refactor: udp

chore: reformat code
chore: add more shadowsocks tests
2022-06-09 21:16:42 +08:00 · 2022-06-09 21:08:46 +08:00 · 2022-06-09 18:10:31 +08:00 · 2022-06-09 18:05:45 +08:00 · 2022-06-09 17:59:17 +08:00 · 2022-06-09 17:59:17 +08:00
279 changed files with 10007 additions and 6110 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@ -1,76 +0,0 @@
-name: Bug report
-description: Create a report to help us improve
-title: "[Bug] "
-body:
-  - type: checkboxes
-    id: ensure
-    attributes:
-      label: Verify steps
-      description: "
-在提交之前，请确认
-Please verify that you've followed these steps
-"
-      options:
-        - label: "
-如果你可以自己 debug 并解决的话，提交 PR 吧
-Is this something you can **debug and fix**? Send a pull request! Bug fixes and documentation fixes are welcome.
-"
-          required: true
-        - label: "
-我已经在 [Issue Tracker](……/) 中找过我要提出的问题
-I have searched on the [issue tracker](……/) for a related issue.
-"
-          required: true
-        - label: "
-我已经使用 dev 分支版本测试过，问题依旧存在
-I have tested using the dev branch, and the issue still exists.
-"
-          required: true
-        - label: "
-我已经仔细看过 [Documentation](https://github.com/Dreamacro/clash/wiki/) 并无法自行解决问题
-I have read the [documentation](https://github.com/Dreamacro/clash/wiki/) and was unable to solve the issue.
-"
-          required: true
-        - label: "
-这是 Clash 核心的问题，并非我所使用的 Clash 衍生版本（如 OpenClash、KoolClash 等）的特定问题
-This is an issue of the Clash core *per se*, not to the derivatives of Clash, like OpenClash or KoolClash.
-"
-          required: true
-  - type: input
-    attributes:
-      label: Clash version
-    validations:
-      required: true
-  - type: dropdown
-    id: os
-    attributes:
-      label: What OS are you seeing the problem on?
-      multiple: true
-      options:
-        - macOS
-        - Windows
-        - Linux
-        - OpenBSD/FreeBSD
-  - type: textarea
-    attributes:
-      render: yaml
-      label: "Clash config"
-      description: "
-在下方附上 Clash core 脱敏后配置文件的内容
-Paste the Clash core configuration below.
-"
-    validations:
-      required: true
-  - type: textarea
-    attributes:
-      render: shell
-      label: Clash log
-      description: "
-在下方附上 Clash Core 的日志，log level 使用 DEBUG
-Paste the Clash core log below with the log level set to `DEBUG`.
-"
-  - type: textarea
-    attributes:
-      label: Description
-    validations:
-      required: true
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@ -1,6 +0,0 @@
-blank_issues_enabled: false
-
-contact_links:
-  - name: Get help in GitHub Discussions
-    url: https://github.com/Dreamacro/clash/discussions
-    about: Have a question? Not sure if your issue affects everyone reproducibly? The quickest way to get help is on Clash's GitHub Discussions!
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@ -1,36 +0,0 @@
-name: Feature request
-description: Suggest an idea for this project
-title: "[Feature] "
-body:
-  - type: checkboxes
-    id: ensure
-    attributes:
-      label: Verify steps
-      description: "
-在提交之前，请确认
-Please verify that you've followed these steps
-"
-      options:
-        - label: "
-我已经在 [Issue Tracker](……/) 中找过我要提出的请求
-I have searched on the [issue tracker](……/) for a related feature request.
-"
-          required: true
-        - label: "
-我已经仔细看过 [Documentation](https://github.com/Dreamacro/clash/wiki/) 并无法自行解决问题
-I have read the [documentation](https://github.com/Dreamacro/clash/wiki/) and was unable to solve the issue.
-"
-          required: true
-  - type: textarea
-    attributes:
-      label: Description
-      description: 请详细、清晰地表达你要提出的论述，例如这个问题如何影响到你？你想实现什么功能？目前 Clash Core 的行为是什麽？
-    validations:
-      required: true
-  - type: textarea
-    attributes:
-      label: Possible Solution
-      description: "
-此项非必须，但是如果你有想法的话欢迎提出。
-Not obligatory, but suggest a fix/reason for the bug, or ideas how to implement the addition or change
-"
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@ -0,0 +1,20 @@
+name: Build All
+on:
+  workflow_dispatch:
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up Go
+        uses: actions/setup-go@v1
+        with:
+          go-version: 1.18
+      - name: Check out code
+        uses: actions/checkout@v1
+      - name: Build
+        run: make all
+      - name: Release
+        uses: softprops/action-gh-release@v1
+        with:
+          files: bin/*
+          draft: true
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -1,29 +0,0 @@
-name: CodeQL
-
-on:
-  push:
-    branches: [ rm ]
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: ['go']
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v3
-
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
-      with:
-        languages: ${{ matrix.language }}
-
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@ -0,0 +1,61 @@
+name: Docker
+
+on:
+  push:
+    branches:
+      - Beta
+    tags:
+      - "v*"
+env:
+  REGISTRY: docker.io
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@v1
+        with:
+          version: latest
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v3
+        with:
+          images: ${{ env.REGISTRY }}/${{ secrets.DOCKERHUB_ACCOUNT }}/${{secrets.DOCKERHUB_REPO}}
+
+      - name: Log into registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.DOCKER_HUB_USER }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: ./Dockerfile
+          push: ${{ github.event_name != 'pull_request' }}
+          platforms: |
+            linux/386
+            linux/amd64
+            linux/arm64/v8
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -1,79 +0,0 @@
-name: Publish Docker Image
-on:
-  push:
-    branches:
-      - rm
-
-jobs:
-
-  build:
-    name: Build
-    runs-on: ubuntu-latest
-    steps:
-
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-        with:
-          platforms: all
-
-      - name: Set up docker buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v1
-        with:
-          version: latest
-
-      - name: Login to DockerHub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-      
-      - name: Login to Github Package
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: Dreamacro
-          password: ${{ secrets.PACKAGE_TOKEN }}
-
-      - name: Build dev branch and push
-        if: github.ref == 'refs/heads/dev'
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64
-          push: true
-          tags: 'dreamacro/clash:dev,ghcr.io/dreamacro/clash:dev'
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-
-      - name: Get all docker tags
-        if: startsWith(github.ref, 'refs/tags/')
-        uses: actions/github-script@v6
-        id: tags
-        with:
-          script: |
-            const ref = context.payload.ref.replace(/\/?refs\/tags\//, '')
-            const tags = [
-              'dreamacro/clash:latest',
-              `dreamacro/clash:${ref}`,
-              'ghcr.io/dreamacro/clash:latest',
-              `ghcr.io/dreamacro/clash:${ref}`
-            ]
-            return tags.join(',')
-          result-encoding: string
-
-      - name: Build release and push
-        if: startsWith(github.ref, 'refs/tags/')
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64
-          push: true
-          tags: ${{steps.tags.outputs.result}}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@ -1,22 +0,0 @@
-name: Linter
-on: [push, pull_request]
-jobs:
-  lint:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Get latest go version
-        id: version
-        run: |
-          echo ::set-output name=go_version::$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g')
-
-      - name: Setup Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: ${{ steps.version.outputs.go_version }}
-
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
-        with:
-          version: latest
--- a/.github/workflows/prerelease.yml
+++ b/.github/workflows/prerelease.yml
@ -0,0 +1,70 @@
+name: Prerelease
+on:
+  push:
+    branches:
+      - Alpha
+      - Beta
+  pull_request:
+    branches:
+      - Alpha
+      - Beta
+jobs:
+  Build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get latest go version
+        id: version
+        run: |
+          echo ::set-output name=go_version::$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g')
+      - name: Setup Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ steps.version.outputs.go_version }}
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v3
+
+      - name: Cache go module
+        uses: actions/cache@v2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+
+      - name: Test
+        if: ${{github.ref_name=='Beta'}}
+        run: |
+          go test ./...
+
+      - name: Build
+        if: success()
+        env:
+          NAME: Clash.Meta
+          BINDIR: bin
+        run: make -j$(($(nproc) + 1)) releases
+
+      - name: Delete current release assets
+        uses: andreaswilli/delete-release-assets-action@v2.0.0
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          tag: Prerelease-${{ github.ref_name }}
+          deleteOnlyFromDrafts: false
+
+      - name: Tag Repo
+        uses: richardsimko/update-tag@v1
+        with:
+          tag_name: Prerelease-${{ github.ref_name }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload Alpha
+        uses: softprops/action-gh-release@v1
+        if: ${{  success() }}
+        with:
+          tag: ${{ github.ref_name }}
+          tag_name: Prerelease-${{ github.ref_name }}
+          files: bin/*
+          prerelease: true
+          generate_release_notes: true
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -0,0 +1,44 @@
+name: Release
+on:
+  push:
+    tags:
+      - "v*"
+jobs:
+  Build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get latest go version
+        id: version
+        run: |
+          echo ::set-output name=go_version::$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g')
+      - name: Setup Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ steps.version.outputs.go_version }}
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v3
+      - name: Cache go module
+        uses: actions/cache@v2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: Test
+        run: |
+          go test ./...
+      - name: Build
+        if: success()
+        env:
+          NAME: Clash.Meta
+          BINDIR: bin
+        run: make -j$(($(nproc) + 1)) releases
+
+      - name: Upload Release
+        uses: softprops/action-gh-release@v1
+        if: ${{ success() && startsWith(github.ref, 'refs/tags/')}}
+        with:
+          tag: ${{ github.ref }}
+          files: bin/*
+          generate_release_notes: true
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -1,73 +0,0 @@
-name: Release
-on: [push]
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Get latest go version
-        id: version
-        run: |
-          echo ::set-output name=go_version::$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g')
-
-      - name: Setup Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: ${{ steps.version.outputs.go_version }}
-
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v3
-
-      - name: Go cache paths
-        id: go-cache-paths
-        run: |
-          echo "::set-output name=go-build::$(go env GOCACHE)"
-          echo "::set-output name=go-mod::$(go env GOMODCACHE)"
-
-      - name: Cache go module
-        uses: actions/cache@v2
-        with:
-          path: |
-            ${{ steps.go-cache-paths.outputs.go-mod }}
-            ${{ steps.go-cache-paths.outputs.go-build }}
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Get dependencies, run test
-        run: |
-          go test ./...
-
-      - name: Build
-        if: startsWith(github.ref, 'refs/tags/')
-        env:
-          NAME: clash
-          BINDIR: bin
-        run: make -j releases
-
-      #- name: Prepare upload
-      #  run: |
-      #    echo "FILE_DATE=_$(date +"%Y%m%d%H%M")" >> $GITHUB_ENV
-      #    echo "FILE_SHA=$(git describe --tags --always 2>/dev/null)" >> $GITHUB_ENV
-      #
-      #- name: Upload files to Artifacts
-      #  uses: actions/upload-artifact@v2
-      #  if: startsWith(github.ref, 'refs/tags/') == false
-      #  with:
-      #    name: clash_${{ env.FILE_SHA }}${{ env.FILE_DATE }}
-      #    path: |
-      #      bin/*
-
-      - name: Upload Release
-        uses: softprops/action-gh-release@v1
-        if: startsWith(github.ref, 'refs/tags/')
-        with:
-          files: bin/*
-          draft: true
-          prerelease: true
-          generate_release_notes: true
-
-      #- name: Delete workflow runs
-      #  uses: GitRML/delete-workflow-runs@main
-      #  with:
-      #    retain_days: 1
-      #    keep_minimum_runs: 2
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -1,19 +0,0 @@
-  
-name: Mark stale issues and pull requests
-
-on:
-  push:
-    branches:
-      - rm
-
-jobs:
-  stale:
-
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/stale@v5
-        with:
-          stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days'
-          days-before-stale: 60
-          days-before-close: 5
--- a/.gitignore
+++ b/.gitignore
@ -23,3 +23,5 @@ vendor

 # test suite
 test/config/cache*
+/output
+/.vscode
--- a/28
+++ b/28
@ -1,18 +1,26 @@
 FROM golang:alpine as builder

 RUN apk add --no-cache make git && \
-    wget -O /Country.mmdb https://github.com/Dreamacro/maxmind-geoip/releases/latest/download/Country.mmdb
-WORKDIR /clash-src
-COPY --from=tonistiigi/xx:golang / /
+    mkdir /clash-config && \
+    wget -O /clash-config/Country.mmdb https://raw.githubusercontent.com/Loyalsoldier/geoip/release/Country.mmdb && \
+    wget -O /clash-config/geosite.dat https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat && \
+    wget -O /clash-config/geoip.dat https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat
+
+
 COPY . /clash-src
-RUN go mod download && \
-    make docker && \
-    mv ./bin/clash-docker /clash
+WORKDIR /clash-src
+RUN go mod download &&\
+    make docker &&\
+    mv ./bin/Clash.Meta-docker /clash

 FROM alpine:latest
-LABEL org.opencontainers.image.source="https://github.com/Dreamacro/clash"
+LABEL org.opencontainers.image.source="https://github.com/MetaCubeX/Clash.Meta"

 RUN apk add --no-cache ca-certificates tzdata
-COPY --from=builder /Country.mmdb /root/.config/clash/
-COPY --from=builder /clash /
-ENTRYPOINT ["/clash"]
+
+VOLUME ["/root/.config/clash/"]
+
+COPY --from=builder /clash-config/ /root/.config/clash/
+COPY --from=builder /clash /clash
+RUN chmod +x /clash
+ENTRYPOINT [ "/clash" ]
--- a/74
+++ b/74
@ -1,6 +1,16 @@
-NAME=clash
+NAME=Clash.Meta
 BINDIR=bin
-VERSION=$(shell git describe --tags --always 2>/dev/null || echo "unknown version")
+BRANCH=$(shell git branch --show-current)
+ifeq ($(BRANCH),Alpha)
+VERSION=alpha-$(shell git rev-parse --short HEAD)
+else ifeq ($(BRANCH),Beta)
+VERSION=beta-$(shell git rev-parse --short HEAD)
+else ifeq ($(BRANCH),)
+VERSION=$(shell git describe --tags)
+else
+VERSION=$(shell git rev-parse --short HEAD)
+endif
+
 BUILDTIME=$(shell date -u)
 GOBUILD=CGO_ENABLED=0 go build -trimpath -ldflags '-X "github.com/Dreamacro/clash/constant.Version=$(VERSION)" \
 		-X "github.com/Dreamacro/clash/constant.BuildTime=$(BUILDTIME)" \
@ -8,44 +18,44 @@ GOBUILD=CGO_ENABLED=0 go build -trimpath -ldflags '-X "github.com/Dreamacro/clas

 PLATFORM_LIST = \
 	darwin-amd64 \
-	darwin-amd64-v3 \
 	darwin-arm64 \
-	linux-386 \
+	linux-amd64-compatible \
 	linux-amd64 \
-	linux-amd64-v3 \
 	linux-armv5 \
 	linux-armv6 \
 	linux-armv7 \
-	linux-armv8 \
+	linux-arm64 \
+	linux-mips64 \
+	linux-mips64le \
 	linux-mips-softfloat \
 	linux-mips-hardfloat \
 	linux-mipsle-softfloat \
 	linux-mipsle-hardfloat \
-	linux-mips64 \
-	linux-mips64le \
+	android-arm64 \
 	freebsd-386 \
 	freebsd-amd64 \
-	freebsd-amd64-v3 \
 	freebsd-arm64

 WINDOWS_ARCH_LIST = \
 	windows-386 \
+	windows-amd64-compatible \
 	windows-amd64 \
-	windows-amd64-v3 \
 	windows-arm64 \
-	windows-arm32v7
+    windows-arm32v7

-all: linux-amd64 darwin-amd64 windows-amd64 # Most used
+all:linux-amd64 linux-arm64\
+	darwin-amd64 darwin-arm64\
+ 	windows-amd64 windows-arm64\

 docker:
-	$(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+	GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

 darwin-amd64:
-	GOARCH=amd64 GOOS=darwin $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
-
-darwin-amd64-v3:
 	GOARCH=amd64 GOOS=darwin GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

+darwin-amd64-compatible:
+	GOARCH=amd64 GOOS=darwin GOAMD64=v2 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+
 darwin-arm64:
 	GOARCH=arm64 GOOS=darwin $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

@ -53,11 +63,14 @@ linux-386:
 	GOARCH=386 GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

 linux-amd64:
-	GOARCH=amd64 GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
-
-linux-amd64-v3:
 	GOARCH=amd64 GOOS=linux GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

+linux-amd64-compatible:
+	GOARCH=amd64 GOOS=linux GOAMD64=v2 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+
+linux-arm64:
+	GOARCH=arm64 GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+
 linux-armv5:
 	GOARCH=arm GOOS=linux GOARM=5 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

@ -67,9 +80,6 @@ linux-armv6:
 linux-armv7:
 	GOARCH=arm GOOS=linux GOARM=7 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

-linux-armv8:
-	GOARCH=arm64 GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
-
 linux-mips-softfloat:
 	GOARCH=mips GOMIPS=softfloat GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

@ -88,13 +98,13 @@ linux-mips64:
 linux-mips64le:
 	GOARCH=mips64le GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

+android-arm64:
+	GOARCH=arm64 GOOS=android $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+
 freebsd-386:
 	GOARCH=386 GOOS=freebsd $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

 freebsd-amd64:
-	GOARCH=amd64 GOOS=freebsd $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
-
-freebsd-amd64-v3:
 	GOARCH=amd64 GOOS=freebsd GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@

 freebsd-arm64:
@ -104,11 +114,11 @@ windows-386:
 	GOARCH=386 GOOS=windows $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe

 windows-amd64:
-	GOARCH=amd64 GOOS=windows $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
-
-windows-amd64-v3:
 	GOARCH=amd64 GOOS=windows GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe

+windows-amd64-compatible:
+	GOARCH=amd64 GOOS=windows GOAMD64=v2 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
+
 windows-arm64:
 	GOARCH=arm64 GOOS=windows $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe

@ -133,11 +143,7 @@ vet:
 	go test ./...

 lint:
-	GOOS=darwin golangci-lint run ./...
-	GOOS=windows golangci-lint run ./...
-	GOOS=linux golangci-lint run ./...
-	GOOS=freebsd golangci-lint run ./...
-	GOOS=openbsd golangci-lint run ./...
+	golangci-lint run ./...

 clean:
-	rm -rf $(BINDIR)/*
+	rm $(BINDIR)/*
--- a/Meta.png
+++ b/Meta.png
--- a/README.md
+++ b/README.md
@ -1,23 +1,20 @@
 <h1 align="center">
-  <img src="https://github.com/Dreamacro/clash/raw/master/docs/logo.png" alt="Clash" width="200">
-  <br>Clash<br>
+  <img src="Meta.png" alt="Meta Kennel" width="200">
+  <br>Meta Kernel<br>
 </h1>

-<h4 align="center">A rule-based tunnel in Go.</h4>
+<h3 align="center">Another Clash Kernel.</h3>

 <p align="center">
-  <a href="https://github.com/Dreamacro/clash/actions">
-    <img src="https://img.shields.io/github/workflow/status/Dreamacro/clash/Go?style=flat-square" alt="Github Actions">
-  </a>
-  <a href="https://goreportcard.com/report/github.com/Dreamacro/clash">
-    <img src="https://goreportcard.com/badge/github.com/Dreamacro/clash?style=flat-square">
+  <a href="https://goreportcard.com/report/github.com/Clash-Mini/Clash.Meta">
+    <img src="https://goreportcard.com/badge/github.com/Clash-Mini/Clash.Meta?style=flat-square">
  </a>
  <img src="https://img.shields.io/github/go-mod/go-version/Dreamacro/clash?style=flat-square">
-  <a href="https://github.com/yaling888/clash/releases">
-    <img src="https://img.shields.io/github/release/yaling888/clash/all.svg?style=flat-square">
+  <a href="https://github.com/Clash-Mini/Clash.Meta/releases">
+    <img src="https://img.shields.io/github/release/Clash-Mini/Clash.Meta/all.svg?style=flat-square">
  </a>
-  <a href="https://github.com/yaling888/clash/releases/tag/plus_pro">
-    <img src="https://img.shields.io/badge/release-Plus Pro-00b4f0?style=flat-square">
+  <a href="https://github.com/Clash-Mini/Clash.Meta">
+    <img src="https://img.shields.io/badge/release-Meta-00b4f0?style=flat-square">
  </a>
 </p>

@ -36,158 +33,85 @@
 Documentations are now moved to [GitHub Wiki](https://github.com/Dreamacro/clash/wiki).

 ## Advanced usage for this branch
-### General configuration
-```yaml
-sniffing: true # Sniff TLS SNI
-
-force-cert-verify: true # force verify TLS Certificate, prevent machine-in-the-middle attacks
-```
-
-### MITM configuration
-A root CA certificate is required, the 
-MITM proxy server will generate a CA certificate file and a CA private key file in your Clash home directory, you can use your own certificate replace it. 
-
-Need to install and trust the CA certificate on the client device, open this URL [http://mitm.clash/cert.crt](http://mitm.clash/cert.crt) by the web browser to install the CA certificate, the host name 'mitm.clash' was always been hijacked.
-
-NOTE: this feature cannot work on tls pinning
-
-WARNING: DO NOT USE THIS FEATURE TO BREAK LOCAL LAWS
-
-```yaml
-# Port of MITM proxy server on the local end
-mitm-port: 7894
-
-# Man-In-The-Middle attack
-mitm:
-  hosts: # use for others proxy type. E.g: TUN, socks
-    - +.example.com
-  rules: # rewrite rules
-    - '^https?://www\.example\.com/1 url reject' # The "reject" returns HTTP status code 404 with no content.
-    - '^https?://www\.example\.com/2 url reject-200' # The "reject-200" returns HTTP status code 200 with no content.
-    - '^https?://www\.example\.com/3 url reject-img' # The "reject-img" returns HTTP status code 200 with content of 1px png.
-    - '^https?://www\.example\.com/4 url reject-dict' # The "reject-dict" returns HTTP status code 200 with content of empty json object.
-    - '^https?://www\.example\.com/5 url reject-array' # The "reject-array" returns HTTP status code 200 with content of empty json array.
-    - '^https?://www\.example\.com/(6) url 302 https://www.example.com/new-$1'
-    - '^https?://www\.(example)\.com/7 url 307 https://www.$1.com/new-7'
-    - '^https?://www\.example\.com/8 url request-header (\r\n)User-Agent:.+(\r\n) request-header $1User-Agent: haha-wriohoh$2' # The "request-header" works for all the http headers not just one single header, so you can match two or more headers including CRLF in one regular expression.
-    - '^https?://www\.example\.com/9 url request-body "pos_2":\[.*\],"pos_3" request-body "pos_2":[{"xx": "xx"}],"pos_3"'
-    - '^https?://www\.example\.com/10 url response-header (\r\n)Tracecode:.+(\r\n) response-header $1Tracecode: 88888888888$2'
-    - '^https?://www\.example\.com/11 url response-body "errmsg":"ok" response-body "errmsg":"not-ok"'
-```

 ### DNS configuration
-Support resolve ip with a proxy tunnel or interface.

 Support `geosite` with `fallback-filter`.

-Use `curl -X POST controllerip:port/cache/fakeip/flush` to flush persistence fakeip
- ```yaml
- dns:
-   enable: true
-   use-hosts: true
-   ipv6: false
-   enhanced-mode: fake-ip
-   fake-ip-range: 198.18.0.1/16
-   listen: 127.0.0.1:6868
-   default-nameserver:
-     - 119.29.29.29
-     - 114.114.114.114
-   nameserver:
-     - https://doh.pub/dns-query
-     - tls://223.5.5.5:853
-   fallback:
-     - 'tls://8.8.4.4:853#proxy or interface'
-     - 'https://1.0.0.1/dns-query#Proxy'  # append the proxy adapter name to the end of DNS URL with '#' prefix.
-   fallback-filter:
-     geoip: false
-     geosite:
-       - gfw  # `geosite` filter only use fallback server to resolve ip, prevent DNS leaks to untrusted DNS providers.
-     domain:
-       - +.example.com
-     ipcidr:
-       - 0.0.0.0/32
- ```
+Restore `Redir remote resolution`.
+
+Support resolve ip with a `Proxy Tunnel`.
+
+```yaml
+proxy-groups:
+
+  - name: DNS
+    type: url-test
+    use:
+      - HK
+    url: http://cp.cloudflare.com
+    interval: 180
+    lazy: true
+```
+```yaml
+dns:
+  enable: true
+  use-hosts: true
+  ipv6: false
+  enhanced-mode: redir-host
+  fake-ip-range: 198.18.0.1/16
+  listen: 127.0.0.1:6868
+  default-nameserver:
+    - 119.29.29.29
+    - 114.114.114.114
+  nameserver:
+    - https://doh.pub/dns-query
+    - tls://223.5.5.5:853
+  fallback:
+    - 'https://1.0.0.1/dns-query#DNS'  # append the proxy adapter name or group name to the end of DNS URL with '#' prefix.
+    - 'tls://8.8.4.4:853#DNS'
+  fallback-filter:
+    geoip: false
+    geosite:
+      - gfw  # `geosite` filter only use fallback server to resolve ip, prevent DNS leaks to unsafe DNS providers.
+    domain:
+      - +.example.com
+    ipcidr:
+      - 0.0.0.0/32
+```

 ### TUN configuration
-Simply add the following to the main configuration:

-#### NOTE:
-> auto-route and auto-detect-interface only available on macOS, Windows and Linux, receive IPv4 traffic
+Supports macOS, Linux and Windows.
+
+Built-in [Wintun](https://www.wintun.net) driver.

 ```yaml
+# Enable the TUN listener
 tun:
  enable: true
-  stack: system # or gvisor
-  # device: tun://utun8 # or fd://xxx, it's optional
-  # dns-hijack:
-  #   - 8.8.8.8:53
-  #   - tcp://8.8.8.8:53
-  #   - any:53
-  #   - tcp://any:53
-  auto-route: true # auto set global route
-  auto-detect-interface: true # conflict with interface-name
-```
-or
-```yaml
-interface-name: en0
-
-tun:
-  enable: true
-  stack: system # or gvisor
-  # dns-hijack:
-  #   - 8.8.8.8:53
-  #   - tcp://8.8.8.8:53
+  stack: gvisor #  only gvisor
+  dns-hijack: 
+    - 0.0.0.0:53 # additional dns server listen on TUN
  auto-route: true # auto set global route
 ```
-It's recommended to use fake-ip mode for the DNS server.
-
-Clash needs elevated permission to create TUN device:
-```sh
-$ sudo ./clash
-```
-Then manually create the default route and DNS server. If your device already has some TUN device, Clash TUN might not work. In this case, fake-ip-filter may helpful.
-
-Enjoy! :)
-
-#### For Windows:
-```yaml
-tun:
-  enable: true
-  stack: gvisor # or system
-  dns-hijack:
-    - 198.18.0.2:53 # when `fake-ip-range` is 198.18.0.1/16, should hijack 198.18.0.2:53
-  auto-route: true # auto set global route for Windows
-  # It is recommended to use `interface-name`
-  auto-detect-interface: true # auto detect interface, conflict with `interface-name`
-```
-Finally, open the Clash
-
 ### Rules configuration
 - Support rule `GEOSITE`.
- Support rule `USER-AGENT`.
+- Support rule-providers `RULE-SET`.
 - Support `multiport` condition for rule `SRC-PORT` and `DST-PORT`.
 - Support `network` condition for all rules.
- Support `process` condition for all rules.
 - Support source IPCIDR condition for all rules, just append to the end.
-
-The `GEOIP` databases via [https://github.com/Loyalsoldier/geoip](https://raw.githubusercontent.com/Loyalsoldier/geoip/release/Country.mmdb).
-
-The `GEOSITE` databases via [https://github.com/Loyalsoldier/v2ray-rules-dat](https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat).
+- The `GEOSITE` databases via https://github.com/Loyalsoldier/v2ray-rules-dat.
 ```yaml
 rules:
-  # network condition for all rules
-  - DOMAIN-SUFFIX,example.com,DIRECT,tcp
-  - DOMAIN-SUFFIX,example.com,REJECT,udp
-
-  # process condition for all rules (add 'P:' prefix)
-  - DOMAIN-SUFFIX,example.com,REJECT,P:Google Chrome Helper

+  # network(tcp/udp) condition for all rules
+  - DOMAIN-SUFFIX,bilibili.com,DIRECT,tcp
+  - DOMAIN-SUFFIX,bilibili.com,REJECT,udp
+    
  # multiport condition for rules SRC-PORT and DST-PORT
  - DST-PORT,123/136/137-139,DIRECT,udp
-
-  # USER-AGENT payload cannot include the comma character, '*' meaning any character.
-  - USER-AGENT,*example*,PROXY
-
+  
  # rule GEOSITE
  - GEOSITE,category-ads-all,REJECT
  - GEOSITE,icloud@cn,DIRECT
@ -198,113 +122,94 @@ rules:
  - GEOSITE,youtube,PROXY
  - GEOSITE,geolocation-cn,DIRECT
  - GEOSITE,geolocation-!cn,PROXY
-
+    
  # source IPCIDR condition for all rules in gateway proxy
  #- GEOSITE,geolocation-!cn,REJECT,192.168.1.88/32,192.168.1.99/32
-  
-  - GEOIP,telegram,PROXY,no-resolve
-  - GEOIP,lan,DIRECT,no-resolve
-  - GEOIP,cn,DIRECT

+  - GEOIP,telegram,PROXY,no-resolve
+  - GEOIP,private,DIRECT,no-resolve
+  - GEOIP,cn,DIRECT
+  
  - MATCH,PROXY
 ```

+
 ### Proxies configuration
-Support outbound protocol `VLESS`.

-Support `Trojan` with XTLS.
+Active health detection `urltest / fallback` (based on tcp handshake, multiple failures within a limited time will actively trigger health detection to use the node)

-Support relay `UDP` traffic.
+Support `Policy Group Filter`

-Support filtering proxy providers in proxy groups.
-
-Support custom http request header, prefix name and V2Ray subscription URL in proxy providers.
 ```yaml
-proxies:
-  # VLESS
-  - name: "vless-tls"
-    type: vless
-    server: server
-    port: 443
-    uuid: uuid
-    network: tcp
-    servername: example.com
-    udp: true
-    # skip-cert-verify: true
-  - name: "vless-xtls"
-    type: vless
-    server: server
-    port: 443
-    uuid: uuid
-    network: tcp
-    servername: example.com
-    flow: xtls-rprx-direct # or xtls-rprx-origin
-    # flow-show: true # print the XTLS direction log
-    # udp: true
-    # skip-cert-verify: true
-
-  # Trojan
-  - name: "trojan-xtls"
-    type: trojan
-    server: server
-    port: 443
-    password: yourpsk
-    network: tcp
-    flow: xtls-rprx-direct # or xtls-rprx-origin
-    # flow-show: true # print the XTLS direction log
-    # udp: true
-    # sni: example.com # aka server name
-    # skip-cert-verify: true
-
 proxy-groups:
-  # Relay chains the proxies. proxies shall not contain a relay.
-  # Support relay UDP traffic.
-  # Traffic: clash <-> ss1 <-> trojan <-> vmess <-> ss2 <-> Internet
-  - name: "relay-udp-over-tcp"
-    type: relay
-    proxies:
-      - ss1
-      - trojan
-      - vmess
-      - ss2

-  - name: "relay-raw-udp"
-    type: relay
-    proxies:
-      - ss1
-      - ss2
-      - ss3
-        
-  - name: "filtering-proxy-providers"
-    type: url-test
-    url: "http://www.gstatic.com/generate_204"
-    interval: 300
-    tolerance: 200
-    # lazy: true
-    filter: "XXX" # a regular expression
+  - name: 🚀 HK Group
+    type: select
    use:
-      - provider1
+      - ALL
+    filter: 'HK'
+
+  - name: 🚀 US Group
+    type: select
+    use:
+      - ALL
+    filter: 'US'

 proxy-providers:
-  provider1:
+  ALL:
    type: http
-    url: "url" # support V2Ray subscription URL
+    url: "xxxxx"
    interval: 3600
-    path: ./providers/provider1.yaml
-    # filter: "xxx"
-    # prefix-name: "XXX-"
-    header:  # custom http request header
-      User-Agent:
-        - "Clash/v1.10.6"
-    #   Accept:
-    #     - 'application/vnd.github.v3.raw'
-    #   Authorization:
-    #     - ' token xxxxxxxxxxx'
+    path: "xxxxx"
    health-check:
-      enable: false
-      interval: 1200
-      # lazy: false # default value is true
+      enable: true
+      interval: 600
      url: http://www.gstatic.com/generate_204
+
+```
+
+
+
+Support outbound transport protocol `VLESS`.
+
+The XTLS support (TCP/UDP) transport by the XRAY-CORE.
+```yaml
+proxies:
+  - name: "vless"
+    type: vless
+    server: server
+    port: 443
+    uuid: uuid
+    servername: example.com # AKA SNI
+    # flow: xtls-rprx-direct # xtls-rprx-origin  # enable XTLS
+    # skip-cert-verify: true
+    
+  - name: "vless-ws"
+    type: vless
+    server: server
+    port: 443
+    uuid: uuid
+    tls: true
+    udp: true
+    network: ws
+    servername: example.com # priority over wss host
+    # skip-cert-verify: true
+    ws-opts:
+      path: /path
+      headers: { Host: example.com, Edge: "12a00c4.fm.huawei.com:82897" }
+
+  - name: "vless-grpc"
+    type: vless
+    server: server
+    port: 443
+    uuid: uuid
+    tls: true
+    udp: true
+    network: grpc
+    servername: example.com # priority over wss host
+    # skip-cert-verify: true
+    grpc-opts: 
+      grpc-service-name: grpcname
 ```

 ### IPTABLES configuration
@ -318,61 +223,73 @@ iptables:
  enable: true # default is false
  inbound-interface: eth0 # detect the inbound interface, default is 'lo'
 ```
-Run Clash as a daemon.

-Create the systemd configuration file at /etc/systemd/system/clash.service:
-```sh
+
+### General installation guide for Linux  
+ Create user given name `clash-meta`
+
+ Download and decompress pre-built binaries from [releases](https://github.com/MetaCubeX/Clash.Meta/releases)  
+
+ Rename executable file to `Clash-Meta` and move to `/usr/local/bin/` 
+
+ Create folder `/etc/Clash-Meta/` as working directory 
+
+
+
+Run Meta Kernel by user `clash-meta` as a daemon.
+
+Create the systemd configuration file at `/etc/systemd/system/Clash-Meta.service`:
+
+```
 [Unit]
-Description=Clash daemon, A rule-based proxy in Go.
-After=network.target
+Description=Clash-Meta Daemon, Another Clash Kernel.
+After=network.target NetworkManager.service systemd-networkd.service iwd.service

 [Service]
 Type=simple
+User=clash-meta
+Group=clash-meta
+LimitNPROC=500
+LimitNOFILE=1000000
 CapabilityBoundingSet=cap_net_admin
+AmbientCapabilities=cap_net_admin
 Restart=always
-ExecStart=/usr/local/bin/clash -d /etc/clash
+ExecStartPre=/usr/bin/sleep 1s
+ExecStart=/usr/local/bin/Clash-Meta -d /etc/Clash-Meta

 [Install]
 WantedBy=multi-user.target
 ```
 Launch clashd on system startup with:
-```sh
-$ systemctl enable clash
+```shell
+$ systemctl enable Clash-Meta
 ```
 Launch clashd immediately with:
-```sh
-$ systemctl start clash
+
+```shell
+$ systemctl start Clash-Meta
 ```

 ### Display Process name
-To display process name online by click [http://yacd.clash-plus.cf](http://yacd.clash-plus.cf) for local API by Safari or [https://yacd.clash-plus.cf](https://yacd.clash-plus.cf) for local API by Chrome.

