chore: adjust client-fingerprint's snippet

docs: update example config
fix: consistent naming client-fingerprint
2023-03-13 07:02:47 +00:00 · 2023-03-12 12:49:49 -07:00 · 2023-03-12 12:27:37 -07:00 · 2023-03-12 11:51:56 -07:00 · 2023-03-12 11:51:28 -07:00 · 2023-03-12 23:37:45 +08:00
213 changed files with 10762 additions and 2352 deletions
--- a/.github/release.sh
+++ b/.github/release.sh
@ -0,0 +1,26 @@
 #!/bin/bash
 FILENAMES=$(ls)
 for FILENAME in $FILENAMES
 do
    if [[ ! ($FILENAME =~ ".exe" || $FILENAME =~ ".sh")]];then
        gzip -S ".gz" $FILENAME
    elif [[ $FILENAME =~ ".exe" ]];then
        zip -m ${FILENAME%.*}.zip $FILENAME
    else echo "skip $FILENAME"
    fi
 done
 FILENAMES=$(ls)
 for FILENAME in $FILENAMES
 do
    if [[ $FILENAME =~ ".zip" ]];then
        echo "rename $FILENAME"
        mv $FILENAME ${FILENAME%.*}-${VERSION}.zip
    elif [[ $FILENAME =~ ".gz" ]];then
        echo "rename $FILENAME"
        mv $FILENAME ${FILENAME%.*}-${VERSION}.gz
    else
        echo "skip $FILENAME"
    fi
 done
--- a/.github/rename-cgo.sh
+++ b/.github/rename-cgo.sh
@ -0,0 +1,26 @@
 #!/bin/bash
 FILENAMES=$(ls)
 for FILENAME in $FILENAMES
 do
    if [[ $FILENAME =~ "darwin-10.16-arm64" ]];then
        echo "rename darwin-10.16-arm64 $FILENAME"
        mv $FILENAME clash.meta-darwin-arm64-cgo
    elif [[ $FILENAME =~ "darwin-10.16-amd64" ]];then
        echo "rename darwin-10.16-amd64 $FILENAME"
        mv $FILENAME clash.meta-darwin-amd64-cgo
    elif [[ $FILENAME =~ "windows-4.0-386" ]];then
        echo "rename windows 386 $FILENAME"
        mv $FILENAME clash.meta-windows-386-cgo.exe
    elif [[ $FILENAME =~ "windows-4.0-amd64" ]];then
        echo "rename windows amd64 $FILENAME"
        mv $FILENAME clash.meta-windows-amd64-cgo.exe
    elif [[ $FILENAME =~ "linux" ]];then
        echo "rename linux $FILENAME"
        mv $FILENAME $FILENAME-cgo
    elif [[ $FILENAME =~ "android" ]];then
        echo "rename android $FILENAME"
        mv $FILENAME $FILENAME-cgo
    else echo "skip $FILENAME"
    fi
 done
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@ -1,22 +0,0 @@
 name: Build All
 on:
  workflow_dispatch:
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@v3
      - name: Setup Go
        uses: actions/setup-go@v3
        with:
          go-version: '1.19'
          check-latest: true
          cache: true
      - name: Build
        run: make all
      - name: Release
        uses: softprops/action-gh-release@v1
        with:
          files: bin/*
          draft: true
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -0,0 +1,357 @@
 name: Build
 on:
  workflow_dispatch:
  push:
    paths-ignore:
      - "docs/**"
      - "README.md"
    branches:
      - Alpha
      - Beta
      - Meta
    tags:
      - "v*"
  pull_request_target:
    branches:
      - Alpha
      - Beta
      - Meta
 concurrency:
  group: ${{ github.ref }}-${{ github.workflow }}
  cancel-in-progress: true
 env:
  REGISTRY: docker.io
 jobs:
  Build:
    permissions: write-all
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        job:
          - {
              type: "WithoutCGO",
              target: "linux-amd64 linux-amd64-compatible",
              id: "1",
            }
          - {
              type: "WithoutCGO",
              target: "linux-armv5 linux-armv6 linux-armv7",
              id: "2",
            }
          - {
              type: "WithoutCGO",
              target: "linux-arm64 linux-mips64 linux-mips64le",
              id: "3",
            }
          - {
              type: "WithoutCGO",
              target: "linux-mips-softfloat linux-mips-hardfloat linux-mipsle-softfloat linux-mipsle-hardfloat",
              id: "4",
            }
          - { type: "WithoutCGO", target: "linux-386 linux-riscv64", id: "5" }
          - {
              type: "WithoutCGO",
              target: "freebsd-386 freebsd-amd64 freebsd-arm64",
              id: "6",
            }
          - {
              type: "WithoutCGO",
              target: "windows-amd64-compatible windows-amd64 windows-386",
              id: "7",
            }
          - {
              type: "WithoutCGO",
              target: "windows-arm64 windows-arm32v7",
              id: "8",
            }
          - {
              type: "WithoutCGO",
              target: "darwin-amd64 darwin-arm64 android-arm64",
              id: "9",
            }
          - { type: "WithCGO", target: "windows/*", id: "1" }
          - { type: "WithCGO", target: "linux/386", id: "2" }
          - { type: "WithCGO", target: "linux/amd64", id: "3" }
          - { type: "WithCGO", target: "linux/arm64,linux/riscv64", id: "4" }
          - { type: "WithCGO", target: "linux/arm,", id: "5" }
          - { type: "WithCGO", target: "linux/arm-6,linux/arm-7", id: "6" }
          - { type: "WithCGO", target: "linux/mips,linux/mipsle", id: "7" }
          - { type: "WithCGO", target: "linux/mips64", id: "8" }
          - { type: "WithCGO", target: "linux/mips64le", id: "9" }
          - { type: "WithCGO", target: "darwin-10.16/*", id: "10" }
          - { type: "WithCGO", target: "android", id: "11" }
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@v3
      - name: Set variables
        run: echo "VERSION=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
        shell: bash
      - name: Set variables
        if: ${{github.ref_name=='Alpha'}}
        run: echo "VERSION=alpha-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
        shell: bash
      - name: Set variables
        if: ${{github.ref_name=='Beta'}}
        run: echo "VERSION=beta-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
        shell: bash
      - name: Set variables
        if: ${{github.ref_name=='Meta'}}
        run: echo "VERSION=meta-$(git rev-parse --short HEAD)" >> $GITHUB_ENV
        shell: bash
      - name: Set variables
        if: ${{github.ref_name=='' || github.ref_type=='tag'}}
        run: echo "VERSION=$(git describe --tags)" >> $GITHUB_ENV
        shell: bash
      - name: Set ENV
        run: |
          sudo timedatectl set-timezone "Asia/Shanghai"
          echo "NAME=clash.meta" >> $GITHUB_ENV
          echo "REPO=${{ github.repository }}" >> $GITHUB_ENV
          echo "ShortSHA=$(git rev-parse --short ${{ github.sha }})" >> $GITHUB_ENV
          echo "BUILDTIME=$(date)" >> $GITHUB_ENV
          echo "BRANCH=$(git rev-parse --abbrev-ref HEAD)" >> $GITHUB_ENV
        shell: bash
      - name: Set ENV
        run: |
          echo "TAGS=with_gvisor,with_lwip" >> $GITHUB_ENV
          echo "LDFLAGS=-X 'github.com/Dreamacro/clash/constant.Version=${VERSION}' -X 'github.com/Dreamacro/clash/constant.BuildTime=${BUILDTIME}' -w -s -buildid=" >> $GITHUB_ENV
        shell: bash
      - name: Setup Go
        uses: actions/setup-go@v3
        with:
          go-version: "1.20"
          check-latest: true
      - name: Test
        if: ${{ matrix.job.id=='1' && matrix.job.type=='WithoutCGO' }}
        run: |
          go test ./...
      - name: Build WithoutCGO
        if: ${{ matrix.job.type=='WithoutCGO' }}
        env:
          NAME: Clash.Meta
          BINDIR: bin
        run: make -j$(($(nproc) + 1)) ${{ matrix.job.target }}
      - uses: nttld/setup-ndk@v1
        if: ${{ matrix.job.type=='WithCGO' && matrix.job.target=='android' }}
        id: setup-ndk
        with:
          ndk-version: r25b
          add-to-path: false
          local-cache: true
      - name: Build Android
        if: ${{ matrix.job.type=='WithCGO' && matrix.job.target=='android' }}
        env:
          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
        run: |
          mkdir bin
          CC=${ANDROID_NDK_HOME}/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android33-clang
          CGO_ENABLED=1 CC=${CC} GOARCH=arm64 GOOS=android go build -tags ${TAGS} -trimpath -ldflags "${LDFLAGS}" -o bin/${NAME}-android-arm64
      - name: Set up xgo
        if: ${{ matrix.job.type=='WithCGO' && matrix.job.target!='android' }}
        run: |
          docker pull techknowlogick/xgo:latest
          go install src.techknowlogick.com/xgo@latest
      - name: Build by xgo
        if: ${{ matrix.job.type=='WithCGO' && matrix.job.target!='android' }}
        env:
          ANDROID_NDK_HOME: ${{ steps.setup-ndk.outputs.ndk-path }}
        run: |
          mkdir bin
          xgo --targets="${{ matrix.job.target }}" --tags="${TAGS}" -ldflags="${LDFLAGS}" --out bin/${NAME} ./
      - name: Rename
        if: ${{ matrix.job.type=='WithCGO' }}
        run: |
          cd bin
          ls -la
          cp ../.github/rename-cgo.sh ./
          bash ./rename-cgo.sh
          rm ./rename-cgo.sh
          ls -la
          cd ..
      - name: Zip
        if: ${{  success() }}
        run: |
          cd bin
          ls -la
          chmod +x *
          cp ../.github/release.sh ./
          bash ./release.sh
          rm ./release.sh
          ls -la
          cd ..
      - name: Save version
        run: echo ${VERSION} > bin/version.txt
        shell: bash
      - uses: actions/upload-artifact@v3
        if: ${{  success() }}
        with:
          name: artifact
          path: bin/
  Upload-Prerelease:
    permissions: write-all
    if: ${{ github.ref_type=='branch' }}
    needs: [Build]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: artifact
          path: bin/
      - name: Display structure of downloaded files
        run: ls -R
        working-directory: bin
      - name: Delete current release assets
        uses: andreaswilli/delete-release-assets-action@v2.0.0
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          tag: Prerelease-${{ github.ref_name }}
          deleteOnlyFromDrafts: false
      - name: Set Env
        run: |
          echo "BUILDTIME=$(TZ=Asia/Shanghai date)" >> $GITHUB_ENV
        shell: bash
      - name: Tag Repo
        uses: richardsimko/update-tag@v1.0.6
        with:
          tag_name: Prerelease-${{ github.ref_name }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - run: |
          cat > release.txt << 'EOF'
          Release created at  ${{ env.BUILDTIME }}
          Synchronize ${{ github.ref_name }} branch code updates, keeping only the latest version
          <br>
          ### release version
          `default(not specified in file name)`: compiled with GOAMD64=v3
          `cgo`: support lwip tun stack, compiled with GOAMD64=v1
          `compatible`: compiled with GOAMD64=v1
          Check details between different architectural levels [here](https://github.com/golang/go/wiki/MinimumRequirements#amd64).
          EOF
      - name: Upload Prerelease
        uses: softprops/action-gh-release@v1
        if: ${{  success() }}
        with:
          tag: ${{ github.ref_name }}
          tag_name: Prerelease-${{ github.ref_name }}
          files: |
            bin/*
          prerelease: true
          generate_release_notes: true
          body_path: release.txt
  Upload-Release:
    permissions: write-all
    if: ${{ github.ref_type=='tag' }}
    needs: [Build]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: artifact
          path: bin/
      - name: Display structure of downloaded files
        run: ls -R
        working-directory: bin
      - name: Upload Release
        uses: softprops/action-gh-release@v1
        if: ${{  success() }}
        with:
          tag: ${{ github.ref_name }}
          tag_name: ${{ github.ref_name }}
          files: bin/*
          generate_release_notes: true
  Docker:
    permissions: write-all
    needs: [Build]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: actions/download-artifact@v3
        with:
          name: artifact
          path: bin/
      - name: Display structure of downloaded files
        run: ls -R
        working-directory: bin
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@v1
        with:
          version: latest
      # Extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v3
        with:
          images: ${{ env.REGISTRY }}/${{ secrets.DOCKERHUB_ACCOUNT }}/${{secrets.DOCKERHUB_REPO}}
      - name: Show files
        run: |
          ls .
          ls bin/
      - name: Log into registry
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v1
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.DOCKER_HUB_USER }}
          password: ${{ secrets.DOCKER_HUB_TOKEN }}
      # Build and push Docker image with Buildx (don't push on PR)
      # https://github.com/docker/build-push-action
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@v2
        with:
          context: .
          file: ./Dockerfile
          push: ${{ github.event_name != 'pull_request' }}
          platforms: |
            linux/386
            linux/amd64
            linux/arm64/v8
            linux/arm/v7
          #            linux/riscv64
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@ -1,61 +0,0 @@
 name: Docker
 on:
  push:
    branches:
      - Beta
    tags:
      - "v*"
 env:
  REGISTRY: docker.io
 jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@v1
        with:
          version: latest
      # Extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v3
        with:
          images: ${{ env.REGISTRY }}/${{ secrets.DOCKERHUB_ACCOUNT }}/${{secrets.DOCKERHUB_REPO}}
      - name: Log into registry
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v1
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.DOCKER_HUB_USER }}
          password: ${{ secrets.DOCKER_HUB_TOKEN }}
      # Build and push Docker image with Buildx (don't push on PR)
      # https://github.com/docker/build-push-action
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@v2
        with:
          context: .
          file: ./Dockerfile
          push: ${{ github.event_name != 'pull_request' }}
          platforms: |
            linux/386
            linux/amd64
            linux/arm64/v8
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
--- a/.github/workflows/prerelease.yml
+++ b/.github/workflows/prerelease.yml
@ -1,61 +0,0 @@
 name: Prerelease
 on:
  workflow_dispatch:
  push:
    branches:
      - Alpha
      - Beta
  pull_request:
    branches:
      - Alpha
      - Beta
 jobs:
  Build:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@v3
      - name: Setup Go
        uses: actions/setup-go@v3
        with:
          go-version: '1.19'
          check-latest: true
          cache: true
      - name: Test
        if: ${{github.ref_name=='Beta'}}
        run: |
          go test ./...
      - name: Build
        if: success()
        env:
          NAME: Clash.Meta
          BINDIR: bin
        run: make -j$(($(nproc) + 1)) releases
      - name: Delete current release assets
        uses: mknejp/delete-release-assets@v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          tag_name: Prerelease-${{ github.ref_name }}
          assets: |
              *.zip
              *.gz
      - name: Tag Repo
        uses: richardsimko/update-tag@v1.0.6
        with:
          tag_name: Prerelease-${{ github.ref_name }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Upload Alpha
        uses: softprops/action-gh-release@v1
        if: ${{  success() }}
        with:
          tag_name: Prerelease-${{ github.ref_name }}
          files: bin/*
          prerelease: true
          generate_release_notes: true
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -1,36 +0,0 @@
 name: Release
 on:
  push:
    tags:
      - "v*"
 jobs:
  Build:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@v3
      - name: Setup Go
        uses: actions/setup-go@v3
        with:
          go-version: '1.19'
          check-latest: true
          cache: true
      - name: Test
        run: |
          go test ./...
      - name: Build
        if: success()
        env:
          NAME: Clash.Meta
          BINDIR: bin
        run: make -j$(($(nproc) + 1)) releases
      - name: Upload Release
        uses: softprops/action-gh-release@v1
        if: ${{ success() && startsWith(github.ref, 'refs/tags/')}}
        with:
          tag: ${{ github.ref }}
          files: bin/*
          generate_release_notes: true
--- a/.gitignore
+++ b/.gitignore
@ -24,4 +24,5 @@ vendor
 # test suite
 test/config/cache*
 /output
-/.vscode
+.vscode/
 .fleet/
--- a/21
+++ b/21
@ -1,18 +1,19 @@
-FROM golang:alpine as builder
+FROM alpine:latest as builder
 ARG TARGETPLATFORM
 RUN echo "I'm building for $TARGETPLATFORM"
-RUN apk add --no-cache make git && \
+RUN apk add --no-cache gzip && \
    mkdir /clash-config && \
    wget -O /clash-config/Country.mmdb https://raw.githubusercontent.com/Loyalsoldier/geoip/release/Country.mmdb && \
    wget -O /clash-config/geosite.dat https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat && \
    wget -O /clash-config/geoip.dat https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat
-
+COPY docker/file-name.sh /clash/file-name.sh
-COPY . /clash-src
+WORKDIR /clash
-WORKDIR /clash-src
+COPY bin/ bin/
-RUN go mod download &&\
+RUN FILE_NAME=`sh file-name.sh` && echo $FILE_NAME && \
-    make docker &&\
+    FILE_NAME=`ls bin/ | egrep "$FILE_NAME.*"|awk NR==1` && echo $FILE_NAME && \
-    mv ./bin/Clash.Meta-docker /clash
+    mv bin/$FILE_NAME clash.gz && gzip -d clash.gz && echo "$FILE_NAME" > /clash-config/test
 FROM alpine:latest
 LABEL org.opencontainers.image.source="https://github.com/MetaCubeX/Clash.Meta"
@ -21,6 +22,6 @@ RUN apk add --no-cache ca-certificates tzdata iptables
 VOLUME ["/root/.config/clash/"]
 COPY --from=builder /clash-config/ /root/.config/clash/
-COPY --from=builder /clash /clash
+COPY --from=builder /clash/clash /clash
 RUN chmod +x /clash
 ENTRYPOINT [ "/clash" ]
--- a/16
+++ b/16
@ -1,4 +1,4 @@
-NAME=Clash.Meta
+NAME=clash.meta
 BINDIR=bin
 BRANCH=$(shell git branch --show-current)
 ifeq ($(BRANCH),Alpha)
@ -47,14 +47,17 @@ all:linux-amd64 linux-arm64\
 	darwin-amd64 darwin-arm64\
 	windows-amd64 windows-arm64\
 darwin-all: darwin-amd64 darwin-arm64
 docker:
-	GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+	GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 darwin-amd64:
 	GOARCH=amd64 GOOS=darwin GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 darwin-amd64-compatible:
-	GOARCH=amd64 GOOS=darwin GOAMD64=v2 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+	GOARCH=amd64 GOOS=darwin GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 darwin-arm64:
 	GOARCH=arm64 GOOS=darwin $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
@ -66,7 +69,7 @@ linux-amd64:
 	GOARCH=amd64 GOOS=linux GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 linux-amd64-compatible:
-	GOARCH=amd64 GOOS=linux GOAMD64=v2 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
+	GOARCH=amd64 GOOS=linux GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 linux-arm64:
 	GOARCH=arm64 GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
@ -98,6 +101,9 @@ linux-mips64:
 linux-mips64le:
 	GOARCH=mips64le GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 linux-riscv64:
 	GOARCH=riscv64 GOOS=linux $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
 android-arm64:
 	GOARCH=arm64 GOOS=android $(GOBUILD) -o $(BINDIR)/$(NAME)-$@
@ -117,7 +123,7 @@ windows-amd64:
 	GOARCH=amd64 GOOS=windows GOAMD64=v3 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
 windows-amd64-compatible:
-	GOARCH=amd64 GOOS=windows GOAMD64=v2 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
+	GOARCH=amd64 GOOS=windows GOAMD64=v1 $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
 windows-arm64:
 	GOARCH=arm64 GOOS=windows $(GOBUILD) -o $(BINDIR)/$(NAME)-$@.exe
--- a/README.md
+++ b/README.md
@ -29,32 +29,42 @@
 - Netfilter TCP redirecting. Deploy Clash on your Internet gateway with `iptables`.
 - Comprehensive HTTP RESTful API controller
-## Getting Started
+## Wiki
 Documentations are now moved to [GitHub Wiki](https://github.com/Dreamacro/clash/wiki).
-## Advanced usage for this branch
+Documentation and configuring examples are available on [wiki](https://github.com/MetaCubeX/Clash.Meta/wiki) and [Clash.Meta Wiki](https://docs.metacubex.one/).
 ## Build
 You should install [golang](https://go.dev) first.
 Then get the source code of Clash.Meta:
 ```shell
 git clone https://github.com/MetaCubeX/Clash.Meta.git
 cd Clash.Meta && go mod download
 ```
 If you can't visit github,you should set proxy first:
 ```shell
 go env -w GOPROXY=https://goproxy.io,direct
 ```
-So now you can build it:
+Now you can build it:
 ```shell
 go build
 ```
-### DNS configuration
+If you need gvisor for tun stack, build with:
 ```shell
 go build -tags with_gvisor
 ```
 <!-- ## Advanced usage of this fork -->
 <!-- ### DNS configuration
 Support `geosite` with `fallback-filter`.
@ -64,7 +74,6 @@ Support resolve ip with a `Proxy Tunnel`.
 ```yaml
 proxy-groups:
  - name: DNS
    type: url-test
    use:
@ -73,6 +82,7 @@ proxy-groups:
    interval: 180
    lazy: true
 ```
 ```yaml
 dns:
  enable: true
@ -88,8 +98,8 @@ dns:
    - https://doh.pub/dns-query
    - tls://223.5.5.5:853
  fallback:
-    - 'https://1.0.0.1/dns-query#DNS'  # append the proxy adapter name or group name to the end of DNS URL with '#' prefix.
+    - "https://1.0.0.1/dns-query#DNS" # append the proxy adapter name or group name to the end of DNS URL with '#' prefix.
-    - 'tls://8.8.4.4:853#DNS'
+    - "tls://8.8.4.4:853#DNS"
  fallback-filter:
    geoip: false
    geosite:
@ -110,21 +120,23 @@ Built-in [Wintun](https://www.wintun.net) driver.
 # Enable the TUN listener
 tun:
  enable: true
-  stack: gvisor #  only gvisor
+  stack: system #   system/gvisor
  dns-hijack:
    - 0.0.0.0:53 # additional dns server listen on TUN
  auto-route: true # auto set global route
 ```
 ### Rules configuration
 - Support rule `GEOSITE`.
 - Support rule-providers `RULE-SET`.
 - Support `multiport` condition for rule `SRC-PORT` and `DST-PORT`.
 - Support `network` condition for all rules.
 - Support source IPCIDR condition for all rules, just append to the end.
 - The `GEOSITE` databases via https://github.com/Loyalsoldier/v2ray-rules-dat.
 ```yaml
 rules:
  # network(tcp/udp) condition for all rules
  - DOMAIN-SUFFIX,bilibili.com,DIRECT,tcp
  - DOMAIN-SUFFIX,bilibili.com,REJECT,udp
@ -153,7 +165,6 @@ rules:
  - MATCH,PROXY
 ```
 ### Proxies configuration
 Active health detection `urltest / fallback` (based on tcp handshake, multiple failures within a limited time will actively trigger health detection to use the node)
@ -162,18 +173,17 @@ Support `Policy Group Filter`
 ```yaml
 proxy-groups:
  - name: 🚀 HK Group
    type: select
    use:
      - ALL
-    filter: 'HK'
+    filter: "HK"
  - name: 🚀 US Group
    type: select
    use:
      - ALL
-    filter: 'US'
+    filter: "US"
 proxy-providers:
  ALL:
@ -185,14 +195,12 @@ proxy-providers:
      enable: true
      interval: 600
      url: http://www.gstatic.com/generate_204
 ```
 Support outbound transport protocol `VLESS`.
 The XTLS support (TCP/UDP) transport by the XRAY-CORE.
 ```yaml
 proxies:
  - name: "vless"
@ -232,8 +240,8 @@ proxies:
      grpc-service-name: grpcname
 ```
 Support outbound transport protocol `Wireguard`
 ```yaml
 proxies:
  - name: "wg"
@ -248,6 +256,7 @@ proxies:
 ```
 Support outbound transport protocol `Tuic`
 ```yaml
 proxies:
  - name: "tuic"
@ -266,11 +275,11 @@ proxies:
    # max-udp-relay-packet-size: 1500
    # fast-open: true
    # skip-cert-verify: true
-
+``` -->
 ```
 ### IPTABLES configuration
-Work on Linux OS who's supported `iptables`
+
 Work on Linux OS which supported `iptables`
 ```yaml
 # Enable the TPROXY listener
@ -281,17 +290,15 @@ iptables:
  inbound-interface: eth0 # detect the inbound interface, default is 'lo'
 ```
 ### General installation guide for Linux
 + Create user given name `clash-meta`
-+ Download and decompress pre-built binaries from [releases](https://github.com/MetaCubeX/Clash.Meta/releases)  
+- Create user given name `clash-meta`
-+ Rename executable file to `Clash-Meta` and move to `/usr/local/bin/` 
+- Download and decompress pre-built binaries from [releases](https://github.com/MetaCubeX/Clash.Meta/releases)
 + Create folder `/etc/Clash-Meta/` as working directory 
 - Rename executable file to `Clash-Meta` and move to `/usr/local/bin/`
 - Create folder `/etc/Clash-Meta/` as working directory
 Run Meta Kernel by user `clash-meta` as a daemon.
@ -317,10 +324,13 @@ ExecStart=/usr/local/bin/Clash-Meta -d /etc/Clash-Meta
 [Install]
 WantedBy=multi-user.target
 ```
 Launch clashd on system startup with:
 ```shell
 $ systemctl enable Clash-Meta
 ```
 Launch clashd immediately with:
 ```shell
@ -331,23 +341,29 @@ $ systemctl start Clash-Meta
 Clash add field `Process` to `Metadata` and prepare to get process name for Restful API `GET /connections`.
-To display process name in GUI please use [Dashboard For Meta](https://github.com/MetaCubeX/clash-dashboard).
+To display process name in GUI please use [Razord-meta](https://github.com/MetaCubeX/Razord-meta).
-![img.png](https://github.com/Clash-Mini/Dashboard/raw/master/View/Dashboard-Process.png)
+### Dashboard
 We also made a custom fork of yacd provide better support for this project, check it out at [Yacd-meta](https://github.com/MetaCubeX/Yacd-meta)
 ## Development
 If you want to build an application that uses clash as a library, check out the
 the [GitHub Wiki](https://github.com/Dreamacro/clash/wiki/use-clash-as-a-library)
 ## Debugging
 Check [wiki](https://github.com/MetaCubeX/Clash.Meta/wiki/How-to-use-debug-api) to get an instruction on using debug API.
