDR); err == nil {
 			dnsCfg.FallbackFilter.IPCIDR = fallbackip
 		}
 		dnsCfg.FallbackFilter.Domain = cfg.FallbackFilter.Domain
+		fallbackGeoSite, err := parseFallbackGeoSite(cfg.FallbackFilter.GeoSite, rules)
+		if err != nil {
+			return nil, fmt.Errorf("load GeoSite dns fallback filter error, %w", err)
+		}
+		dnsCfg.FallbackFilter.GeoSite = fallbackGeoSite
+	}

 	if cfg.UseHosts {
 		dnsCfg.Hosts = hosts
@ -630,7 +833,7 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie) (*DNS, error) {
 }

 func parseAuthentication(rawRecords []string) []auth.AuthUser {
-	users := []auth.AuthUser{}
+	var users []auth.AuthUser
 	for _, line := range rawRecords {
 		if user, pass, found := strings.Cut(line, ":"); found {
 			users = append(users, auth.AuthUser{User: user, Pass: pass})
@ -638,3 +841,39 @@ func parseAuthentication(rawRecords []string) []auth.AuthUser {
 	}
 	return users
 }
+
+func parseTun(rawTun RawTun, general *General) (*Tun, error) {
+	if (rawTun.Enable || general.TProxyPort != 0) && general.Interface == "" {
+		autoDetectInterfaceName, err := commons.GetAutoDetectInterface()
+		if err != nil || autoDetectInterfaceName == "" {
+			log.Warnln("Can not find auto detect interface.[%s]", err)
+		} else {
+			log.Warnln("Auto detect interface: %s", autoDetectInterfaceName)
+		}
+
+		general.Interface = autoDetectInterfaceName
+	}
+
+	var dnsHijack []netip.AddrPort
+
+	for _, d := range rawTun.DNSHijack {
+		if _, after, ok := strings.Cut(d, "://"); ok {
+			d = after
+		}
+
+		addrPort, err := netip.ParseAddrPort(d)
+		if err != nil {
+			return nil, fmt.Errorf("parse dns-hijack url error: %w", err)
+		}
+
+		dnsHijack = append(dnsHijack, addrPort)
+	}
+
+	return &Tun{
+		Enable:    rawTun.Enable,
+		Device:    rawTun.Device,
+		Stack:     rawTun.Stack,
+		DNSHijack: dnsHijack,
+		AutoRoute: rawTun.AutoRoute,
+	}, nil
+}
--- a/config/initial.go
+++ b/config/initial.go
@ -2,17 +2,20 @@ package config

 import (
 	"fmt"
+	"github.com/Dreamacro/clash/component/geodata"
+	"github.com/Dreamacro/clash/component/mmdb"
 	"io"
 	"net/http"
 	"os"

-	"github.com/Dreamacro/clash/component/mmdb"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
 )

+var initMode = true
+
 func downloadMMDB(path string) (err error) {
-	resp, err := http.Get("https://cdn.jsdelivr.net/gh/Dreamacro/maxmind-geoip@release/Country.mmdb")
+	resp, err := http.Get("https://raw.githubusercontents.com/Loyalsoldier/geoip/release/Country.mmdb")
 	if err != nil {
 		return
 	}
@ -28,7 +31,84 @@ func downloadMMDB(path string) (err error) {
 	return err
 }

-func initMMDB() error {
+func downloadGeoIP(path string) (err error) {
+	resp, err := http.Get("https://raw.githubusercontents.com/Loyalsoldier/v2ray-rules-dat/release/geoip.dat")
+	if err != nil {
+		return
+	}
+	defer resp.Body.Close()
+
+	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0o644)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	_, err = io.Copy(f, resp.Body)
+
+	return err
+}
+
+func downloadGeoSite(path string) (err error) {
+	resp, err := http.Get("https://raw.githubusercontents.com/Loyalsoldier/v2ray-rules-dat/release/geosite.dat")
+	if err != nil {
+		return
+	}
+	defer resp.Body.Close()
+
+	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0o644)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	_, err = io.Copy(f, resp.Body)
+
+	return err
+}
+
+func initGeoSite() error {
+	if _, err := os.Stat(C.Path.GeoSite()); os.IsNotExist(err) {
+		log.Infoln("Can't find GeoSite.dat, start download")
+		if err := downloadGeoSite(C.Path.GeoSite()); err != nil {
+			return fmt.Errorf("can't download GeoSite.dat: %s", err.Error())
+		}
+		log.Infoln("Download GeoSite.dat finish")
+	}
+	if initMode {
+		if !geodata.Verify(C.GeositeName) {
+			log.Warnln("GeoSite.dat invalid, remove and download")
+			if err := os.Remove(C.Path.GeoSite()); err != nil {
+				return fmt.Errorf("can't remove invalid GeoSite.dat: %s", err.Error())
+			}
+			if err := downloadGeoSite(C.Path.GeoSite()); err != nil {
+				return fmt.Errorf("can't download GeoSite.dat: %s", err.Error())
+			}
+		}
+	}
+	return nil
+}
+
+func initGeoIP() error {
+	if C.GeodataMode {
+		if _, err := os.Stat(C.Path.GeoIP()); os.IsNotExist(err) {
+			log.Infoln("Can't find GeoIP.dat, start download")
+			if err := downloadGeoIP(C.Path.GeoIP()); err != nil {
+				return fmt.Errorf("can't download GeoIP.dat: %s", err.Error())
+			}
+			log.Infoln("Download GeoIP.dat finish")
+		}
+
+		if !geodata.Verify(C.GeoipName) {
+			log.Warnln("GeoIP.dat invalid, remove and download")
+			if err := os.Remove(C.Path.GeoIP()); err != nil {
+				return fmt.Errorf("can't remove invalid GeoIP.dat: %s", err.Error())
+			}
+			if err := downloadGeoIP(C.Path.GeoIP()); err != nil {
+				return fmt.Errorf("can't download GeoIP.dat: %s", err.Error())
+			}
+		}
+		return nil
+	}
+
 	if _, err := os.Stat(C.Path.MMDB()); os.IsNotExist(err) {
 		log.Infoln("Can't find MMDB, start download")
 		if err := downloadMMDB(C.Path.MMDB()); err != nil {
@ -69,10 +149,20 @@ func Init(dir string) error {
 		f.Write([]byte(`mixed-port: 7890`))
 		f.Close()
 	}
-
-	// initial mmdb
-	if err := initMMDB(); err != nil {
-		return fmt.Errorf("can't initial MMDB: %w", err)
+	buf, _ := os.ReadFile(C.Path.Config())
+	rawCfg, err := UnmarshalRawConfig(buf)
+	if err != nil {
+		log.Errorln(err.Error())
+		fmt.Printf("configuration file %s test failed\n", C.Path.Config())
+		os.Exit(1)
 	}
+	if !C.GeodataMode {
+		C.GeodataMode = rawCfg.GeodataMode
+	}
+	// initial GeoIP
+	if err := initGeoIP(); err != nil {
+		return fmt.Errorf("can't initial GeoIP: %w", err)
+	}
+
 	return nil
 }
--- a/constant/adapters.go
+++ b/constant/adapters.go
@ -13,6 +13,14 @@ import (
 const (
 	Direct AdapterType = iota
 	Reject
+	Compatible
+	Pass
+
+	Relay
+	Selector
+	Fallback
+	URLTest
+	LoadBalance

