[dependencies] Update golangci/golangci-lint-action action to v8

Signed-off-by: yanwo <ogilvy@gmail.com>

.github/workflows/build.yml

@@ -437,24 +437,28 @@ jobs:
             platform: ios
             scheme: SFI
             destination: 'generic/platform=iOS'
+            archive: build/SFI.xcarchive
             upload: SFI/Upload.plist
           - name: macOS
             if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'app-store'|| inputs.build == 'macOS' }}
             platform: macos
             scheme: SFM
             destination: 'generic/platform=macOS'
+            archive: build/SFM.xcarchive
             upload: SFI/Upload.plist
           - name: tvOS
             if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'app-store'|| inputs.build == 'tvOS' }}
             platform: tvos
             scheme: SFT
             destination: 'generic/platform=tvOS'
+            archive: build/SFT.xcarchive
             upload: SFI/Upload.plist
           - name: macOS-standalone
             if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'macOS-standalone' }}
             platform: macos
             scheme: SFM.System
             destination: 'generic/platform=macOS'
+            archive: build/SFM.System.xcarchive
             export: SFM.System/Export.plist
             export_path: build/SFM.System
     steps:
@@ -472,11 +476,11 @@ jobs:
       - name: Setup Xcode stable
         if: matrix.if && github.ref == 'refs/heads/main-next'
         run: |-
-          sudo xcode-select -s /Applications/Xcode_16.2.app
+          sudo xcode-select -s /Applications/Xcode_16.4.app
       - name: Setup Xcode beta
         if: matrix.if && github.ref == 'refs/heads/dev-next'
         run: |-
-          sudo xcode-select -s /Applications/Xcode_16.2.app
+          sudo xcode-select -s /Applications/Xcode_16.4.app
       - name: Set tag
         if: matrix.if
         run: |-
@@ -539,12 +543,6 @@ jobs:
           export PATH="$PATH:$(go env GOPATH)/bin"
           go run ./cmd/internal/build_libbox -target apple -platform ${{ matrix.platform }}
           mv Libbox.xcframework clients/apple
-      - name: Build library with tailscale
-        if: matrix.if && (matrix.name == 'iOS' || matrix.name == 'tvOS')
-        run: |-
-          export PATH="$PATH:$(go env GOPATH)/bin"
-          go run ./cmd/internal/build_libbox -target apple -platform ${{ matrix.platform }} -tailscale
-          mv Libbox.xcframework clients/apple/Libbox.WithTailscale.xcframework
       - name: Update macOS version
         if: matrix.if && matrix.name == 'macOS' && github.event_name == 'workflow_dispatch'
         run: |-
@@ -563,71 +561,18 @@ jobs:
             -scheme "${{ matrix.scheme }}" \
             -configuration Release \
             -destination "${{ matrix.destination }}" \
-            -archivePath "build/${{ matrix.scheme }}.xcarchive" \
+            -archivePath "${{ matrix.archive }}" \
             -allowProvisioningUpdates \
             -authenticationKeyPath $ASC_KEY_PATH \
             -authenticationKeyID $ASC_KEY_ID \
             -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
-      - name: Build with Tailscale
-        if: matrix.if && (matrix.name == 'iOS' || matrix.name == 'tvOS')
-        run: |-
-          cd clients/apple
-          mv Libbox.xcframework Libbox.WithoutTailscale.xcframework
-          mv Libbox.WithTailscale.xcframework Libbox.xcframework
-          xcodebuild archive \
-            -scheme "${{ matrix.scheme }}" \
-            -configuration Release \
-            -destination "${{ matrix.destination }}" \
-            -archivePath "build/${{ matrix.scheme }}.WithTailscale.xcarchive" \
-            -allowProvisioningUpdates \
-            -authenticationKeyPath $ASC_KEY_PATH \
-            -authenticationKeyID $ASC_KEY_ID \
-            -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
-      - name: Export IPA
-        if: matrix.if && (matrix.name == 'iOS' || matrix.name == 'tvOS') && github.event_name == 'workflow_dispatch'
-        run: |-
-          pushd clients/apple
-          xcodebuild -exportArchive \
-            -archivePath "build/${{ matrix.scheme }}.xcarchive" \
-            -exportOptionsPlist SFI/Export.plist \
-            -exportPath "build/${{ matrix.scheme }}" \
-            -allowProvisioningUpdates \
-            -authenticationKeyPath $ASC_KEY_PATH \
-            -authenticationKeyID $ASC_KEY_ID \
-            -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
-          cp build/${{ matrix.scheme }}/sing-box.ipa .
-          popd
-          mkdir -p dist
-          cp clients/apple/sing-box.ipa "dist/${{ matrix.scheme }}-${{ needs.calculate_version.outputs.version }}.ipa"
-      - name: Export IPA with Tailscale
-        if: matrix.if && (matrix.name == 'iOS' || matrix.name == 'tvOS') && github.event_name == 'workflow_dispatch'
-        run: |-
-          pushd clients/apple
-          xcodebuild -exportArchive \
-            -archivePath "build/${{ matrix.scheme }}.WithTailscale.xcarchive" \
-            -exportOptionsPlist SFI/Export.plist \
-            -exportPath "build/${{ matrix.scheme }}.WithTailscale" \
-            -allowProvisioningUpdates \
-            -authenticationKeyPath $ASC_KEY_PATH \
-            -authenticationKeyID $ASC_KEY_ID \
-            -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
-          cp build/${{ matrix.scheme }}.WithTailscale/sing-box.ipa .
-          popd
-          mkdir -p dist
-          cp clients/apple/sing-box.ipa "dist/${{ matrix.scheme }}-${{ needs.calculate_version.outputs.version }}-WithTailscale.ipa"
-      - name: Upload IPA
-        if: matrix.if && (matrix.name == 'iOS' || matrix.name == 'tvOS') && github.event_name == 'workflow_dispatch'
-        uses: actions/upload-artifact@v4
-        with:
-          name: binary-${{ matrix.name }}-ipa
-          path: 'dist'
       - name: Upload to App Store Connect
         if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch'
         run: |-
           go run -v ./cmd/internal/app_store_connect cancel_app_store ${{ matrix.platform }}
           cd clients/apple
           xcodebuild -exportArchive \
-            -archivePath "build/${{ matrix.scheme }}.xcarchive" \
+            -archivePath "${{ matrix.archive }}" \
             -exportOptionsPlist ${{ matrix.upload }} \
             -allowProvisioningUpdates \
             -authenticationKeyPath $ASC_KEY_PATH \
@@ -642,7 +587,7 @@ jobs:
         run: |-
           pushd clients/apple
           xcodebuild -exportArchive \
-            -archivePath "build/${{ matrix.scheme }}.xcarchive" \
+          	-archivePath "${{ matrix.archive }}" \
           	-exportOptionsPlist ${{ matrix.export }} \
           	-exportPath "${{ matrix.export_path }}"
           brew install create-dmg
@@ -655,13 +600,13 @@ jobs:
           		--skip-jenkins \
           	SFM.dmg "${{ matrix.export_path }}/SFM.app"
           xcrun notarytool submit "SFM.dmg" --wait --keychain-profile "notarytool-password"          
-          cd "build/${{ matrix.scheme }}.xcarchive"
+          cd "${{ matrix.archive }}"
           zip -r SFM.dSYMs.zip dSYMs
           popd
 
