documentation: Bump version

Fix hijack-dns
refactor: Extract clash/v2ray/time service form router
2025-09-06 01:08:49 +08:00 · 2024-11-10 17:33:00 +08:00 · 2024-11-10 17:33:00 +08:00 · 2024-11-10 17:33:00 +08:00 · 2024-11-10 17:33:00 +08:00 · 2024-11-10 12:12:08 +08:00
311 changed files with 9968 additions and 6706 deletions
--- a/adapter/conn_router.go
+++ b/adapter/conn_router.go
@ -1,104 +0,0 @@
-package adapter
-
-import (
-	"context"
-	"net"
-
-	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-type ConnectionRouter interface {
-	RouteConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
-	RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
-}
-
-func NewRouteHandler(
-	metadata InboundContext,
-	router ConnectionRouter,
-	logger logger.ContextLogger,
-) UpstreamHandlerAdapter {
-	return &routeHandlerWrapper{
-		metadata: metadata,
-		router:   router,
-		logger:   logger,
-	}
-}
-
-func NewRouteContextHandler(
-	router ConnectionRouter,
-	logger logger.ContextLogger,
-) UpstreamHandlerAdapter {
-	return &routeContextHandlerWrapper{
-		router: router,
-		logger: logger,
-	}
-}
-
-var _ UpstreamHandlerAdapter = (*routeHandlerWrapper)(nil)
-
-type routeHandlerWrapper struct {
-	metadata InboundContext
-	router   ConnectionRouter
-	logger   logger.ContextLogger
-}
-
-func (w *routeHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
-	myMetadata := w.metadata
-	if metadata.Source.IsValid() {
-		myMetadata.Source = metadata.Source
-	}
-	if metadata.Destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
-	}
-	return w.router.RouteConnection(ctx, conn, myMetadata)
-}
-
-func (w *routeHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
-	myMetadata := w.metadata
-	if metadata.Source.IsValid() {
-		myMetadata.Source = metadata.Source
-	}
-	if metadata.Destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
-	}
-	return w.router.RoutePacketConnection(ctx, conn, myMetadata)
-}
-
-func (w *routeHandlerWrapper) NewError(ctx context.Context, err error) {
-	w.logger.ErrorContext(ctx, err)
-}
-
-var _ UpstreamHandlerAdapter = (*routeContextHandlerWrapper)(nil)
-
-type routeContextHandlerWrapper struct {
-	router ConnectionRouter
-	logger logger.ContextLogger
-}
-
-func (w *routeContextHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
-	myMetadata := ContextFrom(ctx)
-	if metadata.Source.IsValid() {
-		myMetadata.Source = metadata.Source
-	}
-	if metadata.Destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
-	}
-	return w.router.RouteConnection(ctx, conn, *myMetadata)
-}
-
-func (w *routeContextHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
-	myMetadata := ContextFrom(ctx)
-	if metadata.Source.IsValid() {
-		myMetadata.Source = metadata.Source
-	}
-	if metadata.Destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
-	}
-	return w.router.RoutePacketConnection(ctx, conn, *myMetadata)
-}
-
-func (w *routeContextHandlerWrapper) NewError(ctx context.Context, err error) {
-	w.logger.ErrorContext(ctx, err)
-}
--- a/adapter/experimental.go
+++ b/adapter/experimental.go
@ -4,28 +4,28 @@ import (
 	"bytes"
 	"context"
 	"encoding/binary"
-	"net"
 	"time"

 	"github.com/sagernet/sing-box/common/urltest"
 	"github.com/sagernet/sing-dns"
-	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/varbin"
 )

 type ClashServer interface {
-	Service
-	PreStarter
+	LifecycleService
+	ConnectionTracker
 	Mode() string
 	ModeList() []string
 	HistoryStorage() *urltest.HistoryStorage
-	RoutedConnection(ctx context.Context, conn net.Conn, metadata InboundContext, matchedRule Rule) (net.Conn, Tracker)
-	RoutedPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext, matchedRule Rule) (N.PacketConn, Tracker)
+}
+
+type V2RayServer interface {
+	LifecycleService
+	StatsService() ConnectionTracker
 }

 type CacheFile interface {
-	Service
-	PreStarter
+	LifecycleService

 	StoreFakeIP() bool
 	FakeIPStorage
@ -94,10 +94,6 @@ func (s *SavedRuleSet) UnmarshalBinary(data []byte) error {
 	return nil
 }

-type Tracker interface {
-	Leave()
-}
-
 type OutboundGroup interface {
 	Outbound
 	Now() string
@ -115,13 +111,3 @@ func OutboundTag(detour Outbound) string {
 	}
 	return detour.Tag()
 }
-
-type V2RayServer interface {
-	Service
-	StatsService() V2RayStatsService
-}
-
-type V2RayStatsService interface {
-	RoutedConnection(inbound string, outbound string, user string, conn net.Conn) net.Conn
-	RoutedPacketConnection(inbound string, outbound string, user string, conn N.PacketConn) N.PacketConn
-}
--- a/adapter/handler.go
+++ b/adapter/handler.go
@ -6,27 +6,53 @@ import (

 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )

+// Deprecated
 type ConnectionHandler interface {
 	NewConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
 }

+type ConnectionHandlerEx interface {
+	NewConnectionEx(ctx context.Context, conn net.Conn, metadata InboundContext, onClose N.CloseHandlerFunc)
+}
+
+// Deprecated: use PacketHandlerEx instead
 type PacketHandler interface {
 	NewPacket(ctx context.Context, conn N.PacketConn, buffer *buf.Buffer, metadata InboundContext) error
 }

+type PacketHandlerEx interface {
+	NewPacketEx(buffer *buf.Buffer, source M.Socksaddr)
+}
+
+// Deprecated: use OOBPacketHandlerEx instead
 type OOBPacketHandler interface {
 	NewPacket(ctx context.Context, conn N.PacketConn, buffer *buf.Buffer, oob []byte, metadata InboundContext) error
 }

+type OOBPacketHandlerEx interface {
+	NewPacketEx(buffer *buf.Buffer, oob []byte, source M.Socksaddr)
+}
+
+// Deprecated
 type PacketConnectionHandler interface {
 	NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
 }

+type PacketConnectionHandlerEx interface {
+	NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, metadata InboundContext, onClose N.CloseHandlerFunc)
+}
+
 type UpstreamHandlerAdapter interface {
 	N.TCPConnectionHandler
 	N.UDPConnectionHandler
 	E.Handler
 }
+
+type UpstreamHandlerAdapterEx interface {
+	N.TCPConnectionHandlerEx
+	N.UDPConnectionHandlerEx
+}
--- a/adapter/inbound.go
+++ b/adapter/inbound.go
@ -2,13 +2,12 @@ package adapter

 import (
 	"context"
-	"net"
 	"net/netip"

 	"github.com/sagernet/sing-box/common/process"
+	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
 )

 type Inbound interface {
@ -17,11 +16,27 @@ type Inbound interface {
 	Tag() string
 }

-type InjectableInbound interface {
+type TCPInjectableInbound interface {
 	Inbound
-	Network() []string
-	NewConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
-	NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
+	ConnectionHandlerEx
+}
+
+type UDPInjectableInbound interface {
+	Inbound
+	PacketConnectionHandlerEx
+}
+
+type InboundRegistry interface {
+	option.InboundOptionsRegistry
+	Create(ctx context.Context, router Router, logger log.ContextLogger, tag string, inboundType string, options any) (Inbound, error)
+}
+
+type InboundManager interface {
+	Lifecycle
+	Inbounds() []Inbound
+	Get(tag string) (Inbound, bool)
+	Remove(tag string) error
+	Create(ctx context.Context, router Router, logger log.ContextLogger, tag string, inboundType string, options any) error
 }

 type InboundContext struct {
@ -43,10 +58,17 @@ type InboundContext struct {

 	// cache

-	InboundDetour        string
-	LastInbound          string
-	OriginDestination    M.Socksaddr
-	InboundOptions       option.InboundOptions
+	// Deprecated: implement in rule action
+	InboundDetour     string
+	LastInbound       string
+	OriginDestination M.Socksaddr
+	// Deprecated
+	InboundOptions            option.InboundOptions
+	UDPDisableDomainUnmapping bool
+	UDPConnect                bool
+
+	DNSServer string
+
 	DestinationAddresses []netip.Addr
 	SourceGeoIPCode      string
 	GeoIPCode            string
--- a/adapter/inbound/adapter.go
+++ b/adapter/inbound/adapter.go
@ -0,0 +1,21 @@
+package inbound
+
+type Adapter struct {
+	inboundType string
+	inboundTag  string
+}
+
+func NewAdapter(inboundType string, inboundTag string) Adapter {
+	return Adapter{
+		inboundType: inboundType,
+		inboundTag:  inboundTag,
+	}
+}
+
+func (a *Adapter) Type() string {
+	return a.inboundType
+}
+
+func (a *Adapter) Tag() string {
+	return a.inboundTag
+}
--- a/adapter/inbound/manager.go
+++ b/adapter/inbound/manager.go
@ -0,0 +1,143 @@
+package inbound
+
+import (
+	"context"
+	"os"
+	"sync"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/taskmonitor"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+var _ adapter.InboundManager = (*Manager)(nil)
+
+type Manager struct {
+	logger       log.ContextLogger
+	registry     adapter.InboundRegistry
+	access       sync.Mutex
+	started      bool
+	stage        adapter.StartStage
+	inbounds     []adapter.Inbound
+	inboundByTag map[string]adapter.Inbound
+}
+
+func NewManager(logger log.ContextLogger, registry adapter.InboundRegistry) *Manager {
+	return &Manager{
+		logger:       logger,
+		registry:     registry,
+		inboundByTag: make(map[string]adapter.Inbound),
+	}
+}
+
+func (m *Manager) Start(stage adapter.StartStage) error {
+	m.access.Lock()
+	defer m.access.Unlock()
+	if m.started && m.stage >= stage {
+		panic("already started")
+	}
+	m.started = true
+	m.stage = stage
+	for _, inbound := range m.inbounds {
+		err := adapter.LegacyStart(inbound, stage)
+		if err != nil {
+			return E.Cause(err, stage.Action(), " inbound/", inbound.Type(), "[", inbound.Tag(), "]")
+		}
+	}
+	return nil
+}
+
+func (m *Manager) Close() error {
+	m.access.Lock()
+	defer m.access.Unlock()
+	if !m.started {
+		return nil
+	}
+	m.started = false
+	inbounds := m.inbounds
+	m.inbounds = nil
+	monitor := taskmonitor.New(m.logger, C.StopTimeout)
+	var err error
+	for _, inbound := range inbounds {
+		monitor.Start("close inbound/", inbound.Type(), "[", inbound.Tag(), "]")
+		err = E.Append(err, inbound.Close(), func(err error) error {
+			return E.Cause(err, "close inbound/", inbound.Type(), "[", inbound.Tag(), "]")
+		})
+		monitor.Finish()
+	}
+	return nil
+}
+
+func (m *Manager) Inbounds() []adapter.Inbound {
+	m.access.Lock()
+	defer m.access.Unlock()
+	return m.inbounds
+}
+
+func (m *Manager) Get(tag string) (adapter.Inbound, bool) {
+	m.access.Lock()
+	defer m.access.Unlock()
+	inbound, found := m.inboundByTag[tag]
+	return inbound, found
+}
+
+func (m *Manager) Remove(tag string) error {
+	m.access.Lock()
+	inbound, found := m.inboundByTag[tag]
+	if !found {
+		m.access.Unlock()
+		return os.ErrInvalid
+	}
+	delete(m.inboundByTag, tag)
+	index := common.Index(m.inbounds, func(it adapter.Inbound) bool {
+		return it == inbound
+	})
+	if index == -1 {
+		panic("invalid inbound index")
+	}
+	m.inbounds = append(m.inbounds[:index], m.inbounds[index+1:]...)
+	started := m.started
+	m.access.Unlock()
+	if started {
+		return inbound.Close()
+	}
+	return nil
+}
+
+func (m *Manager) Create(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, outboundType string, options any) error {
+	inbound, err := m.registry.Create(ctx, router, logger, tag, outboundType, options)
+	if err != nil {
+		return err
+	}
+	m.access.Lock()
+	defer m.access.Unlock()
+	if m.started {
+		for _, stage := range adapter.ListStartStages {
+			err = adapter.LegacyStart(inbound, stage)
+			if err != nil {
+				return E.Cause(err, stage.Action(), " inbound/", inbound.Type(), "[", inbound.Tag(), "]")
+			}
+		}
+	}
+	if existsInbound, loaded := m.inboundByTag[tag]; loaded {
+		if m.started {
+			err = existsInbound.Close()
+			if err != nil {
+				return E.Cause(err, "close inbound/", existsInbound.Type(), "[", existsInbound.Tag(), "]")
+			}
+		}
+		existsIndex := common.Index(m.inbounds, func(it adapter.Inbound) bool {
+			return it == existsInbound
+		})
+		if existsIndex == -1 {
+			panic("invalid inbound index")
+		}
+		m.inbounds = append(m.inbounds[:existsIndex], m.inbounds[existsIndex+1:]...)
+	}
+	m.inbounds = append(m.inbounds, inbound)
+	m.inboundByTag[tag] = inbound
+	return nil
+}
--- a/adapter/inbound/registry.go
+++ b/adapter/inbound/registry.go
@ -0,0 +1,68 @@
+package inbound
+
+import (
+	"context"
+	"sync"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+type ConstructorFunc[T any] func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options T) (adapter.Inbound, error)
+
+func Register[Options any](registry *Registry, outboundType string, constructor ConstructorFunc[Options]) {
+	registry.register(outboundType, func() any {
+		return new(Options)
+	}, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options any) (adapter.Inbound, error) {
+		return constructor(ctx, router, logger, tag, common.PtrValueOrDefault(options.(*Options)))
+	})
+}
+
+var _ adapter.InboundRegistry = (*Registry)(nil)
+
+type (
+	optionsConstructorFunc func() any
+	constructorFunc        func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options any) (adapter.Inbound, error)
+)
+
+type Registry struct {
+	access      sync.Mutex
+	optionsType map[string]optionsConstructorFunc
+	constructor map[string]constructorFunc
+}
+
+func NewRegistry() *Registry {
+	return &Registry{
+		optionsType: make(map[string]optionsConstructorFunc),
+		constructor: make(map[string]constructorFunc),
+	}
+}
+
+func (m *Registry) CreateOptions(outboundType string) (any, bool) {
+	m.access.Lock()
+	defer m.access.Unlock()
+	optionsConstructor, loaded := m.optionsType[outboundType]
+	if !loaded {
+		return nil, false
+	}
+	return optionsConstructor(), true
+}
+
+func (m *Registry) Create(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, outboundType string, options any) (adapter.Inbound, error) {
+	m.access.Lock()
+	defer m.access.Unlock()
+	constructor, loaded := m.constructor[outboundType]
+	if !loaded {
+		return nil, E.New("outbound type not found: " + outboundType)
+	}
+	return constructor(ctx, router, logger, tag, options)
+}
+
+func (m *Registry) register(outboundType string, optionsConstructor optionsConstructorFunc, constructor constructorFunc) {
+	m.access.Lock()
+	defer m.access.Unlock()
+	m.optionsType[outboundType] = optionsConstructor
+	m.constructor[outboundType] = constructor
+}
--- a/adapter/lifecycle.go
+++ b/adapter/lifecycle.go
@ -0,0 +1,42 @@
+package adapter
+
+type StartStage uint8
+
+const (
+	StartStateInitialize StartStage = iota
+	StartStateStart
+	StartStatePostStart
+	StartStateStarted
+)
+
+var ListStartStages = []StartStage{
+	StartStateInitialize,
+	StartStateStart,
+	StartStatePostStart,
+	StartStateStarted,
+}
+
+func (s StartStage) Action() string {
+	switch s {
+	case StartStateInitialize:
+		return "initialize"
+	case StartStateStart:
+		return "start"
+	case StartStatePostStart:
+		return "post-start"
+	case StartStateStarted:
+		return "start-after-started"
+	default:
+		panic("unknown stage")
+	}
+}
+
+type Lifecycle interface {
+	Start(stage StartStage) error
+	Close() error
+}
+
+type LifecycleService interface {
+	Name() string
+	Lifecycle
+}
--- a/adapter/lifecycle_legacy.go
+++ b/adapter/lifecycle_legacy.go
@ -0,0 +1,49 @@
+package adapter
+
+func LegacyStart(starter any, stage StartStage) error {
+	switch stage {
+	case StartStateInitialize:
+		if preStarter, isPreStarter := starter.(interface {
+			PreStart() error
+		}); isPreStarter {
+			return preStarter.PreStart()
+		}
+	case StartStateStart:
+		if starter, isStarter := starter.(interface {
+			Start() error
+		}); isStarter {
+			return starter.Start()
+		}
+	case StartStatePostStart:
+		if postStarter, isPostStarter := starter.(interface {
+			PostStart() error
+		}); isPostStarter {
+			return postStarter.PostStart()
+		}
+	}
+	return nil
+}
+
+type lifecycleServiceWrapper struct {
+	Service
+	name string
+}
+
+func NewLifecycleService(service Service, name string) LifecycleService {
+	return &lifecycleServiceWrapper{
+		Service: service,
+		name:    name,
+	}
+}
+
+func (l *lifecycleServiceWrapper) Name() string {
+	return l.name
+}
+
+func (l *lifecycleServiceWrapper) Start(stage StartStage) error {
+	return LegacyStart(l.Service, stage)
+}
+
+func (l *lifecycleServiceWrapper) Close() error {
+	return l.Service.Close()
+}
--- a/adapter/network.go
+++ b/adapter/network.go
@ -0,0 +1,23 @@
+package adapter
+
+import (
+	"github.com/sagernet/sing-tun"
+	"github.com/sagernet/sing/common/control"
+)
+
+type NetworkManager interface {
+	Lifecycle
+	InterfaceFinder() control.InterfaceFinder
+	UpdateInterfaces() error
+	DefaultInterface() string
+	AutoDetectInterface() bool
+	AutoDetectInterfaceFunc() control.Func
+	DefaultMark() uint32
+	RegisterAutoRedirectOutputMark(mark uint32) error
+	AutoRedirectOutputMark() uint32
+	NetworkMonitor() tun.NetworkUpdateMonitor
+	InterfaceMonitor() tun.DefaultInterfaceMonitor
+	PackageManager() tun.PackageManager
+	WIFIState() WIFIState
+	ResetNetwork()
+}
--- a/adapter/outbound.go
+++ b/adapter/outbound.go
@ -2,8 +2,9 @@ package adapter

 import (
 	"context"
-	"net"

+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
 	N "github.com/sagernet/sing/common/network"
 )

@ -15,6 +16,18 @@ type Outbound interface {
 	Network() []string
 	Dependencies() []string
 	N.Dialer
-	NewConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
-	NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
+}
+
+type OutboundRegistry interface {
+	option.OutboundOptionsRegistry
+	CreateOutbound(ctx context.Context, router Router, logger log.ContextLogger, tag string, outboundType string, options any) (Outbound, error)
+}
+
+type OutboundManager interface {
+	Lifecycle
+	Outbounds() []Outbound
+	Outbound(tag string) (Outbound, bool)
+	Default() Outbound
+	Remove(tag string) error
+	Create(ctx context.Context, router Router, logger log.ContextLogger, tag string, outboundType string, options any) error
 }
--- a/adapter/outbound/adapter.go
+++ b/adapter/outbound/adapter.go
@ -0,0 +1,45 @@
+package outbound
+
+import (
+	"github.com/sagernet/sing-box/option"
+)
+
+type Adapter struct {
+	protocol     string
+	network      []string
+	tag          string
+	dependencies []string
+}
+
+func NewAdapter(protocol string, network []string, tag string, dependencies []string) Adapter {
+	return Adapter{
+		protocol:     protocol,
+		network:      network,
+		tag:          tag,
+		dependencies: dependencies,
+	}
+}
+
+func NewAdapterWithDialerOptions(protocol string, network []string, tag string, dialOptions option.DialerOptions) Adapter {
+	var dependencies []string
+	if dialOptions.Detour != "" {
+		dependencies = []string{dialOptions.Detour}
+	}
+	return NewAdapter(protocol, network, tag, dependencies)
+}
+
+func (a *Adapter) Type() string {
+	return a.protocol
+}
+
+func (a *Adapter) Tag() string {
+	return a.tag
+}
+
+func (a *Adapter) Network() []string {
+	return a.network
+}
+
+func (a *Adapter) Dependencies() []string {
+	return a.dependencies
+}
--- a/adapter/outbound/default.go
+++ b/adapter/outbound/default.go
@ -9,8 +9,6 @@ import (

 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
@ -21,43 +19,8 @@ import (
 	N "github.com/sagernet/sing/common/network"
 )

-type myOutboundAdapter struct {
-	protocol     string
-	network      []string
-	router       adapter.Router
-	logger       log.ContextLogger
-	tag          string
-	dependencies []string
-}
-
-func (a *myOutboundAdapter) Type() string {
-	return a.protocol
-}
-
-func (a *myOutboundAdapter) Tag() string {
-	return a.tag
-}
-
-func (a *myOutboundAdapter) Network() []string {
-	return a.network
-}
-
-func (a *myOutboundAdapter) Dependencies() []string {
-	return a.dependencies
-}
-
-func (a *myOutboundAdapter) NewError(ctx context.Context, err error) {
-	NewError(a.logger, ctx, err)
-}
-
-func withDialerDependency(options option.DialerOptions) []string {
-	if options.Detour != "" {
-		return []string{options.Detour}
-	}
-	return nil
-}
-
 func NewConnection(ctx context.Context, this N.Dialer, conn net.Conn, metadata adapter.InboundContext) error {
+	defer conn.Close()
 	ctx = adapter.WithContext(ctx, &metadata)
 	var outConn net.Conn
 	var err error
@ -69,7 +32,7 @@ func NewConnection(ctx context.Context, this N.Dialer, conn net.Conn, metadata a
 	if err != nil {
 		return N.ReportHandshakeFailure(conn, err)
 	}
-	err = N.ReportHandshakeSuccess(conn)
+	err = N.ReportConnHandshakeSuccess(conn, outConn)
 	if err != nil {
 		outConn.Close()
 		return err
@ -78,6 +41,7 @@ func NewConnection(ctx context.Context, this N.Dialer, conn net.Conn, metadata a
 }

 func NewDirectConnection(ctx context.Context, router adapter.Router, this N.Dialer, conn net.Conn, metadata adapter.InboundContext, domainStrategy dns.DomainStrategy) error {
+	defer conn.Close()
 	ctx = adapter.WithContext(ctx, &metadata)
 	var outConn net.Conn
 	var err error
@ -96,7 +60,7 @@ func NewDirectConnection(ctx context.Context, router adapter.Router, this N.Dial
 	if err != nil {
 		return N.ReportHandshakeFailure(conn, err)
 	}
-	err = N.ReportHandshakeSuccess(conn)
+	err = N.ReportConnHandshakeSuccess(conn, outConn)
 	if err != nil {
 		outConn.Close()
 		return err
@ -105,29 +69,49 @@ func NewDirectConnection(ctx context.Context, router adapter.Router, this N.Dial
 }

 func NewPacketConnection(ctx context.Context, this N.Dialer, conn N.PacketConn, metadata adapter.InboundContext) error {
+	defer conn.Close()
 	ctx = adapter.WithContext(ctx, &metadata)
-	var outConn net.PacketConn
-	var destinationAddress netip.Addr
-	var err error
-	if len(metadata.DestinationAddresses) > 0 {
-		outConn, destinationAddress, err = N.ListenSerial(ctx, this, metadata.Destination, metadata.DestinationAddresses)
+	var (
+		outPacketConn      net.PacketConn
+		outConn            net.Conn
+		destinationAddress netip.Addr
+		err                error
+	)
+	if metadata.UDPConnect {
+		if len(metadata.DestinationAddresses) > 0 {
+			outConn, err = N.DialSerial(ctx, this, N.NetworkUDP, metadata.Destination, metadata.DestinationAddresses)
+		} else {
+			outConn, err = this.DialContext(ctx, N.NetworkUDP, metadata.Destination)
+		}
+		if err != nil {
+			return N.ReportHandshakeFailure(conn, err)
+		}
+		outPacketConn = bufio.NewUnbindPacketConn(outConn)
+		connRemoteAddr := M.AddrFromNet(outConn.RemoteAddr())
+		if connRemoteAddr != metadata.Destination.Addr {
+			destinationAddress = connRemoteAddr
+		}
 	} else {
-		outConn, err = this.ListenPacket(ctx, metadata.Destination)
+		if len(metadata.DestinationAddresses) > 0 {
+			outPacketConn, destinationAddress, err = N.ListenSerial(ctx, this, metadata.Destination, metadata.DestinationAddresses)
+		} else {
+			outPacketConn, err = this.ListenPacket(ctx, metadata.Destination)
+		}
+		if err != nil {
+			return N.ReportHandshakeFailure(conn, err)
+		}
 	}
+	err = N.ReportPacketConnHandshakeSuccess(conn, outPacketConn)
 	if err != nil {
-		return N.ReportHandshakeFailure(conn, err)
-	}
-	err = N.ReportHandshakeSuccess(conn)
-	if err != nil {
-		outConn.Close()
+		outPacketConn.Close()
 		return err
 	}
 	if destinationAddress.IsValid() {
 		if metadata.Destination.IsFqdn() {
-			if metadata.InboundOptions.UDPDisableDomainUnmapping {
-				outConn = bufio.NewUnidirectionalNATPacketConn(bufio.NewPacketConn(outConn), M.SocksaddrFrom(destinationAddress, metadata.Destination.Port), metadata.Destination)
+			if metadata.UDPDisableDomainUnmapping {
+				outPacketConn = bufio.NewUnidirectionalNATPacketConn(bufio.NewPacketConn(outPacketConn), M.SocksaddrFrom(destinationAddress, metadata.Destination.Port), metadata.Destination)
 			} else {
-				outConn = bufio.NewNATPacketConn(bufio.NewPacketConn(outConn), M.SocksaddrFrom(destinationAddress, metadata.Destination.Port), metadata.Destination)
+				outPacketConn = bufio.NewNATPacketConn(bufio.NewPacketConn(outPacketConn), M.SocksaddrFrom(destinationAddress, metadata.Destination.Port), metadata.Destination)
 			}
 		}
 		if natConn, loaded := common.Cast[bufio.NATPacketConn](conn); loaded {
@ -142,37 +126,63 @@ func NewPacketConnection(ctx context.Context, this N.Dialer, conn N.PacketConn,
 	case C.ProtocolDNS:
 		ctx, conn = canceler.NewPacketConn(ctx, conn, C.DNSTimeout)
 	}
-	return bufio.CopyPacketConn(ctx, conn, bufio.NewPacketConn(outConn))
+	return bufio.CopyPacketConn(ctx, conn, bufio.NewPacketConn(outPacketConn))
 }