 	Shadowsocks
 	ShadowsocksR
@ -20,13 +28,8 @@ const (
 	Socks5
 	Http
 	Vmess
+	Vless
 	Trojan
-
-	Relay
-	Selector
-	Fallback
-	URLTest
-	LoadBalance
 )

 const (
@ -128,7 +131,10 @@ func (at AdapterType) String() string {
 		return "Direct"
 	case Reject:
 		return "Reject"
-
+	case Compatible:
+		return "Compatible"
+	case Pass:
+		return "Pass"
 	case Shadowsocks:
 		return "Shadowsocks"
 	case ShadowsocksR:
@ -141,6 +147,8 @@ func (at AdapterType) String() string {
 		return "Http"
 	case Vmess:
 		return "Vmess"
+	case Vless:
+		return "Vless"
 	case Trojan:
 		return "Trojan"

--- a/constant/geodata.go
+++ b/constant/geodata.go
@ -0,0 +1,3 @@
+package constant
+
+var GeodataMode bool
--- a/constant/metadata.go
+++ b/constant/metadata.go
@ -2,6 +2,7 @@ package constant

 import (
 	"encoding/json"
+	"fmt"
 	"net"
 	"strconv"
 )
@ -14,6 +15,7 @@ const (

 	TCP NetWork = iota
 	UDP
+	ALLNet

 	HTTP Type = iota
 	HTTPCONNECT
@ -21,6 +23,8 @@ const (
 	SOCKS5
 	REDIR
 	TPROXY
+	TUN
+	INNER
 )

 type NetWork int
@ -28,9 +32,11 @@ type NetWork int
 func (n NetWork) String() string {
 	if n == TCP {
 		return "tcp"
-	}
+	} else if n == UDP {
 		return "udp"
 	}
+	return "all"
+}

 func (n NetWork) MarshalJSON() ([]byte, error) {
 	return json.Marshal(n.String())
@ -52,6 +58,10 @@ func (t Type) String() string {
 		return "Redir"
 	case TPROXY:
 		return "TProxy"
+	case TUN:
+		return "Tun"
+	case INNER:
+		return "Inner"
 	default:
 		return "Unknown"
 	}
@ -72,6 +82,7 @@ type Metadata struct {
 	AddrType    int     `json:"-"`
 	Host        string  `json:"host"`
 	DNSMode     DNSMode `json:"dnsMode"`
+	Process     string  `json:"process"`
 	ProcessPath string  `json:"processPath"`
 }

@ -83,6 +94,18 @@ func (m *Metadata) SourceAddress() string {
 	return net.JoinHostPort(m.SrcIP.String(), m.SrcPort)
 }

+func (m *Metadata) SourceDetail() string {
+	if m.Process != "" {
+		return fmt.Sprintf("%s(%s)", m.SourceAddress(), m.Process)
+	} else {
+		if m.Type == INNER {
+			return fmt.Sprintf("[Clash]")
+		}
+
+		return fmt.Sprintf("%s", m.SourceAddress())
+	}
+}
+
 func (m *Metadata) Resolved() bool {
 	return m.DstIP != nil
 }
--- a/constant/path.go
+++ b/constant/path.go
@ -1,13 +1,20 @@
 package constant

 import (
+	"io/ioutil"
 	"os"
 	P "path"
 	"path/filepath"
+	"strings"
 )

 const Name = "clash"

+var (
+	GeositeName = "GeoSite.dat"
+	GeoipName   = "GeoIP.dat"
+)
+
 // Path is used to get the configuration path
 var Path = func() *path {
 	homeDir, err := os.UserHomeDir()
@ -22,6 +29,7 @@ var Path = func() *path {
 type path struct {
 	homeDir    string
 	configFile string
+	scriptDir  string
 }

