documentation: Bump version

adapter/conn_router.go

@@ -1,104 +0,0 @@
-package adapter
-
-import (
-	"context"
-	"net"
-
-	"github.com/sagernet/sing/common/logger"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-)
-
-type ConnectionRouter interface {
-	RouteConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
-	RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
-}
-
-func NewRouteHandler(
-	metadata InboundContext,
-	router ConnectionRouter,
-	logger logger.ContextLogger,
-) UpstreamHandlerAdapter {
-	return &routeHandlerWrapper{
-		metadata: metadata,
-		router:   router,
-		logger:   logger,
-	}
-}
-
-func NewRouteContextHandler(
-	router ConnectionRouter,
-	logger logger.ContextLogger,
-) UpstreamHandlerAdapter {
-	return &routeContextHandlerWrapper{
-		router: router,
-		logger: logger,
-	}
-}
-
-var _ UpstreamHandlerAdapter = (*routeHandlerWrapper)(nil)
-
-type routeHandlerWrapper struct {
-	metadata InboundContext
-	router   ConnectionRouter
-	logger   logger.ContextLogger
-}
-
-func (w *routeHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
-	myMetadata := w.metadata
-	if metadata.Source.IsValid() {
-		myMetadata.Source = metadata.Source
-	}
-	if metadata.Destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
-	}
-	return w.router.RouteConnection(ctx, conn, myMetadata)
-}
-
-func (w *routeHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
-	myMetadata := w.metadata
-	if metadata.Source.IsValid() {
-		myMetadata.Source = metadata.Source
-	}
-	if metadata.Destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
-	}
-	return w.router.RoutePacketConnection(ctx, conn, myMetadata)
-}
-
-func (w *routeHandlerWrapper) NewError(ctx context.Context, err error) {
-	w.logger.ErrorContext(ctx, err)
-}
-
-var _ UpstreamHandlerAdapter = (*routeContextHandlerWrapper)(nil)
-
-type routeContextHandlerWrapper struct {
-	router ConnectionRouter
-	logger logger.ContextLogger
-}
-
-func (w *routeContextHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
-	myMetadata := ContextFrom(ctx)
-	if metadata.Source.IsValid() {
-		myMetadata.Source = metadata.Source
-	}
-	if metadata.Destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
-	}
-	return w.router.RouteConnection(ctx, conn, *myMetadata)
-}
-
-func (w *routeContextHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
-	myMetadata := ContextFrom(ctx)
-	if metadata.Source.IsValid() {
-		myMetadata.Source = metadata.Source
-	}
-	if metadata.Destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
-	}
-	return w.router.RoutePacketConnection(ctx, conn, *myMetadata)
-}
-
-func (w *routeContextHandlerWrapper) NewError(ctx context.Context, err error) {
-	w.logger.ErrorContext(ctx, err)
-}

adapter/experimental.go

@@ -4,28 +4,28 @@ import (
 	"bytes"
 	"context"
 	"encoding/binary"
-	"net"
 	"time"
 
 	"github.com/sagernet/sing-box/common/urltest"
 	"github.com/sagernet/sing-dns"
-	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/varbin"
 )
 
 type ClashServer interface {
-	Service
+	LifecycleService
-	PreStarter
+	ConnectionTracker
 	Mode() string
 	ModeList() []string
 	HistoryStorage() *urltest.HistoryStorage
-	RoutedConnection(ctx context.Context, conn net.Conn, metadata InboundContext, matchedRule Rule) (net.Conn, Tracker)
+}
-	RoutedPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext, matchedRule Rule) (N.PacketConn, Tracker)
+
+type V2RayServer interface {
+	LifecycleService
+	StatsService() ConnectionTracker
 }
 
 type CacheFile interface {
-	Service
+	LifecycleService
-	PreStarter
 
 	StoreFakeIP() bool
 	FakeIPStorage
@@ -94,10 +94,6 @@ func (s *SavedRuleSet) UnmarshalBinary(data []byte) error {
 	return nil
 }
 
-type Tracker interface {
-	Leave()
-}
-
 type OutboundGroup interface {
 	Outbound
 	Now() string
@@ -115,13 +111,3 @@ func OutboundTag(detour Outbound) string {
 	}
 	return detour.Tag()
 }
-
-type V2RayServer interface {
-	Service
-	StatsService() V2RayStatsService
-}
-
-type V2RayStatsService interface {
-	RoutedConnection(inbound string, outbound string, user string, conn net.Conn) net.Conn
-	RoutedPacketConnection(inbound string, outbound string, user string, conn N.PacketConn) N.PacketConn
-}

adapter/handler.go

@@ -6,27 +6,53 @@ import (
 
 	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 
+// Deprecated
 type ConnectionHandler interface {
 	NewConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
 }
 
+type ConnectionHandlerEx interface {
+	NewConnectionEx(ctx context.Context, conn net.Conn, metadata InboundContext, onClose N.CloseHandlerFunc)
+}
+
+// Deprecated: use PacketHandlerEx instead
 type PacketHandler interface {
 	NewPacket(ctx context.Context, conn N.PacketConn, buffer *buf.Buffer, metadata InboundContext) error
 }
 
+type PacketHandlerEx interface {
+	NewPacketEx(buffer *buf.Buffer, source M.Socksaddr)
+}
+
+// Deprecated: use OOBPacketHandlerEx instead
 type OOBPacketHandler interface {
 	NewPacket(ctx context.Context, conn N.PacketConn, buffer *buf.Buffer, oob []byte, metadata InboundContext) error
 }
 
+type OOBPacketHandlerEx interface {
+	NewPacketEx(buffer *buf.Buffer, oob []byte, source M.Socksaddr)
+}
+
+// Deprecated
 type PacketConnectionHandler interface {
 	NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
 }
 
+type PacketConnectionHandlerEx interface {
+	NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, metadata InboundContext, onClose N.CloseHandlerFunc)
+}
+
 type UpstreamHandlerAdapter interface {
 	N.TCPConnectionHandler
 	N.UDPConnectionHandler
 	E.Handler
 }
+
+type UpstreamHandlerAdapterEx interface {
+	N.TCPConnectionHandlerEx
+	N.UDPConnectionHandlerEx
+}

adapter/inbound.go

@@ -2,13 +2,12 @@ package adapter
 
 import (
 	"context"
-	"net"
 	"net/netip"
 
 	"github.com/sagernet/sing-box/common/process"
+	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
 	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
 )
 
 type Inbound interface {
@@ -17,11 +16,27 @@ type Inbound interface {
 	Tag() string
 }
 
-type InjectableInbound interface {
+type TCPInjectableInbound interface {
 	Inbound
-	Network() []string
+	ConnectionHandlerEx
-	NewConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
+}
-	NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
+
+type UDPInjectableInbound interface {
+	Inbound
+	PacketConnectionHandlerEx
+}
+
+type InboundRegistry interface {
+	option.InboundOptionsRegistry
+	Create(ctx context.Context, router Router, logger log.ContextLogger, tag string, inboundType string, options any) (Inbound, error)
+}
+
+type InboundManager interface {
+	Lifecycle
+	Inbounds() []Inbound
+	Get(tag string) (Inbound, bool)
+	Remove(tag string) error
+	Create(ctx context.Context, router Router, logger log.ContextLogger, tag string, inboundType string, options any) error
 }
 
 type InboundContext struct {
@@ -43,10 +58,17 @@ type InboundContext struct {
 
 	// cache
 
+	// Deprecated: implement in rule action
 	InboundDetour     string
 	LastInbound       string
 	OriginDestination M.Socksaddr
+	// Deprecated
 	InboundOptions            option.InboundOptions
+	UDPDisableDomainUnmapping bool
+	UDPConnect                bool
+
+	DNSServer string
+
 	DestinationAddresses []netip.Addr
 	SourceGeoIPCode      string
 	GeoIPCode            string

adapter/inbound/adapter.go

@@ -0,0 +1,21 @@
+package inbound
+
+type Adapter struct {
+	inboundType string
+	inboundTag  string
+}
+
+func NewAdapter(inboundType string, inboundTag string) Adapter {
+	return Adapter{
+		inboundType: inboundType,
+		inboundTag:  inboundTag,
+	}
+}
+
+func (a *Adapter) Type() string {
+	return a.inboundType
+}
+
+func (a *Adapter) Tag() string {
+	return a.inboundTag
+}

adapter/inbound/manager.go

@@ -0,0 +1,143 @@
+package inbound
+
+import (
+	"context"
+	"os"
+	"sync"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/taskmonitor"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+var _ adapter.InboundManager = (*Manager)(nil)
+
+type Manager struct {
+	logger       log.ContextLogger
+	registry     adapter.InboundRegistry
+	access       sync.Mutex
+	started      bool
+	stage        adapter.StartStage
+	inbounds     []adapter.Inbound
+	inboundByTag map[string]adapter.Inbound
+}
+
+func NewManager(logger log.ContextLogger, registry adapter.InboundRegistry) *Manager {
+	return &Manager{
+		logger:       logger,
+		registry:     registry,
+		inboundByTag: make(map[string]adapter.Inbound),
+	}
+}
+
+func (m *Manager) Start(stage adapter.StartStage) error {
+	m.access.Lock()
+	defer m.access.Unlock()
+	if m.started && m.stage >= stage {
+		panic("already started")
+	}
+	m.started = true
+	m.stage = stage
+	for _, inbound := range m.inbounds {
+		err := adapter.LegacyStart(inbound, stage)
+		if err != nil {
+			return E.Cause(err, stage.Action(), " inbound/", inbound.Type(), "[", inbound.Tag(), "]")
+		}
+	}
+	return nil
+}
+
+func (m *Manager) Close() error {
+	m.access.Lock()
+	defer m.access.Unlock()
+	if !m.started {
+		return nil
+	}
+	m.started = false
+	inbounds := m.inbounds
+	m.inbounds = nil
+	monitor := taskmonitor.New(m.logger, C.StopTimeout)
+	var err error
+	for _, inbound := range inbounds {
+		monitor.Start("close inbound/", inbound.Type(), "[", inbound.Tag(), "]")
+		err = E.Append(err, inbound.Close(), func(err error) error {
+			return E.Cause(err, "close inbound/", inbound.Type(), "[", inbound.Tag(), "]")
+		})
+		monitor.Finish()
+	}
+	return nil
+}
+
+func (m *Manager) Inbounds() []adapter.Inbound {
+	m.access.Lock()
+	defer m.access.Unlock()
+	return m.inbounds
+}
+
+func (m *Manager) Get(tag string) (adapter.Inbound, bool) {
+	m.access.Lock()
+	defer m.access.Unlock()
+	inbound, found := m.inboundByTag[tag]
+	return inbound, found
+}
+
+func (m *Manager) Remove(tag string) error {
+	m.access.Lock()
+	inbound, found := m.inboundByTag[tag]
+	if !found {
+		m.access.Unlock()
+		return os.ErrInvalid
+	}
+	delete(m.inboundByTag, tag)
+	index := common.Index(m.inbounds, func(it adapter.Inbound) bool {
+		return it == inbound
+	})
+	if index == -1 {
+		panic("invalid inbound index")
+	}
+	m.inbounds = append(m.inbounds[:index], m.inbounds[index+1:]...)
+	started := m.started
+	m.access.Unlock()
+	if started {
+		return inbound.Close()
+	}
+	return nil
+}
+
+func (m *Manager) Create(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, outboundType string, options any) error {
+	inbound, err := m.registry.Create(ctx, router, logger, tag, outboundType, options)
+	if err != nil {
+		return err
+	}
+	m.access.Lock()
+	defer m.access.Unlock()
+	if m.started {
+		for _, stage := range adapter.ListStartStages {
+			err = adapter.LegacyStart(inbound, stage)
+			if err != nil {
+				return E.Cause(err, stage.Action(), " inbound/", inbound.Type(), "[", inbound.Tag(), "]")
+			}
+		}
+	}
+	if existsInbound, loaded := m.inboundByTag[tag]; loaded {
+		if m.started {
+			err = existsInbound.Close()
+			if err != nil {
+				return E.Cause(err, "close inbound/", existsInbound.Type(), "[", existsInbound.Tag(), "]")
+			}
+		}
+		existsIndex := common.Index(m.inbounds, func(it adapter.Inbound) bool {
+			return it == existsInbound
+		})
+		if existsIndex == -1 {
+			panic("invalid inbound index")
+		}
+		m.inbounds = append(m.inbounds[:existsIndex], m.inbounds[existsIndex+1:]...)
+	}
+	m.inbounds = append(m.inbounds, inbound)
+	m.inboundByTag[tag] = inbound
+	return nil
+}