 func NewDirectPacketConnection(ctx context.Context, router adapter.Router, this N.Dialer, conn N.PacketConn, metadata adapter.InboundContext, domainStrategy dns.DomainStrategy) error {
+	defer conn.Close()
 	ctx = adapter.WithContext(ctx, &metadata)
-	var outConn net.PacketConn
-	var destinationAddress netip.Addr
-	var err error
-	if len(metadata.DestinationAddresses) > 0 {
-		outConn, destinationAddress, err = N.ListenSerial(ctx, this, metadata.Destination, metadata.DestinationAddresses)
-	} else if metadata.Destination.IsFqdn() {
-		var destinationAddresses []netip.Addr
-		destinationAddresses, err = router.Lookup(ctx, metadata.Destination.Fqdn, domainStrategy)
+	var (
+		outPacketConn      net.PacketConn
+		outConn            net.Conn
+		destinationAddress netip.Addr
+		err                error
+	)
+	if metadata.UDPConnect {
+		if len(metadata.DestinationAddresses) > 0 {
+			outConn, err = N.DialSerial(ctx, this, N.NetworkUDP, metadata.Destination, metadata.DestinationAddresses)
+		} else if metadata.Destination.IsFqdn() {
+			var destinationAddresses []netip.Addr
+			destinationAddresses, err = router.Lookup(ctx, metadata.Destination.Fqdn, domainStrategy)
+			if err != nil {
+				return N.ReportHandshakeFailure(conn, err)
+			}
+			outConn, err = N.DialSerial(ctx, this, N.NetworkUDP, metadata.Destination, destinationAddresses)
+		} else {
+			outConn, err = this.DialContext(ctx, N.NetworkUDP, metadata.Destination)
+		}
 		if err != nil {
 			return N.ReportHandshakeFailure(conn, err)
 		}
-		outConn, destinationAddress, err = N.ListenSerial(ctx, this, metadata.Destination, destinationAddresses)
+		connRemoteAddr := M.AddrFromNet(outConn.RemoteAddr())
+		if connRemoteAddr != metadata.Destination.Addr {
+			destinationAddress = connRemoteAddr
+		}
 	} else {
-		outConn, err = this.ListenPacket(ctx, metadata.Destination)
+		if len(metadata.DestinationAddresses) > 0 {
+			outPacketConn, destinationAddress, err = N.ListenSerial(ctx, this, metadata.Destination, metadata.DestinationAddresses)
+		} else if metadata.Destination.IsFqdn() {
+			var destinationAddresses []netip.Addr
+			destinationAddresses, err = router.Lookup(ctx, metadata.Destination.Fqdn, domainStrategy)
+			if err != nil {
+				return N.ReportHandshakeFailure(conn, err)
+			}
+			outPacketConn, destinationAddress, err = N.ListenSerial(ctx, this, metadata.Destination, destinationAddresses)
+		} else {
+			outPacketConn, err = this.ListenPacket(ctx, metadata.Destination)
+		}
+		if err != nil {
+			return N.ReportHandshakeFailure(conn, err)
+		}
 	}
+	err = N.ReportPacketConnHandshakeSuccess(conn, outPacketConn)
 	if err != nil {
-		return N.ReportHandshakeFailure(conn, err)
-	}
-	err = N.ReportHandshakeSuccess(conn)
-	if err != nil {
-		outConn.Close()
+		outPacketConn.Close()
 		return err
 	}
 	if destinationAddress.IsValid() {
 		if metadata.Destination.IsFqdn() {
-			outConn = bufio.NewNATPacketConn(bufio.NewPacketConn(outConn), M.SocksaddrFrom(destinationAddress, metadata.Destination.Port), metadata.Destination)
+			outPacketConn = bufio.NewNATPacketConn(bufio.NewPacketConn(outPacketConn), M.SocksaddrFrom(destinationAddress, metadata.Destination.Port), metadata.Destination)
 		}
 		if natConn, loaded := common.Cast[bufio.NATPacketConn](conn); loaded {
 			natConn.UpdateDestination(destinationAddress)
@ -186,7 +196,7 @@ func NewDirectPacketConnection(ctx context.Context, router adapter.Router, this
 	case C.ProtocolDNS:
 		ctx, conn = canceler.NewPacketConn(ctx, conn, C.DNSTimeout)
 	}
-	return bufio.CopyPacketConn(ctx, conn, bufio.NewPacketConn(outConn))
+	return bufio.CopyPacketConn(ctx, conn, bufio.NewPacketConn(outPacketConn))
 }

 func CopyEarlyConn(ctx context.Context, conn net.Conn, serverConn net.Conn) error {
@ -233,12 +243,3 @@ func CopyEarlyConn(ctx context.Context, conn net.Conn, serverConn net.Conn) erro
 	}
 	return bufio.CopyConn(ctx, conn, serverConn)
 }
-
-func NewError(logger log.ContextLogger, ctx context.Context, err error) {
-	common.Close(err)
-	if E.IsClosedOrCanceled(err) {
-		logger.DebugContext(ctx, "connection closed: ", err)
-		return
-	}
-	logger.ErrorContext(ctx, err)
-}
--- a/adapter/outbound/manager.go
+++ b/adapter/outbound/manager.go
@ -0,0 +1,269 @@
+package outbound
+
+import (
+	"context"
+	"io"
+	"os"
+	"strings"
+	"sync"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/taskmonitor"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+)
+
+var _ adapter.OutboundManager = (*Manager)(nil)
+
+type Manager struct {
+	logger                  log.ContextLogger
+	registry                adapter.OutboundRegistry
+	defaultTag              string
+	access                  sync.Mutex
+	started                 bool
+	stage                   adapter.StartStage
+	outbounds               []adapter.Outbound
+	outboundByTag           map[string]adapter.Outbound
+	dependByTag             map[string][]string
+	defaultOutbound         adapter.Outbound
+	defaultOutboundFallback adapter.Outbound
+}
+
+func NewManager(logger logger.ContextLogger, registry adapter.OutboundRegistry, defaultTag string) *Manager {
+	return &Manager{
+		logger:        logger,
+		registry:      registry,
+		defaultTag:    defaultTag,
+		outboundByTag: make(map[string]adapter.Outbound),
+		dependByTag:   make(map[string][]string),
+	}
+}
+
+func (m *Manager) Initialize(defaultOutboundFallback adapter.Outbound) {
+	m.defaultOutboundFallback = defaultOutboundFallback
+}
+
+func (m *Manager) Start(stage adapter.StartStage) error {
+	m.access.Lock()
+	if m.started && m.stage >= stage {
+		panic("already started")
+	}
+	m.started = true
+	m.stage = stage
+	outbounds := m.outbounds
+	m.access.Unlock()
+	if stage == adapter.StartStateStart {
+		return m.startOutbounds(outbounds)
+	} else {
+		for _, outbound := range outbounds {
+			err := adapter.LegacyStart(outbound, stage)
+			if err != nil {
+				return E.Cause(err, stage.Action(), " outbound/", outbound.Type(), "[", outbound.Tag(), "]")
+			}
+		}
+	}
+	return nil
+}
+
+func (m *Manager) startOutbounds(outbounds []adapter.Outbound) error {
+	monitor := taskmonitor.New(m.logger, C.StartTimeout)
+	started := make(map[string]bool)
+	for {
+		canContinue := false
+	startOne:
+		for _, outboundToStart := range outbounds {
+			outboundTag := outboundToStart.Tag()
+			if started[outboundTag] {
+				continue
+			}
+			dependencies := outboundToStart.Dependencies()
+			for _, dependency := range dependencies {
+				if !started[dependency] {
+					continue startOne
+				}
+			}
+			started[outboundTag] = true
+			canContinue = true
+			if starter, isStarter := outboundToStart.(interface {
+				Start() error
+			}); isStarter {
+				monitor.Start("start outbound/", outboundToStart.Type(), "[", outboundTag, "]")
+				err := starter.Start()
+				monitor.Finish()
+				if err != nil {
+					return E.Cause(err, "start outbound/", outboundToStart.Type(), "[", outboundTag, "]")
+				}
+			}
+		}
+		if len(started) == len(outbounds) {
+			break
+		}
+		if canContinue {
+			continue
+		}
+		currentOutbound := common.Find(outbounds, func(it adapter.Outbound) bool {
+			return !started[it.Tag()]
+		})
+		var lintOutbound func(oTree []string, oCurrent adapter.Outbound) error
+		lintOutbound = func(oTree []string, oCurrent adapter.Outbound) error {
+			problemOutboundTag := common.Find(oCurrent.Dependencies(), func(it string) bool {
+				return !started[it]
+			})
+			if common.Contains(oTree, problemOutboundTag) {
+				return E.New("circular outbound dependency: ", strings.Join(oTree, " -> "), " -> ", problemOutboundTag)
+			}
+			m.access.Lock()
+			problemOutbound := m.outboundByTag[problemOutboundTag]
+			m.access.Unlock()
+			if problemOutbound == nil {
+				return E.New("dependency[", problemOutboundTag, "] not found for outbound[", oCurrent.Tag(), "]")
+			}
+			return lintOutbound(append(oTree, problemOutboundTag), problemOutbound)
+		}
+		return lintOutbound([]string{currentOutbound.Tag()}, currentOutbound)
+	}
+	return nil
+}
+
+func (m *Manager) Close() error {
+	monitor := taskmonitor.New(m.logger, C.StopTimeout)
+	m.access.Lock()
+	if !m.started {
+		m.access.Unlock()
+		return nil
+	}
+	m.started = false
+	outbounds := m.outbounds
+	m.outbounds = nil
+	m.access.Unlock()
+	var err error
+	for _, outbound := range outbounds {
+		if closer, isCloser := outbound.(io.Closer); isCloser {
+			monitor.Start("close outbound/", outbound.Type(), "[", outbound.Tag(), "]")
+			err = E.Append(err, closer.Close(), func(err error) error {
+				return E.Cause(err, "close outbound/", outbound.Type(), "[", outbound.Tag(), "]")
+			})
+			monitor.Finish()
+		}
+	}
+	return nil
+}
+
+func (m *Manager) Outbounds() []adapter.Outbound {
+	m.access.Lock()
+	defer m.access.Unlock()
+	return m.outbounds
+}
+
+func (m *Manager) Outbound(tag string) (adapter.Outbound, bool) {
+	m.access.Lock()
+	defer m.access.Unlock()
+	outbound, found := m.outboundByTag[tag]
+	return outbound, found
+}
+
+func (m *Manager) Default() adapter.Outbound {
+	m.access.Lock()
+	defer m.access.Unlock()
+	if m.defaultOutbound != nil {
+		return m.defaultOutbound
+	} else {
+		return m.defaultOutboundFallback
+	}
+}
+
+func (m *Manager) Remove(tag string) error {
+	m.access.Lock()
+	outbound, found := m.outboundByTag[tag]
+	if !found {
+		m.access.Unlock()
+		return os.ErrInvalid
+	}
+	delete(m.outboundByTag, tag)
+	index := common.Index(m.outbounds, func(it adapter.Outbound) bool {
+		return it == outbound
+	})
+	if index == -1 {
+		panic("invalid inbound index")
+	}
+	m.outbounds = append(m.outbounds[:index], m.outbounds[index+1:]...)
+	started := m.started
+	if m.defaultOutbound == outbound {
+		if len(m.outbounds) > 0 {
+			m.defaultOutbound = m.outbounds[0]
+			m.logger.Info("updated default outbound to ", m.defaultOutbound.Tag())
+		} else {
+			m.defaultOutbound = nil
+		}
+	}
+	dependBy := m.dependByTag[tag]
+	if len(dependBy) > 0 {
+		return E.New("outbound[", tag, "] is depended by ", strings.Join(dependBy, ", "))
+	}
+	dependencies := outbound.Dependencies()
+	for _, dependency := range dependencies {
+		if len(m.dependByTag[dependency]) == 1 {
+			delete(m.dependByTag, dependency)
+		} else {
+			m.dependByTag[dependency] = common.Filter(m.dependByTag[dependency], func(it string) bool {
+				return it != tag
+			})
+		}
+	}
+	m.access.Unlock()
+	if started {
+		return common.Close(outbound)
+	}
+	return nil
+}
+
+func (m *Manager) Create(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, inboundType string, options any) error {
+	if tag == "" {
+		return os.ErrInvalid
+	}
+	outbound, err := m.registry.CreateOutbound(ctx, router, logger, tag, inboundType, options)
+	if err != nil {
+		return err
+	}
+	m.access.Lock()
+	defer m.access.Unlock()
+	if m.started {
+		for _, stage := range adapter.ListStartStages {
+			err = adapter.LegacyStart(outbound, stage)
+			if err != nil {
+				return E.Cause(err, stage.Action(), " outbound/", outbound.Type(), "[", outbound.Tag(), "]")
+			}
+		}
+	}
+	if existsOutbound, loaded := m.outboundByTag[tag]; loaded {
+		if m.started {
+			err = common.Close(existsOutbound)
+			if err != nil {
+				return E.Cause(err, "close outbound/", existsOutbound.Type(), "[", existsOutbound.Tag(), "]")
+			}
+		}
+		existsIndex := common.Index(m.outbounds, func(it adapter.Outbound) bool {
+			return it == existsOutbound
+		})
+		if existsIndex == -1 {
+			panic("invalid inbound index")
+		}
+		m.outbounds = append(m.outbounds[:existsIndex], m.outbounds[existsIndex+1:]...)
+	}
+	m.outbounds = append(m.outbounds, outbound)
+	m.outboundByTag[tag] = outbound
+	dependencies := outbound.Dependencies()
+	for _, dependency := range dependencies {
+		m.dependByTag[dependency] = append(m.dependByTag[dependency], tag)
+	}
+	if tag == m.defaultTag || (m.defaultTag == "" && m.defaultOutbound == nil) {
+		m.defaultOutbound = outbound
+		if m.started {
+			m.logger.Info("updated default outbound to ", outbound.Tag())
+		}
+	}
+	return nil
+}
--- a/adapter/outbound/registry.go
+++ b/adapter/outbound/registry.go
@ -0,0 +1,68 @@
+package outbound
+
+import (
+	"context"
+	"sync"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+type ConstructorFunc[T any] func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options T) (adapter.Outbound, error)
+
+func Register[Options any](registry *Registry, outboundType string, constructor ConstructorFunc[Options]) {
+	registry.register(outboundType, func() any {
+		return new(Options)
+	}, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options any) (adapter.Outbound, error) {
+		return constructor(ctx, router, logger, tag, common.PtrValueOrDefault(options.(*Options)))
+	})
+}
+
+var _ adapter.OutboundRegistry = (*Registry)(nil)
+
+type (
+	optionsConstructorFunc func() any
+	constructorFunc        func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options any) (adapter.Outbound, error)
+)
+
+type Registry struct {
+	access       sync.Mutex
+	optionsType  map[string]optionsConstructorFunc
+	constructors map[string]constructorFunc
+}
+
+func NewRegistry() *Registry {
+	return &Registry{
+		optionsType:  make(map[string]optionsConstructorFunc),
+		constructors: make(map[string]constructorFunc),
+	}
+}
+
+func (r *Registry) CreateOptions(outboundType string) (any, bool) {
+	r.access.Lock()
+	defer r.access.Unlock()
+	optionsConstructor, loaded := r.optionsType[outboundType]
+	if !loaded {
+		return nil, false
+	}
+	return optionsConstructor(), true
+}
+
+func (r *Registry) CreateOutbound(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, outboundType string, options any) (adapter.Outbound, error) {
+	r.access.Lock()
+	defer r.access.Unlock()
+	constructor, loaded := r.constructors[outboundType]
+	if !loaded {
+		return nil, E.New("outbound type not found: " + outboundType)
+	}
+	return constructor(ctx, router, logger, tag, options)
+}
+
+func (r *Registry) register(outboundType string, optionsConstructor optionsConstructorFunc, constructor constructorFunc) {
+	r.access.Lock()
+	defer r.access.Unlock()
+	r.optionsType[outboundType] = optionsConstructor
+	r.constructors[outboundType] = constructor
+}
--- a/adapter/prestart.go
+++ b/adapter/prestart.go
@ -1,9 +1 @@
 package adapter
-
-type PreStarter interface {
-	PreStart() error
-}
-
-type PostStarter interface {
-	PostStart() error
-}
--- a/adapter/router.go
+++ b/adapter/router.go
@ -10,94 +10,54 @@ import (
 	"github.com/sagernet/sing-box/common/geoip"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-dns"
-	"github.com/sagernet/sing-tun"
-	"github.com/sagernet/sing/common/control"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/x/list"
-	"github.com/sagernet/sing/service"

 	mdns "github.com/miekg/dns"
 	"go4.org/netipx"
 )

 type Router interface {
-	Service
-	PreStarter
-	PostStarter
-	Cleanup() error
-
-	Outbounds() []Outbound
-	Outbound(tag string) (Outbound, bool)
-	DefaultOutbound(network string) (Outbound, error)
+	Lifecycle

 	FakeIPStore() FakeIPStore

 	ConnectionRouter
+	PreMatch(metadata InboundContext) error
+	ConnectionRouterEx

 	GeoIPReader() *geoip.Reader
 	LoadGeosite(code string) (Rule, error)
-
 	RuleSet(tag string) (RuleSet, bool)
-
 	NeedWIFIState() bool

 	Exchange(ctx context.Context, message *mdns.Msg) (*mdns.Msg, error)
 	Lookup(ctx context.Context, domain string, strategy dns.DomainStrategy) ([]netip.Addr, error)
 	LookupDefault(ctx context.Context, domain string) ([]netip.Addr, error)
 	ClearDNSCache()
-
-	InterfaceFinder() control.InterfaceFinder
-	UpdateInterfaces() error
-	DefaultInterface() string
-	AutoDetectInterface() bool
-	AutoDetectInterfaceFunc() control.Func
-	DefaultMark() uint32
-	RegisterAutoRedirectOutputMark(mark uint32) error
-	AutoRedirectOutputMark() uint32
-	NetworkMonitor() tun.NetworkUpdateMonitor
-	InterfaceMonitor() tun.DefaultInterfaceMonitor
-	PackageManager() tun.PackageManager
-	WIFIState() WIFIState
 	Rules() []Rule

-	ClashServer() ClashServer
-	SetClashServer(server ClashServer)
+	SetTracker(tracker ConnectionTracker)

-	V2RayServer() V2RayServer
-	SetV2RayServer(server V2RayServer)
-
-	ResetNetwork() error
+	ResetNetwork()
 }

-func ContextWithRouter(ctx context.Context, router Router) context.Context {
-	return service.ContextWith(ctx, router)
+type ConnectionTracker interface {
+	RoutedConnection(ctx context.Context, conn net.Conn, metadata InboundContext, matchedRule Rule, matchOutbound Outbound) net.Conn
+	RoutedPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext, matchedRule Rule, matchOutbound Outbound) N.PacketConn
 }

-func RouterFromContext(ctx context.Context) Router {
-	return service.FromContext[Router](ctx)
+// Deprecated: Use ConnectionRouterEx instead.
+type ConnectionRouter interface {
+	RouteConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
+	RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
 }

-type HeadlessRule interface {
-	Match(metadata *InboundContext) bool
-	String() string
-}
-
-type Rule interface {
-	HeadlessRule
-	Service
-	Type() string
-	UpdateGeosite() error
-	Outbound() string
-}
-
-type DNSRule interface {
-	Rule
-	DisableCache() bool
-	RewriteTTL() *uint32
-	ClientSubnet() *netip.Prefix
-	WithAddressLimit() bool
-	MatchAddressLimit(metadata *InboundContext) bool
+type ConnectionRouterEx interface {
+	ConnectionRouter
+	RouteConnectionEx(ctx context.Context, conn net.Conn, metadata InboundContext, onClose N.CloseHandlerFunc)
+	RoutePacketConnectionEx(ctx context.Context, conn N.PacketConn, metadata InboundContext, onClose N.CloseHandlerFunc)
 }

 type RuleSet interface {
--- a/adapter/rule.go
+++ b/adapter/rule.go
@ -0,0 +1,38 @@
+package adapter
+
+import (
+	C "github.com/sagernet/sing-box/constant"
+)
+
+type HeadlessRule interface {
+	Match(metadata *InboundContext) bool
+	String() string
+}
+
+type Rule interface {
+	HeadlessRule
+	Service
+	Type() string
+	UpdateGeosite() error
+	Action() RuleAction
+}
+
+type DNSRule interface {
+	Rule
+	WithAddressLimit() bool
+	MatchAddressLimit(metadata *InboundContext) bool
+}
+
+type RuleAction interface {
+	Type() string
+	String() string
+}
+
+func IsFinalAction(action RuleAction) bool {
+	switch action.Type() {
+	case C.RuleActionTypeSniff, C.RuleActionTypeResolve:
+		return false
+	default:
+		return true
+	}
+}
--- a/adapter/upstream.go
+++ b/adapter/upstream.go
@ -4,112 +4,165 @@ import (
 	"context"
 	"net"

-	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )

 type (
-	ConnectionHandlerFunc       = func(ctx context.Context, conn net.Conn, metadata InboundContext) error
-	PacketConnectionHandlerFunc = func(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
+	ConnectionHandlerFuncEx       = func(ctx context.Context, conn net.Conn, metadata InboundContext, onClose N.CloseHandlerFunc)
+	PacketConnectionHandlerFuncEx = func(ctx context.Context, conn N.PacketConn, metadata InboundContext, onClose N.CloseHandlerFunc)
 )

-func NewUpstreamHandler(
+func NewUpstreamHandlerEx(
 	metadata InboundContext,
-	connectionHandler ConnectionHandlerFunc,
-	packetHandler PacketConnectionHandlerFunc,
-	errorHandler E.Handler,
-) UpstreamHandlerAdapter {
-	return &myUpstreamHandlerWrapper{
+	connectionHandler ConnectionHandlerFuncEx,
+	packetHandler PacketConnectionHandlerFuncEx,
+) UpstreamHandlerAdapterEx {
+	return &myUpstreamHandlerWrapperEx{
 		metadata:          metadata,
 		connectionHandler: connectionHandler,
 		packetHandler:     packetHandler,
-		errorHandler:      errorHandler,
 	}
 }

-var _ UpstreamHandlerAdapter = (*myUpstreamHandlerWrapper)(nil)
+var _ UpstreamHandlerAdapterEx = (*myUpstreamHandlerWrapperEx)(nil)

-type myUpstreamHandlerWrapper struct {
+type myUpstreamHandlerWrapperEx struct {
 	metadata          InboundContext
-	connectionHandler ConnectionHandlerFunc
-	packetHandler     PacketConnectionHandlerFunc
-	errorHandler      E.Handler
+	connectionHandler ConnectionHandlerFuncEx
+	packetHandler     PacketConnectionHandlerFuncEx
 }

-func (w *myUpstreamHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+func (w *myUpstreamHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
 	myMetadata := w.metadata
-	if metadata.Source.IsValid() {
-		myMetadata.Source = metadata.Source
+	if source.IsValid() {
+		myMetadata.Source = source
 	}
-	if metadata.Destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
+	if destination.IsValid() {
+		myMetadata.Destination = destination
 	}
-	return w.connectionHandler(ctx, conn, myMetadata)
+	w.connectionHandler(ctx, conn, myMetadata, onClose)
 }

-func (w *myUpstreamHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
+func (w *myUpstreamHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
 	myMetadata := w.metadata
-	if metadata.Source.IsValid() {
-		myMetadata.Source = metadata.Source
+	if source.IsValid() {
+		myMetadata.Source = source
 	}
-	if metadata.Destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
+	if destination.IsValid() {
+		myMetadata.Destination = destination
 	}
-	return w.packetHandler(ctx, conn, myMetadata)
+	w.packetHandler(ctx, conn, myMetadata, onClose)
 }

-func (w *myUpstreamHandlerWrapper) NewError(ctx context.Context, err error) {
-	w.errorHandler.NewError(ctx, err)
+var _ UpstreamHandlerAdapterEx = (*myUpstreamContextHandlerWrapperEx)(nil)
+
+type myUpstreamContextHandlerWrapperEx struct {
+	connectionHandler ConnectionHandlerFuncEx
+	packetHandler     PacketConnectionHandlerFuncEx
 }