 ## Credits
-* [Dreamacro/clash](https://github.com/Dreamacro/clash)
+- [Dreamacro/clash](https://github.com/Dreamacro/clash)
-* [SagerNet/sing-box](https://github.com/SagerNet/sing-box)
+- [SagerNet/sing-box](https://github.com/SagerNet/sing-box)
-* [riobard/go-shadowsocks2](https://github.com/riobard/go-shadowsocks2)
+- [riobard/go-shadowsocks2](https://github.com/riobard/go-shadowsocks2)
-* [v2ray/v2ray-core](https://github.com/v2ray/v2ray-core)
+- [v2ray/v2ray-core](https://github.com/v2ray/v2ray-core)
-* [WireGuard/wireguard-go](https://github.com/WireGuard/wireguard-go)
+- [WireGuard/wireguard-go](https://github.com/WireGuard/wireguard-go)
-* [yaling888/clash-plus-pro](https://github.com/yaling888/clash)
+- [yaling888/clash-plus-pro](https://github.com/yaling888/clash)
 ## License
--- a/adapter/adapter.go
+++ b/adapter/adapter.go
@ -92,6 +92,7 @@ func (p *Proxy) MarshalJSON() ([]byte, error) {
 	mapping["history"] = p.DelayHistory()
 	mapping["name"] = p.Name()
 	mapping["udp"] = p.SupportUDP()
 	mapping["xudp"] = p.SupportXUDP()
 	mapping["tfo"] = p.SupportTFO()
 	return json.Marshal(mapping)
 }
--- a/adapter/inbound/http.go
+++ b/adapter/inbound/http.go
@ -16,11 +16,11 @@ func NewHTTP(target socks5.Addr, source net.Addr, conn net.Conn, additions ...Ad
 	for _, addition := range additions {
 		addition.Apply(metadata)
 	}
-	if ip, port, err := parseAddr(source.String()); err == nil {
+	if ip, port, err := parseAddr(source); err == nil {
 		metadata.SrcIP = ip
 		metadata.SrcPort = port
 	}
-	if ip, port, err := parseAddr(conn.LocalAddr().String()); err == nil {
+	if ip, port, err := parseAddr(conn.LocalAddr()); err == nil {
 		metadata.InIP = ip
 		metadata.InPort = port
 	}
--- a/adapter/inbound/https.go
+++ b/adapter/inbound/https.go
@ -15,11 +15,11 @@ func NewHTTPS(request *http.Request, conn net.Conn, additions ...Addition) *cont
 	for _, addition := range additions {
 		addition.Apply(metadata)
 	}
-	if ip, port, err := parseAddr(conn.RemoteAddr().String()); err == nil {
+	if ip, port, err := parseAddr(conn.RemoteAddr()); err == nil {
 		metadata.SrcIP = ip
 		metadata.SrcPort = port
 	}
-	if ip, port, err := parseAddr(conn.LocalAddr().String()); err == nil {
+	if ip, port, err := parseAddr(conn.LocalAddr()); err == nil {
 		metadata.InIP = ip
 		metadata.InPort = port
 	}
--- a/adapter/inbound/listen.go
+++ b/adapter/inbound/listen.go
@ -4,7 +4,7 @@ import (
 	"context"
 	"net"
-	"github.com/database64128/tfo-go/v2"
+	"github.com/sagernet/tfo-go"
 )
 var (
--- a/adapter/inbound/packet.go
+++ b/adapter/inbound/packet.go
@ -24,12 +24,12 @@ func NewPacket(target socks5.Addr, packet C.UDPPacket, source C.Type, additions
 	for _, addition := range additions {
 		addition.Apply(metadata)
 	}
-	if ip, port, err := parseAddr(packet.LocalAddr().String()); err == nil {
+	if ip, port, err := parseAddr(packet.LocalAddr()); err == nil {
 		metadata.SrcIP = ip
 		metadata.SrcPort = port
 	}
 	if p, ok := packet.(C.UDPPacketInAddr); ok {
-		if ip, port, err := parseAddr(p.InAddr().String()); err == nil {
+		if ip, port, err := parseAddr(p.InAddr()); err == nil {
 			metadata.InIP = ip
 			metadata.InPort = port
 		}
--- a/adapter/inbound/socket.go
+++ b/adapter/inbound/socket.go
@ -18,23 +18,14 @@ func NewSocket(target socks5.Addr, conn net.Conn, source C.Type, additions ...Ad
 		addition.Apply(metadata)
 	}
-	remoteAddr := conn.RemoteAddr()
+	if ip, port, err := parseAddr(conn.RemoteAddr()); err == nil {
 	// Filter when net.Addr interface is nil
 	if remoteAddr != nil {
 		if ip, port, err := parseAddr(remoteAddr.String()); err == nil {
 		metadata.SrcIP = ip
 		metadata.SrcPort = port
 	}
-	}
+	if ip, port, err := parseAddr(conn.LocalAddr()); err == nil {
 	localAddr := conn.LocalAddr()
 	// Filter when net.Addr interface is nil
 	if localAddr != nil {
 		if ip, port, err := parseAddr(localAddr.String()); err == nil {
 		metadata.InIP = ip
 		metadata.InPort = port
 	}
 	}
 	return context.NewConnContext(conn, metadata)
 }
@ -43,7 +34,7 @@ func NewInner(conn net.Conn, dst string, host string) *context.ConnContext {
 	metadata := &C.Metadata{}
 	metadata.NetWork = C.TCP
 	metadata.Type = C.INNER
-	metadata.DNSMode = C.DNSMapping
+	metadata.DNSMode = C.DNSNormal
 	metadata.Host = host
 	metadata.Process = C.ClashName
 	if h, port, err := net.SplitHostPort(dst); err == nil {
--- a/adapter/inbound/util.go
+++ b/adapter/inbound/util.go
@ -1,13 +1,14 @@
 package inbound
 import (
-	"github.com/Dreamacro/clash/common/nnip"
+	"errors"
 	"net"
 	"net/http"
 	"net/netip"
 	"strconv"
 	"strings"
 	"github.com/Dreamacro/clash/common/nnip"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/socks5"
 )
@ -57,8 +58,19 @@ func parseHTTPAddr(request *http.Request) *C.Metadata {
 	return metadata
 }
-func parseAddr(addr string) (netip.Addr, string, error) {
+func parseAddr(addr net.Addr) (netip.Addr, string, error) {
-	host, port, err := net.SplitHostPort(addr)
+	// Filter when net.Addr interface is nil
 	if addr == nil {
 		return netip.Addr{}, "", errors.New("nil addr")
 	}
 	if rawAddr, ok := addr.(interface{ RawAddr() net.Addr }); ok {
 		ip, port, err := parseAddr(rawAddr.RawAddr())
 		if err == nil {
 			return ip, port, err
 		}
 	}
 	addrStr := addr.String()
 	host, port, err := net.SplitHostPort(addrStr)
 	if err != nil {
 		return netip.Addr{}, "", err
 	}
--- a/adapter/outbound/base.go
+++ b/adapter/outbound/base.go
@ -4,10 +4,11 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
 	"github.com/gofrs/uuid"
 	"net"
 	"strings"
 	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/common/utils"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 )
@ -18,6 +19,7 @@ type Base struct {
 	iface  string
 	tp     C.AdapterType
 	udp    bool
 	xudp   bool
 	tfo    bool
 	rmark  int
 	id     string
@ -32,7 +34,7 @@ func (b *Base) Name() string {
 // Id implements C.ProxyAdapter
 func (b *Base) Id() string {
 	if b.id == "" {
-		id, err := uuid.NewV6()
+		id, err := utils.UnsafeUUIDGenerator.NewV6()
 		if err != nil {
 			b.id = b.name
 		} else {
@ -87,6 +89,11 @@ func (b *Base) SupportUDP() bool {
 	return b.udp
 }
 // SupportXUDP implements C.ProxyAdapter
 func (b *Base) SupportXUDP() bool {
 	return b.xudp
 }
 // SupportTFO implements C.ProxyAdapter
 func (b *Base) SupportTFO() bool {
 	return b.tfo
@ -132,10 +139,15 @@ func (b *Base) DialOptions(opts ...dialer.Option) []dialer.Option {
 	default:
 	}
 	if b.tfo {
 		opts = append(opts, dialer.WithTFO(true))
 	}
 	return opts
 }
 type BasicOption struct {
 	TFO         bool   `proxy:"tfo,omitempty" group:"tfo,omitempty"`
 	Interface   string `proxy:"interface-name,omitempty" group:"interface-name,omitempty"`
 	RoutingMark int    `proxy:"routing-mark,omitempty" group:"routing-mark,omitempty"`
 	IPVersion   string `proxy:"ip-version,omitempty" group:"ip-version,omitempty"`
@ -146,6 +158,7 @@ type BaseOption struct {
 	Addr        string
 	Type        C.AdapterType
 	UDP         bool
 	XUDP        bool
 	TFO         bool
 	Interface   string
 	RoutingMark int
@ -158,6 +171,7 @@ func NewBase(opt BaseOption) *Base {
 		addr:   opt.Addr,
 		tp:     opt.Type,
 		udp:    opt.UDP,
 		xudp:   opt.XUDP,
 		tfo:    opt.TFO,
 		iface:  opt.Interface,
 		rmark:  opt.RoutingMark,
@ -166,7 +180,7 @@ func NewBase(opt BaseOption) *Base {
 }
 type conn struct {
-	net.Conn
+	N.ExtendedConn
 	chain                   C.Chain
 	actualRemoteDestination string
 }
@ -185,8 +199,12 @@ func (c *conn) AppendToChains(a C.ProxyAdapter) {
 	c.chain = append(c.chain, a.Name())
 }
 func (c *conn) Upstream() any {
 	return c.ExtendedConn
 }
 func NewConn(c net.Conn, a C.ProxyAdapter) C.Conn {
-	return &conn{c, []string{a.Name()}, parseRemoteDestination(a.Addr())}
+	return &conn{N.NewExtendedConn(c), []string{a.Name()}, parseRemoteDestination(a.Addr())}
 }
 type packetConn struct {
--- a/adapter/outbound/http.go
+++ b/adapter/outbound/http.go
@ -7,7 +7,6 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	"io"
 	"net"
 	"net/http"
@ -15,6 +14,7 @@ import (
 	"strconv"
 	"github.com/Dreamacro/clash/component/dialer"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 )
@ -150,7 +150,7 @@ func NewHttp(option HttpOption) (*Http, error) {
 			sni = option.SNI
 		}
 		if len(option.Fingerprint) == 0 {
-			tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(&tls.Config{
+			tlsConfig = tlsC.GetGlobalTLSConfig(&tls.Config{
 				InsecureSkipVerify: option.SkipCertVerify,
 				ServerName:         sni,
 			})
@ -170,6 +170,7 @@ func NewHttp(option HttpOption) (*Http, error) {
 			name:   option.Name,
 			addr:   net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
 			tp:     C.Http,
 			tfo:    option.TFO,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
--- a/adapter/outbound/hysteria.go
+++ b/adapter/outbound/hysteria.go
@ -178,7 +178,7 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 			return nil, err
 		}
 	} else {
-		tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
+		tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
 	}
 	if len(option.ALPN) > 0 {
--- a/adapter/outbound/reality.go
+++ b/adapter/outbound/reality.go
@ -0,0 +1,35 @@
 package outbound
 import (
 	"encoding/base64"
 	"encoding/hex"
 	"errors"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	"golang.org/x/crypto/curve25519"
 )
 type RealityOptions struct {
 	PublicKey string `proxy:"public-key"`
 	ShortID   string `proxy:"short-id"`
 }
 func (o RealityOptions) Parse() (*tlsC.RealityConfig, error) {
 	if o.PublicKey != "" {
 		config := new(tlsC.RealityConfig)
 		n, err := base64.RawURLEncoding.Decode(config.PublicKey[:], []byte(o.PublicKey))
 		if err != nil || n != curve25519.ScalarSize {
 			return nil, errors.New("invalid REALITY public key")
 		}
 		n, err = hex.Decode(config.ShortID[:], []byte(o.ShortID))
 		if err != nil || n > tlsC.RealityMaxShortIDLen {
 			return nil, errors.New("invalid REALITY short ID")
 		}
 		return config, nil
 	}
 	return nil, nil
 }
--- a/adapter/outbound/reject.go
+++ b/adapter/outbound/reject.go
@ -6,6 +6,7 @@ import (
 	"net"
 	"time"
 	"github.com/Dreamacro/clash/common/buf"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 )
@ -16,12 +17,12 @@ type Reject struct {
 // DialContext implements C.ProxyAdapter
 func (r *Reject) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.Conn, error) {
-	return NewConn(&nopConn{}, r), nil
+	return NewConn(nopConn{}, r), nil
 }
 // ListenPacketContext implements C.ProxyAdapter
 func (r *Reject) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (C.PacketConn, error) {
-	return newPacketConn(&nopPacketConn{}, r), nil
+	return newPacketConn(nopPacketConn{}, r), nil
 }
 func NewReject() *Reject {
@ -48,27 +49,37 @@ func NewPass() *Reject {
 type nopConn struct{}
-func (rw *nopConn) Read(b []byte) (int, error) {
+func (rw nopConn) Read(b []byte) (int, error) {
 	return 0, io.EOF
 }
-func (rw *nopConn) Write(b []byte) (int, error) {
+func (rw nopConn) ReadBuffer(buffer *buf.Buffer) error {
 	return io.EOF
 }
 func (rw nopConn) Write(b []byte) (int, error) {
 	return 0, io.EOF
 }
-func (rw *nopConn) Close() error                     { return nil }
+func (rw nopConn) WriteBuffer(buffer *buf.Buffer) error {
-func (rw *nopConn) LocalAddr() net.Addr              { return nil }
+	return io.EOF
-func (rw *nopConn) RemoteAddr() net.Addr             { return nil }
+}
-func (rw *nopConn) SetDeadline(time.Time) error      { return nil }
+
-func (rw *nopConn) SetReadDeadline(time.Time) error  { return nil }
+func (rw nopConn) Close() error                     { return nil }
-func (rw *nopConn) SetWriteDeadline(time.Time) error { return nil }
+func (rw nopConn) LocalAddr() net.Addr              { return nil }
 func (rw nopConn) RemoteAddr() net.Addr             { return nil }
 func (rw nopConn) SetDeadline(time.Time) error      { return nil }
 func (rw nopConn) SetReadDeadline(time.Time) error  { return nil }
 func (rw nopConn) SetWriteDeadline(time.Time) error { return nil }
 var udpAddrIPv4Unspecified = &net.UDPAddr{IP: net.IPv4zero, Port: 0}
 type nopPacketConn struct{}
-func (npc *nopPacketConn) WriteTo(b []byte, addr net.Addr) (n int, err error) { return len(b), nil }
+func (npc nopPacketConn) WriteTo(b []byte, addr net.Addr) (n int, err error) { return len(b), nil }
-func (npc *nopPacketConn) ReadFrom(b []byte) (int, net.Addr, error)           { return 0, nil, io.EOF }
+func (npc nopPacketConn) ReadFrom(b []byte) (int, net.Addr, error)           { return 0, nil, io.EOF }
-func (npc *nopPacketConn) Close() error                                       { return nil }
+func (npc nopPacketConn) Close() error                                       { return nil }
-func (npc *nopPacketConn) LocalAddr() net.Addr                                { return &net.UDPAddr{IP: net.IPv4zero, Port: 0} }
+func (npc nopPacketConn) LocalAddr() net.Addr                                { return udpAddrIPv4Unspecified }
-func (npc *nopPacketConn) SetDeadline(time.Time) error                        { return nil }
+func (npc nopPacketConn) SetDeadline(time.Time) error                        { return nil }
-func (npc *nopPacketConn) SetReadDeadline(time.Time) error                    { return nil }
+func (npc nopPacketConn) SetReadDeadline(time.Time) error                    { return nil }
-func (npc *nopPacketConn) SetWriteDeadline(time.Time) error                   { return nil }
+func (npc nopPacketConn) SetWriteDeadline(time.Time) error                   { return nil }
--- a/adapter/outbound/shadowsocks.go
+++ b/adapter/outbound/shadowsocks.go
@ -6,15 +6,20 @@ import (
 	"fmt"
 	"net"
 	"strconv"
 	"time"
 	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/common/structure"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/restls"
 	obfs "github.com/Dreamacro/clash/transport/simple-obfs"
 	shadowtls "github.com/Dreamacro/clash/transport/sing-shadowtls"
 	"github.com/Dreamacro/clash/transport/socks5"
 	v2rayObfs "github.com/Dreamacro/clash/transport/v2ray-plugin"
-	"github.com/metacubex/sing-shadowsocks"
+	restlsC "github.com/3andne/restls-client-go"
 	shadowsocks "github.com/metacubex/sing-shadowsocks"
 	"github.com/metacubex/sing-shadowsocks/shadowimpl"
 	"github.com/sagernet/sing/common/bufio"
 	M "github.com/sagernet/sing/common/metadata"
@ -30,6 +35,8 @@ type ShadowSocks struct {
 	obfsMode        string
 	obfsOption      *simpleObfsOption
 	v2rayOption     *v2rayObfs.Option
 	shadowTLSOption *shadowtls.ShadowTLSOption
 	restlsConfig    *restlsC.Config
 }
 type ShadowSocksOption struct {
@ -43,6 +50,7 @@ type ShadowSocksOption struct {
 	Plugin            string         `proxy:"plugin,omitempty"`
 	PluginOpts        map[string]any `proxy:"plugin-opts,omitempty"`
 	UDPOverTCP        bool           `proxy:"udp-over-tcp,omitempty"`
 	ClientFingerprint string         `proxy:"client-fingerprint,omitempty"`
 }
 type simpleObfsOption struct {
@ -61,8 +69,39 @@ type v2rayObfsOption struct {
 	Mux            bool              `obfs:"mux,omitempty"`
 }
 type shadowTLSOption struct {
 	Password       string `obfs:"password"`
 	Host           string `obfs:"host"`
 	Fingerprint    string `obfs:"fingerprint,omitempty"`
 	SkipCertVerify bool   `obfs:"skip-cert-verify,omitempty"`
 	Version        int    `obfs:"version,omitempty"`
 }
 type restlsOption struct {
 	Password     string `obfs:"password"`
 	Host         string `obfs:"host"`
 	VersionHint  string `obfs:"version-hint"`
 	RestlsScript string `obfs:"restls-script,omitempty"`
 }
 // StreamConn implements C.ProxyAdapter
 func (ss *ShadowSocks) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	switch ss.obfsMode {
 	case shadowtls.Mode:
 		// fix tls handshake not timeout
 		ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTLSTimeout)
 		defer cancel()
 		var err error
 		c, err = shadowtls.NewShadowTLS(ctx, c, ss.shadowTLSOption)
 		if err != nil {
 			return nil, err
 		}
 	}
 	return ss.streamConn(c, metadata)
 }
 func (ss *ShadowSocks) streamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	switch ss.obfsMode {
 	case "tls":
 		c = obfs.NewTLSObfs(c, ss.obfsOption.Host)
@ -75,11 +114,25 @@ func (ss *ShadowSocks) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, e
 		if err != nil {
 			return nil, fmt.Errorf("%s connect error: %w", ss.addr, err)
 		}
 	case restls.Mode:
 		var err error
 		c, err = restls.NewRestls(c, ss.restlsConfig)
 		if err != nil {
 			return nil, fmt.Errorf("%s (restls) connect error: %w", ss.addr, err)
 		}
 	}
 	if metadata.NetWork == C.UDP && ss.option.UDPOverTCP {
 		if N.NeedHandshake(c) {
 			return ss.method.DialEarlyConn(c, M.ParseSocksaddr(uot.UOTMagicAddress+":443")), nil
 		} else {
 			return ss.method.DialConn(c, M.ParseSocksaddr(uot.UOTMagicAddress+":443"))
 		}
 	}
 	if N.NeedHandshake(c) {
 		return ss.method.DialEarlyConn(c, M.ParseSocksaddr(metadata.RemoteAddress())), nil
 	} else {
 		return ss.method.DialConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
 	}
 }
 // DialContext implements C.ProxyAdapter
@ -99,7 +152,15 @@ func (ss *ShadowSocks) DialContextWithDialer(ctx context.Context, dialer C.Diale
 		safeConnClose(c, err)
 	}(c)
-	c, err = ss.StreamConn(c, metadata)
+	switch ss.obfsMode {
 	case shadowtls.Mode:
 		c, err = shadowtls.NewShadowTLS(ctx, c, ss.shadowTLSOption)
 		if err != nil {
 			return nil, err
 		}
 	}
 	c, err = ss.streamConn(c, metadata)
 	return NewConn(c, ss), err
 }
@ -150,13 +211,15 @@ func (ss *ShadowSocks) SupportUOT() bool {
 func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
-	method, err := shadowimpl.FetchMethod(option.Cipher, option.Password)
+	method, err := shadowimpl.FetchMethod(option.Cipher, option.Password, time.Now)
 	if err != nil {
 		return nil, fmt.Errorf("ss %s initialize error: %w", addr, err)
 	}
 	var v2rayOption *v2rayObfs.Option
 	var obfsOption *simpleObfsOption
 	var shadowTLSOpt *shadowtls.ShadowTLSOption
 	var restlsConfig *restlsC.Config
 	obfsMode := ""
 	decoder := structure.NewDecoder(structure.Option{TagName: "obfs", WeaklyTypedInput: true})
@ -192,6 +255,36 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			v2rayOption.TLS = true
 			v2rayOption.SkipCertVerify = opts.SkipCertVerify
 		}
 	} else if option.Plugin == shadowtls.Mode {
 		obfsMode = shadowtls.Mode
 		opt := &shadowTLSOption{
 			Version: 2,
 		}
 		if err := decoder.Decode(option.PluginOpts, opt); err != nil {
 			return nil, fmt.Errorf("ss %s initialize shadow-tls-plugin error: %w", addr, err)
 		}
 		shadowTLSOpt = &shadowtls.ShadowTLSOption{
 			Password:          opt.Password,
 			Host:              opt.Host,
 			Fingerprint:       opt.Fingerprint,
 			ClientFingerprint: option.ClientFingerprint,
 			SkipCertVerify:    opt.SkipCertVerify,
 			Version:           opt.Version,
 		}
 	} else if option.Plugin == restls.Mode {
 		obfsMode = restls.Mode
 		restlsOpt := &restlsOption{}
 		if err := decoder.Decode(option.PluginOpts, restlsOpt); err != nil {
 			return nil, fmt.Errorf("ss %s initialize restls-plugin error: %w", addr, err)
 		}
 		restlsConfig, err = restlsC.NewRestlsConfig(restlsOpt.Host, restlsOpt.Password, restlsOpt.VersionHint, restlsOpt.RestlsScript, option.ClientFingerprint)
 		restlsConfig.SessionTicketsDisabled = true
 		if err != nil {
 			return nil, fmt.Errorf("ss %s initialize restls-plugin error: %w", addr, err)
 		}
 	}
 	return &ShadowSocks{
@ -200,6 +293,7 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 			addr:   addr,
 			tp:     C.Shadowsocks,
 			udp:    option.UDP,
 			tfo:    option.TFO,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
@ -210,6 +304,8 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) {
 		obfsMode:        obfsMode,
 		v2rayOption:     v2rayOption,
 		obfsOption:      obfsOption,
 		shadowTLSOption: shadowTLSOpt,
 		restlsConfig:    restlsConfig,
 	}, nil
 }
--- a/adapter/outbound/shadowsocksr.go
+++ b/adapter/outbound/shadowsocksr.go
@ -163,6 +163,7 @@ func NewShadowSocksR(option ShadowSocksROption) (*ShadowSocksR, error) {
 			addr:   addr,
 			tp:     C.ShadowsocksR,
 			udp:    option.UDP,
 			tfo:    option.TFO,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
--- a/adapter/outbound/snell.go
+++ b/adapter/outbound/snell.go
@ -167,6 +167,7 @@ func NewSnell(option SnellOption) (*Snell, error) {
 			addr:   addr,
 			tp:     C.Snell,
 			udp:    option.UDP,
 			tfo:    option.TFO,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
--- a/adapter/outbound/socks5.go
+++ b/adapter/outbound/socks5.go
@ -5,12 +5,12 @@ import (
 	"crypto/tls"
 	"errors"
 	"fmt"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	"io"
 	"net"
 	"strconv"
 	"github.com/Dreamacro/clash/component/dialer"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/socks5"
 )
@ -167,7 +167,7 @@ func NewSocks5(option Socks5Option) (*Socks5, error) {
 		}
 		if len(option.Fingerprint) == 0 {
-			tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
+			tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
 		} else {
 			var err error
 			if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint); err != nil {
@ -182,6 +182,7 @@ func NewSocks5(option Socks5Option) (*Socks5, error) {
 			addr:   net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
 			tp:     C.Socks5,
 			udp:    option.UDP,
 			tfo:    option.TFO,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
--- a/adapter/outbound/trojan.go
+++ b/adapter/outbound/trojan.go
@ -4,12 +4,13 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	"net"
 	"net/http"
 	"strconv"
 	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/gun"
 	"github.com/Dreamacro/clash/transport/trojan"
@ -25,6 +26,8 @@ type Trojan struct {
 	gunTLSConfig *tls.Config
 	gunConfig    *gun.Config
 	transport    *gun.TransportWrap
 	realityConfig *tlsC.RealityConfig
 }
 type TrojanOption struct {
@ -39,10 +42,12 @@ type TrojanOption struct {
 	Fingerprint       string         `proxy:"fingerprint,omitempty"`
 	UDP               bool           `proxy:"udp,omitempty"`
 	Network           string         `proxy:"network,omitempty"`
 	RealityOpts       RealityOptions `proxy:"reality-opts,omitempty"`
 	GrpcOpts          GrpcOptions    `proxy:"grpc-opts,omitempty"`
 	WSOpts            WSOptions      `proxy:"ws-opts,omitempty"`
 	Flow              string         `proxy:"flow,omitempty"`
 	FlowShow          bool           `proxy:"flow-show,omitempty"`
 	ClientFingerprint string         `proxy:"client-fingerprint,omitempty"`
 }
 func (t *Trojan) plainStream(c net.Conn) (net.Conn, error) {
@ -75,8 +80,13 @@ func (t *Trojan) plainStream(c net.Conn) (net.Conn, error) {
 // StreamConn implements C.ProxyAdapter
 func (t *Trojan) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	var err error
 	if tlsC.HaveGlobalFingerprint() && len(t.option.ClientFingerprint) == 0 {
 		t.option.ClientFingerprint = tlsC.GetGlobalFingerprint()
 	}
 	if t.transport != nil {
-		c, err = gun.StreamGunWithConn(c, t.gunTLSConfig, t.gunConfig)
+		c, err = gun.StreamGunWithConn(c, t.gunTLSConfig, t.gunConfig, t.realityConfig)
 	} else {
 		c, err = t.plainStream(c)
 	}
@ -95,7 +105,7 @@ func (t *Trojan) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error)
 		return c, err
 	}
 	err = t.instance.WriteHeader(c, trojan.CommandTCP, serializesSocksAddr(metadata))
-	return c, err
+	return N.NewExtendedConn(c), err
 }
 // DialContext implements C.ProxyAdapter
@ -217,9 +227,12 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 		SkipCertVerify:    option.SkipCertVerify,
 		FlowShow:          option.FlowShow,
 		Fingerprint:       option.Fingerprint,
 		ClientFingerprint: option.ClientFingerprint,
 	}
-	if option.Network != "ws" && len(option.Flow) >= 16 {
+	switch option.Network {
 	case "", "tcp":
 		if len(option.Flow) >= 16 {
 			option.Flow = option.Flow[:16]
 			switch option.Flow {
 			case vless.XRO, vless.XRD, vless.XRS:
@ -228,6 +241,7 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 				return nil, fmt.Errorf("unsupported xtls flow type: %s", option.Flow)
 			}
 		}
 	}
 	if option.SNI != "" {
 		tOption.ServerName = option.SNI
@ -239,6 +253,7 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 			addr:   addr,
 			tp:     C.Trojan,
 			udp:    option.UDP,
 			tfo:    option.TFO,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
@ -247,6 +262,13 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 		option:   &option,
 	}
 	var err error
 	t.realityConfig, err = option.RealityOpts.Parse()
 	if err != nil {
 		return nil, err
 	}
 	tOption.Reality = t.realityConfig
 	if option.Network == "grpc" {
 		dialFn := func(network, addr string) (net.Conn, error) {
 			c, err := dialer.DialContext(context.Background(), "tcp", t.addr, t.Base.DialOptions()...)