adapter/inbound/registry.go

@@ -0,0 +1,68 @@
+package inbound
+
+import (
+	"context"
+	"sync"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+type ConstructorFunc[T any] func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options T) (adapter.Inbound, error)
+
+func Register[Options any](registry *Registry, outboundType string, constructor ConstructorFunc[Options]) {
+	registry.register(outboundType, func() any {
+		return new(Options)
+	}, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options any) (adapter.Inbound, error) {
+		return constructor(ctx, router, logger, tag, common.PtrValueOrDefault(options.(*Options)))
+	})
+}
+
+var _ adapter.InboundRegistry = (*Registry)(nil)
+
+type (
+	optionsConstructorFunc func() any
+	constructorFunc        func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options any) (adapter.Inbound, error)
+)
+
+type Registry struct {
+	access      sync.Mutex
+	optionsType map[string]optionsConstructorFunc
+	constructor map[string]constructorFunc
+}
+
+func NewRegistry() *Registry {
+	return &Registry{
+		optionsType: make(map[string]optionsConstructorFunc),
+		constructor: make(map[string]constructorFunc),
+	}
+}
+
+func (m *Registry) CreateOptions(outboundType string) (any, bool) {
+	m.access.Lock()
+	defer m.access.Unlock()
+	optionsConstructor, loaded := m.optionsType[outboundType]
+	if !loaded {
+		return nil, false
+	}
+	return optionsConstructor(), true
+}
+
+func (m *Registry) Create(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, outboundType string, options any) (adapter.Inbound, error) {
+	m.access.Lock()
+	defer m.access.Unlock()
+	constructor, loaded := m.constructor[outboundType]
+	if !loaded {
+		return nil, E.New("outbound type not found: " + outboundType)
+	}
+	return constructor(ctx, router, logger, tag, options)
+}
+
+func (m *Registry) register(outboundType string, optionsConstructor optionsConstructorFunc, constructor constructorFunc) {
+	m.access.Lock()
+	defer m.access.Unlock()
+	m.optionsType[outboundType] = optionsConstructor
+	m.constructor[outboundType] = constructor
+}

adapter/lifecycle.go

@@ -0,0 +1,42 @@
+package adapter
+
+type StartStage uint8
+
+const (
+	StartStateInitialize StartStage = iota
+	StartStateStart
+	StartStatePostStart
+	StartStateStarted
+)
+
+var ListStartStages = []StartStage{
+	StartStateInitialize,
+	StartStateStart,
+	StartStatePostStart,
+	StartStateStarted,
+}
+
+func (s StartStage) Action() string {
+	switch s {
+	case StartStateInitialize:
+		return "initialize"
+	case StartStateStart:
+		return "start"
+	case StartStatePostStart:
+		return "post-start"
+	case StartStateStarted:
+		return "start-after-started"
+	default:
+		panic("unknown stage")
+	}
+}
+
+type Lifecycle interface {
+	Start(stage StartStage) error
+	Close() error
+}
+
+type LifecycleService interface {
+	Name() string
+	Lifecycle
+}

adapter/lifecycle_legacy.go

@@ -0,0 +1,49 @@
+package adapter
+
+func LegacyStart(starter any, stage StartStage) error {
+	switch stage {
+	case StartStateInitialize:
+		if preStarter, isPreStarter := starter.(interface {
+			PreStart() error
+		}); isPreStarter {
+			return preStarter.PreStart()
+		}
+	case StartStateStart:
+		if starter, isStarter := starter.(interface {
+			Start() error
+		}); isStarter {
+			return starter.Start()
+		}
+	case StartStatePostStart:
+		if postStarter, isPostStarter := starter.(interface {
+			PostStart() error
+		}); isPostStarter {
+			return postStarter.PostStart()
+		}
+	}
+	return nil
+}
+
+type lifecycleServiceWrapper struct {
+	Service
+	name string
+}
+
+func NewLifecycleService(service Service, name string) LifecycleService {
+	return &lifecycleServiceWrapper{
+		Service: service,
+		name:    name,
+	}
+}
+
+func (l *lifecycleServiceWrapper) Name() string {
+	return l.name
+}
+
+func (l *lifecycleServiceWrapper) Start(stage StartStage) error {
+	return LegacyStart(l.Service, stage)
+}
+
+func (l *lifecycleServiceWrapper) Close() error {
+	return l.Service.Close()
+}

adapter/network.go

@@ -0,0 +1,23 @@
+package adapter
+
+import (
+	"github.com/sagernet/sing-tun"
+	"github.com/sagernet/sing/common/control"
+)
+
+type NetworkManager interface {
+	Lifecycle
+	InterfaceFinder() control.InterfaceFinder
+	UpdateInterfaces() error
+	DefaultInterface() string
+	AutoDetectInterface() bool
+	AutoDetectInterfaceFunc() control.Func
+	DefaultMark() uint32
+	RegisterAutoRedirectOutputMark(mark uint32) error
+	AutoRedirectOutputMark() uint32
+	NetworkMonitor() tun.NetworkUpdateMonitor
+	InterfaceMonitor() tun.DefaultInterfaceMonitor
+	PackageManager() tun.PackageManager
+	WIFIState() WIFIState
+	ResetNetwork()
+}

adapter/outbound.go

@@ -2,8 +2,9 @@ package adapter
 
 import (
 	"context"
-	"net"
 
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
 	N "github.com/sagernet/sing/common/network"
 )
 
@@ -15,6 +16,18 @@ type Outbound interface {
 	Network() []string
 	Dependencies() []string
 	N.Dialer
-	NewConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
+}
-	NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
+
+type OutboundRegistry interface {
+	option.OutboundOptionsRegistry
+	CreateOutbound(ctx context.Context, router Router, logger log.ContextLogger, tag string, outboundType string, options any) (Outbound, error)
+}
+
+type OutboundManager interface {
+	Lifecycle
+	Outbounds() []Outbound
+	Outbound(tag string) (Outbound, bool)
+	Default() Outbound
+	Remove(tag string) error
+	Create(ctx context.Context, router Router, logger log.ContextLogger, tag string, outboundType string, options any) error
 }

adapter/outbound/adapter.go

@@ -0,0 +1,45 @@
+package outbound
+
+import (
+	"github.com/sagernet/sing-box/option"
+)
+
+type Adapter struct {
+	protocol     string
+	network      []string
+	tag          string
+	dependencies []string
+}
+
+func NewAdapter(protocol string, network []string, tag string, dependencies []string) Adapter {
+	return Adapter{
+		protocol:     protocol,
+		network:      network,
+		tag:          tag,
+		dependencies: dependencies,
+	}
+}
+
+func NewAdapterWithDialerOptions(protocol string, network []string, tag string, dialOptions option.DialerOptions) Adapter {
+	var dependencies []string
+	if dialOptions.Detour != "" {
+		dependencies = []string{dialOptions.Detour}
+	}
+	return NewAdapter(protocol, network, tag, dependencies)
+}
+
+func (a *Adapter) Type() string {
+	return a.protocol
+}
+
+func (a *Adapter) Tag() string {
+	return a.tag
+}
+
+func (a *Adapter) Network() []string {
+	return a.network
+}
+
+func (a *Adapter) Dependencies() []string {
+	return a.dependencies
+}

adapter/outbound/default.go

@@ -9,8 +9,6 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/log"
-	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-dns"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/buf"
@@ -21,43 +19,8 @@ import (
 	N "github.com/sagernet/sing/common/network"
 )
 
-type myOutboundAdapter struct {
-	protocol     string
-	network      []string
-	router       adapter.Router
-	logger       log.ContextLogger
-	tag          string
-	dependencies []string
-}
-
-func (a *myOutboundAdapter) Type() string {
-	return a.protocol
-}
-
-func (a *myOutboundAdapter) Tag() string {
-	return a.tag
-}
-
-func (a *myOutboundAdapter) Network() []string {
-	return a.network
-}
-
-func (a *myOutboundAdapter) Dependencies() []string {
-	return a.dependencies
-}
-
-func (a *myOutboundAdapter) NewError(ctx context.Context, err error) {
-	NewError(a.logger, ctx, err)
-}
-
-func withDialerDependency(options option.DialerOptions) []string {
-	if options.Detour != "" {
-		return []string{options.Detour}
-	}
-	return nil
-}
-
 func NewConnection(ctx context.Context, this N.Dialer, conn net.Conn, metadata adapter.InboundContext) error {
+	defer conn.Close()
 	ctx = adapter.WithContext(ctx, &metadata)
 	var outConn net.Conn
 	var err error
@@ -69,7 +32,7 @@ func NewConnection(ctx context.Context, this N.Dialer, conn net.Conn, metadata a
 	if err != nil {
 		return N.ReportHandshakeFailure(conn, err)
 	}
-	err = N.ReportHandshakeSuccess(conn)
+	err = N.ReportConnHandshakeSuccess(conn, outConn)
 	if err != nil {
 		outConn.Close()
 		return err
@@ -78,6 +41,7 @@ func NewConnection(ctx context.Context, this N.Dialer, conn net.Conn, metadata a
 }
 
 func NewDirectConnection(ctx context.Context, router adapter.Router, this N.Dialer, conn net.Conn, metadata adapter.InboundContext, domainStrategy dns.DomainStrategy) error {
+	defer conn.Close()
 	ctx = adapter.WithContext(ctx, &metadata)
 	var outConn net.Conn
 	var err error
@@ -96,7 +60,7 @@ func NewDirectConnection(ctx context.Context, router adapter.Router, this N.Dial
 	if err != nil {
 		return N.ReportHandshakeFailure(conn, err)
 	}
-	err = N.ReportHandshakeSuccess(conn)
+	err = N.ReportConnHandshakeSuccess(conn, outConn)
 	if err != nil {
 		outConn.Close()
 		return err
@@ -105,29 +69,49 @@ func NewDirectConnection(ctx context.Context, router adapter.Router, this N.Dial
 }
 
 func NewPacketConnection(ctx context.Context, this N.Dialer, conn N.PacketConn, metadata adapter.InboundContext) error {
+	defer conn.Close()
 	ctx = adapter.WithContext(ctx, &metadata)
-	var outConn net.PacketConn
+	var (
-	var destinationAddress netip.Addr
+		outPacketConn      net.PacketConn
-	var err error
+		outConn            net.Conn
+		destinationAddress netip.Addr
+		err                error
+	)
+	if metadata.UDPConnect {
 		if len(metadata.DestinationAddresses) > 0 {
-		outConn, destinationAddress, err = N.ListenSerial(ctx, this, metadata.Destination, metadata.DestinationAddresses)
+			outConn, err = N.DialSerial(ctx, this, N.NetworkUDP, metadata.Destination, metadata.DestinationAddresses)
 		} else {
-		outConn, err = this.ListenPacket(ctx, metadata.Destination)
+			outConn, err = this.DialContext(ctx, N.NetworkUDP, metadata.Destination)
 		}
 		if err != nil {
 			return N.ReportHandshakeFailure(conn, err)
 		}
-	err = N.ReportHandshakeSuccess(conn)
+		outPacketConn = bufio.NewUnbindPacketConn(outConn)
+		connRemoteAddr := M.AddrFromNet(outConn.RemoteAddr())
+		if connRemoteAddr != metadata.Destination.Addr {
+			destinationAddress = connRemoteAddr
+		}
+	} else {
+		if len(metadata.DestinationAddresses) > 0 {
+			outPacketConn, destinationAddress, err = N.ListenSerial(ctx, this, metadata.Destination, metadata.DestinationAddresses)
+		} else {
+			outPacketConn, err = this.ListenPacket(ctx, metadata.Destination)
+		}
 		if err != nil {
-		outConn.Close()
+			return N.ReportHandshakeFailure(conn, err)
+		}
+	}
+	err = N.ReportPacketConnHandshakeSuccess(conn, outPacketConn)
+	if err != nil {
+		outPacketConn.Close()
 		return err
 	}
 	if destinationAddress.IsValid() {
 		if metadata.Destination.IsFqdn() {
-			if metadata.InboundOptions.UDPDisableDomainUnmapping {
+			if metadata.UDPDisableDomainUnmapping {
-				outConn = bufio.NewUnidirectionalNATPacketConn(bufio.NewPacketConn(outConn), M.SocksaddrFrom(destinationAddress, metadata.Destination.Port), metadata.Destination)
+				outPacketConn = bufio.NewUnidirectionalNATPacketConn(bufio.NewPacketConn(outPacketConn), M.SocksaddrFrom(destinationAddress, metadata.Destination.Port), metadata.Destination)
 			} else {
-				outConn = bufio.NewNATPacketConn(bufio.NewPacketConn(outConn), M.SocksaddrFrom(destinationAddress, metadata.Destination.Port), metadata.Destination)
+				outPacketConn = bufio.NewNATPacketConn(bufio.NewPacketConn(outPacketConn), M.SocksaddrFrom(destinationAddress, metadata.Destination.Port), metadata.Destination)
 			}
 		}
 		if natConn, loaded := common.Cast[bufio.NATPacketConn](conn); loaded {
@@ -142,37 +126,63 @@ func NewPacketConnection(ctx context.Context, this N.Dialer, conn N.PacketConn,
 	case C.ProtocolDNS:
 		ctx, conn = canceler.NewPacketConn(ctx, conn, C.DNSTimeout)
 	}
-	return bufio.CopyPacketConn(ctx, conn, bufio.NewPacketConn(outConn))
+	return bufio.CopyPacketConn(ctx, conn, bufio.NewPacketConn(outPacketConn))
 }
 