 // SetHomeDir is used to set the configuration path
@ -47,11 +55,25 @@ func (p *path) Resolve(path string) string {
 	if !filepath.IsAbs(path) {
 		return filepath.Join(p.HomeDir(), path)
 	}
-
 	return path
 }

 func (p *path) MMDB() string {
+	files, err := ioutil.ReadDir(p.homeDir)
+	if err != nil {
+		return ""
+	}
+	for _, fi := range files {
+		if fi.IsDir() {
+			// 目录则直接跳过
+			continue
+		} else {
+			if strings.EqualFold(fi.Name(), "Country.mmdb") {
+				GeoipName = fi.Name()
+				return P.Join(p.homeDir, fi.Name())
+			}
+		}
+	}
 	return P.Join(p.homeDir, "Country.mmdb")
 }

@ -62,3 +84,71 @@ func (p *path) OldCache() string {
 func (p *path) Cache() string {
 	return P.Join(p.homeDir, "cache.db")
 }
+
+func (p *path) GeoIP() string {
+	files, err := ioutil.ReadDir(p.homeDir)
+	if err != nil {
+		return ""
+	}
+	for _, fi := range files {
+		if fi.IsDir() {
+			// 目录则直接跳过
+			continue
+		} else {
+			if strings.EqualFold(fi.Name(), "GeoIP.dat") {
+				GeoipName = fi.Name()
+				return P.Join(p.homeDir, fi.Name())
+			}
+		}
+	}
+	return P.Join(p.homeDir, "GeoIP.dat")
+}
+
+func (p *path) GeoSite() string {
+	files, err := ioutil.ReadDir(p.homeDir)
+	if err != nil {
+		return ""
+	}
+	for _, fi := range files {
+		if fi.IsDir() {
+			// 目录则直接跳过
+			continue
+		} else {
+			if strings.EqualFold(fi.Name(), "GeoSite.dat") {
+				GeositeName = fi.Name()
+				return P.Join(p.homeDir, fi.Name())
+			}
+		}
+	}
+	return P.Join(p.homeDir, "GeoSite.dat")
+}
+
+func (p *path) ScriptDir() string {
+	if len(p.scriptDir) != 0 {
+		return p.scriptDir
+	}
+	if dir, err := os.MkdirTemp("", Name+"-"); err == nil {
+		p.scriptDir = dir
+	} else {
+		p.scriptDir = P.Join(os.TempDir(), Name)
+		_ = os.MkdirAll(p.scriptDir, 0o644)
+	}
+	return p.scriptDir
+}
+
+func (p *path) Script() string {
+	return P.Join(p.ScriptDir(), "clash_script.py")
+}
+
+func (p *path) GetAssetLocation(file string) string {
+	return P.Join(p.homeDir, file)
+}
+
+func (p *path) GetExecutableFullPath() string {
+	exePath, err := os.Executable()
+	if err != nil {
+		return "clash"
+	}
+	res, _ := filepath.EvalSymlinks(exePath)
+	return res
+}
--- a/constant/rule.go
+++ b/constant/rule.go
@ -5,6 +5,7 @@ const (
 	Domain RuleType = iota
 	DomainSuffix
 	DomainKeyword
+	GEOSITE
 	GEOIP
 	IPCIDR
 	SrcIPCIDR
@ -12,7 +13,13 @@ const (
 	DstPort
 	Process
 	ProcessPath
+	Script
+	RuleSet
+	Network
 	MATCH
+	AND
+	OR
+	NOT
 )

