Chore: update dependencies

adapter/adapter.go

@@ -184,10 +184,9 @@ func urlToMetadata(rawURL string) (addr C.Metadata, err error) {
 	}
 
 	addr = C.Metadata{
-		AddrType: C.AtypDomainName,
-		Host:     u.Hostname(),
-		DstIP:    nil,
-		DstPort:  port,
+		Host:    u.Hostname(),
+		DstIP:   nil,
+		DstPort: port,
 	}
 	return
 }

adapter/inbound/util.go

@@ -11,9 +11,7 @@ import (
 )
 
 func parseSocksAddr(target socks5.Addr) *C.Metadata {
-	metadata := &C.Metadata{
-		AddrType: int(target[0]),
-	}
+	metadata := &C.Metadata{}
 
 	switch target[0] {
 	case socks5.AtypDomainName:
@@ -44,21 +42,13 @@ func parseHTTPAddr(request *http.Request) *C.Metadata {
 	host = strings.TrimRight(host, ".")
 
 	metadata := &C.Metadata{
-		NetWork:  C.TCP,
-		AddrType: C.AtypDomainName,
-		Host:     host,
-		DstIP:    nil,
-		DstPort:  port,
+		NetWork: C.TCP,
+		Host:    host,
+		DstIP:   nil,
+		DstPort: port,
 	}
 
-	ip := net.ParseIP(host)
-	if ip != nil {
-		switch {
-		case ip.To4() == nil:
-			metadata.AddrType = C.AtypIPv6
-		default:
-			metadata.AddrType = C.AtypIPv4
-		}
+	if ip := net.ParseIP(host); ip != nil {
 		metadata.DstIP = ip
 	}
 

adapter/outbound/shadowsocks.go

@@ -10,11 +10,10 @@ import (
 	"github.com/Dreamacro/clash/common/structure"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/transport/shadowsocks/core"
 	obfs "github.com/Dreamacro/clash/transport/simple-obfs"
 	"github.com/Dreamacro/clash/transport/socks5"
 	v2rayObfs "github.com/Dreamacro/clash/transport/v2ray-plugin"
-
-	"github.com/Dreamacro/go-shadowsocks2/core"
 )
 
 type ShadowSocks struct {

adapter/outbound/shadowsocksr.go

@@ -8,12 +8,11 @@ import (
 
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/transport/shadowsocks/core"
+	"github.com/Dreamacro/clash/transport/shadowsocks/shadowaead"
+	"github.com/Dreamacro/clash/transport/shadowsocks/shadowstream"
 	"github.com/Dreamacro/clash/transport/ssr/obfs"
 	"github.com/Dreamacro/clash/transport/ssr/protocol"
-
-	"github.com/Dreamacro/go-shadowsocks2/core"
-	"github.com/Dreamacro/go-shadowsocks2/shadowaead"
-	"github.com/Dreamacro/go-shadowsocks2/shadowstream"
 )
 
 type ShadowSocksR struct {

adapter/outbound/util.go

@@ -20,10 +20,11 @@ func tcpKeepAlive(c net.Conn) {
 
 func serializesSocksAddr(metadata *C.Metadata) []byte {
 	var buf [][]byte
-	aType := uint8(metadata.AddrType)
+	addrType := metadata.AddrType()
+	aType := uint8(addrType)
 	p, _ := strconv.ParseUint(metadata.DstPort, 10, 16)
 	port := []byte{uint8(p >> 8), uint8(p & 0xff)}
-	switch metadata.AddrType {
+	switch addrType {
 	case socks5.AtypDomainName:
 		len := uint8(len(metadata.Host))
 		host := []byte(metadata.Host)

adapter/outbound/vmess.go

@@ -14,6 +14,7 @@ import (
 	"github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/gun"
+	"github.com/Dreamacro/clash/transport/socks5"
 	"github.com/Dreamacro/clash/transport/vmess"
 
 	"golang.org/x/net/http2"
@@ -327,16 +328,16 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 func parseVmessAddr(metadata *C.Metadata) *vmess.DstAddr {
 	var addrType byte
 	var addr []byte
-	switch metadata.AddrType {
-	case C.AtypIPv4:
+	switch metadata.AddrType() {
+	case socks5.AtypIPv4:
 		addrType = byte(vmess.AtypIPv4)
 		addr = make([]byte, net.IPv4len)
 		copy(addr[:], metadata.DstIP.To4())
-	case C.AtypIPv6:
+	case socks5.AtypIPv6:
 		addrType = byte(vmess.AtypIPv6)
 		addr = make([]byte, net.IPv6len)
 		copy(addr[:], metadata.DstIP.To16())
-	case C.AtypDomainName:
+	case socks5.AtypDomainName:
 		addrType = byte(vmess.AtypDomainName)
 		addr = make([]byte, len(metadata.Host)+1)
 		addr[0] = byte(len(metadata.Host))

adapter/outboundgroup/loadbalance.go

@@ -30,10 +30,8 @@ type LoadBalance struct {
 var errStrategy = errors.New("unsupported strategy")
 
 func parseStrategy(config map[string]any) string {
-	if elm, ok := config["strategy"]; ok {
-		if strategy, ok := elm.(string); ok {
-			return strategy
-		}
+	if strategy, ok := config["strategy"].(string); ok {
+		return strategy
 	}
 	return "consistent-hashing"
 }
@@ -129,6 +127,13 @@ func strategyConsistentHashing() strategyFn {
 			}
 		}
 
+		// when availability is poor, traverse the entire list to get the available nodes
+		for _, proxy := range proxies {
+			if proxy.Alive() {
+				return proxy
+			}
+		}
+
 		return proxies[0]
 	}
 }

adapter/outboundgroup/urltest.go

@@ -125,10 +125,8 @@ func parseURLTestOption(config map[string]any) []urlTestOption {
 	opts := []urlTestOption{}
 
 	// tolerance
-	if elm, ok := config["tolerance"]; ok {
-		if tolerance, ok := elm.(int); ok {
-			opts = append(opts, urlTestWithTolerance(uint16(tolerance)))
-		}
+	if tolerance, ok := config["tolerance"].(int); ok {
+		opts = append(opts, urlTestWithTolerance(uint16(tolerance)))
 	}
 
 	return opts

adapter/outboundgroup/util.go

@@ -18,27 +18,24 @@ func addrToMetadata(rawAddress string) (addr *C.Metadata, err error) {
 	ip := net.ParseIP(host)
 	if ip == nil {
 		addr = &C.Metadata{
-			AddrType: C.AtypDomainName,
-			Host:     host,
-			DstIP:    nil,
-			DstPort:  port,
+			Host:    host,
+			DstIP:   nil,
+			DstPort: port,
 		}
 		return
 	} else if ip4 := ip.To4(); ip4 != nil {
 		addr = &C.Metadata{
-			AddrType: C.AtypIPv4,
-			Host:     "",
-			DstIP:    ip4,
-			DstPort:  port,
+			Host:    "",
+			DstIP:   ip4,
+			DstPort: port,
 		}
 		return
 	}
 
 	addr = &C.Metadata{
-		AddrType: C.AtypIPv6,
-		Host:     "",
-		DstIP:    ip,
-		DstPort:  port,
+		Host:    "",
+		DstIP:   ip,
+		DstPort: port,
 	}
 	return
 }

adapter/provider/provider.go

@@ -12,7 +12,7 @@ import (
 	C "github.com/Dreamacro/clash/constant"
 	types "github.com/Dreamacro/clash/constant/provider"
 
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 )
 
 const (
@@ -129,7 +129,7 @@ func NewProxySetProvider(name string, interval time.Duration, filter string, veh
 
 		proxies := []C.Proxy{}
 		for idx, mapping := range schema.Proxies {
-			if name, ok := mapping["name"]; ok && len(filter) > 0 && !filterReg.MatchString(name.(string)) {
+			if name, ok := mapping["name"].(string); ok && len(filter) > 0 && !filterReg.MatchString(name) {
 				continue
 			}
 			proxy, err := adapter.ParseProxy(mapping)

common/net/relay.go

@@ -4,8 +4,6 @@ import (
 	"io"
 	"net"
 	"time"
-
-	"github.com/Dreamacro/clash/common/pool"
 )
 
 // Relay copies between left and right bidirectionally.
@@ -13,18 +11,14 @@ func Relay(leftConn, rightConn net.Conn) {
 	ch := make(chan error)
 
 	go func() {
-		buf := pool.Get(pool.RelayBufferSize)
 		// Wrapping to avoid using *net.TCPConn.(ReadFrom)
 		// See also https://github.com/Dreamacro/clash/pull/1209
-		_, err := io.CopyBuffer(WriteOnlyWriter{Writer: leftConn}, ReadOnlyReader{Reader: rightConn}, buf)
-		pool.Put(buf)
+		_, err := io.Copy(WriteOnlyWriter{Writer: leftConn}, ReadOnlyReader{Reader: rightConn})
 		leftConn.SetReadDeadline(time.Now())
 		ch <- err
 	}()
 
-	buf := pool.Get(pool.RelayBufferSize)
-	io.CopyBuffer(WriteOnlyWriter{Writer: rightConn}, ReadOnlyReader{Reader: leftConn}, buf)
-	pool.Put(buf)
+	io.Copy(WriteOnlyWriter{Writer: rightConn}, ReadOnlyReader{Reader: leftConn})
 	rightConn.SetReadDeadline(time.Now())
 	<-ch
 }

component/dialer/mark_linux.go

@@ -31,13 +31,13 @@ func bindMarkToControl(mark int, chain controlFn) controlFn {
 			}
 		}
 
-		return c.Control(func(fd uintptr) {
-			switch network {
-			case "tcp4", "udp4":
-				syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, mark)
-			case "tcp6", "udp6":
-				syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, mark)
-			}
+		var innerErr error
+		err = c.Control(func(fd uintptr) {
+			innerErr = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_MARK, mark)
 		})
+		if innerErr != nil {
+			err = innerErr
+		}
+		return
 	}
 }

config/config.go

@@ -22,7 +22,7 @@ import (
 	R "github.com/Dreamacro/clash/rule"
 	T "github.com/Dreamacro/clash/tunnel"
 