-You can download the [Dashboard](https://github.com/yaling888/yacd/archive/gh-pages.zip) into Clash home directory:
-```sh
-$ cd ~/.config/clash
-$ curl -LJ https://github.com/yaling888/yacd/archive/gh-pages.zip -o yacd-gh-pages.zip
-$ unzip yacd-gh-pages.zip
-$ mv yacd-gh-pages dashboard
-```
+Clash add field `Process` to `Metadata` and prepare to get process name for Restful API `GET /connections`.

-Add to config file:
-```yaml
-external-controller: 127.0.0.1:9090
-external-ui: dashboard
-```
-Open [http://127.0.0.1:9090/ui/](http://127.0.0.1:9090/ui/) by web browser.
+To display process name in GUI please use [Dashboard For Meta](https://github.com/Clash-Mini/Dashboard).

-## Plus Pro Release
-[Release](https://github.com/yaling888/clash/releases/tag/plus_pro)
+![img.png](https://github.com/Clash-Mini/Dashboard/raw/master/View/Dashboard-Process.png)

 ## Development
-If you want to build an application that uses clash as a library, check out the the [GitHub Wiki](https://github.com/Dreamacro/clash/wiki/use-clash-as-a-library)
+
+If you want to build an application that uses clash as a library, check out the
+the [GitHub Wiki](https://github.com/Dreamacro/clash/wiki/use-clash-as-a-library)

 ## Credits

+* [Dreamacro/clash](https://github.com/Dreamacro/clash)
 * [riobard/go-shadowsocks2](https://github.com/riobard/go-shadowsocks2)
 * [v2ray/v2ray-core](https://github.com/v2ray/v2ray-core)
 * [WireGuard/wireguard-go](https://github.com/WireGuard/wireguard-go)
+* [yaling888/clash-plus-pro](https://github.com/yaling888/clash)

 ## License

--- a/adapter/adapter.go
+++ b/adapter/adapter.go
@ -8,15 +8,17 @@ import (
 	"net/http"
 	"net/netip"
 	"net/url"
+	"strings"
 	"time"

 	"github.com/Dreamacro/clash/common/queue"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
-
 	"go.uber.org/atomic"
 )

+var UnifiedDelay = atomic.NewBool(false)
+
 type Proxy struct {
 	C.ProxyAdapter
 	history *queue.Queue[C.DelayHistory]
@ -38,7 +40,11 @@ func (p *Proxy) Dial(metadata *C.Metadata) (C.Conn, error) {
 // DialContext implements C.ProxyAdapter
 func (p *Proxy) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
 	conn, err := p.ProxyAdapter.DialContext(ctx, metadata, opts...)
-	p.alive.Store(err == nil)
+	wasCancel := false
+	if err != nil {
+		wasCancel = strings.Contains(err.Error(), "operation was canceled")
+	}
+	p.alive.Store(err == nil || wasCancel)
 	return conn, err
 }

@ -111,6 +117,8 @@ func (p *Proxy) URLTest(ctx context.Context, url string) (t uint16, err error) {
 		}
 	}()

+	unifiedDelay := UnifiedDelay.Load()
+
 	addr, err := urlToMetadata(url)
 	if err != nil {
 		return
@ -149,11 +157,18 @@ func (p *Proxy) URLTest(ctx context.Context, url string) (t uint16, err error) {
 		},
 	}
 	defer client.CloseIdleConnections()
-
 	resp, err := client.Do(req)
 	if err != nil {
 		return
 	}
+
+	if unifiedDelay {
+		start = time.Now()
+		resp, err = client.Do(req)
+		if err != nil {
+			return
+		}
+	}
 	_ = resp.Body.Close()
 	t = uint16(time.Since(start) / time.Millisecond)
 	return
--- a/adapter/inbound/https.go
+++ b/adapter/inbound/https.go
@ -11,7 +11,7 @@ import (
 // NewHTTPS receive CONNECT request and return ConnContext
 func NewHTTPS(request *http.Request, conn net.Conn) *context.ConnContext {
 	metadata := parseHTTPAddr(request)
-	metadata.Type = C.HTTPCONNECT
+	metadata.Type = C.HTTPS
 	if ip, port, err := parseAddr(conn.RemoteAddr().String()); err == nil {
 		metadata.SrcIP = ip
 		metadata.SrcPort = port
--- a/adapter/inbound/mitm.go
+++ b/adapter/inbound/mitm.go
@ -1,22 +0,0 @@
-package inbound
-
-import (
-	"net"
-
-	C "github.com/Dreamacro/clash/constant"
-	"github.com/Dreamacro/clash/context"
-	"github.com/Dreamacro/clash/transport/socks5"
-)
-
-// NewMitm receive mitm request and return MitmContext
-func NewMitm(target socks5.Addr, source net.Addr, userAgent string, conn net.Conn) *context.ConnContext {
-	metadata := parseSocksAddr(target)
-	metadata.NetWork = C.TCP
-	metadata.Type = C.MITM
-	metadata.UserAgent = userAgent
-	if ip, port, err := parseAddr(source.String()); err == nil {
-		metadata.SrcIP = ip
-		metadata.SrcPort = port
-	}
-	return context.NewConnContext(conn, metadata)
-}
--- a/adapter/inbound/packet.go
+++ b/adapter/inbound/packet.go
@ -2,7 +2,7 @@ package inbound

 import (
 	C "github.com/Dreamacro/clash/constant"
-	"github.com/Dreamacro/clash/transport/socks5"
+	M "github.com/sagernet/sing/common/metadata"
 )

 // PacketAdapter is a UDP Packet adapter for socks/redir/tun
@ -17,8 +17,8 @@ func (s *PacketAdapter) Metadata() *C.Metadata {
 }

 // NewPacket is PacketAdapter generator
-func NewPacket(target socks5.Addr, packet C.UDPPacket, source C.Type) *PacketAdapter {
-	metadata := parseSocksAddr(target)
+func NewPacket(target M.Socksaddr, packet C.UDPPacket, source C.Type) *PacketAdapter {
+	metadata := socksAddrToMetadata(target)
 	metadata.NetWork = C.UDP
 	metadata.Type = source
 	if ip, port, err := parseAddr(packet.LocalAddr().String()); err == nil {
--- a/adapter/inbound/socket.go
+++ b/adapter/inbound/socket.go
@ -2,6 +2,7 @@ package inbound

 import (
 	"net"
+	"net/netip"

 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/context"
@ -13,9 +14,37 @@ func NewSocket(target socks5.Addr, conn net.Conn, source C.Type) *context.ConnCo
 	metadata := parseSocksAddr(target)
 	metadata.NetWork = C.TCP
 	metadata.Type = source
-	if ip, port, err := parseAddr(conn.RemoteAddr().String()); err == nil {
-		metadata.SrcIP = ip
-		metadata.SrcPort = port
+	remoteAddr := conn.RemoteAddr()
+	// Filter when net.Addr interface is nil
+	if remoteAddr != nil {
+		if ip, port, err := parseAddr(remoteAddr.String()); err == nil {
+			metadata.SrcIP = ip
+			metadata.SrcPort = port
+		}
+	}
+
+	return context.NewConnContext(conn, metadata)
+}
+
+func NewInner(conn net.Conn, dst string, host string) *context.ConnContext {
+	metadata := &C.Metadata{}
+	metadata.NetWork = C.TCP
+	metadata.Type = C.INNER
+	metadata.DNSMode = C.DNSMapping
+	metadata.Host = host
+	metadata.AddrType = C.AtypDomainName
+	metadata.Process = C.ClashName
+	if h, port, err := net.SplitHostPort(dst); err == nil {
+		metadata.DstPort = port
+		if host == "" {
+			if ip, err := netip.ParseAddr(h); err == nil {
+				metadata.DstIP = ip
+				metadata.AddrType = C.AtypIPv4
+				if ip.Is6() {
+					metadata.AddrType = C.AtypIPv6
+				}
+			}
+		}
 	}

 	return context.NewConnContext(conn, metadata)
--- a/adapter/inbound/util.go
+++ b/adapter/inbound/util.go
@ -10,8 +10,26 @@ import (
 	"github.com/Dreamacro/clash/common/nnip"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/socks5"
+	M "github.com/sagernet/sing/common/metadata"
 )

+func socksAddrToMetadata(addr M.Socksaddr) *C.Metadata {
+	metadata := &C.Metadata{}
+	switch addr.Family() {
+	case M.AddressFamilyIPv4:
+		metadata.AddrType = C.AtypIPv4
+		metadata.DstIP = addr.Addr
+	case M.AddressFamilyIPv6:
+		metadata.AddrType = C.AtypIPv6
+		metadata.DstIP = addr.Addr
+	case M.AddressFamilyFqdn:
+		metadata.AddrType = C.AtypDomainName
+		metadata.Host = addr.Fqdn
+	}
+	metadata.DstPort = strconv.Itoa(int(addr.Port))
+	return metadata
+}
+
 func parseSocksAddr(target socks5.Addr) *C.Metadata {
 	metadata := &C.Metadata{
 		AddrType: int(target[0]),
--- a/adapter/outbound/base.go
+++ b/adapter/outbound/base.go
@ -4,11 +4,16 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
-	"io"
 	"net"
+	"strings"

 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
+	"github.com/gofrs/uuid"
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/bufio"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
 )

 type Base struct {
@ -18,6 +23,7 @@ type Base struct {
 	tp    C.AdapterType
 	udp   bool
 	rmark int
+	id    string
 }

 // Name implements C.ProxyAdapter
@ -25,26 +31,49 @@ func (b *Base) Name() string {
 	return b.name
 }

+// Id implements C.ProxyAdapter
+func (b *Base) Id() string {
+	if b.id == "" {
+		id, err := uuid.NewV6()
+		if err != nil {
+			b.id = b.name
+		} else {
+			b.id = id.String()
+		}
+	}
+
+	return b.id
+}
+
 // Type implements C.ProxyAdapter
 func (b *Base) Type() C.AdapterType {
 	return b.tp
 }

 // StreamConn implements C.ProxyAdapter
-func (b *Base) StreamConn(c net.Conn, _ *C.Metadata) (net.Conn, error) {
+func (b *Base) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	return c, errors.New("no support")
 }

-// StreamPacketConn implements C.ProxyAdapter
-func (b *Base) StreamPacketConn(c net.Conn, _ *C.Metadata) (net.Conn, error) {
-	return c, errors.New("no support")
+func (b *Base) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+	return nil, errors.New("no support")
 }

 // ListenPacketContext implements C.ProxyAdapter
-func (b *Base) ListenPacketContext(_ context.Context, _ *C.Metadata, _ ...dialer.Option) (C.PacketConn, error) {
+func (b *Base) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
 	return nil, errors.New("no support")
 }

+// ListenPacketOnStreamConn implements C.ProxyAdapter
+func (b *Base) ListenPacketOnStreamConn(c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	return nil, errors.New("no support")
+}
+
+// SupportUOT implements C.ProxyAdapter
+func (b *Base) SupportUOT() bool {
+	return false
+}
+
 // SupportUDP implements C.ProxyAdapter
 func (b *Base) SupportUDP() bool {
 	return b.udp
@ -54,6 +83,7 @@ func (b *Base) SupportUDP() bool {
 func (b *Base) MarshalJSON() ([]byte, error) {
 	return json.Marshal(map[string]string{
 		"type": b.Type().String(),
+		"id":   b.Id(),
 	})
 }

@ -63,7 +93,7 @@ func (b *Base) Addr() string {
 }

 // Unwrap implements C.ProxyAdapter
-func (b *Base) Unwrap(_ *C.Metadata) C.Proxy {
+func (b *Base) Unwrap(metadata *C.Metadata) C.Proxy {
 	return nil
 }

@ -107,7 +137,12 @@ func NewBase(opt BaseOption) *Base {

 type conn struct {
 	net.Conn
-	chain C.Chain
+	chain                   C.Chain
+	actualRemoteDestination string
+}
+
+func (c *conn) RemoteDestination() string {
+	return c.actualRemoteDestination
 }

 // Chains implements C.Connection
@ -121,12 +156,18 @@ func (c *conn) AppendToChains(a C.ProxyAdapter) {
 }

 func NewConn(c net.Conn, a C.ProxyAdapter) C.Conn {
-	return &conn{c, []string{a.Name()}}
+	return &conn{c, []string{a.Name()}, parseRemoteDestination(a.Addr())}
 }

 type packetConn struct {
 	net.PacketConn
-	chain C.Chain
+	nc                      N.PacketConn
+	chain                   C.Chain
+	actualRemoteDestination string
+}
+
+func (c *packetConn) RemoteDestination() string {
+	return c.actualRemoteDestination
 }

 // Chains implements C.Connection
@ -139,40 +180,32 @@ func (c *packetConn) AppendToChains(a C.ProxyAdapter) {
 	c.chain = append(c.chain, a.Name())
 }

-func NewPacketConn(pc net.PacketConn, a C.ProxyAdapter) C.PacketConn {
-	return &packetConn{pc, []string{a.Name()}}
+func (c *packetConn) ReadPacket(buffer *buf.Buffer) (addr M.Socksaddr, err error) {
+	return c.nc.ReadPacket(buffer)
 }

-type wrapConn struct {
-	net.PacketConn
+func (c *packetConn) WritePacket(buffer *buf.Buffer, addr M.Socksaddr) error {
+	return c.nc.WritePacket(buffer, addr)
 }

-func (*wrapConn) Read([]byte) (int, error) {
-	return 0, io.EOF
+func newPacketConn(pc net.PacketConn, a C.ProxyAdapter) C.PacketConn {
+	var nc N.PacketConn
+	if n, isNc := pc.(N.PacketConn); isNc {
+		nc = n
+	} else {
+		nc = &bufio.PacketConnWrapper{PacketConn: pc}
+	}
+	return &packetConn{pc, nc, []string{a.Name()}, parseRemoteDestination(a.Addr())}
 }

-func (*wrapConn) Write([]byte) (int, error) {
-	return 0, io.EOF
-}
-
-func (*wrapConn) RemoteAddr() net.Addr {
-	return nil
-}
-
-func WrapConn(packetConn net.PacketConn) net.Conn {
-	return &wrapConn{
-		PacketConn: packetConn,
+func parseRemoteDestination(addr string) string {
+	if dst, _, err := net.SplitHostPort(addr); err == nil {
+		return dst
+	} else {
+		if addrError, ok := err.(*net.AddrError); ok && strings.Contains(addrError.Err, "missing port") {
+			return dst
+		} else {
+			return ""
+		}
 	}
 }
-
-func IsPacketConn(c net.Conn) bool {
-	if _, ok := c.(net.PacketConn); !ok {
-		return false
-	}
-
-	if ua, ok := c.LocalAddr().(*net.UnixAddr); ok {
-		return ua.Net == "unixgram"
-	}
-
-	return true
-}
--- a/adapter/outbound/direct.go
+++ b/adapter/outbound/direct.go
@ -3,7 +3,6 @@ package outbound
 import (
 	"context"
 	"net"
-	"net/netip"

 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
@ -20,26 +19,18 @@ func (d *Direct) DialContext(ctx context.Context, metadata *C.Metadata, opts ...
 	if err != nil {
 		return nil, err
 	}
-
 	tcpKeepAlive(c)
-
-	if !metadata.Resolved() && c.RemoteAddr() != nil {
-		if h, _, err := net.SplitHostPort(c.RemoteAddr().String()); err == nil {
-			metadata.DstIP = netip.MustParseAddr(h)
-		}
-	}
-
 	return NewConn(c, d), nil
 }

 // ListenPacketContext implements C.ProxyAdapter
-func (d *Direct) ListenPacketContext(ctx context.Context, _ *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+func (d *Direct) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
 	opts = append(opts, dialer.WithDirect())
 	pc, err := dialer.ListenPacket(ctx, "udp", "", d.Base.DialOptions(opts...)...)
 	if err != nil {
 		return nil, err
 	}
-	return NewPacketConn(&directPacketConn{pc}, d), nil
+	return newPacketConn(&directPacketConn{pc}, d), nil
 }

 type directPacketConn struct {
@ -55,3 +46,13 @@ func NewDirect() *Direct {
 		},
 	}
 }
+
+func NewCompatible() *Direct {
+	return &Direct{
+		Base: &Base{
+			name: "COMPATIBLE",
+			tp:   C.Compatible,
+			udp:  true,
+		},
+	}
+}
--- a/adapter/outbound/http.go
+++ b/adapter/outbound/http.go
@ -22,18 +22,20 @@ type Http struct {
 	user      string
 	pass      string
 	tlsConfig *tls.Config
+	option    *HttpOption
 }

 type HttpOption struct {
 	BasicOption
-	Name           string `proxy:"name"`
-	Server         string `proxy:"server"`
-	Port           int    `proxy:"port"`
-	UserName       string `proxy:"username,omitempty"`
-	Password       string `proxy:"password,omitempty"`
-	TLS            bool   `proxy:"tls,omitempty"`
-	SNI            string `proxy:"sni,omitempty"`
-	SkipCertVerify bool   `proxy:"skip-cert-verify,omitempty"`
+	Name           string            `proxy:"name"`
+	Server         string            `proxy:"server"`
+	Port           int               `proxy:"port"`
+	UserName       string            `proxy:"username,omitempty"`
+	Password       string            `proxy:"password,omitempty"`
+	TLS            bool              `proxy:"tls,omitempty"`
+	SNI            string            `proxy:"sni,omitempty"`
+	SkipCertVerify bool              `proxy:"skip-cert-verify,omitempty"`
+	Headers        map[string]string `proxy:"headers,omitempty"`
 }

 // StreamConn implements C.ProxyAdapter
@ -84,15 +86,18 @@ func (h *Http) shakeHand(metadata *C.Metadata, rw io.ReadWriter) error {
 		},
 	}

+	// 增加headers
+	if len(h.option.Headers) != 0 {
+		for key, value := range h.option.Headers {
+			req.Header.Add(key, value)
+		}
+	}
+
 	if h.user != "" && h.pass != "" {
 		auth := h.user + ":" + h.pass
 		req.Header.Add("Proxy-Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte(auth)))
 	}

-	if metadata.Type == C.MITM {
-		req.Header.Set("Origin-Request-Source-Address", metadata.SourceAddress())
-	}
-
 	if err := req.Write(rw); err != nil {
 		return err
 	}
@ -145,5 +150,6 @@ func NewHttp(option HttpOption) *Http {
 		user:      option.UserName,
 		pass:      option.Password,
 		tlsConfig: tlsConfig,
+		option:    &option,
 	}
 }
--- a/adapter/outbound/hysteria.go
+++ b/adapter/outbound/hysteria.go
@ -0,0 +1,270 @@
+package outbound
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"regexp"
+	"strconv"
+	"time"
+
+	"github.com/Dreamacro/clash/component/dialer"
+	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/log"
+	"github.com/lucas-clemente/quic-go"
+	"github.com/lucas-clemente/quic-go/congestion"
+	M "github.com/sagernet/sing/common/metadata"
+	hyCongestion "github.com/tobyxdd/hysteria/pkg/congestion"
+	"github.com/tobyxdd/hysteria/pkg/core"
+	"github.com/tobyxdd/hysteria/pkg/obfs"
+	"github.com/tobyxdd/hysteria/pkg/pmtud_fix"
+	"github.com/tobyxdd/hysteria/pkg/transport"
+)
+
+const (
+	mbpsToBps   = 125000
+	minSpeedBPS = 16384
+
+	DefaultStreamReceiveWindow     = 15728640 // 15 MB/s
+	DefaultConnectionReceiveWindow = 67108864 // 64 MB/s
+	DefaultMaxIncomingStreams      = 1024
+
+	DefaultALPN     = "hysteria"
+	DefaultProtocol = "udp"
+)
+
+var rateStringRegexp = regexp.MustCompile(`^(\d+)\s*([KMGT]?)([Bb])ps$`)
+
+type Hysteria struct {
+	*Base
+
+	client          *core.Client
+	clientTransport *transport.ClientTransport
+}
+
+func (h *Hysteria) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
+	tcpConn, err := h.client.DialTCP(metadata.RemoteAddress(), hyDialer(func() (net.PacketConn, error) {
+		return dialer.ListenPacket(ctx, "udp", "", h.Base.DialOptions(opts...)...)
+	}))
+	if err != nil {
+		return nil, err
+	}
+	return NewConn(tcpConn, h), nil
+}
+
+func (h *Hysteria) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
+	udpConn, err := h.client.DialUDP(hyDialer(func() (net.PacketConn, error) {
+		return dialer.ListenPacket(ctx, "udp", "", h.Base.DialOptions(opts...)...)
+	}))
+	if err != nil {
+		return nil, err
+	}
+	return newPacketConn(&hyPacketConn{udpConn}, h), nil
+}
+
+type HysteriaOption struct {
+	BasicOption
+	Name                string `proxy:"name"`
+	Server              string `proxy:"server"`
+	Port                int    `proxy:"port"`
+	Protocol            string `proxy:"protocol,omitempty"`
+	Up                  string `proxy:"up,omitempty"`
+	UpMbps              int    `proxy:"up_mbps,omitempty"`
+	Down                string `proxy:"down,omitempty"`
+	DownMbps            int    `proxy:"down_mbps,omitempty"`
+	Auth                string `proxy:"auth,omitempty"`
+	AuthString          string `proxy:"auth_str,omitempty"`
+	Obfs                string `proxy:"obfs,omitempty"`
+	SNI                 string `proxy:"sni,omitempty"`
+	SkipCertVerify      bool   `proxy:"skip-cert-verify,omitempty"`
+	ALPN                string `proxy:"alpn,omitempty"`
+	CustomCA            string `proxy:"ca,omitempty"`
+	CustomCAString      string `proxy:"ca_str,omitempty"`
+	ReceiveWindowConn   int    `proxy:"recv_window_conn,omitempty"`
+	ReceiveWindow       int    `proxy:"recv_window,omitempty"`
+	DisableMTUDiscovery bool   `proxy:"disable_mtu_discovery,omitempty"`
+}
+
+func (c *HysteriaOption) Speed() (uint64, uint64, error) {
+	var up, down uint64
+	if len(c.Up) > 0 {
+		up = stringToBps(c.Up)
+		if up == 0 {
+			return 0, 0, errors.New("invalid speed format")
+		}
+	} else {
+		up = uint64(c.UpMbps) * mbpsToBps
+	}
+	if len(c.Down) > 0 {
+		down = stringToBps(c.Down)
+		if down == 0 {
+			return 0, 0, errors.New("invalid speed format")
+		}
+	} else {
+		down = uint64(c.DownMbps) * mbpsToBps
+	}
+	return up, down, nil
+}
+
+func NewHysteria(option HysteriaOption) (*Hysteria, error) {
+	clientTransport := &transport.ClientTransport{
+		Dialer: &net.Dialer{
+			Timeout: 8 * time.Second,
+		},
+	}
+
+	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
+	serverName := option.Server
+	if option.SNI != "" {
+		serverName = option.Server
+	}
+	tlsConfig := &tls.Config{
+		ServerName:         serverName,
+		InsecureSkipVerify: option.SkipCertVerify,
+		MinVersion:         tls.VersionTLS13,
+	}
+	if len(option.ALPN) > 0 {
+		tlsConfig.NextProtos = []string{option.ALPN}
+	} else {
+		tlsConfig.NextProtos = []string{DefaultALPN}
+	}
+	if len(option.CustomCA) > 0 {
+		bs, err := ioutil.ReadFile(option.CustomCA)
+		if err != nil {
+			return nil, fmt.Errorf("hysteria %s load ca error: %w", addr, err)
+		}
+		cp := x509.NewCertPool()
+		if !cp.AppendCertsFromPEM(bs) {
+			return nil, fmt.Errorf("hysteria %s failed to parse ca_str", addr)
+		}
+		tlsConfig.RootCAs = cp
+	} else if option.CustomCAString != "" {
+		cp := x509.NewCertPool()
+		if !cp.AppendCertsFromPEM([]byte(option.CustomCAString)) {
+			return nil, fmt.Errorf("hysteria %s failed to parse ca_str", addr)
+		}
+		tlsConfig.RootCAs = cp
+	}
+	quicConfig := &quic.Config{
+		InitialStreamReceiveWindow:     uint64(option.ReceiveWindowConn),
+		MaxStreamReceiveWindow:         uint64(option.ReceiveWindowConn),
+		InitialConnectionReceiveWindow: uint64(option.ReceiveWindow),
+		MaxConnectionReceiveWindow:     uint64(option.ReceiveWindow),
+		KeepAlive:                      true,
+		DisablePathMTUDiscovery:        option.DisableMTUDiscovery,
+		EnableDatagrams:                true,
+	}
+	if option.Protocol == "" {
+		option.Protocol = DefaultProtocol
+	}
+	if option.ReceiveWindowConn == 0 {
+		quicConfig.InitialStreamReceiveWindow = DefaultStreamReceiveWindow
+		quicConfig.MaxStreamReceiveWindow = DefaultStreamReceiveWindow
+	}
+	if option.ReceiveWindow == 0 {
+		quicConfig.InitialConnectionReceiveWindow = DefaultConnectionReceiveWindow
+		quicConfig.MaxConnectionReceiveWindow = DefaultConnectionReceiveWindow
+	}
+	if !quicConfig.DisablePathMTUDiscovery && pmtud_fix.DisablePathMTUDiscovery {
+		log.Infoln("hysteria: Path MTU Discovery is not yet supported on this platform")
+	}
+	var auth []byte
+	if option.Auth != "" {
+		authBytes, err := base64.StdEncoding.DecodeString(option.Auth)
+		if err != nil {
+			return nil, fmt.Errorf("hysteria %s parse auth error: %w", addr, err)
+		}
+		auth = authBytes
+	} else {
+		auth = []byte(option.AuthString)
+	}
+	var obfuscator obfs.Obfuscator
+	if len(option.Obfs) > 0 {
+		obfuscator = obfs.NewXPlusObfuscator([]byte(option.Obfs))
+	}
+	up, down, _ := option.Speed()
+	client, err := core.NewClient(
+		addr, option.Protocol, auth, tlsConfig, quicConfig, clientTransport, up, down, func(refBPS uint64) congestion.CongestionControl {
+			return hyCongestion.NewBrutalSender(congestion.ByteCount(refBPS))
+		}, obfuscator,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("hysteria %s create error: %w", addr, err)
+	}
+	return &Hysteria{
+		Base: &Base{
+			name:  option.Name,
+			addr:  addr,
+			tp:    C.Hysteria,
+			udp:   true,
+			iface: option.Interface,
+			rmark: option.RoutingMark,
+		},
+		client:          client,
+		clientTransport: clientTransport,
+	}, nil
+}
+
+func stringToBps(s string) uint64 {
+	if s == "" {
+		return 0
+	}
+	m := rateStringRegexp.FindStringSubmatch(s)
+	if m == nil {
+		return 0
+	}
+	var n uint64
+	switch m[2] {
+	case "K":
+		n = 1 << 10
+	case "M":
+		n = 1 << 20
+	case "G":
+		n = 1 << 30
+	case "T":
+		n = 1 << 40
+	default:
+		n = 1
+	}
+	v, _ := strconv.ParseUint(m[1], 10, 64)
+	n = v * n
+	if m[3] == "b" {
+		// Bits, need to convert to bytes
+		n = n >> 3
+	}
+	return n
+}
+
+type hyPacketConn struct {
+	core.UDPConn
+}
+
+func (c *hyPacketConn) ReadFrom(p []byte) (n int, addr net.Addr, err error) {
+	b, addrStr, err := c.UDPConn.ReadFrom()
+	if err != nil {
+		return
+	}
+	n = copy(p, b)
+	addr = M.ParseSocksaddr(addrStr).UDPAddr()
+	return
+}
+
+func (c *hyPacketConn) WriteTo(p []byte, addr net.Addr) (n int, err error) {
+	err = c.UDPConn.WriteTo(p, M.SocksaddrFromNet(addr).String())
+	if err != nil {
+		return
+	}
+	n = len(p)
+	return
+}
+
+type hyDialer func() (net.PacketConn, error)
+
+func (h hyDialer) ListenPacket() (net.PacketConn, error) {
+	return h()
+}
--- a/adapter/outbound/mitm.go
+++ b/adapter/outbound/mitm.go
@ -1,50 +0,0 @@
-package outbound
-
-import (
-	"context"
-	"net"
-	"time"
-
-	"github.com/Dreamacro/clash/component/dialer"
-	C "github.com/Dreamacro/clash/constant"
-)
-
-type Mitm struct {
-	*Base
-	serverAddr      *net.TCPAddr
-	httpProxyClient *Http
-}
-
-// DialContext implements C.ProxyAdapter
-func (m *Mitm) DialContext(_ context.Context, metadata *C.Metadata, _ ...dialer.Option) (C.Conn, error) {
-	c, err := net.DialTCP("tcp", nil, m.serverAddr)
-	if err != nil {
-		return nil, err
-	}
-
-	_ = c.SetKeepAlive(true)
-	_ = c.SetKeepAlivePeriod(60 * time.Second)
-	_ = c.SetLinger(0)
-
-	metadata.Type = C.MITM
-
-	hc, err := m.httpProxyClient.StreamConn(c, metadata)
-	if err != nil {
-		_ = c.Close()
-		return nil, err
-	}
-
-	return NewConn(hc, m), nil
-}
-
-func NewMitm(serverAddr string) *Mitm {
-	tcpAddr, _ := net.ResolveTCPAddr("tcp", serverAddr)
-	return &Mitm{
-		Base: &Base{
-			name: "Mitm",
-			tp:   C.Mitm,
-		},
-		serverAddr:      tcpAddr,
-		httpProxyClient: NewHttp(HttpOption{}),
-	}
-}
--- a/adapter/outbound/reject.go
+++ b/adapter/outbound/reject.go
@ -6,49 +6,22 @@ import (
 	"net"
 	"time"

-	"github.com/Dreamacro/clash/common/cache"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 )

-const (
-	rejectCountLimit = 50
-	rejectDelay      = time.Second * 35
-)
-
-var rejectCounter = cache.NewLRUCache[string, int](cache.WithAge[string, int](15), cache.WithStale[string, int](false), cache.WithSize[string, int](512))
-
 type Reject struct {
 	*Base
 }

 // DialContext implements C.ProxyAdapter
 func (r *Reject) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
-	key := metadata.RemoteAddress()
-
-	count, existed := rejectCounter.Get(key)
-	if !existed {
-		count = 0
-	}
-
-	count = count + 1
-
-	rejectCounter.Set(key, count)
-
-	if count > rejectCountLimit {
-		c, _ := net.Pipe()
-
-		_ = c.SetDeadline(time.Now().Add(rejectDelay))
-
-		return NewConn(c, r), nil
-	}
-
 	return NewConn(&nopConn{}, r), nil
 }

 // ListenPacketContext implements C.ProxyAdapter
 func (r *Reject) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
-	return NewPacketConn(&nopPacketConn{}, r), nil
+	return newPacketConn(&nopPacketConn{}, r), nil
 }

 func NewReject() *Reject {
@ -61,6 +34,16 @@ func NewReject() *Reject {
 	}
 }

+func NewPass() *Reject {
+	return &Reject{
+		Base: &Base{
+			name: "PASS",
+			tp:   C.Pass,
+			udp:  true,
+		},
+	}
+}
+
 type nopConn struct{}

 func (rw *nopConn) Read(b []byte) (int, error) {
--- a/adapter/outbound/shadowsocks.go
+++ b/adapter/outbound/shadowsocks.go
@ -10,15 +10,18 @@ import (
 	"github.com/Dreamacro/clash/common/structure"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
-	"github.com/Dreamacro/clash/transport/shadowsocks/core"
 	obfs "github.com/Dreamacro/clash/transport/simple-obfs"
 	"github.com/Dreamacro/clash/transport/socks5"
 	v2rayObfs "github.com/Dreamacro/clash/transport/v2ray-plugin"
+	"github.com/sagernet/sing-shadowsocks"
+	"github.com/sagernet/sing-shadowsocks/shadowimpl"
+	"github.com/sagernet/sing/common/bufio"
+	M "github.com/sagernet/sing/common/metadata"
 )

 type ShadowSocks struct {
 	*Base
-	cipher core.Cipher
+	method shadowsocks.Method

 	// obfs
 	obfsMode    string
@ -68,24 +71,7 @@ func (ss *ShadowSocks) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, e
 			return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
 		}
 	}
-	c = ss.cipher.StreamConn(c)
-	_, err := c.Write(serializesSocksAddr(metadata))
-	return c, err
-}
-
-// StreamPacketConn implements C.ProxyAdapter
-func (ss *ShadowSocks) StreamPacketConn(c net.Conn, _ *C.Metadata) (net.Conn, error) {
-	if !IsPacketConn(c) {
-		return c, fmt.Errorf("%s connect error: can not convert net.Conn to net.PacketConn", ss.addr)
-	}
-
-	addr, err := resolveUDPAddr("udp", ss.addr)
-	if err != nil {
-		return c, err
-	}
-
-	pc := ss.cipher.PacketConn(c.(net.PacketConn))
-	return WrapConn(&ssPacketConn{PacketConn: pc, rAddr: addr}), nil
+	return ss.method.DialConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
 }

 // DialContext implements C.ProxyAdapter
@ -109,20 +95,18 @@ func (ss *ShadowSocks) ListenPacketContext(ctx context.Context, metadata *C.Meta
 		return nil, err
 	}

-	c, err := ss.StreamPacketConn(WrapConn(pc), metadata)
+	addr, err := resolveUDPAddr("udp", ss.addr)
 	if err != nil {
-		_ = pc.Close()
+		pc.Close()
 		return nil, err
 	}
-
-	return NewPacketConn(c.(net.PacketConn), ss), nil
+	pc = ss.method.DialPacketConn(&bufio.BindPacketConn{PacketConn: pc, Addr: addr})
+	return newPacketConn(pc, ss), nil
 }

 func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
-	cipher := option.Cipher
-	password := option.Password
-	ciph, err := core.PickCipher(cipher, nil, password)
+	method, err := shadowimpl.FetchMethod(option.Cipher, option.Password)
 	if err != nil {
 		return nil, fmt.Errorf("ss %s initialize error: %w", addr, err)
 	}
@ -175,7 +159,7 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			iface: option.Interface,
 			rmark: option.RoutingMark,
 		},
-		cipher: ciph,
+		method: method,

 		obfsMode:    obfsMode,
 		v2rayOption: v2rayOption,
--- a/adapter/outbound/shadowsocksr.go
+++ b/adapter/outbound/shadowsocksr.go
@ -58,22 +58,6 @@ func (ssr *ShadowSocksR) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn,
 	return c, err
 }