 type RuleType int
@ -25,6 +32,8 @@ func (rt RuleType) String() string {
 		return "DomainSuffix"
 	case DomainKeyword:
 		return "DomainKeyword"
+	case GEOSITE:
+		return "GeoSite"
 	case GEOIP:
 		return "GeoIP"
 	case IPCIDR:
@ -39,8 +48,20 @@ func (rt RuleType) String() string {
 		return "Process"
 	case ProcessPath:
 		return "ProcessPath"
+	case Script:
+		return "Script"
 	case MATCH:
 		return "Match"
+	case RuleSet:
+		return "RuleSet"
+	case Network:
+		return "Network"
+	case AND:
+		return "AND"
+	case OR:
+		return "OR"
+	case NOT:
+		return "NOT"
 	default:
 		return "Unknown"
 	}
@ -53,4 +74,6 @@ type Rule interface {
 	Payload() string
 	ShouldResolveIP() bool
 	ShouldFindProcess() bool
+	RuleExtra() *RuleExtra
+	SetRuleExtra(re *RuleExtra)
 }
--- a/constant/rule_extra.go
+++ b/constant/rule_extra.go
@ -0,0 +1,48 @@
+package constant
+
+import (
+	"net"
+	"strings"
+
+	"github.com/Dreamacro/clash/component/geodata/router"
+)
+
+type RuleExtra struct {
+	Network      NetWork
+	SourceIPs    []*net.IPNet
+	ProcessNames []string
+}
+
+func (re *RuleExtra) NotMatchNetwork(network NetWork) bool {
+	return re.Network != ALLNet && re.Network != network
+}
+
+func (re *RuleExtra) NotMatchSourceIP(srcIP net.IP) bool {
+	if re.SourceIPs == nil {
+		return false
+	}
+
+	for _, ips := range re.SourceIPs {
+		if ips.Contains(srcIP) {
+			return false
+		}
+	}
+	return true
+}
+
+func (re *RuleExtra) NotMatchProcessName(processName string) bool {
+	if re.ProcessNames == nil {
+		return false
+	}
+
+	for _, pn := range re.ProcessNames {
+		if strings.EqualFold(pn, processName) {
+			return false
+		}
+	}
+	return true
+}
+
+type RuleGeoSite interface {
+	GetDomainMatcher() *router.DomainMatcher
+}
--- a/constant/tun.go
+++ b/constant/tun.go
@ -0,0 +1,66 @@
+package constant
+
+import (
+	"encoding/json"
+	"errors"
+	"strings"
+)
+
+var StackTypeMapping = map[string]TUNStack{
+	strings.ToUpper(TunGvisor.String()): TunGvisor,
+	strings.ToUpper(TunSystem.String()): TunSystem,
+}
+
+const (
+	TunGvisor TUNStack = iota
+	TunSystem
+)
+
+type TUNStack int
+
+// UnmarshalYAML unserialize TUNStack with yaml
+func (e *TUNStack) UnmarshalYAML(unmarshal func(any) error) error {
+	var tp string
+	if err := unmarshal(&tp); err != nil {
+		return err
+	}
+	mode, exist := StackTypeMapping[strings.ToUpper(tp)]
+	if !exist {
+		return errors.New("invalid tun stack")
+	}
+	*e = mode
+	return nil
+}
+
+// MarshalYAML serialize TUNStack with yaml
+func (e TUNStack) MarshalYAML() (any, error) {
+	return e.String(), nil
+}
+
+// UnmarshalJSON unserialize TUNStack with json
+func (e *TUNStack) UnmarshalJSON(data []byte) error {
+	var tp string
+	json.Unmarshal(data, &tp)
+	mode, exist := StackTypeMapping[strings.ToUpper(tp)]
+	if !exist {
+		return errors.New("invalid tun stack")
+	}
+	*e = mode
+	return nil
+}
+
+// MarshalJSON serialize TUNStack with json
+func (e TUNStack) MarshalJSON() ([]byte, error) {
+	return json.Marshal(e.String())
+}
+
+func (e TUNStack) String() string {
+	switch e {
+	case TunGvisor:
+		return "gVisor"
+	case TunSystem:
+		return "System"
+	default:
+		return "unknown"
+	}
+}
--- a/constant/version.go
+++ b/constant/version.go
@ -1,6 +1,8 @@
 package constant

 var (
-	Version   = "unknown version"
+	Meta      = true
+	Version   = "1.10.0"
 	BuildTime = "unknown time"
+	ClashName = "Clash.Meta"
 )
--- a/dns/client.go
+++ b/dns/client.go
@ -19,6 +19,7 @@ type client struct {
 	port         string
 	host         string
 	iface        string
+	proxyAdapter string
 }

 func (c *client) Exchange(m *D.Msg) (*D.Msg, error) {
@ -30,15 +31,15 @@ func (c *client) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error)
 		ip  net.IP
 		err error
 	)
-	if c.r == nil {
-		// a default ip dns
 	if ip = net.ParseIP(c.host); ip == nil {
+		if c.r == nil {
 			return nil, fmt.Errorf("dns %s not a valid ip", c.host)
-		}
 		} else {
 			if ip, err = resolver.ResolveIPWithResolver(c.host, c.r); err != nil {
 				return nil, fmt.Errorf("use default dns resolve failed: %w", err)
 			}
+			c.host = ip.String()
+		}
 	}

 	network := "udp"
@ -50,7 +51,14 @@ func (c *client) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error)
 	if c.iface != "" {
 		options = append(options, dialer.WithInterface(c.iface))
 	}
-	conn, err := dialer.DialContext(ctx, network, net.JoinHostPort(ip.String(), c.port), options...)
+
+	var conn net.Conn
+	if c.proxyAdapter == "" {
+		conn, err = dialer.DialContext(ctx, network, net.JoinHostPort(ip.String(), c.port), options...)
+	} else {
+		conn, err = dialContextWithProxyAdapter(ctx, c.proxyAdapter, network, ip, c.port, options...)
+	}
+
 	if err != nil {
 		return nil, err
 	}
--- a/dns/doh.go
+++ b/dns/doh.go
@ -20,6 +20,7 @@ const (

 type dohClient struct {
 	url          string
+	proxyAdapter string
 	transport    *http.Transport
 }

@ -62,7 +63,7 @@ func (dc *dohClient) newRequest(m *D.Msg) (*http.Request, error) {
 	return req, nil
 }

-func (dc *dohClient) doRequest(req *http.Request) (msg *D.Msg, err error) {
+func (dc *dohClient) doRequest(req *http.Request) (*D.Msg, error) {
 	client := &http.Client{Transport: dc.transport}
 	resp, err := client.Do(req)
 	if err != nil {
@ -74,14 +75,15 @@ func (dc *dohClient) doRequest(req *http.Request) (msg *D.Msg, err error) {
 	if err != nil {
 		return nil, err
 	}
-	msg = &D.Msg{}
+	msg := &D.Msg{}
 	err = msg.Unpack(buf)
 	return msg, err
 }

-func newDoHClient(url string, r *Resolver) *dohClient {
+func newDoHClient(url string, r *Resolver, proxyAdapter string) *dohClient {
 	return &dohClient{
 		url:          url,
+		proxyAdapter: proxyAdapter,
 		transport: &http.Transport{
 			ForceAttemptHTTP2: true,
 			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
@ -95,7 +97,11 @@ func newDoHClient(url string, r *Resolver) *dohClient {
 					return nil, err
 				}