@ -265,7 +287,7 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 		}
 		if len(option.Fingerprint) == 0 {
-			tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
+			tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
 		} else {
 			var err error
 			if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint); err != nil {
@ -273,11 +295,7 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
 			}
 		}
-		if t.option.Flow != "" {
+		t.transport = gun.NewHTTP2Client(dialFn, tlsConfig, tOption.ClientFingerprint, t.realityConfig)
 			t.transport = gun.NewHTTP2XTLSClient(dialFn, tlsConfig)
 		} else {
 			t.transport = gun.NewHTTP2Client(dialFn, tlsConfig)
 		}
 		t.gunTLSConfig = tlsConfig
 		t.gunConfig = &gun.Config{
--- a/adapter/outbound/tuic.go
+++ b/adapter/outbound/tuic.go
@ -51,6 +51,7 @@ type TuicOption struct {
 	ReceiveWindowConn   int    `proxy:"recv-window-conn,omitempty"`
 	ReceiveWindow       int    `proxy:"recv-window,omitempty"`
 	DisableMTUDiscovery bool   `proxy:"disable-mtu-discovery,omitempty"`
 	SNI                 string `proxy:"sni,omitempty"`
 }
 // DialContext implements C.ProxyAdapter
@ -106,12 +107,14 @@ func (t *Tuic) dialWithDialer(ctx context.Context, dialer C.Dialer) (pc net.Pack
 func NewTuic(option TuicOption) (*Tuic, error) {
 	addr := net.JoinHostPort(option.Server, strconv.Itoa(option.Port))
 	serverName := option.Server
 	tlsConfig := &tls.Config{
 		ServerName:         serverName,
 		InsecureSkipVerify: option.SkipCertVerify,
 		MinVersion:         tls.VersionTLS13,
 	}
 	if option.SNI != "" {
 		tlsConfig.ServerName = option.SNI
 	}
 	var bs []byte
 	var err error
@ -143,7 +146,7 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 			return nil, err
 		}
 	} else {
-		tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
+		tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
 	}
 	if len(option.ALPN) > 0 {
@ -165,7 +168,7 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 	}
 	if option.MaxUdpRelayPacketSize == 0 {
-		option.MaxUdpRelayPacketSize = 1500
+		option.MaxUdpRelayPacketSize = 1252
 	}
 	if option.MaxOpenStreams == 0 {
@ -213,12 +216,18 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 			udp:    true,
 			tfo:    option.FastOpen,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
 	}
-	// to avoid tuic's "too many open streams", decrease to 0.9x
+
 	clientMaxOpenStreams := int64(option.MaxOpenStreams)
 	// to avoid tuic's "too many open streams", decrease to 0.9x
 	if clientMaxOpenStreams == 100 {
 		clientMaxOpenStreams = clientMaxOpenStreams - int64(math.Ceil(float64(clientMaxOpenStreams)/10.0))
 	}
 	if clientMaxOpenStreams < 1 {
 		clientMaxOpenStreams = 1
 	}
--- a/adapter/outbound/vless.go
+++ b/adapter/outbound/vless.go
@ -17,10 +17,15 @@ import (
 	"github.com/Dreamacro/clash/component/resolver"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
 	"github.com/Dreamacro/clash/transport/gun"
 	"github.com/Dreamacro/clash/transport/socks5"
 	"github.com/Dreamacro/clash/transport/vless"
 	"github.com/Dreamacro/clash/transport/vmess"
 	vmessSing "github.com/sagernet/sing-vmess"
 	"github.com/sagernet/sing-vmess/packetaddr"
 	M "github.com/sagernet/sing/common/metadata"
 )
 const (
@ -37,6 +42,8 @@ type Vless struct {
 	gunTLSConfig *tls.Config
 	gunConfig    *gun.Config
 	transport    *gun.TransportWrap
 	realityConfig *tlsC.RealityConfig
 }
 type VlessOption struct {
@ -49,7 +56,11 @@ type VlessOption struct {
 	FlowShow          bool              `proxy:"flow-show,omitempty"`
 	TLS               bool              `proxy:"tls,omitempty"`
 	UDP               bool              `proxy:"udp,omitempty"`
 	PacketAddr        bool              `proxy:"packet-addr,omitempty"`
 	XUDP              bool              `proxy:"xudp,omitempty"`
 	PacketEncoding    string            `proxy:"packet-encoding,omitempty"`
 	Network           string            `proxy:"network,omitempty"`
 	RealityOpts       RealityOptions    `proxy:"reality-opts,omitempty"`
 	HTTPOpts          HTTPOptions       `proxy:"http-opts,omitempty"`
 	HTTP2Opts         HTTP2Options      `proxy:"h2-opts,omitempty"`
 	GrpcOpts          GrpcOptions       `proxy:"grpc-opts,omitempty"`
@ -59,13 +70,18 @@ type VlessOption struct {
 	SkipCertVerify    bool              `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint       string            `proxy:"fingerprint,omitempty"`
 	ServerName        string            `proxy:"servername,omitempty"`
 	ClientFingerprint string            `proxy:"client-fingerprint,omitempty"`
 }
 func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	var err error
 	if tlsC.HaveGlobalFingerprint() && len(v.option.ClientFingerprint) == 0 {
 		v.option.ClientFingerprint = tlsC.GetGlobalFingerprint()
 	}
 	switch v.option.Network {
 	case "ws":
 		host, port, _ := net.SplitHostPort(v.addr)
 		wsOpts := &vmess.WebsocketConfig{
 			Host:                host,
@ -73,6 +89,7 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 			Path:                v.option.WSOpts.Path,
 			MaxEarlyData:        v.option.WSOpts.MaxEarlyData,
 			EarlyDataHeaderName: v.option.WSOpts.EarlyDataHeaderName,
 			ClientFingerprint:   v.option.ClientFingerprint,
 			Headers:             http.Header{},
 		}
@ -91,9 +108,12 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 			}
 			if len(v.option.Fingerprint) == 0 {
-				wsOpts.TLSConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
+				wsOpts.TLSConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
 			} else {
 				wsOpts.TLSConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint)
 				if err != nil {
 					return nil, err
 				}
 			}
 			if v.option.ServerName != "" {
@ -137,11 +157,7 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 		c, err = vmess.StreamH2Conn(c, h2Opts)
 	case "grpc":
-		if v.isXTLSEnabled() {
+		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig, v.realityConfig)
 			c, err = gun.StreamGunWithXTLSConn(c, v.gunTLSConfig, v.gunConfig)
 		} else {
 			c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig)
 		}
 	default:
 		// default tcp network
 		// handle TLS And XTLS
@ -152,21 +168,17 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 		return nil, err
 	}
-	return v.client.StreamConn(c, parseVlessAddr(metadata))
+	return v.client.StreamConn(c, parseVlessAddr(metadata, v.option.XUDP))
 }
 func (v *Vless) streamTLSOrXTLSConn(conn net.Conn, isH2 bool) (net.Conn, error) {
 	host, _, _ := net.SplitHostPort(v.addr)
-	if v.isXTLSEnabled() {
+	if v.isLegacyXTLSEnabled() && !isH2 {
 		xtlsOpts := vless.XTLSConfig{
 			Host:           host,
 			SkipCertVerify: v.option.SkipCertVerify,
-			FingerPrint:    v.option.Fingerprint,
+			Fingerprint:    v.option.Fingerprint,
 		}
 		if isH2 {
 			xtlsOpts.NextProtos = []string{"h2"}
 		}
 		if v.option.ServerName != "" {
@ -180,6 +192,8 @@ func (v *Vless) streamTLSOrXTLSConn(conn net.Conn, isH2 bool) (net.Conn, error)
 			Host:              host,
 			SkipCertVerify:    v.option.SkipCertVerify,
 			FingerPrint:       v.option.Fingerprint,
 			ClientFingerprint: v.option.ClientFingerprint,
 			Reality:           v.realityConfig,
 		}
 		if isH2 {
@ -196,8 +210,8 @@ func (v *Vless) streamTLSOrXTLSConn(conn net.Conn, isH2 bool) (net.Conn, error)
 	return conn, nil
 }
-func (v *Vless) isXTLSEnabled() bool {
+func (v *Vless) isLegacyXTLSEnabled() bool {
-	return v.client.Addons != nil
+	return v.client.Addons != nil && v.client.Addons.Flow != vless.XRV
 }
 // DialContext implements C.ProxyAdapter
@ -212,7 +226,7 @@ func (v *Vless) DialContext(ctx context.Context, metadata *C.Metadata, opts ...d
 			safeConnClose(c, err)
 		}(c)
-		c, err = v.client.StreamConn(c, parseVlessAddr(metadata))
+		c, err = v.client.StreamConn(c, parseVlessAddr(metadata, v.option.XUDP))
 		if err != nil {
 			return nil, err
 		}
@ -234,12 +248,15 @@ func (v *Vless) DialContextWithDialer(ctx context.Context, dialer C.Dialer, meta
 	}(c)
 	c, err = v.StreamConn(c, metadata)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 	}
 	return NewConn(c, v), err
 }
 // ListenPacketContext implements C.ProxyAdapter
 func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
-	// vless use stream-oriented udp with a special address, so we needs a net.UDPAddr
+	// vless use stream-oriented udp with a special address, so we need a net.UDPAddr
 	if !metadata.Resolved() {
 		ip, err := resolver.ResolveIP(ctx, metadata.Host)
 		if err != nil {
@ -259,7 +276,15 @@ func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 			safeConnClose(c, err)
 		}(c)
-		c, err = v.client.StreamConn(c, parseVlessAddr(metadata))
+		if v.option.PacketAddr {
 			packetAddrMetadata := *metadata // make a copy
 			packetAddrMetadata.Host = packetaddr.SeqPacketMagicAddress
 			packetAddrMetadata.DstPort = "443"
 			c, err = v.client.StreamConn(c, parseVlessAddr(&packetAddrMetadata, false))
 		} else {
 			c, err = v.client.StreamConn(c, parseVlessAddr(metadata, v.option.XUDP))
 		}
 		if err != nil {
 			return nil, fmt.Errorf("new vless client error: %v", err)
@ -272,7 +297,7 @@ func (v *Vless) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 // ListenPacketWithDialer implements C.ProxyAdapter
 func (v *Vless) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	// vless use stream-oriented udp with a special address, so we needs a net.UDPAddr
+	// vless use stream-oriented udp with a special address, so we need a net.UDPAddr
 	if !metadata.Resolved() {
 		ip, err := resolver.ResolveIP(ctx, metadata.Host)
 		if err != nil {
@ -289,7 +314,15 @@ func (v *Vless) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, met
 		safeConnClose(c, err)
 	}(c)
 	if v.option.PacketAddr {
 		packetAddrMetadata := *metadata // make a copy
 		packetAddrMetadata.Host = packetaddr.SeqPacketMagicAddress
 		packetAddrMetadata.DstPort = "443"
 		c, err = v.StreamConn(c, &packetAddrMetadata)
 	} else {
 		c, err = v.StreamConn(c, metadata)
 	}
 	if err != nil {
 		return nil, fmt.Errorf("new vless client error: %v", err)
@ -305,6 +338,17 @@ func (v *Vless) SupportWithDialer() bool {
 // ListenPacketOnStreamConn implements C.ProxyAdapter
 func (v *Vless) ListenPacketOnStreamConn(c net.Conn, metadata *C.Metadata) (_ C.PacketConn, err error) {
 	if v.option.XUDP {
 		return newPacketConn(&threadSafePacketConn{
 			PacketConn: vmessSing.NewXUDPConn(c, M.ParseSocksaddr(metadata.RemoteAddress())),
 		}, v), nil
 	} else if v.option.PacketAddr {
 		return newPacketConn(&threadSafePacketConn{
 			PacketConn: packetaddr.NewConn(&vlessPacketConn{
 				Conn: c, rAddr: metadata.UDPAddr(),
 			}, M.ParseSocksaddr(metadata.RemoteAddress())),
 		}, v), nil
 	}
 	return newPacketConn(&vlessPacketConn{Conn: c, rAddr: metadata.UDPAddr()}, v), nil
 }
@ -313,7 +357,7 @@ func (v *Vless) SupportUOT() bool {
 	return true
 }
-func parseVlessAddr(metadata *C.Metadata) *vless.DstAddr {
+func parseVlessAddr(metadata *C.Metadata, xudp bool) *vless.DstAddr {
 	var addrType byte
 	var addr []byte
 	switch metadata.AddrType() {
@ -337,7 +381,8 @@ func parseVlessAddr(metadata *C.Metadata) *vless.DstAddr {
 		UDP:      metadata.NetWork == C.UDP,
 		AddrType: addrType,
 		Addr:     addr,
-		Port:     uint(port),
+		Port:     uint16(port),
 		Mux:      metadata.NetWork == C.UDP && xudp,
 	}
 }
@ -438,6 +483,9 @@ func NewVless(option VlessOption) (*Vless, error) {
 	if option.Network != "ws" && len(option.Flow) >= 16 {
 		option.Flow = option.Flow[:16]
 		switch option.Flow {
 		case vless.XRV:
 			log.Warnln("To use %s, ensure your server is upgrade to Xray-core v1.8.0+", vless.XRV)
 			fallthrough
 		case vless.XRO, vless.XRD, vless.XRS:
 			addons = &vless.Addons{
 				Flow: option.Flow,
@ -447,6 +495,16 @@ func NewVless(option VlessOption) (*Vless, error) {
 		}
 	}
 	switch option.PacketEncoding {
 	case "packetaddr", "packet":
 		option.PacketAddr = true
 		option.XUDP = false
 	default: // https://github.com/XTLS/Xray-core/pull/1567#issuecomment-1407305458
 		if !option.PacketAddr {
 			option.XUDP = true
 		}
 	}
 	client, err := vless.NewClient(option.UUID, addons, option.FlowShow)
 	if err != nil {
 		return nil, err
@ -458,13 +516,21 @@ func NewVless(option VlessOption) (*Vless, error) {
 			addr:   net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
 			tp:     C.Vless,
 			udp:    option.UDP,
 			xudp:   option.XUDP,
 			tfo:    option.TFO,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
 		client: client,
 		option: &option,
 	}
 	v.realityConfig, err = v.option.RealityOpts.Parse()
 	if err != nil {
 		return nil, err
 	}
 	switch option.Network {
 	case "h2":
 		if len(option.HTTP2Opts.Host) == 0 {
@ -483,8 +549,9 @@ func NewVless(option VlessOption) (*Vless, error) {
 		gunConfig := &gun.Config{
 			ServiceName:       v.option.GrpcOpts.GrpcServiceName,
 			Host:              v.option.ServerName,
 			ClientFingerprint: v.option.ClientFingerprint,
 		}
-		tlsConfig := tlsC.GetGlobalFingerprintTLCConfig(&tls.Config{
+		tlsConfig := tlsC.GetGlobalTLSConfig(&tls.Config{
 			InsecureSkipVerify: v.option.SkipCertVerify,
 			ServerName:         v.option.ServerName,
 		})
@ -497,11 +564,8 @@ func NewVless(option VlessOption) (*Vless, error) {
 		v.gunTLSConfig = tlsConfig
 		v.gunConfig = gunConfig
-		if v.isXTLSEnabled() {
+
-			v.transport = gun.NewHTTP2XTLSClient(dialFn, tlsConfig)
+		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig, v.option.ClientFingerprint, v.realityConfig)
 		} else {
 			v.transport = gun.NewHTTP2Client(dialFn, tlsConfig)
 		}
 	}
 	return v, nil
--- a/adapter/outbound/vmess.go
+++ b/adapter/outbound/vmess.go
@ -5,20 +5,21 @@ import (
 	"crypto/tls"
 	"errors"
 	"fmt"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	vmess "github.com/sagernet/sing-vmess"
 	"net"
 	"net/http"
 	"strconv"
 	"strings"
 	"sync"
 	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/resolver"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/transport/gun"
 	clashVMess "github.com/Dreamacro/clash/transport/vmess"
 	vmess "github.com/sagernet/sing-vmess"
 	"github.com/sagernet/sing-vmess/packetaddr"
 	M "github.com/sagernet/sing/common/metadata"
 )
@ -34,6 +35,8 @@ type Vmess struct {
 	gunTLSConfig *tls.Config
 	gunConfig    *gun.Config
 	transport    *gun.TransportWrap
 	realityConfig *tlsC.RealityConfig
 }
 type VmessOption struct {
@ -50,6 +53,7 @@ type VmessOption struct {
 	SkipCertVerify      bool           `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint         string         `proxy:"fingerprint,omitempty"`
 	ServerName          string         `proxy:"servername,omitempty"`
 	RealityOpts         RealityOptions `proxy:"reality-opts,omitempty"`
 	HTTPOpts            HTTPOptions    `proxy:"http-opts,omitempty"`
 	HTTP2Opts           HTTP2Options   `proxy:"h2-opts,omitempty"`
 	GrpcOpts            GrpcOptions    `proxy:"grpc-opts,omitempty"`
@ -59,6 +63,7 @@ type VmessOption struct {
 	PacketEncoding      string         `proxy:"packet-encoding,omitempty"`
 	GlobalPadding       bool           `proxy:"global-padding,omitempty"`
 	AuthenticatedLength bool           `proxy:"authenticated-length,omitempty"`
 	ClientFingerprint   string         `proxy:"client-fingerprint,omitempty"`
 }
 type HTTPOptions struct {
@ -86,9 +91,13 @@ type WSOptions struct {
 // StreamConn implements C.ProxyAdapter
 func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	var err error
 	if tlsC.HaveGlobalFingerprint() && (len(v.option.ClientFingerprint) == 0) {
 		v.option.ClientFingerprint = tlsC.GetGlobalFingerprint()
 	}
 	switch v.option.Network {
 	case "ws":
 		host, port, _ := net.SplitHostPort(v.addr)
 		wsOpts := &clashVMess.WebsocketConfig{
 			Host:                host,
@ -96,6 +105,7 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 			Path:                v.option.WSOpts.Path,
 			MaxEarlyData:        v.option.WSOpts.MaxEarlyData,
 			EarlyDataHeaderName: v.option.WSOpts.EarlyDataHeaderName,
 			ClientFingerprint:   v.option.ClientFingerprint,
 			Headers:             http.Header{},
 		}
@ -114,9 +124,8 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 			}
 			if len(v.option.Fingerprint) == 0 {
-				wsOpts.TLSConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig)
+				wsOpts.TLSConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
 			} else {
 				var err error
 				if wsOpts.TLSConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint); err != nil {
 					return nil, err
 				}
@ -136,12 +145,13 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 			tlsOpts := &clashVMess.TLSConfig{
 				Host:              host,
 				SkipCertVerify:    v.option.SkipCertVerify,
 				ClientFingerprint: v.option.ClientFingerprint,
 				Reality:           v.realityConfig,
 			}
 			if v.option.ServerName != "" {
 				tlsOpts.Host = v.option.ServerName
 			}
 			c, err = clashVMess.StreamTLSConn(c, tlsOpts)
 			if err != nil {
 				return nil, err
@ -163,6 +173,8 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 			Host:              host,
 			SkipCertVerify:    v.option.SkipCertVerify,
 			NextProtos:        []string{"h2"},
 			ClientFingerprint: v.option.ClientFingerprint,
 			Reality:           v.realityConfig,
 		}
 		if v.option.ServerName != "" {
@ -181,7 +193,7 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 		c, err = clashVMess.StreamH2Conn(c, h2Opts)
 	case "grpc":
-		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig)
+		c, err = gun.StreamGunWithConn(c, v.gunTLSConfig, v.gunConfig, v.realityConfig)
 	default:
 		// handle TLS
 		if v.option.TLS {
@ -189,6 +201,8 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 			tlsOpts := &clashVMess.TLSConfig{
 				Host:              host,
 				SkipCertVerify:    v.option.SkipCertVerify,
 				ClientFingerprint: v.option.ClientFingerprint,
 				Reality:           v.realityConfig,
 			}
 			if v.option.ServerName != "" {
@ -204,13 +218,25 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
 	}
 	if metadata.NetWork == C.UDP {
 		if v.option.XUDP {
 			if N.NeedHandshake(c) {
 				return v.client.DialEarlyXUDPPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress())), nil
 			} else {
 				return v.client.DialXUDPPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
 			}
 		} else {
 			if N.NeedHandshake(c) {
 				return v.client.DialEarlyPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress())), nil
 			} else {
 				return v.client.DialPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
 			}
 		}
 	} else {
 		if N.NeedHandshake(c) {
 			return v.client.DialEarlyConn(c, M.ParseSocksaddr(metadata.RemoteAddress())), nil
 		} else {
 			return v.client.DialConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
 		}
 	}
 }
 // DialContext implements C.ProxyAdapter
@ -252,7 +278,7 @@ func (v *Vmess) DialContextWithDialer(ctx context.Context, dialer C.Dialer, meta
 // ListenPacketContext implements C.ProxyAdapter
 func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
-	// vmess use stream-oriented udp with a special address, so we needs a net.UDPAddr
+	// vmess use stream-oriented udp with a special address, so we need a net.UDPAddr
 	if !metadata.Resolved() {
 		ip, err := resolver.ResolveIP(ctx, metadata.Host)
 		if err != nil {
@ -280,32 +306,30 @@ func (v *Vmess) ListenPacketContext(ctx context.Context, metadata *C.Metadata, o
 		}(c)
 		if v.option.XUDP {
 			if N.NeedHandshake(c) {
 				c = v.client.DialEarlyXUDPPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
 			} else {
 				c, err = v.client.DialXUDPPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
 			}
 		} else {
 			if N.NeedHandshake(c) {
 				c = v.client.DialEarlyPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
 			} else {
 				c, err = v.client.DialPacketConn(c, M.ParseSocksaddr(metadata.RemoteAddress()))
 			}
 		}
 		if err != nil {
 			return nil, fmt.Errorf("new vmess client error: %v", err)
 		}
 		return v.ListenPacketOnStreamConn(c, metadata)
 	}
 	c, err = dialer.DialContext(ctx, "tcp", v.addr, v.Base.DialOptions(opts...)...)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 	}
 	tcpKeepAlive(c)
 	defer func(c net.Conn) {
 		safeConnClose(c, err)
 	}(c)
 	c, err = v.StreamConn(c, metadata)
 	return v.ListenPacketWithDialer(ctx, dialer.NewDialer(v.Base.DialOptions(opts...)...), metadata)
 }
 // ListenPacketWithDialer implements C.ProxyAdapter
 func (v *Vmess) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, metadata *C.Metadata) (_ C.PacketConn, err error) {
-	// vmess use stream-oriented udp with a special address, so we needs a net.UDPAddr
+	// vmess use stream-oriented udp with a special address, so we need a net.UDPAddr
 	if !metadata.Resolved() {
 		ip, err := resolver.ResolveIP(ctx, metadata.Host)
 		if err != nil {
@ -315,10 +339,18 @@ func (v *Vmess) ListenPacketWithDialer(ctx context.Context, dialer C.Dialer, met
 	}
 	c, err := dialer.DialContext(ctx, "tcp", v.addr)
 	if err != nil {
 		return nil, fmt.Errorf("%s connect error: %s", v.addr, err.Error())
 	}
 	tcpKeepAlive(c)
 	defer func(c net.Conn) {
 		safeConnClose(c, err)
 	}(c)
 	c, err = v.StreamConn(c, metadata)
 	if err != nil {
 		return nil, fmt.Errorf("new vmess client error: %v", err)
 	}
 	return v.ListenPacketOnStreamConn(c, metadata)
 }
@ -369,7 +401,7 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 	switch option.Network {
 	case "h2", "grpc":
 		if !option.TLS {
-			return nil, fmt.Errorf("TLS must be true with h2/grpc network")
+			option.TLS = true
 		}
 	}
@ -379,6 +411,8 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 			addr:   net.JoinHostPort(option.Server, strconv.Itoa(option.Port)),
 			tp:     C.Vmess,
 			udp:    option.UDP,
 			xudp:   option.XUDP,
 			tfo:    option.TFO,
 			iface:  option.Interface,
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
@ -405,6 +439,7 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 		gunConfig := &gun.Config{
 			ServiceName:       v.option.GrpcOpts.GrpcServiceName,
 			Host:              v.option.ServerName,
 			ClientFingerprint: v.option.ClientFingerprint,
 		}
 		tlsConfig := &tls.Config{
 			InsecureSkipVerify: v.option.SkipCertVerify,
@ -419,8 +454,15 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 		v.gunTLSConfig = tlsConfig
 		v.gunConfig = gunConfig
-		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig)
+
 		v.transport = gun.NewHTTP2Client(dialFn, tlsConfig, v.option.ClientFingerprint, v.realityConfig)
 	}
 	v.realityConfig, err = v.option.RealityOpts.Parse()
 	if err != nil {
 		return nil, err
 	}
 	return v, nil
 }
--- a/adapter/outbound/wireguard.go
+++ b/adapter/outbound/wireguard.go
@ -17,7 +17,7 @@ import (
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/resolver"
 	C "github.com/Dreamacro/clash/constant"
-	"github.com/Dreamacro/clash/listener/sing"
+	"github.com/Dreamacro/clash/log"
 	wireguard "github.com/metacubex/sing-wireguard"
@ -34,7 +34,7 @@ type WireGuard struct {
 	bind      *wireguard.ClientBind
 	device    *device.Device
 	tunDevice wireguard.Device
-	dialer    *wgDialer
+	dialer    *wgSingDialer
 	startOnce sync.Once
 	startErr  error
 }
@ -56,16 +56,28 @@ type WireGuardOption struct {
 	PersistentKeepalive int     `proxy:"persistent-keepalive,omitempty"`
 }
-type wgDialer struct {
+type wgSingDialer struct {
-	options []dialer.Option
+	dialer dialer.Dialer
 }
-func (d *wgDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+var _ N.Dialer = &wgSingDialer{}
-	return dialer.DialContext(ctx, network, destination.String(), d.options...)
+
 func (d *wgSingDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	return d.dialer.DialContext(ctx, network, destination.String())
 }
-func (d *wgDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+func (d *wgSingDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	return dialer.ListenPacket(ctx, dialer.ParseNetwork("udp", destination.Addr), "", d.options...)
+	return d.dialer.ListenPacket(ctx, "udp", "", destination.AddrPort())
 }
 type wgNetDialer struct {
 	tunDevice wireguard.Device
 }
 var _ dialer.NetDialer = &wgNetDialer{}
 func (d wgNetDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
 	return d.tunDevice.DialContext(ctx, network, M.ParseSocksaddr(address).Unwrap())
 }
 func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
@ -79,7 +91,7 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 			rmark:  option.RoutingMark,
 			prefer: C.NewDNSPrefer(option.IPVersion),
 		},
-		dialer: &wgDialer{},
+		dialer: &wgSingDialer{dialer: dialer.NewDialer()},
 	}
 	runtime.SetFinalizer(outbound, closeWireGuard)
@ -174,14 +186,14 @@ func NewWireGuard(option WireGuardOption) (*WireGuard, error) {
 	}
 	outbound.device = device.NewDevice(outbound.tunDevice, outbound.bind, &device.Logger{
 		Verbosef: func(format string, args ...interface{}) {
-			sing.Logger.Debug(fmt.Sprintf(strings.ToLower(format), args...))
+			log.SingLogger.Debug(fmt.Sprintf(strings.ToLower(format), args...))
 		},
 		Errorf: func(format string, args ...interface{}) {
-			sing.Logger.Error(fmt.Sprintf(strings.ToLower(format), args...))
+			log.SingLogger.Error(fmt.Sprintf(strings.ToLower(format), args...))
 		},
 	}, option.Workers)
 	if debug.Enabled {
-		sing.Logger.Trace("created wireguard ipc conf: \n", ipcConf)
+		log.SingLogger.Trace("created wireguard ipc conf: \n", ipcConf)
 	}
 	err = outbound.device.IpcSet(ipcConf)
 	if err != nil {
@ -199,7 +211,8 @@ func closeWireGuard(w *WireGuard) {
 }
 func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.Conn, err error) {
-	w.dialer.options = opts
+	options := w.Base.DialOptions(opts...)
 	w.dialer.dialer = dialer.NewDialer(options...)
 	var conn net.Conn
 	w.startOnce.Do(func() {
 		w.startErr = w.tunDevice.Start()
@ -208,15 +221,12 @@ func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata, opts
 		return nil, w.startErr
 	}
 	if !metadata.Resolved() {
-		var addrs []netip.Addr
+		options = append(options, dialer.WithResolver(resolver.DefaultResolver))
-		addrs, err = resolver.LookupIP(ctx, metadata.Host)
+		options = append(options, dialer.WithNetDialer(wgNetDialer{tunDevice: w.tunDevice}))
-		if err != nil {
+		conn, err = dialer.NewDialer(options...).DialContext(ctx, "tcp", metadata.RemoteAddress())
 			return nil, err
 		}
 		conn, err = N.DialSerial(ctx, w.tunDevice, "tcp", M.ParseSocksaddr(metadata.RemoteAddress()), addrs)
 	} else {
 		port, _ := strconv.Atoi(metadata.DstPort)
-		conn, err = w.tunDevice.DialContext(ctx, "tcp", M.SocksaddrFrom(metadata.DstIP, uint16(port)))
+		conn, err = w.tunDevice.DialContext(ctx, "tcp", M.SocksaddrFrom(metadata.DstIP, uint16(port)).Unwrap())
 	}
 	if err != nil {
 		return nil, err
@ -228,7 +238,8 @@ func (w *WireGuard) DialContext(ctx context.Context, metadata *C.Metadata, opts
 }
 func (w *WireGuard) ListenPacketContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (_ C.PacketConn, err error) {
-	w.dialer.options = opts
+	options := w.Base.DialOptions(opts...)
 	w.dialer.dialer = dialer.NewDialer(options...)
 	var pc net.PacketConn
 	w.startOnce.Do(func() {
 		w.startErr = w.tunDevice.Start()
@ -247,7 +258,7 @@ func (w *WireGuard) ListenPacketContext(ctx context.Context, metadata *C.Metadat
 		metadata.DstIP = ip
 	}
 	port, _ := strconv.Atoi(metadata.DstPort)
-	pc, err = w.tunDevice.ListenPacket(ctx, M.SocksaddrFrom(metadata.DstIP, uint16(port)))
+	pc, err = w.tunDevice.ListenPacket(ctx, M.SocksaddrFrom(metadata.DstIP, uint16(port)).Unwrap())
 	if err != nil {
 		return nil, err
 	}
--- a/adapter/outboundgroup/fallback.go
+++ b/adapter/outboundgroup/fallback.go
@ -4,11 +4,14 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
 	"time"
 	"github.com/Dreamacro/clash/adapter/outbound"
 	"github.com/Dreamacro/clash/common/callback"
 	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/provider"
 	"time"
 )
 type Fallback struct {
@ -29,10 +32,22 @@ func (f *Fallback) DialContext(ctx context.Context, metadata *C.Metadata, opts .
 	c, err := proxy.DialContext(ctx, metadata, f.Base.DialOptions(opts...)...)
 	if err == nil {
 		c.AppendToChains(f)
 	} else {
 		f.onDialFailed(proxy.Type(), err)
 	}
 	if N.NeedHandshake(c) {
 		c = &callback.FirstWriteCallBackConn{
 			Conn: c,
 			Callback: func(err error) {
 				if err == nil {
 					f.onDialSuccess()
 				} else {
 					f.onDialFailed(proxy.Type(), err)
 				}
 			},
 		}
 	}
 	return c, err
 }
@ -132,6 +147,7 @@ func NewFallback(option *GroupCommonOption, providers []provider.ProxyProvider)
 			},
 			option.Filter,
 			option.ExcludeFilter,
 			option.ExcludeType,
 			providers,
 		}),
 		disableUDP: option.DisableUDP,
--- a/adapter/outboundgroup/groupbase.go
+++ b/adapter/outboundgroup/groupbase.go
@ -3,23 +3,26 @@ package outboundgroup
 import (
 	"context"
 	"fmt"
 	"strings"
 	"sync"
 	"time"
 	"github.com/Dreamacro/clash/adapter/outbound"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/provider"
 	types "github.com/Dreamacro/clash/constant/provider"
 	"github.com/Dreamacro/clash/log"
 	"github.com/Dreamacro/clash/tunnel"
 	"github.com/dlclark/regexp2"
 	"go.uber.org/atomic"
 	"strings"
 	"sync"
 	"time"
 )
 type GroupBase struct {
 	*outbound.Base
 	filterRegs       []*regexp2.Regexp
 	excludeFilterReg *regexp2.Regexp
 	excludeTypeArray []string
 	providers        []provider.ProxyProvider
 	failedTestMux    sync.Mutex
 	failedTimes      int
@ -33,6 +36,7 @@ type GroupBaseOption struct {
 	outbound.BaseOption
 	filter        string
 	excludeFilter string
 	excludeType   string
 	providers     []provider.ProxyProvider
 }
@ -41,6 +45,10 @@ func NewGroupBase(opt GroupBaseOption) *GroupBase {
 	if opt.excludeFilter != "" {
 		excludeFilterReg = regexp2.MustCompile(opt.excludeFilter, 0)
 	}
 	var excludeTypeArray []string
 	if opt.excludeType != "" {
 		excludeTypeArray = strings.Split(opt.excludeType, "|")
 	}
 	var filterRegs []*regexp2.Regexp
 	if opt.filter != "" {
@ -54,6 +62,7 @@ func NewGroupBase(opt GroupBaseOption) *GroupBase {
 		Base:             outbound.NewBase(opt.BaseOption),
 		filterRegs:       filterRegs,
 		excludeFilterReg: excludeFilterReg,
 		excludeTypeArray: excludeTypeArray,
 		providers:        opt.providers,
 		failedTesting:    atomic.NewBool(false),
 	}
@ -148,6 +157,25 @@ func (gb *GroupBase) GetProxies(touch bool) []C.Proxy {
 		}
 		proxies = newProxies
 	}
 	if gb.excludeTypeArray != nil {
 		var newProxies []C.Proxy
 		for _, p := range proxies {
 			mType := p.Type().String()
 			flag := false
 			for i := range gb.excludeTypeArray {
 				if strings.EqualFold(mType, gb.excludeTypeArray[i]) {
 					flag = true
 					break
 				}
 			}
 			if flag {
 				continue
 			}
 			newProxies = append(newProxies, p)
 		}
 		proxies = newProxies
 	}
 	if gb.excludeFilterReg != nil {
 		var newProxies []C.Proxy
--- a/adapter/outboundgroup/loadbalance.go
+++ b/adapter/outboundgroup/loadbalance.go
@ -5,12 +5,15 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"github.com/Dreamacro/clash/common/cache"
 	"net"
 	"sync"
 	"time"
 	"github.com/Dreamacro/clash/adapter/outbound"
 	"github.com/Dreamacro/clash/common/cache"
 	"github.com/Dreamacro/clash/common/callback"
 	"github.com/Dreamacro/clash/common/murmur3"
 	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/provider"
@ -18,7 +21,7 @@ import (
 	"golang.org/x/net/publicsuffix"
 )
-type strategyFn = func(proxies []C.Proxy, metadata *C.Metadata) C.Proxy
+type strategyFn = func(proxies []C.Proxy, metadata *C.Metadata, touch bool) C.Proxy
 type LoadBalance struct {
 	*GroupBase
@ -83,17 +86,27 @@ func jumpHash(key uint64, buckets int32) int32 {
 // DialContext implements C.ProxyAdapter
 func (lb *LoadBalance) DialContext(ctx context.Context, metadata *C.Metadata, opts ...dialer.Option) (c C.Conn, err error) {
 	proxy := lb.Unwrap(metadata, true)
 	c, err = proxy.DialContext(ctx, metadata, lb.Base.DialOptions(opts...)...)
 	defer func() {
 	if err == nil {
 		c.AppendToChains(lb)
 	} else {
 		lb.onDialFailed(proxy.Type(), err)
 	}
 	if N.NeedHandshake(c) {
 		c = &callback.FirstWriteCallBackConn{
 			Conn: c,
 			Callback: func(err error) {
 				if err == nil {
 					lb.onDialSuccess()
 				} else {
 					lb.onDialFailed(proxy.Type(), err)
 				}
-	}()
+			},
 		}
 	}
 	c, err = proxy.DialContext(ctx, metadata, lb.Base.DialOptions(opts...)...)