 func NewDirectPacketConnection(ctx context.Context, router adapter.Router, this N.Dialer, conn N.PacketConn, metadata adapter.InboundContext, domainStrategy dns.DomainStrategy) error {
+	defer conn.Close()
 	ctx = adapter.WithContext(ctx, &metadata)
-	var outConn net.PacketConn
+	var (
-	var destinationAddress netip.Addr
+		outPacketConn      net.PacketConn
-	var err error
+		outConn            net.Conn
+		destinationAddress netip.Addr
+		err                error
+	)
+	if metadata.UDPConnect {
 		if len(metadata.DestinationAddresses) > 0 {
-		outConn, destinationAddress, err = N.ListenSerial(ctx, this, metadata.Destination, metadata.DestinationAddresses)
+			outConn, err = N.DialSerial(ctx, this, N.NetworkUDP, metadata.Destination, metadata.DestinationAddresses)
 		} else if metadata.Destination.IsFqdn() {
 			var destinationAddresses []netip.Addr
 			destinationAddresses, err = router.Lookup(ctx, metadata.Destination.Fqdn, domainStrategy)
 			if err != nil {
 				return N.ReportHandshakeFailure(conn, err)
 			}
-		outConn, destinationAddress, err = N.ListenSerial(ctx, this, metadata.Destination, destinationAddresses)
+			outConn, err = N.DialSerial(ctx, this, N.NetworkUDP, metadata.Destination, destinationAddresses)
 		} else {
-		outConn, err = this.ListenPacket(ctx, metadata.Destination)
+			outConn, err = this.DialContext(ctx, N.NetworkUDP, metadata.Destination)
 		}
 		if err != nil {
 			return N.ReportHandshakeFailure(conn, err)
 		}
-	err = N.ReportHandshakeSuccess(conn)
+		connRemoteAddr := M.AddrFromNet(outConn.RemoteAddr())
+		if connRemoteAddr != metadata.Destination.Addr {
+			destinationAddress = connRemoteAddr
+		}
+	} else {
+		if len(metadata.DestinationAddresses) > 0 {
+			outPacketConn, destinationAddress, err = N.ListenSerial(ctx, this, metadata.Destination, metadata.DestinationAddresses)
+		} else if metadata.Destination.IsFqdn() {
+			var destinationAddresses []netip.Addr
+			destinationAddresses, err = router.Lookup(ctx, metadata.Destination.Fqdn, domainStrategy)
 			if err != nil {
-		outConn.Close()
+				return N.ReportHandshakeFailure(conn, err)
+			}
+			outPacketConn, destinationAddress, err = N.ListenSerial(ctx, this, metadata.Destination, destinationAddresses)
+		} else {
+			outPacketConn, err = this.ListenPacket(ctx, metadata.Destination)
+		}
+		if err != nil {
+			return N.ReportHandshakeFailure(conn, err)
+		}
+	}
+	err = N.ReportPacketConnHandshakeSuccess(conn, outPacketConn)
+	if err != nil {
+		outPacketConn.Close()
 		return err
 	}
 	if destinationAddress.IsValid() {
 		if metadata.Destination.IsFqdn() {
-			outConn = bufio.NewNATPacketConn(bufio.NewPacketConn(outConn), M.SocksaddrFrom(destinationAddress, metadata.Destination.Port), metadata.Destination)
+			outPacketConn = bufio.NewNATPacketConn(bufio.NewPacketConn(outPacketConn), M.SocksaddrFrom(destinationAddress, metadata.Destination.Port), metadata.Destination)
 		}
 		if natConn, loaded := common.Cast[bufio.NATPacketConn](conn); loaded {
 			natConn.UpdateDestination(destinationAddress)
@@ -186,7 +196,7 @@ func NewDirectPacketConnection(ctx context.Context, router adapter.Router, this
 	case C.ProtocolDNS:
 		ctx, conn = canceler.NewPacketConn(ctx, conn, C.DNSTimeout)
 	}
-	return bufio.CopyPacketConn(ctx, conn, bufio.NewPacketConn(outConn))
+	return bufio.CopyPacketConn(ctx, conn, bufio.NewPacketConn(outPacketConn))
 }
 
 func CopyEarlyConn(ctx context.Context, conn net.Conn, serverConn net.Conn) error {
@@ -233,12 +243,3 @@ func CopyEarlyConn(ctx context.Context, conn net.Conn, serverConn net.Conn) erro
 	}
 	return bufio.CopyConn(ctx, conn, serverConn)
 }
-
-func NewError(logger log.ContextLogger, ctx context.Context, err error) {
-	common.Close(err)
-	if E.IsClosedOrCanceled(err) {
-		logger.DebugContext(ctx, "connection closed: ", err)
-		return
-	}
-	logger.ErrorContext(ctx, err)
-}

adapter/outbound/manager.go

@@ -0,0 +1,269 @@
+package outbound
+
+import (
+	"context"
+	"io"
+	"os"
+	"strings"
+	"sync"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/taskmonitor"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+)
+
+var _ adapter.OutboundManager = (*Manager)(nil)
+
+type Manager struct {
+	logger                  log.ContextLogger
+	registry                adapter.OutboundRegistry
+	defaultTag              string
+	access                  sync.Mutex
+	started                 bool
+	stage                   adapter.StartStage
+	outbounds               []adapter.Outbound
+	outboundByTag           map[string]adapter.Outbound
+	dependByTag             map[string][]string
+	defaultOutbound         adapter.Outbound
+	defaultOutboundFallback adapter.Outbound
+}
+
+func NewManager(logger logger.ContextLogger, registry adapter.OutboundRegistry, defaultTag string) *Manager {
+	return &Manager{
+		logger:        logger,
+		registry:      registry,
+		defaultTag:    defaultTag,
+		outboundByTag: make(map[string]adapter.Outbound),
+		dependByTag:   make(map[string][]string),
+	}
+}
+
+func (m *Manager) Initialize(defaultOutboundFallback adapter.Outbound) {
+	m.defaultOutboundFallback = defaultOutboundFallback
+}
+
+func (m *Manager) Start(stage adapter.StartStage) error {
+	m.access.Lock()
+	if m.started && m.stage >= stage {
+		panic("already started")
+	}
+	m.started = true
+	m.stage = stage
+	outbounds := m.outbounds
+	m.access.Unlock()
+	if stage == adapter.StartStateStart {
+		return m.startOutbounds(outbounds)
+	} else {
+		for _, outbound := range outbounds {
+			err := adapter.LegacyStart(outbound, stage)
+			if err != nil {
+				return E.Cause(err, stage.Action(), " outbound/", outbound.Type(), "[", outbound.Tag(), "]")
+			}
+		}
+	}
+	return nil
+}
+
+func (m *Manager) startOutbounds(outbounds []adapter.Outbound) error {
+	monitor := taskmonitor.New(m.logger, C.StartTimeout)
+	started := make(map[string]bool)
+	for {
+		canContinue := false
+	startOne:
+		for _, outboundToStart := range outbounds {
+			outboundTag := outboundToStart.Tag()
+			if started[outboundTag] {
+				continue
+			}
+			dependencies := outboundToStart.Dependencies()
+			for _, dependency := range dependencies {
+				if !started[dependency] {
+					continue startOne
+				}
+			}
+			started[outboundTag] = true
+			canContinue = true
+			if starter, isStarter := outboundToStart.(interface {
+				Start() error
+			}); isStarter {
+				monitor.Start("start outbound/", outboundToStart.Type(), "[", outboundTag, "]")
+				err := starter.Start()
+				monitor.Finish()
+				if err != nil {
+					return E.Cause(err, "start outbound/", outboundToStart.Type(), "[", outboundTag, "]")
+				}
+			}
+		}
+		if len(started) == len(outbounds) {
+			break
+		}
+		if canContinue {
+			continue
+		}
+		currentOutbound := common.Find(outbounds, func(it adapter.Outbound) bool {
+			return !started[it.Tag()]
+		})
+		var lintOutbound func(oTree []string, oCurrent adapter.Outbound) error
+		lintOutbound = func(oTree []string, oCurrent adapter.Outbound) error {
+			problemOutboundTag := common.Find(oCurrent.Dependencies(), func(it string) bool {
+				return !started[it]
+			})
+			if common.Contains(oTree, problemOutboundTag) {
+				return E.New("circular outbound dependency: ", strings.Join(oTree, " -> "), " -> ", problemOutboundTag)
+			}
+			m.access.Lock()
+			problemOutbound := m.outboundByTag[problemOutboundTag]
+			m.access.Unlock()
+			if problemOutbound == nil {
+				return E.New("dependency[", problemOutboundTag, "] not found for outbound[", oCurrent.Tag(), "]")
+			}
+			return lintOutbound(append(oTree, problemOutboundTag), problemOutbound)
+		}
+		return lintOutbound([]string{currentOutbound.Tag()}, currentOutbound)
+	}
+	return nil
+}
+
+func (m *Manager) Close() error {
+	monitor := taskmonitor.New(m.logger, C.StopTimeout)
+	m.access.Lock()
+	if !m.started {
+		m.access.Unlock()
+		return nil
+	}
+	m.started = false
+	outbounds := m.outbounds
+	m.outbounds = nil
+	m.access.Unlock()
+	var err error
+	for _, outbound := range outbounds {
+		if closer, isCloser := outbound.(io.Closer); isCloser {
+			monitor.Start("close outbound/", outbound.Type(), "[", outbound.Tag(), "]")
+			err = E.Append(err, closer.Close(), func(err error) error {
+				return E.Cause(err, "close outbound/", outbound.Type(), "[", outbound.Tag(), "]")
+			})
+			monitor.Finish()
+		}
+	}
+	return nil
+}
+
+func (m *Manager) Outbounds() []adapter.Outbound {
+	m.access.Lock()
+	defer m.access.Unlock()
+	return m.outbounds
+}
+
+func (m *Manager) Outbound(tag string) (adapter.Outbound, bool) {
+	m.access.Lock()
+	defer m.access.Unlock()
+	outbound, found := m.outboundByTag[tag]
+	return outbound, found
+}
+
+func (m *Manager) Default() adapter.Outbound {
+	m.access.Lock()
+	defer m.access.Unlock()
+	if m.defaultOutbound != nil {
+		return m.defaultOutbound
+	} else {
+		return m.defaultOutboundFallback
+	}
+}
+
+func (m *Manager) Remove(tag string) error {
+	m.access.Lock()
+	outbound, found := m.outboundByTag[tag]
+	if !found {
+		m.access.Unlock()
+		return os.ErrInvalid
+	}
+	delete(m.outboundByTag, tag)
+	index := common.Index(m.outbounds, func(it adapter.Outbound) bool {
+		return it == outbound
+	})
+	if index == -1 {
+		panic("invalid inbound index")
+	}
+	m.outbounds = append(m.outbounds[:index], m.outbounds[index+1:]...)
+	started := m.started
+	if m.defaultOutbound == outbound {
+		if len(m.outbounds) > 0 {
+			m.defaultOutbound = m.outbounds[0]
+			m.logger.Info("updated default outbound to ", m.defaultOutbound.Tag())
+		} else {
+			m.defaultOutbound = nil
+		}
+	}
+	dependBy := m.dependByTag[tag]
+	if len(dependBy) > 0 {
+		return E.New("outbound[", tag, "] is depended by ", strings.Join(dependBy, ", "))
+	}
+	dependencies := outbound.Dependencies()
+	for _, dependency := range dependencies {
+		if len(m.dependByTag[dependency]) == 1 {
+			delete(m.dependByTag, dependency)
+		} else {
+			m.dependByTag[dependency] = common.Filter(m.dependByTag[dependency], func(it string) bool {
+				return it != tag
+			})
+		}
+	}
+	m.access.Unlock()
+	if started {
+		return common.Close(outbound)
+	}
+	return nil
+}
+
+func (m *Manager) Create(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, inboundType string, options any) error {
+	if tag == "" {
+		return os.ErrInvalid
+	}
+	outbound, err := m.registry.CreateOutbound(ctx, router, logger, tag, inboundType, options)
+	if err != nil {
+		return err
+	}
+	m.access.Lock()
+	defer m.access.Unlock()
+	if m.started {
+		for _, stage := range adapter.ListStartStages {
+			err = adapter.LegacyStart(outbound, stage)
+			if err != nil {
+				return E.Cause(err, stage.Action(), " outbound/", outbound.Type(), "[", outbound.Tag(), "]")
+			}
+		}
+	}
+	if existsOutbound, loaded := m.outboundByTag[tag]; loaded {
+		if m.started {
+			err = common.Close(existsOutbound)
+			if err != nil {
+				return E.Cause(err, "close outbound/", existsOutbound.Type(), "[", existsOutbound.Tag(), "]")
+			}
+		}
+		existsIndex := common.Index(m.outbounds, func(it adapter.Outbound) bool {
+			return it == existsOutbound
+		})
+		if existsIndex == -1 {
+			panic("invalid inbound index")
+		}
+		m.outbounds = append(m.outbounds[:existsIndex], m.outbounds[existsIndex+1:]...)
+	}
+	m.outbounds = append(m.outbounds, outbound)
+	m.outboundByTag[tag] = outbound
+	dependencies := outbound.Dependencies()
+	for _, dependency := range dependencies {
+		m.dependByTag[dependency] = append(m.dependByTag[dependency], tag)
+	}
+	if tag == m.defaultTag || (m.defaultTag == "" && m.defaultOutbound == nil) {
+		m.defaultOutbound = outbound
+		if m.started {
+			m.logger.Info("updated default outbound to ", outbound.Tag())
+		}
+	}
+	return nil
+}