           mkdir -p dist
           cp clients/apple/SFM.dmg "dist/SFM-${VERSION}-universal.dmg"
-          cp "clients/apple/build/${{ matrix.scheme }}.xcarchive/SFM.dSYMs.zip" "dist/SFM-${VERSION}-universal.dSYMs.zip"
+          cp "clients/apple/${{ matrix.archive }}/SFM.dSYMs.zip" "dist/SFM-${VERSION}-universal.dSYMs.zip"
       - name: Upload image
         if: matrix.if && matrix.name == 'macOS-standalone' && github.event_name == 'workflow_dispatch'
         uses: actions/upload-artifact@v4
@@ -670,7 +615,7 @@ jobs:
           path: 'dist'
   upload:
     name: Upload builds
-    if: always() && github.event_name == 'workflow_dispatch' && (inputs.build == 'All' || inputs.build == 'Binary' || inputs.build == 'Android' || inputs.build == 'Apple' || inputs.build == 'macOS-standalone')
+    if: "!failure() && github.event_name == 'workflow_dispatch' && (inputs.build == 'All' || inputs.build == 'Binary' || inputs.build == 'Android' || inputs.build == 'Apple' || inputs.build == 'macOS-standalone')"
     runs-on: ubuntu-latest
     needs:
       - calculate_version