 	return
 }
@ -116,12 +129,25 @@ func (lb *LoadBalance) SupportUDP() bool {
 func strategyRoundRobin() strategyFn {
 	idx := 0
-	return func(proxies []C.Proxy, metadata *C.Metadata) C.Proxy {
+	idxMutex := sync.Mutex{}
 	return func(proxies []C.Proxy, metadata *C.Metadata, touch bool) C.Proxy {
 		idxMutex.Lock()
 		defer idxMutex.Unlock()
 		i := 0
 		length := len(proxies)
-		for i := 0; i < length; i++ {
+
-			idx = (idx + 1) % length
+		if touch {
-			proxy := proxies[idx]
+			defer func() {
 				idx = (idx + i) % length
 			}()
 		}
 		for ; i < length; i++ {
 			id := (idx + i) % length
 			proxy := proxies[id]
 			if proxy.Alive() {
 				i++
 				return proxy
 			}
 		}
@ -132,7 +158,7 @@ func strategyRoundRobin() strategyFn {
 func strategyConsistentHashing() strategyFn {
 	maxRetry := 5
-	return func(proxies []C.Proxy, metadata *C.Metadata) C.Proxy {
+	return func(proxies []C.Proxy, metadata *C.Metadata, touch bool) C.Proxy {
 		key := uint64(murmur3.Sum32([]byte(getKey(metadata))))
 		buckets := int32(len(proxies))
 		for i := 0; i < maxRetry; i, key = i+1, key+1 {
@ -160,7 +186,7 @@ func strategyStickySessions() strategyFn {
 	lruCache := cache.New[uint64, int](
 		cache.WithAge[uint64, int](int64(ttl.Seconds())),
 		cache.WithSize[uint64, int](1000))
-	return func(proxies []C.Proxy, metadata *C.Metadata) C.Proxy {
+	return func(proxies []C.Proxy, metadata *C.Metadata, touch bool) C.Proxy {
 		key := uint64(murmur3.Sum32([]byte(getKeyWithSrcAndDst(metadata))))
 		length := len(proxies)
 		idx, has := lruCache.Get(key)
@ -192,7 +218,7 @@ func strategyStickySessions() strategyFn {
 // Unwrap implements C.ProxyAdapter
 func (lb *LoadBalance) Unwrap(metadata *C.Metadata, touch bool) C.Proxy {
 	proxies := lb.GetProxies(touch)
-	return lb.strategyFn(proxies, metadata)
+	return lb.strategyFn(proxies, metadata, touch)
 }
 // MarshalJSON implements C.ProxyAdapter
@ -229,6 +255,7 @@ func NewLoadBalance(option *GroupCommonOption, providers []provider.ProxyProvide
 			},
 			option.Filter,
 			option.ExcludeFilter,
 			option.ExcludeType,
 			providers,
 		}),
 		strategyFn: strategyFn,
--- a/adapter/outboundgroup/parser.go
+++ b/adapter/outboundgroup/parser.go
@ -31,6 +31,7 @@ type GroupCommonOption struct {
 	DisableUDP    bool     `group:"disable-udp,omitempty"`
 	Filter        string   `group:"filter,omitempty"`
 	ExcludeFilter string   `group:"exclude-filter,omitempty"`
 	ExcludeType   string   `group:"exclude-type,omitempty"`
 }
 func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, providersMap map[string]types.ProxyProvider) (C.ProxyAdapter, error) {
@ -77,7 +78,7 @@ func ParseProxyGroup(config map[string]any, proxyMap map[string]C.Proxy, provide
 			providersMap[groupName] = pd
 		} else {
 			if groupOption.URL == "" {
-				groupOption.URL = "http://www.gstatic.com/generate_204"
+				groupOption.URL = "https://cp.cloudflare.com/generate_204"
 			}
 			if groupOption.Interval == 0 {
--- a/adapter/outboundgroup/relay.go
+++ b/adapter/outboundgroup/relay.go
@ -176,7 +176,7 @@ func (r *Relay) proxies(metadata *C.Metadata, touch bool) ([]C.Proxy, []C.Proxy)
 }
 func (r *Relay) Addr() string {
-	proxies, _ := r.proxies(nil, true)
+	proxies, _ := r.proxies(nil, false)
 	return proxies[len(proxies)-1].Addr()
 }
@ -191,6 +191,7 @@ func NewRelay(option *GroupCommonOption, providers []provider.ProxyProvider) *Re
 			},
 			"",
 			"",
 			"",
 			providers,
 		}),
 	}
--- a/adapter/outboundgroup/selector.go
+++ b/adapter/outboundgroup/selector.go
@ -100,6 +100,7 @@ func NewSelector(option *GroupCommonOption, providers []provider.ProxyProvider)
 			},
 			option.Filter,
 			option.ExcludeFilter,
 			option.ExcludeType,
 			providers,
 		}),
 		selected:   "COMPATIBLE",
--- a/adapter/outboundgroup/urltest.go
+++ b/adapter/outboundgroup/urltest.go
@ -6,6 +6,8 @@ import (
 	"time"
 	"github.com/Dreamacro/clash/adapter/outbound"
 	"github.com/Dreamacro/clash/common/callback"
 	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/common/singledo"
 	"github.com/Dreamacro/clash/component/dialer"
 	C "github.com/Dreamacro/clash/constant"
@ -38,10 +40,23 @@ func (u *URLTest) DialContext(ctx context.Context, metadata *C.Metadata, opts ..
 	c, err = proxy.DialContext(ctx, metadata, u.Base.DialOptions(opts...)...)
 	if err == nil {
 		c.AppendToChains(u)
 	} else {
 		u.onDialFailed(proxy.Type(), err)
 	}
 	if N.NeedHandshake(c) {
 		c = &callback.FirstWriteCallBackConn{
 			Conn: c,
 			Callback: func(err error) {
 				if err == nil {
 					u.onDialSuccess()
 				} else {
 					u.onDialFailed(proxy.Type(), err)
 				}
 			},
 		}
 	}
 	return c, err
 }
@ -144,6 +159,7 @@ func NewURLTest(option *GroupCommonOption, providers []provider.ProxyProvider, o
 			option.Filter,
 			option.ExcludeFilter,
 			option.ExcludeType,
 			providers,
 		}),
 		fastSingle: singledo.NewSingle[C.Proxy](time.Second * 10),
--- a/adapter/parser.go
+++ b/adapter/parser.go
@ -2,6 +2,9 @@ package adapter
 import (
 	"fmt"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	"github.com/Dreamacro/clash/adapter/outbound"
 	"github.com/Dreamacro/clash/common/structure"
 	C "github.com/Dreamacro/clash/constant"
@ -21,6 +24,11 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 	switch proxyType {
 	case "ss":
 		ssOption := &outbound.ShadowSocksOption{}
 		if GlobalUtlsClient := tlsC.GetGlobalFingerprint(); len(GlobalUtlsClient) != 0 {
 			ssOption.ClientFingerprint = GlobalUtlsClient
 		}
 		err = decoder.Decode(mapping, ssOption)
 		if err != nil {
 			break
@ -54,6 +62,11 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 				Path:   []string{"/"},
 			},
 		}
 		if GlobalUtlsClient := tlsC.GetGlobalFingerprint(); len(GlobalUtlsClient) != 0 {
 			vmessOption.ClientFingerprint = GlobalUtlsClient
 		}
 		err = decoder.Decode(mapping, vmessOption)
 		if err != nil {
 			break
@ -61,6 +74,11 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		proxy, err = outbound.NewVmess(*vmessOption)
 	case "vless":
 		vlessOption := &outbound.VlessOption{}
 		if GlobalUtlsClient := tlsC.GetGlobalFingerprint(); len(GlobalUtlsClient) != 0 {
 			vlessOption.ClientFingerprint = GlobalUtlsClient
 		}
 		err = decoder.Decode(mapping, vlessOption)
 		if err != nil {
 			break
@ -75,6 +93,11 @@ func ParseProxy(mapping map[string]any) (C.Proxy, error) {
 		proxy, err = outbound.NewSnell(*snellOption)
 	case "trojan":
 		trojanOption := &outbound.TrojanOption{}
 		if GlobalUtlsClient := tlsC.GetGlobalFingerprint(); len(GlobalUtlsClient) != 0 {
 			trojanOption.ClientFingerprint = GlobalUtlsClient
 		}
 		err = decoder.Decode(mapping, trojanOption)
 		if err != nil {
 			break
--- a/adapter/provider/healthcheck.go
+++ b/adapter/provider/healthcheck.go
@ -6,10 +6,10 @@ import (
 	"github.com/Dreamacro/clash/common/batch"
 	"github.com/Dreamacro/clash/common/singledo"
 	"github.com/Dreamacro/clash/common/utils"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
 	"github.com/gofrs/uuid"
 	"go.uber.org/atomic"
 )
@ -77,7 +77,7 @@ func (hc *HealthCheck) touch() {
 func (hc *HealthCheck) check() {
 	_, _, _ = hc.singleDo.Do(func() (struct{}, error) {
 		id := ""
-		if uid, err := uuid.NewV4(); err == nil {
+		if uid, err := utils.UnsafeUUIDGenerator.NewV4(); err == nil {
 			id = uid.String()
 		}
 		log.Debugln("Start New Health Checking {%s}", id)
--- a/adapter/provider/parser.go
+++ b/adapter/provider/parser.go
@ -3,10 +3,10 @@ package provider
 import (
 	"errors"
 	"fmt"
 	"github.com/Dreamacro/clash/component/resource"
 	"time"
 	"github.com/Dreamacro/clash/common/structure"
 	"github.com/Dreamacro/clash/component/resource"
 	C "github.com/Dreamacro/clash/constant"
 	types "github.com/Dreamacro/clash/constant/provider"
 )
@ -27,6 +27,7 @@ type proxyProviderSchema struct {
 	Interval      int               `provider:"interval,omitempty"`
 	Filter        string            `provider:"filter,omitempty"`
 	ExcludeFilter string            `provider:"exclude-filter,omitempty"`
 	ExcludeType   string            `provider:"exclude-type,omitempty"`
 	HealthCheck   healthCheckSchema `provider:"health-check,omitempty"`
 }
@ -63,5 +64,7 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide
 	interval := time.Duration(uint(schema.Interval)) * time.Second
 	filter := schema.Filter
 	excludeFilter := schema.ExcludeFilter
-	return NewProxySetProvider(name, interval, filter, excludeFilter, vehicle, hc)
+	excludeType := schema.ExcludeType
 	return NewProxySetProvider(name, interval, filter, excludeFilter, excludeType, vehicle, hc)
 }
--- a/adapter/provider/provider.go
+++ b/adapter/provider/provider.go
@ -5,8 +5,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"github.com/dlclark/regexp2"
 	"gopkg.in/yaml.v3"
 	"net/http"
 	"runtime"
 	"strings"
@ -19,6 +17,9 @@ import (
 	C "github.com/Dreamacro/clash/constant"
 	types "github.com/Dreamacro/clash/constant/provider"
 	"github.com/Dreamacro/clash/log"
 	"github.com/dlclark/regexp2"
 	"gopkg.in/yaml.v3"
 )
 const (
@ -141,11 +142,16 @@ func stopProxyProvider(pd *ProxySetProvider) {
 	_ = pd.Fetcher.Destroy()
 }
-func NewProxySetProvider(name string, interval time.Duration, filter string, excludeFilter string, vehicle types.Vehicle, hc *HealthCheck) (*ProxySetProvider, error) {
+func NewProxySetProvider(name string, interval time.Duration, filter string, excludeFilter string, excludeType string, vehicle types.Vehicle, hc *HealthCheck) (*ProxySetProvider, error) {
 	excludeFilterReg, err := regexp2.Compile(excludeFilter, 0)
 	if err != nil {
 		return nil, fmt.Errorf("invalid excludeFilter regex: %w", err)
 	}
 	var excludeTypeArray []string
 	if excludeType != "" {
 		excludeTypeArray = strings.Split(excludeType, "|")
 	}
 	var filterRegs []*regexp2.Regexp
 	for _, filter := range strings.Split(filter, "`") {
 		filterReg, err := regexp2.Compile(filter, 0)
@ -164,7 +170,7 @@ func NewProxySetProvider(name string, interval time.Duration, filter string, exc
 		healthCheck: hc,
 	}
-	fetcher := resource.NewFetcher[[]C.Proxy](name, interval, vehicle, proxiesParseAndFilter(filter, excludeFilter, filterRegs, excludeFilterReg), proxiesOnUpdate(pd))
+	fetcher := resource.NewFetcher[[]C.Proxy](name, interval, vehicle, proxiesParseAndFilter(filter, excludeFilter, excludeTypeArray, filterRegs, excludeFilterReg), proxiesOnUpdate(pd))
 	pd.Fetcher = fetcher
 	pd.getSubscriptionInfo()
@ -262,7 +268,7 @@ func proxiesOnUpdate(pd *proxySetProvider) func([]C.Proxy) {
 	}
 }
-func proxiesParseAndFilter(filter string, excludeFilter string, filterRegs []*regexp2.Regexp, excludeFilterReg *regexp2.Regexp) resource.Parser[[]C.Proxy] {
+func proxiesParseAndFilter(filter string, excludeFilter string, excludeTypeArray []string, filterRegs []*regexp2.Regexp, excludeFilterReg *regexp2.Regexp) resource.Parser[[]C.Proxy] {
 	return func(buf []byte) ([]C.Proxy, error) {
 		schema := &ProxySchema{}
@ -282,6 +288,28 @@ func proxiesParseAndFilter(filter string, excludeFilter string, filterRegs []*re
 		proxiesSet := map[string]struct{}{}
 		for _, filterReg := range filterRegs {
 			for idx, mapping := range schema.Proxies {
 				if nil != excludeTypeArray && len(excludeTypeArray) > 0 {
 					mType, ok := mapping["type"]
 					if !ok {
 						continue
 					}
 					pType, ok := mType.(string)
 					if !ok {
 						continue
 					}
 					flag := false
 					for i := range excludeTypeArray {
 						if strings.EqualFold(pType, excludeTypeArray[i]) {
 							flag = true
 							break
 						}
 					}
 					if flag {
 						continue
 					}
 				}
 				mName, ok := mapping["name"]
 				if !ok {
 					continue
--- a/common/buf/sing.go
+++ b/common/buf/sing.go
@ -0,0 +1,25 @@
 package buf
 import (
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
 )
 const BufferSize = buf.BufferSize
 type Buffer = buf.Buffer
 var New = buf.New
 var StackNew = buf.StackNew
 var StackNewSize = buf.StackNewSize
 var With = buf.With
 var KeepAlive = common.KeepAlive
 //go:norace
 func Dup[T any](obj T) T {
 	return common.Dup(obj)
 }
 var Must = common.Must
 var Error = common.Error
--- a/common/callback/callback.go
+++ b/common/callback/callback.go
@ -0,0 +1,25 @@
 package callback
 import (
 	C "github.com/Dreamacro/clash/constant"
 )
 type FirstWriteCallBackConn struct {
 	C.Conn
 	Callback func(error)
 	written  bool
 }
 func (c *FirstWriteCallBackConn) Write(b []byte) (n int, err error) {
 	defer func() {
 		if !c.written {
 			c.written = true
 			c.Callback(err)
 		}
 	}()
 	return c.Conn.Write(b)
 }
 func (c *FirstWriteCallBackConn) Upstream() any {
 	return c.Conn
 }
--- a/common/convert/converter.go
+++ b/common/convert/converter.go
@ -2,8 +2,10 @@ package convert
 import (
 	"bytes"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"github.com/Dreamacro/clash/log"
 	"net/url"
 	"strconv"
 	"strings"
@ -81,7 +83,7 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			trojan["port"] = urlTrojan.Port()
 			trojan["password"] = urlTrojan.User.Username()
 			trojan["udp"] = true
-			trojan["skip-cert-verify"] = false
+			trojan["skip-cert-verify"], _ = strconv.ParseBool(query.Get("allowInsecure"))
 			sni := query.Get("sni")
 			if sni != "" {
@ -111,6 +113,12 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 				trojan["grpc-opts"] = grpcOpts
 			}
 			if fingerprint := query.Get("fp"); fingerprint == "" {
 				trojan["client-fingerprint"] = "chrome"
 			} else {
 				trojan["client-fingerprint"] = fingerprint
 			}
 			proxies = append(proxies, trojan)
 		case "vless":
@ -120,7 +128,11 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			}
 			query := urlVLess.Query()
 			vless := make(map[string]any, 20)
-			handleVShareLink(names, urlVLess, scheme, vless)
+			err = handleVShareLink(names, urlVLess, scheme, vless)
 			if err != nil {
 				log.Warnln("error:%s line:%s", err.Error(), line)
 				continue
 			}
 			if flow := query.Get("flow"); flow != "" {
 				vless["flow"] = strings.ToLower(flow)
 			}
@ -138,20 +150,16 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 				}
 				query := urlVMess.Query()
 				vmess := make(map[string]any, 20)
-				handleVShareLink(names, urlVMess, scheme, vmess)
+				err = handleVShareLink(names, urlVMess, scheme, vmess)
 				if err != nil {
 					log.Warnln("error:%s line:%s", err.Error(), line)
 					continue
 				}
 				vmess["alterId"] = 0
 				vmess["cipher"] = "auto"
 				if encryption := query.Get("encryption"); encryption != "" {
 					vmess["cipher"] = encryption
 				}
 				if packetEncoding := query.Get("packetEncoding"); packetEncoding != "" {
 					switch packetEncoding {
 					case "packet":
 						vmess["packet-addr"] = true
 					case "xudp":
 						vmess["xudp"] = true
 					}
 				}
 				proxies = append(proxies, vmess)
 				continue
 			}
@ -162,8 +170,11 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			if jsonDc.Decode(&values) != nil {
 				continue
 			}
-
+			tempName, ok := values["ps"].(string)
-			name := uniqueName(names, values["ps"].(string))
+			if !ok {
 				continue
 			}
 			name := uniqueName(names, tempName)
 			vmess := make(map[string]any, 20)
 			vmess["name"] = name
@ -177,6 +188,7 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 				vmess["alterId"] = 0
 			}
 			vmess["udp"] = true
 			vmess["xudp"] = true
 			vmess["tls"] = false
 			vmess["skip-cert-verify"] = false
@ -272,19 +284,25 @@ func ConvertsV2Ray(buf []byte) ([]map[string]any, error) {
 			}
 			var (
-				cipher   = urlSS.User.Username()
+				cipherRaw = urlSS.User.Username()
 				cipher    string
 				password  string
 			)
-
+			cipher = cipherRaw
 			if password, found = urlSS.User.Password(); !found {
-				dcBuf, _ := enc.DecodeString(cipher)
+				dcBuf, err := base64.RawURLEncoding.DecodeString(cipherRaw)
-				if !strings.Contains(string(dcBuf), "2022-blake3") {
+				if err != nil {
-					dcBuf, _ = encRaw.DecodeString(cipher)
+					dcBuf, _ = enc.DecodeString(cipherRaw)
 				}
 				cipher, password, found = strings.Cut(string(dcBuf), ":")
 				if !found {
 					continue
 				}
 				err = VerifyMethod(cipher, password)
 				if err != nil {
 					dcBuf, _ = encRaw.DecodeString(cipherRaw)
 					cipher, password, found = strings.Cut(string(dcBuf), ":")
 				}
 			}
 			ss := make(map[string]any, 10)
--- a/common/convert/util.go
+++ b/common/convert/util.go
@ -2,11 +2,14 @@ package convert
 import (
 	"encoding/base64"
 	"math/rand"
 	"net/http"
 	"strings"
 	"time"
-	"github.com/gofrs/uuid"
+	"github.com/Dreamacro/clash/common/utils"
 	"github.com/metacubex/sing-shadowsocks/shadowimpl"
 	"github.com/zhangyunhao116/fastrand"
 )
 var hostsSuffix = []string{
@ -291,7 +294,7 @@ var (
 )
 func RandHost() string {
-	id, _ := uuid.NewV4()
+	id, _ := utils.UnsafeUUIDGenerator.NewV4()
 	base := strings.ToLower(base64.RawURLEncoding.EncodeToString(id.Bytes()))
 	base = strings.ReplaceAll(base, "-", "")
 	base = strings.ReplaceAll(base, "_", "")
@ -300,11 +303,11 @@ func RandHost() string {
 	prefix += string(buf[6:8]) + "-"
 	prefix += string(buf[len(buf)-8:])
-	return prefix + hostsSuffix[rand.Intn(hostsLen)]
+	return prefix + hostsSuffix[fastrand.Intn(hostsLen)]
 }
 func RandUserAgent() string {
-	return userAgents[rand.Intn(uaLen)]
+	return userAgents[fastrand.Intn(uaLen)]
 }
 func SetUserAgent(header http.Header) {
@ -314,3 +317,8 @@ func SetUserAgent(header http.Header) {
 	userAgent := RandUserAgent()
 	header.Set("User-Agent", userAgent)
 }
 func VerifyMethod(cipher, password string) (err error) {
 	_, err = shadowimpl.FetchMethod(cipher, password, time.Now)
 	return
 }
--- a/common/convert/v.go
+++ b/common/convert/v.go
@ -1,15 +1,24 @@
 package convert
 import (
 	"errors"
 	"fmt"
 	"net/url"
 	"strconv"
 	"strings"
 )
-func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy map[string]any) {
+func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy map[string]any) error {
 	// Xray VMessAEAD / VLESS share link standard
 	// https://github.com/XTLS/Xray-core/discussions/716
 	query := url.Query()
 	proxy["name"] = uniqueName(names, url.Fragment)
 	if url.Hostname() == "" {
 		return errors.New("url.Hostname() is empty")
 	}
 	if url.Port() == "" {
 		return errors.New("url.Port() is empty")
 	}
 	proxy["type"] = scheme
 	proxy["server"] = url.Hostname()
 	proxy["port"] = url.Port()
@ -20,11 +29,24 @@ func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy m
 	tls := strings.ToLower(query.Get("security"))
 	if strings.HasSuffix(tls, "tls") {
 		proxy["tls"] = true
 		if fingerprint := query.Get("fp"); fingerprint == "" {
 			proxy["client-fingerprint"] = "chrome"
 		} else {
 			proxy["client-fingerprint"] = fingerprint
 		}
 	}
 	if sni := query.Get("sni"); sni != "" {
 		proxy["servername"] = sni
 	}
 	switch query.Get("packetEncoding") {
 	case "none":
 	case "packet":
 		proxy["packet-addr"] = true
 	default:
 		proxy["xudp"] = true
 	}
 	network := strings.ToLower(query.Get("type"))
 	if network == "" {
 		network = "tcp"
@ -79,6 +101,17 @@ func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy m
 		wsOpts["path"] = query.Get("path")
 		wsOpts["headers"] = headers
 		if earlyData := query.Get("ed"); earlyData != "" {
 			med, err := strconv.Atoi(earlyData)
 			if err != nil {
 				return fmt.Errorf("bad WebSocket max early data size: %v", err)
 			}
 			wsOpts["max-early-data"] = med
 		}
 		if earlyDataHeader := query.Get("eh"); earlyDataHeader != "" {
 			wsOpts["early-data-header-name"] = earlyDataHeader
 		}
 		proxy["ws-opts"] = wsOpts
 	case "grpc":
@ -86,4 +119,5 @@ func handleVShareLink(names map[string]int, url *url.URL, scheme string, proxy m
 		grpcOpts["grpc-service-name"] = query.Get("serviceName")
 		proxy["grpc-opts"] = grpcOpts
 	}
 	return nil
 }
--- a/common/generics/list/list.go
+++ b/common/generics/list/list.go
@ -5,10 +5,10 @@
 // Package list implements a doubly linked list.
 //
 // To iterate over a list (where l is a *List):
 //
 //	for e := l.Front(); e != nil; e = e.Next() {
 //		// do something with e.Value
 //	}
 //
 package list
 // Element is an element of a linked list.
--- a/common/net/bufconn.go
+++ b/common/net/bufconn.go
@ -3,18 +3,23 @@ package net
 import (
 	"bufio"
 	"net"
 	"github.com/Dreamacro/clash/common/buf"
 )
 var _ ExtendedConn = (*BufferedConn)(nil)
 type BufferedConn struct {
 	r *bufio.Reader
-	net.Conn
+	ExtendedConn
 	peeked bool
 }
 func NewBufferedConn(c net.Conn) *BufferedConn {
 	if bc, ok := c.(*BufferedConn); ok {
 		return bc
 	}
-	return &BufferedConn{bufio.NewReader(c), c}
+	return &BufferedConn{bufio.NewReader(c), NewExtendedConn(c), false}
 }
 // Reader returns the internal bufio.Reader.
@ -22,11 +27,24 @@ func (c *BufferedConn) Reader() *bufio.Reader {
 	return c.r
 }
 func (c *BufferedConn) ResetPeeked() {
 	c.peeked = false
 }
 func (c *BufferedConn) Peeked() bool {
 	return c.peeked
 }
 // Peek returns the next n bytes without advancing the reader.
 func (c *BufferedConn) Peek(n int) ([]byte, error) {
 	c.peeked = true
 	return c.r.Peek(n)
 }
 func (c *BufferedConn) Discard(n int) (discarded int, err error) {
 	return c.r.Discard(n)
 }
 func (c *BufferedConn) Read(p []byte) (int, error) {
 	return c.r.Read(p)
 }
@ -42,3 +60,22 @@ func (c *BufferedConn) UnreadByte() error {
 func (c *BufferedConn) Buffered() int {
 	return c.r.Buffered()
 }
 func (c *BufferedConn) ReadBuffer(buffer *buf.Buffer) (err error) {
 	if c.r.Buffered() > 0 {
 		_, err = buffer.ReadOnceFrom(c.r)
 		return
 	}
 	return c.ExtendedConn.ReadBuffer(buffer)
 }
 func (c *BufferedConn) Upstream() any {
 	return c.ExtendedConn
 }
 func (c *BufferedConn) ReaderReplaceable() bool {
 	if c.r.Buffered() > 0 {
 		return false
 	}
 	return true
 }
--- a/common/net/refconn.go
+++ b/common/net/refconn.go
@ -51,6 +51,10 @@ func (c *refConn) SetWriteDeadline(t time.Time) error {
 	return c.conn.SetWriteDeadline(t)
 }
 func (c *refConn) Upstream() any {
 	return c.conn
 }
 func NewRefConn(conn net.Conn, ref any) net.Conn {
 	return &refConn{conn: conn, ref: ref}
 }
--- a/common/net/relay.go
+++ b/common/net/relay.go
@ -1,24 +1,24 @@
 package net
-import (
+//import (
-	"io"
+//	"io"
-	"net"
+//	"net"
-	"time"
+//	"time"
-)
+//)
-
+//
-// Relay copies between left and right bidirectionally.
+//// Relay copies between left and right bidirectionally.
-func Relay(leftConn, rightConn net.Conn) {
+//func Relay(leftConn, rightConn net.Conn) {
-	ch := make(chan error)
+//	ch := make(chan error)
-
+//
-	go func() {
+//	go func() {
-		// Wrapping to avoid using *net.TCPConn.(ReadFrom)
+//		// Wrapping to avoid using *net.TCPConn.(ReadFrom)
-		// See also https://github.com/Dreamacro/clash/pull/1209
+//		// See also https://github.com/Dreamacro/clash/pull/1209
-		_, err := io.Copy(WriteOnlyWriter{Writer: leftConn}, ReadOnlyReader{Reader: rightConn})
+//		_, err := io.Copy(WriteOnlyWriter{Writer: leftConn}, ReadOnlyReader{Reader: rightConn})
-		leftConn.SetReadDeadline(time.Now())
+//		leftConn.SetReadDeadline(time.Now())
-		ch <- err
+//		ch <- err
-	}()
+//	}()
-
+//
-	_, _ = io.Copy(WriteOnlyWriter{Writer: rightConn}, ReadOnlyReader{Reader: leftConn})
+//	_, _ = io.Copy(WriteOnlyWriter{Writer: rightConn}, ReadOnlyReader{Reader: leftConn})
-	rightConn.SetReadDeadline(time.Now())
+//	rightConn.SetReadDeadline(time.Now())
-	<-ch
+//	<-ch
-}
+//}
--- a/common/net/sing.go
+++ b/common/net/sing.go
@ -0,0 +1,30 @@
 package net
 import (
 	"context"
 	"net"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/bufio"
 	"github.com/sagernet/sing/common/network"
 )
 var NewExtendedConn = bufio.NewExtendedConn
 var NewExtendedWriter = bufio.NewExtendedWriter
 var NewExtendedReader = bufio.NewExtendedReader
 type ExtendedConn = network.ExtendedConn
 type ExtendedWriter = network.ExtendedWriter
 type ExtendedReader = network.ExtendedReader
 func NeedHandshake(conn any) bool {
 	if earlyConn, isEarlyConn := common.Cast[network.EarlyConn](conn); isEarlyConn && earlyConn.NeedHandshake() {
 		return true
 	}
 	return false
 }
 // Relay copies between left and right bidirectionally.
 func Relay(leftConn, rightConn net.Conn) {
 	_ = bufio.CopyConn(context.TODO(), leftConn, rightConn)
 }
--- a/common/net/tls.go
+++ b/common/net/tls.go
@ -1,11 +1,19 @@
 package net
 import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
 	"math/big"
 )
 func ParseCert(certificate, privateKey string) (tls.Certificate, error) {
 	if certificate == "" || privateKey == "" {
 		return newRandomTLSKeyPair()
 	}
 	cert, painTextErr := tls.X509KeyPair([]byte(certificate), []byte(privateKey))
 	if painTextErr == nil {
 		return cert, nil
@ -17,3 +25,28 @@ func ParseCert(certificate, privateKey string) (tls.Certificate, error) {
 	}
 	return cert, nil
 }
 func newRandomTLSKeyPair() (tls.Certificate, error) {
 	key, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		return tls.Certificate{}, err
 	}
 	template := x509.Certificate{SerialNumber: big.NewInt(1)}
 	certDER, err := x509.CreateCertificate(
 		rand.Reader,
 		&template,
 		&template,
 		&key.PublicKey,
 		key)
 	if err != nil {
 		return tls.Certificate{}, err
 	}
 	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
 	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
 	tlsCert, err := tls.X509KeyPair(certPEM, keyPEM)
 	if err != nil {
 		return tls.Certificate{}, err
 	}
 	return tlsCert, nil
 }
--- a/common/net/websocket.go
+++ b/common/net/websocket.go
@ -0,0 +1,131 @@
 package net
 import (
 	"encoding/binary"
 	"math/bits"
 )
 // kanged from https://github.com/nhooyr/websocket/blob/master/frame.go
 // License: MIT
 // MaskWebSocket applies the WebSocket masking algorithm to p
 // with the given key.
 // See https://tools.ietf.org/html/rfc6455#section-5.3
 //
 // The returned value is the correctly rotated key to
 // to continue to mask/unmask the message.
 //
 // It is optimized for LittleEndian and expects the key
 // to be in little endian.
 //
 // See https://github.com/golang/go/issues/31586
 func MaskWebSocket(key uint32, b []byte) uint32 {
 	if len(b) >= 8 {
 		key64 := uint64(key)<<32 | uint64(key)
 		// At some point in the future we can clean these unrolled loops up.