-	"gopkg.in/yaml.v2"
+	"gopkg.in/yaml.v3"
 )
 
 // General config
@@ -477,6 +477,10 @@ func parseNameServer(servers []string) ([]dns.NameServer, error) {
 			return nil, fmt.Errorf("DNS NameServer[%d] format error: %s", idx, err.Error())
 		}
 
+		// parse with specific interface
+		// .e.g 10.0.0.1#en0
+		interfaceName := u.Fragment
+
 		var addr, dnsNetType string
 		switch u.Scheme {
 		case "udp":
@@ -506,8 +510,9 @@ func parseNameServer(servers []string) ([]dns.NameServer, error) {
 		nameservers = append(
 			nameservers,
 			dns.NameServer{
-				Net:  dnsNetType,
-				Addr: addr,
+				Net:       dnsNetType,
+				Addr:      addr,
+				Interface: interfaceName,
 			},
 		)
 	}

constant/metadata.go

@@ -4,14 +4,12 @@ import (
 	"encoding/json"
 	"net"
 	"strconv"
+
+	"github.com/Dreamacro/clash/transport/socks5"
 )
 
 // Socks addr type
 const (
-	AtypIPv4       = 1
-	AtypDomainName = 3
-	AtypIPv6       = 4
-
 	TCP NetWork = iota
 	UDP
 
@@ -69,7 +67,6 @@ type Metadata struct {
 	DstIP       net.IP  `json:"destinationIP"`
 	SrcPort     string  `json:"sourcePort"`
 	DstPort     string  `json:"destinationPort"`
-	AddrType    int     `json:"-"`
 	Host        string  `json:"host"`
 	DNSMode     DNSMode `json:"dnsMode"`
 	ProcessPath string  `json:"processPath"`
@@ -83,6 +80,17 @@ func (m *Metadata) SourceAddress() string {
 	return net.JoinHostPort(m.SrcIP.String(), m.SrcPort)
 }
 
+func (m *Metadata) AddrType() int {
+	switch true {
+	case m.Host != "" || m.DstIP == nil:
+		return socks5.AtypDomainName
+	case m.DstIP.To4() != nil:
+		return socks5.AtypIPv4
+	default:
+		return socks5.AtypIPv6
+	}
+}
+
 func (m *Metadata) Resolved() bool {
 	return m.DstIP != nil
 }
@@ -93,11 +101,6 @@ func (m *Metadata) Pure() *Metadata {
 	if m.DNSMode == DNSMapping && m.DstIP != nil {
 		copy := *m
 		copy.Host = ""
-		if copy.DstIP.To4() != nil {
-			copy.AddrType = AtypIPv4
-		} else {
-			copy.AddrType = AtypIPv6
-		}
 		return &copy
 	}
 

dns/doh.go

@@ -79,7 +79,7 @@ func (dc *dohClient) doRequest(req *http.Request) (msg *D.Msg, err error) {
 	return msg, err
 }
 
-func newDoHClient(url string, r *Resolver) *dohClient {
+func newDoHClient(url, iface string, r *Resolver) *dohClient {
 	return &dohClient{
 		url: url,
 		transport: &http.Transport{
@@ -95,7 +95,12 @@ func newDoHClient(url string, r *Resolver) *dohClient {
 					return nil, err
 				}
 
-				return dialer.DialContext(ctx, "tcp", net.JoinHostPort(ip.String(), port))
+				options := []dialer.Option{}
+				if iface != "" {
+					options = append(options, dialer.WithInterface(iface))
+				}
+
+				return dialer.DialContext(ctx, "tcp", net.JoinHostPort(ip.String(), port), options...)
 			},
 		},
 	}

dns/util.go

@@ -51,7 +51,7 @@ func transform(servers []NameServer, resolver *Resolver) []dnsClient {
 	for _, s := range servers {
 		switch s.Net {
 		case "https":
-			ret = append(ret, newDoHClient(s.Addr, resolver))
+			ret = append(ret, newDoHClient(s.Addr, s.Interface, resolver))
 			continue
 		case "dhcp":
 			ret = append(ret, newDHCPClient(s.Addr))

go.mod

@@ -3,25 +3,24 @@ module github.com/Dreamacro/clash
 go 1.18
 
 require (
-	github.com/Dreamacro/go-shadowsocks2 v0.1.8
 	github.com/go-chi/chi/v5 v5.0.7
 	github.com/go-chi/cors v1.2.1
 	github.com/go-chi/render v1.0.1
 	github.com/gofrs/uuid v4.2.0+incompatible
 	github.com/gorilla/websocket v1.5.0
 	github.com/insomniacslk/dhcp v0.0.0-20220504074936-1ca156eafb9f
-	github.com/miekg/dns v1.1.48
+	github.com/miekg/dns v1.1.50
 	github.com/oschwald/geoip2-golang v1.7.0
 	github.com/sirupsen/logrus v1.8.1
-	github.com/stretchr/testify v1.7.1
+	github.com/stretchr/testify v1.8.0
 	go.etcd.io/bbolt v1.3.6
 	go.uber.org/atomic v1.9.0
 	go.uber.org/automaxprocs v1.5.1
-	golang.org/x/crypto v0.0.0-20220507011949-2cf3adece122
-	golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6
-	gopkg.in/yaml.v2 v2.4.0
+	golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d
+	golang.org/x/net v0.0.0-20220706163947-c90051bbdb60
+	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
+	golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e
+	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
@@ -34,5 +33,4 @@ require (
 	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2 // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 )

go.sum

@@ -1,5 +1,3 @@
-github.com/Dreamacro/go-shadowsocks2 v0.1.8 h1:Ixejp5JscEc866gAvm/l6TFd7BOBvDviKgwb1quWw3g=
-github.com/Dreamacro/go-shadowsocks2 v0.1.8/go.mod h1:51y4Q6tJoCE7e8TmYXcQRqfoxPfE9Cvn79V6pB6Df7Y=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -39,8 +37,8 @@ github.com/mdlayher/netlink v1.1.0/go.mod h1:H4WCitaheIsdF9yOYu8CFmCgQthAPIWZmcK
 github.com/mdlayher/netlink v1.1.1/go.mod h1:WTYpFb/WTvlRJAyKhZL5/uy69TDDpHHu2VZmb2XgV7o=
 github.com/mdlayher/raw v0.0.0-20190606142536-fef19f00fc18/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg=
 github.com/mdlayher/raw v0.0.0-20191009151244-50f2db8cc065/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg=
-github.com/miekg/dns v1.1.48 h1:Ucfr7IIVyMBz4lRE8qmGUuZ4Wt3/ZGu9hmcMT3Uu4tQ=
-github.com/miekg/dns v1.1.48/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
+github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
+github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
 github.com/oschwald/geoip2-golang v1.7.0 h1:JW1r5AKi+vv2ujSxjKthySK3jo8w8oKWPyXsw+Qs/S8=
 github.com/oschwald/geoip2-golang v1.7.0/go.mod h1:mdI/C7iK7NVMcIDDtf4bCKMJ7r0o7UwGeCo9eiitCMQ=
 github.com/oschwald/maxminddb-golang v1.9.0 h1:tIk4nv6VT9OiPyrnDAfJS1s1xKDQMZOsGojab6EjC1Y=
@@ -53,11 +51,13 @@ github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMTY=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/u-root/uio v0.0.0-20210528114334-82958018845c h1:BFvcl34IGnw8yvJi8hlqLFo9EshRInwWBs2M5fGWzQA=
 github.com/u-root/uio v0.0.0-20210528114334-82958018845c/go.mod h1:LpEX5FO/cB+WF4TYGY1V5qktpaZLkKkSegbr0V4eYXA=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
@@ -70,8 +70,8 @@ go.uber.org/automaxprocs v1.5.1/go.mod h1:BF4eumQw0P9GtnuxxovUd06vwm1o18oMzFtK66
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20220507011949-2cf3adece122 h1:NvGWuYG8dkDHFSKksI1P9faiVJ9rayE6l0+ouWVIDs8=
-golang.org/x/crypto v0.0.0-20220507011949-2cf3adece122/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d h1:sK3txAijHtOK88l68nt020reeT1ZdKLIYetKl95FzVY=
+golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/mod v0.4.2 h1:Gz96sIWK3OalVv/I/qNygP42zyoKp3xptRVCWRFEBvo=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -86,11 +86,12 @@ golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4 h1:HVyaeDAYux4pnY+D/SiwmLOR36ewZ4iGQIIrtnuCjFA=
-golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/net v0.0.0-20220706163947-c90051bbdb60 h1:8NSylCMxLW4JvserAndSgFL7aPli6A68yf0bYFTcWCM=
+golang.org/x/net v0.0.0-20220706163947-c90051bbdb60/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f h1:Ax0t5p6N38Ga0dThY21weqDEyz2oklo4IvDkpigvkD8=
+golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190411185658-b44545bcd369/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -111,8 +112,8 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210525143221-35b2ab0089ea/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6 h1:nonptSpoQ4vQjyraW20DXPAglgQfVnM9ZC6MmNLMR60=
-golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e h1:CsOuNlbOuf0mzxJIefr6Q4uAUetRUwZE4qt7VfzP+xo=
+golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -131,8 +132,6 @@ golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1N
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

hub/executor/executor.go

@@ -130,6 +130,11 @@ func updateDNS(c *config.DNS) {
 		Policy:  c.NameServerPolicy,
 	}
 
+	// deprecated warnning
+	if cfg.EnhancedMode == C.DNSMapping {
+		log.Warnln("[DNS] %s is deprecated, please use %s instead", cfg.EnhancedMode.String(), C.DNSFakeIP.String())
+	}
+
 	r := dns.NewResolver(cfg)
 	m := dns.NewEnhancer(cfg)
 

listener/tproxy/packet.go

@@ -2,12 +2,13 @@ package tproxy
 
 import (
 	"net"
+	"net/netip"
 