adapter/outbound/registry.go

@@ -0,0 +1,68 @@
+package outbound
+
+import (
+	"context"
+	"sync"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+type ConstructorFunc[T any] func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options T) (adapter.Outbound, error)
+
+func Register[Options any](registry *Registry, outboundType string, constructor ConstructorFunc[Options]) {
+	registry.register(outboundType, func() any {
+		return new(Options)
+	}, func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options any) (adapter.Outbound, error) {
+		return constructor(ctx, router, logger, tag, common.PtrValueOrDefault(options.(*Options)))
+	})
+}
+
+var _ adapter.OutboundRegistry = (*Registry)(nil)
+
+type (
+	optionsConstructorFunc func() any
+	constructorFunc        func(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options any) (adapter.Outbound, error)
+)
+
+type Registry struct {
+	access       sync.Mutex
+	optionsType  map[string]optionsConstructorFunc
+	constructors map[string]constructorFunc
+}
+
+func NewRegistry() *Registry {
+	return &Registry{
+		optionsType:  make(map[string]optionsConstructorFunc),
+		constructors: make(map[string]constructorFunc),
+	}
+}
+
+func (r *Registry) CreateOptions(outboundType string) (any, bool) {
+	r.access.Lock()
+	defer r.access.Unlock()
+	optionsConstructor, loaded := r.optionsType[outboundType]
+	if !loaded {
+		return nil, false
+	}
+	return optionsConstructor(), true
+}
+
+func (r *Registry) CreateOutbound(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, outboundType string, options any) (adapter.Outbound, error) {
+	r.access.Lock()
+	defer r.access.Unlock()
+	constructor, loaded := r.constructors[outboundType]
+	if !loaded {
+		return nil, E.New("outbound type not found: " + outboundType)
+	}
+	return constructor(ctx, router, logger, tag, options)
+}
+
+func (r *Registry) register(outboundType string, optionsConstructor optionsConstructorFunc, constructor constructorFunc) {
+	r.access.Lock()
+	defer r.access.Unlock()
+	r.optionsType[outboundType] = optionsConstructor
+	r.constructors[outboundType] = constructor
+}

adapter/prestart.go

@@ -1,9 +1 @@
 package adapter
-
-type PreStarter interface {
-	PreStart() error
-}
-
-type PostStarter interface {
-	PostStart() error
-}

adapter/router.go

@@ -10,94 +10,54 @@ import (
 	"github.com/sagernet/sing-box/common/geoip"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-dns"
-	"github.com/sagernet/sing-tun"
-	"github.com/sagernet/sing/common/control"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/x/list"
-	"github.com/sagernet/sing/service"
 
 	mdns "github.com/miekg/dns"
 	"go4.org/netipx"
 )
 
 type Router interface {
-	Service
+	Lifecycle
-	PreStarter
-	PostStarter
-	Cleanup() error
-
-	Outbounds() []Outbound
-	Outbound(tag string) (Outbound, bool)
-	DefaultOutbound(network string) (Outbound, error)
 
 	FakeIPStore() FakeIPStore
 
 	ConnectionRouter
+	PreMatch(metadata InboundContext) error
+	ConnectionRouterEx
 
 	GeoIPReader() *geoip.Reader
 	LoadGeosite(code string) (Rule, error)
-
 	RuleSet(tag string) (RuleSet, bool)
-
 	NeedWIFIState() bool
 
 	Exchange(ctx context.Context, message *mdns.Msg) (*mdns.Msg, error)
 	Lookup(ctx context.Context, domain string, strategy dns.DomainStrategy) ([]netip.Addr, error)
 	LookupDefault(ctx context.Context, domain string) ([]netip.Addr, error)
 	ClearDNSCache()
-
-	InterfaceFinder() control.InterfaceFinder
-	UpdateInterfaces() error
-	DefaultInterface() string
-	AutoDetectInterface() bool
-	AutoDetectInterfaceFunc() control.Func
-	DefaultMark() uint32
-	RegisterAutoRedirectOutputMark(mark uint32) error
-	AutoRedirectOutputMark() uint32
-	NetworkMonitor() tun.NetworkUpdateMonitor
-	InterfaceMonitor() tun.DefaultInterfaceMonitor
-	PackageManager() tun.PackageManager
-	WIFIState() WIFIState
 	Rules() []Rule
 
-	ClashServer() ClashServer
+	SetTracker(tracker ConnectionTracker)
-	SetClashServer(server ClashServer)
 
-	V2RayServer() V2RayServer
+	ResetNetwork()
-	SetV2RayServer(server V2RayServer)
-
-	ResetNetwork() error
 }
 
-func ContextWithRouter(ctx context.Context, router Router) context.Context {
+type ConnectionTracker interface {
-	return service.ContextWith(ctx, router)
+	RoutedConnection(ctx context.Context, conn net.Conn, metadata InboundContext, matchedRule Rule, matchOutbound Outbound) net.Conn
+	RoutedPacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext, matchedRule Rule, matchOutbound Outbound) N.PacketConn
 }
 
-func RouterFromContext(ctx context.Context) Router {
+// Deprecated: Use ConnectionRouterEx instead.
-	return service.FromContext[Router](ctx)
+type ConnectionRouter interface {
+	RouteConnection(ctx context.Context, conn net.Conn, metadata InboundContext) error
+	RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
 }
 
-type HeadlessRule interface {
+type ConnectionRouterEx interface {
-	Match(metadata *InboundContext) bool
+	ConnectionRouter
-	String() string
+	RouteConnectionEx(ctx context.Context, conn net.Conn, metadata InboundContext, onClose N.CloseHandlerFunc)
-}
+	RoutePacketConnectionEx(ctx context.Context, conn N.PacketConn, metadata InboundContext, onClose N.CloseHandlerFunc)
-
-type Rule interface {
-	HeadlessRule
-	Service
-	Type() string
-	UpdateGeosite() error
-	Outbound() string
-}
-
-type DNSRule interface {
-	Rule
-	DisableCache() bool
-	RewriteTTL() *uint32
-	ClientSubnet() *netip.Prefix
-	WithAddressLimit() bool
-	MatchAddressLimit(metadata *InboundContext) bool
 }
 
 type RuleSet interface {

adapter/rule.go

@@ -0,0 +1,38 @@
+package adapter
+
+import (
+	C "github.com/sagernet/sing-box/constant"
+)
+
+type HeadlessRule interface {
+	Match(metadata *InboundContext) bool
+	String() string
+}
+
+type Rule interface {
+	HeadlessRule
+	Service
+	Type() string
+	UpdateGeosite() error
+	Action() RuleAction
+}
+
+type DNSRule interface {
+	Rule
+	WithAddressLimit() bool
+	MatchAddressLimit(metadata *InboundContext) bool
+}
+
+type RuleAction interface {
+	Type() string
+	String() string
+}
+
+func IsFinalAction(action RuleAction) bool {
+	switch action.Type() {
+	case C.RuleActionTypeSniff, C.RuleActionTypeResolve:
+		return false
+	default:
+		return true
+	}
+}

adapter/upstream.go

@@ -4,112 +4,165 @@ import (
 	"context"
 	"net"
 
-	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 )
 
 type (
-	ConnectionHandlerFunc       = func(ctx context.Context, conn net.Conn, metadata InboundContext) error
+	ConnectionHandlerFuncEx       = func(ctx context.Context, conn net.Conn, metadata InboundContext, onClose N.CloseHandlerFunc)
-	PacketConnectionHandlerFunc = func(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
+	PacketConnectionHandlerFuncEx = func(ctx context.Context, conn N.PacketConn, metadata InboundContext, onClose N.CloseHandlerFunc)
 )
 
-func NewUpstreamHandler(
+func NewUpstreamHandlerEx(
 	metadata InboundContext,
-	connectionHandler ConnectionHandlerFunc,
+	connectionHandler ConnectionHandlerFuncEx,
-	packetHandler PacketConnectionHandlerFunc,
+	packetHandler PacketConnectionHandlerFuncEx,
-	errorHandler E.Handler,
+) UpstreamHandlerAdapterEx {
-) UpstreamHandlerAdapter {
+	return &myUpstreamHandlerWrapperEx{
-	return &myUpstreamHandlerWrapper{
 		metadata:          metadata,
 		connectionHandler: connectionHandler,
 		packetHandler:     packetHandler,
-		errorHandler:      errorHandler,
 	}
 }
 
-var _ UpstreamHandlerAdapter = (*myUpstreamHandlerWrapper)(nil)
+var _ UpstreamHandlerAdapterEx = (*myUpstreamHandlerWrapperEx)(nil)
 
-type myUpstreamHandlerWrapper struct {
+type myUpstreamHandlerWrapperEx struct {
 	metadata          InboundContext
-	connectionHandler ConnectionHandlerFunc
+	connectionHandler ConnectionHandlerFuncEx
-	packetHandler     PacketConnectionHandlerFunc
+	packetHandler     PacketConnectionHandlerFuncEx
-	errorHandler      E.Handler
 }
 
-func (w *myUpstreamHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+func (w *myUpstreamHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
 	myMetadata := w.metadata
-	if metadata.Source.IsValid() {
+	if source.IsValid() {
-		myMetadata.Source = metadata.Source
+		myMetadata.Source = source
 	}
-	if metadata.Destination.IsValid() {
+	if destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
+		myMetadata.Destination = destination
 	}
-	return w.connectionHandler(ctx, conn, myMetadata)
+	w.connectionHandler(ctx, conn, myMetadata, onClose)
 }
 
-func (w *myUpstreamHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
+func (w *myUpstreamHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
 	myMetadata := w.metadata
-	if metadata.Source.IsValid() {
+	if source.IsValid() {
-		myMetadata.Source = metadata.Source
+		myMetadata.Source = source
 	}
-	if metadata.Destination.IsValid() {
+	if destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
+		myMetadata.Destination = destination
 	}
-	return w.packetHandler(ctx, conn, myMetadata)
+	w.packetHandler(ctx, conn, myMetadata, onClose)
 }
 
-func (w *myUpstreamHandlerWrapper) NewError(ctx context.Context, err error) {
+var _ UpstreamHandlerAdapterEx = (*myUpstreamContextHandlerWrapperEx)(nil)
-	w.errorHandler.NewError(ctx, err)
+
+type myUpstreamContextHandlerWrapperEx struct {
+	connectionHandler ConnectionHandlerFuncEx
+	packetHandler     PacketConnectionHandlerFuncEx
 }
 
-func UpstreamMetadata(metadata InboundContext) M.Metadata {
+func NewUpstreamContextHandlerEx(
-	return M.Metadata{
+	connectionHandler ConnectionHandlerFuncEx,
-		Source:      metadata.Source,
+	packetHandler PacketConnectionHandlerFuncEx,
-		Destination: metadata.Destination,
+) UpstreamHandlerAdapterEx {
-	}
+	return &myUpstreamContextHandlerWrapperEx{
-}
-
-type myUpstreamContextHandlerWrapper struct {
-	connectionHandler ConnectionHandlerFunc
-	packetHandler     PacketConnectionHandlerFunc
-	errorHandler      E.Handler
-}
-
-func NewUpstreamContextHandler(
-	connectionHandler ConnectionHandlerFunc,
-	packetHandler PacketConnectionHandlerFunc,
-	errorHandler E.Handler,
-) UpstreamHandlerAdapter {
-	return &myUpstreamContextHandlerWrapper{
 		connectionHandler: connectionHandler,
 		packetHandler:     packetHandler,
-		errorHandler:      errorHandler,
 	}
 }
 
-func (w *myUpstreamContextHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+func (w *myUpstreamContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
 	myMetadata := ContextFrom(ctx)
-	if metadata.Source.IsValid() {
+	if source.IsValid() {
-		myMetadata.Source = metadata.Source
+		myMetadata.Source = source
 	}
-	if metadata.Destination.IsValid() {
+	if destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
+		myMetadata.Destination = destination
 	}
-	return w.connectionHandler(ctx, conn, *myMetadata)
+	w.connectionHandler(ctx, conn, *myMetadata, onClose)
 }
 
-func (w *myUpstreamContextHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
+func (w *myUpstreamContextHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
 	myMetadata := ContextFrom(ctx)
-	if metadata.Source.IsValid() {
+	if source.IsValid() {
-		myMetadata.Source = metadata.Source
+		myMetadata.Source = source
 	}
-	if metadata.Destination.IsValid() {
+	if destination.IsValid() {
-		myMetadata.Destination = metadata.Destination
+		myMetadata.Destination = destination
 	}
-	return w.packetHandler(ctx, conn, *myMetadata)
+	w.packetHandler(ctx, conn, *myMetadata, onClose)
 }
 