-func UpstreamMetadata(metadata InboundContext) M.Metadata {
-	return M.Metadata{
-		Source:      metadata.Source,
-		Destination: metadata.Destination,
-	}
-}
-
-type myUpstreamContextHandlerWrapper struct {
-	connectionHandler ConnectionHandlerFunc
-	packetHandler     PacketConnectionHandlerFunc
-	errorHandler      E.Handler
-}
-
-func NewUpstreamContextHandler(
-	connectionHandler ConnectionHandlerFunc,
-	packetHandler PacketConnectionHandlerFunc,
-	errorHandler E.Handler,
-) UpstreamHandlerAdapter {
-	return &myUpstreamContextHandlerWrapper{
+func NewUpstreamContextHandlerEx(
+	connectionHandler ConnectionHandlerFuncEx,
+	packetHandler PacketConnectionHandlerFuncEx,
+) UpstreamHandlerAdapterEx {
+	return &myUpstreamContextHandlerWrapperEx{
 		connectionHandler: connectionHandler,
 		packetHandler:     packetHandler,
-		errorHandler:      errorHandler,
 	}
 }

-func (w *myUpstreamContextHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+func (w *myUpstreamContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
 	myMetadata := ContextFrom(ctx)
-	if metadata.Source.IsValid() {
-		myMetadata.Source = metadata.Source
+	if source.IsValid() {
+		myMetadata.Source = source
 	}
-	if metadata.Destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
+	if destination.IsValid() {
+		myMetadata.Destination = destination
 	}
-	return w.connectionHandler(ctx, conn, *myMetadata)
+	w.connectionHandler(ctx, conn, *myMetadata, onClose)
 }

-func (w *myUpstreamContextHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
+func (w *myUpstreamContextHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
 	myMetadata := ContextFrom(ctx)
-	if metadata.Source.IsValid() {
-		myMetadata.Source = metadata.Source
+	if source.IsValid() {
+		myMetadata.Source = source
 	}
-	if metadata.Destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
+	if destination.IsValid() {
+		myMetadata.Destination = destination
 	}
-	return w.packetHandler(ctx, conn, *myMetadata)
+	w.packetHandler(ctx, conn, *myMetadata, onClose)
 }

-func (w *myUpstreamContextHandlerWrapper) NewError(ctx context.Context, err error) {
-	w.errorHandler.NewError(ctx, err)
+func NewRouteHandlerEx(
+	metadata InboundContext,
+	router ConnectionRouterEx,
+) UpstreamHandlerAdapterEx {
+	return &routeHandlerWrapperEx{
+		metadata: metadata,
+		router:   router,
+	}
+}
+
+var _ UpstreamHandlerAdapterEx = (*routeHandlerWrapperEx)(nil)
+
+type routeHandlerWrapperEx struct {
+	metadata InboundContext
+	router   ConnectionRouterEx
+}
+
+func (r *routeHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
+	if source.IsValid() {
+		r.metadata.Source = source
+	}
+	if destination.IsValid() {
+		r.metadata.Destination = destination
+	}
+	r.router.RouteConnectionEx(ctx, conn, r.metadata, onClose)
+}
+
+func (r *routeHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
+	if source.IsValid() {
+		r.metadata.Source = source
+	}
+	if destination.IsValid() {
+		r.metadata.Destination = destination
+	}
+	r.router.RoutePacketConnectionEx(ctx, conn, r.metadata, onClose)
+}
+
+func NewRouteContextHandlerEx(
+	router ConnectionRouterEx,
+) UpstreamHandlerAdapterEx {
+	return &routeContextHandlerWrapperEx{
+		router: router,
+	}
+}
+
+var _ UpstreamHandlerAdapterEx = (*routeContextHandlerWrapperEx)(nil)
+
+type routeContextHandlerWrapperEx struct {
+	router ConnectionRouterEx
+}
+
+func (r *routeContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
+	metadata := ContextFrom(ctx)
+	if source.IsValid() {
+		metadata.Source = source
+	}
+	if destination.IsValid() {
+		metadata.Destination = destination
+	}
+	r.router.RouteConnectionEx(ctx, conn, *metadata, onClose)
+}
+
+func (r *routeContextHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
+	metadata := ContextFrom(ctx)
+	if source.IsValid() {
+		metadata.Source = source
+	}
+	if destination.IsValid() {
+		metadata.Destination = destination
+	}
+	r.router.RoutePacketConnectionEx(ctx, conn, *metadata, onClose)
 }
--- a/adapter/upstream_legacy.go
+++ b/adapter/upstream_legacy.go
@ -0,0 +1,216 @@
+package adapter
+
+import (
+	"context"
+	"net"
+
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type (
+	// Deprecated
+	ConnectionHandlerFunc = func(ctx context.Context, conn net.Conn, metadata InboundContext) error
+	// Deprecated
+	PacketConnectionHandlerFunc = func(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
+)
+
+// Deprecated
+func NewUpstreamHandler(
+	metadata InboundContext,
+	connectionHandler ConnectionHandlerFunc,
+	packetHandler PacketConnectionHandlerFunc,
+	errorHandler E.Handler,
+) UpstreamHandlerAdapter {
+	return &myUpstreamHandlerWrapper{
+		metadata:          metadata,
+		connectionHandler: connectionHandler,
+		packetHandler:     packetHandler,
+		errorHandler:      errorHandler,
+	}
+}
+
+var _ UpstreamHandlerAdapter = (*myUpstreamHandlerWrapper)(nil)
+
+// Deprecated
+type myUpstreamHandlerWrapper struct {
+	metadata          InboundContext
+	connectionHandler ConnectionHandlerFunc
+	packetHandler     PacketConnectionHandlerFunc
+	errorHandler      E.Handler
+}
+
+func (w *myUpstreamHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	myMetadata := w.metadata
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.connectionHandler(ctx, conn, myMetadata)
+}
+
+func (w *myUpstreamHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
+	myMetadata := w.metadata
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.packetHandler(ctx, conn, myMetadata)
+}
+
+func (w *myUpstreamHandlerWrapper) NewError(ctx context.Context, err error) {
+	w.errorHandler.NewError(ctx, err)
+}
+
+// Deprecated
+func UpstreamMetadata(metadata InboundContext) M.Metadata {
+	return M.Metadata{
+		Source:      metadata.Source,
+		Destination: metadata.Destination,
+	}
+}
+
+// Deprecated
+type myUpstreamContextHandlerWrapper struct {
+	connectionHandler ConnectionHandlerFunc
+	packetHandler     PacketConnectionHandlerFunc
+	errorHandler      E.Handler
+}
+
+// Deprecated
+func NewUpstreamContextHandler(
+	connectionHandler ConnectionHandlerFunc,
+	packetHandler PacketConnectionHandlerFunc,
+	errorHandler E.Handler,
+) UpstreamHandlerAdapter {
+	return &myUpstreamContextHandlerWrapper{
+		connectionHandler: connectionHandler,
+		packetHandler:     packetHandler,
+		errorHandler:      errorHandler,
+	}
+}
+
+func (w *myUpstreamContextHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	myMetadata := ContextFrom(ctx)
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.connectionHandler(ctx, conn, *myMetadata)
+}
+
+func (w *myUpstreamContextHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
+	myMetadata := ContextFrom(ctx)
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.packetHandler(ctx, conn, *myMetadata)
+}
+
+func (w *myUpstreamContextHandlerWrapper) NewError(ctx context.Context, err error) {
+	w.errorHandler.NewError(ctx, err)
+}
+
+// Deprecated: Use ConnectionRouterEx instead.
+func NewRouteHandler(
+	metadata InboundContext,
+	router ConnectionRouter,
+	logger logger.ContextLogger,
+) UpstreamHandlerAdapter {
+	return &routeHandlerWrapper{
+		metadata: metadata,
+		router:   router,
+		logger:   logger,
+	}
+}
+
+// Deprecated: Use ConnectionRouterEx instead.
+func NewRouteContextHandler(
+	router ConnectionRouter,
+	logger logger.ContextLogger,
+) UpstreamHandlerAdapter {
+	return &routeContextHandlerWrapper{
+		router: router,
+		logger: logger,
+	}
+}
+
+var _ UpstreamHandlerAdapter = (*routeHandlerWrapper)(nil)
+
+// Deprecated: Use ConnectionRouterEx instead.
+type routeHandlerWrapper struct {
+	metadata InboundContext
+	router   ConnectionRouter
+	logger   logger.ContextLogger
+}
+
+func (w *routeHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	myMetadata := w.metadata
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.router.RouteConnection(ctx, conn, myMetadata)
+}
+
+func (w *routeHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
+	myMetadata := w.metadata
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.router.RoutePacketConnection(ctx, conn, myMetadata)
+}
+
+func (w *routeHandlerWrapper) NewError(ctx context.Context, err error) {
+	w.logger.ErrorContext(ctx, err)
+}
+
+var _ UpstreamHandlerAdapter = (*routeContextHandlerWrapper)(nil)
+
+// Deprecated: Use ConnectionRouterEx instead.
+type routeContextHandlerWrapper struct {
+	router ConnectionRouter
+	logger logger.ContextLogger
+}
+
+func (w *routeContextHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	myMetadata := ContextFrom(ctx)
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.router.RouteConnection(ctx, conn, *myMetadata)
+}
+
+func (w *routeContextHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
+	myMetadata := ContextFrom(ctx)
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.router.RoutePacketConnection(ctx, conn, *myMetadata)
+}
+
+func (w *routeContextHandlerWrapper) NewError(ctx context.Context, err error) {
+	w.logger.ErrorContext(ctx, err)
+}
--- a/adapter/v2ray.go
+++ b/adapter/v2ray.go
@ -4,7 +4,6 @@ import (
 	"context"
 	"net"

-	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
 )

@ -16,8 +15,7 @@ type V2RayServerTransport interface {
 }

 type V2RayServerTransportHandler interface {
-	N.TCPConnectionHandler
-	E.Handler
+	N.TCPConnectionHandlerEx
 }

 type V2RayClientTransport interface {
--- a/box.go
+++ b/box.go
@ -9,19 +9,22 @@ import (
 	"time"

 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/adapter/inbound"
+	"github.com/sagernet/sing-box/adapter/outbound"
+	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/common/taskmonitor"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental"
 	"github.com/sagernet/sing-box/experimental/cachefile"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
-	"github.com/sagernet/sing-box/inbound"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-box/outbound"
+	"github.com/sagernet/sing-box/protocol/direct"
 	"github.com/sagernet/sing-box/route"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
+	"github.com/sagernet/sing/common/ntp"
 	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/pause"
 )
@ -29,25 +32,41 @@ import (
 var _ adapter.Service = (*Box)(nil)

 type Box struct {
-	createdAt    time.Time
-	router       adapter.Router
-	inbounds     []adapter.Inbound
-	outbounds    []adapter.Outbound
-	logFactory   log.Factory
-	logger       log.ContextLogger
-	preServices1 map[string]adapter.Service
-	preServices2 map[string]adapter.Service
-	postServices map[string]adapter.Service
-	done         chan struct{}
+	createdAt  time.Time
+	logFactory log.Factory
+	logger     log.ContextLogger
+	network    *route.NetworkManager
+	router     *route.Router
+	inbound    *inbound.Manager
+	outbound   *outbound.Manager
+	services   []adapter.LifecycleService
+	done       chan struct{}
 }

 type Options struct {
 	option.Options
 	Context           context.Context
-	PlatformInterface platform.Interface
 	PlatformLogWriter log.PlatformWriter
 }

+func Context(
+	ctx context.Context,
+	inboundRegistry adapter.InboundRegistry,
+	outboundRegistry adapter.OutboundRegistry,
+) context.Context {
+	if service.FromContext[option.InboundOptionsRegistry](ctx) == nil ||
+		service.FromContext[adapter.InboundRegistry](ctx) == nil {
+		ctx = service.ContextWith[option.InboundOptionsRegistry](ctx, inboundRegistry)
+		ctx = service.ContextWith[adapter.InboundRegistry](ctx, inboundRegistry)
+	}
+	if service.FromContext[option.OutboundOptionsRegistry](ctx) == nil ||
+		service.FromContext[adapter.OutboundRegistry](ctx) == nil {
+		ctx = service.ContextWith[option.OutboundOptionsRegistry](ctx, outboundRegistry)
+		ctx = service.ContextWith[adapter.OutboundRegistry](ctx, outboundRegistry)
+	}
+	return ctx
+}
+
 func New(options Options) (*Box, error) {
 	createdAt := time.Now()
 	ctx := options.Context
@ -55,6 +74,17 @@ func New(options Options) (*Box, error) {
 		ctx = context.Background()
 	}
 	ctx = service.ContextWithDefaultRegistry(ctx)
+
+	inboundRegistry := service.FromContext[adapter.InboundRegistry](ctx)
+	if inboundRegistry == nil {
+		return nil, E.New("missing inbound registry in context")
+	}
+
+	outboundRegistry := service.FromContext[adapter.OutboundRegistry](ctx)
+	if outboundRegistry == nil {
+		return nil, E.New("missing outbound registry in context")
+	}
+
 	ctx = pause.WithDefaultManager(ctx)
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
 	applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
@ -70,8 +100,9 @@ func New(options Options) (*Box, error) {
 	if experimentalOptions.V2RayAPI != nil && experimentalOptions.V2RayAPI.Listen != "" {
 		needV2RayAPI = true
 	}
+	platformInterface := service.FromContext[platform.Interface](ctx)
 	var defaultLogWriter io.Writer
-	if options.PlatformInterface != nil {
+	if platformInterface != nil {
 		defaultLogWriter = io.Discard
 	}
 	logFactory, err := log.New(log.Options{
@ -85,115 +116,156 @@ func New(options Options) (*Box, error) {
 	if err != nil {
 		return nil, E.Cause(err, "create log factory")
 	}
-	router, err := route.NewRouter(
-		ctx,
-		logFactory,
-		common.PtrValueOrDefault(options.Route),
-		common.PtrValueOrDefault(options.DNS),
-		common.PtrValueOrDefault(options.NTP),
-		options.Inbounds,
-		options.PlatformInterface,
-	)
+
+	routeOptions := common.PtrValueOrDefault(options.Route)
+	inboundManager := inbound.NewManager(logFactory.NewLogger("inbound"), inboundRegistry)
+	outboundManager := outbound.NewManager(logFactory.NewLogger("outbound"), outboundRegistry, routeOptions.Final)
+	service.MustRegister[adapter.InboundManager](ctx, inboundManager)
+	service.MustRegister[adapter.OutboundManager](ctx, outboundManager)
+
+	networkManager, err := route.NewNetworkManager(ctx, logFactory.NewLogger("network"), routeOptions)
 	if err != nil {
-		return nil, E.Cause(err, "parse route options")
+		return nil, E.Cause(err, "initialize network manager")
+	}
+	service.MustRegister[adapter.NetworkManager](ctx, networkManager)
+	router, err := route.NewRouter(ctx, logFactory, routeOptions, common.PtrValueOrDefault(options.DNS))
+	if err != nil {
+		return nil, E.Cause(err, "initialize router")
+	}
+	//nolint:staticcheck
+	if len(options.LegacyInbounds) > 0 {
+		for _, legacyInbound := range options.LegacyInbounds {
+			options.Inbounds = append(options.Inbounds, option.Inbound{
+				Type:    legacyInbound.Type,
+				Tag:     legacyInbound.Tag,
+				Options: common.Must1(legacyInbound.RawOptions()),
+			})
+		}
+	}
+	//nolint:staticcheck
+	if len(options.LegacyOutbounds) > 0 {
+		for _, legacyOutbound := range options.LegacyOutbounds {
+			options.Outbounds = append(options.Outbounds, option.Outbound{
+				Type:    legacyOutbound.Type,
+				Tag:     legacyOutbound.Tag,
+				Options: common.Must1(legacyOutbound.RawOptions()),
+			})
+		}
 	}
-	inbounds := make([]adapter.Inbound, 0, len(options.Inbounds))
-	outbounds := make([]adapter.Outbound, 0, len(options.Outbounds))
 	for i, inboundOptions := range options.Inbounds {
-		var in adapter.Inbound
 		var tag string
 		if inboundOptions.Tag != "" {
 			tag = inboundOptions.Tag
 		} else {
 			tag = F.ToString(i)
 		}
-		in, err = inbound.New(
-			ctx,
+		err = inboundManager.Create(ctx,
 			router,
 			logFactory.NewLogger(F.ToString("inbound/", inboundOptions.Type, "[", tag, "]")),
 			tag,
-			inboundOptions,
-			options.PlatformInterface,
+			inboundOptions.Type,
+			inboundOptions.Options,
 		)
 		if err != nil {
-			return nil, E.Cause(err, "parse inbound[", i, "]")
+			return nil, E.Cause(err, "initialize inbound[", i, "]")
 		}
-		inbounds = append(inbounds, in)
 	}
 	for i, outboundOptions := range options.Outbounds {
-		var out adapter.Outbound
 		var tag string
 		if outboundOptions.Tag != "" {
 			tag = outboundOptions.Tag
 		} else {
 			tag = F.ToString(i)
 		}
-		out, err = outbound.New(
-			ctx,
+		outboundCtx := ctx
+		if tag != "" {
+			// TODO: remove this
+			outboundCtx = adapter.WithContext(outboundCtx, &adapter.InboundContext{
+				Outbound: tag,
+			})
+		}
+		err = outboundManager.Create(
+			outboundCtx,
 			router,
 			logFactory.NewLogger(F.ToString("outbound/", outboundOptions.Type, "[", tag, "]")),
 			tag,
-			outboundOptions)
+			outboundOptions.Type,
+			outboundOptions.Options,
+		)
 		if err != nil {
-			return nil, E.Cause(err, "parse outbound[", i, "]")
+			return nil, E.Cause(err, "initialize outbound[", i, "]")
 		}
-		outbounds = append(outbounds, out)
 	}
-	err = router.Initialize(inbounds, outbounds, func() adapter.Outbound {
-		out, oErr := outbound.New(ctx, router, logFactory.NewLogger("outbound/direct"), "direct", option.Outbound{Type: "direct", Tag: "default"})
-		common.Must(oErr)
-		outbounds = append(outbounds, out)
-		return out
-	})
-	if err != nil {
-		return nil, err
-	}
-	if options.PlatformInterface != nil {
-		err = options.PlatformInterface.Initialize(ctx, router)
+	outboundManager.Initialize(common.Must1(
+		direct.NewOutbound(
+			ctx,
+			router,
+			logFactory.NewLogger("outbound/direct"),
+			"direct",
+			option.DirectOutboundOptions{},
+		),
+	))
+	if platformInterface != nil {
+		err = platformInterface.Initialize(networkManager)
 		if err != nil {
 			return nil, E.Cause(err, "initialize platform interface")
 		}
 	}
-	preServices1 := make(map[string]adapter.Service)
-	preServices2 := make(map[string]adapter.Service)
-	postServices := make(map[string]adapter.Service)
+	var services []adapter.LifecycleService
 	if needCacheFile {
-		cacheFile := service.FromContext[adapter.CacheFile](ctx)
-		if cacheFile == nil {
-			cacheFile = cachefile.New(ctx, common.PtrValueOrDefault(experimentalOptions.CacheFile))
-			service.MustRegister[adapter.CacheFile](ctx, cacheFile)
-		}
-		preServices1["cache file"] = cacheFile
+		cacheFile := cachefile.New(ctx, common.PtrValueOrDefault(experimentalOptions.CacheFile))
+		service.MustRegister[adapter.CacheFile](ctx, cacheFile)
+		services = append(services, cacheFile)
 	}
 	if needClashAPI {
 		clashAPIOptions := common.PtrValueOrDefault(experimentalOptions.ClashAPI)
 		clashAPIOptions.ModeList = experimental.CalculateClashModeList(options.Options)
-		clashServer, err := experimental.NewClashServer(ctx, router, logFactory.(log.ObservableFactory), clashAPIOptions)
+		clashServer, err := experimental.NewClashServer(ctx, logFactory.(log.ObservableFactory), clashAPIOptions)
 		if err != nil {
-			return nil, E.Cause(err, "create clash api server")
+			return nil, E.Cause(err, "create clash-server")
 		}
-		router.SetClashServer(clashServer)
-		preServices2["clash api"] = clashServer
+		router.SetTracker(clashServer)
+		service.MustRegister[adapter.ClashServer](ctx, clashServer)
+		services = append(services, clashServer)
 	}
 	if needV2RayAPI {
 		v2rayServer, err := experimental.NewV2RayServer(logFactory.NewLogger("v2ray-api"), common.PtrValueOrDefault(experimentalOptions.V2RayAPI))
 		if err != nil {
-			return nil, E.Cause(err, "create v2ray api server")
+			return nil, E.Cause(err, "create v2ray-server")
 		}
-		router.SetV2RayServer(v2rayServer)
-		preServices2["v2ray api"] = v2rayServer
+		if v2rayServer.StatsService() != nil {
+			router.SetTracker(v2rayServer.StatsService())
+			services = append(services, v2rayServer)
+			service.MustRegister[adapter.V2RayServer](ctx, v2rayServer)
+		}
+	}
+	ntpOptions := common.PtrValueOrDefault(options.NTP)
+	if ntpOptions.Enabled {
+		ntpDialer, err := dialer.New(ctx, ntpOptions.DialerOptions)
+		if err != nil {
+			return nil, E.Cause(err, "create NTP service")
+		}
+		timeService := ntp.NewService(ntp.Options{
+			Context:       ctx,
+			Dialer:        ntpDialer,
+			Logger:        logFactory.NewLogger("ntp"),
+			Server:        ntpOptions.ServerOptions.Build(),
+			Interval:      time.Duration(ntpOptions.Interval),
+			WriteToSystem: ntpOptions.WriteToSystem,
+		})
+		service.MustRegister[ntp.TimeService](ctx, timeService)
+		services = append(services, adapter.NewLifecycleService(timeService, "ntp service"))
 	}
 	return &Box{
-		router:       router,
-		inbounds:     inbounds,
-		outbounds:    outbounds,
-		createdAt:    createdAt,
-		logFactory:   logFactory,
-		logger:       logFactory.Logger(),
-		preServices1: preServices1,
-		preServices2: preServices2,
-		postServices: postServices,
-		done:         make(chan struct{}),
+		network:    networkManager,
+		router:     router,
+		inbound:    inboundManager,
+		outbound:   outboundManager,
+		createdAt:  createdAt,
+		logFactory: logFactory,
+		logger:     logFactory.Logger(),
+		services:   services,
+		done:       make(chan struct{}),
 	}, nil
 }