 		// See https://github.com/golang/go/issues/31586#issuecomment-487436401
 		// Then we xor until b is less than 128 bytes.
 		for len(b) >= 128 {
 			v := binary.LittleEndian.Uint64(b)
 			binary.LittleEndian.PutUint64(b, v^key64)
 			v = binary.LittleEndian.Uint64(b[8:16])
 			binary.LittleEndian.PutUint64(b[8:16], v^key64)
 			v = binary.LittleEndian.Uint64(b[16:24])
 			binary.LittleEndian.PutUint64(b[16:24], v^key64)
 			v = binary.LittleEndian.Uint64(b[24:32])
 			binary.LittleEndian.PutUint64(b[24:32], v^key64)
 			v = binary.LittleEndian.Uint64(b[32:40])
 			binary.LittleEndian.PutUint64(b[32:40], v^key64)
 			v = binary.LittleEndian.Uint64(b[40:48])
 			binary.LittleEndian.PutUint64(b[40:48], v^key64)
 			v = binary.LittleEndian.Uint64(b[48:56])
 			binary.LittleEndian.PutUint64(b[48:56], v^key64)
 			v = binary.LittleEndian.Uint64(b[56:64])
 			binary.LittleEndian.PutUint64(b[56:64], v^key64)
 			v = binary.LittleEndian.Uint64(b[64:72])
 			binary.LittleEndian.PutUint64(b[64:72], v^key64)
 			v = binary.LittleEndian.Uint64(b[72:80])
 			binary.LittleEndian.PutUint64(b[72:80], v^key64)
 			v = binary.LittleEndian.Uint64(b[80:88])
 			binary.LittleEndian.PutUint64(b[80:88], v^key64)
 			v = binary.LittleEndian.Uint64(b[88:96])
 			binary.LittleEndian.PutUint64(b[88:96], v^key64)
 			v = binary.LittleEndian.Uint64(b[96:104])
 			binary.LittleEndian.PutUint64(b[96:104], v^key64)
 			v = binary.LittleEndian.Uint64(b[104:112])
 			binary.LittleEndian.PutUint64(b[104:112], v^key64)
 			v = binary.LittleEndian.Uint64(b[112:120])
 			binary.LittleEndian.PutUint64(b[112:120], v^key64)
 			v = binary.LittleEndian.Uint64(b[120:128])
 			binary.LittleEndian.PutUint64(b[120:128], v^key64)
 			b = b[128:]
 		}
 		// Then we xor until b is less than 64 bytes.
 		for len(b) >= 64 {
 			v := binary.LittleEndian.Uint64(b)
 			binary.LittleEndian.PutUint64(b, v^key64)
 			v = binary.LittleEndian.Uint64(b[8:16])
 			binary.LittleEndian.PutUint64(b[8:16], v^key64)
 			v = binary.LittleEndian.Uint64(b[16:24])
 			binary.LittleEndian.PutUint64(b[16:24], v^key64)
 			v = binary.LittleEndian.Uint64(b[24:32])
 			binary.LittleEndian.PutUint64(b[24:32], v^key64)
 			v = binary.LittleEndian.Uint64(b[32:40])
 			binary.LittleEndian.PutUint64(b[32:40], v^key64)
 			v = binary.LittleEndian.Uint64(b[40:48])
 			binary.LittleEndian.PutUint64(b[40:48], v^key64)
 			v = binary.LittleEndian.Uint64(b[48:56])
 			binary.LittleEndian.PutUint64(b[48:56], v^key64)
 			v = binary.LittleEndian.Uint64(b[56:64])
 			binary.LittleEndian.PutUint64(b[56:64], v^key64)
 			b = b[64:]
 		}
 		// Then we xor until b is less than 32 bytes.
 		for len(b) >= 32 {
 			v := binary.LittleEndian.Uint64(b)
 			binary.LittleEndian.PutUint64(b, v^key64)
 			v = binary.LittleEndian.Uint64(b[8:16])
 			binary.LittleEndian.PutUint64(b[8:16], v^key64)
 			v = binary.LittleEndian.Uint64(b[16:24])
 			binary.LittleEndian.PutUint64(b[16:24], v^key64)
 			v = binary.LittleEndian.Uint64(b[24:32])
 			binary.LittleEndian.PutUint64(b[24:32], v^key64)
 			b = b[32:]
 		}
 		// Then we xor until b is less than 16 bytes.
 		for len(b) >= 16 {
 			v := binary.LittleEndian.Uint64(b)
 			binary.LittleEndian.PutUint64(b, v^key64)
 			v = binary.LittleEndian.Uint64(b[8:16])
 			binary.LittleEndian.PutUint64(b[8:16], v^key64)
 			b = b[16:]
 		}
 		// Then we xor until b is less than 8 bytes.
 		for len(b) >= 8 {
 			v := binary.LittleEndian.Uint64(b)
 			binary.LittleEndian.PutUint64(b, v^key64)
 			b = b[8:]
 		}
 	}
 	// Then we xor until b is less than 4 bytes.
 	for len(b) >= 4 {
 		v := binary.LittleEndian.Uint32(b)
 		binary.LittleEndian.PutUint32(b, v^key)
 		b = b[4:]
 	}
 	// xor remaining bytes.
 	for i := range b {
 		b[i] ^= byte(key)
 		key = bits.RotateLeft32(key, -8)
 	}
 	return key
 }
--- a/common/pool/alloc_test.go
+++ b/common/pool/alloc_test.go
@ -1,10 +1,10 @@
 package pool
 import (
 	"math/rand"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/zhangyunhao116/fastrand"
 )
 func TestAllocGet(t *testing.T) {
@ -43,6 +43,6 @@ func TestAllocPutThenGet(t *testing.T) {
 func BenchmarkMSB(b *testing.B) {
 	for i := 0; i < b.N; i++ {
-		msb(rand.Int())
+		msb(fastrand.Int())
 	}
 }
--- a/common/utils/must.go
+++ b/common/utils/must.go
@ -0,0 +1,8 @@
 package utils
 func MustOK[T any](result T, ok bool) T {
 	if ok {
 		return result
 	}
 	panic("operation failed")
 }
--- a/common/utils/slice.go
+++ b/common/utils/slice.go
@ -0,0 +1,34 @@
 package utils
 import (
 	"errors"
 	"fmt"
 	"reflect"
 )
 func Filter[T comparable](tSlice []T, filter func(t T) bool) []T {
 	result := make([]T, 0)
 	for _, t := range tSlice {
 		if filter(t) {
 			result = append(result, t)
 		}
 	}
 	return result
 }
 func ToStringSlice(value any) ([]string, error) {
 	strArr := make([]string, 0)
 	switch reflect.TypeOf(value).Kind() {
 	case reflect.Slice, reflect.Array:
 		origin := reflect.ValueOf(value)
 		for i := 0; i < origin.Len(); i++ {
 			item := fmt.Sprintf("%v", origin.Index(i))
 			strArr = append(strArr, item)
 		}
 	case reflect.String:
 		strArr = append(strArr, fmt.Sprintf("%v", value))
 	default:
 		return nil, errors.New("value format error, must be string or array")
 	}
 	return strArr, nil
 }
--- a/common/utils/uuid.go
+++ b/common/utils/uuid.go
@ -2,15 +2,22 @@ package utils
 import (
 	"github.com/gofrs/uuid"
 	"github.com/zhangyunhao116/fastrand"
 )
-var uuidNamespace, _ = uuid.FromString("00000000-0000-0000-0000-000000000000")
+type fastRandReader struct{}
 func (r fastRandReader) Read(p []byte) (int, error) {
 	return fastrand.Read(p)
 }
 var UnsafeUUIDGenerator = uuid.NewGenWithOptions(uuid.WithRandomReader(fastRandReader{}))
 // UUIDMap https://github.com/XTLS/Xray-core/issues/158#issue-783294090
 func UUIDMap(str string) (uuid.UUID, error) {
 	u, err := uuid.FromString(str)
 	if err != nil {
-		return uuid.NewV5(uuidNamespace, str), nil
+		return UnsafeUUIDGenerator.NewV5(uuid.Nil, str), nil
 	}
 	return u, nil
 }
--- a/component/dialer/bind_darwin.go
+++ b/component/dialer/bind_darwin.go
@ -1,6 +1,7 @@
 package dialer
 import (
 	"context"
 	"net"
 	"net/netip"
 	"syscall"
@ -10,16 +11,8 @@ import (
 	"golang.org/x/sys/unix"
 )
-type controlFn = func(network, address string, c syscall.RawConn) error
+func bindControl(ifaceIdx int) controlFn {
-
+	return func(ctx context.Context, network, address string, c syscall.RawConn) (err error) {
 func bindControl(ifaceIdx int, chain controlFn) controlFn {
 	return func(network, address string, c syscall.RawConn) (err error) {
 		defer func() {
 			if err == nil && chain != nil {
 				err = chain(network, address, c)
 			}
 		}()
 		addrPort, err := netip.ParseAddrPort(address)
 		if err == nil && !addrPort.Addr().IsGlobalUnicast() {
 			return
@ -49,7 +42,7 @@ func bindIfaceToDialer(ifaceName string, dialer *net.Dialer, _ string, _ netip.A
 		return err
 	}
-	dialer.Control = bindControl(ifaceObj.Index, dialer.Control)
+	addControlToDialer(dialer, bindControl(ifaceObj.Index))
 	return nil
 }
@ -59,6 +52,10 @@ func bindIfaceToListenConfig(ifaceName string, lc *net.ListenConfig, _, address
 		return "", err
 	}
-	lc.Control = bindControl(ifaceObj.Index, lc.Control)
+	addControlToListenConfig(lc, bindControl(ifaceObj.Index))
 	return address, nil
 }
 func ParseNetwork(network string, addr netip.Addr) string {
 	return network
 }
--- a/component/dialer/bind_linux.go
+++ b/component/dialer/bind_linux.go
@ -1,6 +1,7 @@
 package dialer
 import (
 	"context"
 	"net"
 	"net/netip"
 	"syscall"
@ -8,16 +9,8 @@ import (
 	"golang.org/x/sys/unix"
 )
-type controlFn = func(network, address string, c syscall.RawConn) error
+func bindControl(ifaceName string) controlFn {
-
+	return func(ctx context.Context, network, address string, c syscall.RawConn) (err error) {
 func bindControl(ifaceName string, chain controlFn) controlFn {
 	return func(network, address string, c syscall.RawConn) (err error) {
 		defer func() {
 			if err == nil && chain != nil {
 				err = chain(network, address, c)
 			}
 		}()
 		addrPort, err := netip.ParseAddrPort(address)
 		if err == nil && !addrPort.Addr().IsGlobalUnicast() {
 			return
@ -37,13 +30,17 @@ func bindControl(ifaceName string, chain controlFn) controlFn {
 }
 func bindIfaceToDialer(ifaceName string, dialer *net.Dialer, _ string, _ netip.Addr) error {
-	dialer.Control = bindControl(ifaceName, dialer.Control)
+	addControlToDialer(dialer, bindControl(ifaceName))
 	return nil
 }
 func bindIfaceToListenConfig(ifaceName string, lc *net.ListenConfig, _, address string) (string, error) {
-	lc.Control = bindControl(ifaceName, lc.Control)
+	addControlToListenConfig(lc, bindControl(ifaceName))
 	return address, nil
 }
 func ParseNetwork(network string, addr netip.Addr) string {
 	return network
 }
--- a/component/dialer/bind_others.go
+++ b/component/dialer/bind_others.go
@ -1,4 +1,4 @@
-//go:build !linux && !darwin
+//go:build !linux && !darwin && !windows
 package dialer
@ -91,3 +91,13 @@ func bindIfaceToListenConfig(ifaceName string, _ *net.ListenConfig, network, add
 	return addr.String(), nil
 }
 func ParseNetwork(network string, addr netip.Addr) string {
 	// fix bindIfaceToListenConfig() force bind to an ipv4 address
 	if !strings.HasSuffix(network, "4") &&
 		!strings.HasSuffix(network, "6") &&
 		addr.Unmap().Is6() {
 		network += "6"
 	}
 	return network
 }
--- a/component/dialer/bind_windows.go
+++ b/component/dialer/bind_windows.go
@ -0,0 +1,92 @@
 package dialer
 import (
 	"context"
 	"encoding/binary"
 	"net"
 	"net/netip"
 	"syscall"
 	"unsafe"
 	"github.com/Dreamacro/clash/component/iface"
 )
 const (
 	IP_UNICAST_IF   = 31
 	IPV6_UNICAST_IF = 31
 )
 func bind4(handle syscall.Handle, ifaceIdx int) error {
 	var bytes [4]byte
 	binary.BigEndian.PutUint32(bytes[:], uint32(ifaceIdx))
 	idx := *(*uint32)(unsafe.Pointer(&bytes[0]))
 	return syscall.SetsockoptInt(handle, syscall.IPPROTO_IP, IP_UNICAST_IF, int(idx))
 }
 func bind6(handle syscall.Handle, ifaceIdx int) error {
 	return syscall.SetsockoptInt(handle, syscall.IPPROTO_IPV6, IPV6_UNICAST_IF, ifaceIdx)
 }
 func bindControl(ifaceIdx int) controlFn {
 	return func(ctx context.Context, network, address string, c syscall.RawConn) (err error) {
 		addrPort, err := netip.ParseAddrPort(address)
 		if err == nil && !addrPort.Addr().IsGlobalUnicast() {
 			return
 		}
 		var innerErr error
 		err = c.Control(func(fd uintptr) {
 			handle := syscall.Handle(fd)
 			bind6err := bind6(handle, ifaceIdx)
 			bind4err := bind4(handle, ifaceIdx)
 			switch network {
 			case "ip6", "tcp6":
 				innerErr = bind6err
 			case "ip4", "tcp4", "udp4":
 				innerErr = bind4err
 			case "udp6":
 				// golang will set network to udp6 when listenUDP on wildcard ip (eg: ":0", "")
 				if (!addrPort.Addr().IsValid() || addrPort.Addr().IsUnspecified()) && bind6err != nil {
 					// try bind ipv6, if failed, ignore. it's a workaround for windows disable interface ipv6
 					if bind4err != nil {
 						innerErr = bind6err
 					} else {
 						innerErr = bind4err
 					}
 				} else {
 					innerErr = bind6err
 				}
 			}
 		})
 		if innerErr != nil {
 			err = innerErr
 		}
 		return
 	}
 }
 func bindIfaceToDialer(ifaceName string, dialer *net.Dialer, _ string, _ netip.Addr) error {
 	ifaceObj, err := iface.ResolveInterface(ifaceName)
 	if err != nil {
 		return err
 	}
 	addControlToDialer(dialer, bindControl(ifaceObj.Index))
 	return nil
 }
 func bindIfaceToListenConfig(ifaceName string, lc *net.ListenConfig, _, address string) (string, error) {
 	ifaceObj, err := iface.ResolveInterface(ifaceName)
 	if err != nil {
 		return "", err
 	}
 	addControlToListenConfig(lc, bindControl(ifaceObj.Index))
 	return address, nil
 }
 func ParseNetwork(network string, addr netip.Addr) string {
 	return network
 }
--- a/component/dialer/control.go
+++ b/component/dialer/control.go
@ -0,0 +1,22 @@
 package dialer
 import (
 	"context"
 	"net"
 	"syscall"
 )
 type controlFn = func(ctx context.Context, network, address string, c syscall.RawConn) error
 func addControlToListenConfig(lc *net.ListenConfig, fn controlFn) {
 	llc := *lc
 	lc.Control = func(network, address string, c syscall.RawConn) (err error) {
 		switch {
 		case llc.Control != nil:
 			if err = llc.Control(network, address, c); err != nil {
 				return
 			}
 		}
 		return fn(context.Background(), network, address, c)
 	}
 }
--- a/component/dialer/control_go119.go
+++ b/component/dialer/control_go119.go
@ -0,0 +1,22 @@
 //go:build !go1.20
 package dialer
 import (
 	"context"
 	"net"
 	"syscall"
 )
 func addControlToDialer(d *net.Dialer, fn controlFn) {
 	ld := *d
 	d.Control = func(network, address string, c syscall.RawConn) (err error) {
 		switch {
 		case ld.Control != nil:
 			if err = ld.Control(network, address, c); err != nil {
 				return
 			}
 		}
 		return fn(context.Background(), network, address, c)
 	}
 }
--- a/component/dialer/control_go120.go
+++ b/component/dialer/control_go120.go
@ -0,0 +1,26 @@
 //go:build go1.20
 package dialer
 import (
 	"context"
 	"net"
 	"syscall"
 )
 func addControlToDialer(d *net.Dialer, fn controlFn) {
 	ld := *d
 	d.ControlContext = func(ctx context.Context, network, address string, c syscall.RawConn) (err error) {
 		switch {
 		case ld.ControlContext != nil:
 			if err = ld.ControlContext(ctx, network, address, c); err != nil {
 				return
 			}
 		case ld.Control != nil:
 			if err = ld.Control(network, address, c); err != nil {
 				return
 			}
 		}
 		return fn(ctx, network, address, c)
 	}
 }
--- a/component/dialer/dialer.go
+++ b/component/dialer/dialer.go
@ -2,40 +2,27 @@ package dialer
 import (
 	"context"
 	"errors"
 	"fmt"
 	"net"
 	"net/netip"
-	"runtime"
+	"os"
 	"strings"
 	"sync"
 	"time"
 	"github.com/Dreamacro/clash/component/resolver"
 	"go.uber.org/atomic"
 )
 type dialFunc func(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error)
 var (
 	dialMux                      sync.Mutex
-	actualSingleDialContext    = singleDialContext
+	actualSingleStackDialContext = serialSingleStackDialContext
-	actualDualStackDialContext = dualStackDialContext
+	actualDualStackDialContext   = serialDualStackDialContext
 	tcpConcurrent                = false
-	DisableIPv6                = false
+	fallbackTimeout              = 300 * time.Millisecond
 	ErrorInvalidedNetworkStack = errors.New("invalided network stack")
 	ErrorDisableIPv6           = errors.New("IPv6 is disabled, dialer cancel")
 )
 func ParseNetwork(network string, addr netip.Addr) string {
 	if runtime.GOOS == "windows" { // fix bindIfaceToListenConfig() in windows force bind to an ipv4 address
 		if !strings.HasSuffix(network, "4") &&
 			!strings.HasSuffix(network, "6") &&
 			addr.Unmap().Is6() {
 			network += "6"
 		}
 	}
 	return network
 }
 func applyOptions(options ...Option) *option {
 	opt := &option{
 		interfaceName: DefaultInterface.Load(),
@ -66,29 +53,23 @@ func DialContext(ctx context.Context, network, address string, options ...Option
 		network = fmt.Sprintf("%s%d", network, opt.network)
 	}
 	ips, port, err := parseAddr(ctx, network, address, opt.resolver)
 	if err != nil {
 		return nil, err
 	}
 	switch network {
 	case "tcp4", "tcp6", "udp4", "udp6":
-		return actualSingleDialContext(ctx, network, address, opt)
+		return actualSingleStackDialContext(ctx, network, ips, port, opt)
 	case "tcp", "udp":
-		return actualDualStackDialContext(ctx, network, address, opt)
+		return actualDualStackDialContext(ctx, network, ips, port, opt)
 	default:
 		return nil, ErrorInvalidedNetworkStack
 	}
 }
 func ListenPacket(ctx context.Context, network, address string, options ...Option) (net.PacketConn, error) {
-	cfg := &option{
+	cfg := applyOptions(options...)
 		interfaceName: DefaultInterface.Load(),
 		routingMark:   int(DefaultRoutingMark.Load()),
 	}
 	for _, o := range DefaultOptions {
 		o(cfg)
 	}
 	for _, o := range options {
 		o(cfg)
 	}
 	lc := &net.ListenConfig{}
 	if cfg.interfaceName != "" {
@ -108,26 +89,40 @@ func ListenPacket(ctx context.Context, network, address string, options ...Optio
 	return lc.ListenPacket(ctx, network, address)
 }
-func SetDial(concurrent bool) {
+func SetTcpConcurrent(concurrent bool) {
 	dialMux.Lock()
 	defer dialMux.Unlock()
 	tcpConcurrent = concurrent
 	if concurrent {
-		actualSingleDialContext = concurrentSingleDialContext
+		actualSingleStackDialContext = concurrentSingleStackDialContext
 		actualDualStackDialContext = concurrentDualStackDialContext
 	} else {
-		actualSingleDialContext = singleDialContext
+		actualSingleStackDialContext = serialSingleStackDialContext
-		actualDualStackDialContext = dualStackDialContext
+		actualDualStackDialContext = serialDualStackDialContext
 	}
 	dialMux.Unlock()
 }
-func GetDial() bool {
+func GetTcpConcurrent() bool {
 	dialMux.Lock()
 	defer dialMux.Unlock()
 	return tcpConcurrent
 }
 func dialContext(ctx context.Context, network string, destination netip.Addr, port string, opt *option) (net.Conn, error) {
-	dialer := &net.Dialer{}
+	address := net.JoinHostPort(destination.String(), port)
 	netDialer := opt.netDialer
 	switch netDialer.(type) {
 	case nil:
 		netDialer = &net.Dialer{}
 	case *net.Dialer:
 		_netDialer := *netDialer.(*net.Dialer)
 		netDialer = &_netDialer // make a copy
 	default:
 		return netDialer.DialContext(ctx, network, address)
 	}
 	dialer := netDialer.(*net.Dialer)
 	if opt.interfaceName != "" {
 		if err := bindIfaceToDialer(opt.interfaceName, dialer, network, destination); err != nil {
 			return nil, err
@ -136,328 +131,213 @@ func dialContext(ctx context.Context, network string, destination netip.Addr, po
 	if opt.routingMark != 0 {
 		bindMarkToDialer(opt.routingMark, dialer, network, destination)
 	}
-
+	if opt.tfo {
-	if DisableIPv6 && destination.Is6() {
+		return dialTFO(ctx, *dialer, network, address)
 		return nil, ErrorDisableIPv6
 	}
-
+	return dialer.DialContext(ctx, network, address)
 	return dialer.DialContext(ctx, network, net.JoinHostPort(destination.String(), port))
 }
-func dualStackDialContext(ctx context.Context, network, address string, opt *option) (net.Conn, error) {
+func serialSingleStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
-	host, port, err := net.SplitHostPort(address)
+	return serialDialContext(ctx, network, ips, port, opt)
-	if err != nil {
+}
 		return nil, err
 	}
 func serialDualStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
 	return dualStackDialContext(ctx, serialDialContext, network, ips, port, opt)
 }
 func concurrentSingleStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
 	return parallelDialContext(ctx, network, ips, port, opt)
 }
 func concurrentDualStackDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
 	if opt.prefer != 4 && opt.prefer != 6 {
 		return parallelDialContext(ctx, network, ips, port, opt)
 	}
 	return dualStackDialContext(ctx, parallelDialContext, network, ips, port, opt)
 }
 func dualStackDialContext(ctx context.Context, dialFn dialFunc, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
 	ipv4s, ipv6s := sortationAddr(ips)
 	preferIPVersion := opt.prefer
 	fallbackTicker := time.NewTicker(fallbackTimeout)
 	defer fallbackTicker.Stop()
 	results := make(chan dialResult)
 	returned := make(chan struct{})
 	defer close(returned)
-
+	racer := func(ips []netip.Addr, isPrimary bool) {
-	type dialResult struct {
+		result := dialResult{isPrimary: isPrimary}
 		net.Conn
 		error
 		resolved bool
 		ipv6     bool
 		done     bool
 	}
 	results := make(chan dialResult)
 	var primary, fallback dialResult
 	startRacer := func(ctx context.Context, network, host string, r resolver.Resolver, ipv6 bool) {
 		result := dialResult{ipv6: ipv6, done: true}
 		defer func() {
 			select {
 			case results <- result:
 			case <-returned:
-				if result.Conn != nil {
+				if result.Conn != nil && result.error == nil {
 					_ = result.Conn.Close()
 				}
 			}
 		}()
-
+		result.Conn, result.error = dialFn(ctx, network, ips, port, opt)
 		var ip netip.Addr
 		if ipv6 {
 			if r == nil {
 				ip, result.error = resolver.ResolveIPv6ProxyServerHost(ctx, host)
 			} else {
 				ip, result.error = resolver.ResolveIPv6WithResolver(ctx, host, r)
 	}
-		} else {
+	go racer(ipv4s, preferIPVersion != 6)
-			if r == nil {
+	go racer(ipv6s, preferIPVersion != 4)
-				ip, result.error = resolver.ResolveIPv4ProxyServerHost(ctx, host)
+	var fallback dialResult
-			} else {
+	var errs []error
-				ip, result.error = resolver.ResolveIPv4WithResolver(ctx, host, r)
+	for i := 0; i < 2; {
 			}
 		}
 		if result.error != nil {
 			return
 		}
 		result.resolved = true
 		result.Conn, result.error = dialContext(ctx, network, ip, port, opt)
 	}
 	go startRacer(ctx, network+"4", host, opt.resolver, false)
 	go startRacer(ctx, network+"6", host, opt.resolver, true)
 	count := 2
 	for i := 0; i < count; i++ {
 		select {
 		case <-fallbackTicker.C:
 			if fallback.error == nil && fallback.Conn != nil {
 				return fallback.Conn, nil
 			}
 		case res := <-results:
 			i++
 			if res.error == nil {
 				if res.isPrimary {
 					return res.Conn, nil
 				}
 			if !res.ipv6 {
 				primary = res
 			} else {
 				fallback = res
 			}
 			if primary.done && fallback.done {
 				if primary.resolved {
 					return nil, primary.error
 				} else if fallback.resolved {
 					return nil, fallback.error
 			} else {
-					return nil, primary.error
+				if res.isPrimary {
-				}
+					errs = append([]error{fmt.Errorf("connect failed: %w", res.error)}, errs...)
 			}
 		case <-ctx.Done():
 			err = ctx.Err()
 			break
 		}
 	}
 	if err == nil {
 		err = fmt.Errorf("dual stack dial failed")
 				} else {
-		err = fmt.Errorf("dual stack dial failed:%w", err)
+					errs = append(errs, fmt.Errorf("connect failed: %w", res.error))
 				}
-	return nil, err
+			}
 		}
 	}
 	if fallback.error == nil && fallback.Conn != nil {
 		return fallback.Conn, nil
 	}
 	return nil, errorsJoin(errs...)
 }
-func concurrentDualStackDialContext(ctx context.Context, network, address string, opt *option) (net.Conn, error) {
+func parallelDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
-	host, port, err := net.SplitHostPort(address)
+	if len(ips) == 0 {
-	if err != nil {
+		return nil, ErrorNoIpAddress
 		return nil, err
 	}
-
+	results := make(chan dialResult)
 	var ips []netip.Addr
 	if opt.resolver != nil {
 		ips, err = resolver.LookupIPWithResolver(ctx, host, opt.resolver)
 	} else {
 		ips, err = resolver.LookupIPProxyServerHost(ctx, host)
 	}
 	if err != nil {
 		return nil, err
 	}
 	return concurrentDialContext(ctx, network, ips, port, opt)
 }
 func concurrentDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
 	returned := make(chan struct{})
 	defer close(returned)
-
+	racer := func(ctx context.Context, ip netip.Addr) {
-	type dialResult struct {
+		result := dialResult{isPrimary: true, ip: ip}
 		ip netip.Addr
 		net.Conn
 		error
 		isPrimary bool
 		done      bool
 	}
 	preferCount := atomic.NewInt32(0)
 	results := make(chan dialResult)
 	tcpRacer := func(ctx context.Context, ip netip.Addr) {
 		result := dialResult{ip: ip, done: true}
 		defer func() {
 			select {
 			case results <- result:
 			case <-returned:
-				if result.Conn != nil {
+				if result.Conn != nil && result.error == nil {
 					_ = result.Conn.Close()
 				}
 			}
 		}()
 		if strings.Contains(network, "tcp") {
 			network = "tcp"
 		} else {
 			network = "udp"
 		}
 		if ip.Is6() {
 			network += "6"
 			if opt.prefer != 4 {
 				result.isPrimary = true
 			}
 		}
 		if ip.Is4() {
 			network += "4"
 			if opt.prefer != 6 {
 				result.isPrimary = true
 			}
 		}
 		if result.isPrimary {
 			preferCount.Add(1)
 		}
 		result.Conn, result.error = dialContext(ctx, network, ip, port, opt)
 	}
 	for _, ip := range ips {
-		go tcpRacer(ctx, ip)
+		go racer(ctx, ip)
 	}
-
+	var errs []error
-	connCount := len(ips)
+	for i := 0; i < len(ips); i++ {
-	var fallback dialResult
+		res := <-results
 	var primaryError error
 	var finalError error
 	for i := 0; i < connCount; i++ {
 		select {
 		case res := <-results:
 		if res.error == nil {
 				if res.isPrimary {
 			return res.Conn, nil
 				} else {
 					if !fallback.done || fallback.error != nil {
 						fallback = res
 					}
 				}
 			} else {
 				if res.isPrimary {
 					primaryError = res.error
 					preferCount.Add(-1)
 					if preferCount.Load() == 0 && fallback.done && fallback.error == nil {
 						return fallback.Conn, nil
 					}
 				}
 			}
 		case <-ctx.Done():
 			if fallback.done && fallback.error == nil {
 				return fallback.Conn, nil
 			}
 			finalError = ctx.Err()
 			break
 		}
 		errs = append(errs, res.error)
 	}
-	if fallback.done && fallback.error == nil {
+	if len(errs) > 0 {
-		return fallback.Conn, nil
+		return nil, errorsJoin(errs...)
 	}
-
+	return nil, os.ErrDeadlineExceeded
 	if primaryError != nil {
 		return nil, primaryError
 	}
 	if fallback.error != nil {
 		return nil, fallback.error
 	}
 	if finalError == nil {
 		finalError = fmt.Errorf("all ips %v tcp shake hands failed", ips)
 	} else {
 		finalError = fmt.Errorf("concurrent dial failed:%w", finalError)
 	}
 	return nil, finalError
 }
-func singleDialContext(ctx context.Context, network string, address string, opt *option) (net.Conn, error) {
+func serialDialContext(ctx context.Context, network string, ips []netip.Addr, port string, opt *option) (net.Conn, error) {
 	if len(ips) == 0 {
 		return nil, ErrorNoIpAddress
 	}
 	var errs []error
 	for _, ip := range ips {
 		if conn, err := dialContext(ctx, network, ip, port, opt); err == nil {
 			return conn, nil
 		} else {
 			errs = append(errs, err)
 		}
 	}
 	return nil, errorsJoin(errs...)