-func (w *myUpstreamContextHandlerWrapper) NewError(ctx context.Context, err error) {
+func NewRouteHandlerEx(
-	w.errorHandler.NewError(ctx, err)
+	metadata InboundContext,
+	router ConnectionRouterEx,
+) UpstreamHandlerAdapterEx {
+	return &routeHandlerWrapperEx{
+		metadata: metadata,
+		router:   router,
+	}
+}
+
+var _ UpstreamHandlerAdapterEx = (*routeHandlerWrapperEx)(nil)
+
+type routeHandlerWrapperEx struct {
+	metadata InboundContext
+	router   ConnectionRouterEx
+}
+
+func (r *routeHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
+	if source.IsValid() {
+		r.metadata.Source = source
+	}
+	if destination.IsValid() {
+		r.metadata.Destination = destination
+	}
+	r.router.RouteConnectionEx(ctx, conn, r.metadata, onClose)
+}
+
+func (r *routeHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
+	if source.IsValid() {
+		r.metadata.Source = source
+	}
+	if destination.IsValid() {
+		r.metadata.Destination = destination
+	}
+	r.router.RoutePacketConnectionEx(ctx, conn, r.metadata, onClose)
+}
+
+func NewRouteContextHandlerEx(
+	router ConnectionRouterEx,
+) UpstreamHandlerAdapterEx {
+	return &routeContextHandlerWrapperEx{
+		router: router,
+	}
+}
+
+var _ UpstreamHandlerAdapterEx = (*routeContextHandlerWrapperEx)(nil)
+
+type routeContextHandlerWrapperEx struct {
+	router ConnectionRouterEx
+}
+
+func (r *routeContextHandlerWrapperEx) NewConnectionEx(ctx context.Context, conn net.Conn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
+	metadata := ContextFrom(ctx)
+	if source.IsValid() {
+		metadata.Source = source
+	}
+	if destination.IsValid() {
+		metadata.Destination = destination
+	}
+	r.router.RouteConnectionEx(ctx, conn, *metadata, onClose)
+}
+
+func (r *routeContextHandlerWrapperEx) NewPacketConnectionEx(ctx context.Context, conn N.PacketConn, source M.Socksaddr, destination M.Socksaddr, onClose N.CloseHandlerFunc) {
+	metadata := ContextFrom(ctx)
+	if source.IsValid() {
+		metadata.Source = source
+	}
+	if destination.IsValid() {
+		metadata.Destination = destination
+	}
+	r.router.RoutePacketConnectionEx(ctx, conn, *metadata, onClose)
 }

adapter/upstream_legacy.go

@@ -0,0 +1,216 @@
+package adapter
+
+import (
+	"context"
+	"net"
+
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type (
+	// Deprecated
+	ConnectionHandlerFunc = func(ctx context.Context, conn net.Conn, metadata InboundContext) error
+	// Deprecated
+	PacketConnectionHandlerFunc = func(ctx context.Context, conn N.PacketConn, metadata InboundContext) error
+)
+
+// Deprecated
+func NewUpstreamHandler(
+	metadata InboundContext,
+	connectionHandler ConnectionHandlerFunc,
+	packetHandler PacketConnectionHandlerFunc,
+	errorHandler E.Handler,
+) UpstreamHandlerAdapter {
+	return &myUpstreamHandlerWrapper{
+		metadata:          metadata,
+		connectionHandler: connectionHandler,
+		packetHandler:     packetHandler,
+		errorHandler:      errorHandler,
+	}
+}
+
+var _ UpstreamHandlerAdapter = (*myUpstreamHandlerWrapper)(nil)
+
+// Deprecated
+type myUpstreamHandlerWrapper struct {
+	metadata          InboundContext
+	connectionHandler ConnectionHandlerFunc
+	packetHandler     PacketConnectionHandlerFunc
+	errorHandler      E.Handler
+}
+
+func (w *myUpstreamHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	myMetadata := w.metadata
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.connectionHandler(ctx, conn, myMetadata)
+}
+
+func (w *myUpstreamHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
+	myMetadata := w.metadata
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.packetHandler(ctx, conn, myMetadata)
+}
+
+func (w *myUpstreamHandlerWrapper) NewError(ctx context.Context, err error) {
+	w.errorHandler.NewError(ctx, err)
+}
+
+// Deprecated
+func UpstreamMetadata(metadata InboundContext) M.Metadata {
+	return M.Metadata{
+		Source:      metadata.Source,
+		Destination: metadata.Destination,
+	}
+}
+
+// Deprecated
+type myUpstreamContextHandlerWrapper struct {
+	connectionHandler ConnectionHandlerFunc
+	packetHandler     PacketConnectionHandlerFunc
+	errorHandler      E.Handler
+}
+
+// Deprecated
+func NewUpstreamContextHandler(
+	connectionHandler ConnectionHandlerFunc,
+	packetHandler PacketConnectionHandlerFunc,
+	errorHandler E.Handler,
+) UpstreamHandlerAdapter {
+	return &myUpstreamContextHandlerWrapper{
+		connectionHandler: connectionHandler,
+		packetHandler:     packetHandler,
+		errorHandler:      errorHandler,
+	}
+}
+
+func (w *myUpstreamContextHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	myMetadata := ContextFrom(ctx)
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.connectionHandler(ctx, conn, *myMetadata)
+}
+
+func (w *myUpstreamContextHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
+	myMetadata := ContextFrom(ctx)
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.packetHandler(ctx, conn, *myMetadata)
+}
+
+func (w *myUpstreamContextHandlerWrapper) NewError(ctx context.Context, err error) {
+	w.errorHandler.NewError(ctx, err)
+}
+
+// Deprecated: Use ConnectionRouterEx instead.
+func NewRouteHandler(
+	metadata InboundContext,
+	router ConnectionRouter,
+	logger logger.ContextLogger,
+) UpstreamHandlerAdapter {
+	return &routeHandlerWrapper{
+		metadata: metadata,
+		router:   router,
+		logger:   logger,
+	}
+}
+
+// Deprecated: Use ConnectionRouterEx instead.
+func NewRouteContextHandler(
+	router ConnectionRouter,
+	logger logger.ContextLogger,
+) UpstreamHandlerAdapter {
+	return &routeContextHandlerWrapper{
+		router: router,
+		logger: logger,
+	}
+}
+
+var _ UpstreamHandlerAdapter = (*routeHandlerWrapper)(nil)
+
+// Deprecated: Use ConnectionRouterEx instead.
+type routeHandlerWrapper struct {
+	metadata InboundContext
+	router   ConnectionRouter
+	logger   logger.ContextLogger
+}
+
+func (w *routeHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	myMetadata := w.metadata
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.router.RouteConnection(ctx, conn, myMetadata)
+}
+
+func (w *routeHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
+	myMetadata := w.metadata
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.router.RoutePacketConnection(ctx, conn, myMetadata)
+}
+
+func (w *routeHandlerWrapper) NewError(ctx context.Context, err error) {
+	w.logger.ErrorContext(ctx, err)
+}
+
+var _ UpstreamHandlerAdapter = (*routeContextHandlerWrapper)(nil)
+
+// Deprecated: Use ConnectionRouterEx instead.
+type routeContextHandlerWrapper struct {
+	router ConnectionRouter
+	logger logger.ContextLogger
+}
+
+func (w *routeContextHandlerWrapper) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	myMetadata := ContextFrom(ctx)
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.router.RouteConnection(ctx, conn, *myMetadata)
+}
+
+func (w *routeContextHandlerWrapper) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
+	myMetadata := ContextFrom(ctx)
+	if metadata.Source.IsValid() {
+		myMetadata.Source = metadata.Source
+	}
+	if metadata.Destination.IsValid() {
+		myMetadata.Destination = metadata.Destination
+	}
+	return w.router.RoutePacketConnection(ctx, conn, *myMetadata)
+}
+
+func (w *routeContextHandlerWrapper) NewError(ctx context.Context, err error) {
+	w.logger.ErrorContext(ctx, err)
+}

adapter/v2ray.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"net"
 
-	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
 )
 
@@ -16,8 +15,7 @@ type V2RayServerTransport interface {
 }
 
 type V2RayServerTransportHandler interface {
-	N.TCPConnectionHandler
+	N.TCPConnectionHandlerEx
-	E.Handler
 }
 
 type V2RayClientTransport interface {

box.go

@@ -9,19 +9,22 @@ import (
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/adapter/inbound"
+	"github.com/sagernet/sing-box/adapter/outbound"
+	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/common/taskmonitor"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/experimental"
 	"github.com/sagernet/sing-box/experimental/cachefile"
 	"github.com/sagernet/sing-box/experimental/libbox/platform"
-	"github.com/sagernet/sing-box/inbound"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-box/outbound"
+	"github.com/sagernet/sing-box/protocol/direct"
 	"github.com/sagernet/sing-box/route"
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
+	"github.com/sagernet/sing/common/ntp"
 	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/pause"
 )
@@ -30,24 +33,40 @@ var _ adapter.Service = (*Box)(nil)
 
 type Box struct {
 	createdAt  time.Time
-	router       adapter.Router
-	inbounds     []adapter.Inbound
-	outbounds    []adapter.Outbound
 	logFactory log.Factory
 	logger     log.ContextLogger
-	preServices1 map[string]adapter.Service
+	network    *route.NetworkManager
-	preServices2 map[string]adapter.Service
+	router     *route.Router
-	postServices map[string]adapter.Service
+	inbound    *inbound.Manager
+	outbound   *outbound.Manager
+	services   []adapter.LifecycleService
 	done       chan struct{}
 }
 
 type Options struct {
 	option.Options
 	Context           context.Context
-	PlatformInterface platform.Interface
 	PlatformLogWriter log.PlatformWriter
 }
 