+				if proxyAdapter == "" {
 					return dialer.DialContext(ctx, "tcp", net.JoinHostPort(ip.String(), port))
+				} else {
+					return dialContextWithProxyAdapter(ctx, proxyAdapter, "tcp", ip, port)
+				}
 			},
 		},
 	}
--- a/dns/enhancer.go
+++ b/dns/enhancer.go
@ -40,7 +40,19 @@ func (h *ResolverEnhancer) IsFakeIP(ip net.IP) bool {
 	}

 	if pool := h.fakePool; pool != nil {
-		return pool.IPNet().Contains(ip) && !pool.Gateway().Equal(ip)
+		return pool.IPNet().Contains(ip) && !pool.Gateway().Equal(ip) && !pool.Broadcast().Equal(ip)
+	}
+
+	return false
+}
+
+func (h *ResolverEnhancer) IsFakeBroadcastIP(ip net.IP) bool {
+	if !h.FakeIPEnabled() {
+		return false
+	}
+
+	if pool := h.fakePool; pool != nil {
+		return pool.Broadcast().Equal(ip)
 	}

 	return false
@ -72,6 +84,13 @@ func (h *ResolverEnhancer) PatchFrom(o *ResolverEnhancer) {
 	}
 }

+func (h *ResolverEnhancer) FlushFakeIP() error {
+	if h.fakePool != nil {
+		return h.fakePool.FlushFakeIP()
+	}
+	return nil
+}
+
 func NewEnhancer(cfg Config) *ResolverEnhancer {
 	var fakePool *fakeip.Pool
 	var mapping *cache.LruCache
--- a/dns/filters.go
+++ b/dns/filters.go
@ -1,11 +1,14 @@
 package dns

 import (
-	"net"
-	"strings"
-
+	"github.com/Dreamacro/clash/component/geodata"
+	"github.com/Dreamacro/clash/component/geodata/router"
 	"github.com/Dreamacro/clash/component/mmdb"
 	"github.com/Dreamacro/clash/component/trie"
+	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/log"
+	"net"
+	"strings"
 )

 type fallbackIPFilter interface {
@ -16,11 +19,44 @@ type geoipFilter struct {
 	code string
 }

+var geoIPMatcher *router.GeoIPMatcher
+
 func (gf *geoipFilter) Match(ip net.IP) bool {
+	if !C.GeodataMode {
 		record, _ := mmdb.Instance().Country(ip)
 		return !strings.EqualFold(record.Country.IsoCode, gf.code) && !ip.IsPrivate()
 	}

+	if geoIPMatcher == nil {
+		countryCode := "cn"
+		geoLoader, err := geodata.GetGeoDataLoader(geodata.LoaderName())
+		if err != nil {
+			log.Errorln("[GeoIPFilter] GetGeoDataLoader error: %s", err.Error())
+			return false
+		}
+
+		records, err := geoLoader.LoadGeoIP(countryCode)
+		if err != nil {
+			log.Errorln("[GeoIPFilter] LoadGeoIP error: %s", err.Error())
+			return false
+		}
+
+		geoIP := &router.GeoIP{
+			CountryCode:  countryCode,
+			Cidr:         records,
+			ReverseMatch: false,
+		}
+
+		geoIPMatcher, err = router.NewGeoIPMatcher(geoIP)
+
+		if err != nil {
+			log.Errorln("[GeoIPFilter] NewGeoIPMatcher error: %s", err.Error())
+			return false
+		}
+	}
+	return !geoIPMatcher.Match(ip)
+}
+
 type ipnetFilter struct {
 	ipnet *net.IPNet
 }
@ -48,3 +84,16 @@ func NewDomainFilter(domains []string) *domainFilter {
 func (df *domainFilter) Match(domain string) bool {
 	return df.tree.Search(domain) != nil
 }
+
+type geoSiteFilter struct {
+	matchers []*router.DomainMatcher
+}
+
+func (gsf *geoSiteFilter) Match(domain string) bool {
+	for _, matcher := range gsf.matchers {
+		if matcher.ApplyDomain(domain) {
+			return true
+		}
+	}
+	return false
+}
--- a/dns/middleware.go
+++ b/dns/middleware.go
@ -172,7 +172,7 @@ func compose(middlewares []middleware, endpoint handler) handler {
 	return h
 }

-func newHandler(resolver *Resolver, mapper *ResolverEnhancer) handler {
+func NewHandler(resolver *Resolver, mapper *ResolverEnhancer) handler {
 	middlewares := []middleware{}