 	"github.com/Dreamacro/clash/common/pool"
 )
 
 type packet struct {
-	lAddr *net.UDPAddr
+	lAddr netip.AddrPort
 	buf   []byte
 }
 
@@ -17,7 +18,7 @@ func (c *packet) Data() []byte {
 
 // WriteBack opens a new socket binding `addr` to write UDP packet back
 func (c *packet) WriteBack(b []byte, addr net.Addr) (n int, err error) {
-	tc, err := dialUDP("udp", addr.(*net.UDPAddr), c.lAddr)
+	tc, err := dialUDP("udp", addr.(*net.UDPAddr).AddrPort(), c.lAddr)
 	if err != nil {
 		n = 0
 		return
@@ -29,7 +30,7 @@ func (c *packet) WriteBack(b []byte, addr net.Addr) (n int, err error) {
 
 // LocalAddr returns the source IP/Port of UDP Packet
 func (c *packet) LocalAddr() net.Addr {
-	return c.lAddr
+	return &net.UDPAddr{IP: c.lAddr.Addr().AsSlice(), Port: int(c.lAddr.Port()), Zone: c.lAddr.Addr().Zone()}
 }
 
 func (c *packet) Drop() {

listener/tproxy/udp.go

@@ -2,6 +2,7 @@ package tproxy
 
 import (
 	"net"
+	"net/netip"
 
 	"github.com/Dreamacro/clash/adapter/inbound"
 	"github.com/Dreamacro/clash/common/pool"
@@ -58,7 +59,7 @@ func NewUDP(addr string, in chan<- *inbound.PacketAdapter) (*UDPListener, error)
 		oob := make([]byte, 1024)
 		for {
 			buf := pool.Get(pool.UDPBufferSize)
-			n, oobn, _, lAddr, err := c.ReadMsgUDP(buf, oob)
+			n, oobn, _, lAddr, err := c.ReadMsgUDPAddrPort(buf, oob)
 			if err != nil {
 				pool.Put(buf)
 				if rl.closed {
@@ -67,19 +68,24 @@ func NewUDP(addr string, in chan<- *inbound.PacketAdapter) (*UDPListener, error)
 				continue
 			}
 
-			rAddr, err := getOrigDst(oob, oobn)
+			rAddr, err := getOrigDst(oob[:oobn])
 			if err != nil {
 				continue
 			}
-			handlePacketConn(l, in, buf[:n], lAddr, rAddr)
+
+			if rAddr.Addr().Is4() {
+				// try to unmap 4in6 address
+				lAddr = netip.AddrPortFrom(lAddr.Addr().Unmap(), lAddr.Port())
+			}
+			handlePacketConn(in, buf[:n], lAddr, rAddr)
 		}
 	}()
 
 	return rl, nil
 }
 
-func handlePacketConn(pc net.PacketConn, in chan<- *inbound.PacketAdapter, buf []byte, lAddr *net.UDPAddr, rAddr *net.UDPAddr) {
-	target := socks5.ParseAddrToSocksAddr(rAddr)
+func handlePacketConn(in chan<- *inbound.PacketAdapter, buf []byte, lAddr, rAddr netip.AddrPort) {
+	target := socks5.AddrFromStdAddrPort(rAddr)
 	pkt := &packet{
 		lAddr: lAddr,
 		buf:   buf,

listener/tproxy/udp_linux.go

@@ -3,13 +3,14 @@
 package tproxy
 
 import (
-	"encoding/binary"
-	"errors"
 	"fmt"
 	"net"
+	"net/netip"
 	"os"
 	"strconv"
 	"syscall"
+
+	"golang.org/x/sys/unix"
 )
 
 const (
@@ -19,7 +20,7 @@ const (
 
 // dialUDP acts like net.DialUDP for transparent proxy.
 // It binds to a non-local address(`lAddr`).
-func dialUDP(network string, lAddr *net.UDPAddr, rAddr *net.UDPAddr) (*net.UDPConn, error) {
+func dialUDP(network string, lAddr, rAddr netip.AddrPort) (uc *net.UDPConn, err error) {
 	rSockAddr, err := udpAddrToSockAddr(rAddr)
 	if err != nil {
 		return nil, err
@@ -35,23 +36,25 @@ func dialUDP(network string, lAddr *net.UDPAddr, rAddr *net.UDPAddr) (*net.UDPCo
 		return nil, err
 	}
 
+	defer func() {
+		if err != nil {
+			syscall.Close(fd)
+		}
+	}()
+
 	if err = syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_REUSEADDR, 1); err != nil {
-		syscall.Close(fd)
 		return nil, err
 	}
 
 	if err = syscall.SetsockoptInt(fd, syscall.SOL_IP, syscall.IP_TRANSPARENT, 1); err != nil {
-		syscall.Close(fd)
 		return nil, err
 	}
 
 	if err = syscall.Bind(fd, lSockAddr); err != nil {
-		syscall.Close(fd)
 		return nil, err
 	}
 
 	if err = syscall.Connect(fd, rSockAddr); err != nil {
-		syscall.Close(fd)
 		return nil, err
 	}
 
@@ -60,35 +63,26 @@ func dialUDP(network string, lAddr *net.UDPAddr, rAddr *net.UDPAddr) (*net.UDPCo
 
 	c, err := net.FileConn(fdFile)
 	if err != nil {
-		syscall.Close(fd)
 		return nil, err
 	}
 
 	return c.(*net.UDPConn), nil
 }
 
-func udpAddrToSockAddr(addr *net.UDPAddr) (syscall.Sockaddr, error) {
-	switch {
-	case addr.IP.To4() != nil:
-		ip := [4]byte{}
-		copy(ip[:], addr.IP.To4())
-
-		return &syscall.SockaddrInet4{Addr: ip, Port: addr.Port}, nil
-
-	default:
-		ip := [16]byte{}
-		copy(ip[:], addr.IP.To16())
-
-		zoneID, err := strconv.ParseUint(addr.Zone, 10, 32)
-		if err != nil {
-			zoneID = 0
-		}
-
-		return &syscall.SockaddrInet6{Addr: ip, Port: addr.Port, ZoneId: uint32(zoneID)}, nil
+func udpAddrToSockAddr(addr netip.AddrPort) (syscall.Sockaddr, error) {
+	if addr.Addr().Is4() {
+		return &syscall.SockaddrInet4{Addr: addr.Addr().As4(), Port: int(addr.Port())}, nil
 	}
+
+	zoneID, err := strconv.ParseUint(addr.Addr().Zone(), 10, 32)
+	if err != nil {
+		zoneID = 0
+	}
+
+	return &syscall.SockaddrInet6{Addr: addr.Addr().As16(), Port: int(addr.Port()), ZoneId: uint32(zoneID)}, nil
 }
 
-func udpAddrFamily(net string, lAddr, rAddr *net.UDPAddr) int {
+func udpAddrFamily(net string, lAddr, rAddr netip.AddrPort) int {
 	switch net[len(net)-1] {
 	case '4':
 		return syscall.AF_INET
@@ -96,29 +90,35 @@ func udpAddrFamily(net string, lAddr, rAddr *net.UDPAddr) int {
 		return syscall.AF_INET6
 	}
 
-	if (lAddr == nil || lAddr.IP.To4() != nil) && (rAddr == nil || lAddr.IP.To4() != nil) {
+	if lAddr.Addr().Is4() && rAddr.Addr().Is4() {
 		return syscall.AF_INET
 	}
 	return syscall.AF_INET6
 }
 
-func getOrigDst(oob []byte, oobn int) (*net.UDPAddr, error) {
-	msgs, err := syscall.ParseSocketControlMessage(oob[:oobn])
+func getOrigDst(oob []byte) (netip.AddrPort, error) {
+	// oob contains socket control messages which we need to parse.
+	scms, err := unix.ParseSocketControlMessage(oob)
 	if err != nil {
-		return nil, err
+		return netip.AddrPort{}, fmt.Errorf("parse control message: %w", err)
 	}
 
-	for _, msg := range msgs {
-		if msg.Header.Level == syscall.SOL_IP && msg.Header.Type == syscall.IP_RECVORIGDSTADDR {
-			ip := net.IP(msg.Data[4:8])
-			port := binary.BigEndian.Uint16(msg.Data[2:4])
-			return &net.UDPAddr{IP: ip, Port: int(port)}, nil
-		} else if msg.Header.Level == syscall.SOL_IPV6 && msg.Header.Type == IPV6_RECVORIGDSTADDR {
-			ip := net.IP(msg.Data[8:24])
-			port := binary.BigEndian.Uint16(msg.Data[2:4])
-			return &net.UDPAddr{IP: ip, Port: int(port)}, nil
-		}
+	// retrieve the destination address from the SCM.
+	sa, err := unix.ParseOrigDstAddr(&scms[0])
+	if err != nil {
+		return netip.AddrPort{}, fmt.Errorf("retrieve destination: %w", err)
 	}
 
-	return nil, errors.New("cannot find origDst")
+	// encode the destination address into a cmsg.
+	var rAddr netip.AddrPort
+	switch v := sa.(type) {
+	case *unix.SockaddrInet4:
+		rAddr = netip.AddrPortFrom(netip.AddrFrom4(v.Addr), uint16(v.Port))
+	case *unix.SockaddrInet6:
+		rAddr = netip.AddrPortFrom(netip.AddrFrom16(v.Addr), uint16(v.Port))
+	default:
+		return netip.AddrPort{}, fmt.Errorf("unsupported address type: %T", v)
+	}
+
+	return rAddr, nil
 }

listener/tproxy/udp_other.go

@@ -5,12 +5,13 @@ package tproxy
 import (
 	"errors"
 	"net"
+	"net/netip"
 )
 