-// StreamPacketConn implements C.ProxyAdapter
-func (ssr *ShadowSocksR) StreamPacketConn(c net.Conn, _ *C.Metadata) (net.Conn, error) {
-	if !IsPacketConn(c) {
-		return c, fmt.Errorf("%s connect error: can not convert net.Conn to net.PacketConn", ssr.addr)
-	}
-
-	addr, err := resolveUDPAddr("udp", ssr.addr)
-	if err != nil {
-		return c, err
-	}
-
-	pc := ssr.cipher.PacketConn(c.(net.PacketConn))
-	pc = ssr.protocol.PacketConn(pc)
-	return WrapConn(&ssPacketConn{PacketConn: pc, rAddr: addr}), nil
-}
-
 // DialContext implements C.ProxyAdapter
 func (ssr *ShadowSocksR) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
 	c, err := dialer.DialContext(ctx, "tcp", ssr.addr, ssr.Base.DialOptions(opts...)...)
@ -95,13 +79,15 @@ func (ssr *ShadowSocksR) ListenPacketContext(ctx context.Context, metadata *C.Me
 		return nil, err
 	}

-	c, err := ssr.StreamPacketConn(WrapConn(pc), metadata)
+	addr, err := resolveUDPAddr("udp", ssr.addr)
 	if err != nil {
-		_ = pc.Close()
+		pc.Close()
 		return nil, err
 	}

-	return NewPacketConn(c.(net.PacketConn), ssr), nil
+	pc = ssr.cipher.PacketConn(pc)
+	pc = ssr.protocol.PacketConn(pc)
+	return newPacketConn(&ssPacketConn{PacketConn: pc, rAddr: addr}, ssr), nil
 }

 func NewShadowSocksR(option ShadowSocksROption) (*ShadowSocksR, error) {
--- a/adapter/outbound/snell.go
+++ b/adapter/outbound/snell.go
@ -53,23 +53,15 @@ func streamConn(c net.Conn, option streamOption) *snell.Snell {
 // StreamConn implements C.ProxyAdapter
 func (s *Snell) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	c = streamConn(c, streamOption{s.psk, s.version, s.addr, s.obfsOption})
+	if metadata.NetWork == C.UDP {
+		err := snell.WriteUDPHeader(c, s.version)
+		return c, err
+	}
 	port, _ := strconv.ParseUint(metadata.DstPort, 10, 16)
 	err := snell.WriteHeader(c, metadata.String(), uint(port), s.version)
 	return c, err
 }

-// StreamPacketConn implements C.ProxyAdapter
-func (s *Snell) StreamPacketConn(c net.Conn, _ *C.Metadata) (net.Conn, error) {
-	c = streamConn(c, streamOption{s.psk, s.version, s.addr, s.obfsOption})
-
-	err := snell.WriteUDPHeader(c, s.version)
-	if err != nil {
-		return c, err
-	}
-
-	return WrapConn(snell.PacketConn(c)), nil
-}
-
 // DialContext implements C.ProxyAdapter
 func (s *Snell) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
 	if s.version == snell.Version2 && len(opts) == 0 {
@ -80,7 +72,7 @@ func (s *Snell) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d

 		port, _ := strconv.ParseUint(metadata.DstPort, 10, 16)
 		if err = snell.WriteHeader(c, metadata.String(), uint(port), s.version); err != nil {
-			_ = c.Close()
+			c.Close()
 			return nil, err
 		}
 		return NewConn(c, s), err
@ -105,14 +97,26 @@ func (s *Snell) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 		return nil, err
 	}
 	tcpKeepAlive(c)
+	c = streamConn(c, streamOption{s.psk, s.version, s.addr, s.obfsOption})

-	pc, err := s.StreamPacketConn(c, metadata)
+	err = snell.WriteUDPHeader(c, s.version)
 	if err != nil {
-		_ = c.Close()
 		return nil, err
 	}

-	return NewPacketConn(pc.(net.PacketConn), s), nil
+	pc := snell.PacketConn(c)
+	return newPacketConn(pc, s), nil
+}
+
+// ListenPacketOnStreamConn implements C.ProxyAdapter
+func (s *Snell) ListenPacketOnStreamConn(c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	pc := snell.PacketConn(c)
+	return newPacketConn(pc, s), nil
+}
+
+// SupportUOT implements C.ProxyAdapter
+func (s *Snell) SupportUOT() bool {
+	return true
 }

 func NewSnell(option SnellOption) (*Snell, error) {
--- a/adapter/outbound/socks5.go
+++ b/adapter/outbound/socks5.go
@ -37,59 +37,12 @@ type Socks5Option struct {

 // StreamConn implements C.ProxyAdapter
 func (ss *Socks5) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
-	var err error
-	c, _, err = ss.streamConn(c, metadata)
-
-	return c, err
-}
-
-func (ss *Socks5) StreamSocks5PacketConn(c net.Conn, pc net.PacketConn, metadata *C.Metadata) (net.PacketConn, error) {
-	if c == nil {
-		return pc, fmt.Errorf("%s connect error: parameter net.Conn is nil", ss.addr)
-	}
-
-	if pc == nil {
-		return pc, fmt.Errorf("%s connect error: parameter net.PacketConn is nil", ss.addr)
-	}
-
-	cc, bindAddr, err := ss.streamConn(c, metadata)
-	if err != nil {
-		return pc, err
-	}
-
-	c = cc
-
-	go func() {
-		_, _ = io.Copy(io.Discard, c)
-		_ = c.Close()
-		// A UDP association terminates when the TCP connection that the UDP
-		// ASSOCIATE request arrived on terminates. RFC1928
-		_ = pc.Close()
-	}()
-
-	// Support unspecified UDP bind address.
-	bindUDPAddr := bindAddr.UDPAddr()
-	if bindUDPAddr == nil {
-		return pc, errors.New("invalid UDP bind address")
-	} else if bindUDPAddr.IP.IsUnspecified() {
-		serverAddr, err := resolveUDPAddr("udp", ss.Addr())
-		if err != nil {
-			return pc, err
-		}
-
-		bindUDPAddr.IP = serverAddr.IP
-	}
-
-	return &socksPacketConn{PacketConn: pc, rAddr: bindUDPAddr, tcpConn: c}, nil
-}
-
-func (ss *Socks5) streamConn(c net.Conn, metadata *C.Metadata) (_ net.Conn, bindAddr socks5.Addr, err error) {
 	if ss.tls {
 		cc := tls.Client(c, ss.tlsConfig)
 		err := cc.Handshake()
 		c = cc
 		if err != nil {
-			return c, nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
+			return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
 		}
 	}

@ -100,14 +53,10 @@ func (ss *Socks5) streamConn(c net.Conn, metadata *C.Metadata) (_ net.Conn, bind
 			Password: ss.pass,
 		}
 	}
-
-	if metadata.NetWork == C.UDP {
-		bindAddr, err = socks5.ClientHandshake(c, serializesSocksAddr(metadata), socks5.CmdUDPAssociate, user)
-	} else {
-		bindAddr, err = socks5.ClientHandshake(c, serializesSocksAddr(metadata), socks5.CmdConnect, user)
+	if _, err := socks5.ClientHandshake(c, serializesSocksAddr(metadata), socks5.CmdConnect, user); err != nil {
+		return nil, err
 	}
-
-	return c, bindAddr, err
+	return c, nil
 }

 // DialContext implements C.ProxyAdapter
@ -132,24 +81,61 @@ func (ss *Socks5) DialContext(ctx context.Context, metadata *C.Metadata, opts ..
 func (ss *Socks5) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
 	c, err := dialer.DialContext(ctx, "tcp", ss.addr, ss.Base.DialOptions(opts...)...)
 	if err != nil {
-		return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
+		err = fmt.Errorf("%s connect error: %w", ss.addr, err)
+		return
+	}
+
+	if ss.tls {
+		cc := tls.Client(c, ss.tlsConfig)
+		err = cc.Handshake()
+		c = cc
 	}

 	defer safeConnClose(c, err)

+	tcpKeepAlive(c)
+	var user *socks5.User
+	if ss.user != "" {
+		user = &socks5.User{
+			Username: ss.user,
+			Password: ss.pass,
+		}
+	}
+
+	bindAddr, err := socks5.ClientHandshake(c, serializesSocksAddr(metadata), socks5.CmdUDPAssociate, user)
+	if err != nil {
+		err = fmt.Errorf("client hanshake error: %w", err)
+		return
+	}
+
 	pc, err := dialer.ListenPacket(ctx, "udp", "", ss.Base.DialOptions(opts...)...)
 	if err != nil {
 		return
 	}

-	tcpKeepAlive(c)
+	go func() {
+		io.Copy(io.Discard, c)
+		c.Close()
+		// A UDP association terminates when the TCP connection that the UDP
+		// ASSOCIATE request arrived on terminates. RFC1928
+		pc.Close()
+	}()

-	pc, err = ss.StreamSocks5PacketConn(c, pc, metadata)
-	if err != nil {
+	// Support unspecified UDP bind address.
+	bindUDPAddr := bindAddr.UDPAddr()
+	if bindUDPAddr == nil {
+		err = errors.New("invalid UDP bind address")
 		return
+	} else if bindUDPAddr.IP.IsUnspecified() {
+		serverAddr, err := resolveUDPAddr("udp", ss.Addr())
+		if err != nil {
+			return nil, err
+		}
+
+		bindUDPAddr.IP = serverAddr.IP
 	}

-	return NewPacketConn(pc, ss), nil
+	return newPacketConn(&socksPacketConn{PacketConn: pc, rAddr: bindUDPAddr, tcpConn: c}, ss), nil
 }

 func NewSocks5(option Socks5Option) *Socks5 {
@ -213,6 +199,6 @@ func (uc *socksPacketConn) ReadFrom(b []byte) (int, net.Addr, error) {
 }

 func (uc *socksPacketConn) Close() error {
-	_ = uc.tcpConn.Close()
+	uc.tcpConn.Close()
 	return uc.PacketConn.Close()
 }
--- a/adapter/outbound/trojan.go
+++ b/adapter/outbound/trojan.go
@ -13,8 +13,6 @@ import (
 	"github.com/Dreamacro/clash/transport/gun"
 	"github.com/Dreamacro/clash/transport/trojan"
 	"github.com/Dreamacro/clash/transport/vless"
-
-	"golang.org/x/net/http2"
 )

 type Trojan struct {
@ -25,7 +23,7 @@ type Trojan struct {
 	// for gun mux
 	gunTLSConfig *tls.Config
 	gunConfig    *gun.Config
-	transport    *http2.Transport
+	transport    *gun.TransportWrap
 }

 type TrojanOption struct {
@ -72,7 +70,8 @@ func (t *Trojan) plainStream(c net.Conn) (net.Conn, error) {
 	return t.instance.StreamConn(c)
 }

-func (t *Trojan) trojanStream(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
+// StreamConn implements C.ProxyAdapter
+func (t *Trojan) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	var err error
 	if t.transport != nil {
 		c, err = gun.StreamGunWithConn(c, t.gunTLSConfig, t.gunConfig)
@ -84,63 +83,43 @@ func (t *Trojan) trojanStream(c net.Conn, metadata *C.Metadata) (net.Conn, error
 		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
 	}

-	c, err = t.instance.PrepareXTLSConn(c)
+	c, err = t.instance.PresetXTLSConn(c)
 	if err != nil {
-		return c, err
+		return nil, err
 	}

 	if metadata.NetWork == C.UDP {
 		err = t.instance.WriteHeader(c, trojan.CommandUDP, serializesSocksAddr(metadata))
 		return c, err
 	}
-
 	err = t.instance.WriteHeader(c, trojan.CommandTCP, serializesSocksAddr(metadata))
 	return c, err
 }

-// StreamConn implements C.ProxyAdapter
-func (t *Trojan) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
-	return t.trojanStream(c, metadata)
-}
-
-// StreamPacketConn implements C.ProxyAdapter
-func (t *Trojan) StreamPacketConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
-	var err error
-	c, err = t.trojanStream(c, metadata)
-	if err != nil {
-		return c, err
-	}
-
-	pc := t.instance.PacketConn(c)
-	return WrapConn(pc), nil
-}
-
 // DialContext implements C.ProxyAdapter
 func (t *Trojan) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
-	var c net.Conn
-
 	// gun transport
 	if t.transport != nil && len(opts) == 0 {
-		c, err = gun.StreamGunWithTransport(t.transport, t.gunConfig)
+		c, err := gun.StreamGunWithTransport(t.transport, t.gunConfig)
 		if err != nil {
 			return nil, err
 		}

-		defer safeConnClose(c, err)
-
-		c, err = t.instance.PrepareXTLSConn(c)
+		c, err = t.instance.PresetXTLSConn(c)
 		if err != nil {
+			c.Close()
 			return nil, err
 		}

 		if err = t.instance.WriteHeader(c, trojan.CommandTCP, serializesSocksAddr(metadata)); err != nil {
+			c.Close()
 			return nil, err
 		}

 		return NewConn(c, t), nil
 	}

-	c, err = dialer.DialContext(ctx, "tcp", t.addr, t.Base.DialOptions(opts...)...)
+	c, err := dialer.DialContext(ctx, "tcp", t.addr, t.Base.DialOptions(opts...)...)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
 	}
@ -160,44 +139,44 @@ func (t *Trojan) DialContext(ctx context.Context, metadata *C.Metadata, opts ...
 func (t *Trojan) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
 	var c net.Conn

-	// gun transport
+	// grpc transport
 	if t.transport != nil && len(opts) == 0 {
 		c, err = gun.StreamGunWithTransport(t.transport, t.gunConfig)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
 		}
-
 		defer safeConnClose(c, err)
-
-		c, err = t.instance.PrepareXTLSConn(c)
+	} else {
+		c, err = dialer.DialContext(ctx, "tcp", t.addr, t.Base.DialOptions(opts...)...)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
 		}
-
-		if err = t.instance.WriteHeader(c, trojan.CommandUDP, serializesSocksAddr(metadata)); err != nil {
-			return nil, err
+		defer safeConnClose(c, err)
+		tcpKeepAlive(c)
+		c, err = t.plainStream(c)
+		if err != nil {
+			return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
 		}
-
-		pc := t.instance.PacketConn(c)
-
-		return NewPacketConn(pc, t), nil
 	}

-	c, err = dialer.DialContext(ctx, "tcp", t.addr, t.Base.DialOptions(opts...)...)
-	if err != nil {
-		return nil, fmt.Errorf("%s connect error: %w", t.addr, err)
-	}
-
-	tcpKeepAlive(c)
-
-	defer safeConnClose(c, err)
-
-	c, err = t.StreamPacketConn(c, metadata)
+	err = t.instance.WriteHeader(c, trojan.CommandUDP, serializesSocksAddr(metadata))
 	if err != nil {
 		return nil, err
 	}

-	return NewPacketConn(c.(net.PacketConn), t), nil
+	pc := t.instance.PacketConn(c)
+	return newPacketConn(pc, t), err
+}
+
+// ListenPacketOnStreamConn implements C.ProxyAdapter
+func (t *Trojan) ListenPacketOnStreamConn(c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	pc := t.instance.PacketConn(c)
+	return newPacketConn(pc, t), err
+}
+
+// SupportUOT implements C.ProxyAdapter
+func (t *Trojan) SupportUOT() bool {
+	return true
 }

 func NewTrojan(option TrojanOption) (*Trojan, error) {
--- a/adapter/outbound/util.go
+++ b/adapter/outbound/util.go
@ -2,23 +2,45 @@ package outbound

 import (
 	"bytes"
+	"crypto/tls"
 	"net"
 	"strconv"
+	"sync"
 	"time"

 	"github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/socks5"
+	xtls "github.com/xtls/go"
+)
+
+var (
+	globalClientSessionCache  tls.ClientSessionCache
+	globalClientXSessionCache xtls.ClientSessionCache
+	once                      sync.Once
 )

 func tcpKeepAlive(c net.Conn) {
 	if tcp, ok := c.(*net.TCPConn); ok {
 		_ = tcp.SetKeepAlive(true)
 		_ = tcp.SetKeepAlivePeriod(30 * time.Second)
-		_ = tcp.SetLinger(0)
 	}
 }

+func getClientSessionCache() tls.ClientSessionCache {
+	once.Do(func() {
+		globalClientSessionCache = tls.NewLRUClientSessionCache(128)
+	})
+	return globalClientSessionCache
+}
+
+func getClientXSessionCache() xtls.ClientSessionCache {
+	once.Do(func() {
+		globalClientXSessionCache = xtls.NewLRUClientSessionCache(128)
+	})
+	return globalClientXSessionCache
+}
+
 func serializesSocksAddr(metadata *C.Metadata) []byte {
 	var buf [][]byte
 	aType := uint8(metadata.AddrType)
@ -53,7 +75,7 @@ func resolveUDPAddr(network, address string) (*net.UDPAddr, error) {
 }

 func safeConnClose(c net.Conn, err error) {
-	if err != nil && c != nil {
+	if err != nil {
 		_ = c.Close()
 	}
 }
--- a/adapter/outbound/vless.go
+++ b/adapter/outbound/vless.go
@ -12,14 +12,13 @@ import (
 	"strconv"
 	"sync"

+	"github.com/Dreamacro/clash/common/convert"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/gun"
 	"github.com/Dreamacro/clash/transport/vless"
 	"github.com/Dreamacro/clash/transport/vmess"
-
-	"golang.org/x/net/http2"
 )

 const (
@ -35,7 +34,7 @@ type Vless struct {
 	// for gun mux
 	gunTLSConfig *tls.Config
 	gunConfig    *gun.Config
-	transport    *http2.Transport
+	transport    *gun.TransportWrap
 }

 type VlessOption struct {
@ -46,6 +45,7 @@ type VlessOption struct {
 	UUID           string            `proxy:"uuid"`
 	Flow           string            `proxy:"flow,omitempty"`
 	FlowShow       bool              `proxy:"flow-show,omitempty"`
+	TLS            bool              `proxy:"tls,omitempty"`
 	UDP            bool              `proxy:"udp,omitempty"`
 	Network        string            `proxy:"network,omitempty"`
 	HTTPOpts       HTTPOptions       `proxy:"http-opts,omitempty"`
@ -58,17 +58,10 @@ type VlessOption struct {
 	ServerName     string            `proxy:"servername,omitempty"`
 }

-// StreamConn implements C.ProxyAdapter
 func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	var err error
 	switch v.option.Network {
 	case "ws":
-		if v.option.WSOpts.Path == "" {
-			v.option.WSOpts.Path = v.option.WSPath
-		}
-		if len(v.option.WSOpts.Headers) == 0 {
-			v.option.WSOpts.Headers = v.option.WSHeaders
-		}

 		host, port, _ := net.SplitHostPort(v.addr)
 		wsOpts := &vmess.WebsocketConfig{
@ -98,8 +91,10 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 			wsOpts.TLSConfig.ServerName = v.option.ServerName
 		} else if host := wsOpts.Headers.Get("Host"); host != "" {
 			wsOpts.TLSConfig.ServerName = host
+		} else {
+			wsOpts.Headers.Set("Host", convert.RandHost())
+			convert.SetUserAgent(wsOpts.Headers)
 		}
-
 		c, err = vmess.StreamWebsocketConn(c, wsOpts)
 	case "http":
 		// readability first, so just copy default TLS logic
@ -148,26 +143,6 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	return v.client.StreamConn(c, parseVlessAddr(metadata))
 }

-// StreamPacketConn implements C.ProxyAdapter
-func (v *Vless) StreamPacketConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
-	// vmess use stream-oriented udp with a special address, so we needs a net.UDPAddr
-	if !metadata.Resolved() {
-		ip, err := resolver.ResolveIP(metadata.Host)
-		if err != nil {
-			return nil, errors.New("can't resolve ip")
-		}
-		metadata.DstIP = ip
-	}
-
-	var err error
-	c, err = v.StreamConn(c, metadata)
-	if err != nil {
-		return nil, fmt.Errorf("new vmess client error: %v", err)
-	}
-
-	return WrapConn(&vlessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}), nil
-}
-
 func (v *Vless) streamTLSOrXTLSConn(conn net.Conn, isH2 bool) (net.Conn, error) {
 	host, _, _ := net.SplitHostPort(v.addr)

@ -187,7 +162,7 @@ func (v *Vless) streamTLSOrXTLSConn(conn net.Conn, isH2 bool) (net.Conn, error)

 		return vless.StreamXTLSConn(conn, &xtlsOpts)

-	} else {
+	} else if v.option.TLS {
 		tlsOpts := vmess.TLSConfig{
 			Host:           host,
 			SkipCertVerify: v.option.SkipCertVerify,
@ -203,6 +178,8 @@ func (v *Vless) streamTLSOrXTLSConn(conn net.Conn, isH2 bool) (net.Conn, error)

 		return vmess.StreamTLSConn(conn, &tlsOpts)
 	}
+
+	return conn, nil
 }

 func (v *Vless) isXTLSEnabled() bool {
@ -240,18 +217,18 @@ func (v *Vless) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d

 // ListenPacketContext implements C.ProxyAdapter
 func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+	// vless use stream-oriented udp with a special address, so we needs a net.UDPAddr
+	if !metadata.Resolved() {
+		ip, err := resolver.ResolveIP(metadata.Host)
+		if err != nil {
+			return nil, errors.New("can't resolve ip")
+		}
+		metadata.DstIP = ip
+	}
+
 	var c net.Conn
 	// gun transport
 	if v.transport != nil && len(opts) == 0 {
-		// vless use stream-oriented udp with a special address, so we needs a net.UDPAddr
-		if !metadata.Resolved() {
-			ip, err := resolver.ResolveIP(metadata.Host)
-			if err != nil {
-				return nil, errors.New("can't resolve ip")
-			}
-			metadata.DstIP = ip
-		}
-
 		c, err = gun.StreamGunWithTransport(v.transport, v.gunConfig)
 		if err != nil {
 			return nil, err
@ -259,27 +236,32 @@ func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 		defer safeConnClose(c, err)

 		c, err = v.client.StreamConn(c, parseVlessAddr(metadata))
+	} else {
+		c, err = dialer.DialContext(ctx, "tcp", v.addr, v.Base.DialOptions(opts...)...)
 		if err != nil {
-			return nil, fmt.Errorf("new vless client error: %v", err)
+			return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 		}
+		tcpKeepAlive(c)
+		defer safeConnClose(c, err)

-		return NewPacketConn(&vlessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}, v), nil
+		c, err = v.StreamConn(c, metadata)
 	}

-	c, err = dialer.DialContext(ctx, "tcp", v.addr, v.Base.DialOptions(opts...)...)
-	if err != nil {
-		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
-	}
-
-	tcpKeepAlive(c)
-	defer safeConnClose(c, err)
-
-	c, err = v.StreamPacketConn(c, metadata)
 	if err != nil {
 		return nil, fmt.Errorf("new vless client error: %v", err)
 	}

-	return NewPacketConn(c.(net.PacketConn), v), nil
+	return v.ListenPacketOnStreamConn(c, metadata)
+}
+
+// ListenPacketOnStreamConn implements C.ProxyAdapter
+func (v *Vless) ListenPacketOnStreamConn(c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	return newPacketConn(&vlessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}, v), nil
+}
+
+// SupportUOT implements C.ProxyAdapter
+func (v *Vless) SupportUOT() bool {
+	return true
 }

 func parseVlessAddr(metadata *C.Metadata) *vless.DstAddr {
@ -287,18 +269,18 @@ func parseVlessAddr(metadata *C.Metadata) *vless.DstAddr {
 	var addr []byte
 	switch metadata.AddrType {
 	case C.AtypIPv4:
-		addrType = byte(vless.AtypIPv4)
+		addrType = vless.AtypIPv4
 		addr = make([]byte, net.IPv4len)
 		copy(addr[:], metadata.DstIP.AsSlice())
 	case C.AtypIPv6:
-		addrType = byte(vless.AtypIPv6)
+		addrType = vless.AtypIPv6
 		addr = make([]byte, net.IPv6len)
 		copy(addr[:], metadata.DstIP.AsSlice())
 	case C.AtypDomainName:
-		addrType = byte(vless.AtypDomainName)
+		addrType = vless.AtypDomainName
 		addr = make([]byte, len(metadata.Host)+1)
 		addr[0] = byte(len(metadata.Host))
-		copy(addr[1:], []byte(metadata.Host))
+		copy(addr[1:], metadata.Host)
 	}

 	port, _ := strconv.ParseUint(metadata.DstPort, 10, 16)
@ -313,29 +295,40 @@ func parseVlessAddr(metadata *C.Metadata) *vless.DstAddr {
 type vlessPacketConn struct {
 	net.Conn
 	rAddr  net.Addr
-	cache  [2]byte
 	remain int
 	mux    sync.Mutex
+	cache  [2]byte
 }

-func (vc *vlessPacketConn) WriteTo(b []byte, _ net.Addr) (int, error) {
+func (c *vlessPacketConn) writePacket(payload []byte) (int, error) {
+	binary.BigEndian.PutUint16(c.cache[:], uint16(len(payload)))
+
+	if _, err := c.Conn.Write(c.cache[:]); err != nil {
+		return 0, err
+	}
+
+	return c.Conn.Write(payload)
+}
+
+func (c *vlessPacketConn) WriteTo(b []byte, addr net.Addr) (int, error) {
 	total := len(b)
 	if total == 0 {
 		return 0, nil
 	}

-	if total < maxLength {
-		return vc.writePacket(b)
+	if total <= maxLength {
+		return c.writePacket(b)
 	}

 	offset := 0
-	for {
+
+	for offset < total {
 		cursor := offset + maxLength
 		if cursor > total {
 			cursor = total
 		}

-		n, err := vc.writePacket(b[offset:cursor])
+		n, err := c.writePacket(b[offset:cursor])
 		if err != nil {
 			return offset + n, err
 		}
@ -349,33 +342,32 @@ func (vc *vlessPacketConn) WriteTo(b []byte, _ net.Addr) (int, error) {
 	return total, nil
 }

-func (vc *vlessPacketConn) ReadFrom(b []byte) (int, net.Addr, error) {
-	vc.mux.Lock()
-	defer vc.mux.Unlock()
+func (c *vlessPacketConn) ReadFrom(b []byte) (int, net.Addr, error) {
+	c.mux.Lock()
+	defer c.mux.Unlock()

-	if vc.remain != 0 {
+	if c.remain > 0 {
 		length := len(b)
-		if length > vc.remain {
-			length = vc.remain
+		if c.remain < length {
+			length = c.remain
 		}

-		n, err := vc.Conn.Read(b[:length])
+		n, err := c.Conn.Read(b[:length])
 		if err != nil {
-			return 0, vc.rAddr, err
+			return 0, c.rAddr, err
 		}

-		vc.remain -= n
-
-		return n, vc.rAddr, nil
+		c.remain -= n
+		return n, c.rAddr, nil
 	}

-	if _, err := vc.Conn.Read(b[:2]); err != nil {
-		return 0, vc.rAddr, err
+	if _, err := c.Conn.Read(b[:2]); err != nil {
+		return 0, c.rAddr, err
 	}

 	total := int(binary.BigEndian.Uint16(b[:2]))
 	if total == 0 {
-		return 0, vc.rAddr, nil
+		return 0, c.rAddr, nil
 	}

 	length := len(b)
@ -383,23 +375,13 @@ func (vc *vlessPacketConn) ReadFrom(b []byte) (int, net.Addr, error) {
 		length = total
 	}

-	if _, err := io.ReadFull(vc.Conn, b[:length]); err != nil {
-		return 0, vc.rAddr, errors.New("read packet error")
+	if _, err := io.ReadFull(c.Conn, b[:length]); err != nil {
+		return 0, c.rAddr, errors.New("read packet error")
 	}

-	vc.remain = total - length
+	c.remain = total - length

-	return length, vc.rAddr, nil
-}
-
-func (vc *vlessPacketConn) writePacket(payload []byte) (int, error) {
-	binary.BigEndian.PutUint16(vc.cache[:], uint16(len(payload)))
-
-	if _, err := vc.Conn.Write(vc.cache[:]); err != nil {
-		return 0, err
-	}
-
-	return vc.Conn.Write(payload)
+	return length, c.rAddr, nil
 }

 func NewVless(option VlessOption) (*Vless, error) {
--- a/adapter/outbound/vmess.go
+++ b/adapter/outbound/vmess.go
@ -3,6 +3,7 @@ package outbound
 import (
 	"context"
 	"crypto/tls"
+	"errors"
 	"fmt"
 	"net"
 	"net/http"
@ -15,8 +16,6 @@ import (
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/gun"
 	"github.com/Dreamacro/clash/transport/vmess"
-
-	"golang.org/x/net/http2"
 )

 type Vmess struct {
@ -27,7 +26,7 @@ type Vmess struct {
 	// for gun mux
 	gunTLSConfig *tls.Config
 	gunConfig    *gun.Config
-	transport    *http2.Transport
+	transport    *gun.TransportWrap
 }

 type VmessOption struct {
@ -80,21 +79,15 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	var err error
 	switch v.option.Network {
 	case "ws":
-		if v.option.WSOpts.Path == "" {
-			v.option.WSOpts.Path = v.option.WSPath
-		}
-		if len(v.option.WSOpts.Headers) == 0 {
-			v.option.WSOpts.Headers = v.option.WSHeaders
-		}

 		host, port, _ := net.SplitHostPort(v.addr)
 		wsOpts := &vmess.WebsocketConfig{
 			Host:                host,
 			Port:                port,
-			Headers:             http.Header{},
 			Path:                v.option.WSOpts.Path,
 			MaxEarlyData:        v.option.WSOpts.MaxEarlyData,
 			EarlyDataHeaderName: v.option.WSOpts.EarlyDataHeaderName,
+			Headers:             make(http.Header),
 		}

 		if len(v.option.WSOpts.Headers) != 0 {
@ -116,9 +109,7 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 				wsOpts.TLSConfig.ServerName = host
 			}
 		} else {
-			if wsOpts.Headers.Get("Host") == "" {
-				wsOpts.Headers.Set("Host", convert.RandHost())
-			}
+			wsOpts.Headers.Set("Host", convert.RandHost())
 			convert.SetUserAgent(wsOpts.Headers)
 		}
 		c, err = vmess.StreamWebsocketConn(c, wsOpts)
@ -139,6 +130,9 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 			if err != nil {
 				return nil, err
 			}
+		} else {
+			http.Header(v.option.HTTPOpts.Headers).Set("Host", convert.RandHost())
+			convert.SetUserAgent(v.option.HTTPOpts.Headers)
 		}

 		host, _, _ := net.SplitHostPort(v.addr)
@ -199,26 +193,6 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	return v.client.StreamConn(c, parseVmessAddr(metadata))
 }

-// StreamPacketConn implements C.ProxyAdapter
-func (v *Vmess) StreamPacketConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
-	// vmess use stream-oriented udp with a special address, so we needs a net.UDPAddr
-	if !metadata.Resolved() {
-		ip, err := resolver.ResolveIP(metadata.Host)
-		if err != nil {
-			return c, fmt.Errorf("can't resolve ip: %w", err)
-		}
-		metadata.DstIP = ip
-	}
-
-	var err error
-	c, err = v.StreamConn(c, metadata)
-	if err != nil {
-		return c, fmt.Errorf("new vmess client error: %v", err)
-	}
-
-	return WrapConn(&vmessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}), nil
-}
-
 // DialContext implements C.ProxyAdapter
 func (v *Vmess) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
 	// gun transport
@ -250,18 +224,18 @@ func (v *Vmess) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d

 // ListenPacketContext implements C.ProxyAdapter
 func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+	// vmess use stream-oriented udp with a special address, so we needs a net.UDPAddr
+	if !metadata.Resolved() {
+		ip, err := resolver.ResolveIP(metadata.Host)
+		if err != nil {
+			return nil, errors.New("can't resolve ip")
+		}
+		metadata.DstIP = ip
+	}
+
 	var c net.Conn
 	// gun transport
 	if v.transport != nil && len(opts) == 0 {
-		// vmess use stream-oriented udp with a special address, so we needs a net.UDPAddr
-		if !metadata.Resolved() {
-			ip, err := resolver.ResolveIP(metadata.Host)
-			if err != nil {
-				return nil, fmt.Errorf("can't resolve ip: %w", err)
-			}
-			metadata.DstIP = ip
-		}
-
 		c, err = gun.StreamGunWithTransport(v.transport, v.gunConfig)
 		if err != nil {
 			return nil, err
@ -269,27 +243,32 @@ func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 		defer safeConnClose(c, err)

 		c, err = v.client.StreamConn(c, parseVmessAddr(metadata))
+	} else {
+		c, err = dialer.DialContext(ctx, "tcp", v.addr, v.Base.DialOptions(opts...)...)
 		if err != nil {
-			return nil, fmt.Errorf("new vmess client error: %v", err)
+			return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 		}
+		tcpKeepAlive(c)
+		defer safeConnClose(c, err)

-		return NewPacketConn(&vmessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}, v), nil
+		c, err = v.StreamConn(c, metadata)
 	}

-	c, err = dialer.DialContext(ctx, "tcp", v.addr, v.Base.DialOptions(opts...)...)
-	if err != nil {
-		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
-	}
-
-	tcpKeepAlive(c)
-	defer safeConnClose(c, err)
-
-	c, err = v.StreamPacketConn(c, metadata)
 	if err != nil {
 		return nil, fmt.Errorf("new vmess client error: %v", err)
 	}

-	return NewPacketConn(c.(net.PacketConn), v), nil
+	return v.ListenPacketOnStreamConn(c, metadata)
+}
+
+// ListenPacketOnStreamConn implements C.ProxyAdapter
+func (v *Vmess) ListenPacketOnStreamConn(c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
+	return newPacketConn(&vmessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}, v), nil
+}
+
+// SupportUOT implements C.ProxyAdapter
+func (v *Vmess) SupportUOT() bool {
+	return true
 }

 func NewVmess(option VmessOption) (*Vmess, error) {
@ -397,7 +376,7 @@ type vmessPacketConn struct {
 	rAddr net.Addr
 }

-func (uc *vmessPacketConn) WriteTo(b []byte, _ net.Addr) (int, error) {
+func (uc *vmessPacketConn) WriteTo(b []byte, addr net.Addr) (int, error) {
 	return uc.Conn.Write(b)
 }