@ -243,35 +315,29 @@ func (s *Box) preStart() error {
 	if err != nil {
 		return E.Cause(err, "start logger")
 	}
-	for serviceName, service := range s.preServices1 {
-		if preService, isPreService := service.(adapter.PreStarter); isPreService {
-			monitor.Start("pre-start ", serviceName)
-			err := preService.PreStart()
-			monitor.Finish()
-			if err != nil {
-				return E.Cause(err, "pre-start ", serviceName)
-			}
+	for _, lifecycleService := range s.services {
+		err = lifecycleService.Start(adapter.StartStateInitialize) // cache-file
+		if err != nil {
+			return E.Cause(err, "initialize ", lifecycleService.Name())
 		}
 	}
-	for serviceName, service := range s.preServices2 {
-		if preService, isPreService := service.(adapter.PreStarter); isPreService {
-			monitor.Start("pre-start ", serviceName)
-			err := preService.PreStart()
-			monitor.Finish()
-			if err != nil {
-				return E.Cause(err, "pre-start ", serviceName)
-			}
+	for _, lifecycle := range []adapter.Lifecycle{
+		s.network, s.router, s.outbound, s.inbound,
+	} {
+		err = lifecycle.Start(adapter.StartStateInitialize)
+		if err != nil {
+			return err
 		}
 	}
-	err = s.router.PreStart()
-	if err != nil {
-		return E.Cause(err, "pre-start router")
+	for _, lifecycle := range []adapter.Lifecycle{
+		s.outbound, s.network, s.router,
+	} {
+		err = lifecycle.Start(adapter.StartStateStart)
+		if err != nil {
+			return err
+		}
 	}
-	err = s.startOutbounds()
-	if err != nil {
-		return err
-	}
-	return s.router.Start()
+	return nil
 }

 func (s *Box) start() error {
@ -279,63 +345,30 @@ func (s *Box) start() error {
 	if err != nil {
 		return err
 	}
-	for serviceName, service := range s.preServices1 {
-		err = service.Start()
+	for _, lifecycleService := range s.services {
+		err = lifecycleService.Start(adapter.StartStateStart)
 		if err != nil {
-			return E.Cause(err, "start ", serviceName)
+			return E.Cause(err, "initialize ", lifecycleService.Name())
 		}
 	}
-	for serviceName, service := range s.preServices2 {
-		err = service.Start()
-		if err != nil {
-			return E.Cause(err, "start ", serviceName)
-		}
-	}
-	for i, in := range s.inbounds {
-		var tag string
-		if in.Tag() == "" {
-			tag = F.ToString(i)
-		} else {
-			tag = in.Tag()
-		}
-		err = in.Start()
-		if err != nil {
-			return E.Cause(err, "initialize inbound/", in.Type(), "[", tag, "]")
-		}
-	}
-	err = s.postStart()
+	err = s.inbound.Start(adapter.StartStateStart)
 	if err != nil {
 		return err
 	}
-	return s.router.Cleanup()
-}
-
-func (s *Box) postStart() error {
-	for serviceName, service := range s.postServices {
-		err := service.Start()
+	for _, lifecycleService := range []adapter.Lifecycle{
+		s.outbound, s.network, s.router, s.inbound,
+	} {
+		err = lifecycleService.Start(adapter.StartStatePostStart)
 		if err != nil {
-			return E.Cause(err, "start ", serviceName)
+			return err
 		}
 	}
-	// TODO: reorganize ALL start order
-	for _, out := range s.outbounds {
-		if lateOutbound, isLateOutbound := out.(adapter.PostStarter); isLateOutbound {
-			err := lateOutbound.PostStart()
-			if err != nil {
-				return E.Cause(err, "post-start outbound/", out.Tag())
-			}
-		}
-	}
-	err := s.router.PostStart()
-	if err != nil {
-		return err
-	}
-	for _, in := range s.inbounds {
-		if lateInbound, isLateInbound := in.(adapter.PostStarter); isLateInbound {
-			err = lateInbound.PostStart()
-			if err != nil {
-				return E.Cause(err, "post-start inbound/", in.Tag())
-			}
+	for _, lifecycleService := range []adapter.Lifecycle{
+		s.network, s.router, s.outbound, s.inbound,
+	} {
+		err = lifecycleService.Start(adapter.StartStateStarted)
+		if err != nil {
+			return err
 		}
 	}
 	return nil
@ -348,58 +381,32 @@ func (s *Box) Close() error {
 	default:
 		close(s.done)
 	}
-	monitor := taskmonitor.New(s.logger, C.StopTimeout)
-	var errors error
-	for serviceName, service := range s.postServices {
-		monitor.Start("close ", serviceName)
-		errors = E.Append(errors, service.Close(), func(err error) error {
-			return E.Cause(err, "close ", serviceName)
-		})
-		monitor.Finish()
-	}
-	for i, in := range s.inbounds {
-		monitor.Start("close inbound/", in.Type(), "[", i, "]")
-		errors = E.Append(errors, in.Close(), func(err error) error {
-			return E.Cause(err, "close inbound/", in.Type(), "[", i, "]")
-		})
-		monitor.Finish()
-	}
-	for i, out := range s.outbounds {
-		monitor.Start("close outbound/", out.Type(), "[", i, "]")
-		errors = E.Append(errors, common.Close(out), func(err error) error {
-			return E.Cause(err, "close outbound/", out.Type(), "[", i, "]")
-		})
-		monitor.Finish()
-	}
-	monitor.Start("close router")
-	if err := common.Close(s.router); err != nil {
-		errors = E.Append(errors, err, func(err error) error {
-			return E.Cause(err, "close router")
+	err := common.Close(
+		s.inbound, s.outbound, s.router, s.network,
+	)
+	for _, lifecycleService := range s.services {
+		err = E.Append(err, lifecycleService.Close(), func(err error) error {
+			return E.Cause(err, "close ", lifecycleService.Name())
 		})
 	}
-	monitor.Finish()
-	for serviceName, service := range s.preServices1 {
-		monitor.Start("close ", serviceName)
-		errors = E.Append(errors, service.Close(), func(err error) error {
-			return E.Cause(err, "close ", serviceName)
-		})
-		monitor.Finish()
-	}
-	for serviceName, service := range s.preServices2 {
-		monitor.Start("close ", serviceName)
-		errors = E.Append(errors, service.Close(), func(err error) error {
-			return E.Cause(err, "close ", serviceName)
-		})
-		monitor.Finish()
-	}
-	if err := common.Close(s.logFactory); err != nil {
-		errors = E.Append(errors, err, func(err error) error {
-			return E.Cause(err, "close logger")
-		})
-	}
-	return errors
+	err = E.Append(err, s.logFactory.Close(), func(err error) error {
+		return E.Cause(err, "close logger")
+	})
+	return err
+}
+
+func (s *Box) Network() adapter.NetworkManager {
+	return s.network
 }

 func (s *Box) Router() adapter.Router {
 	return s.router
 }
+
+func (s *Box) Inbound() adapter.InboundManager {
+	return s.inbound
+}
+
+func (s *Box) Outbound() adapter.OutboundManager {
+	return s.outbound
+}
--- a/box_outbound.go
+++ b/box_outbound.go
@ -1,85 +0,0 @@
-package box
-
-import (
-	"strings"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/taskmonitor"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	F "github.com/sagernet/sing/common/format"
-)
-
-func (s *Box) startOutbounds() error {
-	monitor := taskmonitor.New(s.logger, C.StartTimeout)
-	outboundTags := make(map[adapter.Outbound]string)
-	outbounds := make(map[string]adapter.Outbound)
-	for i, outboundToStart := range s.outbounds {
-		var outboundTag string
-		if outboundToStart.Tag() == "" {
-			outboundTag = F.ToString(i)
-		} else {
-			outboundTag = outboundToStart.Tag()
-		}
-		if _, exists := outbounds[outboundTag]; exists {
-			return E.New("outbound tag ", outboundTag, " duplicated")
-		}
-		outboundTags[outboundToStart] = outboundTag
-		outbounds[outboundTag] = outboundToStart
-	}
-	started := make(map[string]bool)
-	for {
-		canContinue := false
-	startOne:
-		for _, outboundToStart := range s.outbounds {
-			outboundTag := outboundTags[outboundToStart]
-			if started[outboundTag] {
-				continue
-			}
-			dependencies := outboundToStart.Dependencies()
-			for _, dependency := range dependencies {
-				if !started[dependency] {
-					continue startOne
-				}
-			}
-			started[outboundTag] = true
-			canContinue = true
-			if starter, isStarter := outboundToStart.(interface {
-				Start() error
-			}); isStarter {
-				monitor.Start("initialize outbound/", outboundToStart.Type(), "[", outboundTag, "]")
-				err := starter.Start()
-				monitor.Finish()
-				if err != nil {
-					return E.Cause(err, "initialize outbound/", outboundToStart.Type(), "[", outboundTag, "]")
-				}
-			}
-		}
-		if len(started) == len(s.outbounds) {
-			break
-		}
-		if canContinue {
-			continue
-		}
-		currentOutbound := common.Find(s.outbounds, func(it adapter.Outbound) bool {
-			return !started[outboundTags[it]]
-		})
-		var lintOutbound func(oTree []string, oCurrent adapter.Outbound) error
-		lintOutbound = func(oTree []string, oCurrent adapter.Outbound) error {
-			problemOutboundTag := common.Find(oCurrent.Dependencies(), func(it string) bool {
-				return !started[it]
-			})
-			if common.Contains(oTree, problemOutboundTag) {
-				return E.New("circular outbound dependency: ", strings.Join(oTree, " -> "), " -> ", problemOutboundTag)
-			}
-			problemOutbound := outbounds[problemOutboundTag]
-			if problemOutbound == nil {
-				return E.New("dependency[", problemOutboundTag, "] not found for outbound[", outboundTags[oCurrent], "]")
-			}
-			return lintOutbound(append(oTree, problemOutboundTag), problemOutbound)
-		}
-		return lintOutbound([]string{outboundTags[currentOutbound]}, currentOutbound)
-	}
-	return nil
-}
--- a/cmd/sing-box/cmd.go
+++ b/cmd/sing-box/cmd.go
@ -7,8 +7,9 @@ import (
 	"strconv"
 	"time"

+	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/experimental/deprecated"
-	_ "github.com/sagernet/sing-box/include"
+	"github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/filemanager"
@ -68,4 +69,5 @@ func preRun(cmd *cobra.Command, args []string) {
 		configPaths = append(configPaths, "config.json")
 	}
 	globalCtx = service.ContextWith(globalCtx, deprecated.NewStderrManager(log.StdLogger()))
+	globalCtx = box.Context(globalCtx, include.InboundRegistry(), include.OutboundRegistry())
 }
--- a/cmd/sing-box/cmd_format.go
+++ b/cmd/sing-box/cmd_format.go
@ -38,7 +38,7 @@ func format() error {
 		return err
 	}
 	for _, optionsEntry := range optionsList {
-		optionsEntry.options, err = badjson.Omitempty(optionsEntry.options)
+		optionsEntry.options, err = badjson.Omitempty(globalCtx, optionsEntry.options)
 		if err != nil {
 			return err
 		}
--- a/cmd/sing-box/cmd_merge.go
+++ b/cmd/sing-box/cmd_merge.go
@ -68,29 +68,19 @@ func merge(outputPath string) error {
 }

 func mergePathResources(options *option.Options) error {
-	for index, inbound := range options.Inbounds {
-		rawOptions, err := inbound.RawOptions()
-		if err != nil {
-			return err
-		}
-		if tlsOptions, containsTLSOptions := rawOptions.(option.InboundTLSOptionsWrapper); containsTLSOptions {
+	for _, inbound := range options.Inbounds {
+		if tlsOptions, containsTLSOptions := inbound.Options.(option.InboundTLSOptionsWrapper); containsTLSOptions {
 			tlsOptions.ReplaceInboundTLSOptions(mergeTLSInboundOptions(tlsOptions.TakeInboundTLSOptions()))
 		}
-		options.Inbounds[index] = inbound
 	}
-	for index, outbound := range options.Outbounds {
-		rawOptions, err := outbound.RawOptions()
-		if err != nil {
-			return err
-		}
+	for _, outbound := range options.Outbounds {
 		switch outbound.Type {
 		case C.TypeSSH:
-			outbound.SSHOptions = mergeSSHOutboundOptions(outbound.SSHOptions)
+			mergeSSHOutboundOptions(outbound.Options.(*option.SSHOutboundOptions))
 		}
-		if tlsOptions, containsTLSOptions := rawOptions.(option.OutboundTLSOptionsWrapper); containsTLSOptions {
+		if tlsOptions, containsTLSOptions := outbound.Options.(option.OutboundTLSOptionsWrapper); containsTLSOptions {
 			tlsOptions.ReplaceOutboundTLSOptions(mergeTLSOutboundOptions(tlsOptions.TakeOutboundTLSOptions()))
 		}
-		options.Outbounds[index] = outbound
 	}
 	return nil
 }
@ -138,13 +128,12 @@ func mergeTLSOutboundOptions(options *option.OutboundTLSOptions) *option.Outboun
 	return options
 }

-func mergeSSHOutboundOptions(options option.SSHOutboundOptions) option.SSHOutboundOptions {
+func mergeSSHOutboundOptions(options *option.SSHOutboundOptions) {
 	if options.PrivateKeyPath != "" {
 		if content, err := os.ReadFile(os.ExpandEnv(options.PrivateKeyPath)); err == nil {
 			options.PrivateKey = trimStringArray(strings.Split(string(content), "\n"))
 		}
 	}
-	return options
 }

 func trimStringArray(array []string) []string {
--- a/cmd/sing-box/cmd_rule_set_match.go
+++ b/cmd/sing-box/cmd_rule_set_match.go
@ -2,6 +2,7 @@ package main

 import (
 	"bytes"
+	"context"
 	"io"
 	"os"

@ -10,7 +11,7 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-box/route"
+	"github.com/sagernet/sing-box/route/rule"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/json"
@ -84,7 +85,7 @@ func ruleSetMatch(sourcePath string, domain string) error {
 	}
 	for i, ruleOptions := range plainRuleSet.Rules {
 		var currentRule adapter.HeadlessRule
-		currentRule, err = route.NewHeadlessRule(nil, ruleOptions)
+		currentRule, err = rule.NewHeadlessRule(context.Background(), ruleOptions)
 		if err != nil {
 			return E.Cause(err, "parse rule_set.rules.[", i, "]")
 		}
--- a/cmd/sing-box/cmd_run.go
+++ b/cmd/sing-box/cmd_run.go
@ -57,7 +57,7 @@ func readConfigAt(path string) (*OptionsEntry, error) {
 	if err != nil {
 		return nil, E.Cause(err, "read config at ", path)
 	}
-	options, err := json.UnmarshalExtended[option.Options](configContent)
+	options, err := json.UnmarshalExtendedContext[option.Options](globalCtx, configContent)
 	if err != nil {
 		return nil, E.Cause(err, "decode config at ", path)
 	}
@ -109,13 +109,13 @@ func readConfigAndMerge() (option.Options, error) {
 	}
 	var mergedMessage json.RawMessage
 	for _, options := range optionsList {
-		mergedMessage, err = badjson.MergeJSON(options.options.RawMessage, mergedMessage, false)
+		mergedMessage, err = badjson.MergeJSON(globalCtx, options.options.RawMessage, mergedMessage, false)
 		if err != nil {
 			return option.Options{}, E.Cause(err, "merge config at ", options.path)
 		}
 	}
 	var mergedOptions option.Options
-	err = mergedOptions.UnmarshalJSON(mergedMessage)
+	err = mergedOptions.UnmarshalJSONContext(globalCtx, mergedMessage)
 	if err != nil {
 		return option.Options{}, E.Cause(err, "unmarshal merged config")
 	}
--- a/cmd/sing-box/cmd_tools.go
+++ b/cmd/sing-box/cmd_tools.go
@ -1,6 +1,9 @@
 package main

 import (
+	"errors"
+	"os"
+
 	"github.com/sagernet/sing-box"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
@ -23,7 +26,9 @@ func init() {
 func createPreStartedClient() (*box.Box, error) {
 	options, err := readConfigAndMerge()
 	if err != nil {
-		return nil, err
+		if !(errors.Is(err, os.ErrNotExist) && len(configDirectories) == 0 && len(configPaths) == 1) || configPaths[0] != "config.json" {
+			return nil, err
+		}
 	}
 	instance, err := box.New(box.Options{Options: options})
 	if err != nil {
@ -36,11 +41,11 @@ func createPreStartedClient() (*box.Box, error) {
 	return instance, nil
 }

-func createDialer(instance *box.Box, network string, outboundTag string) (N.Dialer, error) {
+func createDialer(instance *box.Box, outboundTag string) (N.Dialer, error) {
 	if outboundTag == "" {
-		return instance.Router().DefaultOutbound(N.NetworkName(network))
+		return instance.Outbound().Default(), nil
 	} else {
-		outbound, loaded := instance.Router().Outbound(outboundTag)
+		outbound, loaded := instance.Outbound().Outbound(outboundTag)
 		if !loaded {
 			return nil, E.New("outbound not found: ", outboundTag)
 		}
--- a/cmd/sing-box/cmd_tools_connect.go
+++ b/cmd/sing-box/cmd_tools_connect.go
@ -45,7 +45,7 @@ func connect(address string) error {
 		return err
 	}
 	defer instance.Close()
-	dialer, err := createDialer(instance, commandConnectFlagNetwork, commandToolsFlagOutbound)
+	dialer, err := createDialer(instance, commandToolsFlagOutbound)
 	if err != nil {
 		return err
 	}
--- a/cmd/sing-box/cmd_tools_fetch.go
+++ b/cmd/sing-box/cmd_tools_fetch.go
@ -48,7 +48,7 @@ func fetch(args []string) error {
 	httpClient = &http.Client{
 		Transport: &http.Transport{
 			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-				dialer, err := createDialer(instance, network, commandToolsFlagOutbound)
+				dialer, err := createDialer(instance, commandToolsFlagOutbound)
 				if err != nil {
 					return nil, err
 				}
--- a/cmd/sing-box/cmd_tools_fetch_http3.go
+++ b/cmd/sing-box/cmd_tools_fetch_http3.go
@ -16,7 +16,7 @@ import (
 )

 func initializeHTTP3Client(instance *box.Box) error {
-	dialer, err := createDialer(instance, N.NetworkUDP, commandToolsFlagOutbound)
+	dialer, err := createDialer(instance, commandToolsFlagOutbound)
 	if err != nil {
 		return err
 	}
--- a/cmd/sing-box/cmd_tools_synctime.go
+++ b/cmd/sing-box/cmd_tools_synctime.go
@ -9,7 +9,6 @@ import (
 	"github.com/sagernet/sing-box/log"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/ntp"

 	"github.com/spf13/cobra"
@ -45,7 +44,7 @@ func syncTime() error {
 	if err != nil {
 		return err
 	}
-	dialer, err := createDialer(instance, N.NetworkUDP, commandToolsFlagOutbound)
+	dialer, err := createDialer(instance, commandToolsFlagOutbound)
 	if err != nil {
 		return err
 	}
--- a/cmd/sing-box/internal/convertor/adguard/convertor_test.go
+++ b/cmd/sing-box/internal/convertor/adguard/convertor_test.go
@ -5,7 +5,7 @@ import (
 	"testing"

 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/route"
+	"github.com/sagernet/sing-box/route/rule"

 	"github.com/stretchr/testify/require"
 )
@ -26,7 +26,7 @@ example.arpa
 `))
 	require.NoError(t, err)
 	require.Len(t, rules, 1)
-	rule, err := route.NewHeadlessRule(nil, rules[0])
+	rule, err := rule.NewHeadlessRule(nil, rules[0])
 	require.NoError(t, err)
 	matchDomain := []string{
 		"example.org",
@ -85,7 +85,7 @@ func TestHosts(t *testing.T) {
 `))
 	require.NoError(t, err)
 	require.Len(t, rules, 1)
-	rule, err := route.NewHeadlessRule(nil, rules[0])
+	rule, err := rule.NewHeadlessRule(nil, rules[0])
 	require.NoError(t, err)
 	matchDomain := []string{
 		"google.com",
@ -115,7 +115,7 @@ www.example.org
 `))
 	require.NoError(t, err)
 	require.Len(t, rules, 1)
-	rule, err := route.NewHeadlessRule(nil, rules[0])
+	rule, err := rule.NewHeadlessRule(nil, rules[0])
 	require.NoError(t, err)
 	matchDomain := []string{
 		"example.com",
--- a/common/dialer/default.go
+++ b/common/dialer/default.go
@ -3,6 +3,7 @@ package dialer
 import (
 	"context"
 	"net"
+	"net/netip"
 	"time"

 	"github.com/sagernet/sing-box/adapter"
@ -28,31 +29,31 @@ type DefaultDialer struct {
 	isWireGuardListener bool
 }

-func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDialer, error) {
+func NewDefault(networkManager adapter.NetworkManager, options option.DialerOptions) (*DefaultDialer, error) {
 	var dialer net.Dialer
 	var listener net.ListenConfig
 	if options.BindInterface != "" {
 		var interfaceFinder control.InterfaceFinder
-		if router != nil {
-			interfaceFinder = router.InterfaceFinder()
+		if networkManager != nil {
+			interfaceFinder = networkManager.InterfaceFinder()
 		} else {
 			interfaceFinder = control.NewDefaultInterfaceFinder()
 		}
 		bindFunc := control.BindToInterface(interfaceFinder, options.BindInterface, -1)
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
-	} else if router != nil && router.AutoDetectInterface() {
-		bindFunc := router.AutoDetectInterfaceFunc()
+	} else if networkManager != nil && networkManager.AutoDetectInterface() {
+		bindFunc := networkManager.AutoDetectInterfaceFunc()
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
-	} else if router != nil && router.DefaultInterface() != "" {
-		bindFunc := control.BindToInterface(router.InterfaceFinder(), router.DefaultInterface(), -1)
+	} else if networkManager != nil && networkManager.DefaultInterface() != "" {
+		bindFunc := control.BindToInterface(networkManager.InterfaceFinder(), networkManager.DefaultInterface(), -1)
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
 	}
 	var autoRedirectOutputMark uint32
-	if router != nil {
-		autoRedirectOutputMark = router.AutoRedirectOutputMark()
+	if networkManager != nil {
+		autoRedirectOutputMark = networkManager.AutoRedirectOutputMark()
 	}
 	if autoRedirectOutputMark > 0 {
 		dialer.Control = control.Append(dialer.Control, control.RoutingMark(autoRedirectOutputMark))
@ -64,9 +65,9 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		if autoRedirectOutputMark > 0 {
 			return nil, E.New("`auto_redirect` with `route_[_exclude]_address_set is conflict with `routing_mark`")
 		}
-	} else if router != nil && router.DefaultMark() > 0 {
-		dialer.Control = control.Append(dialer.Control, control.RoutingMark(router.DefaultMark()))
-		listener.Control = control.Append(listener.Control, control.RoutingMark(router.DefaultMark()))
+	} else if networkManager != nil && networkManager.DefaultMark() > 0 {
+		dialer.Control = control.Append(dialer.Control, control.RoutingMark(networkManager.DefaultMark()))
+		listener.Control = control.Append(listener.Control, control.RoutingMark(networkManager.DefaultMark()))
 		if autoRedirectOutputMark > 0 {
 			return nil, E.New("`auto_redirect` with `route_[_exclude]_address_set is conflict with `default_mark`")
 		}
@ -102,7 +103,7 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		udpAddr4   string
 	)
 	if options.Inet4BindAddress != nil {
-		bindAddr := options.Inet4BindAddress.Build()
+		bindAddr := options.Inet4BindAddress.Build(netip.IPv4Unspecified())
 		dialer4.LocalAddr = &net.TCPAddr{IP: bindAddr.AsSlice()}
 		udpDialer4.LocalAddr = &net.UDPAddr{IP: bindAddr.AsSlice()}
 		udpAddr4 = M.SocksaddrFrom(bindAddr, 0).String()
@ -113,7 +114,7 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		udpAddr6   string
 	)
 	if options.Inet6BindAddress != nil {
-		bindAddr := options.Inet6BindAddress.Build()
+		bindAddr := options.Inet6BindAddress.Build(netip.IPv6Unspecified())
 		dialer6.LocalAddr = &net.TCPAddr{IP: bindAddr.AsSlice()}
 		udpDialer6.LocalAddr = &net.UDPAddr{IP: bindAddr.AsSlice()}
 		udpAddr6 = M.SocksaddrFrom(bindAddr, 0).String()
@ -125,7 +126,7 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		setMultiPathTCP(&dialer4)
 	}
 	if options.IsWireGuardListener {
-		for _, controlFn := range wgControlFns {
+		for _, controlFn := range WgControlFns {
 			listener.Control = control.Append(listener.Control, controlFn)
 		}
 	}
--- a/common/dialer/detour.go
+++ b/common/dialer/detour.go
@ -12,15 +12,15 @@ import (
 )

 type DetourDialer struct {
-	router   adapter.Router
-	detour   string
-	dialer   N.Dialer
-	initOnce sync.Once
-	initErr  error
+	outboundManager adapter.OutboundManager
+	detour          string
+	dialer          N.Dialer
+	initOnce        sync.Once
+	initErr         error
 }

-func NewDetour(router adapter.Router, detour string) N.Dialer {
-	return &DetourDialer{router: router, detour: detour}
+func NewDetour(outboundManager adapter.OutboundManager, detour string) N.Dialer {
+	return &DetourDialer{outboundManager: outboundManager, detour: detour}
 }

 func (d *DetourDialer) Start() error {
@ -31,7 +31,7 @@ func (d *DetourDialer) Start() error {
 func (d *DetourDialer) Dialer() (N.Dialer, error) {
 	d.initOnce.Do(func() {
 		var loaded bool
-		d.dialer, loaded = d.router.Outbound(d.detour)
+		d.dialer, loaded = d.outboundManager.Outbound(d.detour)
 		if !loaded {
 			d.initErr = E.New("outbound detour not found: ", d.detour)
 		}
--- a/common/dialer/dialer.go
+++ b/common/dialer/dialer.go
@ -1,40 +1,51 @@
 package dialer

 import (
+	"context"
 	"time"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-dns"
+	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/service"
 )

-func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error) {
+func New(ctx context.Context, options option.DialerOptions) (N.Dialer, error) {
+	networkManager := service.FromContext[adapter.NetworkManager](ctx)
 	if options.IsWireGuardListener {
-		return NewDefault(router, options)
-	}
-	if router == nil {
-		return NewDefault(nil, options)
+		return NewDefault(networkManager, options)
 	}
 	var (
 		dialer N.Dialer
 		err    error
 	)
 	if options.Detour == "" {
-		dialer, err = NewDefault(router, options)
+		dialer, err = NewDefault(networkManager, options)
 		if err != nil {
 			return nil, err
 		}
 	} else {
-		dialer = NewDetour(router, options.Detour)
+		outboundManager := service.FromContext[adapter.OutboundManager](ctx)
+		if outboundManager == nil {
+			return nil, E.New("missing outbound manager")
+		}
+		dialer = NewDetour(outboundManager, options.Detour)
+	}
+	if networkManager == nil {
+		return NewDefault(networkManager, options)
 	}
 	if options.Detour == "" {
-		dialer = NewResolveDialer(
-			router,
-			dialer,
-			options.Detour == "" && !options.TCPFastOpen,
-			dns.DomainStrategy(options.DomainStrategy),
-			time.Duration(options.FallbackDelay))
+		router := service.FromContext[adapter.Router](ctx)
+		if router != nil {
+			dialer = NewResolveDialer(
+				router,
+				dialer,
+				options.Detour == "" && !options.TCPFastOpen,
+				dns.DomainStrategy(options.DomainStrategy),
+				time.Duration(options.FallbackDelay))
+		}
 	}
 	return dialer, nil
 }
--- a/common/dialer/router.go
+++ b/common/dialer/router.go
@ -9,30 +9,22 @@ import (
 	N "github.com/sagernet/sing/common/network"
 )

-type RouterDialer struct {
-	router adapter.Router
+type DefaultOutboundDialer struct {
+	outboundManager adapter.OutboundManager
 }

-func NewRouter(router adapter.Router) N.Dialer {
-	return &RouterDialer{router: router}
+func NewDefaultOutbound(outboundManager adapter.OutboundManager) N.Dialer {
+	return &DefaultOutboundDialer{outboundManager: outboundManager}
 }