-func getOrigDst(oob []byte, oobn int) (*net.UDPAddr, error) {
-	return nil, errors.New("UDP redir not supported on current platform")
+func getOrigDst(oob []byte) (netip.AddrPort, error) {
+	return netip.AddrPort{}, errors.New("UDP redir not supported on current platform")
 }
 
-func dialUDP(network string, lAddr *net.UDPAddr, rAddr *net.UDPAddr) (*net.UDPConn, error) {
+func dialUDP(network string, lAddr, rAddr netip.AddrPort) (*net.UDPConn, error) {
 	return nil, errors.New("UDP redir not supported on current platform")
 }

rule/domain.go

@@ -16,9 +16,6 @@ func (d *Domain) RuleType() C.RuleType {
 }
 
 func (d *Domain) Match(metadata *C.Metadata) bool {
-	if metadata.AddrType != C.AtypDomainName {
-		return false
-	}
 	return metadata.Host == d.domain
 }
 

rule/domain_keyword.go

@@ -16,11 +16,7 @@ func (dk *DomainKeyword) RuleType() C.RuleType {
 }
 
 func (dk *DomainKeyword) Match(metadata *C.Metadata) bool {
-	if metadata.AddrType != C.AtypDomainName {
-		return false
-	}
-	domain := metadata.Host
-	return strings.Contains(domain, dk.keyword)
+	return strings.Contains(metadata.Host, dk.keyword)
 }
 
 func (dk *DomainKeyword) Adapter() string {

rule/domain_suffix.go

@@ -16,9 +16,6 @@ func (ds *DomainSuffix) RuleType() C.RuleType {
 }
 
 func (ds *DomainSuffix) Match(metadata *C.Metadata) bool {
-	if metadata.AddrType != C.AtypDomainName {
-		return false
-	}
 	domain := metadata.Host
 	return strings.HasSuffix(domain, "."+ds.suffix) || domain == ds.suffix
 }

rule/process.go

@@ -14,7 +14,11 @@ type Process struct {
 }
 
 func (ps *Process) RuleType() C.RuleType {
-	return C.Process
+	if ps.nameOnly {
+		return C.Process
+	}
+
+	return C.ProcessPath
 }
 
 func (ps *Process) Match(metadata *C.Metadata) bool {

test/go.mod

@@ -4,17 +4,16 @@ go 1.18
 
 require (
 	github.com/Dreamacro/clash v1.10.6
-	github.com/docker/docker v20.10.16+incompatible
+	github.com/docker/docker v20.10.17+incompatible
 	github.com/docker/go-connections v0.4.0
 	github.com/miekg/dns v1.1.49
-	github.com/stretchr/testify v1.7.1
-	golang.org/x/net v0.0.0-20220520000938-2e3eb7b945c2
+	github.com/stretchr/testify v1.7.2
+	golang.org/x/net v0.0.0-20220617184016-355a448f1bc9
 )
 
 replace github.com/Dreamacro/clash => ../
 
 require (
-	github.com/Dreamacro/go-shadowsocks2 v0.1.8 // indirect
 	github.com/Microsoft/go-winio v0.5.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/docker/distribution v2.8.1+incompatible // indirect
@@ -36,16 +35,15 @@ require (
 	github.com/u-root/uio v0.0.0-20210528114334-82958018845c // indirect
 	go.etcd.io/bbolt v1.3.6 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
-	golang.org/x/crypto v0.0.0-20220507011949-2cf3adece122 // indirect
+	golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e // indirect
 	golang.org/x/mod v0.4.2 // indirect
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
-	golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6 // indirect
+	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f // indirect
+	golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c // indirect
 	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 // indirect
 	golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2 // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gotest.tools/v3 v3.1.0 // indirect
 )

test/go.sum

@@ -1,7 +1,5 @@
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 h1:UQHMgLO+TxOElx5B5HZ4hJQsoJ/PvUvKRhJHDQXO8P8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
-github.com/Dreamacro/go-shadowsocks2 v0.1.8 h1:Ixejp5JscEc866gAvm/l6TFd7BOBvDviKgwb1quWw3g=
-github.com/Dreamacro/go-shadowsocks2 v0.1.8/go.mod h1:51y4Q6tJoCE7e8TmYXcQRqfoxPfE9Cvn79V6pB6Df7Y=
 github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
@@ -10,8 +8,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68=
 github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v20.10.16+incompatible h1:2Db6ZR/+FUR3hqPMwnogOPHFn405crbpxvWzKovETOQ=
-github.com/docker/docker v20.10.16+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v20.10.17+incompatible h1:JYCuMrWaVNophQTOrMMoSwudOVEfcegoZZrleKc1xwE=
+github.com/docker/docker v20.10.17+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
 github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
@@ -83,8 +81,8 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMTY=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.2 h1:4jaiDzPyXQvSd7D0EjG45355tLlV3VOECpq10pLC+8s=
+github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
 github.com/u-root/uio v0.0.0-20210528114334-82958018845c h1:BFvcl34IGnw8yvJi8hlqLFo9EshRInwWBs2M5fGWzQA=
 github.com/u-root/uio v0.0.0-20210528114334-82958018845c/go.mod h1:LpEX5FO/cB+WF4TYGY1V5qktpaZLkKkSegbr0V4eYXA=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -97,8 +95,8 @@ go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20220507011949-2cf3adece122 h1:NvGWuYG8dkDHFSKksI1P9faiVJ9rayE6l0+ouWVIDs8=
-golang.org/x/crypto v0.0.0-20220507011949-2cf3adece122/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e h1:T8NU3HyQ8ClP4SEE+KbFlg6n0NhuTsN4MyznaarGsZM=
+golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2 h1:Gz96sIWK3OalVv/I/qNygP42zyoKp3xptRVCWRFEBvo=
@@ -117,13 +115,14 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20220520000938-2e3eb7b945c2 h1:NWy5+hlRbC7HK+PmcXVUmW1IMyFce7to56IUvhUFm7Y=
-golang.org/x/net v0.0.0-20220520000938-2e3eb7b945c2/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/net v0.0.0-20220617184016-355a448f1bc9 h1:Yqz/iviulwKwAREEeUd3nbBFn0XuyJqkoft2IlrvOhc=
+golang.org/x/net v0.0.0-20220617184016-355a448f1bc9/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f h1:Ax0t5p6N38Ga0dThY21weqDEyz2oklo4IvDkpigvkD8=
+golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190411185658-b44545bcd369/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -147,8 +146,8 @@ golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210525143221-35b2ab0089ea/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6 h1:nonptSpoQ4vQjyraW20DXPAglgQfVnM9ZC6MmNLMR60=
-golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c h1:aFV+BgZ4svzjfabn8ERpuB4JI4N6/rdy1iusx77G3oU=
+golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -174,11 +173,9 @@ golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8T
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
 gotest.tools/v3 v3.1.0 h1:rVV8Tcg/8jHUkPUorwjaMTtemIMVXfIPKiOqnhEhakk=
 gotest.tools/v3 v3.1.0/go.mod h1:fHy7eyTmJFO5bQbUsEGQ1v4m2J3Jz9eWL54TP2/ZuYQ=

transport/shadowsocks/README.md

@@ -0,0 +1,5 @@
+## Embedded go-shadowsocks2
+
+from https://github.com/Dreamacro/go-shadowsocks2
+
+origin https://github.com/riobard/go-shadowsocks2