 	if resolver.hosts != nil {
--- a/dns/patch.go
+++ b/dns/patch.go
@ -0,0 +1,16 @@
+package dns
+
+import D "github.com/miekg/dns"
+
+type LocalServer struct {
+	handler handler
+}
+
+// ServeMsg implement resolver.LocalServer ResolveMsg
+func (s *LocalServer) ServeMsg(msg *D.Msg) (*D.Msg, error) {
+	return handlerWithContext(s.handler, msg)
+}
+
+func NewLocalServer(resolver *Resolver, mapper *ResolverEnhancer) *LocalServer {
+	return &LocalServer{handler: NewHandler(resolver, mapper)}
+}
--- a/dns/quic.go
+++ b/dns/quic.go
@ -0,0 +1,146 @@
+package dns
+
+import (
+	"bytes"
+	"context"
+	"crypto/tls"
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/Dreamacro/clash/log"
+	"github.com/lucas-clemente/quic-go"
+	D "github.com/miekg/dns"
+)
+
+const NextProtoDQ = "doq-i00"
+
+var bytesPool = sync.Pool{New: func() interface{} { return &bytes.Buffer{} }}
+
+type quicClient struct {
+	addr         string
+	session      quic.Session
+	sync.RWMutex // protects session and bytesPool
+}
+
+func (dc *quicClient) Exchange(m *D.Msg) (msg *D.Msg, err error) {
+	return dc.ExchangeContext(context.Background(), m)
+}
+
+func (dc *quicClient) ExchangeContext(ctx context.Context, m *D.Msg) (msg *D.Msg, err error) {
+	stream, err := dc.openStream(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open new stream to %s", dc.addr)
+	}
+
+	buf, err := m.Pack()
+	if err != nil {
+		return nil, err
+	}
+
+	_, err = stream.Write(buf)
+	if err != nil {
+		return nil, err
+	}
+
+	// The client MUST send the DNS query over the selected stream, and MUST
+	// indicate through the STREAM FIN mechanism that no further data will
+	// be sent on that stream.
+	// stream.Close() -- closes the write-direction of the stream.
+	_ = stream.Close()
+
+	respBuf := bytesPool.Get().(*bytes.Buffer)
+	defer bytesPool.Put(respBuf)
+	defer respBuf.Reset()
+
+	n, err := respBuf.ReadFrom(stream)
+	if err != nil && n == 0 {
+		return nil, err
+	}
+
+	reply := new(D.Msg)
+	err = reply.Unpack(respBuf.Bytes())
+	if err != nil {
+		return nil, err
+	}
+
+	return reply, nil
+}
+
+func isActive(s quic.Session) bool {
+	select {
+	case <-s.Context().Done():
+		return false
+	default:
+		return true
+	}
+}
+
+// getSession - opens or returns an existing quic.Session
+// useCached - if true and cached session exists, return it right away
+// otherwise - forcibly creates a new session
+func (dc *quicClient) getSession() (quic.Session, error) {
+	var session quic.Session
+	dc.RLock()
+	session = dc.session
+	if session != nil && isActive(session) {
+		dc.RUnlock()
+		return session, nil
+	}
+	if session != nil {
+		// we're recreating the session, let's create a new one
+		_ = session.CloseWithError(0, "")
+	}
+	dc.RUnlock()
+
+	dc.Lock()
+	defer dc.Unlock()
+
+	var err error
+	session, err = dc.openSession()
+	if err != nil {
+		// This does not look too nice, but QUIC (or maybe quic-go)
+		// doesn't seem stable enough.
+		// Maybe retransmissions aren't fully implemented in quic-go?
+		// Anyways, the simple solution is to make a second try when
+		// it fails to open the QUIC session.
+		session, err = dc.openSession()
+		if err != nil {
+			return nil, err
+		}
+	}
+	dc.session = session
+	return session, nil
+}
+
+func (dc *quicClient) openSession() (quic.Session, error) {
+	tlsConfig := &tls.Config{
+		InsecureSkipVerify: true,
+		NextProtos: []string{
+			"http/1.1", "h2", NextProtoDQ,
+		},
+		SessionTicketsDisabled: false,
+	}
+	quicConfig := &quic.Config{
+		ConnectionIDLength:   12,
+		HandshakeIdleTimeout: time.Second * 8,
+	}
+
+	log.Debugln("opening session to %s", dc.addr)
+	session, err := quic.DialAddrContext(context.Background(), dc.addr, tlsConfig, quicConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open QUIC session: %w", err)
+	}
+
+	return session, nil
+}
+
+func (dc *quicClient) openStream(ctx context.Context) (quic.Stream, error) {
+	session, err := dc.getSession()
+	if err != nil {
+		return nil, err
+	}
+
+	// open a new stream
+	return session.OpenStreamSync(ctx)
+}
--- a/dns/resolver.go
+++ b/dns/resolver.go
@ -12,6 +12,7 @@ import (
 	"github.com/Dreamacro/clash/common/cache"
 	"github.com/Dreamacro/clash/common/picker"
 	"github.com/Dreamacro/clash/component/fakeip"
+	"github.com/Dreamacro/clash/component/geodata/router"
 	"github.com/Dreamacro/clash/component/resolver"
 	"github.com/Dreamacro/clash/component/trie"
 	C "github.com/Dreamacro/clash/constant"
@ -40,6 +41,7 @@ type Resolver struct {
 	group                 singleflight.Group
 	lruCache              *cache.LruCache
 	policy                *trie.DomainTrie
+	proxyServer           []dnsClient
 }

 // ResolveIP request with TypeA and TypeAAAA, priority return TypeA
@ -230,25 +232,23 @@ func (r *Resolver) ipExchange(ctx context.Context, m *D.Msg) (msg *D.Msg, err er

 	msgCh := r.asyncExchange(ctx, r.main, m)

-	if r.fallback == nil { // directly return if no fallback servers are available
+	if r.fallback == nil || len(r.fallback) == 0 { // directly return if no fallback servers are available
 		res := <-msgCh
 		msg, err = res.Msg, res.Error
 		return
 	}

-	fallbackMsg := r.asyncExchange(ctx, r.fallback, m)
 	res := <-msgCh
 	if res.Error == nil {
 		if ips := msgToIP(res.Msg); len(ips) != 0 {
 			if !r.shouldIPFallback(ips[0]) {
-				msg = res.Msg // no need to wait for fallback result
-				err = res.Error
-				return msg, err
+				msg, err = res.Msg, res.Error // no need to wait for fallback result
+				return
 			}
 		}
 	}