+func Context(
+	ctx context.Context,
+	inboundRegistry adapter.InboundRegistry,
+	outboundRegistry adapter.OutboundRegistry,
+) context.Context {
+	if service.FromContext[option.InboundOptionsRegistry](ctx) == nil ||
+		service.FromContext[adapter.InboundRegistry](ctx) == nil {
+		ctx = service.ContextWith[option.InboundOptionsRegistry](ctx, inboundRegistry)
+		ctx = service.ContextWith[adapter.InboundRegistry](ctx, inboundRegistry)
+	}
+	if service.FromContext[option.OutboundOptionsRegistry](ctx) == nil ||
+		service.FromContext[adapter.OutboundRegistry](ctx) == nil {
+		ctx = service.ContextWith[option.OutboundOptionsRegistry](ctx, outboundRegistry)
+		ctx = service.ContextWith[adapter.OutboundRegistry](ctx, outboundRegistry)
+	}
+	return ctx
+}
+
 func New(options Options) (*Box, error) {
 	createdAt := time.Now()
 	ctx := options.Context
@@ -55,6 +74,17 @@ func New(options Options) (*Box, error) {
 		ctx = context.Background()
 	}
 	ctx = service.ContextWithDefaultRegistry(ctx)
+
+	inboundRegistry := service.FromContext[adapter.InboundRegistry](ctx)
+	if inboundRegistry == nil {
+		return nil, E.New("missing inbound registry in context")
+	}
+
+	outboundRegistry := service.FromContext[adapter.OutboundRegistry](ctx)
+	if outboundRegistry == nil {
+		return nil, E.New("missing outbound registry in context")
+	}
+
 	ctx = pause.WithDefaultManager(ctx)
 	experimentalOptions := common.PtrValueOrDefault(options.Experimental)
 	applyDebugOptions(common.PtrValueOrDefault(experimentalOptions.Debug))
@@ -70,8 +100,9 @@ func New(options Options) (*Box, error) {
 	if experimentalOptions.V2RayAPI != nil && experimentalOptions.V2RayAPI.Listen != "" {
 		needV2RayAPI = true
 	}
+	platformInterface := service.FromContext[platform.Interface](ctx)
 	var defaultLogWriter io.Writer
-	if options.PlatformInterface != nil {
+	if platformInterface != nil {
 		defaultLogWriter = io.Discard
 	}
 	logFactory, err := log.New(log.Options{
@@ -85,114 +116,155 @@ func New(options Options) (*Box, error) {
 	if err != nil {
 		return nil, E.Cause(err, "create log factory")
 	}
-	router, err := route.NewRouter(
+
-		ctx,
+	routeOptions := common.PtrValueOrDefault(options.Route)
-		logFactory,
+	inboundManager := inbound.NewManager(logFactory.NewLogger("inbound"), inboundRegistry)
-		common.PtrValueOrDefault(options.Route),
+	outboundManager := outbound.NewManager(logFactory.NewLogger("outbound"), outboundRegistry, routeOptions.Final)
-		common.PtrValueOrDefault(options.DNS),
+	service.MustRegister[adapter.InboundManager](ctx, inboundManager)
-		common.PtrValueOrDefault(options.NTP),
+	service.MustRegister[adapter.OutboundManager](ctx, outboundManager)
-		options.Inbounds,
+
-		options.PlatformInterface,
+	networkManager, err := route.NewNetworkManager(ctx, logFactory.NewLogger("network"), routeOptions)
-	)
 	if err != nil {
-		return nil, E.Cause(err, "parse route options")
+		return nil, E.Cause(err, "initialize network manager")
+	}
+	service.MustRegister[adapter.NetworkManager](ctx, networkManager)
+	router, err := route.NewRouter(ctx, logFactory, routeOptions, common.PtrValueOrDefault(options.DNS))
+	if err != nil {
+		return nil, E.Cause(err, "initialize router")
+	}
+	//nolint:staticcheck
+	if len(options.LegacyInbounds) > 0 {
+		for _, legacyInbound := range options.LegacyInbounds {
+			options.Inbounds = append(options.Inbounds, option.Inbound{
+				Type:    legacyInbound.Type,
+				Tag:     legacyInbound.Tag,
+				Options: common.Must1(legacyInbound.RawOptions()),
+			})
+		}
+	}
+	//nolint:staticcheck
+	if len(options.LegacyOutbounds) > 0 {
+		for _, legacyOutbound := range options.LegacyOutbounds {
+			options.Outbounds = append(options.Outbounds, option.Outbound{
+				Type:    legacyOutbound.Type,
+				Tag:     legacyOutbound.Tag,
+				Options: common.Must1(legacyOutbound.RawOptions()),
+			})
+		}
 	}
-	inbounds := make([]adapter.Inbound, 0, len(options.Inbounds))
-	outbounds := make([]adapter.Outbound, 0, len(options.Outbounds))
 	for i, inboundOptions := range options.Inbounds {
-		var in adapter.Inbound
 		var tag string
 		if inboundOptions.Tag != "" {
 			tag = inboundOptions.Tag
 		} else {
 			tag = F.ToString(i)
 		}
-		in, err = inbound.New(
+		err = inboundManager.Create(ctx,
-			ctx,
 			router,
 			logFactory.NewLogger(F.ToString("inbound/", inboundOptions.Type, "[", tag, "]")),
 			tag,
-			inboundOptions,
+			inboundOptions.Type,
-			options.PlatformInterface,
+			inboundOptions.Options,
 		)
 		if err != nil {
-			return nil, E.Cause(err, "parse inbound[", i, "]")
+			return nil, E.Cause(err, "initialize inbound[", i, "]")
 		}
-		inbounds = append(inbounds, in)
 	}
 	for i, outboundOptions := range options.Outbounds {
-		var out adapter.Outbound
 		var tag string
 		if outboundOptions.Tag != "" {
 			tag = outboundOptions.Tag
 		} else {
 			tag = F.ToString(i)
 		}
-		out, err = outbound.New(
+		outboundCtx := ctx
-			ctx,
+		if tag != "" {
+			// TODO: remove this
+			outboundCtx = adapter.WithContext(outboundCtx, &adapter.InboundContext{
+				Outbound: tag,
+			})
+		}
+		err = outboundManager.Create(
+			outboundCtx,
 			router,
 			logFactory.NewLogger(F.ToString("outbound/", outboundOptions.Type, "[", tag, "]")),
 			tag,
-			outboundOptions)
+			outboundOptions.Type,
+			outboundOptions.Options,
+		)
 		if err != nil {
-			return nil, E.Cause(err, "parse outbound[", i, "]")
+			return nil, E.Cause(err, "initialize outbound[", i, "]")
 		}
-		outbounds = append(outbounds, out)
 	}
-	err = router.Initialize(inbounds, outbounds, func() adapter.Outbound {
+	outboundManager.Initialize(common.Must1(
-		out, oErr := outbound.New(ctx, router, logFactory.NewLogger("outbound/direct"), "direct", option.Outbound{Type: "direct", Tag: "default"})
+		direct.NewOutbound(
-		common.Must(oErr)
+			ctx,
-		outbounds = append(outbounds, out)
+			router,
-		return out
+			logFactory.NewLogger("outbound/direct"),
-	})
+			"direct",
-	if err != nil {
+			option.DirectOutboundOptions{},
-		return nil, err
+		),
-	}
+	))
-	if options.PlatformInterface != nil {
+	if platformInterface != nil {
-		err = options.PlatformInterface.Initialize(ctx, router)
+		err = platformInterface.Initialize(networkManager)
 		if err != nil {
 			return nil, E.Cause(err, "initialize platform interface")
 		}
 	}
-	preServices1 := make(map[string]adapter.Service)
+	var services []adapter.LifecycleService
-	preServices2 := make(map[string]adapter.Service)
-	postServices := make(map[string]adapter.Service)
 	if needCacheFile {
-		cacheFile := service.FromContext[adapter.CacheFile](ctx)
+		cacheFile := cachefile.New(ctx, common.PtrValueOrDefault(experimentalOptions.CacheFile))
-		if cacheFile == nil {
-			cacheFile = cachefile.New(ctx, common.PtrValueOrDefault(experimentalOptions.CacheFile))
 		service.MustRegister[adapter.CacheFile](ctx, cacheFile)
-		}
+		services = append(services, cacheFile)
-		preServices1["cache file"] = cacheFile
 	}
 	if needClashAPI {
 		clashAPIOptions := common.PtrValueOrDefault(experimentalOptions.ClashAPI)
 		clashAPIOptions.ModeList = experimental.CalculateClashModeList(options.Options)
-		clashServer, err := experimental.NewClashServer(ctx, router, logFactory.(log.ObservableFactory), clashAPIOptions)
+		clashServer, err := experimental.NewClashServer(ctx, logFactory.(log.ObservableFactory), clashAPIOptions)
 		if err != nil {
-			return nil, E.Cause(err, "create clash api server")
+			return nil, E.Cause(err, "create clash-server")
 		}
-		router.SetClashServer(clashServer)
+		router.SetTracker(clashServer)
-		preServices2["clash api"] = clashServer
+		service.MustRegister[adapter.ClashServer](ctx, clashServer)
+		services = append(services, clashServer)
 	}
 	if needV2RayAPI {
 		v2rayServer, err := experimental.NewV2RayServer(logFactory.NewLogger("v2ray-api"), common.PtrValueOrDefault(experimentalOptions.V2RayAPI))
 		if err != nil {
-			return nil, E.Cause(err, "create v2ray api server")
+			return nil, E.Cause(err, "create v2ray-server")
 		}
-		router.SetV2RayServer(v2rayServer)
+		if v2rayServer.StatsService() != nil {
-		preServices2["v2ray api"] = v2rayServer
+			router.SetTracker(v2rayServer.StatsService())
+			services = append(services, v2rayServer)
+			service.MustRegister[adapter.V2RayServer](ctx, v2rayServer)
+		}
+	}
+	ntpOptions := common.PtrValueOrDefault(options.NTP)
+	if ntpOptions.Enabled {
+		ntpDialer, err := dialer.New(ctx, ntpOptions.DialerOptions)
+		if err != nil {
+			return nil, E.Cause(err, "create NTP service")
+		}
+		timeService := ntp.NewService(ntp.Options{
+			Context:       ctx,
+			Dialer:        ntpDialer,
+			Logger:        logFactory.NewLogger("ntp"),
+			Server:        ntpOptions.ServerOptions.Build(),
+			Interval:      time.Duration(ntpOptions.Interval),
+			WriteToSystem: ntpOptions.WriteToSystem,
+		})
+		service.MustRegister[ntp.TimeService](ctx, timeService)
+		services = append(services, adapter.NewLifecycleService(timeService, "ntp service"))
 	}
 	return &Box{
+		network:    networkManager,
 		router:     router,
-		inbounds:     inbounds,
+		inbound:    inboundManager,
-		outbounds:    outbounds,
+		outbound:   outboundManager,
 		createdAt:  createdAt,
 		logFactory: logFactory,
 		logger:     logFactory.Logger(),
-		preServices1: preServices1,
+		services:   services,
-		preServices2: preServices2,
-		postServices: postServices,
 		done:       make(chan struct{}),
 	}, nil
 }
@@ -243,35 +315,29 @@ func (s *Box) preStart() error {
 	if err != nil {
 		return E.Cause(err, "start logger")
 	}
-	for serviceName, service := range s.preServices1 {
+	for _, lifecycleService := range s.services {
-		if preService, isPreService := service.(adapter.PreStarter); isPreService {
+		err = lifecycleService.Start(adapter.StartStateInitialize) // cache-file
-			monitor.Start("pre-start ", serviceName)
-			err := preService.PreStart()
-			monitor.Finish()
 		if err != nil {
-				return E.Cause(err, "pre-start ", serviceName)
+			return E.Cause(err, "initialize ", lifecycleService.Name())
 		}
 	}
-	}
+	for _, lifecycle := range []adapter.Lifecycle{
-	for serviceName, service := range s.preServices2 {
+		s.network, s.router, s.outbound, s.inbound,
-		if preService, isPreService := service.(adapter.PreStarter); isPreService {
+	} {
-			monitor.Start("pre-start ", serviceName)
+		err = lifecycle.Start(adapter.StartStateInitialize)
-			err := preService.PreStart()
-			monitor.Finish()
-			if err != nil {
-				return E.Cause(err, "pre-start ", serviceName)
-			}
-		}
-	}
-	err = s.router.PreStart()
-	if err != nil {
-		return E.Cause(err, "pre-start router")
-	}
-	err = s.startOutbounds()
 		if err != nil {
 			return err
 		}
-	return s.router.Start()
+	}
+	for _, lifecycle := range []adapter.Lifecycle{
+		s.outbound, s.network, s.router,
+	} {
+		err = lifecycle.Start(adapter.StartStateStart)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
 }
 
 func (s *Box) start() error {
@@ -279,63 +345,30 @@ func (s *Box) start() error {
 	if err != nil {
 		return err
 	}
-	for serviceName, service := range s.preServices1 {
+	for _, lifecycleService := range s.services {
-		err = service.Start()
+		err = lifecycleService.Start(adapter.StartStateStart)
 		if err != nil {
-			return E.Cause(err, "start ", serviceName)
+			return E.Cause(err, "initialize ", lifecycleService.Name())
 		}
 	}
-	for serviceName, service := range s.preServices2 {
+	err = s.inbound.Start(adapter.StartStateStart)
-		err = service.Start()
-		if err != nil {
-			return E.Cause(err, "start ", serviceName)
-		}
-	}
-	for i, in := range s.inbounds {
-		var tag string
-		if in.Tag() == "" {
-			tag = F.ToString(i)
-		} else {
-			tag = in.Tag()
-		}
-		err = in.Start()
-		if err != nil {
-			return E.Cause(err, "initialize inbound/", in.Type(), "[", tag, "]")
-		}
-	}
-	err = s.postStart()
 	if err != nil {
 		return err
 	}
-	return s.router.Cleanup()
+	for _, lifecycleService := range []adapter.Lifecycle{
-}
+		s.outbound, s.network, s.router, s.inbound,
-
+	} {
-func (s *Box) postStart() error {
+		err = lifecycleService.Start(adapter.StartStatePostStart)
-	for serviceName, service := range s.postServices {
-		err := service.Start()
-		if err != nil {
-			return E.Cause(err, "start ", serviceName)
-		}
-	}
-	// TODO: reorganize ALL start order
-	for _, out := range s.outbounds {
-		if lateOutbound, isLateOutbound := out.(adapter.PostStarter); isLateOutbound {
-			err := lateOutbound.PostStart()
-			if err != nil {
-				return E.Cause(err, "post-start outbound/", out.Tag())
-			}
-		}
-	}
-	err := s.router.PostStart()
 		if err != nil {
 			return err
 		}
-	for _, in := range s.inbounds {
-		if lateInbound, isLateInbound := in.(adapter.PostStarter); isLateInbound {
-			err = lateInbound.PostStart()
-			if err != nil {
-				return E.Cause(err, "post-start inbound/", in.Tag())
 	}
+	for _, lifecycleService := range []adapter.Lifecycle{
+		s.network, s.router, s.outbound, s.inbound,
+	} {
+		err = lifecycleService.Start(adapter.StartStateStarted)
+		if err != nil {
+			return err
 		}
 	}
 	return nil
@@ -348,58 +381,32 @@ func (s *Box) Close() error {
 	default:
 		close(s.done)
 	}
-	monitor := taskmonitor.New(s.logger, C.StopTimeout)
+	err := common.Close(
-	var errors error
+		s.inbound, s.outbound, s.router, s.network,
-	for serviceName, service := range s.postServices {
+	)
-		monitor.Start("close ", serviceName)
+	for _, lifecycleService := range s.services {
-		errors = E.Append(errors, service.Close(), func(err error) error {
+		err = E.Append(err, lifecycleService.Close(), func(err error) error {
-			return E.Cause(err, "close ", serviceName)
+			return E.Cause(err, "close ", lifecycleService.Name())
-		})
-		monitor.Finish()
-	}
-	for i, in := range s.inbounds {
-		monitor.Start("close inbound/", in.Type(), "[", i, "]")
-		errors = E.Append(errors, in.Close(), func(err error) error {
-			return E.Cause(err, "close inbound/", in.Type(), "[", i, "]")
-		})
-		monitor.Finish()
-	}
-	for i, out := range s.outbounds {
-		monitor.Start("close outbound/", out.Type(), "[", i, "]")
-		errors = E.Append(errors, common.Close(out), func(err error) error {
-			return E.Cause(err, "close outbound/", out.Type(), "[", i, "]")
-		})
-		monitor.Finish()
-	}
-	monitor.Start("close router")
-	if err := common.Close(s.router); err != nil {
-		errors = E.Append(errors, err, func(err error) error {
-			return E.Cause(err, "close router")
 		})
 	}
-	monitor.Finish()
+	err = E.Append(err, s.logFactory.Close(), func(err error) error {
-	for serviceName, service := range s.preServices1 {
-		monitor.Start("close ", serviceName)
-		errors = E.Append(errors, service.Close(), func(err error) error {
-			return E.Cause(err, "close ", serviceName)
-		})
-		monitor.Finish()
-	}
-	for serviceName, service := range s.preServices2 {
-		monitor.Start("close ", serviceName)
-		errors = E.Append(errors, service.Close(), func(err error) error {
-			return E.Cause(err, "close ", serviceName)
-		})
-		monitor.Finish()
-	}
-	if err := common.Close(s.logFactory); err != nil {
-		errors = E.Append(errors, err, func(err error) error {
 		return E.Cause(err, "close logger")
 	})
+	return err
 }
-	return errors
+
+func (s *Box) Network() adapter.NetworkManager {
+	return s.network
 }
 