transport/shadowsocks/core/cipher.go

@@ -0,0 +1,164 @@
+package core
+
+import (
+	"crypto/md5"
+	"errors"
+	"net"
+	"sort"
+	"strings"
+
+	"github.com/Dreamacro/clash/transport/shadowsocks/shadowaead"
+	"github.com/Dreamacro/clash/transport/shadowsocks/shadowstream"
+)
+
+type Cipher interface {
+	StreamConnCipher
+	PacketConnCipher
+}
+
+type StreamConnCipher interface {
+	StreamConn(net.Conn) net.Conn
+}
+
+type PacketConnCipher interface {
+	PacketConn(net.PacketConn) net.PacketConn
+}
+
+// ErrCipherNotSupported occurs when a cipher is not supported (likely because of security concerns).
+var ErrCipherNotSupported = errors.New("cipher not supported")
+
+const (
+	aeadAes128Gcm         = "AEAD_AES_128_GCM"
+	aeadAes192Gcm         = "AEAD_AES_192_GCM"
+	aeadAes256Gcm         = "AEAD_AES_256_GCM"
+	aeadChacha20Poly1305  = "AEAD_CHACHA20_POLY1305"
+	aeadXChacha20Poly1305 = "AEAD_XCHACHA20_POLY1305"
+)
+
+// List of AEAD ciphers: key size in bytes and constructor
+var aeadList = map[string]struct {
+	KeySize int
+	New     func([]byte) (shadowaead.Cipher, error)
+}{
+	aeadAes128Gcm:         {16, shadowaead.AESGCM},
+	aeadAes192Gcm:         {24, shadowaead.AESGCM},
+	aeadAes256Gcm:         {32, shadowaead.AESGCM},
+	aeadChacha20Poly1305:  {32, shadowaead.Chacha20Poly1305},
+	aeadXChacha20Poly1305: {32, shadowaead.XChacha20Poly1305},
+}
+
+// List of stream ciphers: key size in bytes and constructor
+var streamList = map[string]struct {
+	KeySize int
+	New     func(key []byte) (shadowstream.Cipher, error)
+}{
+	"RC4-MD5":       {16, shadowstream.RC4MD5},
+	"AES-128-CTR":   {16, shadowstream.AESCTR},
+	"AES-192-CTR":   {24, shadowstream.AESCTR},
+	"AES-256-CTR":   {32, shadowstream.AESCTR},
+	"AES-128-CFB":   {16, shadowstream.AESCFB},
+	"AES-192-CFB":   {24, shadowstream.AESCFB},
+	"AES-256-CFB":   {32, shadowstream.AESCFB},
+	"CHACHA20-IETF": {32, shadowstream.Chacha20IETF},
+	"XCHACHA20":     {32, shadowstream.Xchacha20},
+}
+
+// ListCipher returns a list of available cipher names sorted alphabetically.
+func ListCipher() []string {
+	var l []string
+	for k := range aeadList {
+		l = append(l, k)
+	}
+	for k := range streamList {
+		l = append(l, k)
+	}
+	sort.Strings(l)
+	return l
+}
+
+// PickCipher returns a Cipher of the given name. Derive key from password if given key is empty.
+func PickCipher(name string, key []byte, password string) (Cipher, error) {
+	name = strings.ToUpper(name)
+
+	switch name {
+	case "DUMMY":
+		return &dummy{}, nil
+	case "CHACHA20-IETF-POLY1305":
+		name = aeadChacha20Poly1305
+	case "XCHACHA20-IETF-POLY1305":
+		name = aeadXChacha20Poly1305
+	case "AES-128-GCM":
+		name = aeadAes128Gcm
+	case "AES-192-GCM":
+		name = aeadAes192Gcm
+	case "AES-256-GCM":
+		name = aeadAes256Gcm
+	}
+
+	if choice, ok := aeadList[name]; ok {
+		if len(key) == 0 {
+			key = Kdf(password, choice.KeySize)
+		}
+		if len(key) != choice.KeySize {
+			return nil, shadowaead.KeySizeError(choice.KeySize)
+		}
+		aead, err := choice.New(key)
+		return &AeadCipher{Cipher: aead, Key: key}, err
+	}
+
+	if choice, ok := streamList[name]; ok {
+		if len(key) == 0 {
+			key = Kdf(password, choice.KeySize)
+		}
+		if len(key) != choice.KeySize {
+			return nil, shadowstream.KeySizeError(choice.KeySize)
+		}
+		ciph, err := choice.New(key)
+		return &StreamCipher{Cipher: ciph, Key: key}, err
+	}
+
+	return nil, ErrCipherNotSupported
+}
+
+type AeadCipher struct {
+	shadowaead.Cipher
+
+	Key []byte
+}
+
+func (aead *AeadCipher) StreamConn(c net.Conn) net.Conn { return shadowaead.NewConn(c, aead) }
+func (aead *AeadCipher) PacketConn(c net.PacketConn) net.PacketConn {
+	return shadowaead.NewPacketConn(c, aead)
+}
+
+type StreamCipher struct {
+	shadowstream.Cipher
+
+	Key []byte
+}
+
+func (ciph *StreamCipher) StreamConn(c net.Conn) net.Conn { return shadowstream.NewConn(c, ciph) }
+func (ciph *StreamCipher) PacketConn(c net.PacketConn) net.PacketConn {
+	return shadowstream.NewPacketConn(c, ciph)
+}
+
+// dummy cipher does not encrypt
+
+type dummy struct{}
+
+func (dummy) StreamConn(c net.Conn) net.Conn             { return c }
+func (dummy) PacketConn(c net.PacketConn) net.PacketConn { return c }
+
+// key-derivation function from original Shadowsocks
+func Kdf(password string, keyLen int) []byte {
+	var b, prev []byte
+	h := md5.New()
+	for len(b) < keyLen {
+		h.Write(prev)
+		h.Write([]byte(password))
+		b = h.Sum(b)
+		prev = b[len(b)-h.Size():]
+		h.Reset()
+	}
+	return b[:keyLen]
+}

transport/shadowsocks/shadowaead/cipher.go

@@ -0,0 +1,94 @@
+package shadowaead
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/sha1"
+	"io"
+	"strconv"
+
+	"golang.org/x/crypto/chacha20poly1305"
+	"golang.org/x/crypto/hkdf"
+)
+
+type Cipher interface {
+	KeySize() int
+	SaltSize() int
+	Encrypter(salt []byte) (cipher.AEAD, error)
+	Decrypter(salt []byte) (cipher.AEAD, error)
+}
+
+type KeySizeError int
+
+func (e KeySizeError) Error() string {
+	return "key size error: need " + strconv.Itoa(int(e)) + " bytes"
+}
+
+func hkdfSHA1(secret, salt, info, outkey []byte) {
+	r := hkdf.New(sha1.New, secret, salt, info)
+	if _, err := io.ReadFull(r, outkey); err != nil {
+		panic(err) // should never happen
+	}
+}
+
+type metaCipher struct {
+	psk      []byte
+	makeAEAD func(key []byte) (cipher.AEAD, error)
+}
+
+func (a *metaCipher) KeySize() int { return len(a.psk) }
+func (a *metaCipher) SaltSize() int {
+	if ks := a.KeySize(); ks > 16 {
+		return ks
+	}
+	return 16
+}
+
+func (a *metaCipher) Encrypter(salt []byte) (cipher.AEAD, error) {
+	subkey := make([]byte, a.KeySize())
+	hkdfSHA1(a.psk, salt, []byte("ss-subkey"), subkey)
+	return a.makeAEAD(subkey)
+}
+
+func (a *metaCipher) Decrypter(salt []byte) (cipher.AEAD, error) {
+	subkey := make([]byte, a.KeySize())
+	hkdfSHA1(a.psk, salt, []byte("ss-subkey"), subkey)
+	return a.makeAEAD(subkey)
+}
+
+func aesGCM(key []byte) (cipher.AEAD, error) {
+	blk, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+	return cipher.NewGCM(blk)
+}
+
+// AESGCM creates a new Cipher with a pre-shared key. len(psk) must be
+// one of 16, 24, or 32 to select AES-128/196/256-GCM.
+func AESGCM(psk []byte) (Cipher, error) {
+	switch l := len(psk); l {
+	case 16, 24, 32: // AES 128/196/256
+	default:
+		return nil, aes.KeySizeError(l)
+	}
+	return &metaCipher{psk: psk, makeAEAD: aesGCM}, nil
+}
+
+// Chacha20Poly1305 creates a new Cipher with a pre-shared key. len(psk)
+// must be 32.
+func Chacha20Poly1305(psk []byte) (Cipher, error) {
+	if len(psk) != chacha20poly1305.KeySize {
+		return nil, KeySizeError(chacha20poly1305.KeySize)
+	}
+	return &metaCipher{psk: psk, makeAEAD: chacha20poly1305.New}, nil
+}
+
+// XChacha20Poly1305 creates a new Cipher with a pre-shared key. len(psk)
+// must be 32.
+func XChacha20Poly1305(psk []byte) (Cipher, error) {
+	if len(psk) != chacha20poly1305.KeySize {
+		return nil, KeySizeError(chacha20poly1305.KeySize)
+	}
+	return &metaCipher{psk: psk, makeAEAD: chacha20poly1305.NewX}, nil
+}

transport/shadowsocks/shadowaead/packet.go

@@ -0,0 +1,95 @@
+package shadowaead
+
+import (
+	"crypto/rand"
+	"errors"
+	"io"
+	"net"
+
+	"github.com/Dreamacro/clash/common/pool"
+)
+
+// ErrShortPacket means that the packet is too short for a valid encrypted packet.
+var ErrShortPacket = errors.New("short packet")
+
+var _zerononce [128]byte // read-only. 128 bytes is more than enough.
+
+// Pack encrypts plaintext using Cipher with a randomly generated salt and
+// returns a slice of dst containing the encrypted packet and any error occurred.
+// Ensure len(dst) >= ciph.SaltSize() + len(plaintext) + aead.Overhead().
+func Pack(dst, plaintext []byte, ciph Cipher) ([]byte, error) {
+	saltSize := ciph.SaltSize()
+	salt := dst[:saltSize]
+	if _, err := rand.Read(salt); err != nil {
+		return nil, err
+	}
+	aead, err := ciph.Encrypter(salt)
+	if err != nil {
+		return nil, err
+	}
+	if len(dst) < saltSize+len(plaintext)+aead.Overhead() {
+		return nil, io.ErrShortBuffer
+	}
+	b := aead.Seal(dst[saltSize:saltSize], _zerononce[:aead.NonceSize()], plaintext, nil)
+	return dst[:saltSize+len(b)], nil
+}
+
+// Unpack decrypts pkt using Cipher and returns a slice of dst containing the decrypted payload and any error occurred.
+// Ensure len(dst) >= len(pkt) - aead.SaltSize() - aead.Overhead().
+func Unpack(dst, pkt []byte, ciph Cipher) ([]byte, error) {
+	saltSize := ciph.SaltSize()
+	if len(pkt) < saltSize {
+		return nil, ErrShortPacket
+	}
+	salt := pkt[:saltSize]
+	aead, err := ciph.Decrypter(salt)
+	if err != nil {
+		return nil, err
+	}
+	if len(pkt) < saltSize+aead.Overhead() {
+		return nil, ErrShortPacket
+	}
+	if saltSize+len(dst)+aead.Overhead() < len(pkt) {
+		return nil, io.ErrShortBuffer
+	}
+	b, err := aead.Open(dst[:0], _zerononce[:aead.NonceSize()], pkt[saltSize:], nil)
+	return b, err
+}
+
+type PacketConn struct {
+	net.PacketConn
+	Cipher
+}
+
+const maxPacketSize = 64 * 1024
+
+// NewPacketConn wraps a net.PacketConn with cipher
+func NewPacketConn(c net.PacketConn, ciph Cipher) *PacketConn {
+	return &PacketConn{PacketConn: c, Cipher: ciph}
+}
+
+// WriteTo encrypts b and write to addr using the embedded PacketConn.
+func (c *PacketConn) WriteTo(b []byte, addr net.Addr) (int, error) {
+	buf := pool.Get(maxPacketSize)
+	defer pool.Put(buf)
+	buf, err := Pack(buf, b, c)
+	if err != nil {
+		return 0, err
+	}
+	_, err = c.PacketConn.WriteTo(buf, addr)
+	return len(b), err
+}
+
+// ReadFrom reads from the embedded PacketConn and decrypts into b.
+func (c *PacketConn) ReadFrom(b []byte) (int, net.Addr, error) {
+	n, addr, err := c.PacketConn.ReadFrom(b)
+	if err != nil {
+		return n, addr, err
+	}
+	bb, err := Unpack(b[c.Cipher.SaltSize():], b[:n], c)
+	if err != nil {
+		return n, addr, err
+	}
+	copy(b, bb)
+	return len(bb), addr, err
+}