--- a/adapter/outboundgroup/common.go
+++ b/adapter/outboundgroup/common.go
@ -1,24 +0,0 @@
-package outboundgroup
-
-import (
-	"time"
-
-	C "github.com/Dreamacro/clash/constant"
-	"github.com/Dreamacro/clash/constant/provider"
-)
-
-const (
-	defaultGetProxiesDuration = time.Second * 5
-)
-
-func getProvidersProxies(providers []provider.ProxyProvider, touch bool) []C.Proxy {
-	proxies := []C.Proxy{}
-	for _, provider := range providers {
-		if touch {
-			proxies = append(proxies, provider.ProxiesWithTouch()...)
-		} else {
-			proxies = append(proxies, provider.Proxies()...)
-		}
-	}
-	return proxies
-}
--- a/adapter/outboundgroup/fallback.go
+++ b/adapter/outboundgroup/fallback.go
@ -3,19 +3,20 @@ package outboundgroup
 import (
 	"context"
 	"encoding/json"
+	"errors"
+	"time"

 	"github.com/Dreamacro/clash/adapter/outbound"
-	"github.com/Dreamacro/clash/common/singledo"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/provider"
 )

 type Fallback struct {
-	*outbound.Base
+	*GroupBase
 	disableUDP bool
-	single     *singledo.Single[[]C.Proxy]
-	providers  []provider.ProxyProvider
+	testUrl    string
+	selected   string
 }

 func (f *Fallback) Now() string {
@ -29,7 +30,11 @@ func (f *Fallback) DialContext(ctx context.Context, metadata *C.Metadata, opts .
 	c, err := proxy.DialContext(ctx, metadata, f.Base.DialOptions(opts...)...)
 	if err == nil {
 		c.AppendToChains(f)
+		f.onDialSuccess()
+	} else {
+		f.onDialFailed()
 	}
+
 	return c, err
 }

@ -40,6 +45,7 @@ func (f *Fallback) ListenPacketContext(ctx context.Context, metadata *C.Metadata
 	if err == nil {
 		pc.AppendToChains(f)
 	}
+
 	return pc, err
 }

@ -55,8 +61,8 @@ func (f *Fallback) SupportUDP() bool {

 // MarshalJSON implements C.ProxyAdapter
 func (f *Fallback) MarshalJSON() ([]byte, error) {
-	var all []string
-	for _, proxy := range f.proxies(false) {
+	all := []string{}
+	for _, proxy := range f.GetProxies(false) {
 		all = append(all, proxy.Name())
 	}
 	return json.Marshal(map[string]any{
@ -72,35 +78,57 @@ func (f *Fallback) Unwrap(metadata *C.Metadata) C.Proxy {
 	return proxy
 }

-func (f *Fallback) proxies(touch bool) []C.Proxy {
-	elm, _, _ := f.single.Do(func() ([]C.Proxy, error) {
-		return getProvidersProxies(f.providers, touch), nil
-	})
-
-	return elm
+func (f *Fallback) findAliveProxy(touch bool) C.Proxy {
+	proxies := f.GetProxies(touch)
+	al := proxies[0]
+	for i := len(proxies) - 1; i > -1; i-- {
+		proxy := proxies[i]
+		if proxy.Name() == f.selected && proxy.Alive() {
+			return proxy
+		}
+		if proxy.Alive() {
+			al = proxy
+		}
+	}
+	return al
 }

-func (f *Fallback) findAliveProxy(touch bool) C.Proxy {
-	proxies := f.proxies(touch)
-	for _, proxy := range proxies {
-		if proxy.Alive() {
-			return proxy
+func (f *Fallback) Set(name string) error {
+	var p C.Proxy
+	for _, proxy := range f.GetProxies(false) {
+		if proxy.Name() == name {
+			p = proxy
+			break
 		}
 	}

-	return proxies[0]
+	if p == nil {
+		return errors.New("proxy not exist")
+	}
+
+	f.selected = name
+	if !p.Alive() {
+		ctx, cancel := context.WithTimeout(context.Background(), time.Millisecond*time.Duration(5000))
+		defer cancel()
+		_, _ = p.URLTest(ctx, f.testUrl)
+	}
+
+	return nil
 }

 func NewFallback(option *GroupCommonOption, providers []provider.ProxyProvider) *Fallback {
 	return &Fallback{
-		Base: outbound.NewBase(outbound.BaseOption{
-			Name:        option.Name,
-			Type:        C.Fallback,
-			Interface:   option.Interface,
-			RoutingMark: option.RoutingMark,
+		GroupBase: NewGroupBase(GroupBaseOption{
+			outbound.BaseOption{
+				Name:        option.Name,
+				Type:        C.Fallback,
+				Interface:   option.Interface,
+				RoutingMark: option.RoutingMark,
+			},
+			option.Filter,
+			providers,
 		}),
-		single:     singledo.NewSingle[[]C.Proxy](defaultGetProxiesDuration),
-		providers:  providers,
 		disableUDP: option.DisableUDP,
+		testUrl:    option.URL,
 	}
 }
--- a/adapter/outboundgroup/groupbase.go
+++ b/adapter/outboundgroup/groupbase.go
@ -0,0 +1,189 @@
+package outboundgroup
+
+import (
+	"context"
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/Dreamacro/clash/adapter/outbound"
+	C "github.com/Dreamacro/clash/constant"
+	types "github.com/Dreamacro/clash/constant/provider"
+	"github.com/Dreamacro/clash/constant/provider"
+	"github.com/Dreamacro/clash/log"
+	"github.com/Dreamacro/clash/tunnel"
+	"github.com/dlclark/regexp2"
+	"go.uber.org/atomic"
+)
+
+type GroupBase struct {
+	*outbound.Base
+	filter        *regexp2.Regexp
+	providers     []provider.ProxyProvider
+	versions      sync.Map // map[string]uint
+	proxies       sync.Map // map[string][]C.Proxy
+	failedTestMux sync.Mutex
+	failedTimes   int
+	failedTime    time.Time
+	failedTesting *atomic.Bool
+}
+
+type GroupBaseOption struct {
+	outbound.BaseOption
+	filter    string
+	providers []provider.ProxyProvider
+}
+
+func NewGroupBase(opt GroupBaseOption) *GroupBase {
+	var filter *regexp2.Regexp = nil
+	if opt.filter != "" {
+		filter = regexp2.MustCompile(opt.filter, 0)
+	}
+	return &GroupBase{
+		Base:          outbound.NewBase(opt.BaseOption),
+		filter:        filter,
+		providers:     opt.providers,
+		failedTesting: atomic.NewBool(false),
+	}
+}
+
+func (gb *GroupBase) GetProxies(touch bool) []C.Proxy {
+	if gb.filter == nil {
+		var proxies []C.Proxy
+		for _, pd := range gb.providers {
+			if touch {
+				pd.Touch()
+			}
+			proxies = append(proxies, pd.Proxies()...)
+		}
+		if len(proxies) == 0 {
+			return append(proxies, tunnel.Proxies()["COMPATIBLE"])
+		}
+		return proxies
+	}
+
+	for _, pd := range gb.providers {
+		if touch {
+			pd.Touch()
+		}
+
+		if pd.VehicleType() == types.Compatible {
+			gb.proxies.Store(pd.Name(), pd.Proxies())
+			gb.versions.Store(pd.Name(), pd.Version())
+			continue
+		}
+
+		if version, ok := gb.versions.Load(pd.Name()); !ok || version != pd.Version() {
+			var (
+				proxies    []C.Proxy
+				newProxies []C.Proxy
+			)
+
+			proxies = pd.Proxies()
+
+			for _, p := range proxies {
+				if mat, _ := gb.filter.FindStringMatch(p.Name()); mat != nil {
+					newProxies = append(newProxies, p)
+				}
+			}
+
+			gb.proxies.Store(pd.Name(), newProxies)
+			gb.versions.Store(pd.Name(), pd.Version())
+		}
+	}
+	var proxies []C.Proxy
+	gb.proxies.Range(func(key, value any) bool {
+		proxies = append(proxies, value.([]C.Proxy)...)
+		return true
+	})
+	if len(proxies) == 0 {
+		return append(proxies, tunnel.Proxies()["COMPATIBLE"])
+	}
+	return proxies
+}
+
+func (gb *GroupBase) URLTest(ctx context.Context, url string) (map[string]uint16, error) {
+	var wg sync.WaitGroup
+	var lock sync.Mutex
+	mp := map[string]uint16{}
+	proxies := gb.GetProxies(false)
+	for _, proxy := range proxies {
+		proxy := proxy
+		wg.Add(1)
+		go func() {
+			delay, err := proxy.URLTest(ctx, url)
+			lock.Lock()
+			if err == nil {
+				mp[proxy.Name()] = delay
+			}
+			lock.Unlock()
+
+			wg.Done()
+		}()
+	}
+	wg.Wait()
+
+	if len(mp) == 0 {
+		return mp, fmt.Errorf("get delay: all proxies timeout")
+	} else {
+		return mp, nil
+	}
+}
+
+func (gb *GroupBase) onDialFailed() {
+	if gb.failedTesting.Load() {
+		return
+	}
+
+	go func() {
+		gb.failedTestMux.Lock()
+		defer gb.failedTestMux.Unlock()
+
+		gb.failedTimes++
+		if gb.failedTimes == 1 {
+			log.Debugln("ProxyGroup: %s first failed", gb.Name())
+			gb.failedTime = time.Now()
+		} else {
+			if time.Since(gb.failedTime) > gb.failedTimeoutInterval() {
+				return
+			}
+
+			log.Debugln("ProxyGroup: %s failed count: %d", gb.Name(), gb.failedTimes)
+			if gb.failedTimes >= gb.maxFailedTimes() {
+				gb.failedTesting.Store(true)
+				log.Warnln("because %s failed multiple times, active health check", gb.Name())
+				wg := sync.WaitGroup{}
+				for _, proxyProvider := range gb.providers {
+					wg.Add(1)
+					proxyProvider := proxyProvider
+					go func() {
+						defer wg.Done()
+						proxyProvider.HealthCheck()
+					}()
+				}
+
+				wg.Wait()
+				gb.failedTesting.Store(false)
+				gb.failedTimes = 0
+			}
+		}
+	}()
+}
+
+func (gb *GroupBase) failedIntervalTime() int64 {
+	return 5 * time.Second.Milliseconds()
+}
+
+func (gb *GroupBase) onDialSuccess() {
+	if !gb.failedTesting.Load() {
+		gb.failedTimes = 0
+	}
+}
+
+func (gb *GroupBase) maxFailedTimes() int {
+	return 5
+}
+
+func (gb *GroupBase) failedTimeoutInterval() time.Duration {
+	return 5 * time.Second
+}
--- a/adapter/outboundgroup/loadbalance.go
+++ b/adapter/outboundgroup/loadbalance.go
@ -6,24 +6,22 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"time"

 	"github.com/Dreamacro/clash/adapter/outbound"
+	"github.com/Dreamacro/clash/common/cache"
 	"github.com/Dreamacro/clash/common/murmur3"
-	"github.com/Dreamacro/clash/common/singledo"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/provider"
-
 	"golang.org/x/net/publicsuffix"
 )

 type strategyFn = func(proxies []C.Proxy, metadata *C.Metadata) C.Proxy

 type LoadBalance struct {
-	*outbound.Base
+	*GroupBase
 	disableUDP bool
-	single     *singledo.Single[[]C.Proxy]
-	providers  []provider.ProxyProvider
 	strategyFn strategyFn
 }

@ -39,6 +37,10 @@ func parseStrategy(config map[string]any) string {
 }

 func getKey(metadata *C.Metadata) string {
+	if metadata == nil {
+		return ""
+	}
+
 	if metadata.Host != "" {
 		// ip host
 		if ip := net.ParseIP(metadata.Host); ip != nil {
@ -57,6 +59,16 @@ func getKey(metadata *C.Metadata) string {
 	return metadata.DstIP.String()
 }

+func getKeyWithSrcAndDst(metadata *C.Metadata) string {
+	dst := getKey(metadata)
+	src := ""
+	if metadata != nil {
+		src = metadata.SrcIP.String()
+	}
+
+	return fmt.Sprintf("%s%s", src, dst)
+}
+
 func jumpHash(key uint64, buckets int32) int32 {
 	var b, j int64

@ -74,6 +86,9 @@ func (lb *LoadBalance) DialContext(ctx context.Context, metadata *C.Metadata, op
 	defer func() {
 		if err == nil {
 			c.AppendToChains(lb)
+			lb.onDialSuccess()
+		} else {
+			lb.onDialFailed()
 		}
 	}()

@ -133,24 +148,51 @@ func strategyConsistentHashing() strategyFn {
 	}
 }

-// Unwrap implements C.ProxyAdapter
-func (lb *LoadBalance) Unwrap(metadata *C.Metadata) C.Proxy {
-	proxies := lb.proxies(true)
-	return lb.strategyFn(proxies, metadata)
+func strategyStickySessions() strategyFn {
+	ttl := time.Minute * 10
+	maxRetry := 5
+	lruCache := cache.NewLRUCache[uint64, int](
+		cache.WithAge[uint64, int](int64(ttl.Seconds())),
+		cache.WithSize[uint64, int](1000))
+	return func(proxies []C.Proxy, metadata *C.Metadata) C.Proxy {
+		key := uint64(murmur3.Sum32([]byte(getKeyWithSrcAndDst(metadata))))
+		length := len(proxies)
+		idx, has := lruCache.Get(key)
+		if !has {
+			idx = int(jumpHash(key+uint64(time.Now().UnixNano()), int32(length)))
+		}
+
+		nowIdx := idx
+		for i := 1; i < maxRetry; i++ {
+			proxy := proxies[nowIdx]
+			if proxy.Alive() {
+				if nowIdx != idx {
+					lruCache.Delete(key)
+					lruCache.Set(key, nowIdx)
+				}
+
+				return proxy
+			} else {
+				nowIdx = int(jumpHash(key+uint64(time.Now().UnixNano()), int32(length)))
+			}
+		}
+
+		lruCache.Delete(key)
+		lruCache.Set(key, 0)
+		return proxies[0]
+	}
 }

-func (lb *LoadBalance) proxies(touch bool) []C.Proxy {
-	elm, _, _ := lb.single.Do(func() ([]C.Proxy, error) {
-		return getProvidersProxies(lb.providers, touch), nil
-	})
-
-	return elm
+// Unwrap implements C.ProxyAdapter
+func (lb *LoadBalance) Unwrap(metadata *C.Metadata) C.Proxy {
+	proxies := lb.GetProxies(true)
+	return lb.strategyFn(proxies, metadata)
 }

 // MarshalJSON implements C.ProxyAdapter
 func (lb *LoadBalance) MarshalJSON() ([]byte, error) {
 	var all []string
-	for _, proxy := range lb.proxies(false) {
+	for _, proxy := range lb.GetProxies(false) {
 		all = append(all, proxy.Name())
 	}
 	return json.Marshal(map[string]any{
@ -166,18 +208,22 @@ func NewLoadBalance(option *GroupCommonOption, providers []provider.ProxyProvide
 		strategyFn = strategyConsistentHashing()
 	case "round-robin":
 		strategyFn = strategyRoundRobin()
+	case "sticky-sessions":
+		strategyFn = strategyStickySessions()
 	default:
 		return nil, fmt.Errorf("%w: %s", errStrategy, strategy)
 	}
 	return &LoadBalance{
-		Base: outbound.NewBase(outbound.BaseOption{
-			Name:        option.Name,
-			Type:        C.LoadBalance,
-			Interface:   option.Interface,
-			RoutingMark: option.RoutingMark,
+		GroupBase: NewGroupBase(GroupBaseOption{
+			outbound.BaseOption{
+				Name:        option.Name,
+				Type:        C.LoadBalance,
+				Interface:   option.Interface,
+				RoutingMark: option.RoutingMark,
+			},
+			option.Filter,
+			providers,
 		}),
-		single:     singledo.NewSingle[[]C.Proxy](defaultGetProxiesDuration),
-		providers:  providers,
 		strategyFn: strategyFn,
 		disableUDP: option.DisableUDP,
 	}, nil
--- a/adapter/outboundgroup/parser.go
+++ b/adapter/outboundgroup/parser.go
@ -3,7 +3,6 @@ package outboundgroup
 import (
 	"errors"
 	"fmt"
-	"regexp"

 	"github.com/Dreamacro/clash/adapter/outbound"
 	"github.com/Dreamacro/clash/adapter/provider"
@ -39,23 +38,10 @@ func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, provide
 	groupOption := &GroupCommonOption{
 		Lazy: true,
 	}
-
-	var (
-		filterRegx *regexp.Regexp
-		err        error
-	)
-
-	if err = decoder.Decode(config, groupOption); err != nil {
+	if err := decoder.Decode(config, groupOption); err != nil {
 		return nil, errFormat
 	}

-	if groupOption.Filter != "" {
-		filterRegx, err = regexp.Compile(groupOption.Filter)
-		if err != nil {
-			return nil, fmt.Errorf("invalid filter regex: %w", err)
-		}
-	}
-
 	if groupOption.Type == "" || groupOption.Name == "" {
 		return nil, errFormat
 	}
@ -89,8 +75,12 @@ func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, provide
 			providers = append(providers, pd)
 			providersMap[groupName] = pd
 		} else {
-			if groupOption.URL == "" || groupOption.Interval == 0 {
-				return nil, errMissHealthCheck
+			if groupOption.URL == "" {
+				groupOption.URL = "http://www.gstatic.com/generate_204"
+			}
+
+			if groupOption.Interval == 0 {
+				groupOption.Interval = 300
 			}

 			hc := provider.NewHealthCheck(ps, groupOption.URL, uint(groupOption.Interval), groupOption.Lazy)
@ -105,11 +95,13 @@ func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, provide
 	}

 	if len(groupOption.Use) != 0 {
-		list, err := getProviders(providersMap, groupOption, filterRegx)
+		list, err := getProviders(providersMap, groupOption.Use)
 		if err != nil {
 			return nil, err
 		}
 		providers = append(providers, list...)
+	} else {
+		groupOption.Filter = ""
 	}

 	var group C.ProxyAdapter
@ -145,13 +137,8 @@ func getProxies(mapping map[string]C.Proxy, list []string) ([]C.Proxy, error) {
 	return ps, nil
 }

-func getProviders(mapping map[string]types.ProxyProvider, groupOption *GroupCommonOption, filterRegx *regexp.Regexp) ([]types.ProxyProvider, error) {
-	var (
-		ps        []types.ProxyProvider
-		list      = groupOption.Use
-		groupName = groupOption.Name
-	)
-
+func getProviders(mapping map[string]types.ProxyProvider, list []string) ([]types.ProxyProvider, error) {
+	var ps []types.ProxyProvider
 	for _, name := range list {
 		p, ok := mapping[name]
 		if !ok {
@ -161,27 +148,6 @@ func getProviders(mapping map[string]types.ProxyProvider, groupOption *GroupComm
 		if p.VehicleType() == types.Compatible {
 			return nil, fmt.Errorf("proxy group %s can't contains in `use`", name)
 		}
-
-		if filterRegx != nil {
-			var hc *provider.HealthCheck
-			if groupOption.Type == "select" || groupOption.Type == "relay" {
-				hc = provider.NewHealthCheck([]C.Proxy{}, "", 0, true)
-			} else {
-				if groupOption.URL == "" || groupOption.Interval == 0 {
-					return nil, errMissHealthCheck
-				}
-				hc = provider.NewHealthCheck([]C.Proxy{}, groupOption.URL, uint(groupOption.Interval), groupOption.Lazy)
-			}
-
-			if _, ok = mapping[groupName]; ok {
-				groupName += "->" + p.Name()
-			}
-
-			pd := p.(*provider.ProxySetProvider)
-			p = provider.NewProxyFilterProvider(groupName, pd, hc, filterRegx)
-			pd.RegisterProvidersInUse(p)
-		}
-
 		ps = append(ps, p)
 	}
 	return ps, nil
--- a/adapter/outboundgroup/relay.go
+++ b/adapter/outboundgroup/relay.go
@ -4,32 +4,20 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"net"
-	"net/netip"

-	"github.com/Dreamacro/clash/adapter"
 	"github.com/Dreamacro/clash/adapter/outbound"
-	"github.com/Dreamacro/clash/common/singledo"
 	"github.com/Dreamacro/clash/component/dialer"
-	"github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/provider"
 )

 type Relay struct {
-	*outbound.Base
-	single    *singledo.Single[[]C.Proxy]
-	providers []provider.ProxyProvider
+	*GroupBase
 }

 // DialContext implements C.ProxyAdapter
 func (r *Relay) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
-	var proxies []C.Proxy
-	for _, proxy := range r.proxies(metadata, true) {
-		if proxy.Type() != C.Direct {
-			proxies = append(proxies, proxy)
-		}
-	}
+	proxies, chainProxies := r.proxies(metadata, true)

 	switch len(proxies) {
 	case 0:
@ -38,165 +26,115 @@ func (r *Relay) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 		return proxies[0].DialContext(ctx, metadata, r.Base.DialOptions(opts...)...)
 	}

-	c, err := r.streamContext(ctx, proxies, r.Base.DialOptions(opts...)...)
+	first := proxies[0]
+	last := proxies[len(proxies)-1]
+
+	c, err := dialer.DialContext(ctx, "tcp", first.Addr(), r.Base.DialOptions(opts...)...)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("%s connect error: %w", first.Addr(), err)
+	}
+	tcpKeepAlive(c)
+
+	var currentMeta *C.Metadata
+	for _, proxy := range proxies[1:] {
+		currentMeta, err = addrToMetadata(proxy.Addr())
+		if err != nil {
+			return nil, err
+		}
+
+		c, err = first.StreamConn(c, currentMeta)
+		if err != nil {
+			return nil, fmt.Errorf("%s connect error: %w", first.Addr(), err)
+		}
+
+		first = proxy
 	}

-	last := proxies[len(proxies)-1]
 	c, err = last.StreamConn(c, metadata)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", last.Addr(), err)
 	}

-	return outbound.NewConn(c, r), nil
+	conn := outbound.NewConn(c, last)
+
+	for i := len(chainProxies) - 2; i >= 0; i-- {
+		conn.AppendToChains(chainProxies[i])
+	}
+
+	conn.AppendToChains(r)
+
+	return conn, nil
 }

 // ListenPacketContext implements C.ProxyAdapter
-func (r *Relay) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
-	var proxies []C.Proxy
-	for _, proxy := range r.proxies(metadata, true) {
-		if proxy.Type() != C.Direct {
-			proxies = append(proxies, proxy)
-		}
-	}
+func (r *Relay) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
+	proxies, chainProxies := r.proxies(metadata, true)

-	length := len(proxies)
-
-	switch length {
+	switch len(proxies) {
 	case 0:
 		return outbound.NewDirect().ListenPacketContext(ctx, metadata, r.Base.DialOptions(opts...)...)
 	case 1:
-		proxy := proxies[0]
-		if !proxy.SupportUDP() {
-			return nil, fmt.Errorf("%s connect error: proxy [%s] UDP is not supported", proxy.Addr(), proxy.Name())
-		}
-		return proxy.ListenPacketContext(ctx, metadata, r.Base.DialOptions(opts...)...)
+		return proxies[0].ListenPacketContext(ctx, metadata, r.Base.DialOptions(opts...)...)
 	}

-	var (
-		firstIndex          = 0
-		nextIndex           = 1
-		lastUDPOverTCPIndex = -1
-		rawUDPRelay         = false
-
-		first = proxies[firstIndex]
-		last  = proxies[length-1]
-
-		c           net.Conn
-		cc          net.Conn
-		err         error
-		currentMeta *C.Metadata
-	)
-
-	if !last.SupportUDP() {
-		return nil, fmt.Errorf("%s connect error: proxy [%s] UDP is not supported in relay chains", last.Addr(), last.Name())
-	}
-
-	rawUDPRelay, lastUDPOverTCPIndex = isRawUDPRelay(proxies)
-
-	if first.Type() == C.Socks5 {
-		cc1, err1 := dialer.DialContext(ctx, "tcp", first.Addr(), r.Base.DialOptions(opts...)...)
-		if err1 != nil {
-			return nil, fmt.Errorf("%s connect error: %w", first.Addr(), err)
-		}
-		cc = cc1
-		tcpKeepAlive(cc)
-
-		var pc net.PacketConn
-		pc, err = dialer.ListenPacket(ctx, "udp", "", r.Base.DialOptions(opts...)...)
-		c = outbound.WrapConn(pc)
-	} else if rawUDPRelay {
-		var pc net.PacketConn
-		pc, err = dialer.ListenPacket(ctx, "udp", "", r.Base.DialOptions(opts...)...)
-		c = outbound.WrapConn(pc)
-	} else {
-		firstIndex = lastUDPOverTCPIndex
-		nextIndex = firstIndex + 1
-		first = proxies[firstIndex]
-		c, err = r.streamContext(ctx, proxies[:nextIndex], r.Base.DialOptions(opts...)...)
-	}
+	first := proxies[0]
+	last := proxies[len(proxies)-1]

+	c, err := dialer.DialContext(ctx, "tcp", first.Addr(), r.Base.DialOptions(opts...)...)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", first.Addr(), err)
 	}
+	tcpKeepAlive(c)

-	if nextIndex < length {
-		for i, proxy := range proxies[nextIndex:] { // raw udp in loop
-			currentMeta, err = addrToMetadata(proxy.Addr())
-			if err != nil {
-				return nil, err
-			}
-			currentMeta.NetWork = C.UDP
-
-			if !isRawUDP(first) && !first.SupportUDP() {
-				return nil, fmt.Errorf("%s connect error: proxy [%s] UDP is not supported in relay chains", first.Addr(), first.Name())
-			}
-
-			if needResolveIP(first, currentMeta) {
-				var ip netip.Addr
-				ip, err = resolver.ResolveProxyServerHost(currentMeta.Host)
-				if err != nil {
-					return nil, fmt.Errorf("can't resolve ip: %w", err)
-				}
-				currentMeta.DstIP = ip
-			}
-
-			if cc != nil { // socks5
-				c, err = streamSocks5PacketConn(first, cc, c, currentMeta)
-				cc = nil
-			} else {
-				c, err = first.StreamPacketConn(c, currentMeta)
-			}
-
-			if err != nil {
-				return nil, fmt.Errorf("%s connect error: %w", first.Addr(), err)
-			}
-
-			if proxy.Type() == C.Socks5 {
-				endIndex := nextIndex + i + 1
-				cc, err = r.streamContext(ctx, proxies[:endIndex], r.Base.DialOptions(opts...)...)
-				if err != nil {
-					return nil, fmt.Errorf("%s connect error: %w", first.Addr(), err)
-				}
-			}
-
-			first = proxy
+	var currentMeta *C.Metadata
+	for _, proxy := range proxies[1:] {
+		currentMeta, err = addrToMetadata(proxy.Addr())
+		if err != nil {
+			return nil, err
 		}
+
+		c, err = first.StreamConn(c, currentMeta)
+		if err != nil {
+			return nil, fmt.Errorf("%s connect error: %w", first.Addr(), err)
+		}
+
+		first = proxy
 	}

-	if cc != nil {
-		c, err = streamSocks5PacketConn(last, cc, c, metadata)
-	} else {
-		c, err = last.StreamPacketConn(c, metadata)
-	}
-
+	c, err = last.StreamConn(c, metadata)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %w", last.Addr(), err)
 	}

-	return outbound.NewPacketConn(c.(net.PacketConn), r), nil
+	var pc C.PacketConn
+	pc, err = last.ListenPacketOnStreamConn(c, metadata)
+	if err != nil {
+		return nil, fmt.Errorf("%s connect error: %w", first.Addr(), err)
+	}
+
+	for i := len(chainProxies) - 2; i >= 0; i-- {
+		pc.AppendToChains(chainProxies[i])
+	}
+
+	pc.AppendToChains(r)
+
+	return pc, nil
 }

 // SupportUDP implements C.ProxyAdapter
 func (r *Relay) SupportUDP() bool {
-	proxies := r.rawProxies(true)
-
-	l := len(proxies)
-
-	if l == 0 {
+	proxies, _ := r.proxies(nil, false)
+	if len(proxies) == 0 { // C.Direct
 		return true
 	}
-
-	last := proxies[l-1]
-
-	return isRawUDP(last) || last.SupportUDP()
+	last := proxies[len(proxies)-1]
+	return last.SupportUDP() && last.SupportUOT()
 }

 // MarshalJSON implements C.ProxyAdapter
 func (r *Relay) MarshalJSON() ([]byte, error) {
-	var all []string
-	for _, proxy := range r.rawProxies(false) {
+	all := []string{}
+	for _, proxy := range r.GetProxies(false) {
 		all = append(all, proxy.Name())
 	}
 	return json.Marshal(map[string]any{
@ -205,114 +143,49 @@ func (r *Relay) MarshalJSON() ([]byte, error) {
 	})
 }

-func (r *Relay) rawProxies(touch bool) []C.Proxy {
-	elm, _, _ := r.single.Do(func() ([]C.Proxy, error) {
-		return getProvidersProxies(r.providers, touch), nil
-	})
+func (r *Relay) proxies(metadata *C.Metadata, touch bool) ([]C.Proxy, []C.Proxy) {
+	rawProxies := r.GetProxies(touch)

-	return elm
-}
+	var proxies []C.Proxy
+	var chainProxies []C.Proxy
+	var targetProxies []C.Proxy

-func (r *Relay) proxies(metadata *C.Metadata, touch bool) []C.Proxy {
-	proxies := r.rawProxies(touch)
-
-	for n, proxy := range proxies {
+	for n, proxy := range rawProxies {
+		proxies = append(proxies, proxy)
+		chainProxies = append(chainProxies, proxy)
 		subproxy := proxy.Unwrap(metadata)
 		for subproxy != nil {
+			chainProxies = append(chainProxies, subproxy)
 			proxies[n] = subproxy
 			subproxy = subproxy.Unwrap(metadata)
 		}
 	}

-	return proxies
-}
-
-func (r *Relay) streamContext(ctx context.Context, proxies []C.Proxy, opts ...dialer.Option) (net.Conn, error) {
-	first := proxies[0]
-
-	c, err := dialer.DialContext(ctx, "tcp", first.Addr(), opts...)
-	if err != nil {
-		return nil, fmt.Errorf("%s connect error: %w", first.Addr(), err)
-	}
-	tcpKeepAlive(c)
-
-	if len(proxies) > 1 {
-		var currentMeta *C.Metadata
-		for _, proxy := range proxies[1:] {
-			currentMeta, err = addrToMetadata(proxy.Addr())
-			if err != nil {
-				return nil, err
-			}
-
-			c, err = first.StreamConn(c, currentMeta)
-			if err != nil {
-				return nil, fmt.Errorf("%s connect error: %w", first.Addr(), err)
-			}
-
-			first = proxy
+	for _, proxy := range proxies {
+		if proxy.Type() != C.Direct && proxy.Type() != C.Compatible {
+			targetProxies = append(targetProxies, proxy)
 		}
 	}

-	return c, nil
+	return targetProxies, chainProxies
 }

-func streamSocks5PacketConn(proxy C.Proxy, cc, c net.Conn, metadata *C.Metadata) (net.Conn, error) {
-	pc, err := proxy.(*adapter.Proxy).ProxyAdapter.(*outbound.Socks5).StreamSocks5PacketConn(cc, c.(net.PacketConn), metadata)
-	return outbound.WrapConn(pc), err
-}
-
-func isRawUDPRelay(proxies []C.Proxy) (bool, int) {
-	var (
-		lastIndex           = len(proxies) - 1
-		last                = proxies[lastIndex]
-		isLastRawUDP        = isRawUDP(last)
-		isUDPOverTCP        = false
-		lastUDPOverTCPIndex = -1
-	)
-
-	for i := lastIndex; i >= 0; i-- {
-		p := proxies[i]
-
-		isUDPOverTCP = isUDPOverTCP || !isRawUDP(p)
-
-		if isLastRawUDP && isUDPOverTCP && lastUDPOverTCPIndex == -1 {
-			lastUDPOverTCPIndex = i
-		}
-	}
-
-	if !isLastRawUDP {
-		lastUDPOverTCPIndex = lastIndex
-	}
-
-	return !isUDPOverTCP, lastUDPOverTCPIndex
-}
-
-func isRawUDP(proxy C.ProxyAdapter) bool {
-	if proxy.Type() == C.Shadowsocks || proxy.Type() == C.ShadowsocksR || proxy.Type() == C.Socks5 {
-		return true
-	}
-	return false
-}
-
-func needResolveIP(proxy C.ProxyAdapter, metadata *C.Metadata) bool {
-	if metadata.Resolved() {
-		return false
-	}
-	if proxy.Type() != C.Vmess && proxy.Type() != C.Vless {
-		return false
-	}
-	return true
+func (r *Relay) Addr() string {
+	proxies, _ := r.proxies(nil, true)
+	return proxies[len(proxies)-1].Addr()
 }

 func NewRelay(option *GroupCommonOption, providers []provider.ProxyProvider) *Relay {
 	return &Relay{
-		Base: outbound.NewBase(outbound.BaseOption{
-			Name:        option.Name,
-			Type:        C.Relay,
-			Interface:   option.Interface,
-			RoutingMark: option.RoutingMark,
+		GroupBase: NewGroupBase(GroupBaseOption{
+			outbound.BaseOption{
+				Name:        option.Name,
+				Type:        C.Relay,
+				Interface:   option.Interface,
+				RoutingMark: option.RoutingMark,
+			},
+			"",
+			providers,
 		}),
-		single:    singledo.NewSingle[[]C.Proxy](defaultGetProxiesDuration),
-		providers: providers,
 	}
 }
--- a/adapter/outboundgroup/selector.go
+++ b/adapter/outboundgroup/selector.go
@ -6,18 +6,15 @@ import (
 	"errors"

 	"github.com/Dreamacro/clash/adapter/outbound"
-	"github.com/Dreamacro/clash/common/singledo"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/provider"
 )

 type Selector struct {
-	*outbound.Base
+	*GroupBase
 	disableUDP bool
-	single     *singledo.Single[C.Proxy]
 	selected   string
-	providers  []provider.ProxyProvider
 }

 // DialContext implements C.ProxyAdapter
@ -49,8 +46,8 @@ func (s *Selector) SupportUDP() bool {

 // MarshalJSON implements C.ProxyAdapter
 func (s *Selector) MarshalJSON() ([]byte, error) {
-	var all []string
-	for _, proxy := range getProvidersProxies(s.providers, false) {
+	all := []string{}
+	for _, proxy := range s.GetProxies(false) {
 		all = append(all, proxy.Name())
 	}

@ -66,10 +63,9 @@ func (s *Selector) Now() string {
 }

 func (s *Selector) Set(name string) error {
-	for _, proxy := range getProvidersProxies(s.providers, false) {
+	for _, proxy := range s.GetProxies(false) {
 		if proxy.Name() == name {
 			s.selected = name
-			s.single.Reset()
 			return nil
 		}
 	}
@ -78,37 +74,34 @@ func (s *Selector) Set(name string) error {
 }