-func (d *RouterDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	dialer, err := d.router.DefaultOutbound(network)
-	if err != nil {
-		return nil, err
-	}
-	return dialer.DialContext(ctx, network, destination)
+func (d *DefaultOutboundDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	return d.outboundManager.Default().DialContext(ctx, network, destination)
 }

-func (d *RouterDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	dialer, err := d.router.DefaultOutbound(N.NetworkUDP)
-	if err != nil {
-		return nil, err
-	}
-	return dialer.ListenPacket(ctx, destination)
+func (d *DefaultOutboundDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	return d.outboundManager.Default().ListenPacket(ctx, destination)
 }

-func (d *RouterDialer) Upstream() any {
-	return d.router
+func (d *DefaultOutboundDialer) Upstream() any {
+	return d.outboundManager.Default()
 }
--- a/common/dialer/wireguard.go
+++ b/common/dialer/wireguard.go
@ -2,8 +2,12 @@ package dialer

 import (
 	"net"
+
+	"github.com/sagernet/sing/common/control"
 )

 type WireGuardListener interface {
 	ListenPacketCompat(network, address string) (net.PacketConn, error)
 }
+
+var WgControlFns []control.Func
--- a/common/dialer/wireguard_control.go
+++ b/common/dialer/wireguard_control.go
@ -1,11 +0,0 @@
-//go:build with_wireguard
-
-package dialer
-
-import (
-	"github.com/sagernet/wireguard-go/conn"
-)
-
-var _ WireGuardListener = (conn.Listener)(nil)
-
-var wgControlFns = conn.ControlFns
--- a/common/dialer/wiregurad_stub.go
+++ b/common/dialer/wiregurad_stub.go
@ -1,9 +0,0 @@
-//go:build !with_wireguard
-
-package dialer
-
-import (
-	"github.com/sagernet/sing/common/control"
-)
-
-var wgControlFns []control.Func
--- a/common/listener/listener.go
+++ b/common/listener/listener.go
@ -0,0 +1,137 @@
+package listener
+
+import (
+	"context"
+	"net"
+	"net/netip"
+	"sync/atomic"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/settings"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type Listener struct {
+	ctx                      context.Context
+	logger                   logger.ContextLogger
+	network                  []string
+	listenOptions            option.ListenOptions
+	connHandler              adapter.ConnectionHandlerEx
+	packetHandler            adapter.PacketHandlerEx
+	oobPacketHandler         adapter.OOBPacketHandlerEx
+	threadUnsafePacketWriter bool
+	disablePacketOutput      bool
+	setSystemProxy           bool
+	systemProxySOCKS         bool
+
+	tcpListener          net.Listener
+	systemProxy          settings.SystemProxy
+	udpConn              *net.UDPConn
+	udpAddr              M.Socksaddr
+	packetOutbound       chan *N.PacketBuffer
+	packetOutboundClosed chan struct{}
+	shutdown             atomic.Bool
+}
+
+type Options struct {
+	Context                  context.Context
+	Logger                   logger.ContextLogger
+	Network                  []string
+	Listen                   option.ListenOptions
+	ConnectionHandler        adapter.ConnectionHandlerEx
+	PacketHandler            adapter.PacketHandlerEx
+	OOBPacketHandler         adapter.OOBPacketHandlerEx
+	ThreadUnsafePacketWriter bool
+	DisablePacketOutput      bool
+	SetSystemProxy           bool
+	SystemProxySOCKS         bool
+}
+
+func New(
+	options Options,
+) *Listener {
+	return &Listener{
+		ctx:                      options.Context,
+		logger:                   options.Logger,
+		network:                  options.Network,
+		listenOptions:            options.Listen,
+		connHandler:              options.ConnectionHandler,
+		packetHandler:            options.PacketHandler,
+		oobPacketHandler:         options.OOBPacketHandler,
+		threadUnsafePacketWriter: options.ThreadUnsafePacketWriter,
+		disablePacketOutput:      options.DisablePacketOutput,
+		setSystemProxy:           options.SetSystemProxy,
+		systemProxySOCKS:         options.SystemProxySOCKS,
+	}
+}
+
+func (l *Listener) Start() error {
+	if common.Contains(l.network, N.NetworkTCP) {
+		_, err := l.ListenTCP()
+		if err != nil {
+			return err
+		}
+		go l.loopTCPIn()
+	}
+	if common.Contains(l.network, N.NetworkUDP) {
+		_, err := l.ListenUDP()
+		if err != nil {
+			return err
+		}
+		l.packetOutboundClosed = make(chan struct{})
+		l.packetOutbound = make(chan *N.PacketBuffer, 64)
+		go l.loopUDPIn()
+		if !l.disablePacketOutput {
+			go l.loopUDPOut()
+		}
+	}
+	if l.setSystemProxy {
+		listenPort := M.SocksaddrFromNet(l.tcpListener.Addr()).Port
+		var listenAddrString string
+		listenAddr := l.listenOptions.Listen.Build(netip.IPv4Unspecified())
+		if listenAddr.IsUnspecified() {
+			listenAddrString = "127.0.0.1"
+		} else {
+			listenAddrString = listenAddr.String()
+		}
+		systemProxy, err := settings.NewSystemProxy(l.ctx, M.ParseSocksaddrHostPort(listenAddrString, listenPort), l.systemProxySOCKS)
+		if err != nil {
+			return E.Cause(err, "initialize system proxy")
+		}
+		err = systemProxy.Enable()
+		if err != nil {
+			return E.Cause(err, "set system proxy")
+		}
+		l.systemProxy = systemProxy
+	}
+	return nil
+}
+
+func (l *Listener) Close() error {
+	l.shutdown.Store(true)
+	var err error
+	if l.systemProxy != nil && l.systemProxy.IsEnabled() {
+		err = l.systemProxy.Disable()
+	}
+	return E.Errors(err, common.Close(
+		l.tcpListener,
+		common.PtrOrNil(l.udpConn),
+	))
+}
+
+func (l *Listener) TCPListener() net.Listener {
+	return l.tcpListener
+}
+
+func (l *Listener) UDPConn() *net.UDPConn {
+	return l.udpConn
+}
+
+func (l *Listener) ListenOptions() option.ListenOptions {
+	return l.listenOptions
+}
--- a/common/listener/listener_go121.go
+++ b/common/listener/listener_go121.go
@ -1,6 +1,6 @@
 //go:build go1.21

-package inbound
+package listener

 import "net"

--- a/common/listener/listener_go123.go
+++ b/common/listener/listener_go123.go
@ -0,0 +1,16 @@
+//go:build go1.23
+
+package listener
+
+import (
+	"net"
+	"time"
+)
+
+func setKeepAliveConfig(listener *net.ListenConfig, idle time.Duration, interval time.Duration) {
+	listener.KeepAliveConfig = net.KeepAliveConfig{
+		Enable:   true,
+		Idle:     idle,
+		Interval: interval,
+	}
+}
--- a/common/listener/listener_nongo121.go
+++ b/common/listener/listener_nongo121.go
@ -1,6 +1,6 @@
 //go:build !go1.21

-package inbound
+package listener

 import "net"

--- a/common/listener/listener_nongo123.go
+++ b/common/listener/listener_nongo123.go
@ -0,0 +1,15 @@
+//go:build !go1.23
+
+package listener
+
+import (
+	"net"
+	"time"
+
+	"github.com/sagernet/sing/common/control"
+)
+
+func setKeepAliveConfig(listener *net.ListenConfig, idle time.Duration, interval time.Duration) {
+	listener.KeepAlive = idle
+	listener.Control = control.Append(listener.Control, control.SetKeepAlivePeriod(idle, interval))
+}
--- a/common/listener/listener_tcp.go
+++ b/common/listener/listener_tcp.go
@ -0,0 +1,86 @@
+package listener
+
+import (
+	"net"
+	"net/netip"
+	"time"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+
+	"github.com/metacubex/tfo-go"
+)
+
+func (l *Listener) ListenTCP() (net.Listener, error) {
+	var err error
+	bindAddr := M.SocksaddrFrom(l.listenOptions.Listen.Build(netip.AddrFrom4([4]byte{127, 0, 0, 1})), l.listenOptions.ListenPort)
+	var tcpListener net.Listener
+	var listenConfig net.ListenConfig
+	if l.listenOptions.TCPKeepAlive >= 0 {
+		keepIdle := time.Duration(l.listenOptions.TCPKeepAlive)
+		if keepIdle == 0 {
+			keepIdle = C.TCPKeepAliveInitial
+		}
+		keepInterval := time.Duration(l.listenOptions.TCPKeepAliveInterval)
+		if keepInterval == 0 {
+			keepInterval = C.TCPKeepAliveInterval
+		}
+		setKeepAliveConfig(&listenConfig, keepIdle, keepInterval)
+	}
+	if l.listenOptions.TCPMultiPath {
+		if !go121Available {
+			return nil, E.New("MultiPath TCP requires go1.21, please recompile your binary.")
+		}
+		setMultiPathTCP(&listenConfig)
+	}
+	if l.listenOptions.TCPFastOpen {
+		var tfoConfig tfo.ListenConfig
+		tfoConfig.ListenConfig = listenConfig
+		tcpListener, err = tfoConfig.Listen(l.ctx, M.NetworkFromNetAddr(N.NetworkTCP, bindAddr.Addr), bindAddr.String())
+	} else {
+		tcpListener, err = listenConfig.Listen(l.ctx, M.NetworkFromNetAddr(N.NetworkTCP, bindAddr.Addr), bindAddr.String())
+	}
+	if err == nil {
+		l.logger.Info("tcp server started at ", tcpListener.Addr())
+	}
+	//nolint:staticcheck
+	if l.listenOptions.ProxyProtocol || l.listenOptions.ProxyProtocolAcceptNoHeader {
+		return nil, E.New("Proxy Protocol is deprecated and removed in sing-box 1.6.0")
+	}
+	l.tcpListener = tcpListener
+	return tcpListener, err
+}
+
+func (l *Listener) loopTCPIn() {
+	tcpListener := l.tcpListener
+	var metadata adapter.InboundContext
+	for {
+		conn, err := tcpListener.Accept()
+		if err != nil {
+			//nolint:staticcheck
+			if netError, isNetError := err.(net.Error); isNetError && netError.Temporary() {
+				l.logger.Error(err)
+				continue
+			}
+			if l.shutdown.Load() && E.IsClosed(err) {
+				return
+			}
+			l.tcpListener.Close()
+			l.logger.Error("tcp listener closed: ", err)
+			continue
+		}
+		//nolint:staticcheck
+		metadata.InboundDetour = l.listenOptions.Detour
+		//nolint:staticcheck
+		metadata.InboundOptions = l.listenOptions.InboundOptions
+		metadata.Source = M.SocksaddrFromNet(conn.RemoteAddr()).Unwrap()
+		metadata.OriginDestination = M.SocksaddrFromNet(conn.LocalAddr()).Unwrap()
+		ctx := log.ContextWithNewID(l.ctx)
+		l.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
+		go l.connHandler.NewConnectionEx(ctx, conn, metadata, nil)
+	}
+}
--- a/common/listener/listener_udp.go
+++ b/common/listener/listener_udp.go
@ -0,0 +1,155 @@
+package listener
+
+import (
+	"net"
+	"net/netip"
+	"os"
+	"time"
+
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/control"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+func (l *Listener) ListenUDP() (net.PacketConn, error) {
+	bindAddr := M.SocksaddrFrom(l.listenOptions.Listen.Build(netip.AddrFrom4([4]byte{127, 0, 0, 1})), l.listenOptions.ListenPort)
+	var lc net.ListenConfig
+	var udpFragment bool
+	if l.listenOptions.UDPFragment != nil {
+		udpFragment = *l.listenOptions.UDPFragment
+	} else {
+		udpFragment = l.listenOptions.UDPFragmentDefault
+	}
+	if !udpFragment {
+		lc.Control = control.Append(lc.Control, control.DisableUDPFragment())
+	}
+	udpConn, err := lc.ListenPacket(l.ctx, M.NetworkFromNetAddr(N.NetworkUDP, bindAddr.Addr), bindAddr.String())
+	if err != nil {
+		return nil, err
+	}
+	l.udpConn = udpConn.(*net.UDPConn)
+	l.udpAddr = bindAddr
+	l.logger.Info("udp server started at ", udpConn.LocalAddr())
+	return udpConn, err
+}
+
+func (l *Listener) UDPAddr() M.Socksaddr {
+	return l.udpAddr
+}
+
+func (l *Listener) PacketWriter() N.PacketWriter {
+	return (*packetWriter)(l)
+}
+
+func (l *Listener) loopUDPIn() {
+	defer close(l.packetOutboundClosed)
+	var buffer *buf.Buffer
+	if !l.threadUnsafePacketWriter {
+		buffer = buf.NewPacket()
+		defer buffer.Release()
+		buffer.IncRef()
+		defer buffer.DecRef()
+	}
+	if l.oobPacketHandler != nil {
+		oob := make([]byte, 1024)
+		for {
+			if l.threadUnsafePacketWriter {
+				buffer = buf.NewPacket()
+			} else {
+				buffer.Reset()
+			}
+			n, oobN, _, addr, err := l.udpConn.ReadMsgUDPAddrPort(buffer.FreeBytes(), oob)
+			if err != nil {
+				if l.threadUnsafePacketWriter {
+					buffer.Release()
+				}
+				if l.shutdown.Load() && E.IsClosed(err) {
+					return
+				}
+				l.udpConn.Close()
+				l.logger.Error("udp listener closed: ", err)
+				return
+			}
+			buffer.Truncate(n)
+			l.oobPacketHandler.NewPacketEx(buffer, oob[:oobN], M.SocksaddrFromNetIP(addr).Unwrap())
+		}
+	} else {
+		for {
+			if l.threadUnsafePacketWriter {
+				buffer = buf.NewPacket()
+			} else {
+				buffer.Reset()
+			}
+			n, addr, err := l.udpConn.ReadFromUDPAddrPort(buffer.FreeBytes())
+			if err != nil {
+				if l.threadUnsafePacketWriter {
+					buffer.Release()
+				}
+				if l.shutdown.Load() && E.IsClosed(err) {
+					return
+				}
+				l.udpConn.Close()
+				l.logger.Error("udp listener closed: ", err)
+				return
+			}
+			buffer.Truncate(n)
+			l.packetHandler.NewPacketEx(buffer, M.SocksaddrFromNetIP(addr).Unwrap())
+		}
+	}
+}
+
+func (l *Listener) loopUDPOut() {
+	for {
+		select {
+		case packet := <-l.packetOutbound:
+			destination := packet.Destination.AddrPort()
+			_, err := l.udpConn.WriteToUDPAddrPort(packet.Buffer.Bytes(), destination)
+			packet.Buffer.Release()
+			N.PutPacketBuffer(packet)
+			if err != nil {
+				if l.shutdown.Load() && E.IsClosed(err) {
+					return
+				}
+				l.udpConn.Close()
+				l.logger.Error("udp listener write back: ", destination, ": ", err)
+				return
+			}
+			continue
+		case <-l.packetOutboundClosed:
+		}
+		for {
+			select {
+			case packet := <-l.packetOutbound:
+				packet.Buffer.Release()
+				N.PutPacketBuffer(packet)
+			case <-time.After(time.Second):
+				return
+			}
+		}
+	}
+}
+
+type packetWriter Listener
+
+func (w *packetWriter) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
+	packet := N.NewPacketBuffer()
+	packet.Buffer = buffer
+	packet.Destination = destination
+	select {
+	case w.packetOutbound <- packet:
+		return nil
+	default:
+		buffer.Release()
+		N.PutPacketBuffer(packet)
+		if w.shutdown.Load() {
+			return os.ErrClosed
+		}
+		w.logger.Trace("dropped packet to ", destination)
+		return nil
+	}
+}
+
+func (w *packetWriter) WriteIsThreadUnsafe() {
+}
--- a/common/mux/router.go
+++ b/common/mux/router.go
@ -15,11 +15,11 @@ import (
 )

 type Router struct {
-	router  adapter.ConnectionRouter
+	router  adapter.ConnectionRouterEx
 	service *mux.Service
 }

-func NewRouterWithOptions(router adapter.ConnectionRouter, logger logger.ContextLogger, options option.InboundMultiplexOptions) (adapter.ConnectionRouter, error) {
+func NewRouterWithOptions(router adapter.ConnectionRouterEx, logger logger.ContextLogger, options option.InboundMultiplexOptions) (adapter.ConnectionRouterEx, error) {
 	if !options.Enabled {
 		return router, nil
 	}
@ -54,6 +54,7 @@ func NewRouterWithOptions(router adapter.ConnectionRouter, logger logger.Context

 func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
 	if metadata.Destination == mux.Destination {
+		// TODO: check if WithContext is necessary
 		return r.service.NewConnection(adapter.WithContext(ctx, &metadata), conn, adapter.UpstreamMetadata(metadata))
 	} else {
 		return r.router.RouteConnection(ctx, conn, metadata)
@ -63,3 +64,15 @@ func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata ad
 func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
 	return r.router.RoutePacketConnection(ctx, conn, metadata)
 }
+
+func (r *Router) RouteConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
+	if metadata.Destination == mux.Destination {
+		r.service.NewConnectionEx(adapter.WithContext(ctx, &metadata), conn, metadata.Source, metadata.Destination, onClose)
+		return
+	}
+	r.router.RouteConnectionEx(ctx, conn, metadata, onClose)
+}
+
+func (r *Router) RoutePacketConnectionEx(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
+	r.router.RoutePacketConnectionEx(ctx, conn, metadata, onClose)
+}
--- a/common/mux/v2ray_legacy.go
+++ b/common/mux/v2ray_legacy.go
@ -1,32 +0,0 @@
-package mux
-
-import (
-	"context"
-	"net"
-
-	"github.com/sagernet/sing-box/adapter"
-	vmess "github.com/sagernet/sing-vmess"
-	"github.com/sagernet/sing/common/logger"
-	N "github.com/sagernet/sing/common/network"
-)
-
-type V2RayLegacyRouter struct {
-	router adapter.ConnectionRouter
-	logger logger.ContextLogger
-}
-
-func NewV2RayLegacyRouter(router adapter.ConnectionRouter, logger logger.ContextLogger) adapter.ConnectionRouter {
-	return &V2RayLegacyRouter{router, logger}
-}
-
-func (r *V2RayLegacyRouter) RouteConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
-	if metadata.Destination.Fqdn == vmess.MuxDestination.Fqdn {
-		r.logger.InfoContext(ctx, "inbound legacy multiplex connection")
-		return vmess.HandleMuxConnection(ctx, conn, adapter.NewRouteHandler(metadata, r.router, r.logger))
-	}
-	return r.router.RouteConnection(ctx, conn, metadata)
-}
-
-func (r *V2RayLegacyRouter) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
-	return r.router.RoutePacketConnection(ctx, conn, metadata)
-}
--- a/common/settings/proxy_darwin.go
+++ b/common/settings/proxy_darwin.go
@ -12,6 +12,7 @@ import (
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/shell"
 	"github.com/sagernet/sing/common/x/list"
+	"github.com/sagernet/sing/service"
 )

 type DarwinSystemProxy struct {
@ -24,7 +25,7 @@ type DarwinSystemProxy struct {
 }

 func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*DarwinSystemProxy, error) {
-	interfaceMonitor := adapter.RouterFromContext(ctx).InterfaceMonitor()
+	interfaceMonitor := service.FromContext[adapter.NetworkManager](ctx).InterfaceMonitor()
 	if interfaceMonitor == nil {
 		return nil, E.New("missing interface monitor")
 	}
--- a/common/sniff/sniff.go
+++ b/common/sniff/sniff.go
@ -18,7 +18,7 @@ type (
 	PacketSniffer = func(ctx context.Context, metadata *adapter.InboundContext, packet []byte) error
 )

-func Skip(metadata adapter.InboundContext) bool {
+func Skip(metadata *adapter.InboundContext) bool {
 	// skip server first protocols
 	switch metadata.Destination.Port {
 	case 25, 465, 587:
--- a/common/tls/ech_client.go
+++ b/common/tls/ech_client.go
@ -19,6 +19,7 @@ import (
 	"github.com/sagernet/sing-dns"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
+	"github.com/sagernet/sing/service"

 	mDNS "github.com/miekg/dns"
 )
@ -213,7 +214,7 @@ func fetchECHClientConfig(ctx context.Context) func(_ context.Context, serverNam
 				},
 			},
 		}
-		response, err := adapter.RouterFromContext(ctx).Exchange(ctx, message)
+		response, err := service.FromContext[adapter.Router](ctx).Exchange(ctx, message)
 		if err != nil {
 			return nil, err
 		}
--- a/common/tls/reality_server.go
+++ b/common/tls/reality_server.go
@ -11,7 +11,6 @@ import (
 	"time"

 	"github.com/sagernet/reality"
-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
@ -102,7 +101,7 @@ func NewRealityServer(ctx context.Context, logger log.Logger, options option.Inb
 		tlsConfig.ShortIds[shortID] = true
 	}

-	handshakeDialer, err := dialer.New(adapter.RouterFromContext(ctx), options.Reality.Handshake.DialerOptions)
+	handshakeDialer, err := dialer.New(ctx, options.Reality.Handshake.DialerOptions)
 	if err != nil {
 		return nil, err
 	}
--- a/common/uot/router.go
+++ b/common/uot/router.go
@ -13,14 +13,14 @@ import (
 	"github.com/sagernet/sing/common/uot"
 )

-var _ adapter.ConnectionRouter = (*Router)(nil)
+var _ adapter.ConnectionRouterEx = (*Router)(nil)

 type Router struct {
-	router adapter.ConnectionRouter
+	router adapter.ConnectionRouterEx
 	logger logger.ContextLogger
 }

-func NewRouter(router adapter.ConnectionRouter, logger logger.ContextLogger) *Router {
+func NewRouter(router adapter.ConnectionRouterEx, logger logger.ContextLogger) *Router {
 	return &Router{router, logger}
 }

@ -51,3 +51,36 @@ func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata ad
 func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
 	return r.router.RoutePacketConnection(ctx, conn, metadata)
 }
+
+func (r *Router) RouteConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
+	switch metadata.Destination.Fqdn {
+	case uot.MagicAddress:
+		request, err := uot.ReadRequest(conn)
+		if err != nil {
+			err = E.Cause(err, "UoT read request")
+			r.logger.ErrorContext(ctx, "process connection from ", metadata.Source, ": ", err)
+			N.CloseOnHandshakeFailure(conn, onClose, err)
+			return
+		}
+		if request.IsConnect {
+			r.logger.InfoContext(ctx, "inbound UoT connect connection to ", request.Destination)
+		} else {
+			r.logger.InfoContext(ctx, "inbound UoT connection to ", request.Destination)
+		}
+		metadata.Domain = metadata.Destination.Fqdn
+		metadata.Destination = request.Destination
+		r.router.RoutePacketConnectionEx(ctx, uot.NewConn(conn, *request), metadata, onClose)
+		return
+	case uot.LegacyMagicAddress:
+		r.logger.InfoContext(ctx, "inbound legacy UoT connection")
+		metadata.Domain = metadata.Destination.Fqdn
+		metadata.Destination = M.Socksaddr{Addr: netip.IPv4Unspecified()}
+		r.RoutePacketConnectionEx(ctx, uot.NewConn(conn, uot.Request{}), metadata, onClose)
+		return
+	}
+	r.router.RouteConnectionEx(ctx, conn, metadata, onClose)
+}
+
+func (r *Router) RoutePacketConnectionEx(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
+	r.router.RoutePacketConnectionEx(ctx, conn, metadata, onClose)
+}
--- a/constant/rule.go
+++ b/constant/rule.go
@ -22,3 +22,18 @@ const (
 	RuleSetVersion1 = 1 + iota
 	RuleSetVersion2
 )
+
+const (
+	RuleActionTypeRoute        = "route"
+	RuleActionTypeRouteOptions = "route-options"
+	RuleActionTypeDirect       = "direct"
+	RuleActionTypeReject       = "reject"
+	RuleActionTypeHijackDNS    = "hijack-dns"
+	RuleActionTypeSniff        = "sniff"
+	RuleActionTypeResolve      = "resolve"
+)
+
+const (
+	RuleActionRejectMethodDefault = "default"
+	RuleActionRejectMethodDrop    = "drop"
+)
--- a/docs/changelog.md
+++ b/docs/changelog.md
@ -2,6 +2,66 @@
 icon: material/alert-decagram
 ---

+#### 1.11.0-alpha.11
+
+* Fixes and improvements
+
+#### 1.11.0-alpha.9
+
+* Improve tun compatibility **1**
+* Fixes and improvements
+
+**1**:
+
+When `gvisor` tun stack is enabled, even if the request passes routing,
+if the outbound connection establishment fails,
+the connection still does not need to be established and a TCP RST is replied.
+
+#### 1.11.0-alpha.7
+
+* Introducing rule actions **1**
+
+**1**:
+
+New rule actions replace legacy inbound fields and special outbound fields,
+and can be used for pre-matching **2**.
+
+See [Rule](/configuration/route/rule/),
+[Rule Action](/configuration/route/rule_action/),
+[DNS Rule](/configuration/dns/rule/) and
+[DNS Rule Action](/configuration/dns/rule_action/).
+
+For migration, see
+[Migrate legacy special outbounds to rule actions](/migration/#migrate-legacy-special-outbounds-to-rule-actions), 
+[Migrate legacy inbound fields to rule actions](/migration/#migrate-legacy-inbound-fields-to-rule-actions)
+and [Migrate legacy DNS route options to rule actions](/migration/#migrate-legacy-dns-route-options-to-rule-actions).
+
+**2**:
+
+Similar to Surge's pre-matching.
+
+Specifically, the new rule actions allow you to reject connections with
+TCP RST (for TCP connections) and ICMP port unreachable (for UDP packets)
+before connection established to improve tun's compatibility.
+
+See [Rule Action](/configuration/route/rule_action/).
+
+#### 1.11.0-alpha.6
+
+* Update quic-go to v0.48.1
+* Set gateway for tun correctly
+* Fixes and improvements
+
+#### 1.11.0-alpha.2
+
+* Add warnings for usage of deprecated features
+* Fixes and improvements
+
+#### 1.11.0-alpha.1
+
+* Update quic-go to v0.48.0
+* Fixes and improvements
+
 ### 1.10.1

 * Fixes and improvements
@ -33,7 +93,7 @@ Important changes since 1.9:
 The new auto-redirect feature allows TUN to automatically
 configure connection redirection to improve proxy performance.