transport/shadowsocks/shadowaead/stream.go

@@ -0,0 +1,285 @@
+package shadowaead
+
+import (
+	"crypto/cipher"
+	"crypto/rand"
+	"errors"
+	"io"
+	"net"
+
+	"github.com/Dreamacro/clash/common/pool"
+)
+
+const (
+	// payloadSizeMask is the maximum size of payload in bytes.
+	payloadSizeMask = 0x3FFF    // 16*1024 - 1
+	bufSize         = 17 * 1024 // >= 2+aead.Overhead()+payloadSizeMask+aead.Overhead()
+)
+
+var ErrZeroChunk = errors.New("zero chunk")
+
+type Writer struct {
+	io.Writer
+	cipher.AEAD
+	nonce [32]byte // should be sufficient for most nonce sizes
+}
+
+// NewWriter wraps an io.Writer with authenticated encryption.
+func NewWriter(w io.Writer, aead cipher.AEAD) *Writer { return &Writer{Writer: w, AEAD: aead} }
+
+// Write encrypts p and writes to the embedded io.Writer.
+func (w *Writer) Write(p []byte) (n int, err error) {
+	buf := pool.Get(bufSize)
+	defer pool.Put(buf)
+	nonce := w.nonce[:w.NonceSize()]
+	tag := w.Overhead()
+	off := 2 + tag
+
+	// compatible with snell
+	if len(p) == 0 {
+		buf = buf[:off]
+		buf[0], buf[1] = byte(0), byte(0)
+		w.Seal(buf[:0], nonce, buf[:2], nil)
+		increment(nonce)
+		_, err = w.Writer.Write(buf)
+		return
+	}
+
+	for nr := 0; n < len(p) && err == nil; n += nr {
+		nr = payloadSizeMask
+		if n+nr > len(p) {
+			nr = len(p) - n
+		}
+		buf = buf[:off+nr+tag]
+		buf[0], buf[1] = byte(nr>>8), byte(nr) // big-endian payload size
+		w.Seal(buf[:0], nonce, buf[:2], nil)
+		increment(nonce)
+		w.Seal(buf[:off], nonce, p[n:n+nr], nil)
+		increment(nonce)
+		_, err = w.Writer.Write(buf)
+	}
+	return
+}
+
+// ReadFrom reads from the given io.Reader until EOF or error, encrypts and
+// writes to the embedded io.Writer. Returns number of bytes read from r and
+// any error encountered.
+func (w *Writer) ReadFrom(r io.Reader) (n int64, err error) {
+	buf := pool.Get(bufSize)
+	defer pool.Put(buf)
+	nonce := w.nonce[:w.NonceSize()]
+	tag := w.Overhead()
+	off := 2 + tag
+	for {
+		nr, er := r.Read(buf[off : off+payloadSizeMask])
+		n += int64(nr)
+		buf[0], buf[1] = byte(nr>>8), byte(nr)
+		w.Seal(buf[:0], nonce, buf[:2], nil)
+		increment(nonce)
+		w.Seal(buf[:off], nonce, buf[off:off+nr], nil)
+		increment(nonce)
+		if _, ew := w.Writer.Write(buf[:off+nr+tag]); ew != nil {
+			err = ew
+			return
+		}
+		if er != nil {
+			if er != io.EOF { // ignore EOF as per io.ReaderFrom contract
+				err = er
+			}
+			return
+		}
+	}
+}
+
+type Reader struct {
+	io.Reader
+	cipher.AEAD
+	nonce [32]byte // should be sufficient for most nonce sizes
+	buf   []byte   // to be put back into bufPool
+	off   int      // offset to unconsumed part of buf
+}
+
+// NewReader wraps an io.Reader with authenticated decryption.
+func NewReader(r io.Reader, aead cipher.AEAD) *Reader { return &Reader{Reader: r, AEAD: aead} }
+
+// Read and decrypt a record into p. len(p) >= max payload size + AEAD overhead.
+func (r *Reader) read(p []byte) (int, error) {
+	nonce := r.nonce[:r.NonceSize()]
+	tag := r.Overhead()
+
+	// decrypt payload size
+	p = p[:2+tag]
+	if _, err := io.ReadFull(r.Reader, p); err != nil {
+		return 0, err
+	}
+	_, err := r.Open(p[:0], nonce, p, nil)
+	increment(nonce)
+	if err != nil {
+		return 0, err
+	}
+
+	// decrypt payload
+	size := (int(p[0])<<8 + int(p[1])) & payloadSizeMask
+	if size == 0 {
+		return 0, ErrZeroChunk
+	}
+
+	p = p[:size+tag]
+	if _, err := io.ReadFull(r.Reader, p); err != nil {
+		return 0, err
+	}
+	_, err = r.Open(p[:0], nonce, p, nil)
+	increment(nonce)
+	if err != nil {
+		return 0, err
+	}
+	return size, nil
+}
+
+// Read reads from the embedded io.Reader, decrypts and writes to p.
+func (r *Reader) Read(p []byte) (int, error) {
+	if r.buf == nil {
+		if len(p) >= payloadSizeMask+r.Overhead() {
+			return r.read(p)
+		}
+		b := pool.Get(bufSize)
+		n, err := r.read(b)
+		if err != nil {
+			return 0, err
+		}
+		r.buf = b[:n]
+		r.off = 0
+	}
+
+	n := copy(p, r.buf[r.off:])
+	r.off += n
+	if r.off == len(r.buf) {
+		pool.Put(r.buf[:cap(r.buf)])
+		r.buf = nil
+	}
+	return n, nil
+}
+
+// WriteTo reads from the embedded io.Reader, decrypts and writes to w until
+// there's no more data to write or when an error occurs. Return number of
+// bytes written to w and any error encountered.
+func (r *Reader) WriteTo(w io.Writer) (n int64, err error) {
+	if r.buf == nil {
+		r.buf = pool.Get(bufSize)
+		r.off = len(r.buf)
+	}
+
+	for {
+		for r.off < len(r.buf) {
+			nw, ew := w.Write(r.buf[r.off:])
+			r.off += nw
+			n += int64(nw)
+			if ew != nil {
+				if r.off == len(r.buf) {
+					pool.Put(r.buf[:cap(r.buf)])
+					r.buf = nil
+				}
+				err = ew
+				return
+			}
+		}
+
+		nr, er := r.read(r.buf)
+		if er != nil {
+			if er != io.EOF {
+				err = er
+			}
+			return
+		}
+		r.buf = r.buf[:nr]
+		r.off = 0
+	}
+}
+
+// increment little-endian encoded unsigned integer b. Wrap around on overflow.
+func increment(b []byte) {
+	for i := range b {
+		b[i]++
+		if b[i] != 0 {
+			return
+		}
+	}
+}
+
+type Conn struct {
+	net.Conn
+	Cipher
+	r *Reader
+	w *Writer
+}
+
+// NewConn wraps a stream-oriented net.Conn with cipher.
+func NewConn(c net.Conn, ciph Cipher) *Conn { return &Conn{Conn: c, Cipher: ciph} }
+
+func (c *Conn) initReader() error {
+	salt := make([]byte, c.SaltSize())
+	if _, err := io.ReadFull(c.Conn, salt); err != nil {
+		return err
+	}
+
+	aead, err := c.Decrypter(salt)
+	if err != nil {
+		return err
+	}
+
+	c.r = NewReader(c.Conn, aead)
+	return nil
+}
+
+func (c *Conn) Read(b []byte) (int, error) {
+	if c.r == nil {
+		if err := c.initReader(); err != nil {
+			return 0, err
+		}
+	}
+	return c.r.Read(b)
+}
+
+func (c *Conn) WriteTo(w io.Writer) (int64, error) {
+	if c.r == nil {
+		if err := c.initReader(); err != nil {
+			return 0, err
+		}
+	}
+	return c.r.WriteTo(w)
+}
+
+func (c *Conn) initWriter() error {
+	salt := make([]byte, c.SaltSize())
+	if _, err := rand.Read(salt); err != nil {
+		return err
+	}
+	aead, err := c.Encrypter(salt)
+	if err != nil {
+		return err
+	}
+	_, err = c.Conn.Write(salt)
+	if err != nil {
+		return err
+	}
+	c.w = NewWriter(c.Conn, aead)
+	return nil
+}
+
+func (c *Conn) Write(b []byte) (int, error) {
+	if c.w == nil {
+		if err := c.initWriter(); err != nil {
+			return 0, err
+		}
+	}
+	return c.w.Write(b)
+}
+
+func (c *Conn) ReadFrom(r io.Reader) (int64, error) {
+	if c.w == nil {
+		if err := c.initWriter(); err != nil {
+			return 0, err
+		}
+	}
+	return c.w.ReadFrom(r)
+}