 // Unwrap implements C.ProxyAdapter
-func (s *Selector) Unwrap(metadata *C.Metadata) C.Proxy {
+func (s *Selector) Unwrap(*C.Metadata) C.Proxy {
 	return s.selectedProxy(true)
 }

 func (s *Selector) selectedProxy(touch bool) C.Proxy {
-	elm, _, _ := s.single.Do(func() (C.Proxy, error) {
-		proxies := getProvidersProxies(s.providers, touch)
-		for _, proxy := range proxies {
-			if proxy.Name() == s.selected {
-				return proxy, nil
-			}
+	proxies := s.GetProxies(touch)
+	for _, proxy := range proxies {
+		if proxy.Name() == s.selected {
+			return proxy
 		}
+	}

-		return proxies[0], nil
-	})
-
-	return elm
+	return proxies[0]
 }

 func NewSelector(option *GroupCommonOption, providers []provider.ProxyProvider) *Selector {
-	selected := providers[0].Proxies()[0].Name()
 	return &Selector{
-		Base: outbound.NewBase(outbound.BaseOption{
-			Name:        option.Name,
-			Type:        C.Selector,
-			Interface:   option.Interface,
-			RoutingMark: option.RoutingMark,
+		GroupBase: NewGroupBase(GroupBaseOption{
+			outbound.BaseOption{
+				Name:        option.Name,
+				Type:        C.Selector,
+				Interface:   option.Interface,
+				RoutingMark: option.RoutingMark,
+			},
+			option.Filter,
+			providers,
 		}),
-		single:     singledo.NewSingle[C.Proxy](defaultGetProxiesDuration),
-		providers:  providers,
-		selected:   selected,
+		selected:   "COMPATIBLE",
 		disableUDP: option.DisableUDP,
 	}
 }
--- a/adapter/outboundgroup/urltest.go
+++ b/adapter/outboundgroup/urltest.go
@ -21,13 +21,11 @@ func urlTestWithTolerance(tolerance uint16) urlTestOption {
 }

 type URLTest struct {
-	*outbound.Base
+	*GroupBase
 	tolerance  uint16
 	disableUDP bool
 	fastNode   C.Proxy
-	single     *singledo.Single[[]C.Proxy]
 	fastSingle *singledo.Single[C.Proxy]
-	providers  []provider.ProxyProvider
 }

 func (u *URLTest) Now() string {
@ -39,6 +37,9 @@ func (u *URLTest) DialContext(ctx context.Context, metadata *C.Metadata, opts ..
 	c, err = u.fast(true).DialContext(ctx, metadata, u.Base.DialOptions(opts...)...)
 	if err == nil {
 		c.AppendToChains(u)
+		u.onDialSuccess()
+	} else {
+		u.onDialFailed()
 	}
 	return c, err
 }
@ -49,25 +50,18 @@ func (u *URLTest) ListenPacketContext(ctx context.Context, metadata *C.Metadata,
 	if err == nil {
 		pc.AppendToChains(u)
 	}
+
 	return pc, err
 }

 // Unwrap implements C.ProxyAdapter
-func (u *URLTest) Unwrap(metadata *C.Metadata) C.Proxy {
+func (u *URLTest) Unwrap(*C.Metadata) C.Proxy {
 	return u.fast(true)
 }

-func (u *URLTest) proxies(touch bool) []C.Proxy {
-	elm, _, _ := u.single.Do(func() ([]C.Proxy, error) {
-		return getProvidersProxies(u.providers, touch), nil
-	})
-
-	return elm
-}
-
 func (u *URLTest) fast(touch bool) C.Proxy {
 	elm, _, _ := u.fastSingle.Do(func() (C.Proxy, error) {
-		proxies := u.proxies(touch)
+		proxies := u.GetProxies(touch)
 		fast := proxies[0]
 		min := fast.LastDelay()
 		fastNotExist := true
@ -110,8 +104,8 @@ func (u *URLTest) SupportUDP() bool {

 // MarshalJSON implements C.ProxyAdapter
 func (u *URLTest) MarshalJSON() ([]byte, error) {
-	var all []string
-	for _, proxy := range u.proxies(false) {
+	all := []string{}
+	for _, proxy := range u.GetProxies(false) {
 		all = append(all, proxy.Name())
 	}
 	return json.Marshal(map[string]any{
@ -136,15 +130,18 @@ func parseURLTestOption(config map[string]any) []urlTestOption {

 func NewURLTest(option *GroupCommonOption, providers []provider.ProxyProvider, options ...urlTestOption) *URLTest {
 	urlTest := &URLTest{
-		Base: outbound.NewBase(outbound.BaseOption{
-			Name:        option.Name,
-			Type:        C.URLTest,
-			Interface:   option.Interface,
-			RoutingMark: option.RoutingMark,
+		GroupBase: NewGroupBase(GroupBaseOption{
+			outbound.BaseOption{
+				Name:        option.Name,
+				Type:        C.URLTest,
+				Interface:   option.Interface,
+				RoutingMark: option.RoutingMark,
+			},
+
+			option.Filter,
+			providers,
 		}),
-		single:     singledo.NewSingle[[]C.Proxy](defaultGetProxiesDuration),
 		fastSingle: singledo.NewSingle[C.Proxy](time.Second * 10),
-		providers:  providers,
 		disableUDP: option.DisableUDP,
 	}

--- a/adapter/outboundgroup/util.go
+++ b/adapter/outboundgroup/util.go
@ -24,7 +24,8 @@ func addrToMetadata(rawAddress string) (addr *C.Metadata, err error) {
 			DstIP:    netip.Addr{},
 			DstPort:  port,
 		}
-		return addr, nil
+		err = nil
+		return
 	} else if ip.Is4() {
 		addr = &C.Metadata{
 			AddrType: C.AtypIPv4,
@ -48,6 +49,9 @@ func tcpKeepAlive(c net.Conn) {
 	if tcp, ok := c.(*net.TCPConn); ok {
 		_ = tcp.SetKeepAlive(true)
 		_ = tcp.SetKeepAlivePeriod(30 * time.Second)
-		_ = tcp.SetLinger(0)
 	}
 }
+
+type SelectAble interface {
+	Set(string) error
+}
--- a/adapter/parser.go
+++ b/adapter/parser.go
@ -8,7 +8,7 @@ import (
 	C "github.com/Dreamacro/clash/constant"
 )

-func ParseProxy(mapping map[string]any, forceCertVerify bool) (C.Proxy, error) {
+func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 	decoder := structure.NewDecoder(structure.Option{TagName: "proxy", WeaklyTypedInput: true})
 	proxyType, existType := mapping["type"].(string)
 	if !existType {
@ -40,9 +40,6 @@ func ParseProxy(mapping map[string]any, forceCertVerify bool) (C.Proxy, error) {
 		if err != nil {
 			break
 		}
-		if forceCertVerify {
-			socksOption.SkipCertVerify = false
-		}
 		proxy = outbound.NewSocks5(*socksOption)
 	case "http":
 		httpOption := &outbound.HttpOption{}
@ -50,25 +47,18 @@ func ParseProxy(mapping map[string]any, forceCertVerify bool) (C.Proxy, error) {
 		if err != nil {
 			break
 		}
-		if forceCertVerify {
-			httpOption.SkipCertVerify = false
-		}
 		proxy = outbound.NewHttp(*httpOption)
 	case "vmess":
 		vmessOption := &outbound.VmessOption{
 			HTTPOpts: outbound.HTTPOptions{
-				Method:  "GET",
-				Path:    []string{"/"},
-				Headers: make(map[string][]string),
+				Method: "GET",
+				Path:   []string{"/"},
 			},
 		}
 		err = decoder.Decode(mapping, vmessOption)
 		if err != nil {
 			break
 		}
-		if forceCertVerify {
-			vmessOption.SkipCertVerify = false
-		}
 		proxy, err = outbound.NewVmess(*vmessOption)
 	case "vless":
 		vlessOption := &outbound.VlessOption{}
@ -76,9 +66,6 @@ func ParseProxy(mapping map[string]any, forceCertVerify bool) (C.Proxy, error) {
 		if err != nil {
 			break
 		}
-		if forceCertVerify {
-			vlessOption.SkipCertVerify = false
-		}
 		proxy, err = outbound.NewVless(*vlessOption)
 	case "snell":
 		snellOption := &outbound.SnellOption{}
@ -93,10 +80,14 @@ func ParseProxy(mapping map[string]any, forceCertVerify bool) (C.Proxy, error) {
 		if err != nil {
 			break
 		}
-		if forceCertVerify {
-			trojanOption.SkipCertVerify = false
-		}
 		proxy, err = outbound.NewTrojan(*trojanOption)
+	case "hysteria":
+		hyOption := &outbound.HysteriaOption{}
+		err = decoder.Decode(mapping, hyOption)
+		if err != nil {
+			break
+		}
+		proxy, err = outbound.NewHysteria(*hyOption)
 	default:
 		return nil, fmt.Errorf("unsupport proxy type: %s", proxyType)
 	}
--- a/adapter/provider/fetcher.go
+++ b/adapter/provider/fetcher.go
@ -26,6 +26,7 @@ type fetcher[V any] struct {
 	done      chan struct{}
 	hash      [16]byte
 	parser    parser[V]
+	interval  time.Duration
 	onUpdate  func(V)
 }

@ -43,11 +44,18 @@ func (f *fetcher[V]) Initial() (V, error) {
 		err     error
 		isLocal bool
 	)
+
 	if stat, fErr := os.Stat(f.vehicle.Path()); fErr == nil {
 		buf, err = os.ReadFile(f.vehicle.Path())
 		modTime := stat.ModTime()
 		f.updatedAt = &modTime
 		isLocal = true
+		if f.interval != 0 && modTime.Add(f.interval).Before(time.Now()) {
+			defer func() {
+				log.Infoln("[Provider] %s's proxies not updated for a long time, force refresh", f.Name())
+				go f.Update()
+			}()
+		}
 	} else {
 		buf, err = f.vehicle.Read()
 	}
@ -102,7 +110,7 @@ func (f *fetcher[V]) Update() (V, bool, error) {
 	hash := md5.Sum(buf)
 	if bytes.Equal(f.hash[:], hash[:]) {
 		f.updatedAt = &now
-		_ = os.Chtimes(f.vehicle.Path(), now, now)
+		os.Chtimes(f.vehicle.Path(), now, now)
 		return getZero[V](), true, nil
 	}

--- a/adapter/provider/healthcheck.go
+++ b/adapter/provider/healthcheck.go
@ -6,7 +6,6 @@ import (

 	"github.com/Dreamacro/clash/common/batch"
 	C "github.com/Dreamacro/clash/constant"
-
 	"go.uber.org/atomic"
 )

@ -32,9 +31,7 @@ func (hc *HealthCheck) process() {
 	ticker := time.NewTicker(time.Duration(hc.interval) * time.Second)

 	go func() {
-		t := time.NewTicker(30 * time.Second)
-		<-t.C
-		t.Stop()
+		time.Sleep(30 * time.Second)
 		hc.check()
 	}()

@ -65,13 +62,8 @@ func (hc *HealthCheck) touch() {
 }

 func (hc *HealthCheck) check() {
-	proxies := hc.proxies
-	if len(proxies) == 0 {
-		return
-	}
-
 	b, _ := batch.New[bool](context.Background(), batch.WithConcurrencyNum[bool](10))
-	for _, proxy := range proxies {
+	for _, proxy := range hc.proxies {
 		p := proxy
 		b.Go(p.Name(), func() (bool, error) {
 			ctx, cancel := context.WithTimeout(context.Background(), defaultURLTestTimeout)
--- a/adapter/provider/parser.go
+++ b/adapter/provider/parser.go
@ -20,18 +20,15 @@ type healthCheckSchema struct {
 }

 type proxyProviderSchema struct {
-	Type            string              `provider:"type"`
-	Path            string              `provider:"path"`
-	URL             string              `provider:"url,omitempty"`
-	Interval        int                 `provider:"interval,omitempty"`
-	Filter          string              `provider:"filter,omitempty"`
-	HealthCheck     healthCheckSchema   `provider:"health-check,omitempty"`
-	ForceCertVerify bool                `provider:"force-cert-verify,omitempty"`
-	PrefixName      string              `provider:"prefix-name,omitempty"`
-	Header          map[string][]string `provider:"header,omitempty"`
+	Type        string            `provider:"type"`
+	Path        string            `provider:"path"`
+	URL         string            `provider:"url,omitempty"`
+	Interval    int               `provider:"interval,omitempty"`
+	Filter      string            `provider:"filter,omitempty"`
+	HealthCheck healthCheckSchema `provider:"health-check,omitempty"`
 }

-func ParseProxyProvider(name string, mapping map[string]any, forceCertVerify bool) (types.ProxyProvider, error) {
+func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvider, error) {
 	decoder := structure.NewDecoder(structure.Option{TagName: "provider", WeaklyTypedInput: true})

 	schema := &proxyProviderSchema{
@ -39,11 +36,6 @@ func ParseProxyProvider(name string, mapping map[string]any, forceCertVerify boo
 			Lazy: true,
 		},
 	}
-
-	if forceCertVerify {
-		schema.ForceCertVerify = true
-	}
-
 	if err := decoder.Decode(mapping, schema); err != nil {
 		return nil, err
 	}
@ -61,12 +53,12 @@ func ParseProxyProvider(name string, mapping map[string]any, forceCertVerify boo
 	case "file":
 		vehicle = NewFileVehicle(path)
 	case "http":
-		vehicle = NewHTTPVehicle(schema.URL, path, schema.Header)
+		vehicle = NewHTTPVehicle(schema.URL, path)
 	default:
 		return nil, fmt.Errorf("%w: %s", errVehicleType, schema.Type)
 	}

 	interval := time.Duration(uint(schema.Interval)) * time.Second
 	filter := schema.Filter
-	return NewProxySetProvider(name, interval, filter, vehicle, hc, schema.ForceCertVerify, schema.PrefixName)
+	return NewProxySetProvider(name, interval, filter, vehicle, hc)
 }
--- a/adapter/provider/provider.go
+++ b/adapter/provider/provider.go
@ -4,7 +4,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"regexp"
+	"math"
 	"runtime"
 	"time"

@ -12,7 +12,7 @@ import (
 	"github.com/Dreamacro/clash/common/convert"
 	C "github.com/Dreamacro/clash/constant"
 	types "github.com/Dreamacro/clash/constant/provider"
-
+	"github.com/dlclark/regexp2"
 	"gopkg.in/yaml.v3"
 )

@ -31,9 +31,9 @@ type ProxySetProvider struct {

 type proxySetProvider struct {
 	*fetcher[[]C.Proxy]
-	proxies        []C.Proxy
-	healthCheck    *HealthCheck
-	providersInUse []types.ProxyProvider
+	proxies     []C.Proxy
+	healthCheck *HealthCheck
+	version     uint
 }

 func (pp *proxySetProvider) MarshalJSON() ([]byte, error) {
@ -46,6 +46,10 @@ func (pp *proxySetProvider) MarshalJSON() ([]byte, error) {
 	})
 }

+func (pp *proxySetProvider) Version() uint {
+	return pp.version
+}
+
 func (pp *proxySetProvider) Name() string {
 	return pp.name
 }
@ -67,7 +71,6 @@ func (pp *proxySetProvider) Initial() error {
 	if err != nil {
 		return err
 	}
-
 	pp.onUpdate(elm)
 	return nil
 }
@ -80,31 +83,25 @@ func (pp *proxySetProvider) Proxies() []C.Proxy {
 	return pp.proxies
 }

-func (pp *proxySetProvider) ProxiesWithTouch() []C.Proxy {
+func (pp *proxySetProvider) Touch() {
 	pp.healthCheck.touch()
-	return pp.Proxies()
 }

 func (pp *proxySetProvider) setProxies(proxies []C.Proxy) {
 	pp.proxies = proxies
 	pp.healthCheck.setProxy(proxies)
-
-	for _, use := range pp.providersInUse {
-		_ = use.Update()
+	if pp.healthCheck.auto() {
+		defer func() { go pp.healthCheck.check() }()
 	}
 }

-func (pp *proxySetProvider) RegisterProvidersInUse(providers ...types.ProxyProvider) {
-	pp.providersInUse = append(pp.providersInUse, providers...)
-}
-
 func stopProxyProvider(pd *ProxySetProvider) {
 	pd.healthCheck.close()
 	_ = pd.fetcher.Destroy()
 }

-func NewProxySetProvider(name string, interval time.Duration, filter string, vehicle types.Vehicle, hc *HealthCheck, forceCertVerify bool, prefixName string) (*ProxySetProvider, error) {
-	filterReg, err := regexp.Compile(filter)
+func NewProxySetProvider(name string, interval time.Duration, filter string, vehicle types.Vehicle, hc *HealthCheck) (*ProxySetProvider, error) {
+	filterReg, err := regexp2.Compile(filter, 0)
 	if err != nil {
 		return nil, fmt.Errorf("invalid filter regex: %w", err)
 	}
@ -118,7 +115,7 @@ func NewProxySetProvider(name string, interval time.Duration, filter string, veh
 		healthCheck: hc,
 	}

-	fetcher := newFetcher[[]C.Proxy](name, interval, vehicle, proxiesParseAndFilter(filter, filterReg, forceCertVerify, prefixName), proxiesOnUpdate(pd))
+	fetcher := newFetcher[[]C.Proxy](name, interval, vehicle, proxiesParseAndFilter(filter, filterReg), proxiesOnUpdate(pd))
 	pd.fetcher = fetcher

 	wrapper := &ProxySetProvider{pd}
@ -135,6 +132,7 @@ type compatibleProvider struct {
 	name        string
 	healthCheck *HealthCheck
 	proxies     []C.Proxy
+	version     uint
 }

 func (cp *compatibleProvider) MarshalJSON() ([]byte, error) {
@ -146,6 +144,10 @@ func (cp *compatibleProvider) MarshalJSON() ([]byte, error) {
 	})
 }

+func (cp *compatibleProvider) Version() uint {
+	return cp.version
+}
+
 func (cp *compatibleProvider) Name() string {
 	return cp.name
 }
@ -174,9 +176,8 @@ func (cp *compatibleProvider) Proxies() []C.Proxy {
 	return cp.proxies
 }

-func (cp *compatibleProvider) ProxiesWithTouch() []C.Proxy {
+func (cp *compatibleProvider) Touch() {
 	cp.healthCheck.touch()
-	return cp.Proxies()
 }

 func stopCompatibleProvider(pd *CompatibleProvider) {
@ -203,112 +204,25 @@ func NewCompatibleProvider(name string, proxies []C.Proxy, hc *HealthCheck) (*Co
 	return wrapper, nil
 }

-// ProxyFilterProvider for filter provider
-type ProxyFilterProvider struct {
-	*proxyFilterProvider
-}
-
-type proxyFilterProvider struct {
-	name        string
-	psd         *ProxySetProvider
-	proxies     []C.Proxy
-	filter      *regexp.Regexp
-	healthCheck *HealthCheck
-}
-
-func (pf *proxyFilterProvider) MarshalJSON() ([]byte, error) {
-	return json.Marshal(map[string]any{
-		"name":        pf.Name(),
-		"type":        pf.Type().String(),
-		"vehicleType": pf.VehicleType().String(),
-		"proxies":     pf.Proxies(),
-	})
-}
-
-func (pf *proxyFilterProvider) Name() string {
-	return pf.name
-}
-
-func (pf *proxyFilterProvider) HealthCheck() {
-	pf.healthCheck.check()
-}
-
-func (pf *proxyFilterProvider) Update() error {
-	var proxies []C.Proxy
-	if pf.filter != nil {
-		for _, proxy := range pf.psd.Proxies() {
-			if !pf.filter.MatchString(proxy.Name()) {
-				continue
-			}
-			proxies = append(proxies, proxy)
-		}
-	} else {
-		proxies = pf.psd.Proxies()
-	}
-
-	pf.proxies = proxies
-	pf.healthCheck.setProxy(proxies)
-	return nil
-}
-
-func (pf *proxyFilterProvider) Initial() error {
-	return nil
-}
-
-func (pf *proxyFilterProvider) VehicleType() types.VehicleType {
-	return pf.psd.VehicleType()
-}
-
-func (pf *proxyFilterProvider) Type() types.ProviderType {
-	return types.Proxy
-}
-
-func (pf *proxyFilterProvider) Proxies() []C.Proxy {
-	return pf.proxies
-}
-
-func (pf *proxyFilterProvider) ProxiesWithTouch() []C.Proxy {
-	pf.healthCheck.touch()
-	return pf.Proxies()
-}
-
-func stopProxyFilterProvider(pf *ProxyFilterProvider) {
-	pf.healthCheck.close()
-}
-
-func NewProxyFilterProvider(name string, psd *ProxySetProvider, hc *HealthCheck, filterRegx *regexp.Regexp) *ProxyFilterProvider {
-	pd := &proxyFilterProvider{
-		psd:         psd,
-		name:        name,
-		healthCheck: hc,
-		filter:      filterRegx,
-	}
-
-	_ = pd.Update()
-
-	if hc.auto() {
-		go hc.process()
-	}
-
-	wrapper := &ProxyFilterProvider{pd}
-	runtime.SetFinalizer(wrapper, stopProxyFilterProvider)
-	return wrapper
-}
-
 func proxiesOnUpdate(pd *proxySetProvider) func([]C.Proxy) {
 	return func(elm []C.Proxy) {
 		pd.setProxies(elm)
+		if pd.version == math.MaxUint {
+			pd.version = 0
+		} else {
+			pd.version++
+		}
 	}
 }

-func proxiesParseAndFilter(filter string, filterReg *regexp.Regexp, forceCertVerify bool, prefixName string) parser[[]C.Proxy] {
+func proxiesParseAndFilter(filter string, filterReg *regexp2.Regexp) parser[[]C.Proxy] {
 	return func(buf []byte) ([]C.Proxy, error) {
 		schema := &ProxySchema{}

 		if err := yaml.Unmarshal(buf, schema); err != nil {
 			proxies, err1 := convert.ConvertsV2Ray(buf)
 			if err1 != nil {
-				return nil, fmt.Errorf("%w, %s", err, err1.Error())
+				return nil, fmt.Errorf("%s, %w", err.Error(), err1)
 			}
 			schema.Proxies = proxies
 		}
@ -319,15 +233,12 @@ func proxiesParseAndFilter(filter string, filterReg *regexp.Regexp, forceCertVer

 		proxies := []C.Proxy{}
 		for idx, mapping := range schema.Proxies {
-			if name, ok := mapping["name"]; ok && len(filter) > 0 && !filterReg.MatchString(name.(string)) {
+			name, ok := mapping["name"]
+			mat, _ := filterReg.FindStringMatch(name.(string))
+			if ok && len(filter) > 0 && mat == nil {
 				continue
 			}
-
-			if prefixName != "" {
-				mapping["name"] = prefixName + mapping["name"].(string)
-			}
-
-			proxy, err := adapter.ParseProxy(mapping, forceCertVerify)
+			proxy, err := adapter.ParseProxy(mapping)
 			if err != nil {
 				return nil, fmt.Errorf("proxy %d error: %w", idx, err)
 			}
--- a/adapter/provider/vehicle.go
+++ b/adapter/provider/vehicle.go
@ -3,14 +3,11 @@ package provider
 import (
 	"context"
 	"io"
-	"net"
 	"net/http"
-	"net/url"
 	"os"
 	"time"

-	"github.com/Dreamacro/clash/common/convert"
-	"github.com/Dreamacro/clash/component/dialer"
+	netHttp "github.com/Dreamacro/clash/component/http"
 	types "github.com/Dreamacro/clash/constant/provider"
 )

@ -35,9 +32,8 @@ func NewFileVehicle(path string) *FileVehicle {
 }

 type HTTPVehicle struct {
-	url    string
-	path   string
-	header http.Header
+	url  string
+	path string
 }

 func (h *HTTPVehicle) Type() types.VehicleType {
@ -51,61 +47,19 @@ func (h *HTTPVehicle) Path() string {
 func (h *HTTPVehicle) Read() ([]byte, error) {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*20)
 	defer cancel()
-
-	uri, err := url.Parse(h.url)
+	resp, err := netHttp.HttpRequest(ctx, h.url, http.MethodGet, nil, nil)
 	if err != nil {
 		return nil, err
 	}

-	req, err := http.NewRequest(http.MethodGet, uri.String(), nil)
-	if err != nil {
-		return nil, err
-	}
-
-	if h.header != nil {
-		req.Header = h.header
-	}
-
-	if user := uri.User; user != nil {
-		password, _ := user.Password()
-		req.SetBasicAuth(user.Username(), password)
-	}
-
-	convert.SetUserAgent(req.Header)
-
-	req = req.WithContext(ctx)
-
-	transport := &http.Transport{
-		// from http.DefaultTransport
-		MaxIdleConns:          100,
-		IdleConnTimeout:       90 * time.Second,
-		TLSHandshakeTimeout:   10 * time.Second,
-		ExpectContinueTimeout: 1 * time.Second,
-		DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
-			if req.URL.Scheme == "https" {
-				return (&net.Dialer{}).DialContext(ctx, network, address) // forward to tun if tun enabled
-			}
-			return dialer.DialContext(ctx, network, address, dialer.WithDirect()) // with direct
-		},
-	}
-
-	client := http.Client{Transport: transport}
-	resp, err := client.Do(req)
-	if err != nil {
-		return nil, err
-	}
-	defer func() {
-		_ = resp.Body.Close()
-	}()
-
+	defer resp.Body.Close()
 	buf, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
-
 	return buf, nil
 }

-func NewHTTPVehicle(url string, path string, header http.Header) *HTTPVehicle {
-	return &HTTPVehicle{url, path, header}
+func NewHTTPVehicle(url string, path string) *HTTPVehicle {
+	return &HTTPVehicle{url, path}
 }
--- a/check_amd64.sh
+++ b/check_amd64.sh
@ -0,0 +1,28 @@
+#!/bin/sh
+flags=$(grep '^flags\b' </proc/cpuinfo | head -n 1)
+flags=" ${flags#*:} "
+
+has_flags () {
+  for flag; do
+    case "$flags" in
+      *" $flag "*) :;;
+      *) return 1;;
+    esac
+  done
+}
+
+determine_level () {
+  level=0
+  has_flags lm cmov cx8 fpu fxsr mmx syscall sse2 || return 0
+  level=1
+  has_flags cx16 lahf_lm popcnt sse4_1 sse4_2 ssse3 || return 0
+  level=2
+  has_flags avx avx2 bmi1 bmi2 f16c fma abm movbe xsave || return 0
+  level=3
+  has_flags avx512f avx512bw avx512cd avx512dq avx512vl || return 0
+  level=4
+}
+
+determine_level
+echo "Your CPU supports amd64-v$level"
+return $level
--- a/common/cache/cache.go
+++ b/common/cache/cache.go
@ -61,7 +61,7 @@ func (c *cache[K, V]) GetWithExpire(key K) (payload V, expired time.Time) {