 func (s *Box) Router() adapter.Router {
 	return s.router
 }
+
+func (s *Box) Inbound() adapter.InboundManager {
+	return s.inbound
+}
+
+func (s *Box) Outbound() adapter.OutboundManager {
+	return s.outbound
+}

box_outbound.go

@@ -1,85 +0,0 @@
-package box
-
-import (
-	"strings"
-
-	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/common/taskmonitor"
-	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
-	F "github.com/sagernet/sing/common/format"
-)
-
-func (s *Box) startOutbounds() error {
-	monitor := taskmonitor.New(s.logger, C.StartTimeout)
-	outboundTags := make(map[adapter.Outbound]string)
-	outbounds := make(map[string]adapter.Outbound)
-	for i, outboundToStart := range s.outbounds {
-		var outboundTag string
-		if outboundToStart.Tag() == "" {
-			outboundTag = F.ToString(i)
-		} else {
-			outboundTag = outboundToStart.Tag()
-		}
-		if _, exists := outbounds[outboundTag]; exists {
-			return E.New("outbound tag ", outboundTag, " duplicated")
-		}
-		outboundTags[outboundToStart] = outboundTag
-		outbounds[outboundTag] = outboundToStart
-	}
-	started := make(map[string]bool)
-	for {
-		canContinue := false
-	startOne:
-		for _, outboundToStart := range s.outbounds {
-			outboundTag := outboundTags[outboundToStart]
-			if started[outboundTag] {
-				continue
-			}
-			dependencies := outboundToStart.Dependencies()
-			for _, dependency := range dependencies {
-				if !started[dependency] {
-					continue startOne
-				}
-			}
-			started[outboundTag] = true
-			canContinue = true
-			if starter, isStarter := outboundToStart.(interface {
-				Start() error
-			}); isStarter {
-				monitor.Start("initialize outbound/", outboundToStart.Type(), "[", outboundTag, "]")
-				err := starter.Start()
-				monitor.Finish()
-				if err != nil {
-					return E.Cause(err, "initialize outbound/", outboundToStart.Type(), "[", outboundTag, "]")
-				}
-			}
-		}
-		if len(started) == len(s.outbounds) {
-			break
-		}
-		if canContinue {
-			continue
-		}
-		currentOutbound := common.Find(s.outbounds, func(it adapter.Outbound) bool {
-			return !started[outboundTags[it]]
-		})
-		var lintOutbound func(oTree []string, oCurrent adapter.Outbound) error
-		lintOutbound = func(oTree []string, oCurrent adapter.Outbound) error {
-			problemOutboundTag := common.Find(oCurrent.Dependencies(), func(it string) bool {
-				return !started[it]
-			})
-			if common.Contains(oTree, problemOutboundTag) {
-				return E.New("circular outbound dependency: ", strings.Join(oTree, " -> "), " -> ", problemOutboundTag)
-			}
-			problemOutbound := outbounds[problemOutboundTag]
-			if problemOutbound == nil {
-				return E.New("dependency[", problemOutboundTag, "] not found for outbound[", outboundTags[oCurrent], "]")
-			}
-			return lintOutbound(append(oTree, problemOutboundTag), problemOutbound)
-		}
-		return lintOutbound([]string{outboundTags[currentOutbound]}, currentOutbound)
-	}
-	return nil
-}

cmd/sing-box/cmd.go

@@ -7,8 +7,9 @@ import (
 	"strconv"
 	"time"
 
+	"github.com/sagernet/sing-box"
 	"github.com/sagernet/sing-box/experimental/deprecated"
-	_ "github.com/sagernet/sing-box/include"
+	"github.com/sagernet/sing-box/include"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing/service"
 	"github.com/sagernet/sing/service/filemanager"
@@ -68,4 +69,5 @@ func preRun(cmd *cobra.Command, args []string) {
 		configPaths = append(configPaths, "config.json")
 	}
 	globalCtx = service.ContextWith(globalCtx, deprecated.NewStderrManager(log.StdLogger()))
+	globalCtx = box.Context(globalCtx, include.InboundRegistry(), include.OutboundRegistry())
 }

cmd/sing-box/cmd_format.go

@@ -38,7 +38,7 @@ func format() error {
 		return err
 	}
 	for _, optionsEntry := range optionsList {
-		optionsEntry.options, err = badjson.Omitempty(optionsEntry.options)
+		optionsEntry.options, err = badjson.Omitempty(globalCtx, optionsEntry.options)
 		if err != nil {
 			return err
 		}

cmd/sing-box/cmd_merge.go

@@ -68,29 +68,19 @@ func merge(outputPath string) error {
 }
 
 func mergePathResources(options *option.Options) error {
-	for index, inbound := range options.Inbounds {
+	for _, inbound := range options.Inbounds {
-		rawOptions, err := inbound.RawOptions()
+		if tlsOptions, containsTLSOptions := inbound.Options.(option.InboundTLSOptionsWrapper); containsTLSOptions {
-		if err != nil {
-			return err
-		}
-		if tlsOptions, containsTLSOptions := rawOptions.(option.InboundTLSOptionsWrapper); containsTLSOptions {
 			tlsOptions.ReplaceInboundTLSOptions(mergeTLSInboundOptions(tlsOptions.TakeInboundTLSOptions()))
 		}
-		options.Inbounds[index] = inbound
-	}
-	for index, outbound := range options.Outbounds {
-		rawOptions, err := outbound.RawOptions()
-		if err != nil {
-			return err
 	}
+	for _, outbound := range options.Outbounds {
 		switch outbound.Type {
 		case C.TypeSSH:
-			outbound.SSHOptions = mergeSSHOutboundOptions(outbound.SSHOptions)
+			mergeSSHOutboundOptions(outbound.Options.(*option.SSHOutboundOptions))
 		}
-		if tlsOptions, containsTLSOptions := rawOptions.(option.OutboundTLSOptionsWrapper); containsTLSOptions {
+		if tlsOptions, containsTLSOptions := outbound.Options.(option.OutboundTLSOptionsWrapper); containsTLSOptions {
 			tlsOptions.ReplaceOutboundTLSOptions(mergeTLSOutboundOptions(tlsOptions.TakeOutboundTLSOptions()))
 		}
-		options.Outbounds[index] = outbound
 	}
 	return nil
 }
@@ -138,13 +128,12 @@ func mergeTLSOutboundOptions(options *option.OutboundTLSOptions) *option.Outboun
 	return options
 }
 
-func mergeSSHOutboundOptions(options option.SSHOutboundOptions) option.SSHOutboundOptions {
+func mergeSSHOutboundOptions(options *option.SSHOutboundOptions) {
 	if options.PrivateKeyPath != "" {
 		if content, err := os.ReadFile(os.ExpandEnv(options.PrivateKeyPath)); err == nil {
 			options.PrivateKey = trimStringArray(strings.Split(string(content), "\n"))
 		}
 	}
-	return options
 }
 
 func trimStringArray(array []string) []string {

cmd/sing-box/cmd_rule_set_match.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"bytes"
+	"context"
 	"io"
 	"os"
 
@@ -10,7 +11,7 @@ import (
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
-	"github.com/sagernet/sing-box/route"
+	"github.com/sagernet/sing-box/route/rule"
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/json"
@@ -84,7 +85,7 @@ func ruleSetMatch(sourcePath string, domain string) error {
 	}
 	for i, ruleOptions := range plainRuleSet.Rules {
 		var currentRule adapter.HeadlessRule
-		currentRule, err = route.NewHeadlessRule(nil, ruleOptions)
+		currentRule, err = rule.NewHeadlessRule(context.Background(), ruleOptions)
 		if err != nil {
 			return E.Cause(err, "parse rule_set.rules.[", i, "]")
 		}

cmd/sing-box/cmd_run.go

@@ -57,7 +57,7 @@ func readConfigAt(path string) (*OptionsEntry, error) {
 	if err != nil {
 		return nil, E.Cause(err, "read config at ", path)
 	}
-	options, err := json.UnmarshalExtended[option.Options](configContent)
+	options, err := json.UnmarshalExtendedContext[option.Options](globalCtx, configContent)
 	if err != nil {
 		return nil, E.Cause(err, "decode config at ", path)
 	}
@@ -109,13 +109,13 @@ func readConfigAndMerge() (option.Options, error) {
 	}
 	var mergedMessage json.RawMessage
 	for _, options := range optionsList {
-		mergedMessage, err = badjson.MergeJSON(options.options.RawMessage, mergedMessage, false)
+		mergedMessage, err = badjson.MergeJSON(globalCtx, options.options.RawMessage, mergedMessage, false)
 		if err != nil {
 			return option.Options{}, E.Cause(err, "merge config at ", options.path)
 		}
 	}
 	var mergedOptions option.Options
-	err = mergedOptions.UnmarshalJSON(mergedMessage)
+	err = mergedOptions.UnmarshalJSONContext(globalCtx, mergedMessage)
 	if err != nil {
 		return option.Options{}, E.Cause(err, "unmarshal merged config")
 	}

cmd/sing-box/cmd_tools.go

@@ -1,6 +1,9 @@
 package main
 
 import (
+	"errors"
+	"os"
+
 	"github.com/sagernet/sing-box"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
@@ -23,8 +26,10 @@ func init() {
 func createPreStartedClient() (*box.Box, error) {
 	options, err := readConfigAndMerge()
 	if err != nil {
+		if !(errors.Is(err, os.ErrNotExist) && len(configDirectories) == 0 && len(configPaths) == 1) || configPaths[0] != "config.json" {
 			return nil, err
 		}
+	}
 	instance, err := box.New(box.Options{Options: options})
 	if err != nil {
 		return nil, E.Cause(err, "create service")
@@ -36,11 +41,11 @@ func createPreStartedClient() (*box.Box, error) {
 	return instance, nil
 }
 
-func createDialer(instance *box.Box, network string, outboundTag string) (N.Dialer, error) {
+func createDialer(instance *box.Box, outboundTag string) (N.Dialer, error) {
 	if outboundTag == "" {
-		return instance.Router().DefaultOutbound(N.NetworkName(network))
+		return instance.Outbound().Default(), nil
 	} else {
-		outbound, loaded := instance.Router().Outbound(outboundTag)
+		outbound, loaded := instance.Outbound().Outbound(outboundTag)
 		if !loaded {
 			return nil, E.New("outbound not found: ", outboundTag)
 		}

cmd/sing-box/cmd_tools_connect.go

@@ -45,7 +45,7 @@ func connect(address string) error {
 		return err
 	}
 	defer instance.Close()
-	dialer, err := createDialer(instance, commandConnectFlagNetwork, commandToolsFlagOutbound)
+	dialer, err := createDialer(instance, commandToolsFlagOutbound)
 	if err != nil {
 		return err
 	}

cmd/sing-box/cmd_tools_fetch.go

@@ -48,7 +48,7 @@ func fetch(args []string) error {
 	httpClient = &http.Client{
 		Transport: &http.Transport{
 			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-				dialer, err := createDialer(instance, network, commandToolsFlagOutbound)
+				dialer, err := createDialer(instance, commandToolsFlagOutbound)
 				if err != nil {
 					return nil, err
 				}

cmd/sing-box/cmd_tools_fetch_http3.go

@@ -16,7 +16,7 @@ import (
 )
 
 func initializeHTTP3Client(instance *box.Box) error {
-	dialer, err := createDialer(instance, N.NetworkUDP, commandToolsFlagOutbound)
+	dialer, err := createDialer(instance, commandToolsFlagOutbound)
 	if err != nil {
 		return err
 	}

cmd/sing-box/cmd_tools_synctime.go

@@ -9,7 +9,6 @@ import (
 	"github.com/sagernet/sing-box/log"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/ntp"
 
 	"github.com/spf13/cobra"
@@ -45,7 +44,7 @@ func syncTime() error {
 	if err != nil {
 		return err
 	}
-	dialer, err := createDialer(instance, N.NetworkUDP, commandToolsFlagOutbound)
+	dialer, err := createDialer(instance, commandToolsFlagOutbound)
 	if err != nil {
 		return err
 	}

cmd/sing-box/internal/convertor/adguard/convertor_test.go

@@ -5,7 +5,7 @@ import (
 	"testing"
 
 	"github.com/sagernet/sing-box/adapter"
-	"github.com/sagernet/sing-box/route"
+	"github.com/sagernet/sing-box/route/rule"
 