cmd/internal/build_libbox/main.go

@@ -26,7 +26,7 @@ func init() {
 	flag.BoolVar(&debugEnabled, "debug", false, "enable debug")
 	flag.StringVar(&target, "target", "android", "target platform")
 	flag.StringVar(&platform, "platform", "", "specify platform")
-	flag.BoolVar(&withTailscale, "tailscale", false, "build tailscale for iOS and tvOS")
+	flag.BoolVar(&withTailscale, "with-tailscale", false, "build tailscale for iOS and tvOS")
 }
 
 func main() {
@@ -154,7 +154,7 @@ func buildApple() {
 		"-target", bindTarget,
 		"-libname=box",
 	}
-	if withTailscale {
+	if !withTailscale {
 		args = append(args, "-tags-macos="+strings.Join(memcTags, ","))
 	}
 

common/tls/acme.go

@@ -5,13 +5,13 @@ package tls
 import (
 	"context"
 	"crypto/tls"
-	"os"
 	"strings"
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
 
 	"github.com/caddyserver/certmagic"
 	"github.com/libdns/alidns"
@@ -37,7 +37,38 @@ func (w *acmeWrapper) Close() error {
 	return nil
 }
 
-func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Config, adapter.SimpleLifecycle, error) {
+type acmeLogWriter struct {
+	logger logger.Logger
+}
+
+func (w *acmeLogWriter) Write(p []byte) (n int, err error) {
+	logLine := strings.ReplaceAll(string(p), "	", ": ")
+	switch {
+	case strings.HasPrefix(logLine, "error: "):
+		w.logger.Error(logLine[7:])
+	case strings.HasPrefix(logLine, "warn: "):
+		w.logger.Warn(logLine[6:])
+	case strings.HasPrefix(logLine, "info: "):
+		w.logger.Info(logLine[6:])
+	case strings.HasPrefix(logLine, "debug: "):
+		w.logger.Debug(logLine[7:])
+	default:
+		w.logger.Debug(logLine)
+	}
+	return len(p), nil
+}
+
+func (w *acmeLogWriter) Sync() error {
+	return nil
+}
+
+func encoderConfig() zapcore.EncoderConfig {
+	config := zap.NewProductionEncoderConfig()
+	config.TimeKey = zapcore.OmitKey
+	return config
+}
+
+func startACME(ctx context.Context, logger logger.Logger, options option.InboundACMEOptions) (*tls.Config, adapter.SimpleLifecycle, error) {
 	var acmeServer string
 	switch options.Provider {
 	case "", "letsencrypt":
@@ -58,14 +89,15 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 	} else {
 		storage = certmagic.Default.Storage
 	}
+	zapLogger := zap.New(zapcore.NewCore(
+		zapcore.NewConsoleEncoder(encoderConfig()),
+		&acmeLogWriter{logger: logger},
+		zap.DebugLevel,
+	))
 	config := &certmagic.Config{
 		DefaultServerName: options.DefaultServerName,
 		Storage:           storage,
-		Logger: zap.New(zapcore.NewCore(
+		Logger:            zapLogger,
-			zapcore.NewConsoleEncoder(zap.NewProductionEncoderConfig()),
-			os.Stderr,
-			zap.InfoLevel,
-		)),
 	}
 	acmeConfig := certmagic.ACMEIssuer{
 		CA:                      acmeServer,
@@ -75,7 +107,7 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 		DisableTLSALPNChallenge: options.DisableTLSALPNChallenge,
 		AltHTTPPort:             int(options.AlternativeHTTPPort),
 		AltTLSALPNPort:          int(options.AlternativeTLSPort),
-		Logger:                  config.Logger,
+		Logger:                  zapLogger,
 	}
 	if dnsOptions := options.DNS01Challenge; dnsOptions != nil && dnsOptions.Provider != "" {
 		var solver certmagic.DNS01Solver
@@ -103,6 +135,7 @@ func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Con
 		GetConfigForCert: func(certificate certmagic.Certificate) (*certmagic.Config, error) {
 			return config, nil
 		},
+		Logger: zapLogger,
 	})
 	config = certmagic.New(cache, *config)
 	var tlsConfig *tls.Config

common/tls/acme_stub.go

@@ -9,8 +9,9 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
 )
 