 func (c *cache[K, V]) cleanup() {
 	c.mapping.Range(func(k, v any) bool {
-		key := k
+		key := k.(string)
 		elm := v.(*element[V])
 		if time.Since(elm.Expired) > 0 {
 			c.mapping.Delete(key)
--- a/common/cert/cert.go
+++ b/common/cert/cert.go
@ -1,303 +0,0 @@
-package cert
-
-import (
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/sha1"
-	"crypto/tls"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/pem"
-	"math/big"
-	"net"
-	"os"
-	"strings"
-	"sync/atomic"
-	"time"
-)
-
-var currentSerialNumber = time.Now().Unix()
-
-type Config struct {
-	ca           *x509.Certificate
-	caPrivateKey *rsa.PrivateKey
-
-	roots *x509.CertPool
-
-	privateKey *rsa.PrivateKey
-
-	validity     time.Duration
-	keyID        []byte
-	organization string
-
-	certsStorage CertsStorage
-}
-
-type CertsStorage interface {
-	Get(key string) (*tls.Certificate, bool)
-
-	Set(key string, cert *tls.Certificate)
-}
-
-func NewAuthority(name, organization string, validity time.Duration) (*x509.Certificate, *rsa.PrivateKey, error) {
-	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		return nil, nil, err
-	}
-	pub := privateKey.Public()
-
-	pkixPub, err := x509.MarshalPKIXPublicKey(pub)
-	if err != nil {
-		return nil, nil, err
-	}
-	h := sha1.New()
-	_, err = h.Write(pkixPub)
-	if err != nil {
-		return nil, nil, err
-	}
-	keyID := h.Sum(nil)
-
-	serial := atomic.AddInt64(&currentSerialNumber, 1)
-
-	tmpl := &x509.Certificate{
-		SerialNumber: big.NewInt(serial),
-		Subject: pkix.Name{
-			CommonName:   name,
-			Organization: []string{organization},
-		},
-		SubjectKeyId:          keyID,
-		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		BasicConstraintsValid: true,
-		NotBefore:             time.Now().Add(-validity),
-		NotAfter:              time.Now().Add(validity),
-		DNSNames:              []string{name},
-		IsCA:                  true,
-	}
-
-	raw, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, privateKey)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	x509c, err := x509.ParseCertificate(raw)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	return x509c, privateKey, nil
-}
-
-func NewConfig(ca *x509.Certificate, caPrivateKey *rsa.PrivateKey) (*Config, error) {
-	roots := x509.NewCertPool()
-	roots.AddCert(ca)
-
-	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		return nil, err
-	}
-	pub := privateKey.Public()
-
-	pkixPub, err := x509.MarshalPKIXPublicKey(pub)
-	if err != nil {
-		return nil, err
-	}
-	h := sha1.New()
-	_, err = h.Write(pkixPub)
-	if err != nil {
-		return nil, err
-	}
-	keyID := h.Sum(nil)
-
-	return &Config{
-		ca:           ca,
-		caPrivateKey: caPrivateKey,
-		privateKey:   privateKey,
-		keyID:        keyID,
-		validity:     time.Hour,
-		organization: "Clash",
-		certsStorage: NewDomainTrieCertsStorage(),
-		roots:        roots,
-	}, nil
-}
-
-func (c *Config) GetCA() *x509.Certificate {
-	return c.ca
-}
-
-func (c *Config) SetOrganization(organization string) {
-	c.organization = organization
-}
-
-func (c *Config) SetValidity(validity time.Duration) {
-	c.validity = validity
-}
-
-func (c *Config) NewTLSConfigForHost(hostname string) *tls.Config {
-	tlsConfig := &tls.Config{
-		GetCertificate: func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
-			host := clientHello.ServerName
-			if host == "" {
-				host = hostname
-			}
-
-			return c.GetOrCreateCert(host)
-		},
-		NextProtos: []string{"http/1.1"},
-	}
-
-	tlsConfig.InsecureSkipVerify = true
-
-	return tlsConfig
-}
-
-func (c *Config) GetOrCreateCert(hostname string, ips ...net.IP) (*tls.Certificate, error) {
-	var leaf *x509.Certificate
-	tlsCertificate, ok := c.certsStorage.Get(hostname)
-	if ok {
-		leaf = tlsCertificate.Leaf
-		if _, err := leaf.Verify(x509.VerifyOptions{
-			DNSName: hostname,
-			Roots:   c.roots,
-		}); err == nil {
-			return tlsCertificate, nil
-		}
-	}
-
-	var (
-		key          = hostname
-		topHost      = hostname
-		wildcardHost = "*." + hostname
-		dnsNames     []string
-	)
-
-	if ip := net.ParseIP(hostname); ip != nil {
-		ips = append(ips, ip)
-	} else {
-		parts := strings.Split(hostname, ".")
-		l := len(parts)
-
-		if leaf != nil {
-			dnsNames = append(dnsNames, leaf.DNSNames...)
-		}
-
-		if l > 2 {
-			topIndex := l - 2
-			topHost = strings.Join(parts[topIndex:], ".")
-
-			for i := topIndex; i > 0; i-- {
-				wildcardHost = "*." + strings.Join(parts[i:], ".")
-
-				if i == topIndex && (len(dnsNames) == 0 || dnsNames[0] != topHost) {
-					dnsNames = append(dnsNames, topHost, wildcardHost)
-				} else if !hasDnsNames(dnsNames, wildcardHost) {
-					dnsNames = append(dnsNames, wildcardHost)
-				}
-			}
-		} else {
-			dnsNames = append(dnsNames, topHost, wildcardHost)
-		}
-
-		key = "+." + topHost
-	}
-
-	serial := atomic.AddInt64(&currentSerialNumber, 1)
-
-	tmpl := &x509.Certificate{
-		SerialNumber: big.NewInt(serial),
-		Subject: pkix.Name{
-			CommonName:   topHost,
-			Organization: []string{c.organization},
-		},
-		SubjectKeyId:          c.keyID,
-		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		BasicConstraintsValid: true,
-		NotBefore:             time.Now().Add(-c.validity),
-		NotAfter:              time.Now().Add(c.validity),
-		DNSNames:              dnsNames,
-		IPAddresses:           ips,
-	}
-
-	raw, err := x509.CreateCertificate(rand.Reader, tmpl, c.ca, c.privateKey.Public(), c.caPrivateKey)
-	if err != nil {
-		return nil, err
-	}
-
-	x509c, err := x509.ParseCertificate(raw)
-	if err != nil {
-		return nil, err
-	}
-
-	tlsCertificate = &tls.Certificate{
-		Certificate: [][]byte{raw, c.ca.Raw},
-		PrivateKey:  c.privateKey,
-		Leaf:        x509c,
-	}
-
-	c.certsStorage.Set(key, tlsCertificate)
-	return tlsCertificate, nil
-}
-
-// GenerateAndSave generate CA private key and CA certificate and dump them to file
-func GenerateAndSave(caPath string, caKeyPath string) error {
-	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		return err
-	}
-
-	tmpl := &x509.Certificate{
-		SerialNumber: big.NewInt(time.Now().Unix()),
-		Subject: pkix.Name{
-			Country:      []string{"US"},
-			CommonName:   "Clash Root CA",
-			Organization: []string{"Clash Trust Services"},
-		},
-		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		NotBefore:             time.Now().Add(-(time.Hour * 24 * 60)),
-		NotAfter:              time.Now().Add(time.Hour * 24 * 365 * 25),
-		BasicConstraintsValid: true,
-		IsCA:                  true,
-	}
-
-	caRaw, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, privateKey.Public(), privateKey)
-	if err != nil {
-		return err
-	}
-
-	caOut, err := os.OpenFile(caPath, os.O_CREATE|os.O_WRONLY, 0o600)
-	if err != nil {
-		return err
-	}
-	defer func(caOut *os.File) {
-		_ = caOut.Close()
-	}(caOut)
-
-	if err = pem.Encode(caOut, &pem.Block{Type: "CERTIFICATE", Bytes: caRaw}); err != nil {
-		return err
-	}
-
-	caKeyOut, err := os.OpenFile(caKeyPath, os.O_CREATE|os.O_WRONLY, 0o600)
-	if err != nil {
-		return err
-	}
-	defer func(caKeyOut *os.File) {
-		_ = caKeyOut.Close()
-	}(caKeyOut)
-
-	if err = pem.Encode(caKeyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey)}); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func hasDnsNames(dnsNames []string, hostname string) bool {
-	for _, name := range dnsNames {
-		if name == hostname {
-			return true
-		}
-	}
-	return false
-}
--- a/common/cert/cert_test.go
+++ b/common/cert/cert_test.go
@ -1,104 +0,0 @@
-package cert
-
-import (
-	"crypto/tls"
-	"crypto/x509"
-	"net"
-	"os"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestCert(t *testing.T) {
-	ca, privateKey, err := NewAuthority("Clash ca", "Clash", 24*time.Hour)
-
-	assert.Nil(t, err)
-	assert.NotNil(t, ca)
-	assert.NotNil(t, privateKey)
-
-	c, err := NewConfig(ca, privateKey)
-	assert.Nil(t, err)
-
-	c.SetValidity(20 * time.Hour)
-	c.SetOrganization("Test Organization")
-
-	conf := c.NewTLSConfigForHost("example.org")
-	assert.Equal(t, []string{"http/1.1"}, conf.NextProtos)
-	assert.True(t, conf.InsecureSkipVerify)
-
-	// Test generating a certificate
-	clientHello := &tls.ClientHelloInfo{
-		ServerName: "example.org",
-	}
-	tlsCert, err := conf.GetCertificate(clientHello)
-	assert.Nil(t, err)
-	assert.NotNil(t, tlsCert)
-
-	// Assert certificate details
-	x509c := tlsCert.Leaf
-	assert.Equal(t, "example.org", x509c.Subject.CommonName)
-	assert.Nil(t, x509c.VerifyHostname("example.org"))
-	assert.Nil(t, x509c.VerifyHostname("abc.example.org"))
-	assert.Equal(t, []string{"Test Organization"}, x509c.Subject.Organization)
-	assert.NotNil(t, x509c.SubjectKeyId)
-	assert.True(t, x509c.BasicConstraintsValid)
-	assert.True(t, x509c.KeyUsage&x509.KeyUsageKeyEncipherment == x509.KeyUsageKeyEncipherment)
-	assert.True(t, x509c.KeyUsage&x509.KeyUsageDigitalSignature == x509.KeyUsageDigitalSignature)
-	assert.Equal(t, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, x509c.ExtKeyUsage)
-	assert.Equal(t, []string{"example.org", "*.example.org"}, x509c.DNSNames)
-	assert.True(t, x509c.NotBefore.Before(time.Now().Add(-2*time.Hour)))
-	assert.True(t, x509c.NotAfter.After(time.Now().Add(2*time.Hour)))
-
-	// Check that certificate is cached
-	tlsCert2, err := c.GetOrCreateCert("abc.example.org")
-	assert.Nil(t, err)
-	assert.True(t, tlsCert == tlsCert2)
-
-	// Check that certificate is new
-	_, _ = c.GetOrCreateCert("a.b.c.d.e.f.g.h.i.j.example.org")
-	tlsCert3, err := c.GetOrCreateCert("m.k.l.example.org")
-	x509c = tlsCert3.Leaf
-	assert.Nil(t, err)
-	assert.False(t, tlsCert == tlsCert3)
-	assert.Equal(t, []string{"example.org", "*.example.org", "*.j.example.org", "*.i.j.example.org", "*.h.i.j.example.org", "*.g.h.i.j.example.org", "*.f.g.h.i.j.example.org", "*.e.f.g.h.i.j.example.org", "*.d.e.f.g.h.i.j.example.org", "*.c.d.e.f.g.h.i.j.example.org", "*.b.c.d.e.f.g.h.i.j.example.org", "*.l.example.org", "*.k.l.example.org"}, x509c.DNSNames)
-
-	// Check that certificate is cached
-	tlsCert4, err := c.GetOrCreateCert("xyz.example.org")
-	x509c = tlsCert4.Leaf
-	assert.Nil(t, err)
-	assert.True(t, tlsCert3 == tlsCert4)
-	assert.Nil(t, x509c.VerifyHostname("example.org"))
-	assert.Nil(t, x509c.VerifyHostname("jkf.example.org"))
-	assert.Nil(t, x509c.VerifyHostname("n.j.example.org"))
-	assert.Nil(t, x509c.VerifyHostname("c.i.j.example.org"))
-	assert.Nil(t, x509c.VerifyHostname("m.l.example.org"))
-	assert.Error(t, x509c.VerifyHostname("m.l.jkf.example.org"))
-
-	// Check the certificate for an IP
-	tlsCertForIP, err := c.GetOrCreateCert("192.168.0.1")
-	x509c = tlsCertForIP.Leaf
-	assert.Nil(t, err)
-	assert.Equal(t, 1, len(x509c.IPAddresses))
-	assert.True(t, net.ParseIP("192.168.0.1").Equal(x509c.IPAddresses[0]))
-
-	// Check that certificate is cached
-	tlsCertForIP2, err := c.GetOrCreateCert("192.168.0.1")
-	x509c = tlsCertForIP2.Leaf
-	assert.Nil(t, err)
-	assert.True(t, tlsCertForIP == tlsCertForIP2)
-	assert.Nil(t, x509c.VerifyHostname("192.168.0.1"))
-}
-
-func TestGenerateAndSave(t *testing.T) {
-	caPath := "ca.crt"
-	caKeyPath := "ca.key"
-
-	err := GenerateAndSave(caPath, caKeyPath)
-
-	assert.Nil(t, err)
-
-	_ = os.Remove(caPath)
-	_ = os.Remove(caKeyPath)
-}
--- a/common/cert/storage.go
+++ b/common/cert/storage.go
@ -1,32 +0,0 @@
-package cert
-
-import (
-	"crypto/tls"
-
-	"github.com/Dreamacro/clash/component/trie"
-)
-
-// DomainTrieCertsStorage cache wildcard certificates
-type DomainTrieCertsStorage struct {
-	certsCache *trie.DomainTrie[*tls.Certificate]
-}
-
-// Get gets the certificate from the storage
-func (c *DomainTrieCertsStorage) Get(key string) (*tls.Certificate, bool) {
-	ca := c.certsCache.Search(key)
-	if ca == nil {
-		return nil, false
-	}
-	return ca.Data, true
-}
-
-// Set saves the certificate to the storage
-func (c *DomainTrieCertsStorage) Set(key string, cert *tls.Certificate) {
-	_ = c.certsCache.Insert(key, cert)
-}
-
-func NewDomainTrieCertsStorage() *DomainTrieCertsStorage {
-	return &DomainTrieCertsStorage{
-		certsCache: trie.New[*tls.Certificate](),
-	}
-}
--- a/common/cmd/cmd.go
+++ b/common/cmd/cmd.go
@ -15,7 +15,7 @@ func ExecCmd(cmdStr string) (string, error) {
 	} else {
 		cmd = exec.Command(args[0], args[1:]...)
 	}
-
+	prepareBackgroundCommand(cmd)
 	out, err := cmd.CombinedOutput()
 	if err != nil {
 		return "", fmt.Errorf("%v, %s", err, string(out))
--- a/common/cmd/cmd_other.go
+++ b/common/cmd/cmd_other.go
@ -0,0 +1,10 @@
+//go:build !windows
+
+package cmd
+
+import (
+	"os/exec"
+)
+
+func prepareBackgroundCommand(cmd *exec.Cmd) {
+}
--- a/common/cmd/cmd_windows.go
+++ b/common/cmd/cmd_windows.go
@ -0,0 +1,12 @@
+//go:build windows
+
+package cmd
+
+import (
+	"os/exec"
+	"syscall"
+)
+
+func prepareBackgroundCommand(cmd *exec.Cmd) {
+	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
+}
--- a/common/collections/stack.go
+++ b/common/collections/stack.go
@ -0,0 +1,56 @@
+package collections
+
+import "sync"
+
+type (
+	stack struct {
+		top    *node
+		length int
+		lock   *sync.RWMutex
+	}
+
+	node struct {
+		value interface{}
+		prev  *node
+	}
+)
+
+// NewStack Create a new stack
+func NewStack() *stack {
+	return &stack{nil, 0, &sync.RWMutex{}}
+}
+
+// Len Return the number of items in the stack
+func (this *stack) Len() int {
+	return this.length
+}
+
+// Peek View the top item on the stack
+func (this *stack) Peek() interface{} {
+	if this.length == 0 {
+		return nil
+	}
+	return this.top.value
+}
+
+// Pop the top item of the stack and return it
+func (this *stack) Pop() interface{} {
+	this.lock.Lock()
+	defer this.lock.Unlock()
+	if this.length == 0 {
+		return nil
+	}
+	n := this.top
+	this.top = n.prev
+	this.length--
+	return n.value
+}
+
+// Push a value onto the top of the stack
+func (this *stack) Push(value interface{}) {
+	this.lock.Lock()
+	defer this.lock.Unlock()
+	n := &node{value, this.top}
+	this.top = n
+	this.length++
+}
--- a/common/convert/converter.go
+++ b/common/convert/converter.go
@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/url"
+	"strconv"
 	"strings"
 )

@ -21,24 +22,21 @@ func DecodeBase64(buf []byte) ([]byte, error) {
 	return dBuf[:n], nil
 }

-func DecodeRawBase64(buf []byte) ([]byte, error) {
-	dBuf := make([]byte, base64.RawStdEncoding.DecodedLen(len(buf)))
-	n, err := base64.RawStdEncoding.Decode(dBuf, buf)
+// DecodeBase64StringToString decode base64 string to string
+func DecodeBase64StringToString(s string) (string, error) {
+	dBuf, err := enc.DecodeString(s)
 	if err != nil {
-		return nil, err
+		return "", err
 	}

-	return dBuf[:n], nil
+	return string(dBuf), nil
 }

 // ConvertsV2Ray convert V2Ray subscribe proxies data to clash proxies config
 func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 	data, err := DecodeBase64(buf)
 	if err != nil {
-		data, err = DecodeRawBase64(buf)
-		if err != nil {
-			data = buf
-		}
+		data = buf
 	}

 	arr := strings.Split(string(data), "\n")
@ -59,6 +57,31 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {

 		scheme = strings.ToLower(scheme)
 		switch scheme {
+		case "hysteria":
+			urlHysteria, err := url.Parse(line)
+			if err != nil {
+				continue
+			}
+
+			query := urlHysteria.Query()
+			name := uniqueName(names, urlHysteria.Fragment)
+			hysteria := make(map[string]any, 20)
+
+			hysteria["name"] = name
+			hysteria["type"] = scheme
+			hysteria["server"] = urlHysteria.Hostname()
+			hysteria["port"] = urlHysteria.Port()
+			hysteria["sni"] = query.Get("peer")
+			hysteria["obfs"] = query.Get("obfs")
+			hysteria["alpn"] = query.Get("alpn")
+			hysteria["auth_str"] = query.Get("auth")
+			hysteria["protocol"] = query.Get("protocol")
+			hysteria["down_mbps"], _ = strconv.Atoi(query.Get("downmbps"))
+			hysteria["up_mbps"], _ = strconv.Atoi(query.Get("upmbps"))
+			hysteria["skip-cert-verify"], _ = strconv.ParseBool(query.Get("insecure"))
+
+			proxies = append(proxies, hysteria)
+
 		case "trojan":
 			urlTrojan, err := url.Parse(line)
 			if err != nil {
@ -88,20 +111,113 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 				trojan["network"] = network
 			}

-			if network == "ws" {
+			switch network {
+			case "ws":
 				headers := make(map[string]any)
 				wsOpts := make(map[string]any)

-				headers["Host"] = RandHost()
+				// headers["Host"] = RandHost()
 				headers["User-Agent"] = RandUserAgent()

 				wsOpts["path"] = query.Get("path")
 				wsOpts["headers"] = headers

 				trojan["ws-opts"] = wsOpts
+
+			case "grpc":
+				grpcOpts := make(map[string]any)
+				grpcOpts["grpc-service-name"] = query.Get("serviceName")
+				trojan["grpc-opts"] = grpcOpts
 			}

 			proxies = append(proxies, trojan)
+
+		case "vless":
+			urlVless, err := url.Parse(line)
+			if err != nil {
+				continue
+			}
+
+			query := urlVless.Query()
+
+			name := uniqueName(names, urlVless.Fragment)
+			vless := make(map[string]any, 20)
+
+			vless["name"] = name
+			vless["type"] = scheme
+			vless["server"] = urlVless.Hostname()
+			vless["port"] = urlVless.Port()
+			vless["uuid"] = urlVless.User.Username()
+			vless["udp"] = true
+			vless["skip-cert-verify"] = false
+
+			sni := query.Get("sni")
+			if sni != "" {
+				vless["servername"] = sni
+			}
+
+			flow := strings.ToLower(query.Get("flow"))
+			if flow != "" {
+				vless["flow"] = flow
+			}
+
+			network := strings.ToLower(query.Get("type"))
+			if network != "" {
+				fakeType := strings.ToLower(query.Get("headerType"))
+				if network == "tcp" && fakeType == "http" {
+					network = "http"
+				}
+				if network == "http" {
+					network = "h2"
+				}
+				vless["network"] = network
+			}
+
+			switch network {
+			case "http":
+				headers := make(map[string]any)
+				httpOpts := make(map[string]any)
+
+				if query.Get("method") != "" {
+					httpOpts["method"] = query.Get("method")
+				}
+				if query.Get("path") != "" {
+					httpOpts["path"] = query.Get("path")
+				}
+				headers["User-Agent"] = RandUserAgent()
+				httpOpts["headers"] = headers
+
+				vless["http-opts"] = httpOpts
+
+			case "h2":
+				headers := make(map[string]any)
+				h2Opts := make(map[string]any)
+
+				headers["User-Agent"] = RandUserAgent()
+				h2Opts["path"] = query.Get("path")
+				h2Opts["headers"] = headers
+
+				vless["h2-opts"] = h2Opts
+
+			case "ws":
+				headers := make(map[string]any)
+				wsOpts := make(map[string]any)
+
+				// headers["Host"] = RandHost()
+				headers["User-Agent"] = RandUserAgent()
+				wsOpts["path"] = query.Get("path")
+				wsOpts["headers"] = headers
+
+				vless["ws-opts"] = wsOpts
+
+			case "grpc":
+				grpcOpts := make(map[string]any)
+				grpcOpts["grpc-service-name"] = query.Get("serviceName")
+				vless["grpc-opts"] = grpcOpts
+			}
+
+			proxies = append(proxies, vless)
+
 		case "vmess":
 			dcBuf, err := enc.DecodeString(body)
 			if err != nil {
@ -128,6 +244,11 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			vmess["udp"] = true
 			vmess["skip-cert-verify"] = false

+			sni := values["sni"]
+			if sni != "" {
+				vmess["sni"] = sni
+			}
+
 			host := values["host"]
 			network := strings.ToLower(values["net"].(string))

@ -141,7 +262,31 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 				vmess["tls"] = true
 			}

-			if network == "ws" {
+			switch network {
+			case "http":
+				headers := make(map[string]any)
+				httpOpts := make(map[string]any)
+
+				// headers["Host"] = RandHost()
+				headers["User-Agent"] = RandUserAgent()
+				httpOpts["method"] = values["method"]
+				httpOpts["path"] = values["path"]
+				httpOpts["headers"] = headers
+
+				vmess["http-opts"] = httpOpts
+
+			case "h2":
+				headers := make(map[string]any)
+				h2Opts := make(map[string]any)
+
+				// headers["Host"] = RandHost()
+				headers["User-Agent"] = RandUserAgent()
+				h2Opts["path"] = values["path"]
+				h2Opts["headers"] = headers
+
+				vmess["h2-opts"] = h2Opts
+
+			case "ws":
 				headers := make(map[string]any)
 				wsOpts := make(map[string]any)

@ -154,9 +299,15 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 				wsOpts["headers"] = headers

 				vmess["ws-opts"] = wsOpts
+
+			case "grpc":
+				grpcOpts := make(map[string]any)
+				grpcOpts["grpc-service-name"] = values["path"]
+				vmess["grpc-opts"] = grpcOpts
 			}

 			proxies = append(proxies, vmess)
+
 		case "ss":
 			urlSS, err := url.Parse(line)
 			if err != nil {
@ -264,54 +415,6 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			}

 			proxies = append(proxies, ssr)
-		case "vless":
-			urlVless, err := url.Parse(line)
-			if err != nil {
-				continue
-			}
-
-			query := urlVless.Query()
-
-			name := uniqueName(names, urlVless.Fragment)
-			vless := make(map[string]any, 20)
-
-			vless["name"] = name
-			vless["type"] = scheme
-			vless["server"] = urlVless.Hostname()
-			vless["port"] = urlVless.Port()
-			vless["uuid"] = urlVless.User.Username()
-			vless["udp"] = true
-			vless["skip-cert-verify"] = false
-
-			sni := query.Get("sni")
-			if sni != "" {
-				vless["servername"] = sni
-			}
-
-			flow := strings.ToLower(query.Get("flow"))
-			if flow != "" {
-				vless["flow"] = flow
-			}
-
-			network := strings.ToLower(query.Get("type"))
-			if network != "" {
-				vless["network"] = network
-			}
-
-			if network == "ws" {
-				headers := make(map[string]any)
-				wsOpts := make(map[string]any)
-
-				headers["Host"] = RandHost()
-				headers["User-Agent"] = RandUserAgent()
-
-				wsOpts["path"] = query.Get("path")
-				wsOpts["headers"] = headers
-
-				vless["ws-opts"] = wsOpts
-			}
-
-			proxies = append(proxies, vless)
 		}
 	}

--- a/common/convert/util.go
+++ b/common/convert/util.go
@ -29,6 +29,7 @@ var hostsSuffix = []string{
 	".alidns.com",
 	".cdngslb.com",
 	".mxhichina.com",
+	".alibabadns.com",
 }

 var userAgents = []string{
--- a/common/net/relay.go
+++ b/common/net/relay.go
@ -4,30 +4,27 @@ import (
 	"io"
 	"net"
 	"time"
+
+	"github.com/Dreamacro/clash/common/pool"
 )

 // Relay copies between left and right bidirectionally.
 func Relay(leftConn, rightConn net.Conn) {
 	ch := make(chan error)

-	tcpKeepAlive(leftConn)
-	tcpKeepAlive(rightConn)
-
 	go func() {
+		buf := pool.Get(pool.RelayBufferSize)
 		// Wrapping to avoid using *net.TCPConn.(ReadFrom)
 		// See also https://github.com/Dreamacro/clash/pull/1209
-		_, err := io.Copy(WriteOnlyWriter{Writer: leftConn}, ReadOnlyReader{Reader: rightConn})
-		_ = leftConn.SetReadDeadline(time.Now())
+		_, err := io.CopyBuffer(WriteOnlyWriter{Writer: leftConn}, ReadOnlyReader{Reader: rightConn}, buf)
+		pool.Put(buf)
+		leftConn.SetReadDeadline(time.Now())
 		ch <- err
 	}()

-	_, _ = io.Copy(WriteOnlyWriter{Writer: rightConn}, ReadOnlyReader{Reader: leftConn})
-	_ = rightConn.SetReadDeadline(time.Now())
+	buf := pool.Get(pool.RelayBufferSize)
+	io.CopyBuffer(WriteOnlyWriter{Writer: rightConn}, ReadOnlyReader{Reader: leftConn}, buf)
+	pool.Put(buf)
+	rightConn.SetReadDeadline(time.Now())
 	<-ch
 }
-
-func tcpKeepAlive(c net.Conn) {
-	if tcp, ok := c.(*net.TCPConn); ok {
-		_ = tcp.SetKeepAlive(true)
-	}
-}
--- a/common/net/tcpip.go
+++ b/common/net/tcpip.go
@ -0,0 +1,46 @@
+package net
+
+import (
+	"fmt"
+	"net"
+	"strings"
+)
+
+func SplitNetworkType(s string) (string, string, error) {
+	var (
+		shecme   string
+		hostPort string
+	)
+	result := strings.Split(s, "://")
+	if len(result) == 2 {
+		shecme = result[0]
+		hostPort = result[1]
+	} else if len(result) == 1 {
+		hostPort = result[0]
+	} else {
+		return "", "", fmt.Errorf("tcp/udp style error")
+	}
+
+	if len(shecme) == 0 {
+		shecme = "udp"
+	}
+
+	if shecme != "tcp" && shecme != "udp" {
+		return "", "", fmt.Errorf("scheme should be tcp:// or udp://")
+	} else {
+		return shecme, hostPort, nil
+	}
+}
+
+func SplitHostPort(s string) (host, port string, hasPort bool, err error) {
+	temp := s
+	hasPort = true
+
+	if !strings.Contains(s, ":") && !strings.Contains(s, "]:") {
+		temp += ":0"
+		hasPort = false
+	}
+
+	host, port, err = net.SplitHostPort(temp)
+	return
+}
--- a/common/pool/alloc.go
+++ b/common/pool/alloc.go
@ -6,10 +6,16 @@ import (
 	"errors"
 	"math/bits"
 	"sync"
+
+	"github.com/sagernet/sing/common/buf"
 )

 var defaultAllocator = NewAllocator()

+func init() {
+	buf.DefaultAllocator = defaultAllocator
+}
+
 // Allocator for incoming frames, optimized to prevent overwriting after zeroing
 type Allocator struct {
 	buffers []sync.Pool
--- a/common/structure/structure.go
+++ b/common/structure/structure.go
@ -31,7 +31,7 @@ func NewDecoder(option Option) *Decoder {
 // Decode transform a map[string]any to a struct
 func (d *Decoder) Decode(src map[string]any, dst any) error {
 	if reflect.TypeOf(dst).Kind() != reflect.Ptr {
-		return fmt.Errorf("Decode must recive a ptr struct")
+		return fmt.Errorf("decode must recive a ptr struct")
 	}
 	t := reflect.TypeOf(dst).Elem()
 	v := reflect.ValueOf(dst).Elem()
@ -301,7 +301,7 @@ func (d *Decoder) decodeStructFromMap(name string, dataVal, val reflect.Value) e
 		field reflect.StructField
 		val   reflect.Value
 	}
-	fields := []field{}
+	var fields []field
 	for len(structs) > 0 {
 		structVal := structs[0]
 		structs = structs[1:]
--- a/common/structure/structure_test.go
+++ b/common/structure/structure_test.go
@ -137,45 +137,3 @@ func TestStructure_Nest(t *testing.T) {
 	assert.Nil(t, err)
 	assert.Equal(t, s.BazOptional, goal)
 }
-
-func TestStructure_SliceNilValue(t *testing.T) {
-	rawMap := map[string]any{
-		"foo": 1,
-		"bar": []any{"bar", nil},
-	}
-
-	goal := &BazSlice{
-		Foo: 1,
-		Bar: []string{"bar", ""},
-	}
-
-	s := &BazSlice{}
-	err := weakTypeDecoder.Decode(rawMap, s)
-	assert.Nil(t, err)
-	assert.Equal(t, goal.Bar, s.Bar)
-
-	s = &BazSlice{}
-	err = decoder.Decode(rawMap, s)
-	assert.NotNil(t, err)
-}
-
-func TestStructure_SliceNilValueComplex(t *testing.T) {
-	rawMap := map[string]any{
-		"bar": []any{map[string]any{"bar": "foo"}, nil},
-	}
-
-	s := &struct {
-		Bar []map[string]any `test:"bar"`
-	}{}
-
-	err := decoder.Decode(rawMap, s)
-	assert.Nil(t, err)
-	assert.Nil(t, s.Bar[1])
-
-	ss := &struct {
-		Bar []Baz `test:"bar"`
-	}{}
-
-	err = decoder.Decode(rawMap, ss)
-	assert.NotNil(t, err)
-}
--- a/common/utils/range.go
+++ b/common/utils/range.go
@ -0,0 +1,44 @@
+package utils
+
+import (
+	"golang.org/x/exp/constraints"
+)
+
+type Range[T constraints.Ordered] struct {
+	start T
+	end   T
+}
+
+func NewRange[T constraints.Ordered](start, end T) *Range[T] {
+	if start > end {
+		return &Range[T]{
+			start: end,
+			end:   start,
+		}
+	}
+
+	return &Range[T]{
+		start: start,
+		end:   end,
+	}
+}
+
+func (r *Range[T]) Contains(t T) bool {
+	return t >= r.start && t <= r.end
+}
+
+func (r *Range[T]) LeftContains(t T) bool {
+	return t >= r.start && t < r.end
+}
+
+func (r *Range[T]) RightContains(t T) bool {
+	return t > r.start && t <= r.end
+}
+
+func (r *Range[T]) Start() T {
+	return r.start
+}
+
+func (r *Range[T]) End() T {
+	return r.end
+}
--- a/common/utils/uuid.go
+++ b/common/utils/uuid.go
@ -0,0 +1,16 @@
+package utils
+
+import (
+	"github.com/gofrs/uuid"
+)
+
+var uuidNamespace, _ = uuid.FromString("00000000-0000-0000-0000-000000000000")
+
+// UUIDMap https://github.com/XTLS/Xray-core/issues/158#issue-783294090
+func UUIDMap(str string) (uuid.UUID, error) {
+	u, err := uuid.FromString(str)
+	if err != nil {
+		return uuid.NewV5(uuidNamespace, str), nil
+	}
+	return u, nil
+}
--- a/common/utils/uuid_test.go
+++ b/common/utils/uuid_test.go
@ -0,0 +1,75 @@
+package utils
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/gofrs/uuid"
+)
+
+func TestUUIDMap(t *testing.T) {
+	type args struct {
+		str string
+	}
+
+	tests := []struct {
+		name    string
+		args    args
+		want    uuid.UUID
+		wantErr bool
+	}{
+		{
+			name: "uuid-test-1",
+			args: args{
+				str: "82410302-039e-41b6-98b0-d964084b4170",
+			},
+			want:    uuid.FromStringOrNil("82410302-039e-41b6-98b0-d964084b4170"),
+			wantErr: false,
+		},
+		{
+			name: "uuid-test-2",
+			args: args{
+				str: "88c502e6-d7eb-4c8e-8259-94cb13d83c77",
+			},
+			want:    uuid.FromStringOrNil("88c502e6-d7eb-4c8e-8259-94cb13d83c77"),
+			wantErr: false,
+		},
+		{
+			name: "uuid-map-1",
+			args: args{
+				str: "123456",
+			},
+			want:    uuid.FromStringOrNil("f8598425-92f2-5508-a071-4fc67f9040ac"),
+			wantErr: false,
+		},
+		// GENERATED BY 'xray uuid -i'
+		{
+			name: "uuid-map-2",
+			args: args{
+				str: "a9dk23bz0",
+			},
+			want:    uuid.FromStringOrNil("c91481b6-fc0f-5d9e-b166-5ddf07b9c3c5"),
+			wantErr: false,
+		},
+		{
+			name: "uuid-map-2",
+			args: args{
+				str: "中文123",
+			},
+			want:    uuid.FromStringOrNil("145c544c-2229-59e5-8dbb-3f33b7610d26"),
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := UUIDMap(tt.args.str)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("UUIDMap() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("UUIDMap() got = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
--- a/component/dhcp/dhcp.go
+++ b/component/dhcp/dhcp.go
@ -8,7 +8,6 @@ import (

 	"github.com/Dreamacro/clash/common/nnip"
 	"github.com/Dreamacro/clash/component/iface"
-
 	"github.com/insomniacslk/dhcp/dhcpv4"
 )

--- a/component/dialer/bind_darwin.go
+++ b/component/dialer/bind_darwin.go
@ -6,7 +6,6 @@ import (
 	"syscall"

 	"github.com/Dreamacro/clash/component/iface"
-
 	"golang.org/x/sys/unix"
 )

--- a/component/dialer/dialer.go
+++ b/component/dialer/dialer.go
@ -3,12 +3,22 @@ package dialer
 import (
 	"context"
 	"errors"
+	"fmt"
 	"net"
 	"net/netip"
+	"sync"

 	"github.com/Dreamacro/clash/component/resolver"
 )

+var (
+	dialMux                    sync.Mutex
+	actualSingleDialContext    = singleDialContext
+	actualDualStackDialContext = dualStackDialContext
+	tcpConcurrent              = false
+	DisableIPv6                = false
+)
+
 func DialContext(ctx context.Context, network, address string, options ...Option) (net.Conn, error) {
 	opt := &option{
 		interfaceName: DefaultInterface.Load(),
@ -25,33 +35,9 @@ func DialContext(ctx context.Context, network, address string, options ...Option

 	switch network {
 	case "tcp4", "tcp6", "udp4", "udp6":
-		host, port, err := net.SplitHostPort(address)
-		if err != nil {
-			return nil, err
-		}
-
-		var ip netip.Addr
-		switch network {
-		case "tcp4", "udp4":
-			if !opt.direct {
-				ip, err = resolver.ResolveIPv4ProxyServerHost(host)
-			} else {
-				ip, err = resolver.ResolveIPv4(host)
-			}
-		default:
-			if !opt.direct {
-				ip, err = resolver.ResolveIPv6ProxyServerHost(host)
-			} else {
-				ip, err = resolver.ResolveIPv6(host)
-			}
-		}
-		if err != nil {
-			return nil, err
-		}
-
-		return dialContext(ctx, network, ip, port, opt)
+		return actualSingleDialContext(ctx, network, address, opt)
 	case "tcp", "udp":
-		return dualStackDialContext(ctx, network, address, opt)
+		return actualDualStackDialContext(ctx, network, address, opt)
 	default:
 		return nil, errors.New("network invalid")
 	}
@ -89,6 +75,24 @@ func ListenPacket(ctx context.Context, network, address string, options ...Optio
 	return lc.ListenPacket(ctx, network, address)
 }

+func SetDial(concurrent bool) {
+	dialMux.Lock()
+	tcpConcurrent = concurrent
+	if concurrent {
+		actualSingleDialContext = concurrentSingleDialContext
+		actualDualStackDialContext = concurrentDualStackDialContext
+	} else {
+		actualSingleDialContext = singleDialContext
+		actualDualStackDialContext = dualStackDialContext
+	}
+
+	dialMux.Unlock()
+}
+
+func GetDial() bool {
+	return tcpConcurrent
+}
+
 func dialContext(ctx context.Context, network string, destination netip.Addr, port string, opt *option) (net.Conn, error) {
 	dialer := &net.Dialer{}
 	if opt.interfaceName != "" {
@ -100,6 +104,10 @@ func dialContext(ctx context.Context, network string, destination netip.Addr, po
 		bindMarkToDialer(opt.routingMark, dialer, network, destination)
 	}

+	if DisableIPv6 && destination.Is6() {
+		return nil, fmt.Errorf("IPv6 is diabled, dialer cancel")
+	}
+
 	return dialer.DialContext(ctx, network, net.JoinHostPort(destination.String(), port))
 }

@ -183,3 +191,130 @@ func dualStackDialContext(ctx context.Context, network, address string, opt *opt

 	return nil, errors.New("never touched")
 }
+
+func concurrentDualStackDialContext(ctx context.Context, network, address string, opt *option) (net.Conn, error) {
+	host, port, err := net.SplitHostPort(address)
+	if err != nil {
+		return nil, err
+	}
+
+	var ips []netip.Addr
+
+	if opt.direct {
+		ips, err = resolver.ResolveAllIP(host)
+	} else {
+		ips, err = resolver.ResolveAllIPProxyServerHost(host)
+	}
+
+	return concurrentDialContext(ctx, network, ips, port, opt)
+}
+
+func concurrentDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
+	returned := make(chan struct{})
+	defer close(returned)
+
+	type dialResult struct {
+		ip netip.Addr
+		net.Conn
+		error
+		resolved bool
+	}
+
+	results := make(chan dialResult)
+
+	tcpRacer := func(ctx context.Context, ip netip.Addr) {
+		result := dialResult{ip: ip}
+
+		defer func() {
+			select {
+			case results <- result:
+			case <-returned:
+				if result.Conn != nil {
+					result.Conn.Close()
+				}
+			}
+		}()
+
+		v := "4"
+		if ip.Is6() {
+			v = "6"
+		}
+
+		result.Conn, result.error = dialContext(ctx, network+v, ip, port, opt)
+	}
+
+	for _, ip := range ips {
+		go tcpRacer(ctx, ip)
+	}
+
+	connCount := len(ips)
+	for res := range results {
+		connCount--
+		if res.error == nil {
+			return res.Conn, nil
+		}
+
+		if connCount == 0 {
+			break
+		}
+	}
+
+	return nil, fmt.Errorf("all ips %v tcp shake hands failed", ips)
+}
+
+func singleDialContext(ctx context.Context, network string, address string, opt *option) (net.Conn, error) {
+	host, port, err := net.SplitHostPort(address)
+	if err != nil {
+		return nil, err
+	}
+
+	var ip netip.Addr
+	switch network {
+	case "tcp4", "udp4":
+		if !opt.direct {
+			ip, err = resolver.ResolveIPv4ProxyServerHost(host)
+		} else {
+			ip, err = resolver.ResolveIPv4(host)
+		}
+	default:
+		if !opt.direct {
+			ip, err = resolver.ResolveIPv6ProxyServerHost(host)
+		} else {
+			ip, err = resolver.ResolveIPv6(host)
+		}
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	return dialContext(ctx, network, ip, port, opt)
+}
+
+func concurrentSingleDialContext(ctx context.Context, network string, address string, opt *option) (net.Conn, error) {
+	host, port, err := net.SplitHostPort(address)
+	if err != nil {
+		return nil, err
+	}
+
+	var ips []netip.Addr
+	switch network {
+	case "tcp4", "udp4":
+		if !opt.direct {
+			ips, err = resolver.ResolveAllIPv4ProxyServerHost(host)
+		} else {
+			ips, err = resolver.ResolveAllIPv4(host)
+		}
+	default:
+		if !opt.direct {
+			ips, err = resolver.ResolveAllIPv6ProxyServerHost(host)
+		} else {
+			ips, err = resolver.ResolveAllIPv6(host)
+		}
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	return concurrentDialContext(ctx, network, ips, port, opt)
+}
--- a/component/fakeip/pool_test.go
+++ b/component/fakeip/pool_test.go
@ -9,7 +9,6 @@ import (

 	"github.com/Dreamacro/clash/component/profile/cachefile"
 	"github.com/Dreamacro/clash/component/trie"
-
 	"github.com/stretchr/testify/assert"
 	"go.etcd.io/bbolt"
 )
--- a/component/geodata/geodata.go
+++ b/component/geodata/geodata.go
@ -6,6 +6,7 @@ import (
 	"strings"

 	"github.com/Dreamacro/clash/component/geodata/router"
+	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
 )

@ -14,7 +15,7 @@ type loader struct {
 }

 func (l *loader) LoadGeoSite(list string) ([]*router.Domain, error) {
-	return l.LoadGeoSiteWithAttr("geosite.dat", list)
+	return l.LoadGeoSiteWithAttr(C.GeositeName, list)
 }

 func (l *loader) LoadGeoSiteWithAttr(file string, siteWithAttr string) ([]*router.Domain, error) {
@ -29,7 +30,7 @@ func (l *loader) LoadGeoSiteWithAttr(file string, siteWithAttr string) ([]*route
 		return nil, fmt.Errorf("empty listname in rule: %s", siteWithAttr)
 	}