transport/shadowsocks/shadowstream/cipher.go

@@ -0,0 +1,116 @@
+package shadowstream
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/md5"
+	"crypto/rc4"
+	"strconv"
+
+	"golang.org/x/crypto/chacha20"
+)
+
+// Cipher generates a pair of stream ciphers for encryption and decryption.
+type Cipher interface {
+	IVSize() int
+	Encrypter(iv []byte) cipher.Stream
+	Decrypter(iv []byte) cipher.Stream
+}
+
+type KeySizeError int
+
+func (e KeySizeError) Error() string {
+	return "key size error: need " + strconv.Itoa(int(e)) + " bytes"
+}
+
+// CTR mode
+type ctrStream struct{ cipher.Block }
+
+func (b *ctrStream) IVSize() int                       { return b.BlockSize() }
+func (b *ctrStream) Decrypter(iv []byte) cipher.Stream { return b.Encrypter(iv) }
+func (b *ctrStream) Encrypter(iv []byte) cipher.Stream { return cipher.NewCTR(b, iv) }
+
+func AESCTR(key []byte) (Cipher, error) {
+	blk, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+	return &ctrStream{blk}, nil
+}
+
+// CFB mode
+type cfbStream struct{ cipher.Block }
+
+func (b *cfbStream) IVSize() int                       { return b.BlockSize() }
+func (b *cfbStream) Decrypter(iv []byte) cipher.Stream { return cipher.NewCFBDecrypter(b, iv) }
+func (b *cfbStream) Encrypter(iv []byte) cipher.Stream { return cipher.NewCFBEncrypter(b, iv) }
+
+func AESCFB(key []byte) (Cipher, error) {
+	blk, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+	return &cfbStream{blk}, nil
+}
+
+// IETF-variant of chacha20
+type chacha20ietfkey []byte
+
+func (k chacha20ietfkey) IVSize() int                       { return chacha20.NonceSize }
+func (k chacha20ietfkey) Decrypter(iv []byte) cipher.Stream { return k.Encrypter(iv) }
+func (k chacha20ietfkey) Encrypter(iv []byte) cipher.Stream {
+	ciph, err := chacha20.NewUnauthenticatedCipher(k, iv)
+	if err != nil {
+		panic(err) // should never happen
+	}
+	return ciph
+}
+
+func Chacha20IETF(key []byte) (Cipher, error) {
+	if len(key) != chacha20.KeySize {
+		return nil, KeySizeError(chacha20.KeySize)
+	}
+	return chacha20ietfkey(key), nil
+}
+
+type xchacha20key []byte
+
+func (k xchacha20key) IVSize() int                       { return chacha20.NonceSizeX }
+func (k xchacha20key) Decrypter(iv []byte) cipher.Stream { return k.Encrypter(iv) }
+func (k xchacha20key) Encrypter(iv []byte) cipher.Stream {
+	ciph, err := chacha20.NewUnauthenticatedCipher(k, iv)
+	if err != nil {
+		panic(err) // should never happen
+	}
+	return ciph
+}
+
+func Xchacha20(key []byte) (Cipher, error) {
+	if len(key) != chacha20.KeySize {
+		return nil, KeySizeError(chacha20.KeySize)
+	}
+	return xchacha20key(key), nil
+}
+
+type rc4Md5Key []byte
+
+func (k rc4Md5Key) IVSize() int {
+	return 16
+}
+
+func (k rc4Md5Key) Encrypter(iv []byte) cipher.Stream {
+	h := md5.New()
+	h.Write([]byte(k))
+	h.Write(iv)
+	rc4key := h.Sum(nil)
+	c, _ := rc4.NewCipher(rc4key)
+	return c
+}
+
+func (k rc4Md5Key) Decrypter(iv []byte) cipher.Stream {
+	return k.Encrypter(iv)
+}
+
+func RC4MD5(key []byte) (Cipher, error) {
+	return rc4Md5Key(key), nil
+}

transport/shadowsocks/shadowstream/packet.go

@@ -0,0 +1,79 @@
+package shadowstream
+
+import (
+	"crypto/rand"
+	"errors"
+	"io"
+	"net"
+
+	"github.com/Dreamacro/clash/common/pool"
+)
+
+// ErrShortPacket means the packet is too short to be a valid encrypted packet.
+var ErrShortPacket = errors.New("short packet")
+
+// Pack encrypts plaintext using stream cipher s and a random IV.
+// Returns a slice of dst containing random IV and ciphertext.
+// Ensure len(dst) >= s.IVSize() + len(plaintext).
+func Pack(dst, plaintext []byte, s Cipher) ([]byte, error) {
+	if len(dst) < s.IVSize()+len(plaintext) {
+		return nil, io.ErrShortBuffer
+	}
+	iv := dst[:s.IVSize()]
+	_, err := rand.Read(iv)
+	if err != nil {
+		return nil, err
+	}
+	s.Encrypter(iv).XORKeyStream(dst[len(iv):], plaintext)
+	return dst[:len(iv)+len(plaintext)], nil
+}
+
+// Unpack decrypts pkt using stream cipher s.
+// Returns a slice of dst containing decrypted plaintext.
+func Unpack(dst, pkt []byte, s Cipher) ([]byte, error) {
+	if len(pkt) < s.IVSize() {
+		return nil, ErrShortPacket
+	}
+	if len(dst) < len(pkt)-s.IVSize() {
+		return nil, io.ErrShortBuffer
+	}
+	iv := pkt[:s.IVSize()]
+	s.Decrypter(iv).XORKeyStream(dst, pkt[len(iv):])
+	return dst[:len(pkt)-len(iv)], nil
+}
+
+type PacketConn struct {
+	net.PacketConn
+	Cipher
+}
+
+// NewPacketConn wraps a net.PacketConn with stream cipher encryption/decryption.
+func NewPacketConn(c net.PacketConn, ciph Cipher) *PacketConn {
+	return &PacketConn{PacketConn: c, Cipher: ciph}
+}
+
+const maxPacketSize = 64 * 1024
+
+func (c *PacketConn) WriteTo(b []byte, addr net.Addr) (int, error) {
+	buf := pool.Get(maxPacketSize)
+	defer pool.Put(buf)
+	buf, err := Pack(buf, b, c.Cipher)
+	if err != nil {
+		return 0, err
+	}
+	_, err = c.PacketConn.WriteTo(buf, addr)
+	return len(b), err
+}
+
+func (c *PacketConn) ReadFrom(b []byte) (int, net.Addr, error) {
+	n, addr, err := c.PacketConn.ReadFrom(b)
+	if err != nil {
+		return n, addr, err
+	}
+	bb, err := Unpack(b[c.IVSize():], b[:n], c.Cipher)
+	if err != nil {
+		return n, addr, err
+	}
+	copy(b, bb)
+	return len(bb), addr, err
+}

transport/shadowsocks/shadowstream/stream.go

@@ -0,0 +1,197 @@
+package shadowstream
+
+import (
+	"crypto/cipher"
+	"crypto/rand"
+	"io"
+	"net"
+)
+
+const bufSize = 2048
+
+type Writer struct {
+	io.Writer
+	cipher.Stream
+	buf [bufSize]byte
+}
+
+// NewWriter wraps an io.Writer with stream cipher encryption.
+func NewWriter(w io.Writer, s cipher.Stream) *Writer { return &Writer{Writer: w, Stream: s} }
+
+func (w *Writer) Write(p []byte) (n int, err error) {
+	buf := w.buf[:]
+	for nw := 0; n < len(p) && err == nil; n += nw {
+		end := n + len(buf)
+		if end > len(p) {
+			end = len(p)
+		}
+		w.XORKeyStream(buf, p[n:end])
+		nw, err = w.Writer.Write(buf[:end-n])
+	}
+	return
+}
+
+func (w *Writer) ReadFrom(r io.Reader) (n int64, err error) {
+	buf := w.buf[:]
+	for {
+		nr, er := r.Read(buf)
+		n += int64(nr)
+		b := buf[:nr]
+		w.XORKeyStream(b, b)
+		if _, err = w.Writer.Write(b); err != nil {
+			return
+		}
+		if er != nil {
+			if er != io.EOF { // ignore EOF as per io.ReaderFrom contract
+				err = er
+			}
+			return
+		}
+	}
+}
+
+type Reader struct {
+	io.Reader
+	cipher.Stream
+	buf [bufSize]byte
+}
+
+// NewReader wraps an io.Reader with stream cipher decryption.
+func NewReader(r io.Reader, s cipher.Stream) *Reader { return &Reader{Reader: r, Stream: s} }
+
+func (r *Reader) Read(p []byte) (n int, err error) {
+	n, err = r.Reader.Read(p)
+	if err != nil {
+		return 0, err
+	}
+	r.XORKeyStream(p, p[:n])
+	return
+}
+
+func (r *Reader) WriteTo(w io.Writer) (n int64, err error) {
+	buf := r.buf[:]
+	for {
+		nr, er := r.Reader.Read(buf)
+		if nr > 0 {
+			r.XORKeyStream(buf, buf[:nr])
+			nw, ew := w.Write(buf[:nr])
+			n += int64(nw)
+			if ew != nil {
+				err = ew
+				return
+			}
+		}
+		if er != nil {
+			if er != io.EOF { // ignore EOF as per io.Copy contract (using src.WriteTo shortcut)
+				err = er
+			}
+			return
+		}
+	}
+}
+
+// A Conn represents a Shadowsocks connection. It implements the net.Conn interface.
+type Conn struct {
+	net.Conn
+	Cipher
+	r       *Reader
+	w       *Writer
+	readIV  []byte
+	writeIV []byte
+}
+
+// NewConn wraps a stream-oriented net.Conn with stream cipher encryption/decryption.
+func NewConn(c net.Conn, ciph Cipher) *Conn { return &Conn{Conn: c, Cipher: ciph} }
+
+func (c *Conn) initReader() error {
+	if c.r == nil {
+		iv, err := c.ObtainReadIV()
+		if err != nil {
+			return err
+		}
+		c.r = NewReader(c.Conn, c.Decrypter(iv))
+	}
+	return nil
+}
+
+func (c *Conn) Read(b []byte) (int, error) {
+	if c.r == nil {
+		if err := c.initReader(); err != nil {
+			return 0, err
+		}
+	}
+	return c.r.Read(b)
+}
+
+func (c *Conn) WriteTo(w io.Writer) (int64, error) {
+	if c.r == nil {
+		if err := c.initReader(); err != nil {
+			return 0, err
+		}
+	}
+	return c.r.WriteTo(w)
+}
+
+func (c *Conn) initWriter() error {
+	if c.w == nil {
+		iv, err := c.ObtainWriteIV()
+		if err != nil {
+			return err
+		}
+		if _, err := c.Conn.Write(iv); err != nil {
+			return err
+		}
+		c.w = NewWriter(c.Conn, c.Encrypter(iv))
+	}
+	return nil
+}
+
+func (c *Conn) Write(b []byte) (int, error) {
+	if c.w == nil {
+		if err := c.initWriter(); err != nil {
+			return 0, err
+		}
+	}
+	return c.w.Write(b)
+}
+
+func (c *Conn) ReadFrom(r io.Reader) (int64, error) {
+	if c.w == nil {
+		if err := c.initWriter(); err != nil {
+			return 0, err
+		}
+	}
+	return c.w.ReadFrom(r)
+}
+
+func (c *Conn) ObtainWriteIV() ([]byte, error) {
+	if len(c.writeIV) == c.IVSize() {
+		return c.writeIV, nil
+	}
+
+	iv := make([]byte, c.IVSize())
+
+	if _, err := rand.Read(iv); err != nil {
+		return nil, err
+	}
+
+	c.writeIV = iv
+
+	return iv, nil
+}
+
+func (c *Conn) ObtainReadIV() ([]byte, error) {
+	if len(c.readIV) == c.IVSize() {
+		return c.readIV, nil
+	}
+
+	iv := make([]byte, c.IVSize())
+
+	if _, err := io.ReadFull(c.Conn, iv); err != nil {
+		return nil, err
+	}
+
+	c.readIV = iv
+
+	return iv, nil
+}