 }
 type dialResult struct {
 	ip netip.Addr
 	net.Conn
 	error
 	isPrimary bool
 }
 func parseAddr(ctx context.Context, network, address string, preferResolver resolver.Resolver) ([]netip.Addr, string, error) {
 	host, port, err := net.SplitHostPort(address)
 	if err != nil {
-		return nil, err
+		return nil, "-1", err
 	}
 	var ip netip.Addr
 	switch network {
 	case "tcp4", "udp4":
 		if opt.resolver == nil {
 			ip, err = resolver.ResolveIPv4ProxyServerHost(ctx, host)
 		} else {
 			ip, err = resolver.ResolveIPv4WithResolver(ctx, host, opt.resolver)
 		}
 	default:
 		if opt.resolver == nil {
 			ip, err = resolver.ResolveIPv6ProxyServerHost(ctx, host)
 		} else {
 			ip, err = resolver.ResolveIPv6WithResolver(ctx, host, opt.resolver)
 		}
 	}
 	if err != nil {
 		return nil, err
 	}
 	return dialContext(ctx, network, ip, port, opt)
 }
 func concurrentSingleDialContext(ctx context.Context, network string, address string, opt *option) (net.Conn, error) {
 	switch network {
 	case "tcp4", "udp4":
 		return concurrentIPv4DialContext(ctx, network, address, opt)
 	default:
 		return concurrentIPv6DialContext(ctx, network, address, opt)
 	}
 }
 func concurrentIPv4DialContext(ctx context.Context, network, address string, opt *option) (net.Conn, error) {
 	host, port, err := net.SplitHostPort(address)
 	if err != nil {
 		return nil, err
 	}
 	var ips []netip.Addr
-	if opt.resolver == nil {
+	switch network {
 	case "tcp4", "udp4":
 		if preferResolver == nil {
 			ips, err = resolver.LookupIPv4ProxyServerHost(ctx, host)
 		} else {
-		ips, err = resolver.LookupIPv4WithResolver(ctx, host, opt.resolver)
+			ips, err = resolver.LookupIPv4WithResolver(ctx, host, preferResolver)
 		}
-
+	case "tcp6", "udp6":
-	if err != nil {
+		if preferResolver == nil {
 		return nil, err
 	}
 	return concurrentDialContext(ctx, network, ips, port, opt)
 }
 func concurrentIPv6DialContext(ctx context.Context, network, address string, opt *option) (net.Conn, error) {
 	host, port, err := net.SplitHostPort(address)
 	if err != nil {
 		return nil, err
 	}
 	var ips []netip.Addr
 	if opt.resolver == nil {
 			ips, err = resolver.LookupIPv6ProxyServerHost(ctx, host)
 		} else {
-		ips, err = resolver.LookupIPv6WithResolver(ctx, host, opt.resolver)
+			ips, err = resolver.LookupIPv6WithResolver(ctx, host, preferResolver)
 		}
 	default:
 		if preferResolver == nil {
 			ips, err = resolver.LookupIPProxyServerHost(ctx, host)
 		} else {
 			ips, err = resolver.LookupIPWithResolver(ctx, host, preferResolver)
 		}
 	}
 	if err != nil {
-		return nil, err
+		return nil, "-1", fmt.Errorf("dns resolve failed: %w", err)
 	}
 	for i, ip := range ips {
 		if ip.Is4In6() {
 			ips[i] = ip.Unmap()
 		}
 	}
 	return ips, port, nil
 }
-	return concurrentDialContext(ctx, network, ips, port, opt)
+func sortationAddr(ips []netip.Addr) (ipv4s, ipv6s []netip.Addr) {
 	for _, v := range ips {
 		if v.Is4() { // 4in6 parse was in parseAddr
 			ipv4s = append(ipv4s, v)
 		} else {
 			ipv6s = append(ipv6s, v)
 		}
 	}
 	return
 }
 type Dialer struct {
-	Opt option
+	opt option
 }
 func (d Dialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
-	return DialContext(ctx, network, address, WithOption(d.Opt))
+	return DialContext(ctx, network, address, WithOption(d.opt))
 }
 func (d Dialer) ListenPacket(ctx context.Context, network, address string, rAddrPort netip.AddrPort) (net.PacketConn, error) {
-	return ListenPacket(ctx, ParseNetwork(network, rAddrPort.Addr()), address, WithOption(d.Opt))
+	opt := WithOption(d.opt)
 	if rAddrPort.Addr().Unmap().IsLoopback() {
 		// avoid "The requested address is not valid in its context."
 		opt = WithInterface("")
 	}
 	return ListenPacket(ctx, ParseNetwork(network, rAddrPort.Addr()), address, opt)
 }
 func NewDialer(options ...Option) Dialer {
 	opt := applyOptions(options...)
-	return Dialer{Opt: *opt}
+	return Dialer{opt: *opt}
 }
--- a/component/dialer/error.go
+++ b/component/dialer/error.go
@ -0,0 +1,18 @@
 package dialer
 import (
 	"errors"
 	E "github.com/sagernet/sing/common/exceptions"
 )
 var (
 	ErrorNoIpAddress           = errors.New("no ip address")
 	ErrorInvalidedNetworkStack = errors.New("invalided network stack")
 )
 func errorsJoin(errs ...error) error {
 	// compatibility with golang<1.20
 	// maybe use errors.Join(errs...) is better after we drop the old version's support
 	return E.Errors(errs...)
 }
--- a/component/dialer/mark_linux.go
+++ b/component/dialer/mark_linux.go
@ -3,26 +3,22 @@
 package dialer
 import (
 	"context"
 	"net"
 	"net/netip"
 	"syscall"
 )
 func bindMarkToDialer(mark int, dialer *net.Dialer, _ string, _ netip.Addr) {
-	dialer.Control = bindMarkToControl(mark, dialer.Control)
+	addControlToDialer(dialer, bindMarkToControl(mark))
 }
 func bindMarkToListenConfig(mark int, lc *net.ListenConfig, _, _ string) {
-	lc.Control = bindMarkToControl(mark, lc.Control)
+	addControlToListenConfig(lc, bindMarkToControl(mark))
 }
-func bindMarkToControl(mark int, chain controlFn) controlFn {
+func bindMarkToControl(mark int) controlFn {
-	return func(network, address string, c syscall.RawConn) (err error) {
+	return func(ctx context.Context, network, address string, c syscall.RawConn) (err error) {
 		defer func() {
 			if err == nil && chain != nil {
 				err = chain(network, address, c)
 			}
 		}()
 		addrPort, err := netip.ParseAddrPort(address)
 		if err == nil && !addrPort.Addr().IsGlobalUnicast() {
--- a/component/dialer/options.go
+++ b/component/dialer/options.go
@ -1,6 +1,9 @@
 package dialer
 import (
 	"context"
 	"net"
 	"github.com/Dreamacro/clash/component/resolver"
 	"go.uber.org/atomic"
@ -12,13 +15,19 @@ var (
 	DefaultRoutingMark = atomic.NewInt32(0)
 )
 type NetDialer interface {
 	DialContext(ctx context.Context, network, address string) (net.Conn, error)
 }
 type option struct {
 	interfaceName string
 	addrReuse     bool
 	routingMark   int
 	network       int
 	prefer        int
 	tfo           bool
 	resolver      resolver.Resolver
 	netDialer     NetDialer
 }
 type Option func(opt *option)
@ -69,6 +78,18 @@ func WithOnlySingleStack(isIPv4 bool) Option {
 	}
 }
 func WithTFO(tfo bool) Option {
 	return func(opt *option) {
 		opt.tfo = tfo
 	}
 }
 func WithNetDialer(netDialer NetDialer) Option {
 	return func(opt *option) {
 		opt.netDialer = netDialer
 	}
 }
 func WithOption(o option) Option {
 	return func(opt *option) {
 		*opt = o
--- a/component/dialer/reuse_unix.go
+++ b/component/dialer/reuse_unix.go
@ -3,6 +3,7 @@
 package dialer
 import (
 	"context"
 	"net"
 	"syscall"
@ -10,18 +11,10 @@ import (
 )
 func addrReuseToListenConfig(lc *net.ListenConfig) {
-	chain := lc.Control
+	addControlToListenConfig(lc, func(ctx context.Context, network, address string, c syscall.RawConn) error {
 	lc.Control = func(network, address string, c syscall.RawConn) (err error) {
 		defer func() {
 			if err == nil && chain != nil {
 				err = chain(network, address, c)
 			}
 		}()
 		return c.Control(func(fd uintptr) {
 			unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, unix.SO_REUSEADDR, 1)
 			unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, unix.SO_REUSEPORT, 1)
 		})
-	}
+	})
 }
--- a/component/dialer/reuse_windows.go
+++ b/component/dialer/reuse_windows.go
@ -1,6 +1,7 @@
 package dialer
 import (
 	"context"
 	"net"
 	"syscall"
@ -8,17 +9,9 @@ import (
 )
 func addrReuseToListenConfig(lc *net.ListenConfig) {
-	chain := lc.Control
+	addControlToListenConfig(lc, func(ctx context.Context, network, address string, c syscall.RawConn) error {
 	lc.Control = func(network, address string, c syscall.RawConn) (err error) {
 		defer func() {
 			if err == nil && chain != nil {
 				err = chain(network, address, c)
 			}
 		}()
 		return c.Control(func(fd uintptr) {
 			windows.SetsockoptInt(windows.Handle(fd), windows.SOL_SOCKET, windows.SO_REUSEADDR, 1)
 		})
-	}
+	})
 }
--- a/component/dialer/tfo.go
+++ b/component/dialer/tfo.go
@ -0,0 +1,123 @@
 package dialer
 import (
 	"context"
 	"github.com/sagernet/tfo-go"
 	"io"
 	"net"
 	"time"
 )
 type tfoConn struct {
 	net.Conn
 	closed bool
 	dialed chan bool
 	cancel context.CancelFunc
 	ctx    context.Context
 	dialFn func(ctx context.Context, earlyData []byte) (net.Conn, error)
 }
 func (c *tfoConn) Dial(earlyData []byte) (err error) {
 	c.Conn, err = c.dialFn(c.ctx, earlyData)
 	if err != nil {
 		return
 	}
 	c.dialed <- true
 	return err
 }
 func (c *tfoConn) Read(b []byte) (n int, err error) {
 	if c.closed {
 		return 0, io.ErrClosedPipe
 	}
 	if c.Conn == nil {
 		select {
 		case <-c.ctx.Done():
 			return 0, io.ErrUnexpectedEOF
 		case <-c.dialed:
 		}
 	}
 	return c.Conn.Read(b)
 }
 func (c *tfoConn) Write(b []byte) (n int, err error) {
 	if c.closed {
 		return 0, io.ErrClosedPipe
 	}
 	if c.Conn == nil {
 		if err := c.Dial(b); err != nil {
 			return 0, err
 		}
 		return len(b), nil
 	}
 	return c.Conn.Write(b)
 }
 func (c *tfoConn) Close() error {
 	c.closed = true
 	c.cancel()
 	if c.Conn == nil {
 		return nil
 	}
 	return c.Conn.Close()
 }
 func (c *tfoConn) LocalAddr() net.Addr {
 	if c.Conn == nil {
 		return nil
 	}
 	return c.Conn.LocalAddr()
 }
 func (c *tfoConn) RemoteAddr() net.Addr {
 	if c.Conn == nil {
 		return nil
 	}
 	return c.Conn.RemoteAddr()
 }
 func (c *tfoConn) SetDeadline(t time.Time) error {
 	if err := c.SetReadDeadline(t); err != nil {
 		return err
 	}
 	return c.SetWriteDeadline(t)
 }
 func (c *tfoConn) SetReadDeadline(t time.Time) error {
 	if c.Conn == nil {
 		return nil
 	}
 	return c.Conn.SetReadDeadline(t)
 }
 func (c *tfoConn) SetWriteDeadline(t time.Time) error {
 	if c.Conn == nil {
 		return nil
 	}
 	return c.Conn.SetWriteDeadline(t)
 }
 func (c *tfoConn) Upstream() any {
 	if c.Conn == nil { // ensure return a nil interface not an interface with nil value
 		return nil
 	}
 	return c.Conn
 }
 func (c *tfoConn) NeedHandshake() bool {
 	return c.Conn == nil
 }
 func dialTFO(ctx context.Context, netDialer net.Dialer, network, address string) (net.Conn, error) {
 	ctx, cancel := context.WithCancel(ctx)
 	dialer := tfo.Dialer{Dialer: netDialer, DisableTFO: false}
 	return &tfoConn{
 		dialed: make(chan bool, 1),
 		cancel: cancel,
 		ctx:    ctx,
 		dialFn: func(ctx context.Context, earlyData []byte) (net.Conn, error) {
 			return dialer.DialContext(ctx, network, address, earlyData)
 		},
 	}, nil
 }
--- a/component/ebpf/redir/bpf_bpfeb.go
+++ b/component/ebpf/redir/bpf_bpfeb.go
@ -134,5 +134,6 @@ func _BpfClose(closers ...io.Closer) error {
 }
 // Do not access this directly.
 //
 //go:embed bpf_bpfeb.o
 var _BpfBytes []byte
--- a/component/ebpf/redir/bpf_bpfel.go
+++ b/component/ebpf/redir/bpf_bpfel.go
@ -134,5 +134,6 @@ func _BpfClose(closers ...io.Closer) error {
 }
 // Do not access this directly.
 //
 //go:embed bpf_bpfel.o
 var _BpfBytes []byte
--- a/component/ebpf/tc/bpf_bpfeb.go
+++ b/component/ebpf/tc/bpf_bpfeb.go
@ -115,5 +115,6 @@ func _BpfClose(closers ...io.Closer) error {
 }
 // Do not access this directly.
 //
 //go:embed bpf_bpfeb.o
 var _BpfBytes []byte
--- a/component/ebpf/tc/bpf_bpfel.go
+++ b/component/ebpf/tc/bpf_bpfel.go
@ -115,5 +115,6 @@ func _BpfClose(closers ...io.Closer) error {
 }
 // Do not access this directly.
 //
 //go:embed bpf_bpfel.o
 var _BpfBytes []byte
--- a/component/geodata/init.go
+++ b/component/geodata/init.go
@ -2,6 +2,7 @@ package geodata
 import (
 	"fmt"
 	"github.com/Dreamacro/clash/component/mmdb"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
 	"io"
@ -9,7 +10,8 @@ import (
 	"os"
 )
-var initFlag bool
+var initGeoSite bool
 var initGeoIP int
 func InitGeoSite() error {
 	if _, err := os.Stat(C.Path.GeoSite()); os.IsNotExist(err) {
@ -18,8 +20,9 @@ func InitGeoSite() error {
 			return fmt.Errorf("can't download GeoSite.dat: %s", err.Error())
 		}
 		log.Infoln("Download GeoSite.dat finish")
 		initGeoSite = false
 	}
-	if !initFlag {
+	if !initGeoSite {
 		if err := Verify(C.GeositeName); err != nil {
 			log.Warnln("GeoSite.dat invalid, remove and download: %s", err)
 			if err := os.Remove(C.Path.GeoSite()); err != nil {
@ -29,7 +32,7 @@ func InitGeoSite() error {
 				return fmt.Errorf("can't download GeoSite.dat: %s", err.Error())
 			}
 		}
-		initFlag = true
+		initGeoSite = true
 	}
 	return nil
 }
@ -50,3 +53,68 @@ func downloadGeoSite(path string) (err error) {
 	return err
 }
 func downloadGeoIP(path string) (err error) {
 	resp, err := http.Get(C.GeoIpUrl)
 	if err != nil {
 		return
 	}
 	defer resp.Body.Close()
 	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0o644)
 	if err != nil {
 		return err
 	}
 	defer f.Close()
 	_, err = io.Copy(f, resp.Body)
 	return err
 }
 func InitGeoIP() error {
 	if C.GeodataMode {
 		if _, err := os.Stat(C.Path.GeoIP()); os.IsNotExist(err) {
 			log.Infoln("Can't find GeoIP.dat, start download")
 			if err := downloadGeoIP(C.Path.GeoIP()); err != nil {
 				return fmt.Errorf("can't download GeoIP.dat: %s", err.Error())
 			}
 			log.Infoln("Download GeoIP.dat finish")
 			initGeoIP = 0
 		}
 		if initGeoIP != 1 {
 			if err := Verify(C.GeoipName); err != nil {
 				log.Warnln("GeoIP.dat invalid, remove and download: %s", err)
 				if err := os.Remove(C.Path.GeoIP()); err != nil {
 					return fmt.Errorf("can't remove invalid GeoIP.dat: %s", err.Error())
 				}
 				if err := downloadGeoIP(C.Path.GeoIP()); err != nil {
 					return fmt.Errorf("can't download GeoIP.dat: %s", err.Error())
 				}
 			}
 			initGeoIP = 1
 		}
 		return nil
 	}
 	if _, err := os.Stat(C.Path.MMDB()); os.IsNotExist(err) {
 		log.Infoln("Can't find MMDB, start download")
 		if err := mmdb.DownloadMMDB(C.Path.MMDB()); err != nil {
 			return fmt.Errorf("can't download MMDB: %s", err.Error())
 		}
 	}
 	if initGeoIP != 2 {
 		if !mmdb.Verify() {
 			log.Warnln("MMDB invalid, remove and download")
 			if err := os.Remove(C.Path.MMDB()); err != nil {
 				return fmt.Errorf("can't remove invalid MMDB: %s", err.Error())
 			}
 			if err := mmdb.DownloadMMDB(C.Path.MMDB()); err != nil {
 				return fmt.Errorf("can't download MMDB: %s", err.Error())
 			}
 		}
 		initGeoIP = 2
 	}
 	return nil
 }
--- a/component/http/http.go
+++ b/component/http/http.go
@ -13,7 +13,7 @@ import (
 )
 const (
-	UA = "Clash"
+	UA = "clash.meta"
 )
 func HttpRequest(ctx context.Context, url, method string, header map[string][]string, body io.Reader) (*http.Response, error) {
--- a/component/mmdb/mmdb.go
+++ b/component/mmdb/mmdb.go
@ -2,6 +2,9 @@ package mmdb
 import (
 	"github.com/oschwald/geoip2-golang"
 	"io"
 	"net/http"
 	"os"
 	"sync"
 	C "github.com/Dreamacro/clash/constant"
@ -42,3 +45,20 @@ func Instance() *geoip2.Reader {
 	return mmdb
 }
 func DownloadMMDB(path string) (err error) {
 	resp, err := http.Get(C.MmdbUrl)
 	if err != nil {
 		return
 	}
 	defer resp.Body.Close()
 	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0o644)
 	if err != nil {
 		return err
 	}
 	defer f.Close()
 	_, err = io.Copy(f, resp.Body)
 	return err
 }
--- a/component/nat/table.go
+++ b/component/nat/table.go
@ -1,6 +1,7 @@
 package nat
 import (
 	"net"
 	"sync"
 	C "github.com/Dreamacro/clash/constant"
@ -10,16 +11,24 @@ type Table struct {
 	mapping sync.Map
 }
-func (t *Table) Set(key string, pc C.PacketConn) {
+type Entry struct {
-	t.mapping.Store(key, pc)
+	PacketConn      C.PacketConn
 	LocalUDPConnMap sync.Map
 }
 func (t *Table) Set(key string, e C.PacketConn) {
 	t.mapping.Store(key, &Entry{
 		PacketConn:      e,
 		LocalUDPConnMap: sync.Map{},
 	})
 }
 func (t *Table) Get(key string) C.PacketConn {
-	item, exist := t.mapping.Load(key)
+	entry, exist := t.getEntry(key)
 	if !exist {
 		return nil
 	}
-	return item.(C.PacketConn)
+	return entry.PacketConn
 }
 func (t *Table) GetOrCreateLock(key string) (*sync.Cond, bool) {
@ -31,6 +40,62 @@ func (t *Table) Delete(key string) {
 	t.mapping.Delete(key)
 }
 func (t *Table) GetLocalConn(lAddr, rAddr string) *net.UDPConn {
 	entry, exist := t.getEntry(lAddr)
 	if !exist {
 		return nil
 	}
 	item, exist := entry.LocalUDPConnMap.Load(rAddr)
 	if !exist {
 		return nil
 	}
 	return item.(*net.UDPConn)
 }
 func (t *Table) AddLocalConn(lAddr, rAddr string, conn *net.UDPConn) bool {
 	entry, exist := t.getEntry(lAddr)
 	if !exist {
 		return false
 	}
 	entry.LocalUDPConnMap.Store(rAddr, conn)
 	return true
 }
 func (t *Table) RangeLocalConn(lAddr string, f func(key, value any) bool) {
 	entry, exist := t.getEntry(lAddr)
 	if !exist {
 		return
 	}
 	entry.LocalUDPConnMap.Range(f)
 }
 func (t *Table) GetOrCreateLockForLocalConn(lAddr, key string) (*sync.Cond, bool) {
 	entry, loaded := t.getEntry(lAddr)
 	if !loaded {
 		return nil, false
 	}
 	item, loaded := entry.LocalUDPConnMap.LoadOrStore(key, sync.NewCond(&sync.Mutex{}))
 	return item.(*sync.Cond), loaded
 }
 func (t *Table) DeleteLocalConnMap(lAddr, key string) {
 	entry, loaded := t.getEntry(lAddr)
 	if !loaded {
 		return
 	}
 	entry.LocalUDPConnMap.Delete(key)
 }
 func (t *Table) getEntry(key string) (*Entry, bool) {
 	item, ok := t.mapping.Load(key)
 	// This should not happen usually since this function called after PacketConn created
 	if !ok {
 		return nil, false
 	}
 	entry, ok := item.(*Entry)
 	return entry, ok
 }
 // New return *Cache
 func New() *Table {
 	return &Table{}
--- a/component/process/find_process_mode.go
+++ b/component/process/find_process_mode.go
@ -0,0 +1,57 @@
 package process
 import (
 	"encoding/json"
 	"errors"
 	"strings"
 )
 const (
 	FindProcessAlways = "always"
 	FindProcessStrict = "strict"
 	FindProcessOff    = "off"
 )
 var (
 	validModes = map[string]struct{}{
 		FindProcessAlways: {},
 		FindProcessOff:    {},
 		FindProcessStrict: {},
 	}
 )
 type FindProcessMode string
 func (m FindProcessMode) Always() bool {
 	return m == FindProcessAlways
 }
 func (m FindProcessMode) Off() bool {
 	return m == FindProcessOff
 }
 func (m *FindProcessMode) UnmarshalYAML(unmarshal func(any) error) error {
 	var tp string
 	if err := unmarshal(&tp); err != nil {
 		return err
 	}
 	return m.Set(tp)
 }
 func (m *FindProcessMode) UnmarshalJSON(data []byte) error {
 	var tp string
 	if err := json.Unmarshal(data, &tp); err != nil {
 		return err
 	}
 	return m.Set(tp)
 }
 func (m *FindProcessMode) Set(value string) error {
 	mode := strings.ToLower(value)
 	_, exist := validModes[mode]
 	if !exist {
 		return errors.New("invalid find process mode")
 	}
 	*m = FindProcessMode(mode)
 	return nil
 }
--- a/component/process/process.go
+++ b/component/process/process.go
@ -16,14 +16,6 @@ const (
 	UDP = "udp"
 )
-func FindProcessName(network string, srcIP netip.Addr, srcPort int) (*uint32, string, error) {
+func FindProcessName(network string, srcIP netip.Addr, srcPort int) (uint32, string, error) {
 	return findProcessName(network, srcIP, srcPort)
 }
 func FindUid(network string, srcIP netip.Addr, srcPort int) (*uint32, error) {
 	_, uid, err := resolveSocketByNetlink(network, srcIP, srcPort)
 	if err != nil {
 		return nil, err
 	}
 	return &uid, nil
 }
--- a/component/process/process_darwin.go
+++ b/component/process/process_darwin.go
@ -33,11 +33,7 @@ var structSize = func() int {
 	}
 }()
-func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (uint32, uint32, error) {
+func findProcessName(network string, ip netip.Addr, port int) (uint32, string, error) {
 	return 0, 0, ErrPlatformNotSupport
 }
 func findProcessName(network string, ip netip.Addr, port int) (*uint32, string, error) {
 	var spath string
 	switch network {
 	case TCP:
@ -45,14 +41,14 @@ func findProcessName(network string, ip netip.Addr, port int) (*uint32, string,
 	case UDP:
 		spath = "net.inet.udp.pcblist_n"
 	default:
-		return nil, "", ErrInvalidNetwork
+		return 0, "", ErrInvalidNetwork
 	}
 	isIPv4 := ip.Is4()
 	value, err := syscall.Sysctl(spath)
 	if err != nil {
-		return nil, "", err
+		return 0, "", err
 	}
 	buf := []byte(value)
@ -96,7 +92,7 @@ func findProcessName(network string, ip netip.Addr, port int) (*uint32, string,
 			// xsocket_n.so_last_pid
 			pid := readNativeUint32(buf[so+68 : so+72])
 			pp, err := getExecPathFromPID(pid)
-			return nil, pp, err
+			return 0, pp, err
 		}
 		// udp packet connection may be not equal with srcIP
@ -106,10 +102,10 @@ func findProcessName(network string, ip netip.Addr, port int) (*uint32, string,
 	}
 	if network == UDP && fallbackUDPProcess != "" {
-		return nil, fallbackUDPProcess, nil
+		return 0, fallbackUDPProcess, nil
 	}
-	return nil, "", ErrNotFound
+	return 0, "", ErrNotFound
 }
 func getExecPathFromPID(pid uint32) (string, error) {
--- a/component/process/process_freebsd_amd64.go
+++ b/component/process/process_freebsd_amd64.go
@ -21,11 +21,7 @@ var (
 	once sync.Once
 )
-func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (uint32, uint32, error) {
+func findProcessName(network string, ip netip.Addr, srcPort int) (uint32, string, error) {
 	return 0, 0, ErrPlatformNotSupport
 }
 func findProcessName(network string, ip netip.Addr, srcPort int) (*uint32, string, error) {
 	once.Do(func() {
 		if err := initSearcher(); err != nil {
 			log.Errorln("Initialize PROCESS-NAME failed: %s", err.Error())
@ -35,7 +31,7 @@ func findProcessName(network string, ip netip.Addr, srcPort int) (*uint32, strin
 	})
 	if defaultSearcher == nil {
-		return nil, "", ErrPlatformNotSupport
+		return 0, "", ErrPlatformNotSupport
 	}
 	var spath string
@ -46,22 +42,22 @@ func findProcessName(network string, ip netip.Addr, srcPort int) (*uint32, strin
 	case UDP:
 		spath = "net.inet.udp.pcblist"
 	default:
-		return nil, "", ErrInvalidNetwork
+		return 0, "", ErrInvalidNetwork
 	}
 	value, err := syscall.Sysctl(spath)
 	if err != nil {
-		return nil, "", err
+		return 0, "", err
 	}
 	buf := []byte(value)
 	pid, err := defaultSearcher.Search(buf, ip, uint16(srcPort), isTCP)
 	if err != nil {
-		return nil, "", err
+		return 0, "", err
 	}
 	pp, err := getExecPathFromPID(pid)
-	return nil, pp, err
+	return 0, pp, err
 }
 func getExecPathFromPID(pid uint32) (string, error) {
--- a/component/process/process_linux.go
+++ b/component/process/process_linux.go
@ -59,14 +59,14 @@ type inetDiagResponse struct {
 	INode   uint32
 }
-func findProcessName(network string, ip netip.Addr, srcPort int) (*uint32, string, error) {
+func findProcessName(network string, ip netip.Addr, srcPort int) (uint32, string, error) {
-	inode, uid, err := resolveSocketByNetlink(network, ip, srcPort)
+	uid, inode, err := resolveSocketByNetlink(network, ip, srcPort)
 	if err != nil {
-		return nil, "", err
+		return 0, "", err
 	}
 	pp, err := resolveProcessNameByProcSearch(inode, uid)
-	return &uid, pp, err
+	return uid, pp, err
 }
 func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (uint32, uint32, error) {
@ -119,7 +119,7 @@ func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (uint32,
 		response := (*inetDiagResponse)(unsafe.Pointer(&msg.Data[0]))
-		return response.INode, response.UID, nil
+		return response.UID, response.INode, nil
 	}
 	return 0, 0, ErrNotFound
--- a/component/process/process_other.go
+++ b/component/process/process_other.go
@ -4,8 +4,8 @@ package process
 import "net/netip"
-func findProcessName(network string, ip netip.Addr, srcPort int) (*uint32, string, error) {
+func findProcessName(network string, ip netip.Addr, srcPort int) (uint32, string, error) {
-	return nil, "", ErrPlatformNotSupport
+	return 0, "", ErrPlatformNotSupport
 }
 func resolveSocketByNetlink(network string, ip netip.Addr, srcPort int) (uint32, uint32, error) {
--- a/component/process/process_windows.go
+++ b/component/process/process_windows.go
@ -62,7 +62,7 @@ func initWin32API() error {
 	return nil
 }
-func findProcessName(network string, ip netip.Addr, srcPort int) (*uint32, string, error) {
+func findProcessName(network string, ip netip.Addr, srcPort int) (uint32, string, error) {
 	once.Do(func() {
 		err := initWin32API()
 		if err != nil {
@ -86,22 +86,22 @@ func findProcessName(network string, ip netip.Addr, srcPort int) (*uint32, strin
 		fn = getExUDPTable
 		class = udpTablePid
 	default:
-		return nil, "", ErrInvalidNetwork
+		return 0, "", ErrInvalidNetwork
 	}
 	buf, err := getTransportTable(fn, family, class)
 	if err != nil {
-		return nil, "", err
+		return 0, "", err
 	}
 	s := newSearcher(family == windows.AF_INET, network == TCP)
 	pid, err := s.Search(buf, ip, uint16(srcPort))
 	if err != nil {
-		return nil, "", err
+		return 0, "", err
 	}
 	pp, err := getExecPathFromPID(pid)
-	return nil, pp, err
+	return 0, pp, err
 }
 type searcher struct {
--- a/component/resolver/host.go
+++ b/component/resolver/host.go
@ -0,0 +1,113 @@
 package resolver
 import (
 	"errors"
 	"net/netip"
 	"strings"
 	"github.com/Dreamacro/clash/common/utils"
 	"github.com/Dreamacro/clash/component/trie"
 	"github.com/zhangyunhao116/fastrand"
 )
 type Hosts struct {
 	*trie.DomainTrie[HostValue]
 }
 func NewHosts(hosts *trie.DomainTrie[HostValue]) Hosts {
 	return Hosts{
 		hosts,
 	}
 }
 // Return the search result and whether to match the parameter `isDomain`
 func (h *Hosts) Search(domain string, isDomain bool) (*HostValue, bool) {
 	value := h.DomainTrie.Search(domain)
 	if value == nil {
 		return nil, false
 	}
 	hostValue := value.Data()
 	for {
 		if isDomain && hostValue.IsDomain {
 			return &hostValue, true
 		} else {
 			if node := h.DomainTrie.Search(hostValue.Domain); node != nil {
 				hostValue = node.Data()
 			} else {
 				break
 			}
 		}
 	}
 	if isDomain == hostValue.IsDomain {
 		return &hostValue, true
 	}
 	return &hostValue, false
 }
 type HostValue struct {
 	IsDomain bool
 	IPs      []netip.Addr
 	Domain   string
 }
 func NewHostValue(value any) (HostValue, error) {
 	isDomain := true
 	ips := make([]netip.Addr, 0)
 	domain := ""
 	if valueArr, err := utils.ToStringSlice(value); err != nil {
 		return HostValue{}, err
 	} else {
 		if len(valueArr) > 1 {
 			isDomain = false
 			for _, str := range valueArr {
 				if ip, err := netip.ParseAddr(str); err == nil {
 					ips = append(ips, ip)
 				} else {
 					return HostValue{}, err
 				}
 			}
 		} else if len(valueArr) == 1 {
 			host := valueArr[0]
 			if ip, err := netip.ParseAddr(host); err == nil {
 				ips = append(ips, ip)
 				isDomain = false
 			} else {
 				domain = host
 			}
 		}
 	}
 	if isDomain {
 		return NewHostValueByDomain(domain)
 	} else {
 		return NewHostValueByIPs(ips)
 	}
 }
 func NewHostValueByIPs(ips []netip.Addr) (HostValue, error) {
 	if len(ips) == 0 {
 		return HostValue{}, errors.New("ip list is empty")
 	}
 	return HostValue{
 		IsDomain: false,
 		IPs:      ips,
 	}, nil
 }
 func NewHostValueByDomain(domain string) (HostValue, error) {
 	domain = strings.Trim(domain, ".")