-	domains, err := l.LoadSite(file, list)
+	domains, err := l.LoadSiteByPath(file, list)
 	if err != nil {
 		return nil, err
 	}
@ -58,7 +59,7 @@ func (l *loader) LoadGeoSiteWithAttr(file string, siteWithAttr string) ([]*route
 }

 func (l *loader) LoadGeoIP(country string) ([]*router.CIDR, error) {
-	return l.LoadIP("geoip.dat", country)
+	return l.LoadIPByPath(C.GeoipName, country)
 }

 var loaders map[string]func() LoaderImplementation
--- a/component/geodata/geodataproto.go
+++ b/component/geodata/geodataproto.go
@ -5,8 +5,10 @@ import (
 )

 type LoaderImplementation interface {
-	LoadSite(filename, list string) ([]*router.Domain, error)
-	LoadIP(filename, country string) ([]*router.CIDR, error)
+	LoadSiteByPath(filename, list string) ([]*router.Domain, error)
+	LoadSiteByBytes(geositeBytes []byte, list string) ([]*router.Domain, error)
+	LoadIPByPath(filename, country string) ([]*router.CIDR, error)
+	LoadIPByBytes(geoipBytes []byte, country string) ([]*router.CIDR, error)
 }

 type Loader interface {
--- a/component/geodata/memconservative/cache.go
+++ b/component/geodata/memconservative/cache.go
@ -8,7 +8,6 @@ import (
 	"github.com/Dreamacro/clash/component/geodata/router"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
-
 	"google.golang.org/protobuf/proto"
 )

@ -33,7 +32,7 @@ func (g GeoIPCache) Set(key string, value *router.GeoIP) {
 }

 func (g GeoIPCache) Unmarshal(filename, code string) (*router.GeoIP, error) {
-	asset := C.Path.Resolve(filename)
+	asset := C.Path.GetAssetLocation(filename)
 	idx := strings.ToLower(asset + ":" + code)
 	if g.Has(idx) {
 		return g.Get(idx), nil
@ -98,7 +97,7 @@ func (g GeoSiteCache) Set(key string, value *router.GeoSite) {
 }

 func (g GeoSiteCache) Unmarshal(filename, code string) (*router.GeoSite, error) {
-	asset := C.Path.Resolve(filename)
+	asset := C.Path.GetAssetLocation(filename)
 	idx := strings.ToLower(asset + ":" + code)
 	if g.Has(idx) {
 		return g.Get(idx), nil
--- a/component/geodata/memconservative/memc.go
+++ b/component/geodata/memconservative/memc.go
@ -1,6 +1,7 @@
 package memconservative

 import (
+	"errors"
 	"fmt"
 	"runtime"

@ -13,7 +14,7 @@ type memConservativeLoader struct {
 	geositecache GeoSiteCache
 }

-func (m *memConservativeLoader) LoadIP(filename, country string) ([]*router.CIDR, error) {
+func (m *memConservativeLoader) LoadIPByPath(filename, country string) ([]*router.CIDR, error) {
 	defer runtime.GC()
 	geoip, err := m.geoipcache.Unmarshal(filename, country)
 	if err != nil {
@ -22,7 +23,11 @@ func (m *memConservativeLoader) LoadIP(filename, country string) ([]*router.CIDR
 	return geoip.Cidr, nil
 }

-func (m *memConservativeLoader) LoadSite(filename, list string) ([]*router.Domain, error) {
+func (m *memConservativeLoader) LoadIPByBytes(geoipBytes []byte, country string) ([]*router.CIDR, error) {
+	return nil, errors.New("memConservative do not support LoadIPByBytes")
+}
+
+func (m *memConservativeLoader) LoadSiteByPath(filename, list string) ([]*router.Domain, error) {
 	defer runtime.GC()
 	geosite, err := m.geositecache.Unmarshal(filename, list)
 	if err != nil {
@ -31,6 +36,10 @@ func (m *memConservativeLoader) LoadSite(filename, list string) ([]*router.Domai
 	return geosite.Domain, nil
 }

+func (m *memConservativeLoader) LoadSiteByBytes(geositeBytes []byte, list string) ([]*router.Domain, error) {
+	return nil, errors.New("memConservative do not support LoadSiteByBytes")
+}
+
 func newMemConservativeLoader() geodata.LoaderImplementation {
 	return &memConservativeLoader{make(map[string]*router.GeoIP), make(map[string]*router.GeoSite)}
 }
--- a/component/geodata/router/condition.go
+++ b/component/geodata/router/condition.go
@ -1,7 +1,10 @@
 package router

 import (
+	"encoding/binary"
 	"fmt"
+	"net"
+	"sort"
 	"strings"

 	"github.com/Dreamacro/clash/component/geodata/strmatcher"
@ -30,9 +33,10 @@ func domainToMatcher(domain *Domain) (strmatcher.Matcher, error) {

 type DomainMatcher struct {
 	matchers strmatcher.IndexMatcher
+	not      bool
 }

-func NewMphMatcherGroup(domains []*Domain) (*DomainMatcher, error) {
+func NewMphMatcherGroup(domains []*Domain, not bool) (*DomainMatcher, error) {
 	g := strmatcher.NewMphMatcherGroup()
 	for _, d := range domains {
 		matcherType, f := matcherTypeMap[d.Type]
@ -47,11 +51,12 @@ func NewMphMatcherGroup(domains []*Domain) (*DomainMatcher, error) {
 	g.Build()
 	return &DomainMatcher{
 		matchers: g,
+		not:      not,
 	}, nil
 }

 // NewDomainMatcher new domain matcher.
-func NewDomainMatcher(domains []*Domain) (*DomainMatcher, error) {
+func NewDomainMatcher(domains []*Domain, not bool) (*DomainMatcher, error) {
 	g := new(strmatcher.MatcherGroup)
 	for _, d := range domains {
 		m, err := domainToMatcher(d)
@ -63,9 +68,289 @@ func NewDomainMatcher(domains []*Domain) (*DomainMatcher, error) {

 	return &DomainMatcher{
 		matchers: g,
+		not:      not,
 	}, nil
 }

 func (m *DomainMatcher) ApplyDomain(domain string) bool {
-	return len(m.matchers.Match(strings.ToLower(domain))) > 0
+	isMatched := len(m.matchers.Match(strings.ToLower(domain))) > 0
+	if m.not {
+		isMatched = !isMatched
+	}
+	return isMatched
+}
+
+// CIDRList is an alias of []*CIDR to provide sort.Interface.
+type CIDRList []*CIDR
+
+// Len implements sort.Interface.
+func (l *CIDRList) Len() int {
+	return len(*l)
+}
+
+// Less implements sort.Interface.
+func (l *CIDRList) Less(i int, j int) bool {
+	ci := (*l)[i]
+	cj := (*l)[j]
+
+	if len(ci.Ip) < len(cj.Ip) {
+		return true
+	}
+
+	if len(ci.Ip) > len(cj.Ip) {
+		return false
+	}
+
+	for k := 0; k < len(ci.Ip); k++ {
+		if ci.Ip[k] < cj.Ip[k] {
+			return true
+		}
+
+		if ci.Ip[k] > cj.Ip[k] {
+			return false
+		}
+	}
+
+	return ci.Prefix < cj.Prefix
+}
+
+// Swap implements sort.Interface.
+func (l *CIDRList) Swap(i int, j int) {
+	(*l)[i], (*l)[j] = (*l)[j], (*l)[i]
+}
+
+type ipv6 struct {
+	a uint64
+	b uint64
+}
+
+type GeoIPMatcher struct {
+	countryCode  string
+	reverseMatch bool
+	ip4          []uint32
+	prefix4      []uint8
+	ip6          []ipv6
+	prefix6      []uint8
+}
+
+func normalize4(ip uint32, prefix uint8) uint32 {
+	return (ip >> (32 - prefix)) << (32 - prefix)
+}
+
+func normalize6(ip ipv6, prefix uint8) ipv6 {
+	if prefix <= 64 {
+		ip.a = (ip.a >> (64 - prefix)) << (64 - prefix)
+		ip.b = 0
+	} else {
+		ip.b = (ip.b >> (128 - prefix)) << (128 - prefix)
+	}
+	return ip
+}
+
+func (m *GeoIPMatcher) Init(cidrs []*CIDR) error {
+	ip4Count := 0
+	ip6Count := 0
+
+	for _, cidr := range cidrs {
+		ip := cidr.Ip
+		switch len(ip) {
+		case 4:
+			ip4Count++
+		case 16:
+			ip6Count++
+		default:
+			return fmt.Errorf("unexpect ip length: %d", len(ip))
+		}
+	}
+
+	cidrList := CIDRList(cidrs)
+	sort.Sort(&cidrList)
+
+	m.ip4 = make([]uint32, 0, ip4Count)
+	m.prefix4 = make([]uint8, 0, ip4Count)
+	m.ip6 = make([]ipv6, 0, ip6Count)
+	m.prefix6 = make([]uint8, 0, ip6Count)
+
+	for _, cidr := range cidrs {
+		ip := cidr.Ip
+		prefix := uint8(cidr.Prefix)
+		switch len(ip) {
+		case 4:
+			m.ip4 = append(m.ip4, normalize4(binary.BigEndian.Uint32(ip), prefix))
+			m.prefix4 = append(m.prefix4, prefix)
+		case 16:
+			ip6 := ipv6{
+				a: binary.BigEndian.Uint64(ip[0:8]),
+				b: binary.BigEndian.Uint64(ip[8:16]),
+			}
+			ip6 = normalize6(ip6, prefix)
+
+			m.ip6 = append(m.ip6, ip6)
+			m.prefix6 = append(m.prefix6, prefix)
+		}
+	}
+
+	return nil
+}
+
+func (m *GeoIPMatcher) SetReverseMatch(isReverseMatch bool) {
+	m.reverseMatch = isReverseMatch
+}
+
+func (m *GeoIPMatcher) match4(ip uint32) bool {
+	if len(m.ip4) == 0 {
+		return false
+	}
+
+	if ip < m.ip4[0] {
+		return false
+	}
+
+	size := uint32(len(m.ip4))
+	l := uint32(0)
+	r := size
+	for l < r {
+		x := ((l + r) >> 1)
+		if ip < m.ip4[x] {
+			r = x
+			continue
+		}
+
+		nip := normalize4(ip, m.prefix4[x])
+		if nip == m.ip4[x] {
+			return true
+		}
+
+		l = x + 1
+	}
+
+	return l > 0 && normalize4(ip, m.prefix4[l-1]) == m.ip4[l-1]
+}
+
+func less6(a ipv6, b ipv6) bool {
+	return a.a < b.a || (a.a == b.a && a.b < b.b)
+}
+
+func (m *GeoIPMatcher) match6(ip ipv6) bool {
+	if len(m.ip6) == 0 {
+		return false
+	}
+
+	if less6(ip, m.ip6[0]) {
+		return false
+	}
+
+	size := uint32(len(m.ip6))
+	l := uint32(0)
+	r := size
+	for l < r {
+		x := (l + r) / 2
+		if less6(ip, m.ip6[x]) {
+			r = x
+			continue
+		}
+
+		if normalize6(ip, m.prefix6[x]) == m.ip6[x] {
+			return true
+		}
+
+		l = x + 1
+	}
+
+	return l > 0 && normalize6(ip, m.prefix6[l-1]) == m.ip6[l-1]
+}
+
+// Match returns true if the given ip is included by the GeoIP.
+func (m *GeoIPMatcher) Match(ip net.IP) bool {
+	switch len(ip) {
+	case 4:
+		if m.reverseMatch {
+			return !m.match4(binary.BigEndian.Uint32(ip))
+		}
+		return m.match4(binary.BigEndian.Uint32(ip))
+	case 16:
+		if m.reverseMatch {
+			return !m.match6(ipv6{
+				a: binary.BigEndian.Uint64(ip[0:8]),
+				b: binary.BigEndian.Uint64(ip[8:16]),
+			})
+		}
+		return m.match6(ipv6{
+			a: binary.BigEndian.Uint64(ip[0:8]),
+			b: binary.BigEndian.Uint64(ip[8:16]),
+		})
+	default:
+		return false
+	}
+}
+
+// GeoIPMatcherContainer is a container for GeoIPMatchers. It keeps unique copies of GeoIPMatcher by country code.
+type GeoIPMatcherContainer struct {
+	matchers []*GeoIPMatcher
+}
+
+// Add adds a new GeoIP set into the container.
+// If the country code of GeoIP is not empty, GeoIPMatcherContainer will try to find an existing one, instead of adding a new one.
+func (c *GeoIPMatcherContainer) Add(geoip *GeoIP) (*GeoIPMatcher, error) {
+	if len(geoip.CountryCode) > 0 {
+		for _, m := range c.matchers {
+			if m.countryCode == geoip.CountryCode && m.reverseMatch == geoip.ReverseMatch {
+				return m, nil
+			}
+		}
+	}
+
+	m := &GeoIPMatcher{
+		countryCode:  geoip.CountryCode,
+		reverseMatch: geoip.ReverseMatch,
+	}
+	if err := m.Init(geoip.Cidr); err != nil {
+		return nil, err
+	}
+	if len(geoip.CountryCode) > 0 {
+		c.matchers = append(c.matchers, m)
+	}
+	return m, nil
+}
+
+var globalGeoIPContainer GeoIPMatcherContainer
+
+type MultiGeoIPMatcher struct {
+	matchers []*GeoIPMatcher
+}
+
+func NewGeoIPMatcher(geoip *GeoIP) (*GeoIPMatcher, error) {
+	matcher, err := globalGeoIPContainer.Add(geoip)
+	if err != nil {
+		return nil, err
+	}
+
+	return matcher, nil
+}
+
+func (m *MultiGeoIPMatcher) ApplyIp(ip net.IP) bool {
+	for _, matcher := range m.matchers {
+		if matcher.Match(ip) {
+			return true
+		}
+	}
+
+	return false
+}
+
+func NewMultiGeoIPMatcher(geoips []*GeoIP) (*MultiGeoIPMatcher, error) {
+	var matchers []*GeoIPMatcher
+	for _, geoip := range geoips {
+		matcher, err := globalGeoIPContainer.Add(geoip)
+		if err != nil {
+			return nil, err
+		}
+		matchers = append(matchers, matcher)
+	}
+
+	matcher := &MultiGeoIPMatcher{
+		matchers: matchers,
+	}
+
+	return matcher, nil
 }
--- a/component/geodata/router/config.pb.go
+++ b/component/geodata/router/config.pb.go
@ -7,10 +7,11 @@
 package router

 import (
-	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
-	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 )

 const (
--- a/component/geodata/standard/standard.go
+++ b/component/geodata/standard/standard.go
@ -9,7 +9,6 @@ import (
 	"github.com/Dreamacro/clash/component/geodata"
 	"github.com/Dreamacro/clash/component/geodata/router"
 	C "github.com/Dreamacro/clash/constant"
-
 	"google.golang.org/protobuf/proto"
 )

@ -26,14 +25,10 @@ func ReadFile(path string) ([]byte, error) {
 }

 func ReadAsset(file string) ([]byte, error) {
-	return ReadFile(C.Path.Resolve(file))
+	return ReadFile(C.Path.GetAssetLocation(file))
 }

-func loadIP(filename, country string) ([]*router.CIDR, error) {
-	geoipBytes, err := ReadAsset(filename)
-	if err != nil {
-		return nil, fmt.Errorf("failed to open file: %s, base error: %s", filename, err.Error())
-	}
+func loadIP(geoipBytes []byte, country string) ([]*router.CIDR, error) {
 	var geoipList router.GeoIPList
 	if err := proto.Unmarshal(geoipBytes, &geoipList); err != nil {
 		return nil, err
@ -45,14 +40,10 @@ func loadIP(filename, country string) ([]*router.CIDR, error) {
 		}
 	}

-	return nil, fmt.Errorf("country not found in %s%s%s", filename, ": ", country)
+	return nil, fmt.Errorf("country %s not found", country)
 }

-func loadSite(filename, list string) ([]*router.Domain, error) {
-	geositeBytes, err := ReadAsset(filename)
-	if err != nil {
-		return nil, fmt.Errorf("failed to open file: %s, base error: %s", filename, err.Error())
-	}
+func loadSite(geositeBytes []byte, list string) ([]*router.Domain, error) {
 	var geositeList router.GeoSiteList
 	if err := proto.Unmarshal(geositeBytes, &geositeList); err != nil {
 		return nil, err
@ -64,17 +55,33 @@ func loadSite(filename, list string) ([]*router.Domain, error) {
 		}
 	}

-	return nil, fmt.Errorf("list not found in %s%s%s", filename, ": ", list)
+	return nil, fmt.Errorf("list %s not found", list)
 }

 type standardLoader struct{}

-func (d standardLoader) LoadSite(filename, list string) ([]*router.Domain, error) {
-	return loadSite(filename, list)
+func (d standardLoader) LoadSiteByPath(filename, list string) ([]*router.Domain, error) {
+	geositeBytes, err := ReadAsset(filename)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open file: %s, base error: %s", filename, err.Error())
+	}
+	return loadSite(geositeBytes, list)
 }

-func (d standardLoader) LoadIP(filename, country string) ([]*router.CIDR, error) {
-	return loadIP(filename, country)
+func (d standardLoader) LoadSiteByBytes(geositeBytes []byte, list string) ([]*router.Domain, error) {
+	return loadSite(geositeBytes, list)
+}
+
+func (d standardLoader) LoadIPByPath(filename, country string) ([]*router.CIDR, error) {
+	geoipBytes, err := ReadAsset(filename)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open file: %s, base error: %s", filename, err.Error())
+	}
+	return loadIP(geoipBytes, country)
+}
+
+func (d standardLoader) LoadIPByBytes(geoipBytes []byte, country string) ([]*router.CIDR, error) {
+	return loadIP(geoipBytes, country)
 }

 func init() {
--- a/component/geodata/utils.go
+++ b/component/geodata/utils.go
@ -1,13 +1,51 @@
 package geodata

 import (
-	"github.com/Dreamacro/clash/component/geodata/router"
+	"fmt"

-	"golang.org/x/exp/maps"
+	"github.com/Dreamacro/clash/component/geodata/router"
+	C "github.com/Dreamacro/clash/constant"
 )

-func loadGeoSiteMatcher(countryCode string) (*router.DomainMatcher, int, error) {
-	geoLoaderName := "standard"
+var geoLoaderName = "memconservative"
+
+//  geoLoaderName = "standard"
+
+func LoaderName() string {
+	return geoLoaderName
+}
+
+func SetLoader(newLoader string) {
+	if newLoader == "memc" {
+		newLoader = "memconservative"
+	}
+	geoLoaderName = newLoader
+}
+
+func Verify(name string) error {
+	switch name {
+	case C.GeositeName:
+		_, _, err := LoadGeoSiteMatcher("CN")
+		return err
+	case C.GeoipName:
+		_, _, err := LoadGeoIPMatcher("CN")
+		return err
+	default:
+		return fmt.Errorf("not support name")
+	}
+}
+
+func LoadGeoSiteMatcher(countryCode string) (*router.DomainMatcher, int, error) {
+	if len(countryCode) == 0 {
+		return nil, 0, fmt.Errorf("country code could not be empty")
+	}
+
+	not := false
+	if countryCode[0] == '!' {
+		not = true
+		countryCode = countryCode[1:]
+	}
+
 	geoLoader, err := GetGeoDataLoader(geoLoaderName)
 	if err != nil {
 		return nil, 0, err
@ -23,7 +61,7 @@ func loadGeoSiteMatcher(countryCode string) (*router.DomainMatcher, int, error)
 	matcher, err := router.NewDomainMatcher(domains)
 	mph：minimal perfect hash algorithm
 	*/
-	matcher, err := router.NewMphMatcherGroup(domains)
+	matcher, err := router.NewMphMatcherGroup(domains, not)
 	if err != nil {
 		return nil, 0, err
 	}
@ -31,32 +69,36 @@ func loadGeoSiteMatcher(countryCode string) (*router.DomainMatcher, int, error)
 	return matcher, len(domains), nil
 }

-var ruleProviders = make(map[string]*router.DomainMatcher)
-
-// HasProvider has geo site provider by county code
-func HasProvider(countyCode string) (ok bool) {
-	_, ok = ruleProviders[countyCode]
-	return ok
-}
-
-// GetProvidersList get geo site providers
-func GetProvidersList(countyCode string) []*router.DomainMatcher {
-	return maps.Values(ruleProviders)
-}
-
-// GetProviderByCode get geo site provider by county code
-func GetProviderByCode(countyCode string) (matcher *router.DomainMatcher, ok bool) {
-	matcher, ok = ruleProviders[countyCode]
-	return
-}
-
-func LoadProviderByCode(countyCode string) (matcher *router.DomainMatcher, count int, err error) {
-	var ok bool
-	matcher, ok = ruleProviders[countyCode]
-	if !ok {
-		if matcher, count, err = loadGeoSiteMatcher(countyCode); err == nil {
-			ruleProviders[countyCode] = matcher
-		}
+func LoadGeoIPMatcher(country string) (*router.GeoIPMatcher, int, error) {
+	if len(country) == 0 {
+		return nil, 0, fmt.Errorf("country code could not be empty")
 	}
-	return
+	geoLoader, err := GetGeoDataLoader(geoLoaderName)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	not := false
+	if country[0] == '!' {
+		not = true
+		country = country[1:]
+	}
+
+	records, err := geoLoader.LoadGeoIP(country)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	geoIP := &router.GeoIP{
+		CountryCode:  country,
+		Cidr:         records,
+		ReverseMatch: not,
+	}
+
+	matcher, err := router.NewGeoIPMatcher(geoIP)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	return matcher, len(records), nil
 }
--- a/component/http/http.go
+++ b/component/http/http.go
@ -0,0 +1,64 @@
+package http
+
+import (
+	"context"
+	"io"
+	"net"
+	"net/http"
+	URL "net/url"
+	"strings"
+	"time"
+
+	"github.com/Dreamacro/clash/listener/inner"
+	"github.com/Dreamacro/clash/log"
+)
+
+const (
+	UA = "Clash"
+)
+
+func HttpRequest(ctx context.Context, url, method string, header map[string][]string, body io.Reader) (*http.Response, error) {
+	method = strings.ToUpper(method)
+	urlRes, err := URL.Parse(url)
+	if err != nil {
+		return nil, err
+	}
+
+	req, err := http.NewRequest(method, urlRes.String(), body)
+	for k, v := range header {
+		for _, v := range v {
+			req.Header.Add(k, v)
+		}
+	}
+
+	if _, ok := header["User-Agent"]; !ok {
+		req.Header.Set("User-Agent", UA)
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	if user := urlRes.User; user != nil {
+		password, _ := user.Password()
+		req.SetBasicAuth(user.Username(), password)
+	}
+
+	req = req.WithContext(ctx)
+
+	transport := &http.Transport{
+		// from http.DefaultTransport
+		MaxIdleConns:          100,
+		IdleConnTimeout:       30 * time.Second,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+		DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
+			log.Infoln(urlRes.String())
+			conn := inner.HandleTcp(address, urlRes.Hostname())
+			return conn, nil
+		},
+	}
+
+	client := http.Client{Transport: transport}
+	return client.Do(req)
+}
--- a/component/mmdb/mmdb.go
+++ b/component/mmdb/mmdb.go
@ -5,7 +5,6 @@ import (

 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
-
 	"github.com/oschwald/geoip2-golang"
 )

--- a/component/process/process.go
+++ b/component/process/process.go
@ -13,6 +13,8 @@ var (
 	ErrInvalidNetwork     = errors.New("invalid network")
 	ErrPlatformNotSupport = errors.New("not support on this platform")
 	ErrNotFound           = errors.New("process not found")
+
+	enableFindProcess = true
 )

 const (
@ -20,12 +22,26 @@ const (
 	UDP = "udp"
 )

-func FindProcessName(network string, srcIP netip.Addr, srcPort int) (string, error) {
+func EnableFindProcess(e bool) {
+	enableFindProcess = e
+}
+
+func FindProcessName(network string, srcIP netip.Addr, srcPort int) (int32, string, error) {
 	return findProcessName(network, srcIP, srcPort)
 }

+func FindUid(network string, srcIP netip.Addr, srcPort int) (int32, error) {
+	_, uid, err := resolveSocketByNetlink(network, srcIP, srcPort)
+	if err != nil {
+		return -1, err
+	}
+	return uid, nil
+}
+
 func ShouldFindProcess(metadata *C.Metadata) bool {
-	if metadata.Process != "" {
+	if !enableFindProcess ||
+		metadata.Process != "" ||
+		metadata.ProcessPath != "" {
 		return false
 	}
 	for _, ip := range localIPs {
--- a/component/process/process_darwin.go
+++ b/component/process/process_darwin.go
@ -7,7 +7,6 @@ import (
 	"unsafe"

 	"github.com/Dreamacro/clash/common/nnip"
-
 	"golang.org/x/sys/unix"
 )

@ -17,7 +16,11 @@ const (
 	proccallnumpidinfo  = 0x2
 )

-func findProcessName(network string, ip netip.Addr, port int) (string, error) {
+func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (int32, int32, error) {
+	return 0, 0, ErrPlatformNotSupport
+}
+
+func findProcessName(network string, ip netip.Addr, port int) (int32, string, error) {
 	var spath string
 	switch network {
 	case TCP:
@ -25,14 +28,14 @@ func findProcessName(network string, ip netip.Addr, port int) (string, error) {
 	case UDP:
 		spath = "net.inet.udp.pcblist_n"
 	default:
-		return "", ErrInvalidNetwork
+		return -1, "", ErrInvalidNetwork
 	}

 	isIPv4 := ip.Is4()

 	value, err := syscall.Sysctl(spath)
 	if err != nil {
-		return "", err
+		return -1, "", err
 	}

 	buf := []byte(value)
@ -77,10 +80,11 @@ func findProcessName(network string, ip netip.Addr, port int) (string, error) {

 		// xsocket_n.so_last_pid
 		pid := readNativeUint32(buf[so+68 : so+72])
-		return getExecPathFromPID(pid)
+		pp, err := getExecPathFromPID(pid)
+		return -1, pp, err
 	}

-	return "", ErrNotFound
+	return -1, "", ErrNotFound
 }

 func getExecPathFromPID(pid uint32) (string, error) {
--- a/component/process/process_freebsd_amd64.go
+++ b/component/process/process_freebsd_amd64.go
@ -21,7 +21,11 @@ var (
 	once sync.Once
 )

-func findProcessName(network string, ip netip.Addr, srcPort int) (string, error) {
+func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (int32, int32, error) {
+	return 0, 0, ErrPlatformNotSupport
+}
+
+func findProcessName(network string, ip netip.Addr, srcPort int) (int32, string, error) {
 	once.Do(func() {
 		if err := initSearcher(); err != nil {
 			log.Errorln("Initialize PROCESS-NAME failed: %s", err.Error())
@ -31,7 +35,7 @@ func findProcessName(network string, ip netip.Addr, srcPort int) (string, error)
 	})

 	if defaultSearcher == nil {
-		return "", ErrPlatformNotSupport
+		return -1, "", ErrPlatformNotSupport
 	}

 	var spath string
@ -42,21 +46,22 @@ func findProcessName(network string, ip netip.Addr, srcPort int) (string, error)
 	case UDP:
 		spath = "net.inet.udp.pcblist"
 	default:
-		return "", ErrInvalidNetwork
+		return -1, "", ErrInvalidNetwork
 	}

 	value, err := syscall.Sysctl(spath)
 	if err != nil {
-		return "", err
+		return -1, "", err
 	}

 	buf := []byte(value)
 	pid, err := defaultSearcher.Search(buf, ip, uint16(srcPort), isTCP)
 	if err != nil {
-		return "", err
+		return -1, "", err
 	}

-	return getExecPathFromPID(pid)
+	pp, err := getExecPathFromPID(pid)
+	return -1, pp, err
 }

 func getExecPathFromPID(pid uint32) (string, error) {
--- a/component/process/process_linux.go
+++ b/component/process/process_linux.go
@ -8,6 +8,8 @@ import (
 	"net/netip"
 	"os"
 	"path"
+	"path/filepath"
+	"runtime"
 	"strings"
 	"syscall"
 	"unicode"
@ -32,13 +34,13 @@ const (
 	pathProc                = "/proc"
 )

-func findProcessName(network string, ip netip.Addr, srcPort int) (string, error) {
+func findProcessName(network string, ip netip.Addr, srcPort int) (int32, string, error) {
 	inode, uid, err := resolveSocketByNetlink(network, ip, srcPort)
 	if err != nil {
-		return "", err
+		return -1, "", err
 	}
-
-	return resolveProcessNameByProcSearch(inode, uid)
+	pp, err := resolveProcessNameByProcSearch(inode, uid)
+	return uid, pp, err
 }

 func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (int32, int32, error) {
@ -108,7 +110,7 @@ func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (int32,
 		return 0, 0, fmt.Errorf("netlink message: NLMSG_ERROR")
 	}

-	inode, uid := unpackSocketDiagResponse(&messages[0])
+	inode, uid := unpackSocketDiagResponse(&message)
 	if inode < 0 || uid < 0 {
 		return 0, 0, fmt.Errorf("invalid inode(%d) or uid(%d)", inode, uid)
 	}
@ -196,8 +198,19 @@ func resolveProcessNameByProcSearch(inode, uid int32) (string, error) {
 				continue
 			}

-			if bytes.Equal(buffer[:n], socket) {
-				return os.Readlink(path.Join(processPath, "exe"))
+			if runtime.GOOS == "android" {
+				if bytes.Equal(buffer[:n], socket) {
+					cmdline, err := os.ReadFile(path.Join(processPath, "cmdline"))
+					if err != nil {
+						return "", err
+					}
+
+					return splitCmdline(cmdline), nil
+				}
+			} else {
+				if bytes.Equal(buffer[:n], socket) {
+					return os.Readlink(path.Join(processPath, "exe"))
+				}
 			}
 		}
 	}
@ -205,6 +218,19 @@ func resolveProcessNameByProcSearch(inode, uid int32) (string, error) {
 	return "", fmt.Errorf("process of uid(%d),inode(%d) not found", uid, inode)
 }

+func splitCmdline(cmdline []byte) string {
+	cmdline = bytes.Trim(cmdline, " ")
+
+	idx := bytes.IndexFunc(cmdline, func(r rune) bool {
+		return unicode.IsControl(r) || unicode.IsSpace(r)
+	})
+
+	if idx == -1 {
+		return filepath.Base(string(cmdline))
+	}
+	return filepath.Base(string(cmdline[:idx]))
+}
+
 func isPid(s string) bool {
 	return strings.IndexFunc(s, func(r rune) bool {
 		return !unicode.IsDigit(r)
--- a/component/process/process_other.go
+++ b/component/process/process_other.go
@ -4,6 +4,10 @@ package process

 import "net/netip"

-func findProcessName(network string, ip netip.Addr, srcPort int) (string, error) {
-	return "", ErrPlatformNotSupport
+func findProcessName(network string, ip netip.Addr, srcPort int) (int32, string, error) {
+	return -1, "", ErrPlatformNotSupport
+}
+
+func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (int32, int32, error) {
+	return 0, 0, ErrPlatformNotSupport
 }
--- a/component/process/process_windows.go
+++ b/component/process/process_windows.go
@ -9,7 +9,6 @@ import (

 	"github.com/Dreamacro/clash/common/nnip"
 	"github.com/Dreamacro/clash/log"
-
 	"golang.org/x/sys/windows"
 )

@ -29,6 +28,10 @@ var (
 	once sync.Once
 )

+func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (int32, int32, error) {
+	return 0, 0, ErrPlatformNotSupport
+}
+
 func initWin32API() error {
 	h, err := windows.LoadLibrary("iphlpapi.dll")
 	if err != nil {
@ -58,7 +61,7 @@ func initWin32API() error {
 	return nil
 }

-func findProcessName(network string, ip netip.Addr, srcPort int) (string, error) {
+func findProcessName(network string, ip netip.Addr, srcPort int) (int32, string, error) {
 	once.Do(func() {
 		err := initWin32API()
 		if err != nil {
@ -82,21 +85,22 @@ func findProcessName(network string, ip netip.Addr, srcPort int) (string, error)
 		fn = getExUDPTable
 		class = udpTablePid
 	default:
-		return "", ErrInvalidNetwork
+		return -1, "", ErrInvalidNetwork
 	}

 	buf, err := getTransportTable(fn, family, class)
 	if err != nil {
-		return "", err
+		return -1, "", err
 	}

 	s := newSearcher(family == windows.AF_INET, network == TCP)

 	pid, err := s.Search(buf, ip, uint16(srcPort))
 	if err != nil {
-		return "", err
+		return -1, "", err
 	}
-	return getExecPathFromPID(pid)
+	pp, err := getExecPathFromPID(pid)
+	return -1, pp, err
 }

 type searcher struct {
@ -215,8 +219,7 @@ func getExecPathFromPID(pid uint32) (string, error) {
 		uintptr(h),
 		uintptr(1),
 		uintptr(unsafe.Pointer(&buf[0])),
-		uintptr(unsafe.Pointer(&size)),
-	)
+		uintptr(unsafe.Pointer(&size)))
 	if r1 == 0 {
 		return "", err
 	}
--- a/component/profile/cachefile/cache.go
+++ b/component/profile/cachefile/cache.go
@ -8,7 +8,6 @@ import (
 	"github.com/Dreamacro/clash/component/profile"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
-
 	"go.etcd.io/bbolt"
 )

--- a/component/resolver/resolver.go
+++ b/component/resolver/resolver.go
@ -40,6 +40,10 @@ type Resolver interface {
 	ResolveIP(host string) (ip netip.Addr, err error)
 	ResolveIPv4(host string) (ip netip.Addr, err error)
 	ResolveIPv6(host string) (ip netip.Addr, err error)
+	ResolveAllIP(host string) (ip []netip.Addr, err error)
+	ResolveAllIPPrimaryIPv4(host string) (ips []netip.Addr, err error)
+	ResolveAllIPv4(host string) (ips []netip.Addr, err error)
+	ResolveAllIPv6(host string) (ips []netip.Addr, err error)
 }

 // ResolveIPv4 with a host, return ipv4
@ -48,43 +52,11 @@ func ResolveIPv4(host string) (netip.Addr, error) {
 }

 func ResolveIPv4WithResolver(host string, r Resolver) (netip.Addr, error) {
-	if node := DefaultHosts.Search(host); node != nil {
-		if ip := node.Data; ip.Is4() {
-			return ip, nil
-		}
+	if ips, err := ResolveAllIPv4WithResolver(host, r); err == nil {
+		return ips[rand.Intn(len(ips))], nil
+	} else {
+		return netip.Addr{}, nil
 	}
-
-	ip, err := netip.ParseAddr(host)
-	if err == nil {
-		if ip.Is4() {
-			return ip, nil
-		}
-		return netip.Addr{}, ErrIPVersion
-	}
-
-	if r != nil {
-		return r.ResolveIPv4(host)
-	}
-
-	if DefaultResolver == nil {
-		ctx, cancel := context.WithTimeout(context.Background(), DefaultDNSTimeout)
-		defer cancel()
-		ipAddrs, err := net.DefaultResolver.LookupIP(ctx, "ip4", host)
-		if err != nil {
-			return netip.Addr{}, err
-		} else if len(ipAddrs) == 0 {
-			return netip.Addr{}, ErrIPNotFound
-		}
-
-		ip := ipAddrs[rand.Intn(len(ipAddrs))].To4()
-		if ip == nil {
-			return netip.Addr{}, ErrIPVersion
-		}
-
-		return netip.AddrFrom4(*(*[4]byte)(ip)), nil
-	}
-
-	return netip.Addr{}, ErrIPNotFound
 }