-	res = <-fallbackMsg
+	res = <-r.asyncExchange(ctx, r.fallback, m)
 	msg, err = res.Msg, res.Error
 	return
 }
@ -301,10 +301,16 @@ func (r *Resolver) asyncExchange(ctx context.Context, client []dnsClient, msg *D
 	return ch
 }

+// HasProxyServer has proxy server dns client
+func (r *Resolver) HasProxyServer() bool {
+	return len(r.main) > 0
+}
+
 type NameServer struct {
 	Net          string
 	Addr         string
 	Interface    string
+	ProxyAdapter string
 }

 type FallbackFilter struct {
@ -312,11 +318,13 @@ type FallbackFilter struct {
 	GeoIPCode string
 	IPCIDR    []*net.IPNet
 	Domain    []string
+	GeoSite   []*router.DomainMatcher
 }

 type Config struct {
 	Main, Fallback []NameServer
 	Default        []NameServer
+	ProxyServer    []NameServer
 	IPv6           bool
 	EnhancedMode   C.DNSMode
 	FallbackFilter FallbackFilter
@ -342,6 +350,10 @@ func NewResolver(config Config) *Resolver {
 		r.fallback = transform(config.Fallback, defaultResolver)
 	}

+	if len(config.ProxyServer) != 0 {
+		r.proxyServer = transform(config.ProxyServer, defaultResolver)
+	}
+
 	if len(config.Policy) != 0 {
 		r.policy = trie.New()
 		for domain, nameserver := range config.Policy {
@ -360,10 +372,28 @@ func NewResolver(config Config) *Resolver {
 	}
 	r.fallbackIPFilters = fallbackIPFilters

+	fallbackDomainFilters := []fallbackDomainFilter{}
 	if len(config.FallbackFilter.Domain) != 0 {
-		fallbackDomainFilters := []fallbackDomainFilter{NewDomainFilter(config.FallbackFilter.Domain)}
-		r.fallbackDomainFilters = fallbackDomainFilters
+		fallbackDomainFilters = append(fallbackDomainFilters, NewDomainFilter(config.FallbackFilter.Domain))
 	}

+	if len(config.FallbackFilter.GeoSite) != 0 {
+		fallbackDomainFilters = append(fallbackDomainFilters, &geoSiteFilter{
+			matchers: config.FallbackFilter.GeoSite,
+		})
+	}
+	r.fallbackDomainFilters = fallbackDomainFilters
+
+	return r
+}
+
+func NewProxyServerHostResolver(old *Resolver) *Resolver {
+	r := &Resolver{
+		ipv6:     old.ipv6,
+		main:     old.proxyServer,
+		lruCache: old.lruCache,
+		hosts:    old.hosts,
+		policy:   old.policy,
+	}
 	return r
 }
--- a/dns/server.go
+++ b/dns/server.go
@ -43,14 +43,14 @@ func handlerWithContext(handler handler, msg *D.Msg) (*D.Msg, error) {
 	return handler(ctx, msg)
 }

-func (s *Server) setHandler(handler handler) {
+func (s *Server) SetHandler(handler handler) {
 	s.handler = handler
 }

 func ReCreateServer(addr string, resolver *Resolver, mapper *ResolverEnhancer) {
 	if addr == address && resolver != nil {
-		handler := newHandler(resolver, mapper)
-		server.setHandler(handler)
+		handler := NewHandler(resolver, mapper)
+		server.SetHandler(handler)
 		return
 	}

@ -94,7 +94,7 @@ func ReCreateServer(addr string, resolver *Resolver, mapper *ResolverEnhancer) {
 	}

 	address = addr
-	handler := newHandler(resolver, mapper)
+	handler := NewHandler(resolver, mapper)
 	server = &Server{handler: handler}
 	server.Server = &D.Server{Addr: addr, PacketConn: p, Handler: server}

--- a/dns/util.go
+++ b/dns/util.go
@ -1,12 +1,17 @@
 package dns

 import (
+	"context"
 	"crypto/tls"
+	"fmt"
 	"net"
 	"time"

 	"github.com/Dreamacro/clash/common/cache"
+	"github.com/Dreamacro/clash/component/dialer"
+	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
+	"github.com/Dreamacro/clash/tunnel"

 	D "github.com/miekg/dns"
 )
@ -51,11 +56,14 @@ func transform(servers []NameServer, resolver *Resolver) []dnsClient {
 	for _, s := range servers {
 		switch s.Net {
 		case "https":
-			ret = append(ret, newDoHClient(s.Addr, resolver))
+			ret = append(ret, newDoHClient(s.Addr, resolver, s.ProxyAdapter))
 			continue
 		case "dhcp":
 			ret = append(ret, newDHCPClient(s.Addr))
 			continue
+		case "quic":
+			ret = append(ret, &quicClient{addr: s.Addr})
+			continue
 		}

 		host, port, _ := net.SplitHostPort(s.Addr)
@ -74,6 +82,7 @@ func transform(servers []NameServer, resolver *Resolver) []dnsClient {
 			host:         host,
 			iface:        s.Interface,
 			r:            resolver,
+			proxyAdapter: s.ProxyAdapter,
 		})
 	}
 	return ret
@ -104,3 +113,63 @@ func msgToIP(msg *D.Msg) []net.IP {