-func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Config, adapter.SimpleLifecycle, error) {
+func startACME(ctx context.Context, logger logger.Logger, options option.InboundACMEOptions) (*tls.Config, adapter.SimpleLifecycle, error) {
 	return nil, nil, E.New(`ACME is not included in this build, rebuild with -tags with_acme`)
 }

common/tls/std_server.go

@@ -169,7 +169,7 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 	var err error
 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
 		//nolint:staticcheck
-		tlsConfig, acmeService, err = startACME(ctx, common.PtrValueOrDefault(options.ACME))
+		tlsConfig, acmeService, err = startACME(ctx, logger, common.PtrValueOrDefault(options.ACME))
 		if err != nil {
 			return nil, err
 		}

dns/transport/https.go

@@ -122,6 +122,7 @@ func NewHTTPSRaw(
 	var transport *http.Transport
 	if tlsConfig != nil {
 		transport = &http.Transport{
+			IdleConnTimeout:   C.TCPKeepAliveInitial,
 			ForceAttemptHTTP2: true,
 			DialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
 				tcpConn, hErr := dialer.DialContext(ctx, network, serverAddr)
@@ -138,6 +139,7 @@ func NewHTTPSRaw(
 		}
 	} else {
 		transport = &http.Transport{
+			IdleConnTimeout: C.TCPKeepAliveInitial,
 			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
 				return dialer.DialContext(ctx, network, serverAddr)
 			},

dns/transport/local/resolv_darwin_cgo.go

@@ -20,7 +20,8 @@ import (
 )
 
 func dnsReadConfig(_ context.Context, _ string) *dnsConfig {
-	if C.res_init() != 0 {
+	var state C.res_state
+	if C.res_ninit(state) != 0 {
 		return &dnsConfig{
 			servers:  defaultNS,
 			search:   dnsDefaultSearch(),
@@ -33,10 +34,10 @@ func dnsReadConfig(_ context.Context, _ string) *dnsConfig {
 	conf := &dnsConfig{
 		ndots:    1,
 		timeout:  5 * time.Second,
-		attempts: int(C._res.retry),
+		attempts: int(state.retry),
 	}
-	for i := 0; i < int(C._res.nscount); i++ {
+	for i := 0; i < int(state.nscount); i++ {
-		ns := C._res.nsaddr_list[i]
+		ns := state.nsaddr_list[i]
 		addr := C.inet_ntoa(ns.sin_addr)
 		if addr == nil {
 			continue
@@ -44,7 +45,7 @@ func dnsReadConfig(_ context.Context, _ string) *dnsConfig {
 		conf.servers = append(conf.servers, C.GoString(addr))
 	}
 	for i := 0; ; i++ {
-		search := C._res.dnsrch[i]
+		search := state.dnsrch[i]
 		if search == nil {
 			break
 		}

docs/changelog.md

@@ -2,7 +2,7 @@
 icon: material/alert-decagram
 ---
 
-#### 1.12.0-beta.28
+#### 1.12.0-beta.29
 
 * Fixes and improvements
 

docs/clients/apple/index.md

@@ -19,21 +19,13 @@ platform-specific function implementation, such as TUN transparent proxy impleme
 ## :material-download: Download
 
 * [App Store](https://apps.apple.com/app/sing-box-vt/id6673731168)
-* TestFlight (Beta) **1**
+* TestFlight (Beta)
-* [GitHub Releases](https://github.com/SagerNet/sing-box/releases) **2**
-
-**1**:
 
 TestFlight quota is only available to [sponsors](https://github.com/sponsors/nekohasekai)
 (one-time sponsorships are accepted).
 Once you donate, you can get an invitation by join our Telegram group for sponsors from [@yet_another_sponsor_bot](https://t.me/yet_another_sponsor_bot)
 or sending us your Apple ID [via email](mailto:contact@sagernet.org).
 