-When auto-redirect is enabled, new route address set options will allow you to 
+When auto-redirect is enabled, new route address set options will allow you to
 automatically configure destination IP CIDR rules from a specified rule set to the firewall.

 Specified or unspecified destinations will bypass the sing-box routes to get better performance
--- a/docs/configuration/dns/index.md
+++ b/docs/configuration/dns/index.md
@ -1,7 +1,3 @@
---
-icon: material/new-box
---
-
 !!! quote "Changes in sing-box 1.9.0"

    :material-plus: [client_subnet](#client_subnet)
--- a/docs/configuration/dns/index.zh.md
+++ b/docs/configuration/dns/index.zh.md
@ -1,7 +1,3 @@
---
-icon: material/new-box
---
-
 !!! quote "sing-box 1.9.0 中的更改"

    :material-plus: [client_subnet](#client_subnet)
--- a/docs/configuration/dns/rule.md
+++ b/docs/configuration/dns/rule.md
@ -2,6 +2,14 @@
 icon: material/new-box
 ---

+!!! quote "Changes in sing-box 1.11.0"
+
+    :material-plus: [action](#action)  
+    :material-alert: [server](#server)  
+    :material-alert: [disable_cache](#disable_cache)  
+    :material-alert: [rewrite_ttl](#rewrite_ttl)  
+    :material-alert: [client_subnet](#client_subnet)
+
 !!! quote "Changes in sing-box 1.10.0"

    :material-delete-clock: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)  
@ -14,7 +22,7 @@ icon: material/new-box
    :material-plus: [geoip](#geoip)  
    :material-plus: [ip_cidr](#ip_cidr)  
    :material-plus: [ip_is_private](#ip_is_private)  
-    :material-plus: [client_subnet](#client_subnet)
+    :material-plus: [client_subnet](#client_subnet)  
    :material-plus: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)

 !!! quote "Changes in sing-box 1.8.0"
@ -135,19 +143,15 @@ icon: material/new-box
        "outbound": [
          "direct"
        ],
-        "server": "local",
-        "disable_cache": false,
-        "rewrite_ttl": 100,
-        "client_subnet": "127.0.0.1/24"
+        "action": "route",
+        "server": "local"
      },
      {
        "type": "logical",
        "mode": "and",
        "rules": [],
-        "server": "local",
-        "disable_cache": false,
-        "rewrite_ttl": 100,
-        "client_subnet": "127.0.0.1/24"
+        "action": "route",
+        "server": "local"
      }
    ]
  }
@ -218,7 +222,7 @@ Match domain using regular expression.

 !!! failure "Deprecated in sing-box 1.8.0"

-    Geosite is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geosite-to-rule-sets).
+    Geosite is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geosite-to-rule-sets).

 Match geosite.

@ -226,7 +230,7 @@ Match geosite.

 !!! failure "Deprecated in sing-box 1.8.0"

-    GeoIP is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geoip-to-rule-sets).
+    GeoIP is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geoip-to-rule-sets).

 Match source geoip.

@ -354,29 +358,35 @@ Match outbound.

 `any` can be used as a value to match any outbound.

-#### server
+#### action

 ==Required==

-Tag of the target dns server.
+See [DNS Rule Actions](../rule_action/) for details.
+
+#### server
+
+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Moved to [DNS Rule Action](../rule_action#route).

 #### disable_cache

-Disable cache and save cache in this query.
+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Moved to [DNS Rule Action](../rule_action#route).

 #### rewrite_ttl

-Rewrite TTL in DNS responses.
+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Moved to [DNS Rule Action](../rule_action#route).

 #### client_subnet

-!!! question "Since sing-box 1.9.0"
+!!! failure "Deprecated in sing-box 1.11.0"

-Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
-
-If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
-
-Will overrides `dns.client_subnet` and `servers.[].client_subnet`.
+    Moved to [DNS Rule Action](../rule_action#route).

 ### Address Filter Fields

--- a/docs/configuration/dns/rule.zh.md
+++ b/docs/configuration/dns/rule.zh.md
@ -14,7 +14,7 @@ icon: material/new-box
    :material-plus: [geoip](#geoip)  
    :material-plus: [ip_cidr](#ip_cidr)  
    :material-plus: [ip_is_private](#ip_is_private)  
-    :material-plus: [client_subnet](#client_subnet)
+    :material-plus: [client_subnet](#client_subnet)  
    :material-plus: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)

 !!! quote "sing-box 1.8.0 中的更改"
--- a/docs/configuration/dns/rule_action.md
+++ b/docs/configuration/dns/rule_action.md
@ -0,0 +1,85 @@
+---
+icon: material/new-box
+---
+
+# DNS Rule Action
+
+!!! question "Since sing-box 1.11.0"
+
+### route
+
+```json
+{
+  "action": "route",  // default
+  "server": "",
+  
+  // for compatibility
+  "disable_cache": false,
+  "rewrite_ttl": 0,
+  "client_subnet": null
+}
+```
+
+`route` inherits the classic rule behavior of routing DNS requests to the specified server.
+
+#### server
+
+==Required==
+
+Tag of target server.
+
+#### disable_cache/rewrite_ttl/client_subnet
+
+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Legacy route options is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-legacy-dns-route-options-to-rule-actions).
+
+### route-options
+
+```json
+{
+  "action": "route-options",
+  "disable_cache": false,
+  "rewrite_ttl": null,
+  "client_subnet": null
+}
+```
+
+#### disable_cache
+
+Disable cache and save cache in this query.
+
+#### rewrite_ttl
+
+Rewrite TTL in DNS responses.
+
+#### client_subnet
+
+Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
+
+If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
+
+Will overrides `dns.client_subnet` and `servers.[].client_subnet`.
+
+### reject
+
+```json
+{
+  "action": "reject",
+  "method": "default", // default
+  "no_drop": false
+}
+```
+
+`reject` reject DNS requests.
+
+#### method
+
+- `default`: Reply with NXDOMAIN.
+- `drop`: Drop the request.
+
+#### no_drop
+
+If not enabled, `method` will be temporarily overwritten to `drop` after 50 triggers in 30s.
+
+Not available when `method` is set to drop.
--- a/docs/configuration/dns/rule_action.zh.md
+++ b/docs/configuration/dns/rule_action.zh.md
@ -0,0 +1,86 @@
+---
+icon: material/new-box
+---
+
+# DNS 规则动作
+
+!!! question "自 sing-box 1.11.0 起"
+
+### route
+
+```json
+{
+  "action": "route",  // 默认
+  "server": "",
+  
+  // 兼容性
+  "disable_cache": false,
+  "rewrite_ttl": 0,
+  "client_subnet": null
+}
+```
+
+`route` 继承了将 DNS 请求 路由到指定服务器的经典规则动作。
+
+#### server
+
+==必填==
+
+目标 DNS 服务器的标签。
+
+#### disable_cache/rewrite_ttl/client_subnet
+
+!!! failure "自 sing-box 1.11.0 起"
+
+    旧的路由选项已弃用，且将在 sing-box 1.12.0 中移除，参阅 [迁移指南](/migration/#migrate-legacy-dns-route-options-to-rule-actions).
+
+### route-options
+
+```json
+{
+  "action": "route-options",
+  "disable_cache": false,
+  "rewrite_ttl": null,
+  "client_subnet": null
+}
+```
+
+
+#### disable_cache
+
+在此查询中禁用缓存。
+
+#### rewrite_ttl
+
+重写 DNS 回应中的 TTL。
+
+#### client_subnet
+
+默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
+
+如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
+
+将覆盖 `dns.client_subnet` 与 `servers.[].client_subnet`。
+
+### reject
+
+```json
+{
+  "action": "reject",
+  "method": "default", // default
+  "no_drop": false
+}
+```
+
+`reject` 拒绝 DNS 请求。
+
+#### method
+
+- `default`: 返回 NXDOMAIN。
+- `drop`: 丢弃请求。
+
+#### no_drop
+
+如果未启用，则 30 秒内触发 50 次后，`method` 将被暂时覆盖为 `drop`。
+
+当 `method` 设为 `drop` 时不可用。
--- a/docs/configuration/dns/server.md
+++ b/docs/configuration/dns/server.md
@ -1,7 +1,3 @@
---
-icon: material/new-box
---
-
 !!! quote "Changes in sing-box 1.9.0"

    :material-plus: [client_subnet](#client_subnet)
--- a/docs/configuration/dns/server.zh.md
+++ b/docs/configuration/dns/server.zh.md
@ -1,7 +1,3 @@
---
-icon: material/new-box
---
-
 !!! quote "sing-box 1.9.0 中的更改"

    :material-plus: [client_subnet](#client_subnet)
--- a/docs/configuration/experimental/cache-file.md
+++ b/docs/configuration/experimental/cache-file.md
@ -1,7 +1,3 @@
---
-icon: material/new-box
---
-
 !!! question "Since sing-box 1.8.0"

 !!! quote "Changes in sing-box 1.9.0"
--- a/docs/configuration/experimental/cache-file.zh.md
+++ b/docs/configuration/experimental/cache-file.zh.md
@ -1,7 +1,3 @@
---
-icon: material/new-box
---
-
 !!! question "自 sing-box 1.8.0 起"

 !!! quote "sing-box 1.9.0 中的更改"
--- a/docs/configuration/outbound/block.md
+++ b/docs/configuration/outbound/block.md
@ -1,8 +1,14 @@
-`block` outbound closes all incoming requests.
+---
+icon: material/delete-clock
+---
+
+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Legacy special outbounds are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-special-outbounds-to-rule-actions). 

 ### Structure

-```json
+```json F
 {
  "type": "block",
  "tag": "block"
--- a/docs/configuration/outbound/block.zh.md
+++ b/docs/configuration/outbound/block.zh.md
@ -1,3 +1,11 @@
+---
+icon: material/delete-clock
+---
+
+!!! failure "已在 sing-box 1.11.0 废弃"
+
+    旧的特殊出站已被弃用，且将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/migration/#migrate-legacy-special-outbounds-to-rule-actions). 
+
 `block` 出站关闭所有传入请求。

 ### 结构
@ -11,4 +19,4 @@

 ### 字段

-无字段。
+无字段。
--- a/docs/configuration/outbound/dns.md
+++ b/docs/configuration/outbound/dns.md
@ -1,3 +1,11 @@
+---
+icon: material/delete-clock
+---
+
+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Legacy special outbounds are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-special-outbounds-to-rule-actions).
+
 `dns` outbound is a internal DNS server.

 ### Structure
--- a/docs/configuration/outbound/dns.zh.md
+++ b/docs/configuration/outbound/dns.zh.md
@ -1,3 +1,11 @@
+---
+icon: material/delete-clock
+---
+
+!!! failure "已在 sing-box 1.11.0 废弃"
+
+    旧的特殊出站已被弃用，且将在 sing-box 1.13.0 中被移除, 参阅 [迁移指南](/migration/#migrate-legacy-special-outbounds-to-rule-actions). 
+
 `dns` 出站是一个内部 DNS 服务器。

 ### 结构
--- a/docs/configuration/route/geoip.md
+++ b/docs/configuration/route/geoip.md
@ -4,7 +4,7 @@ icon: material/delete-clock

 !!! failure "Deprecated in sing-box 1.8.0"

-    GeoIP is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geoip-to-rule-sets).
+    GeoIP is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geoip-to-rule-sets).

 ### Structure

--- a/docs/configuration/route/geoip.zh.md
+++ b/docs/configuration/route/geoip.zh.md
@ -4,7 +4,7 @@ icon: material/delete-clock

 !!! failure "已在 sing-box 1.8.0 废弃"

-    GeoIP 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#geoip)。
+    GeoIP 已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geoip)。

 ### 结构

--- a/docs/configuration/route/geosite.md
+++ b/docs/configuration/route/geosite.md
@ -4,7 +4,7 @@ icon: material/delete-clock

 !!! failure "Deprecated in sing-box 1.8.0"

-    Geosite is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geosite-to-rule-sets).
+    Geosite is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geosite-to-rule-sets).

 ### Structure

--- a/docs/configuration/route/geosite.zh.md
+++ b/docs/configuration/route/geosite.zh.md
@ -4,7 +4,7 @@ icon: material/delete-clock

 !!! failure "已在 sing-box 1.8.0 废弃"

-    Geosite 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#geosite)。
+    Geosite 已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geosite)。

 ### 结构

--- a/docs/configuration/route/rule.md
+++ b/docs/configuration/route/rule.md
@ -1,7 +1,12 @@
 ---
-icon: material/alert-decagram
+icon: material/new-box
 ---

+!!! quote "Changes in sing-box 1.11.0"
+
+    :material-plus: [action](#action)  
+    :material-alert: [outbound](#outbound)
+
 !!! quote "Changes in sing-box 1.10.0"

    :material-plus: [client](#client)  
@ -129,6 +134,7 @@ icon: material/alert-decagram
        "rule_set_ipcidr_match_source": false,
        "rule_set_ip_cidr_match_source": false,
        "invert": false,
+        "action": "route",
        "outbound": "direct"
      },
      {
@ -136,6 +142,7 @@ icon: material/alert-decagram
        "mode": "and",
        "rules": [],
        "invert": false,
+        "action": "route",
        "outbound": "direct"
      }
    ]
@ -209,7 +216,7 @@ Match domain using regular expression.

 !!! failure "Deprecated in sing-box 1.8.0"

-    Geosite is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geosite-to-rule-sets).
+    Geosite is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geosite-to-rule-sets).

 Match geosite.

@ -217,7 +224,7 @@ Match geosite.

 !!! failure "Deprecated in sing-box 1.8.0"

-    GeoIP is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geoip-to-rule-sets).
+    GeoIP is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geoip-to-rule-sets).

 Match source geoip.

@ -225,7 +232,7 @@ Match source geoip.

 !!! failure "Deprecated in sing-box 1.8.0"

-    GeoIP is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geoip-to-rule-sets).
+    GeoIP is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geoip-to-rule-sets).

 Match geoip.

@ -357,11 +364,17 @@ Make `ip_cidr` in rule-sets match the source IP.

 Invert match result.

-#### outbound
+#### action

 ==Required==

-Tag of the target outbound.
+See [Rule Actions](../rule_action/) for details.
+
+#### outbound
+
+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Moved to [Rule Action](../rule_action#route).

 ### Logical Fields

--- a/docs/configuration/route/rule.zh.md
+++ b/docs/configuration/route/rule.zh.md
@ -1,7 +1,12 @@
 ---
-icon: material/alert-decagram
+icon: material/new-box
 ---

+!!! quote "sing-box 1.11.0 中的更改"
+
+    :material-plus: [action](#action)  
+    :material-alert: [outbound](#outbound)
+
 !!! quote "sing-box 1.10.0 中的更改"

    :material-plus: [client](#client)  
@ -127,6 +132,7 @@ icon: material/alert-decagram
        "rule_set_ipcidr_match_source": false,
        "rule_set_ip_cidr_match_source": false,
        "invert": false,
+        "action": "route",
        "outbound": "direct"
      },
      {
@ -134,6 +140,7 @@ icon: material/alert-decagram
        "mode": "and",
        "rules": [],
        "invert": false,
+        "action": "route",
        "outbound": "direct"
      }
    ]
@ -355,11 +362,17 @@ icon: material/alert-decagram

 反选匹配结果。

-#### outbound
+#### action

 ==必填==

-目标出站的标签。
+参阅 [规则行动](../rule_action/)。
+
+#### outbound
+
+!!! failure "已在 sing-box 1.11.0 废弃"
+
+    已移动到 [规则行动](../rule_action#route).

 ### 逻辑字段

--- a/docs/configuration/route/rule_action.md
+++ b/docs/configuration/route/rule_action.md
@ -0,0 +1,139 @@
+---
+icon: material/new-box
+---
+
+# Rule Action
+
+!!! question "Since sing-box 1.11.0"
+
+## Final actions
+
+### route
+
+```json
+{
+  "action": "route", // default
+  "outbound": ""
+}
+```
+
+`route` inherits the classic rule behavior of routing connection to the specified outbound.
+
+#### outbound
+
+==Required==
+
+Tag of target outbound.
+
+### route-options
+
+```json
+{
+  "action": "route-options",
+  "udp_disable_domain_unmapping": false,
+  "udp_connect": false
+}
+```
+
+`route-options` set options for routing.
+
+#### udp_disable_domain_unmapping
+
+If enabled, for UDP proxy requests addressed to a domain,
+the original packet address will be sent in the response instead of the mapped domain.
+
+This option is used for compatibility with clients that
+do not support receiving UDP packets with domain addresses, such as Surge.
+
+#### udp_connect
+
+If enabled, attempts to connect UDP connection to the destination instead of listen.
+
+### reject
+
+```json
+{
+  "action": "reject",
+  "method": "default", // default
+  "no_drop": false
+}
+```
+
+`reject` reject connections
+
+The specified method is used for reject tun connections if `sniff` action has not been performed yet.
+
+For non-tun connections and already established connections, will just be closed.
+
+#### method
+
+- `default`: Reply with TCP RST for TCP connections, and ICMP port unreachable for UDP packets.
+- `drop`: Drop packets.
+
+#### no_drop
+
+If not enabled, `method` will be temporarily overwritten to `drop` after 50 triggers in 30s.
+
+Not available when `method` is set to drop.
+
+### hijack-dns
+
+```json
+{
+  "action": "hijack-dns"
+}
+```
+
+`hijack-dns` hijack DNS requests to the sing-box DNS module.
+
+## Non-final actions
+
+### sniff
+
+```json
+{
+  "action": "sniff",
+  "sniffer": [],
+  "timeout": ""
+}
+```
+
+`sniff` performs protocol sniffing on connections.
+
+For deprecated `inbound.sniff` options, it is considered to `sniff()` performed before routing.
+
+#### sniffer
+
+Enabled sniffers.
+
+All sniffers enabled by default.
+
+Available protocol values an be found on in [Protocol Sniff](../sniff/)
+
+#### timeout
+
+Timeout for sniffing.
+
+`300ms` is used by default.
+
+### resolve
+
+```json
+{
+  "action": "resolve",
+  "strategy": "",
+  "server": ""
+}
+```
+
+`resolve` resolve request destination from domain to IP addresses.
+
+#### strategy
+
+DNS resolution strategy, available values are: `prefer_ipv4`, `prefer_ipv6`, `ipv4_only`, `ipv6_only`.
+
+`dns.strategy` will be used by default.
+
+#### server
+
+Specifies DNS server tag to use instead of selecting through DNS routing.
--- a/docs/configuration/route/rule_action.zh.md
+++ b/docs/configuration/route/rule_action.zh.md
@ -0,0 +1,136 @@
+---
+icon: material/new-box
+---
+
+# 规则动作
+
+!!! question "自 sing-box 1.11.0 起"
+
+## 最终动作
+
+### route
+
+```json
+{
+  "action": "route", // 默认
+  "outbound": "",
+  "udp_disable_domain_unmapping": false
+}
+```
+
+`route` 继承了将连接路由到指定出站的经典规则动作。
+
+#### outbound
+
+==必填==
+
+目标出站的标签。
+
+### route-options
+
+```json
+{
+  "action": "route-options",
+  "udp_disable_domain_unmapping": false,
+    "udp_connect": false
+}
+```
+
+#### udp_disable_domain_unmapping
+
+如果启用，对于地址为域的 UDP 代理请求，将在响应中发送原始包地址而不是映射的域。
+
+此选项用于兼容不支持接收带有域地址的 UDP 包的客户端，如 Surge。
+
+#### udp_connect
+
+如果启用，将尝试将 UDP 连接 connect 到目标而不是 listen。
+
+### reject
+
+```json
+{
+  "action": "reject",
+  "method": "default",  // 默认
+  "no_drop": false
+}
+```
+
+`reject` 拒绝连接。
+
+如果尚未执行 `sniff` 操作，则将使用指定方法拒绝 tun 连接。
+
+对于非 tun 连接和已建立的连接，将直接关闭。
+
+#### method
+
+- `default`: 对于 TCP 连接回复 RST，对于 UDP 包回复 ICMP 端口不可达。
+- `drop`: 丢弃数据包。
+
+#### no_drop
+
+如果未启用，则 30 秒内触发 50 次后，`method` 将被暂时覆盖为 `drop`。
+
+当 `method` 设为 `drop` 时不可用。
+
+### hijack-dns
+
+```json
+{
+  "action": "hijack-dns"
+}
+```
+
+`hijack-dns` 劫持 DNS 请求至 sing-box DNS 模块。
+
+## 非最终动作
+
+### sniff
+
+```json
+{
+  "action": "sniff",
+  "sniffer": [],
+  "timeout": ""
+}
+```
+
+`sniff` 对连接执行协议嗅探。
+
+对于已弃用的 `inbound.sniff` 选项，被视为在路由之前执行的 `sniff`。
+
+#### sniffer
+
+启用的探测器。
+
+默认启用所有探测器。
+
+可用的协议值可以在 [协议嗅探](../sniff/) 中找到。
+
+#### timeout
+
+探测超时时间。
+
+默认使用 300ms。
+
+### resolve
+
+```json
+{
+  "action": "resolve",
+  "strategy": "",
+  "server": ""
+}
+```
+
+`resolve` 将请求的目标从域名解析为 IP 地址。
+
+#### strategy
+
+DNS 解析策略，可用值有：`prefer_ipv4`、`prefer_ipv6`、`ipv4_only`、`ipv6_only`。
+
+默认使用 `dns.strategy`。
+
+#### server
+
+指定要使用的 DNS 服务器的标签，而不是通过 DNS 路由进行选择。
--- a/docs/configuration/shared/listen.md
+++ b/docs/configuration/shared/listen.md
@ -1,3 +1,15 @@
+---
+icon: material/delete-clock
+---
+
+!!! quote "Changes in sing-box 1.11.0"
+
+    :material-delete-clock: [sniff](#sniff)  
+    :material-delete-clock: [sniff_override_destination](#sniff_override_destination)  
+    :material-delete-clock: [sniff_timeout](#sniff_timeout)  
+    :material-delete-clock: [domain_strategy](#domain_strategy)  
+    :material-delete-clock: [udp_disable_domain_unmapping](#udp_disable_domain_unmapping)
+
 ### Structure

 ```json
@ -68,24 +80,40 @@ Requires target inbound support, see [Injectable](/configuration/inbound/#fields

 #### sniff

+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Inbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
+
 Enable sniffing.

 See [Protocol Sniff](/configuration/route/sniff/) for details.

 #### sniff_override_destination

+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Inbound fields are deprecated and will be removed in sing-box 1.13.0.
+
 Override the connection destination address with the sniffed domain.

 If the domain name is invalid (like tor), this will not work.

 #### sniff_timeout

+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Inbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
+
 Timeout for sniffing.

-300ms is used by default.
+`300ms` is used by default.

 #### domain_strategy

+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Inbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
+
 One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.

 If set, the requested domain name will be resolved to IP before routing.
@ -94,6 +122,10 @@ If `sniff_override_destination` is in effect, its value will be taken as a fallb

 #### udp_disable_domain_unmapping

+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Inbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
+
 If enabled, for UDP proxy requests addressed to a domain, 
 the original packet address will be sent in the response instead of the mapped domain.

--- a/docs/configuration/shared/listen.zh.md
+++ b/docs/configuration/shared/listen.zh.md
@ -1,3 +1,15 @@
+---
+icon: material/delete-clock
+---
+
+!!! quote "sing-box 1.11.0 中的更改"
+
+    :material-delete-clock: [sniff](#sniff)  
+    :material-delete-clock: [sniff_override_destination](#sniff_override_destination)  
+    :material-delete-clock: [sniff_timeout](#sniff_timeout)  
+    :material-delete-clock: [domain_strategy](#domain_strategy)  
+    :material-delete-clock: [udp_disable_domain_unmapping](#udp_disable_domain_unmapping)
+
 ### 结构

 ```json
@ -69,24 +81,40 @@ UDP NAT 过期时间，以秒为单位。

 #### sniff

+!!! failure "已在 sing-box 1.11.0 废弃"
+
+    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
+
 启用协议探测。

 参阅 [协议探测](/zh/configuration/route/sniff/)

 #### sniff_override_destination

+!!! failure "已在 sing-box 1.11.0 废弃"
+
+    入站字段已废弃且将在 sing-box 1.12.0 中被移除。
+
 用探测出的域名覆盖连接目标地址。

 如果域名无效（如 Tor），将不生效。

 #### sniff_timeout

+!!! failure "已在 sing-box 1.11.0 废弃"
+
+    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
+
 探测超时时间。

 默认使用 300ms。

 #### domain_strategy

+!!! failure "已在 sing-box 1.11.0 废弃"
+
+    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
+
 可选值： `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。

 如果设置，请求的域名将在路由之前解析为 IP。
@ -95,6 +123,10 @@ UDP NAT 过期时间，以秒为单位。

 #### udp_disable_domain_unmapping

+!!! failure "已在 sing-box 1.11.0 废弃"
+
+    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
+
 如果启用，对于地址为域的 UDP 代理请求，将在响应中发送原始包地址而不是映射的域。

 此选项用于兼容不支持接收带有域地址的 UDP 包的客户端，如 Surge。
--- a/docs/deprecated.md
+++ b/docs/deprecated.md
@ -4,6 +4,32 @@ icon: material/delete-alert

 # Deprecated Feature List

+## 1.11.0
+
+#### Legacy special outbounds
+
+Legacy special outbounds (`block` / `dns`) are deprecated
+and can be replaced by rule actions,
+check [Migration](../migration/#migrate-legacy-special-outbounds-to-rule-actions).
+
+Old fields will be removed in sing-box 1.13.0.
+
+#### Legacy inbound fields
+
+Legacy inbound fields （`inbound.<sniff/domain_strategy/...>` are deprecated
+and can be replaced by rule actions,
+check [Migration](../migration/#migrate-legacy-inbound-fields-to-rule-actions).
+
+Old fields will be removed in sing-box 1.13.0.
+
+#### Legacy DNS route options
+
+Legacy DNS route options (`disable_cache`, `rewrite_ttl`, `client_subnet`) are deprecated
+and can be replaced by rule actions,
+check [Migration](../migration/#migrate-legacy-dns-route-options-to-rule-actions).
+
+Old fields will be removed in sing-box 1.12.0.
+
 ## 1.10.0

 #### TUN address fields are merged
@ -12,7 +38,7 @@ icon: material/delete-alert
 `inet4_route_address` and `inet6_route_address` are merged into `route_address`,
 `inet4_route_exclude_address` and `inet6_route_exclude_address` are merged into `route_exclude_address`.