 // ResolveIPv6 with a host, return ipv6
@ -93,74 +65,20 @@ func ResolveIPv6(host string) (netip.Addr, error) {
 }

 func ResolveIPv6WithResolver(host string, r Resolver) (netip.Addr, error) {
-	if DisableIPv6 {
-		return netip.Addr{}, ErrIPv6Disabled
+	if ips, err := ResolveAllIPv6WithResolver(host, r); err == nil {
+		return ips[rand.Intn(len(ips))], nil
+	} else {
+		return netip.Addr{}, err
 	}
-
-	if node := DefaultHosts.Search(host); node != nil {
-		if ip := node.Data; ip.Is6() {
-			return ip, nil
-		}
-	}
-
-	ip, err := netip.ParseAddr(host)
-	if err == nil {
-		if ip.Is6() {
-			return ip, nil
-		}
-		return netip.Addr{}, ErrIPVersion
-	}
-
-	if r != nil {
-		return r.ResolveIPv6(host)
-	}
-
-	if DefaultResolver == nil {
-		ctx, cancel := context.WithTimeout(context.Background(), DefaultDNSTimeout)
-		defer cancel()
-		ipAddrs, err := net.DefaultResolver.LookupIP(ctx, "ip6", host)
-		if err != nil {
-			return netip.Addr{}, err
-		} else if len(ipAddrs) == 0 {
-			return netip.Addr{}, ErrIPNotFound
-		}
-
-		return netip.AddrFrom16(*(*[16]byte)(ipAddrs[rand.Intn(len(ipAddrs))])), nil
-	}
-
-	return netip.Addr{}, ErrIPNotFound
 }

 // ResolveIPWithResolver same as ResolveIP, but with a resolver
 func ResolveIPWithResolver(host string, r Resolver) (netip.Addr, error) {
-	if node := DefaultHosts.Search(host); node != nil {
-		return node.Data, nil
+	if ips, err := ResolveAllIPPrimaryIPv4WithResolver(host, r); err == nil {
+		return ips[rand.Intn(len(ips))], nil
+	} else {
+		return netip.Addr{}, err
 	}
-
-	if r != nil {
-		if DisableIPv6 {
-			return r.ResolveIPv4(host)
-		}
-		return r.ResolveIP(host)
-	} else if DisableIPv6 {
-		return ResolveIPv4(host)
-	}
-
-	ip, err := netip.ParseAddr(host)
-	if err == nil {
-		return ip, nil
-	}
-
-	if DefaultResolver == nil {
-		ipAddr, err := net.ResolveIPAddr("ip", host)
-		if err != nil {
-			return netip.Addr{}, err
-		}
-
-		return nnip.IpToAddr(ipAddr.IP), nil
-	}
-
-	return netip.Addr{}, ErrIPNotFound
 }

 // ResolveIP with a host, return ip
@ -171,23 +89,217 @@ func ResolveIP(host string) (netip.Addr, error) {
 // ResolveIPv4ProxyServerHost proxies server host only
 func ResolveIPv4ProxyServerHost(host string) (netip.Addr, error) {
 	if ProxyServerHostResolver != nil {
-		return ResolveIPv4WithResolver(host, ProxyServerHostResolver)
+		if ip, err := ResolveIPv4WithResolver(host, ProxyServerHostResolver); err != nil {
+			return ResolveIPv4(host)
+		} else {
+			return ip, nil
+		}
 	}
+
 	return ResolveIPv4(host)
 }

 // ResolveIPv6ProxyServerHost proxies server host only
 func ResolveIPv6ProxyServerHost(host string) (netip.Addr, error) {
 	if ProxyServerHostResolver != nil {
-		return ResolveIPv6WithResolver(host, ProxyServerHostResolver)
+		if ip, err := ResolveIPv6WithResolver(host, ProxyServerHostResolver); err != nil {
+			return ResolveIPv6(host)
+		} else {
+			return ip, nil
+		}
 	}
+
 	return ResolveIPv6(host)
 }

 // ResolveProxyServerHost proxies server host only
 func ResolveProxyServerHost(host string) (netip.Addr, error) {
 	if ProxyServerHostResolver != nil {
-		return ResolveIPWithResolver(host, ProxyServerHostResolver)
+		if ip, err := ResolveIPWithResolver(host, ProxyServerHostResolver); err != nil {
+			return ResolveIP(host)
+		} else {
+			return ip, err
+		}
 	}
+
 	return ResolveIP(host)
 }
+
+func ResolveAllIPv6WithResolver(host string, r Resolver) ([]netip.Addr, error) {
+	if DisableIPv6 {
+		return []netip.Addr{}, ErrIPv6Disabled
+	}
+
+	if node := DefaultHosts.Search(host); node != nil {
+		if ip := node.Data; ip.Is6() {
+			return []netip.Addr{ip}, nil
+		}
+	}
+
+	ip, err := netip.ParseAddr(host)
+	if err == nil {
+		if ip.Is6() {
+			return []netip.Addr{ip}, nil
+		}
+		return []netip.Addr{}, ErrIPVersion
+	}
+
+	if r != nil {
+		return r.ResolveAllIPv6(host)
+	}
+
+	if DefaultResolver == nil {
+		ctx, cancel := context.WithTimeout(context.Background(), DefaultDNSTimeout)
+		defer cancel()
+		ipAddrs, err := net.DefaultResolver.LookupIP(ctx, "ip6", host)
+		if err != nil {
+			return []netip.Addr{}, err
+		} else if len(ipAddrs) == 0 {
+			return []netip.Addr{}, ErrIPNotFound
+		}
+
+		return []netip.Addr{netip.AddrFrom16(*(*[16]byte)(ipAddrs[rand.Intn(len(ipAddrs))]))}, nil
+	}
+
+	return []netip.Addr{}, ErrIPNotFound
+}
+
+func ResolveAllIPv4WithResolver(host string, r Resolver) ([]netip.Addr, error) {
+	if node := DefaultHosts.Search(host); node != nil {
+		if ip := node.Data; ip.Is4() {
+			return []netip.Addr{node.Data}, nil
+		}
+	}
+
+	ip, err := netip.ParseAddr(host)
+	if err == nil {
+		if ip.Is4() {
+			return []netip.Addr{ip}, nil
+		}
+		return []netip.Addr{}, ErrIPVersion
+	}
+
+	if r != nil {
+		return r.ResolveAllIPv4(host)
+	}
+
+	if DefaultResolver == nil {
+		ctx, cancel := context.WithTimeout(context.Background(), DefaultDNSTimeout)
+		defer cancel()
+		ipAddrs, err := net.DefaultResolver.LookupIP(ctx, "ip4", host)
+		if err != nil {
+			return []netip.Addr{}, err
+		} else if len(ipAddrs) == 0 {
+			return []netip.Addr{}, ErrIPNotFound
+		}
+
+		ip := ipAddrs[rand.Intn(len(ipAddrs))].To4()
+		if ip == nil {
+			return []netip.Addr{}, ErrIPVersion
+		}
+
+		return []netip.Addr{netip.AddrFrom4(*(*[4]byte)(ip))}, nil
+	}
+
+	return []netip.Addr{}, ErrIPNotFound
+}
+
+func ResolveAllIPWithResolver(host string, r Resolver) ([]netip.Addr, error) {
+	if node := DefaultHosts.Search(host); node != nil {
+		return []netip.Addr{node.Data}, nil
+	}
+
+	if r != nil {
+		if DisableIPv6 {
+			return r.ResolveAllIPv4(host)
+		}
+
+		return r.ResolveAllIP(host)
+	} else if DisableIPv6 {
+		return ResolveAllIPv4(host)
+	}
+
+	ip, err := netip.ParseAddr(host)
+	if err == nil {
+		return []netip.Addr{ip}, nil
+	}
+
+	if DefaultResolver == nil {
+		ipAddr, err := net.ResolveIPAddr("ip", host)
+		if err != nil {
+			return []netip.Addr{}, err
+		}
+
+		return []netip.Addr{nnip.IpToAddr(ipAddr.IP)}, nil
+	}
+
+	return []netip.Addr{}, ErrIPNotFound
+}
+
+func ResolveAllIPPrimaryIPv4WithResolver(host string, r Resolver) ([]netip.Addr, error) {
+	if node := DefaultHosts.Search(host); node != nil {
+		return []netip.Addr{node.Data}, nil
+	}
+
+	if r != nil {
+		if DisableIPv6 {
+			return r.ResolveAllIPv4(host)
+		}
+
+		return r.ResolveAllIPPrimaryIPv4(host)
+	} else if DisableIPv6 {
+		return ResolveAllIPv4(host)
+	}
+
+	ip, err := netip.ParseAddr(host)
+	if err == nil {
+		return []netip.Addr{ip}, nil
+	}
+
+	if DefaultResolver == nil {
+		ipAddr, err := net.ResolveIPAddr("ip", host)
+		if err != nil {
+			return []netip.Addr{}, err
+		}
+
+		return []netip.Addr{nnip.IpToAddr(ipAddr.IP)}, nil
+	}
+
+	return []netip.Addr{}, ErrIPNotFound
+}
+
+func ResolveAllIP(host string) ([]netip.Addr, error) {
+	return ResolveAllIPWithResolver(host, DefaultResolver)
+}
+
+func ResolveAllIPv4(host string) ([]netip.Addr, error) {
+	return ResolveAllIPv4WithResolver(host, DefaultResolver)
+}
+
+func ResolveAllIPv6(host string) ([]netip.Addr, error) {
+	return ResolveAllIPv6WithResolver(host, DefaultResolver)
+}
+
+func ResolveAllIPv6ProxyServerHost(host string) ([]netip.Addr, error) {
+	if ProxyServerHostResolver != nil {
+		return ResolveAllIPv6WithResolver(host, ProxyServerHostResolver)
+	}
+
+	return ResolveAllIPv6(host)
+}
+
+func ResolveAllIPv4ProxyServerHost(host string) ([]netip.Addr, error) {
+	if ProxyServerHostResolver != nil {
+		return ResolveAllIPv4WithResolver(host, ProxyServerHostResolver)
+	}
+
+	return ResolveAllIPv4(host)
+}
+
+func ResolveAllIPProxyServerHost(host string) ([]netip.Addr, error) {
+	if ProxyServerHostResolver != nil {
+		return ResolveAllIPWithResolver(host, ProxyServerHostResolver)
+	}
+
+	return ResolveAllIP(host)
+}
--- a/component/sniffer/dispatcher.go
+++ b/component/sniffer/dispatcher.go
@ -0,0 +1,176 @@
+package sniffer
+
+import (
+	"errors"
+	"net"
+	"net/netip"
+	"strconv"
+	"time"
+
+	CN "github.com/Dreamacro/clash/common/net"
+	"github.com/Dreamacro/clash/common/utils"
+	"github.com/Dreamacro/clash/component/resolver"
+	"github.com/Dreamacro/clash/component/trie"
+	C "github.com/Dreamacro/clash/constant"
+	"github.com/Dreamacro/clash/constant/sniffer"
+	"github.com/Dreamacro/clash/log"
+)
+
+var (
+	ErrorUnsupportedSniffer = errors.New("unsupported sniffer")
+	ErrorSniffFailed        = errors.New("all sniffer failed")
+	ErrNoClue               = errors.New("not enough information for making a decision")
+)
+
+var Dispatcher SnifferDispatcher
+
+type (
+	SnifferDispatcher struct {
+		enable bool
+
+		sniffers []sniffer.Sniffer
+
+		foreDomain *trie.DomainTrie[bool]
+		skipSNI    *trie.DomainTrie[bool]
+		portRanges *[]utils.Range[uint16]
+	}
+)
+
+func (sd *SnifferDispatcher) TCPSniff(conn net.Conn, metadata *C.Metadata) {
+	bufConn, ok := conn.(*CN.BufferedConn)
+	if !ok {
+		return
+	}
+
+	if metadata.Host == "" || sd.foreDomain.Search(metadata.Host) != nil {
+		port, err := strconv.ParseUint(metadata.DstPort, 10, 16)
+		if err != nil {
+			log.Debugln("[Sniffer] Dst port is error")
+			return
+		}
+
+		inWhitelist := false
+		for _, portRange := range *sd.portRanges {
+			if portRange.Contains(uint16(port)) {
+				inWhitelist = true
+				break
+			}
+		}
+
+		if !inWhitelist {
+			return
+		}
+
+		if host, err := sd.sniffDomain(bufConn, metadata); err != nil {
+			log.Debugln("[Sniffer] All sniffing sniff failed with from [%s:%s] to [%s:%s]", metadata.SrcIP, metadata.SrcPort, metadata.String(), metadata.DstPort)
+			return
+		} else {
+			if sd.skipSNI.Search(host) != nil {
+				log.Debugln("[Sniffer] Skip sni[%s]", host)
+				return
+			}
+
+			sd.replaceDomain(metadata, host)
+		}
+	}
+}
+
+func (sd *SnifferDispatcher) replaceDomain(metadata *C.Metadata, host string) {
+	log.Debugln("[Sniffer] Sniff TCP [%s:%s]-->[%s:%s] success, replace domain [%s]-->[%s]",
+		metadata.SrcIP, metadata.SrcPort,
+		metadata.DstIP, metadata.DstPort,
+		metadata.Host, host)
+
+	metadata.AddrType = C.AtypDomainName
+	metadata.Host = host
+	metadata.DNSMode = C.DNSMapping
+	resolver.InsertHostByIP(metadata.DstIP, host)
+}
+
+func (sd *SnifferDispatcher) Enable() bool {
+	return sd.enable
+}
+
+func (sd *SnifferDispatcher) sniffDomain(conn *CN.BufferedConn, metadata *C.Metadata) (string, error) {
+	for _, sniffer := range sd.sniffers {
+		if sniffer.SupportNetwork() == C.TCP {
+			_ = conn.SetReadDeadline(time.Now().Add(3 * time.Second))
+			_, err := conn.Peek(1)
+			_ = conn.SetReadDeadline(time.Time{})
+			if err != nil {
+				_, ok := err.(*net.OpError)
+				if ok {
+					log.Errorln("[Sniffer] [%s] may not have any sent data, Consider adding skip", metadata.DstIP.String())
+					_ = conn.Close()
+				}
+
+				return "", err
+			}
+
+			bufferedLen := conn.Buffered()
+			bytes, err := conn.Peek(bufferedLen)
+			if err != nil {
+				log.Debugln("[Sniffer] the data length not enough")
+				continue
+			}
+
+			host, err := sniffer.SniffTCP(bytes)
+			if err != nil {
+				// log.Debugln("[Sniffer] [%s] Sniff data failed %s", sniffer.Protocol(), metadata.DstIP)
+				continue
+			}
+
+			_, err = netip.ParseAddr(host)
+			if err == nil {
+				// log.Debugln("[Sniffer] [%s] Sniff data failed %s", sniffer.Protocol(), metadata.DstIP)
+				continue
+			}
+
+			return host, nil
+		}
+	}
+
+	return "", ErrorSniffFailed
+}
+
+func NewCloseSnifferDispatcher() (*SnifferDispatcher, error) {
+	dispatcher := SnifferDispatcher{
+		enable: false,
+	}
+
+	return &dispatcher, nil
+}
+
+func NewSnifferDispatcher(needSniffer []sniffer.Type, forceDomain *trie.DomainTrie[bool],
+	skipSNI *trie.DomainTrie[bool], ports *[]utils.Range[uint16],
+) (*SnifferDispatcher, error) {
+	dispatcher := SnifferDispatcher{
+		enable:     true,
+		foreDomain: forceDomain,
+		skipSNI:    skipSNI,
+		portRanges: ports,
+	}
+
+	for _, snifferName := range needSniffer {
+		sniffer, err := NewSniffer(snifferName)
+		if err != nil {
+			log.Errorln("Sniffer name[%s] is error", snifferName)
+			return &SnifferDispatcher{enable: false}, err
+		}
+
+		dispatcher.sniffers = append(dispatcher.sniffers, sniffer)
+	}
+
+	return &dispatcher, nil
+}
+
+func NewSniffer(name sniffer.Type) (sniffer.Sniffer, error) {
+	switch name {
+	case sniffer.TLS:
+		return &TLSSniffer{}, nil
+	case sniffer.HTTP:
+		return &HTTPSniffer{}, nil
+	default:
+		return nil, ErrorUnsupportedSniffer
+	}
+}
--- a/component/sniffer/http_sniffer.go
+++ b/component/sniffer/http_sniffer.go
@ -0,0 +1,101 @@
+package sniffer
+
+import (
+	"bytes"
+	"errors"
+	"net"
+	"strings"
+
+	C "github.com/Dreamacro/clash/constant"
+)
+
+var (
+	// refer to https://pkg.go.dev/net/http@master#pkg-constants
+	methods          = [...]string{"get", "post", "head", "put", "delete", "options", "connect", "patch", "trace"}
+	errNotHTTPMethod = errors.New("not an HTTP method")
+)
+
+type version byte
+
+const (
+	HTTP1 version = iota
+	HTTP2
+)
+
+type HTTPSniffer struct {
+	version version
+	host    string
+}
+
+func (http *HTTPSniffer) Protocol() string {
+	switch http.version {
+	case HTTP1:
+		return "http1"
+	case HTTP2:
+		return "http2"
+	default:
+		return "unknown"
+	}
+}
+
+func (http *HTTPSniffer) SupportNetwork() C.NetWork {
+	return C.TCP
+}
+
+func (http *HTTPSniffer) SniffTCP(bytes []byte) (string, error) {
+	domain, err := SniffHTTP(bytes)
+	if err == nil {
+		return *domain, nil
+	} else {
+		return "", err
+	}
+}
+
+func beginWithHTTPMethod(b []byte) error {
+	for _, m := range &methods {
+		if len(b) >= len(m) && strings.EqualFold(string(b[:len(m)]), m) {
+			return nil
+		}
+
+		if len(b) < len(m) {
+			return ErrNoClue
+		}
+	}
+	return errNotHTTPMethod
+}
+
+func SniffHTTP(b []byte) (*string, error) {
+	if err := beginWithHTTPMethod(b); err != nil {
+		return nil, err
+	}
+
+	_ = &HTTPSniffer{
+		version: HTTP1,
+	}
+
+	headers := bytes.Split(b, []byte{'\n'})
+	for i := 1; i < len(headers); i++ {
+		header := headers[i]
+		if len(header) == 0 {
+			break
+		}
+		parts := bytes.SplitN(header, []byte{':'}, 2)
+		if len(parts) != 2 {
+			continue
+		}
+		key := strings.ToLower(string(parts[0]))
+		if key == "host" {
+			rawHost := strings.ToLower(string(bytes.TrimSpace(parts[1])))
+			host, _, err := net.SplitHostPort(rawHost)
+			if err != nil {
+				if addrError, ok := err.(*net.AddrError); ok && strings.Contains(addrError.Err, "missing port") {
+					host = rawHost
+				} else {
+					return nil, err
+				}
+			}
+			return &host, nil
+		}
+	}
+	return nil, ErrNoClue
+}
--- a/component/sniffer/quic_sniffer.go
+++ b/component/sniffer/quic_sniffer.go
@ -0,0 +1,3 @@
+package sniffer
+
+// TODO
--- a/component/sniffer/sniff_test.go
+++ b/component/sniffer/sniff_test.go
@ -1,4 +1,4 @@
-package tls
+package sniffer

 import (
 	"testing"
@ -142,7 +142,7 @@ func TestTLSHeaders(t *testing.T) {
 	}

 	for _, test := range cases {
-		header, err := SniffTLS(test.input)
+		domain, err := SniffTLS(test.input)
 		if test.err {
 			if err == nil {
 				t.Errorf("Exepct error but nil in test %v", test)
@ -151,8 +151,8 @@ func TestTLSHeaders(t *testing.T) {
 			if err != nil {
 				t.Errorf("Expect no error but actually %s in test %v", err.Error(), test)
 			}
-			if header.Domain() != test.domain {
-				t.Error("expect domain ", test.domain, " but got ", header.Domain())
+			if *domain != test.domain {
+				t.Error("expect domain ", test.domain, " but got ", domain)
 			}
 		}
 	}
--- a/component/sniffer/tls_sniffer.go
+++ b/component/sniffer/tls_sniffer.go
@ -1,107 +1,114 @@
-package tls
+package sniffer

 import (
 	"encoding/binary"
 	"errors"
 	"strings"
+
+	C "github.com/Dreamacro/clash/constant"
 )

-var ErrNoClue = errors.New("not enough information for making a decision")
-
-type SniffHeader struct {
-	domain string
-}
-
-func (h *SniffHeader) Protocol() string {
-	return "tls"
-}
-
-func (h *SniffHeader) Domain() string {
-	return h.domain
-}
-
 var (
 	errNotTLS         = errors.New("not TLS header")
 	errNotClientHello = errors.New("not client hello")
 )

+type TLSSniffer struct{}
+
+func (tls *TLSSniffer) Protocol() string {
+	return "tls"
+}
+
+func (tls *TLSSniffer) SupportNetwork() C.NetWork {
+	return C.TCP
+}
+
+func (tls *TLSSniffer) SniffTCP(bytes []byte) (string, error) {
+	domain, err := SniffTLS(bytes)
+	if err == nil {
+		return *domain, nil
+	} else {
+		return "", err
+	}
+}
+
 func IsValidTLSVersion(major, minor byte) bool {
 	return major == 3
 }

 // ReadClientHello returns server name (if any) from TLS client hello message.
 // https://github.com/golang/go/blob/master/src/crypto/tls/handshake_messages.go#L300
-func ReadClientHello(data []byte, h *SniffHeader) error {
+func ReadClientHello(data []byte) (*string, error) {
 	if len(data) < 42 {
-		return ErrNoClue
+		return nil, ErrNoClue
 	}
 	sessionIDLen := int(data[38])
 	if sessionIDLen > 32 || len(data) < 39+sessionIDLen {
-		return ErrNoClue
+		return nil, ErrNoClue
 	}
 	data = data[39+sessionIDLen:]
 	if len(data) < 2 {
-		return ErrNoClue
+		return nil, ErrNoClue
 	}
 	// cipherSuiteLen is the number of bytes of cipher suite numbers. Since
 	// they are uint16s, the number must be even.
 	cipherSuiteLen := int(data[0])<<8 | int(data[1])
 	if cipherSuiteLen%2 == 1 || len(data) < 2+cipherSuiteLen {
-		return errNotClientHello
+		return nil, errNotClientHello
 	}
 	data = data[2+cipherSuiteLen:]
 	if len(data) < 1 {
-		return ErrNoClue
+		return nil, ErrNoClue
 	}
 	compressionMethodsLen := int(data[0])
 	if len(data) < 1+compressionMethodsLen {
-		return ErrNoClue
+		return nil, ErrNoClue
 	}
 	data = data[1+compressionMethodsLen:]

 	if len(data) == 0 {
-		return errNotClientHello
+		return nil, errNotClientHello
 	}
 	if len(data) < 2 {
-		return errNotClientHello
+		return nil, errNotClientHello
 	}

 	extensionsLength := int(data[0])<<8 | int(data[1])
 	data = data[2:]
 	if extensionsLength != len(data) {
-		return errNotClientHello
+		return nil, errNotClientHello
 	}

 	for len(data) != 0 {
 		if len(data) < 4 {
-			return errNotClientHello
+			return nil, errNotClientHello
 		}
 		extension := uint16(data[0])<<8 | uint16(data[1])
 		length := int(data[2])<<8 | int(data[3])
 		data = data[4:]
 		if len(data) < length {
-			return errNotClientHello
+			return nil, errNotClientHello
 		}

 		if extension == 0x00 { /* extensionServerName */
 			d := data[:length]
 			if len(d) < 2 {
-				return errNotClientHello
+				return nil, errNotClientHello
 			}
 			namesLen := int(d[0])<<8 | int(d[1])
 			d = d[2:]
 			if len(d) != namesLen {
-				return errNotClientHello
+				return nil, errNotClientHello
 			}
 			for len(d) > 0 {
 				if len(d) < 3 {
-					return errNotClientHello
+					return nil, errNotClientHello
 				}
 				nameType := d[0]
 				nameLen := int(d[1])<<8 | int(d[2])
 				d = d[3:]
 				if len(d) < nameLen {
-					return errNotClientHello
+					return nil, errNotClientHello
 				}
 				if nameType == 0 {
 					serverName := string(d[:nameLen])
@ -109,21 +116,22 @@ func ReadClientHello(data []byte, h *SniffHeader) error {
 					// trailing dot. See
 					// https://tools.ietf.org/html/rfc6066#section-3.
 					if strings.HasSuffix(serverName, ".") {
-						return errNotClientHello
+						return nil, errNotClientHello
 					}
-					h.domain = serverName
-					return nil
+
+					return &serverName, nil
 				}
+
 				d = d[nameLen:]
 			}
 		}
 		data = data[length:]
 	}

-	return errNotTLS
+	return nil, errNotTLS
 }

-func SniffTLS(b []byte) (*SniffHeader, error) {
+func SniffTLS(b []byte) (*string, error) {
 	if len(b) < 5 {
 		return nil, ErrNoClue
 	}
@ -139,10 +147,9 @@ func SniffTLS(b []byte) (*SniffHeader, error) {
 		return nil, ErrNoClue
 	}

-	h := &SniffHeader{}
-	err := ReadClientHello(b[5:5+headerLen], h)
+	domain, err := ReadClientHello(b[5 : 5+headerLen])
 	if err == nil {
-		return h, nil
+		return domain, nil
 	}
 	return nil, err
 }
--- a/component/trie/ipcidr_node.go
+++ b/component/trie/ipcidr_node.go
@ -0,0 +1,42 @@
+package trie
+
+import "errors"
+
+var ErrorOverMaxValue = errors.New("the value don't over max value")
+
+type IpCidrNode struct {
+	Mark     bool
+	child    map[uint32]*IpCidrNode
+	maxValue uint32
+}
+
+func NewIpCidrNode(mark bool, maxValue uint32) *IpCidrNode {
+	ipCidrNode := &IpCidrNode{
+		Mark:     mark,
+		child:    map[uint32]*IpCidrNode{},
+		maxValue: maxValue,
+	}
+
+	return ipCidrNode
+}
+
+func (n *IpCidrNode) addChild(value uint32) error {
+	if value > n.maxValue {
+		return ErrorOverMaxValue
+	}
+
+	n.child[value] = NewIpCidrNode(false, n.maxValue)
+	return nil
+}
+
+func (n *IpCidrNode) hasChild(value uint32) bool {
+	return n.getChild(value) != nil
+}
+
+func (n *IpCidrNode) getChild(value uint32) *IpCidrNode {
+	if value <= n.maxValue {
+		return n.child[value]
+	}
+
+	return nil
+}
--- a/component/trie/ipcidr_trie.go
+++ b/component/trie/ipcidr_trie.go
@ -0,0 +1,256 @@
+package trie
+
+import (
+	"net"
+
+	"github.com/Dreamacro/clash/log"
+)
+
+type IPV6 bool
+
+const (
+	ipv4GroupMaxValue = 0xFF
+	ipv6GroupMaxValue = 0xFFFF
+)
+
+type IpCidrTrie struct {
+	ipv4Trie *IpCidrNode
+	ipv6Trie *IpCidrNode
+}
+
+func NewIpCidrTrie() *IpCidrTrie {
+	return &IpCidrTrie{
+		ipv4Trie: NewIpCidrNode(false, ipv4GroupMaxValue),
+		ipv6Trie: NewIpCidrNode(false, ipv6GroupMaxValue),
+	}
+}
+
+func (trie *IpCidrTrie) AddIpCidr(ipCidr *net.IPNet) error {
+	subIpCidr, subCidr, isIpv4, err := ipCidrToSubIpCidr(ipCidr)
+	if err != nil {
+		return err
+	}
+
+	for _, sub := range subIpCidr {
+		addIpCidr(trie, isIpv4, sub, subCidr/8)
+	}
+
+	return nil
+}
+
+func (trie *IpCidrTrie) AddIpCidrForString(ipCidr string) error {
+	_, ipNet, err := net.ParseCIDR(ipCidr)
+	if err != nil {
+		return err
+	}
+
+	return trie.AddIpCidr(ipNet)
+}
+
+func (trie *IpCidrTrie) IsContain(ip net.IP) bool {
+	ip, isIpv4 := checkAndConverterIp(ip)
+	if ip == nil {
+		return false
+	}
+
+	var groupValues []uint32
+	var ipCidrNode *IpCidrNode
+
+	if isIpv4 {
+		ipCidrNode = trie.ipv4Trie
+		for _, group := range ip {
+			groupValues = append(groupValues, uint32(group))
+		}
+	} else {
+		ipCidrNode = trie.ipv6Trie
+		for i := 0; i < len(ip); i += 2 {
+			groupValues = append(groupValues, getIpv6GroupValue(ip[i], ip[i+1]))
+		}
+	}
+
+	return search(ipCidrNode, groupValues) != nil
+}
+
+func (trie *IpCidrTrie) IsContainForString(ipString string) bool {
+	return trie.IsContain(net.ParseIP(ipString))
+}
+
+func ipCidrToSubIpCidr(ipNet *net.IPNet) ([]net.IP, int, bool, error) {
+	maskSize, _ := ipNet.Mask.Size()
+	var (
+		ipList      []net.IP
+		newMaskSize int
+		isIpv4      bool
+		err         error
+	)
+
+	ip, isIpv4 := checkAndConverterIp(ipNet.IP)
+	ipList, newMaskSize, err = subIpCidr(ip, maskSize, isIpv4)
+
+	return ipList, newMaskSize, isIpv4, err
+}
+
+func subIpCidr(ip net.IP, maskSize int, isIpv4 bool) ([]net.IP, int, error) {
+	var subIpCidrList []net.IP
+	groupSize := 8
+	if !isIpv4 {
+		groupSize = 16
+	}
+
+	if maskSize%groupSize == 0 {
+		return append(subIpCidrList, ip), maskSize, nil
+	}
+
+	lastByteMaskSize := maskSize % 8
+	lastByteMaskIndex := maskSize / 8
+	subIpCidrNum := 0xFF >> lastByteMaskSize
+	for i := 0; i <= subIpCidrNum; i++ {
+		subIpCidr := make([]byte, len(ip))
+		copy(subIpCidr, ip)
+		subIpCidr[lastByteMaskIndex] += byte(i)
+		subIpCidrList = append(subIpCidrList, subIpCidr)
+	}
+
+	newMaskSize := (lastByteMaskIndex + 1) * 8
+	if !isIpv4 {
+		newMaskSize = (lastByteMaskIndex/2 + 1) * 16
+	}
+
+	return subIpCidrList, newMaskSize, nil
+}
+
+func addIpCidr(trie *IpCidrTrie, isIpv4 bool, ip net.IP, groupSize int) {
+	if isIpv4 {
+		addIpv4Cidr(trie, ip, groupSize)
+	} else {
+		addIpv6Cidr(trie, ip, groupSize)
+	}
+}
+
+func addIpv4Cidr(trie *IpCidrTrie, ip net.IP, groupSize int) {
+	preNode := trie.ipv4Trie
+	node := preNode.getChild(uint32(ip[0]))
+	if node == nil {
+		err := preNode.addChild(uint32(ip[0]))
+		if err != nil {
+			return
+		}
+
+		node = preNode.getChild(uint32(ip[0]))
+	}
+
+	for i := 1; i < groupSize; i++ {
+		if node.Mark {
+			return
+		}
+
+		groupValue := uint32(ip[i])
+		if !node.hasChild(groupValue) {
+			err := node.addChild(groupValue)
+			if err != nil {
+				log.Errorln(err.Error())
+			}
+		}
+
+		preNode = node
+		node = node.getChild(groupValue)
+		if node == nil {
+			err := preNode.addChild(uint32(ip[i-1]))
+			if err != nil {
+				return
+			}
+
+			node = preNode.getChild(uint32(ip[i-1]))
+		}
+	}
+
+	node.Mark = true
+	cleanChild(node)
+}
+
+func addIpv6Cidr(trie *IpCidrTrie, ip net.IP, groupSize int) {
+	preNode := trie.ipv6Trie
+	node := preNode.getChild(getIpv6GroupValue(ip[0], ip[1]))
+	if node == nil {
+		err := preNode.addChild(getIpv6GroupValue(ip[0], ip[1]))
+		if err != nil {
+			return
+		}
+
+		node = preNode.getChild(getIpv6GroupValue(ip[0], ip[1]))
+	}
+
+	for i := 2; i < groupSize; i += 2 {
+		if node.Mark {
+			return
+		}
+
+		groupValue := getIpv6GroupValue(ip[i], ip[i+1])
+		if !node.hasChild(groupValue) {
+			err := node.addChild(groupValue)
+			if err != nil {
+				log.Errorln(err.Error())
+			}
+		}
+
+		preNode = node
+		node = node.getChild(groupValue)
+		if node == nil {
+			err := preNode.addChild(getIpv6GroupValue(ip[i-2], ip[i-1]))
+			if err != nil {
+				return
+			}
+
+			node = preNode.getChild(getIpv6GroupValue(ip[i-2], ip[i-1]))
+		}
+	}
+
+	node.Mark = true
+	cleanChild(node)
+}
+
+func getIpv6GroupValue(high, low byte) uint32 {
+	return (uint32(high) << 8) | uint32(low)
+}
+
+func cleanChild(node *IpCidrNode) {
+	for i := uint32(0); i < uint32(len(node.child)); i++ {
+		delete(node.child, i)
+	}
+}
+
+func search(root *IpCidrNode, groupValues []uint32) *IpCidrNode {
+	node := root.getChild(groupValues[0])
+	if node == nil || node.Mark {
+		return node
+	}
+
+	for _, value := range groupValues[1:] {
+		if !node.hasChild(value) {
+			return nil
+		}
+
+		node = node.getChild(value)
+
+		if node == nil || node.Mark {
+			return node
+		}
+	}
+
+	return nil
+}
+
+// return net.IP To4 or To16 and is ipv4
+func checkAndConverterIp(ip net.IP) (net.IP, bool) {
+	ipResult := ip.To4()
+	if ipResult == nil {
+		ipResult = ip.To16()
+		if ipResult == nil {
+			return nil, false
+		}
+
+		return ipResult, false
+	}
+
+	return ipResult, true
+}
--- a/Show More
+++ b/Show More