 	item := strings.Split(domain, ".")
 	if len(item) < 2 {
 		return HostValue{}, errors.New("invaild domain")
 	}
 	return HostValue{
 		IsDomain: true,
 		Domain:   domain,
 	}, nil
 }
 func (hv HostValue) RandIP() (netip.Addr, error) {
 	if hv.IsDomain {
 		return netip.Addr{}, errors.New("value type is error")
 	}
 	return hv.IPs[fastrand.Intn(len(hv.IPs))], nil
 }
--- a/component/resolver/resolver.go
+++ b/component/resolver/resolver.go
@ -4,13 +4,16 @@ import (
 	"context"
 	"errors"
 	"fmt"
 	"math/rand"
 	"net"
 	"net/netip"
 	"strings"
 	"time"
 	"github.com/Dreamacro/clash/common/utils"
 	"github.com/Dreamacro/clash/component/trie"
 	"github.com/miekg/dns"
 	"github.com/zhangyunhao116/fastrand"
 )
 var (
@ -25,7 +28,7 @@ var (
 	DisableIPv6 = true
 	// DefaultHosts aim to resolve hosts
-	DefaultHosts = trie.New[netip.Addr]()
+	DefaultHosts = NewHosts(trie.New[HostValue]())
 	// DefaultDNSTimeout defined the default dns request timeout
 	DefaultDNSTimeout = time.Second * 5
@ -44,13 +47,16 @@ type Resolver interface {
 	ResolveIP(ctx context.Context, host string) (ip netip.Addr, err error)
 	ResolveIPv4(ctx context.Context, host string) (ip netip.Addr, err error)
 	ResolveIPv6(ctx context.Context, host string) (ip netip.Addr, err error)
 	ExchangeContext(ctx context.Context, m *dns.Msg) (msg *dns.Msg, err error)
 }
 // LookupIPv4WithResolver same as LookupIPv4, but with a resolver
 func LookupIPv4WithResolver(ctx context.Context, host string, r Resolver) ([]netip.Addr, error) {
-	if node := DefaultHosts.Search(host); node != nil {
+	if node, ok := DefaultHosts.Search(host, false); ok {
-		if ip := node.Data(); ip.Is4() {
+		if addrs := utils.Filter(node.IPs, func(ip netip.Addr) bool {
-			return []netip.Addr{node.Data()}, nil
+			return ip.Is4()
 		}); len(addrs) > 0 {
 			return addrs, nil
 		}
 	}
@ -66,10 +72,6 @@ func LookupIPv4WithResolver(ctx context.Context, host string, r Resolver) ([]net
 		return r.LookupIPv4(ctx, host)
 	}
 	if DefaultResolver != nil {
 		return DefaultResolver.LookupIPv4(ctx, host)
 	}
 	ipAddrs, err := net.DefaultResolver.LookupNetIP(ctx, "ip4", host)
 	if err != nil {
 		return nil, err
@ -93,7 +95,7 @@ func ResolveIPv4WithResolver(ctx context.Context, host string, r Resolver) (neti
 	} else if len(ips) == 0 {
 		return netip.Addr{}, fmt.Errorf("%w: %s", ErrIPNotFound, host)
 	}
-	return ips[rand.Intn(len(ips))], nil
+	return ips[fastrand.Intn(len(ips))], nil
 }
 // ResolveIPv4 with a host, return ipv4
@ -107,9 +109,11 @@ func LookupIPv6WithResolver(ctx context.Context, host string, r Resolver) ([]net
 		return nil, ErrIPv6Disabled
 	}
-	if node := DefaultHosts.Search(host); node != nil {
+	if node, ok := DefaultHosts.Search(host, false); ok {
-		if ip := node.Data(); ip.Is6() {
+		if addrs := utils.Filter(node.IPs, func(ip netip.Addr) bool {
-			return []netip.Addr{ip}, nil
+			return ip.Is6()
 		}); len(addrs) > 0 {
 			return addrs, nil
 		}
 	}
@ -123,9 +127,6 @@ func LookupIPv6WithResolver(ctx context.Context, host string, r Resolver) ([]net
 	if r != nil {
 		return r.LookupIPv6(ctx, host)
 	}
 	if DefaultResolver != nil {
 		return DefaultResolver.LookupIPv6(ctx, host)
 	}
 	ipAddrs, err := net.DefaultResolver.LookupNetIP(ctx, "ip6", host)
 	if err != nil {
@ -150,7 +151,7 @@ func ResolveIPv6WithResolver(ctx context.Context, host string, r Resolver) (neti
 	} else if len(ips) == 0 {
 		return netip.Addr{}, fmt.Errorf("%w: %s", ErrIPNotFound, host)
 	}
-	return ips[rand.Intn(len(ips))], nil
+	return ips[fastrand.Intn(len(ips))], nil
 }
 func ResolveIPv6(ctx context.Context, host string) (netip.Addr, error) {
@ -159,8 +160,8 @@ func ResolveIPv6(ctx context.Context, host string) (netip.Addr, error) {
 // LookupIPWithResolver same as LookupIP, but with a resolver
 func LookupIPWithResolver(ctx context.Context, host string, r Resolver) ([]netip.Addr, error) {
-	if node := DefaultHosts.Search(host); node != nil {
+	if node, ok := DefaultHosts.Search(host, false); ok {
-		return []netip.Addr{node.Data()}, nil
+		return node.IPs, nil
 	}
 	if r != nil {
@ -169,7 +170,7 @@ func LookupIPWithResolver(ctx context.Context, host string, r Resolver) ([]netip
 		}
 		return r.LookupIP(ctx, host)
 	} else if DisableIPv6 {
-		return LookupIPv4(ctx, host)
+		return LookupIPv4WithResolver(ctx, host, r)
 	}
 	if ip, err := netip.ParseAddr(host); err == nil {
@ -199,7 +200,7 @@ func ResolveIPWithResolver(ctx context.Context, host string, r Resolver) (netip.
 	} else if len(ips) == 0 {
 		return netip.Addr{}, fmt.Errorf("%w: %s", ErrIPNotFound, host)
 	}
-	return ips[rand.Intn(len(ips))], nil
+	return ips[fastrand.Intn(len(ips))], nil
 }
 // ResolveIP with a host, return ip
--- a/component/resource/fetcher.go
+++ b/component/resource/fetcher.go
@ -57,7 +57,7 @@ func (f *Fetcher[V]) Initial() (V, error) {
 		f.UpdatedAt = &modTime
 		isLocal = true
 		if f.interval != 0 && modTime.Add(f.interval).Before(time.Now()) {
-			log.Infoln("[Provider] %s not updated for a long time, force refresh", f.Name())
+			log.Warnln("[Provider] %s not updated for a long time, force refresh", f.Name())
 			forceUpdate = true
 		}
 	} else {
@ -162,7 +162,7 @@ func (f *Fetcher[V]) pullLoop() {
 		case <-f.ticker.C:
 			elm, same, err := f.Update()
 			if err != nil {
-				log.Warnln("[Provider] %s pull error: %s", f.Name(), err.Error())
+				log.Errorln("[Provider] %s pull error: %s", f.Name(), err.Error())
 				continue
 			}
--- a/component/sniffer/base_sniffer.go
+++ b/component/sniffer/base_sniffer.go
@ -0,0 +1,53 @@
 package sniffer
 import (
 	"errors"
 	"github.com/Dreamacro/clash/common/utils"
 	"github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/sniffer"
 )
 type SnifferConfig struct {
 	OverrideDest bool
 	Ports        []utils.Range[uint16]
 }
 type BaseSniffer struct {
 	ports              []utils.Range[uint16]
 	supportNetworkType constant.NetWork
 }
 // Protocol implements sniffer.Sniffer
 func (*BaseSniffer) Protocol() string {
 	return "unknown"
 }
 // SniffTCP implements sniffer.Sniffer
 func (*BaseSniffer) SniffTCP(bytes []byte) (string, error) {
 	return "", errors.New("TODO")
 }
 // SupportNetwork implements sniffer.Sniffer
 func (bs *BaseSniffer) SupportNetwork() constant.NetWork {
 	return bs.supportNetworkType
 }
 // SupportPort implements sniffer.Sniffer
 func (bs *BaseSniffer) SupportPort(port uint16) bool {
 	for _, portRange := range bs.ports {
 		if portRange.Contains(port) {
 			return true
 		}
 	}
 	return false
 }
 func NewBaseSniffer(ports []utils.Range[uint16], networkType constant.NetWork) *BaseSniffer {
 	return &BaseSniffer{
 		ports:              ports,
 		supportNetworkType: networkType,
 	}
 }
 var _ sniffer.Sniffer = (*BaseSniffer)(nil)
--- a/component/sniffer/dispatcher.go
+++ b/component/sniffer/dispatcher.go
@ -11,7 +11,6 @@ import (
 	"github.com/Dreamacro/clash/common/cache"
 	N "github.com/Dreamacro/clash/common/net"
 	"github.com/Dreamacro/clash/common/utils"
 	"github.com/Dreamacro/clash/component/trie"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/sniffer"
@ -28,25 +27,16 @@ var Dispatcher *SnifferDispatcher
 type SnifferDispatcher struct {
 	enable          bool
-
+	sniffers        map[sniffer.Sniffer]SnifferConfig
 	sniffers []sniffer.Sniffer
 	forceDomain     *trie.DomainTrie[struct{}]
 	skipSNI         *trie.DomainTrie[struct{}]
 	portRanges  *[]utils.Range[uint16]
 	skipList        *cache.LruCache[string, uint8]
 	rwMux           sync.RWMutex
 	forceDnsMapping bool
 	parsePureIp     bool
 }
-func (sd *SnifferDispatcher) TCPSniff(conn net.Conn, metadata *C.Metadata) {
+func (sd *SnifferDispatcher) TCPSniff(conn *N.BufferedConn, metadata *C.Metadata) {
 	bufConn, ok := conn.(*N.BufferedConn)
 	if !ok {
 		return
 	}
 	if (metadata.Host == "" && sd.parsePureIp) || sd.forceDomain.Search(metadata.Host) != nil || (metadata.DNSMode == C.DNSMapping && sd.forceDnsMapping) {
 		port, err := strconv.ParseUint(metadata.DstPort, 10, 16)
 		if err != nil {
@ -55,12 +45,16 @@ func (sd *SnifferDispatcher) TCPSniff(conn net.Conn, metadata *C.Metadata) {
 		}
 		inWhitelist := false
-		for _, portRange := range *sd.portRanges {
+		overrideDest := false
-			if portRange.Contains(uint16(port)) {
+		for sniffer, config := range sd.sniffers {
-				inWhitelist = true
+			if sniffer.SupportNetwork() == C.TCP || sniffer.SupportNetwork() == C.ALLNet {
 				inWhitelist = sniffer.SupportPort(uint16(port))
 				if inWhitelist {
 					overrideDest = config.OverrideDest
 					break
 				}
 			}
 		}
 		if !inWhitelist {
 			return
@ -75,7 +69,7 @@ func (sd *SnifferDispatcher) TCPSniff(conn net.Conn, metadata *C.Metadata) {
 		}
 		sd.rwMux.RUnlock()
-		if host, err := sd.sniffDomain(bufConn, metadata); err != nil {
+		if host, err := sd.sniffDomain(conn, metadata); err != nil {
 			sd.cacheSniffFailed(metadata)
 			log.Debugln("[Sniffer] All sniffing sniff failed with from [%s:%s] to [%s:%s]", metadata.SrcIP, metadata.SrcPort, metadata.String(), metadata.DstPort)
 			return
@ -89,31 +83,21 @@ func (sd *SnifferDispatcher) TCPSniff(conn net.Conn, metadata *C.Metadata) {
 			sd.skipList.Delete(dst)
 			sd.rwMux.RUnlock()
-			sd.replaceDomain(metadata, host)
+			sd.replaceDomain(metadata, host, overrideDest)
 		}
 	}
 }
-func (sd *SnifferDispatcher) replaceDomain(metadata *C.Metadata, host string) {
+func (sd *SnifferDispatcher) replaceDomain(metadata *C.Metadata, host string, overrideDest bool) {
-	dstIP := ""
+	metadata.SniffHost = host
-	if metadata.DstIP.IsValid() {
+	if overrideDest {
 		dstIP = metadata.DstIP.String()
 	}
 	originHost := metadata.Host
 	if originHost != host {
 		log.Infoln("[Sniffer] Sniff TCP [%s:%s]-->[%s:%s] success, replace domain [%s]-->[%s]",
 			metadata.SrcIP, metadata.SrcPort,
 			dstIP, metadata.DstPort,
 			metadata.Host, host)
 	} else {
 		log.Debugln("[Sniffer] Sniff TCP [%s:%s]-->[%s:%s] success, replace domain [%s]-->[%s]",
 			metadata.SrcIP, metadata.SrcPort,
 			dstIP, metadata.DstPort,
 			metadata.Host, host)
 	}
 		metadata.Host = host
 	}
 	metadata.DNSMode = C.DNSNormal
 	log.Debugln("[Sniffer] Sniff TCP [%s]-->[%s] success, replace domain [%s]-->[%s]",
 		metadata.SourceDetail(),
 		metadata.RemoteAddress(),
 		metadata.Host, host)
 }
 func (sd *SnifferDispatcher) Enable() bool {
@ -121,7 +105,7 @@ func (sd *SnifferDispatcher) Enable() bool {
 }
 func (sd *SnifferDispatcher) sniffDomain(conn *N.BufferedConn, metadata *C.Metadata) (string, error) {
-	for _, s := range sd.sniffers {
+	for s := range sd.sniffers {
 		if s.SupportNetwork() == C.TCP {
 			_ = conn.SetReadDeadline(time.Now().Add(1 * time.Second))
 			_, err := conn.Peek(1)
@ -182,38 +166,37 @@ func NewCloseSnifferDispatcher() (*SnifferDispatcher, error) {
 	return &dispatcher, nil
 }
-func NewSnifferDispatcher(needSniffer []sniffer.Type, forceDomain *trie.DomainTrie[struct{}],
+func NewSnifferDispatcher(snifferConfig map[sniffer.Type]SnifferConfig, forceDomain *trie.DomainTrie[struct{}],
-	skipSNI *trie.DomainTrie[struct{}], ports *[]utils.Range[uint16],
+	skipSNI *trie.DomainTrie[struct{}],
 	forceDnsMapping bool, parsePureIp bool) (*SnifferDispatcher, error) {
 	dispatcher := SnifferDispatcher{
 		enable:          true,
 		forceDomain:     forceDomain,
 		skipSNI:         skipSNI,
-		portRanges:      ports,
+		skipList:        cache.New(cache.WithSize[string, uint8](128), cache.WithAge[string, uint8](600)),
 		skipList:        cache.New[string, uint8](cache.WithSize[string, uint8](128), cache.WithAge[string, uint8](600)),
 		forceDnsMapping: forceDnsMapping,
 		parsePureIp:     parsePureIp,
 		sniffers:        make(map[sniffer.Sniffer]SnifferConfig, 0),
 	}
-	for _, snifferName := range needSniffer {
+	for snifferName, config := range snifferConfig {
-		s, err := NewSniffer(snifferName)
+		s, err := NewSniffer(snifferName, config)
 		if err != nil {
 			log.Errorln("Sniffer name[%s] is error", snifferName)
 			return &SnifferDispatcher{enable: false}, err
 		}
-
+		dispatcher.sniffers[s] = config
 		dispatcher.sniffers = append(dispatcher.sniffers, s)
 	}
 	return &dispatcher, nil
 }
-func NewSniffer(name sniffer.Type) (sniffer.Sniffer, error) {
+func NewSniffer(name sniffer.Type, snifferConfig SnifferConfig) (sniffer.Sniffer, error) {
 	switch name {
 	case sniffer.TLS:
-		return &TLSSniffer{}, nil
+		return NewTLSSniffer(snifferConfig)
 	case sniffer.HTTP:
-		return &HTTPSniffer{}, nil
+		return NewHTTPSniffer(snifferConfig)
 	default:
 		return nil, ErrorUnsupportedSniffer
 	}
--- a/component/sniffer/http_sniffer.go
+++ b/component/sniffer/http_sniffer.go
@ -7,7 +7,9 @@ import (
 	"net"
 	"strings"
 	"github.com/Dreamacro/clash/common/utils"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/sniffer"
 )
 var (
@ -24,10 +26,25 @@ const (
 )
 type HTTPSniffer struct {
 	*BaseSniffer
 	version version
 	host    string
 }
 var _ sniffer.Sniffer = (*HTTPSniffer)(nil)
 func NewHTTPSniffer(snifferConfig SnifferConfig) (*HTTPSniffer, error) {
 	ports := make([]utils.Range[uint16], 0)
 	if len(snifferConfig.Ports) == 0 {
 		ports = append(ports, *utils.NewRange[uint16](80, 80))
 	} else {
 		ports = append(ports, snifferConfig.Ports...)
 	}
 	return &HTTPSniffer{
 		BaseSniffer: NewBaseSniffer(ports, C.TCP),
 	}, nil
 }
 func (http *HTTPSniffer) Protocol() string {
 	switch http.version {
 	case HTTP1:
--- a/component/sniffer/tls_sniffer.go
+++ b/component/sniffer/tls_sniffer.go
@ -5,7 +5,9 @@ import (
 	"errors"
 	"strings"
 	"github.com/Dreamacro/clash/common/utils"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/constant/sniffer"
 )
 var (
@ -13,7 +15,22 @@ var (
 	errNotClientHello = errors.New("not client hello")
 )
 var _ sniffer.Sniffer = (*TLSSniffer)(nil)
 type TLSSniffer struct {
 	*BaseSniffer
 }
 func NewTLSSniffer(snifferConfig SnifferConfig) (*TLSSniffer, error) {
 	ports := make([]utils.Range[uint16], 0)
 	if len(snifferConfig.Ports) == 0 {
 		ports = append(ports, *utils.NewRange[uint16](443, 443))
 	} else {
 		ports = append(ports, snifferConfig.Ports...)
 	}
 	return &TLSSniffer{
 		BaseSniffer: NewBaseSniffer(ports, C.TCP),
 	}, nil
 }
 func (tls *TLSSniffer) Protocol() string {
--- a/component/tls/config.go
+++ b/component/tls/config.go
@ -6,75 +6,69 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/hex"
 	"errors"
 	"fmt"
-	xtls "github.com/xtls/go"
+	"strings"
 	"sync"
-	"time"
+
 	xtls "github.com/xtls/go"
 )
-var globalFingerprints = make([][32]byte, 0, 0)
+var trustCert, _ = x509.SystemCertPool()
 var mutex sync.Mutex
-func verifyPeerCertificateAndFingerprints(fingerprints *[][32]byte, insecureSkipVerify bool) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+var mutex sync.RWMutex
-	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+var errNotMacth error = errors.New("certificate fingerprints do not match")
-		if insecureSkipVerify {
+
-			return nil
+func AddCertificate(certificate string) error {
 	mutex.Lock()
 	defer mutex.Unlock()
 	if certificate == "" {
 		return fmt.Errorf("certificate is empty")
 	}
 	if ok := trustCert.AppendCertsFromPEM([]byte(certificate)); !ok {
 		return fmt.Errorf("add certificate failed")
 	}
 	return nil
 }
-		var preErr error
+func ResetCertificate() {
 	mutex.Lock()
 	defer mutex.Unlock()
 	trustCert, _ = x509.SystemCertPool()
 }
 func verifyFingerprint(fingerprint *[32]byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
 	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
 		// ssl pining
 		for i := range rawCerts {
 			rawCert := rawCerts[i]
 			cert, err := x509.ParseCertificate(rawCert)
 			if err == nil {
-				opts := x509.VerifyOptions{
+				hash := sha256.Sum256(cert.Raw)
-					CurrentTime: time.Now(),
+				if bytes.Equal(fingerprint[:], hash[:]) {
 				}
 				if _, err := cert.Verify(opts); err == nil {
 					return nil
 				} else {
 					fingerprint := sha256.Sum256(cert.Raw)
 					for _, fp := range *fingerprints {
 						if bytes.Equal(fingerprint[:], fp[:]) {
 					return nil
 				}
 			}
 					preErr = err
 		}
 		return errNotMacth
 	}
 		}
 		return preErr
 	}
 }
 func AddCertFingerprint(fingerprint string) error {
 	fpByte, err2 := convertFingerprint(fingerprint)
 	if err2 != nil {
 		return err2
 	}
 	mutex.Lock()
 	globalFingerprints = append(globalFingerprints, *fpByte)
 	mutex.Unlock()
 	return nil
 }
 func convertFingerprint(fingerprint string) (*[32]byte, error) {
 	fingerprint = strings.TrimSpace(strings.Replace(fingerprint, ":", "", -1))
 	fpByte, err := hex.DecodeString(fingerprint)
 	if err != nil {
 		return nil, err
 	}
 	if len(fpByte) != 32 {
-		return nil, fmt.Errorf("fingerprint string length error,need sha25 fingerprint")
+		return nil, fmt.Errorf("fingerprint string length error,need sha256 fingerprint")
 	}
 	return (*[32]byte)(fpByte), nil
 }
 func GetDefaultTLSConfig() *tls.Config {
-	return GetGlobalFingerprintTLCConfig(nil)
+	return GetGlobalTLSConfig(nil)
 }
 // GetSpecifiedFingerprintTLSConfig specified fingerprint
@ -82,29 +76,20 @@ func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string)
 	if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {
 		return nil, err
 	} else {
-		if tlsConfig == nil {
+		tlsConfig = GetGlobalTLSConfig(tlsConfig)
-			return &tls.Config{
+		tlsConfig.VerifyPeerCertificate = verifyFingerprint(fingerprintBytes)
 				InsecureSkipVerify:    true,
 				VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&[][32]byte{*fingerprintBytes}, false),
 			}, nil
 		} else {
 			tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&[][32]byte{*fingerprintBytes}, tlsConfig.InsecureSkipVerify)
 		tlsConfig.InsecureSkipVerify = true
 		return tlsConfig, nil
 	}
 	}
 }
-func GetGlobalFingerprintTLCConfig(tlsConfig *tls.Config) *tls.Config {
+func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config {
 	if tlsConfig == nil {
 		return &tls.Config{
-			InsecureSkipVerify:    true,
+			RootCAs: trustCert,
 			VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&globalFingerprints, false),
 		}
 	}
-
+	tlsConfig.RootCAs = trustCert
 	tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&globalFingerprints, tlsConfig.InsecureSkipVerify)
 	tlsConfig.InsecureSkipVerify = true
 	return tlsConfig
 }
@ -113,28 +98,20 @@ func GetSpecifiedFingerprintXTLSConfig(tlsConfig *xtls.Config, fingerprint strin
 	if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {
 		return nil, err
 	} else {
-		if tlsConfig == nil {
+		tlsConfig = GetGlobalXTLSConfig(tlsConfig)
-			return &xtls.Config{
+		tlsConfig.VerifyPeerCertificate = verifyFingerprint(fingerprintBytes)
 				InsecureSkipVerify:    true,
 				VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&[][32]byte{*fingerprintBytes}, false),
 			}, nil
 		} else {
 			tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&[][32]byte{*fingerprintBytes}, tlsConfig.InsecureSkipVerify)
 		tlsConfig.InsecureSkipVerify = true
 		return tlsConfig, nil
 	}
 	}
 }
-func GetGlobalFingerprintXTLCConfig(tlsConfig *xtls.Config) *xtls.Config {
+func GetGlobalXTLSConfig(tlsConfig *xtls.Config) *xtls.Config {
 	if tlsConfig == nil {
 		return &xtls.Config{
-			InsecureSkipVerify:    true,
+			RootCAs: trustCert,
 			VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&globalFingerprints, false),
 		}
 	}
-	tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&globalFingerprints, tlsConfig.InsecureSkipVerify)
+	tlsConfig.RootCAs = trustCert
 	tlsConfig.InsecureSkipVerify = true
 	return tlsConfig
 }
--- a/component/tls/reality.go
+++ b/component/tls/reality.go
@ -0,0 +1,169 @@
 package tls
 import (
 	"bytes"
 	"context"
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/ed25519"
 	"crypto/hmac"
 	"crypto/sha256"
 	"crypto/sha512"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/binary"
 	"errors"
 	"net"
 	"net/http"
 	"reflect"
 	"strings"
 	"time"
 	"unsafe"
 	"github.com/Dreamacro/clash/common/utils"
 	"github.com/Dreamacro/clash/log"
 	utls "github.com/sagernet/utls"
 	"github.com/zhangyunhao116/fastrand"
 	"golang.org/x/crypto/curve25519"
 	"golang.org/x/crypto/hkdf"
 	"golang.org/x/net/http2"
 )
 const RealityMaxShortIDLen = 8
 type RealityConfig struct {
 	PublicKey [curve25519.ScalarSize]byte
 	ShortID   [RealityMaxShortIDLen]byte
 }
 func GetRealityConn(ctx context.Context, conn net.Conn, ClientFingerprint string, tlsConfig *tls.Config, realityConfig *RealityConfig) (net.Conn, error) {
 	if fingerprint, exists := GetFingerprint(ClientFingerprint); exists {
 		verifier := &realityVerifier{
 			serverName: tlsConfig.ServerName,
 		}
 		uConfig := &utls.Config{
 			ServerName:             tlsConfig.ServerName,
 			NextProtos:             tlsConfig.NextProtos,
 			InsecureSkipVerify:     true,
 			SessionTicketsDisabled: true,
 			VerifyPeerCertificate:  verifier.VerifyPeerCertificate,
 		}
 		clientID := utls.ClientHelloID{
 			Client:  fingerprint.Client,
 			Version: fingerprint.Version,
 			Seed:    fingerprint.Seed,
 		}
 		uConn := utls.UClient(conn, uConfig, clientID)
 		verifier.UConn = uConn
 		err := uConn.BuildHandshakeState()
 		if err != nil {
 			return nil, err
 		}
 		hello := uConn.HandshakeState.Hello
 		hello.SessionId = make([]byte, 32)
 		copy(hello.Raw[39:], hello.SessionId)
 		var nowTime time.Time
 		if uConfig.Time != nil {
 			nowTime = uConfig.Time()
 		} else {
 			nowTime = time.Now()
 		}
 		binary.BigEndian.PutUint64(hello.SessionId, uint64(nowTime.Unix()))
 		hello.SessionId[0] = 1
 		hello.SessionId[1] = 7
 		hello.SessionId[2] = 5
 		copy(hello.SessionId[8:], realityConfig.ShortID[:])
 		//log.Debugln("REALITY hello.sessionId[:16]: %v", hello.SessionId[:16])
 		authKey := uConn.HandshakeState.State13.EcdheParams.SharedKey(realityConfig.PublicKey[:])
 		if authKey == nil {
 			return nil, errors.New("nil auth_key")
 		}
 		verifier.authKey = authKey
 		_, err = hkdf.New(sha256.New, authKey, hello.Random[:20], []byte("REALITY")).Read(authKey)
 		if err != nil {
 			return nil, err
 		}
 		aesBlock, _ := aes.NewCipher(authKey)
 		aesGcmCipher, _ := cipher.NewGCM(aesBlock)
 		aesGcmCipher.Seal(hello.SessionId[:0], hello.Random[20:], hello.SessionId[:16], hello.Raw)
 		copy(hello.Raw[39:], hello.SessionId)
 		//log.Debugln("REALITY hello.sessionId: %v", hello.SessionId)
 		//log.Debugln("REALITY uConn.AuthKey: %v", authKey)
 		err = uConn.HandshakeContext(ctx)
 		if err != nil {
 			return nil, err
 		}
 		log.Debugln("REALITY Authentication: %v", verifier.verified)
 		if !verifier.verified {
 			go realityClientFallback(uConn, uConfig.ServerName, clientID)
 			return nil, errors.New("REALITY authentication failed")
 		}
 		return uConn, nil
 	}
 	return nil, errors.New("unknown uTLS fingerprint")
 }
 func realityClientFallback(uConn net.Conn, serverName string, fingerprint utls.ClientHelloID) {
 	defer uConn.Close()
 	client := http.Client{
 		Transport: &http2.Transport{
 			DialTLSContext: func(ctx context.Context, network, addr string, config *tls.Config) (net.Conn, error) {
 				return uConn, nil
 			},
 		},
 	}
 	request, _ := http.NewRequest("GET", "https://"+serverName, nil)
 	request.Header.Set("User-Agent", fingerprint.Client)
 	request.AddCookie(&http.Cookie{Name: "padding", Value: strings.Repeat("0", fastrand.Intn(32)+30)})
 	response, err := client.Do(request)
 	if err != nil {
 		return
 	}
 	//_, _ = io.Copy(io.Discard, response.Body)
 	time.Sleep(time.Duration(5 + fastrand.Int63n(10)))
 	response.Body.Close()
 	client.CloseIdleConnections()
 }
 type realityVerifier struct {
 	*utls.UConn
 	serverName string
 	authKey    []byte
 	verified   bool
 }
 var pOffset = utils.MustOK(reflect.TypeOf((*utls.UConn)(nil)).Elem().FieldByName("peerCertificates")).Offset
 func (c *realityVerifier) VerifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
 	//p, _ := reflect.TypeOf(c.Conn).Elem().FieldByName("peerCertificates")
 	certs := *(*[]*x509.Certificate)(unsafe.Pointer(uintptr(unsafe.Pointer(c.Conn)) + pOffset))
 	if pub, ok := certs[0].PublicKey.(ed25519.PublicKey); ok {
 		h := hmac.New(sha512.New, c.authKey)
 		h.Write(pub)
 		if bytes.Equal(h.Sum(nil), certs[0].Signature) {
 			c.verified = true
 			return nil
 		}
 	}
 	opts := x509.VerifyOptions{
 		DNSName:       c.serverName,
 		Intermediates: x509.NewCertPool(),
 	}
 	for _, cert := range certs[1:] {
 		opts.Intermediates.AddCert(cert)
 	}
 	if _, err := certs[0].Verify(opts); err != nil {
 		return err
 	}
 	return nil
 }
--- a/component/tls/utls.go
+++ b/component/tls/utls.go
@ -0,0 +1,139 @@
 package tls
 import (
 	"crypto/tls"
 	"net"
 	"github.com/Dreamacro/clash/log"
 	"github.com/mroth/weightedrand/v2"
 	utls "github.com/sagernet/utls"
 )
 type UConn struct {
 	*utls.UConn
 }
 type UClientHelloID struct {
 	*utls.ClientHelloID
 }
 var initRandomFingerprint UClientHelloID
 var initUtlsClient string
 func UClient(c net.Conn, config *tls.Config, fingerprint UClientHelloID) net.Conn {
 	utlsConn := utls.UClient(c, copyConfig(config), utls.ClientHelloID{
 		Client:  fingerprint.Client,
 		Version: fingerprint.Version,
 		Seed:    fingerprint.Seed,
 	})
 	return &UConn{UConn: utlsConn}
 }
 func GetFingerprint(ClientFingerprint string) (UClientHelloID, bool) {
 	if ClientFingerprint == "none" {
 		return UClientHelloID{}, false
 	}
 	if initRandomFingerprint.ClientHelloID == nil {
 		initRandomFingerprint, _ = RollFingerprint()
 	}
 	if ClientFingerprint == "random" {
 		log.Debugln("use initial random HelloID:%s", initRandomFingerprint.Client)
 		return initRandomFingerprint, true
 	}
 	fingerprint, ok := Fingerprints[ClientFingerprint]
 	log.Debugln("use specified fingerprint:%s", fingerprint.Client)
 	return fingerprint, ok
 }
 func RollFingerprint() (UClientHelloID, bool) {
 	chooser, _ := weightedrand.NewChooser(
 		weightedrand.NewChoice("chrome", 6),
 		weightedrand.NewChoice("safari", 3),
 		weightedrand.NewChoice("ios", 2),
 		weightedrand.NewChoice("firefox", 1),
 	)
 	initClient := chooser.Pick()
 	log.Debugln("initial random HelloID:%s", initClient)
 	fingerprint, ok := Fingerprints[initClient]
 	return fingerprint, ok
 }
 var Fingerprints = map[string]UClientHelloID{
 	"chrome":     {&utls.HelloChrome_Auto},
 	"firefox":    {&utls.HelloFirefox_Auto},
 	"safari":     {&utls.HelloSafari_Auto},
 	"ios":        {&utls.HelloIOS_Auto},
 	"android":    {&utls.HelloAndroid_11_OkHttp},
 	"edge":       {&utls.HelloEdge_Auto},
 	"360":        {&utls.Hello360_Auto},
 	"qq":         {&utls.HelloQQ_Auto},
 	"random":     {nil},
 	"randomized": {nil},
 }
 func init() {
 	weights := utls.DefaultWeights
 	weights.TLSVersMax_Set_VersionTLS13 = 1
 	weights.FirstKeyShare_Set_CurveP256 = 0
 	randomized := utls.HelloRandomized
 	randomized.Seed, _ = utls.NewPRNGSeed()
 	randomized.Weights = &weights
 	Fingerprints["randomized"] = UClientHelloID{&randomized}
 }
 func copyConfig(c *tls.Config) *utls.Config {
 	return &utls.Config{
 		RootCAs:               c.RootCAs,
 		ServerName:            c.ServerName,
 		NextProtos:            c.NextProtos,
 		InsecureSkipVerify:    c.InsecureSkipVerify,
 		VerifyPeerCertificate: c.VerifyPeerCertificate,
 	}
 }
 // WebsocketHandshake basically calls UConn.Handshake inside it but it will only send
 // http/1.1 in its ALPN.