-Old fields are deprecated and will be removed in sing-box 1.11.0.
+Old fields will be removed in sing-box 1.12.0.

 #### Match source rule items are renamed

@ -32,7 +58,7 @@ check [Migration](/migration/#migrate-cache-file-from-clash-api-to-independent-o

 #### GeoIP

-GeoIP is deprecated and may be removed in the future.
+GeoIP is deprecated and will be removed in sing-box 1.12.0.

 The maxmind GeoIP National Database, as an IP classification database,
 is not entirely suitable for traffic bypassing,
@ -43,7 +69,7 @@ check [Migration](/migration/#migrate-geoip-to-rule-sets).

 #### Geosite

-Geosite is deprecated and may be removed in the future.
+Geosite is deprecated and will be removed in sing-box 1.12.0.

 Geosite, the `domain-list-community` project maintained by V2Ray as an early traffic bypassing solution,
 suffers from a number of problems, including lack of maintenance, inaccurate rules, and difficult management.
--- a/docs/deprecated.zh.md
+++ b/docs/deprecated.zh.md
@ -4,6 +4,29 @@ icon: material/delete-alert

 # 废弃功能列表

+## 1.11.0
+
+#### 旧的特殊出站
+
+旧的特殊出站（`block` / `dns`）已废弃且可以通过规则动作替代，
+参阅 [迁移指南](/migration/#migrate-legacy-special-outbounds-to-rule-actions)。
+
+旧字段将在 sing-box 1.13.0 中被移除。
+
+#### 旧的入站字段
+
+旧的入站字段（`inbound.<sniff/domain_strategy/...>`）已废弃且可以通过规则动作替代，
+参阅 [迁移指南](/migration/#migrate-legacy-inbound-fields-to-rule-actions)。
+
+旧字段将在 sing-box 1.13.0 中被移除。
+
+#### 旧的 DNS 路由参数
+
+旧的 DNS 路由参数（`disable_cache`、`rewrite_ttl`、`client_subnet`）已废弃且可以通过规则动作替代，
+参阅 [迁移指南](/migration/#migrate-legacy-dns-route-options-to-rule-actions)。
+
+旧字段将在 sing-box 1.12.0 中被移除。
+
 ## 1.10.0

 #### Match source 规则项已重命名
@ -17,7 +40,7 @@ icon: material/delete-alert
 `inet4_route_address` 和 `inet6_route_address` 已合并为 `route_address`，
 `inet4_route_exclude_address` 和 `inet6_route_exclude_address` 已合并为 `route_exclude_address`。

-旧字段已废弃，且将在 sing-box 1.11.0 中被移除。
+旧字段将在 sing-box 1.11.0 中被移除。

 #### 移除对 go1.18 和 go1.19 的支持

@ -32,7 +55,7 @@ Clash API 中的 `cache_file` 及相关功能已废弃且已迁移到独立的 `

 #### GeoIP

-GeoIP 已废弃且可能在不久的将来移除。
+GeoIP 已废弃且将在 sing-box 1.12.0 中被移除。

 maxmind GeoIP 国家数据库作为 IP 分类数据库，不完全适合流量绕过，
 且现有的实现均存在内存使用大与管理困难的问题。
@ -42,7 +65,7 @@ sing-box 1.8.0 引入了[规则集](/configuration/rule-set/)，

 #### Geosite

-Geosite 已废弃且可能在不久的将来移除。
+Geosite 已废弃且将在 sing-box 1.12.0 中被移除。

 Geosite，即由 V2Ray 维护的 domain-list-community 项目，作为早期流量绕过解决方案，
 存在着包括缺少维护、规则不准确和管理困难内的大量问题。
--- a/docs/migration.md
+++ b/docs/migration.md
@ -2,6 +2,212 @@
 icon: material/arrange-bring-forward
 ---

+## 1.11.0
+
+### Migrate legacy special outbounds to rule actions
+
+Legacy special outbounds are deprecated and can be replaced by rule actions.
+
+!!! info "References"
+
+    [Rule Action](/configuration/route/rule_action/) / 
+    [Block](/configuration/outbound/block/) / 
+    [DNS](/configuration/outbound/dns)
+
+=== "Block"
+
+    === ":material-card-remove: Deprecated"
+    
+        ```json
+        {
+          "outbounds": [
+            {
+              "type": "block",
+              "tag": "block"
+            }
+          ],
+          "route": {
+            "rules": [
+              {
+                ...,
+                
+                "outbound": "block"
+              }
+            ]
+          }
+        }
+        ```
+
+    === ":material-card-multiple: New"
+    
+        ```json
+        {
+          "route": {
+            "rules": [
+              {
+                ...,
+                
+                "action": "reject"
+              }
+            ]
+          }
+        }
+        ```
+
+=== "DNS"
+
+    === ":material-card-remove: Deprecated"
+    
+        ```json
+        {
+          "inbound": [
+            {
+              ...,
+              
+              "sniff": true
+            }
+          ],
+          "outbounds": [
+            {
+              "tag": "dns",
+              "type": "dns"
+            }
+          ],
+          "route": {
+            "rules": [
+              {
+                "protocol": "dns",
+                "outbound": "dns"
+              }
+            ]
+          }
+        }
+        ```
+    
+    === ":material-card-multiple: New"
+    
+        ```json
+        {
+          "route": {
+            "rules": [
+              {
+                "action": "sniff"
+              },
+              {
+                "protocol": "dns",
+                "action": "hijack-dns"
+              }
+            ]
+          }
+        }
+        ```
+
+### Migrate legacy inbound fields to rule actions
+
+Inbound fields are deprecated and can be replaced by rule actions.
+
+!!! info "References"
+
+    [Listen Fields](/configuration/inbound/listen/) /
+    [Rule](/configuration/route/rule/) / 
+    [Rule Action](/configuration/route/rule_action/) / 
+    [DNS Rule](/configuration/dns/rule/) / 
+    [DNS Rule Action](/configuration/dns/rule_action/)
+
+=== ":material-card-remove: Deprecated"
+
+    ```json
+    {
+      "inbounds": [
+        {
+          "type": "mixed",
+          "sniff": true,
+          "sniff_timeout": "1s",
+          "domain_strategy": "prefer_ipv4"
+        }
+      ]
+    }
+    ```
+
+=== ":material-card-multiple: New"
+
+    ```json
+    {
+      "inbounds": [
+        {
+          "type": "mixed",
+          "tag": "in"
+        }
+      ],
+      "route": {
+        "rules": [
+          {
+            "inbound": "in",
+            "action": "resolve",
+            "strategy": "prefer_ipv4"
+          },
+          {
+            "inbound": "in",
+            "action": "sniff",
+            "timeout": "1s"
+          }
+        ]
+      }
+    }
+    ```
+
+### Migrate legacy DNS route options to rule actions
+
+Legacy DNS route options are deprecated and can be replaced by rule actions.
+
+!!! info "References"
+
+    [DNS Rule](/configuration/dns/rule/) / 
+    [DNS Rule Action](/configuration/dns/rule_action/)
+
+=== ":material-card-remove: Deprecated"
+
+    ```json
+    {
+      "dns": {
+        "rules": [
+          {
+            ...,
+            
+            "server": "local",
+            "disable_cache": true,
+            "rewrite_ttl": 600,
+            "client_subnet": "1.1.1.1/24"
+          }
+        ]
+      }
+    }
+    ```
+
+=== ":material-card-multiple: New"
+
+    ```json
+    {
+      "dns": {
+        "rules": [
+          {
+            ...,
+            
+            "action": "route-options",
+            "disable_cache": true,
+            "rewrite_ttl": 600,
+            "client_subnet": "1.1.1.1/24"
+          },
+          {
+            ...,
+            
+            "server": "local"
+          }
+        ]
+      }
+    }
+    ```
+
 ## 1.10.0

 ### TUN address fields are merged
@ -10,8 +216,6 @@ icon: material/arrange-bring-forward
 `inet4_route_address` and `inet6_route_address` are merged into `route_address`,
 `inet4_route_exclude_address` and `inet6_route_exclude_address` are merged into `route_exclude_address`.

-Old fields are deprecated and will be removed in sing-box 1.11.0.
-
 !!! info "References"

    [TUN](/configuration/inbound/tun/)
--- a/docs/migration.zh.md
+++ b/docs/migration.zh.md
@ -2,6 +2,212 @@
 icon: material/arrange-bring-forward
 ---

+## 1.11.0
+
+### 迁移旧的特殊出站到规则动作
+
+旧的特殊出站已被弃用，且可以被规则动作替代。
+
+!!! info "参考"
+
+    [规则动作](/zh/configuration/route/rule_action/) /
+    [Block](/zh/configuration/outbound/block/) / 
+    [DNS](/zh/configuration/outbound/dns)
+
+=== "Block"
+
+    === ":material-card-remove: 弃用的"
+    
+        ```json
+        {
+          "outbounds": [
+            {
+              "type": "block",
+              "tag": "block"
+            }
+          ],
+          "route": {
+            "rules": [
+              {
+                ...,
+                
+                "outbound": "block"
+              }
+            ]
+          }
+        }
+        ```
+
+    === ":material-card-multiple: 新的"
+    
+        ```json
+        {
+          "route": {
+            "rules": [
+              {
+                ...,
+                
+                "action": "reject"
+              }
+            ]
+          }
+        }
+        ```
+
+=== "DNS"
+
+    === ":material-card-remove: 弃用的"
+    
+        ```json
+        {
+          "inbound": [
+            {
+              ...,
+              
+              "sniff": true
+            }
+          ],
+          "outbounds": [
+            {
+              "tag": "dns",
+              "type": "dns"
+            }
+          ],
+          "route": {
+            "rules": [
+              {
+                "protocol": "dns",
+                "outbound": "dns"
+              }
+            ]
+          }
+        }
+        ```
+    
+    === ":material-card-multiple: 新的"
+    
+        ```json
+        {
+          "route": {
+            "rules": [
+              {
+                "action": "sniff"
+              },
+              {
+                "protocol": "dns",
+                "action": "hijack-dns"
+              }
+            ]
+          }
+        }
+        ```
+
+### 迁移旧的入站字段到规则动作
+
+入站选项已被弃用，且可以被规则动作替代。
+
+!!! info "参考"
+
+    [监听字段](/zh/configuration/shared/listen/) /
+    [规则](/zh/configuration/route/rule/) /
+    [规则动作](/zh/configuration/route/rule_action/) /
+    [DNS 规则](/zh/configuration/dns/rule/) /
+    [DNS 规则动作](/zh/configuration/dns/rule_action/)
+
+=== ":material-card-remove: 弃用的"
+
+    ```json
+    {
+      "inbounds": [
+        {
+          "type": "mixed",
+          "sniff": true,
+          "sniff_timeout": "1s",
+          "domain_strategy": "prefer_ipv4"
+        }
+      ]
+    }
+    ```
+
+=== ":material-card-multiple: New"
+
+    ```json
+    {
+      "inbounds": [
+        {
+          "type": "mixed",
+          "tag": "in"
+        }
+      ],
+      "route": {
+        "rules": [
+          {
+            "inbound": "in",
+            "action": "resolve",
+            "strategy": "prefer_ipv4"
+          },
+          {
+            "inbound": "in",
+            "action": "sniff",
+            "timeout": "1s"
+          }
+        ]
+      }
+    }
+    ```
+
+### 迁移旧的 DNS 路由选项到规则动作
+
+旧的 DNS 路由选项已被弃用，且可以被规则动作替代。
+
+!!! info "参考"
+
+    [DNS 规则](/zh/configuration/dns/rule/) / 
+    [DNS 规则动作](/zh/configuration/dns/rule_action/)
+
+=== ":material-card-remove: 弃用的"
+
+    ```json
+    {
+      "dns": {
+        "rules": [
+          {
+            ...,
+            
+            "server": "local",
+            "disable_cache": true,
+            "rewrite_ttl": 600,
+            "client_subnet": "1.1.1.1/24"
+          }
+        ]
+      }
+    }
+    ```
+
+=== ":material-card-multiple: 新的"
+
+    ```json
+    {
+      "dns": {
+        "rules": [
+          {
+            ...,
+            
+            "action": "route-options",
+            "disable_cache": true,
+            "rewrite_ttl": 600,
+            "client_subnet": "1.1.1.1/24"
+          },
+          {
+            ...,
+            
+            "server": "local"
+          }
+        ]
+      }
+    }
+    ```
+
 ## 1.10.0

 ### TUN 地址字段已合并
--- a/experimental/cachefile/cache.go
+++ b/experimental/cachefile/cache.go
@ -93,7 +93,18 @@ func New(ctx context.Context, options option.CacheFileOptions) *CacheFile {
 	}
 }

-func (c *CacheFile) start() error {
+func (c *CacheFile) Name() string {
+	return "cache-file"
+}
+
+func (c *CacheFile) Dependencies() []string {
+	return nil
+}
+
+func (c *CacheFile) Start(stage adapter.StartStage) error {
+	if stage != adapter.StartStateInitialize {
+		return nil
+	}
 	const fileMode = 0o666
 	options := bbolt.Options{Timeout: time.Second}
 	var (
@ -151,14 +162,6 @@ func (c *CacheFile) start() error {
 	return nil
 }

-func (c *CacheFile) PreStart() error {
-	return c.start()
-}
-
-func (c *CacheFile) Start() error {
-	return nil
-}
-
 func (c *CacheFile) Close() error {
 	if c.DB == nil {
 		return nil
--- a/experimental/clashapi.go
+++ b/experimental/clashapi.go
@ -12,7 +12,7 @@ import (
 	"github.com/sagernet/sing/common"
 )

-type ClashServerConstructor = func(ctx context.Context, router adapter.Router, logFactory log.ObservableFactory, options option.ClashAPIOptions) (adapter.ClashServer, error)
+type ClashServerConstructor = func(ctx context.Context, logFactory log.ObservableFactory, options option.ClashAPIOptions) (adapter.ClashServer, error)

 var clashServerConstructor ClashServerConstructor

@ -20,11 +20,11 @@ func RegisterClashServerConstructor(constructor ClashServerConstructor) {
 	clashServerConstructor = constructor
 }

-func NewClashServer(ctx context.Context, router adapter.Router, logFactory log.ObservableFactory, options option.ClashAPIOptions) (adapter.ClashServer, error) {
+func NewClashServer(ctx context.Context, logFactory log.ObservableFactory, options option.ClashAPIOptions) (adapter.ClashServer, error) {
 	if clashServerConstructor == nil {
 		return nil, os.ErrInvalid
 	}
-	return clashServerConstructor(ctx, router, logFactory, options)
+	return clashServerConstructor(ctx, logFactory, options)
 }

 func CalculateClashModeList(options option.Options) []string {
--- a/experimental/clashapi/api_meta_group.go
+++ b/experimental/clashapi/api_meta_group.go
@ -10,7 +10,7 @@ import (

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/urltest"
-	"github.com/sagernet/sing-box/outbound"
+	"github.com/sagernet/sing-box/protocol/group"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/batch"
 	"github.com/sagernet/sing/common/json/badjson"
@ -23,7 +23,7 @@ func groupRouter(server *Server) http.Handler {
 	r := chi.NewRouter()
 	r.Get("/", getGroups(server))
 	r.Route("/{name}", func(r chi.Router) {
-		r.Use(parseProxyName, findProxyByName(server.router))
+		r.Use(parseProxyName, findProxyByName(server))
 		r.Get("/", getGroup(server))
 		r.Get("/delay", getGroupDelay(server))
 	})
@ -32,7 +32,7 @@ func groupRouter(server *Server) http.Handler {

 func getGroups(server *Server) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
-		groups := common.Map(common.Filter(server.router.Outbounds(), func(it adapter.Outbound) bool {
+		groups := common.Map(common.Filter(server.outboundManager.Outbounds(), func(it adapter.Outbound) bool {
 			_, isGroup := it.(adapter.OutboundGroup)
 			return isGroup
 		}), func(it adapter.Outbound) *badjson.JSONObject {
@ -59,7 +59,7 @@ func getGroup(server *Server) func(w http.ResponseWriter, r *http.Request) {
 func getGroupDelay(server *Server) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		proxy := r.Context().Value(CtxKeyProxy).(adapter.Outbound)
-		group, ok := proxy.(adapter.OutboundGroup)
+		outboundGroup, ok := proxy.(adapter.OutboundGroup)
 		if !ok {
 			render.Status(r, http.StatusNotFound)
 			render.JSON(w, r, ErrNotFound)
@ -82,11 +82,11 @@ func getGroupDelay(server *Server) func(w http.ResponseWriter, r *http.Request)
 		defer cancel()

 		var result map[string]uint16
-		if urlTestGroup, isURLTestGroup := group.(adapter.URLTestGroup); isURLTestGroup {
+		if urlTestGroup, isURLTestGroup := outboundGroup.(adapter.URLTestGroup); isURLTestGroup {
 			result, err = urlTestGroup.URLTest(ctx)
 		} else {
-			outbounds := common.FilterNotNil(common.Map(group.All(), func(it string) adapter.Outbound {
-				itOutbound, _ := server.router.Outbound(it)
+			outbounds := common.FilterNotNil(common.Map(outboundGroup.All(), func(it string) adapter.Outbound {
+				itOutbound, _ := server.outboundManager.Outbound(it)
 				return itOutbound
 			}))
 			b, _ := batch.New(ctx, batch.WithConcurrencyNum[any](10))
@ -95,12 +95,12 @@ func getGroupDelay(server *Server) func(w http.ResponseWriter, r *http.Request)
 			var resultAccess sync.Mutex
 			for _, detour := range outbounds {
 				tag := detour.Tag()
-				realTag := outbound.RealTag(detour)
+				realTag := group.RealTag(detour)
 				if checked[realTag] {
 					continue
 				}
 				checked[realTag] = true
-				p, loaded := server.router.Outbound(realTag)
+				p, loaded := server.outboundManager.Outbound(realTag)
 				if !loaded {
 					continue
 				}
--- a/experimental/clashapi/proxies.go
+++ b/experimental/clashapi/proxies.go
@ -11,7 +11,7 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/urltest"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/outbound"
+	"github.com/sagernet/sing-box/protocol/group"
 	"github.com/sagernet/sing/common"
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/json/badjson"
@ -23,10 +23,10 @@ import (

 func proxyRouter(server *Server, router adapter.Router) http.Handler {
 	r := chi.NewRouter()
-	r.Get("/", getProxies(server, router))
+	r.Get("/", getProxies(server))

 	r.Route("/{name}", func(r chi.Router) {
-		r.Use(parseProxyName, findProxyByName(router))
+		r.Use(parseProxyName, findProxyByName(server))
 		r.Get("/", getProxy(server))
 		r.Get("/delay", getProxyDelay(server))
 		r.Put("/", updateProxy)
@ -42,11 +42,11 @@ func parseProxyName(next http.Handler) http.Handler {
 	})
 }

-func findProxyByName(router adapter.Router) func(next http.Handler) http.Handler {
+func findProxyByName(server *Server) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			name := r.Context().Value(CtxKeyProxyName).(string)
-			proxy, exist := router.Outbound(name)
+			proxy, exist := server.outboundManager.Outbound(name)
 			if !exist {
 				render.Status(r, http.StatusNotFound)
 				render.JSON(w, r, ErrNotFound)
@ -83,10 +83,10 @@ func proxyInfo(server *Server, detour adapter.Outbound) *badjson.JSONObject {
 	return &info
 }

-func getProxies(server *Server, router adapter.Router) func(w http.ResponseWriter, r *http.Request) {
+func getProxies(server *Server) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var proxyMap badjson.JSONObject
-		outbounds := common.Filter(router.Outbounds(), func(detour adapter.Outbound) bool {
+		outbounds := common.Filter(server.outboundManager.Outbounds(), func(detour adapter.Outbound) bool {
 			return detour.Tag() != ""
 		})

@ -100,12 +100,7 @@ func getProxies(server *Server, router adapter.Router) func(w http.ResponseWrite
 			allProxies = append(allProxies, detour.Tag())
 		}

-		var defaultTag string
-		if defaultOutbound, err := router.DefaultOutbound(N.NetworkTCP); err == nil {
-			defaultTag = defaultOutbound.Tag()
-		} else {
-			defaultTag = allProxies[0]
-		}
+		defaultTag := server.outboundManager.Default().Tag()

 		sort.SliceStable(allProxies, func(i, j int) bool {
 			return allProxies[i] == defaultTag
@ -168,7 +163,7 @@ func updateProxy(w http.ResponseWriter, r *http.Request) {
 	}

 	proxy := r.Context().Value(CtxKeyProxy).(adapter.Outbound)
-	selector, ok := proxy.(*outbound.Selector)
+	selector, ok := proxy.(*group.Selector)
 	if !ok {
 		render.Status(r, http.StatusBadRequest)
 		render.JSON(w, r, newError("Must be a Selector"))
@ -204,7 +199,7 @@ func getProxyDelay(server *Server) func(w http.ResponseWriter, r *http.Request)

 		delay, err := urltest.URLTest(ctx, url, proxy)
 		defer func() {
-			realTag := outbound.RealTag(proxy)
+			realTag := group.RealTag(proxy)
 			if err != nil {
 				server.urlTestHistory.DeleteURLTestHistory(realTag)
 			} else {
--- a/experimental/clashapi/rules.go
+++ b/experimental/clashapi/rules.go
@ -30,10 +30,9 @@ func getRules(router adapter.Router) func(w http.ResponseWriter, r *http.Request
 			rules = append(rules, Rule{
 				Type:    rule.Type(),
 				Payload: rule.String(),
-				Proxy:   rule.Outbound(),
+				Proxy:   rule.Action().String(),
 			})
 		}
-
 		render.JSON(w, r, render.M{
 			"rules": rules,
 		})
--- a/experimental/clashapi/server.go
+++ b/experimental/clashapi/server.go
@ -40,15 +40,16 @@ func init() {
 var _ adapter.ClashServer = (*Server)(nil)

 type Server struct {
-	ctx            context.Context
-	router         adapter.Router
-	logger         log.Logger
-	httpServer     *http.Server
-	trafficManager *trafficontrol.Manager
-	urlTestHistory *urltest.HistoryStorage
-	mode           string
-	modeList       []string
-	modeUpdateHook chan<- struct{}
+	ctx             context.Context
+	router          adapter.Router
+	outboundManager adapter.OutboundManager
+	logger          log.Logger
+	httpServer      *http.Server
+	trafficManager  *trafficontrol.Manager
+	urlTestHistory  *urltest.HistoryStorage
+	mode            string
+	modeList        []string
+	modeUpdateHook  chan<- struct{}

 	externalController       bool
 	externalUI               string
@ -56,13 +57,14 @@ type Server struct {
 	externalUIDownloadDetour string
 }