 	return ips
 }
+
+type wrapPacketConn struct {
+	net.PacketConn
+	rAddr net.Addr
+}
+
+func (wpc *wrapPacketConn) Read(b []byte) (n int, err error) {
+	n, _, err = wpc.PacketConn.ReadFrom(b)
+	return n, err
+}
+
+func (wpc *wrapPacketConn) Write(b []byte) (n int, err error) {
+	return wpc.PacketConn.WriteTo(b, wpc.rAddr)
+}
+
+func (wpc *wrapPacketConn) RemoteAddr() net.Addr {
+	return wpc.rAddr
+}
+
+func dialContextWithProxyAdapter(ctx context.Context, adapterName string, network string, dstIP net.IP, port string, opts ...dialer.Option) (net.Conn, error) {
+	adapter, ok := tunnel.Proxies()[adapterName]
+	if !ok {
+		return nil, fmt.Errorf("proxy adapter [%s] not found", adapterName)
+	}
+
+	networkType := C.TCP
+	if network == "udp" {
+		if !adapter.SupportUDP() {
+			return nil, fmt.Errorf("proxy adapter [%s] UDP is not supported", adapterName)
+		}
+		networkType = C.UDP
+	}
+
+	addrType := C.AtypIPv4
+	if dstIP.To4() == nil {
+		addrType = C.AtypIPv6
+	}
+
+	metadata := &C.Metadata{
+		NetWork:  networkType,
+		AddrType: addrType,
+		Host:     "",
+		DstIP:    dstIP,
+		DstPort:  port,
+	}
+
+	if networkType == C.UDP {
+		packetConn, err := adapter.ListenPacketContext(ctx, metadata, opts...)
+		if err != nil {
+			return nil, err
+		}
+
+		return &wrapPacketConn{
+			PacketConn: packetConn,
+			rAddr:      metadata.UDPAddr(),
+		}, nil
+	}
+
+	return adapter.DialContext(ctx, metadata, opts...)
+}
--- a/go.mod
+++ b/go.mod
@ -4,34 +4,56 @@ go 1.18

 require (
 	github.com/Dreamacro/go-shadowsocks2 v0.1.7
+	github.com/dlclark/regexp2 v1.4.0
 	github.com/go-chi/chi/v5 v5.0.7
 	github.com/go-chi/cors v1.2.0
 	github.com/go-chi/render v1.0.1
 	github.com/gofrs/uuid v4.2.0+incompatible
 	github.com/gorilla/websocket v1.5.0
 	github.com/insomniacslk/dhcp v0.0.0-20220119180841-3c283ff8b7dd
+	github.com/lucas-clemente/quic-go v0.26.0
 	github.com/miekg/dns v1.1.47
-	github.com/oschwald/geoip2-golang v1.6.1
+	github.com/oschwald/geoip2-golang v1.7.0
 	github.com/sirupsen/logrus v1.8.1
 	github.com/stretchr/testify v1.7.1
+	github.com/xtls/go v0.0.0-20210920065950-d4af136d3672
 	go.etcd.io/bbolt v1.3.6
 	go.uber.org/atomic v1.9.0
 	go.uber.org/automaxprocs v1.4.0
-	golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd
-	golang.org/x/net v0.0.0-20220225172249-27dd8689420f
+	golang.org/x/crypto v0.0.0-20220321153916-2c7772ba3064
+	golang.org/x/net v0.0.0-20220325170049-de3da57026de
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/sys v0.0.0-20220315194320-039c03cc5b86
+	golang.org/x/sys v0.0.0-20220330033206-e17cdc41300f
+	golang.org/x/time v0.0.0-20220224211638-0e9765cccd65
+	golang.zx2c4.com/wireguard v0.0.0-20220318042302-193cf8d6a5d6
+	golang.zx2c4.com/wireguard/windows v0.5.4-0.20220317000008-6432784c2469
+	google.golang.org/protobuf v1.28.0
 	gopkg.in/yaml.v2 v2.4.0
+	gvisor.dev/gvisor v0.0.0-20220326024801-5d1f3d24cb84
 )

 require (
+	github.com/cheekybits/genny v1.0.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/oschwald/maxminddb-golang v1.8.0 // indirect
+	github.com/fsnotify/fsnotify v1.5.1 // indirect
+	github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
+	github.com/google/btree v1.0.1 // indirect
+	github.com/kr/pretty v0.2.1 // indirect
+	github.com/marten-seemann/qtls-go1-16 v0.1.5 // indirect
+	github.com/marten-seemann/qtls-go1-17 v0.1.1 // indirect
+	github.com/marten-seemann/qtls-go1-18 v0.1.1 // indirect
+	github.com/nxadm/tail v1.4.8 // indirect
+	github.com/onsi/ginkgo v1.16.5 // indirect
+	github.com/oschwald/maxminddb-golang v1.9.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/u-root/uio v0.0.0-20210528114334-82958018845c // indirect
-	golang.org/x/mod v0.4.2 // indirect
-	golang.org/x/text v0.3.7 // indirect
-	golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2 // indirect
+	github.com/u-root/uio v0.0.0-20220204230159-dac05f7d2cb4 // indirect
+	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
+	golang.org/x/text v0.3.8-0.20220124021120-d1c84af989ab // indirect
+	golang.org/x/tools v0.1.10 // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
+	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
 )
+
+replace golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 => github.com/MetaCubeX/wintun-go v0.0.0-20220319102620-bbc5e6b2015e
--- a/Show More
+++ b/Show More