-**2**:
-
-You can now download compiled IPAs for iOS and tvOS directly from GitHub releases, 
-but you need to purchase the **Apple Developer Program** to install them through AltStore or SideStore.
-
 ## :material-file-download: Download (macOS standalone version)
 
 * [Homebrew Cask](https://formulae.brew.sh/cask/sfm)

docs/configuration/endpoint/index.zh.md

@@ -25,7 +25,7 @@ icon: material/new-box
 
 | 类型          | 格式                        |
 |-------------|---------------------------|
-| `wireguard` | [WireGuard](./wiregaurd/) |
+| `wireguard` | [WireGuard](./wireguard/) |
 | `tailscale` | [Tailscale](./tailscale/) |
 
 #### tag

docs/configuration/experimental/clash-api.md

@@ -59,7 +59,7 @@
     {
       "external_controller": "0.0.0.0:9090",
       "external_ui": "dashboard"
-      // external_ui_download_detour: "direct"
+      // "external_ui_download_detour": "direct"
     }
     ```
 

docs/configuration/experimental/clash-api.zh.md

@@ -59,7 +59,7 @@
     {
       "external_controller": "0.0.0.0:9090",
       "external_ui": "dashboard"
-      // external_ui_download_detour: "direct"
+      // "external_ui_download_detour": "direct"
     }
     ```
 

docs/manual/proxy/client.md

@@ -94,18 +94,13 @@ flowchart TB
         "servers": [
           {
             "tag": "google",
-            "address": "tls://8.8.8.8"
+            "type": "tls",
+            "server": "8.8.8.8"
           },
           {
             "tag": "local",
-            "address": "223.5.5.5",
+            "type": "udp",
-            "detour": "direct"
+            "server": "223.5.5.5"
-          }
-        ],
-        "rules": [
-          {
-            "outbound": "any",
-            "server": "local"
           }
         ],
         "strategy": "ipv4_only"
@@ -115,7 +110,8 @@ flowchart TB
           "type": "tun",
           "inet4_address": "172.19.0.1/30",
           "auto_route": true,
-          "strict_route": false
+          // "auto_redirect": true, // On linux
+          "strict_route": true
         }
       ],
       "outbounds": [
@@ -123,25 +119,23 @@ flowchart TB
         {
           "type": "direct",
           "tag": "direct"
-        },
-        {
-          "type": "dns",
-          "tag": "dns-out"
         }
       ],
       "route": {
         "rules": [
           {
-            "protocol": "dns",
+            "action": "sniff"
-            "outbound": "dns-out"
           },
           {
-            "geoip": [
+            "protocol": "dns",
-              "private"
+            "action": "hijack-dns"
-            ],
+          },
+          {
+            "ip_is_private": true,
             "outbound": "direct"
           }
         ],
+        "default_domain_resolver": "local",
         "auto_detect_interface": true
       }
     }
@@ -155,18 +149,13 @@ flowchart TB
         "servers": [
           {
             "tag": "google",
-            "address": "tls://8.8.8.8"
+            "type": "tls",
+            "server": "8.8.8.8"
           },
           {
             "tag": "local",
-            "address": "223.5.5.5",
+            "type": "udp",
-            "detour": "direct"
+            "server": "223.5.5.5"
-          }
-        ],
-        "rules": [
-          {
-            "outbound": "any",
-            "server": "local"
           }
         ]
       },
@@ -176,7 +165,8 @@ flowchart TB
           "inet4_address": "172.19.0.1/30",
           "inet6_address": "fdfe:dcba:9876::1/126",
           "auto_route": true,
-          "strict_route": false
+          // "auto_redirect": true, // On linux
+          "strict_route": true
         }
       ],
       "outbounds": [
@@ -184,25 +174,23 @@ flowchart TB
         {
           "type": "direct",
           "tag": "direct"
-        },
-        {
-          "type": "dns",
-          "tag": "dns-out"
         }
       ],
       "route": {
         "rules": [
           {
-            "protocol": "dns",
+            "action": "sniff"
-            "outbound": "dns-out"
           },
           {
-            "geoip": [
+            "protocol": "dns",
-              "private"
+            "action": "hijack-dns"
-            ],
+          },
+          {
+            "ip_is_private": true,
             "outbound": "direct"
           }
         ],
+        "default_domain_resolver": "local",
         "auto_detect_interface": true
       }
     }
@@ -216,23 +204,22 @@ flowchart TB
         "servers": [
           {
             "tag": "google",
-            "address": "tls://8.8.8.8"
+            "type": "tls",
+            "server": "8.8.8.8"
           },
           {
             "tag": "local",
-            "address": "223.5.5.5",
+            "type": "udp",
-            "detour": "direct"
+            "server": "223.5.5.5"
           },
           {
             "tag": "remote",
-            "address": "fakeip"
+            "type": "fakeip",
+            "inet4_range": "198.18.0.0/15",
+            "inet6_range": "fc00::/18"
           }
         ],
         "rules": [
-          {
-            "outbound": "any",
-            "server": "local"
-          },
           {
             "query_type": [
               "A",
@@ -241,11 +228,6 @@ flowchart TB
             "server": "remote"
           }
         ],
-        "fakeip": {
-          "enabled": true,
-          "inet4_range": "198.18.0.0/15",
-          "inet6_range": "fc00::/18"
-        },
         "independent_cache": true
       },
       "inbounds": [
@@ -254,6 +236,7 @@ flowchart TB
           "inet4_address": "172.19.0.1/30",
           "inet6_address": "fdfe:dcba:9876::1/126",
           "auto_route": true,
+          // "auto_redirect": true, // On linux
           "strict_route": true
         }
       ],
@@ -262,25 +245,23 @@ flowchart TB
         {
           "type": "direct",
           "tag": "direct"
-        },
-        {
-          "type": "dns",
-          "tag": "dns-out"
         }
       ],
       "route": {
         "rules": [
           {
-            "protocol": "dns",
+            "action": "sniff"
-            "outbound": "dns-out"
           },
           {
-            "geoip": [
+            "protocol": "dns",
-              "private"
+            "action": "hijack-dns"
-            ],
+          },
+          {
+            "ip_is_private": true,
             "outbound": "direct"
           }
         ],
+        "default_domain_resolver": "local",
         "auto_detect_interface": true
       }
     }
@@ -290,54 +271,6 @@ flowchart TB
 