-func NewServer(ctx context.Context, router adapter.Router, logFactory log.ObservableFactory, options option.ClashAPIOptions) (adapter.ClashServer, error) {
+func NewServer(ctx context.Context, logFactory log.ObservableFactory, options option.ClashAPIOptions) (adapter.ClashServer, error) {
 	trafficManager := trafficontrol.NewManager()
 	chiRouter := chi.NewRouter()
-	server := &Server{
-		ctx:    ctx,
-		router: router,
-		logger: logFactory.NewLogger("clash-api"),
+	s := &Server{
+		ctx:             ctx,
+		router:          service.FromContext[adapter.Router](ctx),
+		outboundManager: service.FromContext[adapter.OutboundManager](ctx),
+		logger:          logFactory.NewLogger("clash-api"),
 		httpServer: &http.Server{
 			Addr:    options.ExternalController,
 			Handler: chiRouter,
@ -73,18 +75,18 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ
 		externalUIDownloadURL:    options.ExternalUIDownloadURL,
 		externalUIDownloadDetour: options.ExternalUIDownloadDetour,
 	}
-	server.urlTestHistory = service.PtrFromContext[urltest.HistoryStorage](ctx)
-	if server.urlTestHistory == nil {
-		server.urlTestHistory = urltest.NewHistoryStorage()
+	s.urlTestHistory = service.PtrFromContext[urltest.HistoryStorage](ctx)
+	if s.urlTestHistory == nil {
+		s.urlTestHistory = urltest.NewHistoryStorage()
 	}
 	defaultMode := "Rule"
 	if options.DefaultMode != "" {
 		defaultMode = options.DefaultMode
 	}
-	if !common.Contains(server.modeList, defaultMode) {
-		server.modeList = append([]string{defaultMode}, server.modeList...)
+	if !common.Contains(s.modeList, defaultMode) {
+		s.modeList = append([]string{defaultMode}, s.modeList...)
 	}
-	server.mode = defaultMode
+	s.mode = defaultMode
 	//goland:noinspection GoDeprecation
 	//nolint:staticcheck
 	if options.StoreMode || options.StoreSelected || options.StoreFakeIP || options.CacheFile != "" || options.CacheID != "" {
@ -108,71 +110,76 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ
 		r.Get("/logs", getLogs(logFactory))
 		r.Get("/traffic", traffic(trafficManager))
 		r.Get("/version", version)
-		r.Mount("/configs", configRouter(server, logFactory))
-		r.Mount("/proxies", proxyRouter(server, router))
-		r.Mount("/rules", ruleRouter(router))
-		r.Mount("/connections", connectionRouter(router, trafficManager))
+		r.Mount("/configs", configRouter(s, logFactory))
+		r.Mount("/proxies", proxyRouter(s, s.router))
+		r.Mount("/rules", ruleRouter(s.router))
+		r.Mount("/connections", connectionRouter(s.router, trafficManager))
 		r.Mount("/providers/proxies", proxyProviderRouter())
 		r.Mount("/providers/rules", ruleProviderRouter())
 		r.Mount("/script", scriptRouter())
 		r.Mount("/profile", profileRouter())
 		r.Mount("/cache", cacheRouter(ctx))
-		r.Mount("/dns", dnsRouter(router))
+		r.Mount("/dns", dnsRouter(s.router))

-		server.setupMetaAPI(r)
+		s.setupMetaAPI(r)
 	})
 	if options.ExternalUI != "" {
-		server.externalUI = filemanager.BasePath(ctx, os.ExpandEnv(options.ExternalUI))
+		s.externalUI = filemanager.BasePath(ctx, os.ExpandEnv(options.ExternalUI))
 		chiRouter.Group(func(r chi.Router) {
-			fs := http.StripPrefix("/ui", http.FileServer(http.Dir(server.externalUI)))
+			fs := http.StripPrefix("/ui", http.FileServer(http.Dir(s.externalUI)))
 			r.Get("/ui", http.RedirectHandler("/ui/", http.StatusTemporaryRedirect).ServeHTTP)
 			r.Get("/ui/*", func(w http.ResponseWriter, r *http.Request) {
 				fs.ServeHTTP(w, r)
 			})
 		})
 	}
-	return server, nil
+	return s, nil
 }

-func (s *Server) PreStart() error {
-	cacheFile := service.FromContext[adapter.CacheFile](s.ctx)
-	if cacheFile != nil {
-		mode := cacheFile.LoadMode()
-		if common.Any(s.modeList, func(it string) bool {
-			return strings.EqualFold(it, mode)
-		}) {
-			s.mode = mode
-		}
-	}
-	return nil
+func (s *Server) Name() string {
+	return "clash server"
 }

-func (s *Server) Start() error {
-	if s.externalController {
-		s.checkAndDownloadExternalUI()
-		var (
-			listener net.Listener
-			err      error
-		)
-		for i := 0; i < 3; i++ {
-			listener, err = net.Listen("tcp", s.httpServer.Addr)
-			if runtime.GOOS == "android" && errors.Is(err, syscall.EADDRINUSE) {
-				time.Sleep(100 * time.Millisecond)
-				continue
+func (s *Server) Start(stage adapter.StartStage) error {
+	switch stage {
+	case adapter.StartStateStart:
+		cacheFile := service.FromContext[adapter.CacheFile](s.ctx)
+		if cacheFile != nil {
+			mode := cacheFile.LoadMode()
+			if common.Any(s.modeList, func(it string) bool {
+				return strings.EqualFold(it, mode)
+			}) {
+				s.mode = mode
 			}
-			break
 		}
-		if err != nil {
-			return E.Cause(err, "external controller listen error")
-		}
-		s.logger.Info("restful api listening at ", listener.Addr())
-		go func() {
-			err = s.httpServer.Serve(listener)
-			if err != nil && !errors.Is(err, http.ErrServerClosed) {
-				s.logger.Error("external controller serve error: ", err)
+	case adapter.StartStateStarted:
+		if s.externalController {
+			s.checkAndDownloadExternalUI()
+			var (
+				listener net.Listener
+				err      error
+			)
+			for i := 0; i < 3; i++ {
+				listener, err = net.Listen("tcp", s.httpServer.Addr)
+				if runtime.GOOS == "android" && errors.Is(err, syscall.EADDRINUSE) {
+					time.Sleep(100 * time.Millisecond)
+					continue
+				}
+				break
 			}
-		}()
+			if err != nil {
+				return E.Cause(err, "external controller listen error")
+			}
+			s.logger.Info("restful api listening at ", listener.Addr())
+			go func() {
+				err = s.httpServer.Serve(listener)
+				if err != nil && !errors.Is(err, http.ErrServerClosed) {
+					s.logger.Error("external controller serve error: ", err)
+				}
+			}()
+		}
 	}
+
 	return nil
 }

@ -234,14 +241,12 @@ func (s *Server) TrafficManager() *trafficontrol.Manager {
 	return s.trafficManager
 }

-func (s *Server) RoutedConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, matchedRule adapter.Rule) (net.Conn, adapter.Tracker) {
-	tracker := trafficontrol.NewTCPTracker(conn, s.trafficManager, metadata, s.router, matchedRule)
-	return tracker, tracker
+func (s *Server) RoutedConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, matchedRule adapter.Rule, matchOutbound adapter.Outbound) net.Conn {
+	return trafficontrol.NewTCPTracker(conn, s.trafficManager, metadata, s.outboundManager, matchedRule, matchOutbound)
 }

-func (s *Server) RoutedPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext, matchedRule adapter.Rule) (N.PacketConn, adapter.Tracker) {
-	tracker := trafficontrol.NewUDPTracker(conn, s.trafficManager, metadata, s.router, matchedRule)
-	return tracker, tracker
+func (s *Server) RoutedPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext, matchedRule adapter.Rule, matchOutbound adapter.Outbound) N.PacketConn {
+	return trafficontrol.NewUDPTracker(conn, s.trafficManager, metadata, s.outboundManager, matchedRule, matchOutbound)
 }

 func authentication(serverSecret string) func(next http.Handler) http.Handler {
--- a/experimental/clashapi/server_resources.go
+++ b/experimental/clashapi/server_resources.go
@ -15,7 +15,6 @@ import (
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/service/filemanager"
 )

@ -45,16 +44,13 @@ func (s *Server) downloadExternalUI() error {
 	s.logger.Info("downloading external ui")
 	var detour adapter.Outbound
 	if s.externalUIDownloadDetour != "" {
-		outbound, loaded := s.router.Outbound(s.externalUIDownloadDetour)
+		outbound, loaded := s.outboundManager.Outbound(s.externalUIDownloadDetour)
 		if !loaded {
 			return E.New("detour outbound not found: ", s.externalUIDownloadDetour)
 		}
 		detour = outbound
 	} else {
-		outbound, err := s.router.DefaultOutbound(N.NetworkTCP)
-		if err != nil {
-			return err
-		}
+		outbound := s.outboundManager.Default()
 		detour = outbound
 	}
 	httpClient := &http.Client{
--- a/experimental/clashapi/trafficontrol/tracker.go
+++ b/experimental/clashapi/trafficontrol/tracker.go
@ -60,7 +60,7 @@ func (t TrackerMetadata) MarshalJSON() ([]byte, error) {
 	}
 	var rule string
 	if t.Rule != nil {
-		rule = F.ToString(t.Rule, " => ", t.Rule.Outbound())
+		rule = F.ToString(t.Rule, " => ", t.Rule.Action())
 	} else {
 		rule = "final"
 	}
@ -87,7 +87,6 @@ func (t TrackerMetadata) MarshalJSON() ([]byte, error) {
 }

 type Tracker interface {
-	adapter.Tracker
 	Metadata() TrackerMetadata
 	Close() error
 }
@ -107,10 +106,6 @@ func (tt *TCPConn) Close() error {
 	return tt.ExtendedConn.Close()
 }

-func (tt *TCPConn) Leave() {
-	tt.manager.Leave(tt)
-}
-
 func (tt *TCPConn) Upstream() any {
 	return tt.ExtendedConn
 }
@ -123,7 +118,7 @@ func (tt *TCPConn) WriterReplaceable() bool {
 	return true
 }

-func NewTCPTracker(conn net.Conn, manager *Manager, metadata adapter.InboundContext, router adapter.Router, rule adapter.Rule) *TCPConn {
+func NewTCPTracker(conn net.Conn, manager *Manager, metadata adapter.InboundContext, outboundManager adapter.OutboundManager, matchRule adapter.Rule, matchOutbound adapter.Outbound) *TCPConn {
 	id, _ := uuid.NewV4()
 	var (
 		chain        []string
@ -131,19 +126,17 @@ func NewTCPTracker(conn net.Conn, manager *Manager, metadata adapter.InboundCont
 		outbound     string
 		outboundType string
 	)
-	if rule == nil {
-		if defaultOutbound, err := router.DefaultOutbound(N.NetworkTCP); err == nil {
-			next = defaultOutbound.Tag()
-		}
+	if matchOutbound != nil {
+		next = matchOutbound.Tag()
 	} else {
-		next = rule.Outbound()
+		next = outboundManager.Default().Tag()
 	}
 	for {
-		chain = append(chain, next)
-		detour, loaded := router.Outbound(next)
+		detour, loaded := outboundManager.Outbound(next)
 		if !loaded {
 			break
 		}
+		chain = append(chain, next)
 		outbound = detour.Tag()
 		outboundType = detour.Type()
 		group, isGroup := detour.(adapter.OutboundGroup)
@ -169,7 +162,7 @@ func NewTCPTracker(conn net.Conn, manager *Manager, metadata adapter.InboundCont
 			Upload:       upload,
 			Download:     download,
 			Chain:        common.Reverse(chain),
-			Rule:         rule,
+			Rule:         matchRule,
 			Outbound:     outbound,
 			OutboundType: outboundType,
 		},
@ -194,10 +187,6 @@ func (ut *UDPConn) Close() error {
 	return ut.PacketConn.Close()
 }

-func (ut *UDPConn) Leave() {
-	ut.manager.Leave(ut)
-}
-
 func (ut *UDPConn) Upstream() any {
 	return ut.PacketConn
 }
@ -210,7 +199,7 @@ func (ut *UDPConn) WriterReplaceable() bool {
 	return true
 }

-func NewUDPTracker(conn N.PacketConn, manager *Manager, metadata adapter.InboundContext, router adapter.Router, rule adapter.Rule) *UDPConn {
+func NewUDPTracker(conn N.PacketConn, manager *Manager, metadata adapter.InboundContext, outboundManager adapter.OutboundManager, matchRule adapter.Rule, matchOutbound adapter.Outbound) *UDPConn {
 	id, _ := uuid.NewV4()
 	var (
 		chain        []string
@ -218,19 +207,17 @@ func NewUDPTracker(conn N.PacketConn, manager *Manager, metadata adapter.Inbound
 		outbound     string
 		outboundType string
 	)
-	if rule == nil {
-		if defaultOutbound, err := router.DefaultOutbound(N.NetworkUDP); err == nil {
-			next = defaultOutbound.Tag()
-		}
+	if matchOutbound != nil {
+		next = matchOutbound.Tag()
 	} else {
-		next = rule.Outbound()
+		next = outboundManager.Default().Tag()
 	}
 	for {
-		chain = append(chain, next)
-		detour, loaded := router.Outbound(next)
+		detour, loaded := outboundManager.Outbound(next)
 		if !loaded {
 			break
 		}
+		chain = append(chain, next)
 		outbound = detour.Tag()
 		outboundType = detour.Type()
 		group, isGroup := detour.(adapter.OutboundGroup)
@ -256,7 +243,7 @@ func NewUDPTracker(conn N.PacketConn, manager *Manager, metadata adapter.Inbound
 			Upload:       upload,
 			Download:     download,
 			Chain:        common.Reverse(chain),
-			Rule:         rule,
+			Rule:         matchRule,
 			Outbound:     outbound,
 			OutboundType: outboundType,
 		},
--- a/experimental/deprecated/constants.go
+++ b/experimental/deprecated/constants.go
@ -1,6 +1,7 @@
 package deprecated

 import (
+	"github.com/sagernet/sing-box/common/badversion"
 	C "github.com/sagernet/sing-box/constant"
 	F "github.com/sagernet/sing/common/format"

@ -23,11 +24,12 @@ func (n Note) Impending() bool {
 	if !semver.IsValid("v" + C.Version) {
 		return false
 	}
-	versionMinor := semver.Compare(semver.MajorMinor("v"+C.Version), "v"+n.ScheduledVersion)
-	if semver.Prerelease("v"+C.Version) == "" && versionMinor > 0 {
+	versionCurrent := badversion.Parse(C.Version)
+	versionMinor := badversion.Parse(n.ScheduledVersion).Minor - versionCurrent.Minor
+	if versionCurrent.PreReleaseIdentifier == "" && versionMinor < 0 {
 		panic("invalid deprecated note: " + n.Name)
 	}
-	return versionMinor >= -1
+	return versionMinor <= 1
 }

 func (n Note) Message() string {
@ -49,6 +51,7 @@ var OptionBadMatchSource = Note{
 	Description:       "legacy match source rule item",
 	DeprecatedVersion: "1.10.0",
 	ScheduledVersion:  "1.11.0",
+	EnvName:           "BAD_MATCH_SOURCE",
 	MigrationLink:     "https://sing-box.sagernet.org/deprecated/#match-source-rule-items-are-renamed",
 }

@ -75,12 +78,43 @@ var OptionTUNAddressX = Note{
 	Description:       "legacy tun address fields",
 	DeprecatedVersion: "1.10.0",
 	ScheduledVersion:  "1.12.0",
+	EnvName:           "TUN_ADDRESS_X",
 	MigrationLink:     "https://sing-box.sagernet.org/migration/#tun-address-fields-are-merged",
 }

+var OptionSpecialOutbounds = Note{
+	Name:              "special-outbounds",
+	Description:       "legacy special outbounds",
+	DeprecatedVersion: "1.11.0",
+	ScheduledVersion:  "1.13.0",
+	EnvName:           "SPECIAL_OUTBOUNDS",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-legacy-special-outbounds-to-rule-actions",
+}
+
+var OptionInboundOptions = Note{
+	Name:              "inbound-options",
+	Description:       "legacy inbound fields",
+	DeprecatedVersion: "1.11.0",
+	ScheduledVersion:  "1.13.0",
+	EnvName:           "INBOUND_OPTIONS",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-legacy-special-outbounds-to-rule-actions",
+}
+
+var OptionLegacyDNSRouteOptions = Note{
+	Name:              "legacy-dns-route-options",
+	Description:       "legacy dns route options",
+	DeprecatedVersion: "1.11.0",
+	ScheduledVersion:  "1.12.0",
+	EnvName:           "LEGACY_DNS_ROUTE_OPTIONS",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-legacy-dns-route-options-to-rule-actions",
+}
+
 var Options = []Note{
 	OptionBadMatchSource,
 	OptionGEOIP,
 	OptionGEOSITE,
 	OptionTUNAddressX,
+	OptionSpecialOutbounds,
+	OptionInboundOptions,
+	OptionLegacyDNSRouteOptions,
 }
--- a/experimental/libbox/command_clash_mode.go
+++ b/experimental/libbox/command_clash_mode.go
@ -38,11 +38,7 @@ func (s *CommandServer) handleSetClashMode(conn net.Conn) error {
 	if service == nil {
 		return writeError(conn, E.New("service not ready"))
 	}
-	clashServer := service.instance.Router().ClashServer()
-	if clashServer == nil {
-		return writeError(conn, E.New("Clash API disabled"))
-	}
-	clashServer.(*clashapi.Server).SetMode(newMode)
+	service.clashServer.(*clashapi.Server).SetMode(newMode)
 	return writeError(conn, nil)
 }

@ -69,18 +65,14 @@ func (s *CommandServer) handleModeConn(conn net.Conn) error {
 			return ctx.Err()
 		}
 	}
-	clashServer := s.service.instance.Router().ClashServer()
-	if clashServer == nil {
-		return binary.Write(conn, binary.BigEndian, uint16(0))
-	}
-	err := writeClashModeList(conn, clashServer)
+	err := writeClashModeList(conn, s.service.clashServer)
 	if err != nil {
 		return err
 	}
 	for {
 		select {
 		case <-s.modeUpdate:
-			err = varbin.Write(conn, binary.BigEndian, clashServer.Mode())
+			err = varbin.Write(conn, binary.BigEndian, s.service.clashServer.Mode())
 			if err != nil {
 				return err
 			}
--- a/experimental/libbox/command_close_connection.go
+++ b/experimental/libbox/command_close_connection.go
@ -45,11 +45,7 @@ func (s *CommandServer) handleCloseConnection(conn net.Conn) error {
 	if service == nil {
 		return writeError(conn, E.New("service not ready"))
 	}
-	clashServer := service.instance.Router().ClashServer()
-	if clashServer == nil {
-		return writeError(conn, E.New("Clash API disabled"))
-	}
-	targetConn := clashServer.(*clashapi.Server).TrafficManager().Connection(uuid.FromStringOrNil(connId))
+	targetConn := service.clashServer.(*clashapi.Server).TrafficManager().Connection(uuid.FromStringOrNil(connId))
 	if targetConn == nil {
 		return writeError(conn, E.New("connection already closed"))
 	}
--- a/experimental/libbox/command_connections.go
+++ b/experimental/libbox/command_connections.go
@ -49,11 +49,7 @@ func (s *CommandServer) handleConnectionsConn(conn net.Conn) error {
 	for {
 		service := s.service
 		if service != nil {
-			clashServer := service.instance.Router().ClashServer()
-			if clashServer == nil {
-				return E.New("Clash API disabled")
-			}
-			trafficManager = clashServer.(*clashapi.Server).TrafficManager()
+			trafficManager = service.clashServer.(*clashapi.Server).TrafficManager()
 			break
 		}
 		select {
--- a/experimental/libbox/command_group.go
+++ b/experimental/libbox/command_group.go
@ -9,7 +9,7 @@ import (

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/urltest"
-	"github.com/sagernet/sing-box/outbound"
+	"github.com/sagernet/sing-box/protocol/group"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/varbin"
 	"github.com/sagernet/sing/service"
@ -109,7 +109,7 @@ func readGroups(reader io.Reader) (OutboundGroupIterator, error) {
 func writeGroups(writer io.Writer, boxService *BoxService) error {
 	historyStorage := service.PtrFromContext[urltest.HistoryStorage](boxService.ctx)
 	cacheFile := service.FromContext[adapter.CacheFile](boxService.ctx)
-	outbounds := boxService.instance.Router().Outbounds()
+	outbounds := boxService.instance.Outbound().Outbounds()
 	var iGroups []adapter.OutboundGroup
 	for _, it := range outbounds {
 		if group, isGroup := it.(adapter.OutboundGroup); isGroup {
@ -118,19 +118,19 @@ func writeGroups(writer io.Writer, boxService *BoxService) error {
 	}
 	var groups []OutboundGroup
 	for _, iGroup := range iGroups {
-		var group OutboundGroup
-		group.Tag = iGroup.Tag()
-		group.Type = iGroup.Type()
-		_, group.Selectable = iGroup.(*outbound.Selector)
-		group.Selected = iGroup.Now()
+		var outboundGroup OutboundGroup
+		outboundGroup.Tag = iGroup.Tag()
+		outboundGroup.Type = iGroup.Type()
+		_, outboundGroup.Selectable = iGroup.(*group.Selector)
+		outboundGroup.Selected = iGroup.Now()
 		if cacheFile != nil {
-			if isExpand, loaded := cacheFile.LoadGroupExpand(group.Tag); loaded {
-				group.IsExpand = isExpand
+			if isExpand, loaded := cacheFile.LoadGroupExpand(outboundGroup.Tag); loaded {
+				outboundGroup.IsExpand = isExpand
 			}
 		}

 		for _, itemTag := range iGroup.All() {
-			itemOutbound, isLoaded := boxService.instance.Router().Outbound(itemTag)
+			itemOutbound, isLoaded := boxService.instance.Outbound().Outbound(itemTag)
 			if !isLoaded {
 				continue
 			}
@ -142,12 +142,12 @@ func writeGroups(writer io.Writer, boxService *BoxService) error {
 				item.URLTestTime = history.Time.Unix()
 				item.URLTestDelay = int32(history.Delay)
 			}
-			group.ItemList = append(group.ItemList, &item)
+			outboundGroup.ItemList = append(outboundGroup.ItemList, &item)
 		}
-		if len(group.ItemList) < 2 {
+		if len(outboundGroup.ItemList) < 2 {
 			continue
 		}
-		groups = append(groups, group)
+		groups = append(groups, outboundGroup)
 	}
 	return varbin.Write(writer, binary.BigEndian, groups)
 }
--- a/experimental/libbox/command_select.go
+++ b/experimental/libbox/command_select.go
@ -4,7 +4,7 @@ import (
 	"encoding/binary"
 	"net"

-	"github.com/sagernet/sing-box/outbound"
+	"github.com/sagernet/sing-box/protocol/group"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/varbin"
 )
@ -43,11 +43,11 @@ func (s *CommandServer) handleSelectOutbound(conn net.Conn) error {
 	if service == nil {
 		return writeError(conn, E.New("service not ready"))
 	}
-	outboundGroup, isLoaded := service.instance.Router().Outbound(groupTag)
+	outboundGroup, isLoaded := service.instance.Outbound().Outbound(groupTag)
 	if !isLoaded {
 		return writeError(conn, E.New("selector not found: ", groupTag))
 	}
-	selector, isSelector := outboundGroup.(*outbound.Selector)
+	selector, isSelector := outboundGroup.(*group.Selector)
 	if !isSelector {
 		return writeError(conn, E.New("outbound is not a selector: ", groupTag))
 	}
--- a/experimental/libbox/command_server.go
+++ b/experimental/libbox/command_server.go
@ -60,7 +60,7 @@ func NewCommandServer(handler CommandServerHandler, maxLines int32) *CommandServ
 func (s *CommandServer) SetService(newService *BoxService) {
 	if newService != nil {
 		service.PtrFromContext[urltest.HistoryStorage](newService.ctx).SetHook(s.urlTestUpdate)
-		newService.instance.Router().ClashServer().(*clashapi.Server).SetModeUpdateHook(s.modeUpdate)
+		newService.clashServer.(*clashapi.Server).SetModeUpdateHook(s.modeUpdate)
 	}
 	s.service = newService
 	s.notifyURLTestUpdate()
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
世界	e3ffffc645	documentation: Bump version	2024-11-10 17:33:00 +08:00
世界	7daf2d1716	Fix hijack-dns	2024-11-10 17:33:00 +08:00
世界	b4f1c2a596	refactor: Extract clash/v2ray/time service form router	2024-11-10 17:33:00 +08:00
世界	1df8dfcade	refactor: Modular network manager	2024-11-10 17:33:00 +08:00
世界	beaab2e4db	refactor: Modular inbound/outbound manager	2024-11-10 12:12:08 +08:00
世界	1ee7a4a272	documentation: Bump version	2024-11-10 12:12:08 +08:00
世界	44560f0c20	documentation: Add rule action	2024-11-10 12:12:08 +08:00
世界	b8613de673	documentation: Update the scheduled removal time of deprecated features	2024-11-10 12:12:08 +08:00
世界	24496d89b1	documentation: Remove outdated icons	2024-11-10 12:12:08 +08:00
世界	1a230bda5d	Migrate bad options to library	2024-11-10 12:12:08 +08:00
世界	85f634d0cb	Implement udp connect	2024-11-10 12:12:08 +08:00
世界	b75dbc8a26	Implement new deprecated warnings	2024-11-10 12:12:08 +08:00
世界	3a3ad11cb3	Improve rule actions	2024-11-09 18:41:11 +08:00
世界	866be4acbd	Remove unused reject methods	2024-11-09 18:41:11 +08:00
世界	776052de20	refactor: Modular inbounds/outbounds	2024-11-09 18:41:11 +08:00
世界	e45763d5ba	Implement dns-hijack	2024-11-09 12:35:48 +08:00
世界	5eb8522205	Implement resolve(server)	2024-11-09 12:35:47 +08:00
世界	c2b833a228	Implement TCP and ICMP rejects	2024-11-09 12:35:47 +08:00
世界	7f65ab8166	Crazy sekai overturns the small pond	2024-11-09 12:35:43 +08:00