 // Copy from https://github.com/XTLS/Xray-core/blob/main/transport/internet/tls/tls.go
 func (c *UConn) WebsocketHandshake() error {
 	// Build the handshake state. This will apply every variable of the TLS of the
 	// fingerprint in the UConn
 	if err := c.BuildHandshakeState(); err != nil {
 		return err
 	}
 	// Iterate over extensions and check for utls.ALPNExtension
 	hasALPNExtension := false
 	for _, extension := range c.Extensions {
 		if alpn, ok := extension.(*utls.ALPNExtension); ok {
 			hasALPNExtension = true
 			alpn.AlpnProtocols = []string{"http/1.1"}
 			break
 		}
 	}
 	if !hasALPNExtension { // Append extension if doesn't exists
 		c.Extensions = append(c.Extensions, &utls.ALPNExtension{AlpnProtocols: []string{"http/1.1"}})
 	}
 	// Rebuild the client hello and do the handshake
 	if err := c.BuildHandshakeState(); err != nil {
 		return err
 	}
 	return c.Handshake()
 }
 func SetGlobalUtlsClient(Client string) {
 	initUtlsClient = Client
 }
 func HaveGlobalFingerprint() bool {
 	if len(initUtlsClient) != 0 && initUtlsClient != "none" {
 		return true
 	}
 	return false
 }
 func GetGlobalFingerprint() string {
 	return initUtlsClient
 }
--- a/config/config.go
+++ b/config/config.go
@ -8,6 +8,7 @@ import (
 	"net/netip"
 	"net/url"
 	"os"
 	"regexp"
 	"runtime"
 	"strconv"
 	"strings"
@ -23,6 +24,10 @@ import (
 	"github.com/Dreamacro/clash/component/fakeip"
 	"github.com/Dreamacro/clash/component/geodata"
 	"github.com/Dreamacro/clash/component/geodata/router"
 	P "github.com/Dreamacro/clash/component/process"
 	"github.com/Dreamacro/clash/component/resolver"
 	SNIFF "github.com/Dreamacro/clash/component/sniffer"
 	tlsC "github.com/Dreamacro/clash/component/tls"
 	"github.com/Dreamacro/clash/component/trie"
 	C "github.com/Dreamacro/clash/constant"
 	providerTypes "github.com/Dreamacro/clash/constant/provider"
@ -51,9 +56,10 @@ type General struct {
 	GeodataMode             bool              `json:"geodata-mode"`
 	GeodataLoader           string            `json:"geodata-loader"`
 	TCPConcurrent           bool              `json:"tcp-concurrent"`
-	EnableProcess bool         `json:"enable-process"`
+	FindProcessMode         P.FindProcessMode `json:"find-process-mode"`
 	Sniffing                bool              `json:"sniffing"`
 	EBpf                    EBpf              `json:"-"`
 	GlobalClientFingerprint string            `json:"global-client-fingerprint"`
 }
 // Inbound config
@ -86,6 +92,7 @@ type DNS struct {
 	Enable                bool             `yaml:"enable"`
 	PreferH3              bool             `yaml:"prefer-h3"`
 	IPv6                  bool             `yaml:"ipv6"`
 	IPv6Timeout           uint             `yaml:"ipv6-timeout"`
 	NameServer            []dns.NameServer `yaml:"nameserver"`
 	Fallback              []dns.NameServer `yaml:"fallback"`
 	FallbackFilter        FallbackFilter   `yaml:"fallback-filter"`
@ -93,8 +100,8 @@ type DNS struct {
 	EnhancedMode          C.DNSMode        `yaml:"enhanced-mode"`
 	DefaultNameserver     []dns.NameServer `yaml:"default-nameserver"`
 	FakeIPRange           *fakeip.Pool
-	Hosts                 *trie.DomainTrie[netip.Addr]
+	Hosts                 *trie.DomainTrie[resolver.HostValue]
-	NameServerPolicy      map[string]dns.NameServer
+	NameServerPolicy      map[string][]dns.NameServer
 	ProxyServerNameserver []dns.NameServer
 }
@ -116,6 +123,7 @@ type Profile struct {
 type TLS struct {
 	Certificate     string   `yaml:"certificate"`
 	PrivateKey      string   `yaml:"private-key"`
 	CustomTrustCert []string `yaml:"custom-certifactes"`
 }
 // IPTables config
@ -127,11 +135,10 @@ type IPTables struct {
 type Sniffer struct {
 	Enable          bool
-	Sniffers        []snifferTypes.Type
+	Sniffers        map[snifferTypes.Type]SNIFF.SnifferConfig
 	Reverses        *trie.DomainTrie[struct{}]
 	ForceDomain     *trie.DomainTrie[struct{}]
 	SkipDomain      *trie.DomainTrie[struct{}]
 	Ports           *[]utils.Range[uint16]
 	ForceDnsMapping bool
 	ParsePureIp     bool
 }
@ -147,7 +154,7 @@ type Config struct {
 	IPTables      *IPTables
 	DNS           *DNS
 	Experimental  *Experimental
-	Hosts         *trie.DomainTrie[netip.Addr]
+	Hosts         *trie.DomainTrie[resolver.HostValue]
 	Profile       *Profile
 	Rules         []C.Rule
 	SubRules      map[string][]C.Rule
@ -165,6 +172,7 @@ type RawDNS struct {
 	Enable                bool              `yaml:"enable"`
 	PreferH3              bool              `yaml:"prefer-h3"`
 	IPv6                  bool              `yaml:"ipv6"`
 	IPv6Timeout           uint              `yaml:"ipv6-timeout"`
 	UseHosts              bool              `yaml:"use-hosts"`
 	NameServer            []string          `yaml:"nameserver"`
 	Fallback              []string          `yaml:"fallback"`
@ -174,7 +182,7 @@ type RawDNS struct {
 	FakeIPRange           string            `yaml:"fake-ip-range"`
 	FakeIPFilter          []string          `yaml:"fake-ip-filter"`
 	DefaultNameserver     []string          `yaml:"default-nameserver"`
-	NameServerPolicy      map[string]string `yaml:"nameserver-policy"`
+	NameServerPolicy      map[string]any    `yaml:"nameserver-policy"`
 	ProxyServerNameserver []string          `yaml:"proxy-server-nameserver"`
 }
@ -251,12 +259,13 @@ type RawConfig struct {
 	GeodataMode             bool              `yaml:"geodata-mode"`
 	GeodataLoader           string            `yaml:"geodata-loader"`
 	TCPConcurrent           bool              `yaml:"tcp-concurrent" json:"tcp-concurrent"`
-	EnableProcess         bool         `yaml:"enable-process" json:"enable-process"`
+	FindProcessMode         P.FindProcessMode `yaml:"find-process-mode" json:"find-process-mode"`
 	GlobalClientFingerprint string            `yaml:"global-client-fingerprint"`
 	Sniffer       RawSniffer                `yaml:"sniffer"`
 	ProxyProvider map[string]map[string]any `yaml:"proxy-providers"`
 	RuleProvider  map[string]map[string]any `yaml:"rule-providers"`
-	Hosts         map[string]string         `yaml:"hosts"`
+	Hosts         map[string]any            `yaml:"hosts"`
 	DNS           RawDNS                    `yaml:"dns"`
 	Tun           RawTun                    `yaml:"tun"`
 	TuicServer    RawTuicServer             `yaml:"tuic-server"`
@ -281,12 +290,19 @@ type RawGeoXUrl struct {
 type RawSniffer struct {
 	Enable          bool                         `yaml:"enable" json:"enable"`
 	OverrideDest    bool                         `yaml:"override-destination" json:"override-destination"`
 	Sniffing        []string                     `yaml:"sniffing" json:"sniffing"`
 	ForceDomain     []string                     `yaml:"force-domain" json:"force-domain"`
 	SkipDomain      []string                     `yaml:"skip-domain" json:"skip-domain"`
 	Ports           []string                     `yaml:"port-whitelist" json:"port-whitelist"`
 	ForceDnsMapping bool                         `yaml:"force-dns-mapping" json:"force-dns-mapping"`
 	ParsePureIp     bool                         `yaml:"parse-pure-ip" json:"parse-pure-ip"`
 	Sniff           map[string]RawSniffingConfig `yaml:"sniff" json:"sniff"`
 }
 type RawSniffingConfig struct {
 	Ports        []string `yaml:"ports" json:"ports"`
 	OverrideDest *bool    `yaml:"override-destination" json:"override-destination"`
 }
 // EBpf config
@ -323,12 +339,12 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 		UnifiedDelay:    false,
 		Authentication:  []string{},
 		LogLevel:        log.INFO,
-		Hosts:          map[string]string{},
+		Hosts:           map[string]any{},
 		Rule:            []string{},
 		Proxy:           []map[string]any{},
 		ProxyGroup:      []map[string]any{},
 		TCPConcurrent:   false,
-		EnableProcess:  false,
+		FindProcessMode: P.FindProcessStrict,
 		Tun: RawTun{
 			Enable:              false,
 			Device:              "",
@ -363,6 +379,7 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 			Enable:       false,
 			IPv6:         false,
 			UseHosts:     true,
 			IPv6Timeout:  100,
 			EnhancedMode: C.DNSMapping,
 			FakeIPRange:  "198.18.0.1/16",
 			FallbackFilter: RawFallbackFilter{
@ -395,14 +412,15 @@ func UnmarshalRawConfig(buf []byte) (*RawConfig, error) {
 			Ports:           []string{},
 			ForceDnsMapping: true,
 			ParsePureIp:     true,
 			OverrideDest:    true,
 		},
 		Profile: Profile{
 			StoreSelected: true,
 		},
 		GeoXUrl: RawGeoXUrl{
-			GeoIp:   "https://ghproxy.com/https://raw.githubusercontent.com/Loyalsoldier/v2ray-rules-dat/release/geoip.dat",
+			Mmdb:    "https://testingcf.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/country.mmdb",
-			Mmdb:    "https://ghproxy.com/https://raw.githubusercontent.com/Loyalsoldier/geoip/release/Country.mmdb",
+			GeoIp:   "https://testingcf.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geoip.dat",
-			GeoSite: "https://ghproxy.com/https://raw.githubusercontent.com/Loyalsoldier/v2ray-rules-dat/release/geosite.dat",
+			GeoSite: "https://testingcf.jsdelivr.net/gh/MetaCubeX/meta-rules-dat@release/geosite.dat",
 		},
 	}
@ -428,6 +446,11 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	}
 	config.General = general
 	if len(config.General.GlobalClientFingerprint) != 0 {
 		log.Debugln("GlobalClientFingerprint:%s", config.General.GlobalClientFingerprint)
 		tlsC.SetGlobalUtlsClient(config.General.GlobalClientFingerprint)
 	}
 	dialer.DefaultInterface.Store(config.General.Interface)
 	proxies, providers, err := parseProxies(rawCfg)
 	if err != nil {
@ -545,8 +568,9 @@ func parseGeneral(cfg *RawConfig) (*General, error) {
 		GeodataMode:             cfg.GeodataMode,
 		GeodataLoader:           cfg.GeodataLoader,
 		TCPConcurrent:           cfg.TCPConcurrent,
-		EnableProcess: cfg.EnableProcess,
+		FindProcessMode:         cfg.FindProcessMode,
 		EBpf:                    cfg.EBpf,
 		GlobalClientFingerprint: cfg.GlobalClientFingerprint,
 	}, nil
 }
@ -803,21 +827,47 @@ func parseRules(rulesConfig []string, proxies map[string]C.Proxy, subRules map[s
 	return rules, nil
 }
-func parseHosts(cfg *RawConfig) (*trie.DomainTrie[netip.Addr], error) {
+func parseHosts(cfg *RawConfig) (*trie.DomainTrie[resolver.HostValue], error) {
-	tree := trie.New[netip.Addr]()
+	tree := trie.New[resolver.HostValue]()
 	// add default hosts
-	if err := tree.Insert("localhost", netip.AddrFrom4([4]byte{127, 0, 0, 1})); err != nil {
+	hostValue, _ := resolver.NewHostValueByIPs(
 		[]netip.Addr{netip.AddrFrom4([4]byte{127, 0, 0, 1})})
 	if err := tree.Insert("localhost", hostValue); err != nil {
 		log.Errorln("insert localhost to host error: %s", err.Error())
 	}
 	if len(cfg.Hosts) != 0 {
-		for domain, ipStr := range cfg.Hosts {
+		for domain, anyValue := range cfg.Hosts {
-			ip, err := netip.ParseAddr(ipStr)
+			if str, ok := anyValue.(string); ok && str == "clash" {
-			if err != nil {
+				if addrs, err := net.InterfaceAddrs(); err != nil {
-				return nil, fmt.Errorf("%s is not a valid IP", ipStr)
+					log.Errorln("insert clash to host error: %s", err)
 				} else {
 					ips := make([]netip.Addr, 0)
 					for _, addr := range addrs {
 						if ipnet, ok := addr.(*net.IPNet); ok && !ipnet.IP.IsLoopback() {
 							if ip, err := netip.ParseAddr(ipnet.IP.String()); err == nil {
 								ips = append(ips, ip)
 							}
-			_ = tree.Insert(domain, ip)
+						}
 					}
 					anyValue = ips
 				}
 			}
 			value, err := resolver.NewHostValue(anyValue)
 			if err != nil {
 				return nil, fmt.Errorf("%s is not a valid value", anyValue)
 			}
 			if value.IsDomain {
 				node := tree.Search(value.Domain)
 				for node != nil && node.Data().IsDomain {
 					if node.Data().Domain == domain {
 						return nil, fmt.Errorf("%s, there is a cycle in domain name mapping", domain)
 					}
 					node = tree.Search(node.Data().Domain)
 				}
 			}
 			_ = tree.Insert(domain, value)
 		}
 	}
 	tree.Optimize()
@ -826,17 +876,15 @@ func parseHosts(cfg *RawConfig) (*trie.DomainTrie[netip.Addr], error) {
 }
 func hostWithDefaultPort(host string, defPort string) (string, error) {
 	if !strings.Contains(host, ":") {
 		host += ":"
 	}
 	hostname, port, err := net.SplitHostPort(host)
 	if err != nil {
 		if !strings.Contains(err.Error(), "missing port in address") {
 			return "", err
 		}
 		host = host + ":" + defPort
 		if hostname, port, err = net.SplitHostPort(host); err != nil {
 			return "", err
 		}
 	if port == "" {
 		port = defPort
 	}
 	return net.JoinHostPort(hostname, port), nil
@ -846,10 +894,7 @@ func parseNameServer(servers []string, preferH3 bool) ([]dns.NameServer, error)
 	var nameservers []dns.NameServer
 	for idx, server := range servers {
-		// parse without scheme .e.g 8.8.8.8:53
+		server = parsePureDNSServer(server)
 		if !strings.Contains(server, "://") {
 			server = "udp://" + server
 		}
 		u, err := url.Parse(server)
 		if err != nil {
 			return nil, fmt.Errorf("DNS NameServer[%d] format error: %s", idx, err.Error())
@ -870,16 +915,10 @@ func parseNameServer(servers []string, preferH3 bool) ([]dns.NameServer, error)
 			addr, err = hostWithDefaultPort(u.Host, "853")
 			dnsNetType = "tcp-tls" // DNS over TLS
 		case "https":
-			host := u.Host
+			addr, err = hostWithDefaultPort(u.Host, "443")
 			if err == nil {
 				proxyAdapter = ""
-			if _, _, err := net.SplitHostPort(host); err != nil && strings.Contains(err.Error(), "missing port in address") {
+				clearURL := url.URL{Scheme: "https", Host: addr, Path: u.Path}
 				host = net.JoinHostPort(host, "443")
 			} else {
 				if err != nil {
 					return nil, err
 				}
 			}
 			clearURL := url.URL{Scheme: "https", Host: host, Path: u.Path}
 				addr = clearURL.String()
 				dnsNetType = "https" // DNS over HTTPS
 				if len(u.Fragment) != 0 {
@ -896,6 +935,7 @@ func parseNameServer(servers []string, preferH3 bool) ([]dns.NameServer, error)
 						}
 					}
 				}
 			}
 		case "dhcp":
 			addr = u.Host
 			dnsNetType = "dhcp" // UDP from DHCP
@ -925,18 +965,66 @@ func parseNameServer(servers []string, preferH3 bool) ([]dns.NameServer, error)
 	return nameservers, nil
 }
-func parseNameServerPolicy(nsPolicy map[string]string, preferH3 bool) (map[string]dns.NameServer, error) {
+func parsePureDNSServer(server string) string {
-	policy := map[string]dns.NameServer{}
+	addPre := func(server string) string {
 		return "udp://" + server
 	}
-	for domain, server := range nsPolicy {
+	if ip, err := netip.ParseAddr(server); err != nil {
-		nameservers, err := parseNameServer([]string{server}, preferH3)
+		if strings.Contains(server, "://") {
 			return server
 		}
 		return addPre(server)
 	} else {
 		if ip.Is4() {
 			return addPre(server)
 		} else {
 			return addPre("[" + server + "]")
 		}
 	}
 }
 func parseNameServerPolicy(nsPolicy map[string]any, preferH3 bool) (map[string][]dns.NameServer, error) {
 	policy := map[string][]dns.NameServer{}
 	updatedPolicy := make(map[string]interface{})
 	re := regexp.MustCompile(`[a-zA-Z0-9\-]+\.[a-zA-Z]{2,}(\.[a-zA-Z]{2,})?`)
 	for k, v := range nsPolicy {
 		if strings.Contains(k, "geosite:") {
 			subkeys := strings.Split(k, ":")
 			subkeys = subkeys[1:]
 			subkeys = strings.Split(subkeys[0], ",")
 			//log.Infoln("subkeys:%+v", subkeys)
 			for _, subkey := range subkeys {
 				newKey := "geosite:" + subkey
 				//log.Infoln("newKey:%+v", newKey)
 				updatedPolicy[newKey] = v
 			}
 		} else if re.MatchString(k) {
 			subkeys := strings.Split(k, ",")
 			//log.Infoln("subkeys:%+v", subkeys)
 			for _, subkey := range subkeys {
 				updatedPolicy[subkey] = v
 			}
 		} else {
 			updatedPolicy[k] = v
 		}
 	}
 	//log.Infoln("updatedPolicy:%+v", updatedPolicy)
 	for domain, server := range updatedPolicy {
 		servers, err := utils.ToStringSlice(server)
 		if err != nil {
 			return nil, err
 		}
 		nameservers, err := parseNameServer(servers, preferH3)
 		if err != nil {
 			return nil, err
 		}
 		if _, valid := trie.ValidAndSplitDomain(domain); !valid {
 			return nil, fmt.Errorf("DNS ResoverRule invalid domain: %s", domain)
 		}
-		policy[domain] = nameservers[0]
+		policy[domain] = nameservers
 	}
 	return policy, nil
@ -962,6 +1050,7 @@ func parseFallbackGeoSite(countries []string, rules []C.Rule) ([]*router.DomainM
 		if err := geodata.InitGeoSite(); err != nil {
 			return nil, fmt.Errorf("can't initial GeoSite: %s", err)
 		}
 		log.Warnln("replace fallback-filter.geosite with nameserver-policy, it will be removed in the future")
 	}
 	for _, country := range countries {
@ -991,7 +1080,7 @@ func parseFallbackGeoSite(countries []string, rules []C.Rule) ([]*router.DomainM
 	return sites, nil
 }
-func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[netip.Addr], rules []C.Rule) (*DNS, error) {
+func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[resolver.HostValue], rules []C.Rule) (*DNS, error) {
 	cfg := rawCfg.DNS
 	if cfg.Enable && len(cfg.NameServer) == 0 {
 		return nil, fmt.Errorf("if DNS configuration is turned on, NameServer cannot be empty")
@ -1001,6 +1090,7 @@ func parseDNS(rawCfg *RawConfig, hosts *trie.DomainTrie[netip.Addr], rules []C.R
 		Enable:       cfg.Enable,
 		Listen:       cfg.Listen,
 		PreferH3:     cfg.PreferH3,
 		IPv6Timeout:  cfg.IPv6Timeout,
 		IPv6:         cfg.IPv6,
 		EnhancedMode: cfg.EnhancedMode,
 		FallbackFilter: FallbackFilter{
@ -1180,44 +1270,52 @@ func parseSniffer(snifferRaw RawSniffer) (*Sniffer, error) {
 		ForceDnsMapping: snifferRaw.ForceDnsMapping,
 		ParsePureIp:     snifferRaw.ParsePureIp,
 	}
 	loadSniffer := make(map[snifferTypes.Type]SNIFF.SnifferConfig)
-	var ports []utils.Range[uint16]
+	if len(snifferRaw.Sniff) != 0 {
-	if len(snifferRaw.Ports) == 0 {
+		for sniffType, sniffConfig := range snifferRaw.Sniff {
-		ports = append(ports, *utils.NewRange[uint16](80, 80))
+			find := false
-		ports = append(ports, *utils.NewRange[uint16](443, 443))
+			ports, err := parsePortRange(sniffConfig.Ports)
 	} else {
 		for _, portRange := range snifferRaw.Ports {
 			portRaws := strings.Split(portRange, "-")
 			p, err := strconv.ParseUint(portRaws[0], 10, 16)
 			if err != nil {
-				return nil, fmt.Errorf("%s format error", portRange)
+				return nil, err
 			}
 			overrideDest := snifferRaw.OverrideDest
 			if sniffConfig.OverrideDest != nil {
 				overrideDest = *sniffConfig.OverrideDest
 			}
 			for _, snifferType := range snifferTypes.List {
 				if snifferType.String() == strings.ToUpper(sniffType) {
 					find = true
 					loadSniffer[snifferType] = SNIFF.SnifferConfig{
 						Ports:        ports,
 						OverrideDest: overrideDest,
 					}
 				}
 			}
-			start := uint16(p)
+			if !find {
-			if len(portRaws) > 1 {
+				return nil, fmt.Errorf("not find the sniffer[%s]", sniffType)
-				p, err = strconv.ParseUint(portRaws[1], 10, 16)
+			}
 				if err != nil {
 					return nil, fmt.Errorf("%s format error", portRange)
 		}
 				end := uint16(p)
 				ports = append(ports, *utils.NewRange(start, end))
 	} else {
-				ports = append(ports, *utils.NewRange(start, start))
+		if sniffer.Enable {
 			// Deprecated: Use Sniff instead
 			log.Warnln("Deprecated: Use Sniff instead")
 		}
 		globalPorts, err := parsePortRange(snifferRaw.Ports)
 		if err != nil {
 			return nil, err
 		}
 	}
 	sniffer.Ports = &ports
 	loadSniffer := make(map[snifferTypes.Type]struct{})
 		for _, snifferName := range snifferRaw.Sniffing {
 			find := false
 			for _, snifferType := range snifferTypes.List {
 				if snifferType.String() == strings.ToUpper(snifferName) {
 					find = true
-				loadSniffer[snifferType] = struct{}{}
+					loadSniffer[snifferType] = SNIFF.SnifferConfig{
 						Ports:        globalPorts,
 						OverrideDest: snifferRaw.OverrideDest,
 					}
 				}
 			}
@ -1225,10 +1323,9 @@ func parseSniffer(snifferRaw RawSniffer) (*Sniffer, error) {
 				return nil, fmt.Errorf("not find the sniffer[%s]", snifferName)
 			}
 		}
 	for st := range loadSniffer {
 		sniffer.Sniffers = append(sniffer.Sniffers, st)
 	}
 	sniffer.Sniffers = loadSniffer
 	sniffer.ForceDomain = trie.New[struct{}]()
 	for _, domain := range snifferRaw.ForceDomain {
 		err := sniffer.ForceDomain.Insert(domain, struct{}{})
@ -1249,3 +1346,28 @@ func parseSniffer(snifferRaw RawSniffer) (*Sniffer, error) {
 	return sniffer, nil
 }
 func parsePortRange(portRanges []string) ([]utils.Range[uint16], error) {
 	ports := make([]utils.Range[uint16], 0)
 	for _, portRange := range portRanges {
 		portRaws := strings.Split(portRange, "-")
 		p, err := strconv.ParseUint(portRaws[0], 10, 16)
 		if err != nil {
 			return nil, fmt.Errorf("%s format error", portRange)
 		}
 		start := uint16(p)
 		if len(portRaws) > 1 {
 			p, err = strconv.ParseUint(portRaws[1], 10, 16)
 			if err != nil {
 				return nil, fmt.Errorf("%s format error", portRange)
 			}
 			end := uint16(p)
 			ports = append(ports, *utils.NewRange(start, end))
 		} else {
 			ports = append(ports, *utils.NewRange(start, start))
 		}
 	}
 	return ports, nil
 }
--- a/config/initial.go
+++ b/config/initial.go
@ -3,92 +3,12 @@ package config
 import (
 	"fmt"
 	"github.com/Dreamacro/clash/component/geodata"
 	"github.com/Dreamacro/clash/component/mmdb"
 	"io"
 	"net/http"
 	"os"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/log"
 )
 func downloadMMDB(path string) (err error) {
 	resp, err := http.Get(C.MmdbUrl)
 	if err != nil {
 		return
 	}
 	defer resp.Body.Close()
 	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0o644)
 	if err != nil {
 		return err
 	}
 	defer f.Close()
 	_, err = io.Copy(f, resp.Body)
 	return err
 }
 func downloadGeoIP(path string) (err error) {
 	resp, err := http.Get(C.GeoIpUrl)
 	if err != nil {
 		return
 	}
 	defer resp.Body.Close()
 	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0o644)
 	if err != nil {
 		return err
 	}
 	defer f.Close()
 	_, err = io.Copy(f, resp.Body)
 	return err
 }
 func initGeoIP() error {
 	if C.GeodataMode {
 		if _, err := os.Stat(C.Path.GeoIP()); os.IsNotExist(err) {
 			log.Infoln("Can't find GeoIP.dat, start download")
 			if err := downloadGeoIP(C.Path.GeoIP()); err != nil {
 				return fmt.Errorf("can't download GeoIP.dat: %s", err.Error())
 			}
 			log.Infoln("Download GeoIP.dat finish")
 		}
 		if err := geodata.Verify(C.GeoipName); err != nil {
 			log.Warnln("GeoIP.dat invalid, remove and download: %s", err)
 			if err := os.Remove(C.Path.GeoIP()); err != nil {
 				return fmt.Errorf("can't remove invalid GeoIP.dat: %s", err.Error())
 			}
 			if err := downloadGeoIP(C.Path.GeoIP()); err != nil {
 				return fmt.Errorf("can't download GeoIP.dat: %s", err.Error())
 			}
 		}
 		return nil
 	}
 	if _, err := os.Stat(C.Path.MMDB()); os.IsNotExist(err) {
 		log.Infoln("Can't find MMDB, start download")
 		if err := downloadMMDB(C.Path.MMDB()); err != nil {
 			return fmt.Errorf("can't download MMDB: %s", err.Error())
 		}
 	}
 	if !mmdb.Verify() {
 		log.Warnln("MMDB invalid, remove and download")
 		if err := os.Remove(C.Path.MMDB()); err != nil {
 			return fmt.Errorf("can't remove invalid MMDB: %s", err.Error())
 		}
 		if err := downloadMMDB(C.Path.MMDB()); err != nil {
 			return fmt.Errorf("can't download MMDB: %s", err.Error())
 		}
 	}
 	return nil
 }
 // Init prepare necessary files
 func Init(dir string) error {
 	// initial homedir
@ -122,7 +42,7 @@ func Init(dir string) error {
 	C.GeoSiteUrl = rawCfg.GeoXUrl.GeoSite
 	C.MmdbUrl = rawCfg.GeoXUrl.Mmdb
 	// initial GeoIP
-	if err := initGeoIP(); err != nil {
+	if err := geodata.InitGeoIP(); err != nil {
 		return fmt.Errorf("can't initial GeoIP: %w", err)
 	}
--- a/Show More
+++ b/Show More