 === ":material-dns: DNS rules"
 
-    ```json
-    {
-      "dns": {
-        "servers": [
-          {
-            "tag": "google",
-            "address": "tls://8.8.8.8"
-          },
-          {
-            "tag": "local",
-            "address": "223.5.5.5",
-            "detour": "direct"
-          }
-        ],
-        "rules": [
-          {
-            "outbound": "any",
-            "server": "local"
-          },
-          {
-            "clash_mode": "Direct",
-            "server": "local"
-          },
-          {
-            "clash_mode": "Global",
-            "server": "google"
-          },
-          {
-            "rule_set": "geosite-geolocation-cn",
-            "server": "local"
-          }
-        ]
-      },
-      "route": {
-        "rule_set": [
-          {
-            "type": "remote",
-            "tag": "geosite-geolocation-cn",
-            "format": "binary",
-            "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-cn.srs"
-          }
-        ]
-      }
-    }
-    ```
-
-=== ":material-dns: DNS rules (Enhanced, but slower) (1.9.0+)"
-
     === ":material-shield-off: With DNS leaks"
 
         ```json
@@ -346,35 +279,20 @@ flowchart TB
             "servers": [
               {
                 "tag": "google",
-                "address": "tls://8.8.8.8"
+                "type": "tls",
+                "server": "8.8.8.8"
               },
               {
                 "tag": "local",
-                "address": "https://223.5.5.5/dns-query",
+                "type": "https",
-                "detour": "direct"
+                "server": "223.5.5.5"
               }
             ],
             "rules": [
-              {
-                "outbound": "any",
-                "server": "local"
-              },
-              {
-                "clash_mode": "Direct",
-                "server": "local"
-              },
-              {
-                "clash_mode": "Global",
-                "server": "google"
-              },
               {
                 "rule_set": "geosite-geolocation-cn",
                 "server": "local"
               },
-              {
-                "clash_mode": "Default",
-                "server": "google"
-              },
               {
                 "type": "logical",
                 "mode": "and",
@@ -392,6 +310,7 @@ flowchart TB
             ]
           },
           "route": {
+            "default_domain_resolver": "local",
             "rule_set": [
               {
                 "type": "remote",
@@ -425,35 +344,24 @@ flowchart TB
         }
         ```
 