transport/snell/cipher.go

@@ -4,7 +4,8 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 
-	"github.com/Dreamacro/go-shadowsocks2/shadowaead"
+	"github.com/Dreamacro/clash/transport/shadowsocks/shadowaead"
+
 	"golang.org/x/crypto/argon2"
 	"golang.org/x/crypto/chacha20poly1305"
 )

transport/snell/pool.go

@@ -6,8 +6,7 @@ import (
 	"time"
 
 	"github.com/Dreamacro/clash/component/pool"
-
-	"github.com/Dreamacro/go-shadowsocks2/shadowaead"
+	"github.com/Dreamacro/clash/transport/shadowsocks/shadowaead"
 )
 
 type Pool struct {

transport/snell/snell.go

@@ -9,9 +9,8 @@ import (
 	"sync"
 
 	"github.com/Dreamacro/clash/common/pool"
+	"github.com/Dreamacro/clash/transport/shadowsocks/shadowaead"
 	"github.com/Dreamacro/clash/transport/socks5"
-
-	"github.com/Dreamacro/go-shadowsocks2/shadowaead"
 )
 
 const (

transport/socks5/socks5.go

@@ -6,6 +6,7 @@ import (
 	"errors"
 	"io"
 	"net"
+	"net/netip"
 	"strconv"
 
 	"github.com/Dreamacro/clash/component/auth"
@@ -398,6 +399,21 @@ func ParseAddrToSocksAddr(addr net.Addr) Addr {
 	return parsed
 }
 
+func AddrFromStdAddrPort(addrPort netip.AddrPort) Addr {
+	addr := addrPort.Addr()
+	if addr.Is4() {
+		ip4 := addr.As4()
+		return []byte{AtypIPv4, ip4[0], ip4[1], ip4[2], ip4[3], byte(addrPort.Port() >> 8), byte(addrPort.Port())}
+	}
+
+	buf := make([]byte, 1+net.IPv6len+2)
+	buf[0] = AtypIPv6
+	copy(buf[1:], addr.AsSlice())
+	buf[1+net.IPv6len] = byte(addrPort.Port() >> 8)
+	buf[1+net.IPv6len+1] = byte(addrPort.Port())
+	return buf
+}
+
 // DecodeUDPPacket split `packet` to addr payload, and this function is mutable with `packet`
 func DecodeUDPPacket(packet []byte) (addr Addr, payload []byte, err error) {
 	if len(packet) < 5 {

transport/ssr/protocol/auth_chain_a.go

@@ -13,9 +13,8 @@ import (
 
 	"github.com/Dreamacro/clash/common/pool"
 	"github.com/Dreamacro/clash/log"
+	"github.com/Dreamacro/clash/transport/shadowsocks/core"
 	"github.com/Dreamacro/clash/transport/ssr/tools"
-
-	"github.com/Dreamacro/go-shadowsocks2/core"
 )
 
 func init() {

transport/ssr/protocol/base.go

@@ -12,8 +12,7 @@ import (
 
 	"github.com/Dreamacro/clash/common/pool"
 	"github.com/Dreamacro/clash/log"
-
-	"github.com/Dreamacro/go-shadowsocks2/core"
+	"github.com/Dreamacro/clash/transport/shadowsocks/core"
 )
 
 type Base struct {

tunnel/connection.go

@@ -3,26 +3,17 @@ package tunnel
 import (
 	"errors"
 	"net"
+	"net/netip"
 	"time"
 
 	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/common/pool"
-	"github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
 )
 
 func handleUDPToRemote(packet C.UDPPacket, pc C.PacketConn, metadata *C.Metadata) error {
 	defer packet.Drop()
 
-	// local resolve UDP dns
-	if !metadata.Resolved() {
-		ip, err := resolver.ResolveIP(metadata.Host)
-		if err != nil {
-			return err
-		}
-		metadata.DstIP = ip
-	}
-
 	addr := metadata.UDPAddr()
 	if addr == nil {
 		return errors.New("udp addr invalid")
@@ -37,7 +28,7 @@ func handleUDPToRemote(packet C.UDPPacket, pc C.PacketConn, metadata *C.Metadata
 	return nil
 }
 
-func handleUDPToLocal(packet C.UDPPacket, pc net.PacketConn, key string, fAddr net.Addr) {
+func handleUDPToLocal(packet C.UDPPacket, pc net.PacketConn, key string, oAddr, fAddr netip.Addr) {
 	buf := pool.Get(pool.UDPBufferSize)
 	defer pool.Put(buf)
 	defer natTable.Delete(key)
@@ -50,11 +41,16 @@ func handleUDPToLocal(packet C.UDPPacket, pc net.PacketConn, key string, fAddr n
 			return
 		}
 
-		if fAddr != nil {
-			from = fAddr
+		fromUDPAddr := from.(*net.UDPAddr)
+		if fAddr.IsValid() {
+			fromAddr, _ := netip.AddrFromSlice(fromUDPAddr.IP)
+			fromAddr.Unmap()
+			if oAddr == fromAddr {
+				fromUDPAddr.IP = fAddr.AsSlice()
+			}
 		}
 
-		_, err = packet.WriteBack(buf[:n], from)
+		_, err = packet.WriteBack(buf[:n], fromUDPAddr)
 		if err != nil {
 			return
 		}

tunnel/tunnel.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"net/netip"
 	"runtime"
 	"strconv"
 	"sync"
@@ -122,11 +123,6 @@ func preHandleMetadata(metadata *C.Metadata) error {
 	if ip := net.ParseIP(metadata.Host); ip != nil {
 		metadata.DstIP = ip
 		metadata.Host = ""
-		if ip.To4() != nil {
-			metadata.AddrType = C.AtypIPv4
-		} else {
-			metadata.AddrType = C.AtypIPv6
-		}
 	}
 
 	// preprocess enhanced-mode metadata
@@ -134,7 +130,6 @@ func preHandleMetadata(metadata *C.Metadata) error {
 		host, exist := resolver.FindHostByIP(metadata.DstIP)
 		if exist {
 			metadata.Host = host
-			metadata.AddrType = C.AtypDomainName
 			metadata.DNSMode = C.DNSMapping
 			if resolver.FakeIPEnabled() {
 				metadata.DstIP = nil
@@ -172,9 +167,10 @@ func handleUDPConn(packet *inbound.PacketAdapter) {
 	}
 
 	// make a fAddr if request ip is fakeip
-	var fAddr net.Addr
+	var fAddr netip.Addr
 	if resolver.IsExistFakeIP(metadata.DstIP) {
-		fAddr = metadata.UDPAddr()
+		fAddr, _ = netip.AddrFromSlice(metadata.DstIP)
+		fAddr = fAddr.Unmap()
 	}
 
 	if err := preHandleMetadata(metadata); err != nil {
@@ -182,6 +178,15 @@ func handleUDPConn(packet *inbound.PacketAdapter) {
 		return
 	}
 
+	// local resolve UDP dns
+	if !metadata.Resolved() {
+		ip, err := resolver.ResolveIP(metadata.Host)
+		if err != nil {
+			return
+		}
+		metadata.DstIP = ip
+	}
+
 	key := packet.LocalAddr().String()
 
 	handle := func() bool {
@@ -246,7 +251,9 @@ func handleUDPConn(packet *inbound.PacketAdapter) {
 			log.Infoln("[UDP] %s --> %s doesn't match any rule using DIRECT", metadata.SourceAddress(), metadata.RemoteAddress())
 		}
 
-		go handleUDPToLocal(packet.UDPPacket, pc, key, fAddr)
+		oAddr, _ := netip.AddrFromSlice(metadata.DstIP)
+		oAddr = oAddr.Unmap()
+		go handleUDPToLocal(packet.UDPPacket, pc, key, oAddr, fAddr)
 
 		natTable.Set(key, pc)
 		handle()
@@ -333,9 +340,9 @@ func match(metadata *C.Metadata) (C.Proxy, C.Rule, error) {
 		if !processFound && rule.ShouldFindProcess() {
 			processFound = true
 
-			srcPort, err := strconv.Atoi(metadata.SrcPort)
+			srcPort, err := strconv.ParseUint(metadata.SrcPort, 10, 16)
 			if err == nil {
-				path, err := P.FindProcessName(metadata.NetWork.String(), metadata.SrcIP, srcPort)
+				path, err := P.FindProcessName(metadata.NetWork.String(), metadata.SrcIP, int(srcPort))
 				if err != nil {
 					log.Debugln("[Process] find process %s: %v", metadata.String(), err)
 				} else {