-    === ":material-security: Without DNS leaks, but slower (1.9.0-alpha.2+)"
+    === ":material-security: Without DNS leaks, but slower"
-
+    
         ```json
         {
           "dns": {
             "servers": [
               {
                 "tag": "google",
-                "address": "tls://8.8.8.8"
+                "type": "tls",
+                "server": "8.8.8.8"
               },
               {
                 "tag": "local",
-                "address": "https://223.5.5.5/dns-query",
+                "type": "https",
-                "detour": "direct"
+                "server": "223.5.5.5"
               }
             ],
             "rules": [
-              {
-                "outbound": "any",
-                "server": "local"
-              },
-              {
-                "clash_mode": "Direct",
-                "server": "local"
-              },
-              {
-                "clash_mode": "Global",
-                "server": "google"
-              },
               {
                 "rule_set": "geosite-geolocation-cn",
                 "server": "local"
@@ -476,6 +384,7 @@ flowchart TB
             ]
           },
           "route": {
+            "default_domain_resolver": "local",
             "rule_set": [
               {
                 "type": "remote",
@@ -517,14 +426,13 @@ flowchart TB
         {
           "type": "direct",
           "tag": "direct"
-        },
-        {
-          "type": "block",
-          "tag": "block"
         }
       ],
       "route": {
         "rules": [
+          {
+            "action": "sniff"
+          },
           {
             "type": "logical",
             "mode": "or",
@@ -536,20 +444,12 @@ flowchart TB
                 "port": 53
               }
             ],
-            "outbound": "dns"
+            "action": "hijack-dns"
           },
           {
             "ip_is_private": true,
             "outbound": "direct"
           },
-          {
-            "clash_mode": "Direct",
-            "outbound": "direct"
-          },
-          {
-            "clash_mode": "Global",
-            "outbound": "default"
-          },
           {
             "type": "logical",
             "mode": "or",
@@ -565,12 +465,23 @@ flowchart TB
                 "protocol": "stun"
               }
             ],
-            "outbound": "block"
+            "action": "reject"
           },
           {
-            "rule_set": [
+            "rule_set": "geosite-geolocation-cn",
-              "geoip-cn",
+            "outbound": "direct"
-              "geosite-geolocation-cn"
+          },
+          {
+            "type": "logical",
+            "mode": "and",
+            "rules": [
+              {
+                "rule_set": "geoip-cn"
+              },
+              {
+                "rule_set": "geosite-geolocation-!cn",
+                "invert": true
+              }
             ],
             "outbound": "direct"
           }
@@ -591,4 +502,4 @@ flowchart TB
         ]
       }
     }
-    ```
+    ```

protocol/vless/inbound.go

@@ -205,6 +205,10 @@ func (h *inboundTransportHandler) NewConnectionEx(ctx context.Context, conn net.
 	var metadata adapter.InboundContext
 	metadata.Source = source
 	metadata.Destination = destination
+	//nolint:staticcheck
+	metadata.InboundDetour = h.listener.ListenOptions().Detour
+	//nolint:staticcheck
+	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	h.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
 	(*Inbound)(h).NewConnectionEx(ctx, conn, metadata, onClose)
 }

protocol/vmess/inbound.go

@@ -219,6 +219,10 @@ func (h *inboundTransportHandler) NewConnectionEx(ctx context.Context, conn net.
 	var metadata adapter.InboundContext
 	metadata.Source = source
 	metadata.Destination = destination
+	//nolint:staticcheck
+	metadata.InboundDetour = h.listener.ListenOptions().Detour
+	//nolint:staticcheck
+	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	h.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
 	(*Inbound)(h).NewConnectionEx(ctx, conn, metadata, onClose)
 }