 	"github.com/stretchr/testify/require"
 )
@@ -26,7 +26,7 @@ example.arpa
 `))
 	require.NoError(t, err)
 	require.Len(t, rules, 1)
-	rule, err := route.NewHeadlessRule(nil, rules[0])
+	rule, err := rule.NewHeadlessRule(nil, rules[0])
 	require.NoError(t, err)
 	matchDomain := []string{
 		"example.org",
@@ -85,7 +85,7 @@ func TestHosts(t *testing.T) {
 `))
 	require.NoError(t, err)
 	require.Len(t, rules, 1)
-	rule, err := route.NewHeadlessRule(nil, rules[0])
+	rule, err := rule.NewHeadlessRule(nil, rules[0])
 	require.NoError(t, err)
 	matchDomain := []string{
 		"google.com",
@@ -115,7 +115,7 @@ www.example.org
 `))
 	require.NoError(t, err)
 	require.Len(t, rules, 1)
-	rule, err := route.NewHeadlessRule(nil, rules[0])
+	rule, err := rule.NewHeadlessRule(nil, rules[0])
 	require.NoError(t, err)
 	matchDomain := []string{
 		"example.com",

common/dialer/default.go

@@ -3,6 +3,7 @@ package dialer
 import (
 	"context"
 	"net"
+	"net/netip"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
@@ -28,31 +29,31 @@ type DefaultDialer struct {
 	isWireGuardListener bool
 }
 
-func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDialer, error) {
+func NewDefault(networkManager adapter.NetworkManager, options option.DialerOptions) (*DefaultDialer, error) {
 	var dialer net.Dialer
 	var listener net.ListenConfig
 	if options.BindInterface != "" {
 		var interfaceFinder control.InterfaceFinder
-		if router != nil {
+		if networkManager != nil {
-			interfaceFinder = router.InterfaceFinder()
+			interfaceFinder = networkManager.InterfaceFinder()
 		} else {
 			interfaceFinder = control.NewDefaultInterfaceFinder()
 		}
 		bindFunc := control.BindToInterface(interfaceFinder, options.BindInterface, -1)
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
-	} else if router != nil && router.AutoDetectInterface() {
+	} else if networkManager != nil && networkManager.AutoDetectInterface() {
-		bindFunc := router.AutoDetectInterfaceFunc()
+		bindFunc := networkManager.AutoDetectInterfaceFunc()
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
-	} else if router != nil && router.DefaultInterface() != "" {
+	} else if networkManager != nil && networkManager.DefaultInterface() != "" {
-		bindFunc := control.BindToInterface(router.InterfaceFinder(), router.DefaultInterface(), -1)
+		bindFunc := control.BindToInterface(networkManager.InterfaceFinder(), networkManager.DefaultInterface(), -1)
 		dialer.Control = control.Append(dialer.Control, bindFunc)
 		listener.Control = control.Append(listener.Control, bindFunc)
 	}
 	var autoRedirectOutputMark uint32
-	if router != nil {
+	if networkManager != nil {
-		autoRedirectOutputMark = router.AutoRedirectOutputMark()
+		autoRedirectOutputMark = networkManager.AutoRedirectOutputMark()
 	}
 	if autoRedirectOutputMark > 0 {
 		dialer.Control = control.Append(dialer.Control, control.RoutingMark(autoRedirectOutputMark))
@@ -64,9 +65,9 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		if autoRedirectOutputMark > 0 {
 			return nil, E.New("`auto_redirect` with `route_[_exclude]_address_set is conflict with `routing_mark`")
 		}
-	} else if router != nil && router.DefaultMark() > 0 {
+	} else if networkManager != nil && networkManager.DefaultMark() > 0 {
-		dialer.Control = control.Append(dialer.Control, control.RoutingMark(router.DefaultMark()))
+		dialer.Control = control.Append(dialer.Control, control.RoutingMark(networkManager.DefaultMark()))
-		listener.Control = control.Append(listener.Control, control.RoutingMark(router.DefaultMark()))
+		listener.Control = control.Append(listener.Control, control.RoutingMark(networkManager.DefaultMark()))
 		if autoRedirectOutputMark > 0 {
 			return nil, E.New("`auto_redirect` with `route_[_exclude]_address_set is conflict with `default_mark`")
 		}
@@ -102,7 +103,7 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		udpAddr4   string
 	)
 	if options.Inet4BindAddress != nil {
-		bindAddr := options.Inet4BindAddress.Build()
+		bindAddr := options.Inet4BindAddress.Build(netip.IPv4Unspecified())
 		dialer4.LocalAddr = &net.TCPAddr{IP: bindAddr.AsSlice()}
 		udpDialer4.LocalAddr = &net.UDPAddr{IP: bindAddr.AsSlice()}
 		udpAddr4 = M.SocksaddrFrom(bindAddr, 0).String()
@@ -113,7 +114,7 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		udpAddr6   string
 	)
 	if options.Inet6BindAddress != nil {
-		bindAddr := options.Inet6BindAddress.Build()
+		bindAddr := options.Inet6BindAddress.Build(netip.IPv6Unspecified())
 		dialer6.LocalAddr = &net.TCPAddr{IP: bindAddr.AsSlice()}
 		udpDialer6.LocalAddr = &net.UDPAddr{IP: bindAddr.AsSlice()}
 		udpAddr6 = M.SocksaddrFrom(bindAddr, 0).String()
@@ -125,7 +126,7 @@ func NewDefault(router adapter.Router, options option.DialerOptions) (*DefaultDi
 		setMultiPathTCP(&dialer4)
 	}
 	if options.IsWireGuardListener {
-		for _, controlFn := range wgControlFns {
+		for _, controlFn := range WgControlFns {
 			listener.Control = control.Append(listener.Control, controlFn)
 		}
 	}

common/dialer/detour.go

@@ -12,15 +12,15 @@ import (
 )
 
 type DetourDialer struct {
-	router   adapter.Router
+	outboundManager adapter.OutboundManager
 	detour          string
 	dialer          N.Dialer
 	initOnce        sync.Once
 	initErr         error
 }
 
-func NewDetour(router adapter.Router, detour string) N.Dialer {
+func NewDetour(outboundManager adapter.OutboundManager, detour string) N.Dialer {
-	return &DetourDialer{router: router, detour: detour}
+	return &DetourDialer{outboundManager: outboundManager, detour: detour}
 }
 
 func (d *DetourDialer) Start() error {
@@ -31,7 +31,7 @@ func (d *DetourDialer) Start() error {
 func (d *DetourDialer) Dialer() (N.Dialer, error) {
 	d.initOnce.Do(func() {
 		var loaded bool
-		d.dialer, loaded = d.router.Outbound(d.detour)
+		d.dialer, loaded = d.outboundManager.Outbound(d.detour)
 		if !loaded {
 			d.initErr = E.New("outbound detour not found: ", d.detour)
 		}

common/dialer/dialer.go

@@ -1,34 +1,44 @@
 package dialer
 
 import (
+	"context"
 	"time"
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	"github.com/sagernet/sing-dns"
+	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/service"
 )
 
-func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error) {
+func New(ctx context.Context, options option.DialerOptions) (N.Dialer, error) {
+	networkManager := service.FromContext[adapter.NetworkManager](ctx)
 	if options.IsWireGuardListener {
-		return NewDefault(router, options)
+		return NewDefault(networkManager, options)
-	}
-	if router == nil {
-		return NewDefault(nil, options)
 	}
 	var (
 		dialer N.Dialer
 		err    error
 	)
 	if options.Detour == "" {
-		dialer, err = NewDefault(router, options)
+		dialer, err = NewDefault(networkManager, options)
 		if err != nil {
 			return nil, err
 		}
 	} else {
-		dialer = NewDetour(router, options.Detour)
+		outboundManager := service.FromContext[adapter.OutboundManager](ctx)
+		if outboundManager == nil {
+			return nil, E.New("missing outbound manager")
+		}
+		dialer = NewDetour(outboundManager, options.Detour)
+	}
+	if networkManager == nil {
+		return NewDefault(networkManager, options)
 	}
 	if options.Detour == "" {
+		router := service.FromContext[adapter.Router](ctx)
+		if router != nil {
 			dialer = NewResolveDialer(
 				router,
 				dialer,
@@ -36,5 +46,6 @@ func New(router adapter.Router, options option.DialerOptions) (N.Dialer, error)
 				dns.DomainStrategy(options.DomainStrategy),
 				time.Duration(options.FallbackDelay))
 		}
+	}
 	return dialer, nil
 }

common/dialer/router.go

@@ -9,30 +9,22 @@ import (
 	N "github.com/sagernet/sing/common/network"
 )
 
-type RouterDialer struct {
+type DefaultOutboundDialer struct {
-	router adapter.Router
+	outboundManager adapter.OutboundManager
 }
 
-func NewRouter(router adapter.Router) N.Dialer {
+func NewDefaultOutbound(outboundManager adapter.OutboundManager) N.Dialer {
-	return &RouterDialer{router: router}
+	return &DefaultOutboundDialer{outboundManager: outboundManager}
 }
 
-func (d *RouterDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+func (d *DefaultOutboundDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
-	dialer, err := d.router.DefaultOutbound(network)
+	return d.outboundManager.Default().DialContext(ctx, network, destination)
-	if err != nil {
-		return nil, err
-	}
-	return dialer.DialContext(ctx, network, destination)
 }
 
-func (d *RouterDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+func (d *DefaultOutboundDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
-	dialer, err := d.router.DefaultOutbound(N.NetworkUDP)
+	return d.outboundManager.Default().ListenPacket(ctx, destination)
-	if err != nil {
-		return nil, err
-	}
-	return dialer.ListenPacket(ctx, destination)
 }
 
-func (d *RouterDialer) Upstream() any {
+func (d *DefaultOutboundDialer) Upstream() any {
-	return d.router
+	return d.outboundManager.Default()
 }

common/dialer/wireguard.go

@@ -2,8 +2,12 @@ package dialer
 
 import (
 	"net"
+
+	"github.com/sagernet/sing/common/control"
 )
 
 type WireGuardListener interface {
 	ListenPacketCompat(network, address string) (net.PacketConn, error)
 }
+
+var WgControlFns []control.Func

common/dialer/wireguard_control.go

@@ -1,11 +0,0 @@
-//go:build with_wireguard
-
-package dialer
-
-import (
-	"github.com/sagernet/wireguard-go/conn"
-)
-
-var _ WireGuardListener = (conn.Listener)(nil)
-
-var wgControlFns = conn.ControlFns

common/dialer/wiregurad_stub.go

@@ -1,9 +0,0 @@
-//go:build !with_wireguard
-
-package dialer
-
-import (
-	"github.com/sagernet/sing/common/control"
-)
-
-var wgControlFns []control.Func

common/listener/listener.go

@@ -0,0 +1,137 @@
+package listener
+
+import (
+	"context"
+	"net"
+	"net/netip"
+	"sync/atomic"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/settings"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type Listener struct {
+	ctx                      context.Context
+	logger                   logger.ContextLogger
+	network                  []string
+	listenOptions            option.ListenOptions
+	connHandler              adapter.ConnectionHandlerEx
+	packetHandler            adapter.PacketHandlerEx
+	oobPacketHandler         adapter.OOBPacketHandlerEx
+	threadUnsafePacketWriter bool
+	disablePacketOutput      bool
+	setSystemProxy           bool
+	systemProxySOCKS         bool
+
+	tcpListener          net.Listener
+	systemProxy          settings.SystemProxy
+	udpConn              *net.UDPConn
+	udpAddr              M.Socksaddr
+	packetOutbound       chan *N.PacketBuffer
+	packetOutboundClosed chan struct{}
+	shutdown             atomic.Bool
+}
+
+type Options struct {
+	Context                  context.Context
+	Logger                   logger.ContextLogger
+	Network                  []string
+	Listen                   option.ListenOptions
+	ConnectionHandler        adapter.ConnectionHandlerEx
+	PacketHandler            adapter.PacketHandlerEx
+	OOBPacketHandler         adapter.OOBPacketHandlerEx
+	ThreadUnsafePacketWriter bool
+	DisablePacketOutput      bool
+	SetSystemProxy           bool
+	SystemProxySOCKS         bool
+}
+
+func New(
+	options Options,
+) *Listener {
+	return &Listener{
+		ctx:                      options.Context,
+		logger:                   options.Logger,
+		network:                  options.Network,
+		listenOptions:            options.Listen,
+		connHandler:              options.ConnectionHandler,
+		packetHandler:            options.PacketHandler,
+		oobPacketHandler:         options.OOBPacketHandler,
+		threadUnsafePacketWriter: options.ThreadUnsafePacketWriter,
+		disablePacketOutput:      options.DisablePacketOutput,
+		setSystemProxy:           options.SetSystemProxy,
+		systemProxySOCKS:         options.SystemProxySOCKS,
+	}
+}
+
+func (l *Listener) Start() error {
+	if common.Contains(l.network, N.NetworkTCP) {
+		_, err := l.ListenTCP()
+		if err != nil {
+			return err
+		}
+		go l.loopTCPIn()
+	}
+	if common.Contains(l.network, N.NetworkUDP) {
+		_, err := l.ListenUDP()
+		if err != nil {
+			return err
+		}
+		l.packetOutboundClosed = make(chan struct{})
+		l.packetOutbound = make(chan *N.PacketBuffer, 64)
+		go l.loopUDPIn()
+		if !l.disablePacketOutput {
+			go l.loopUDPOut()
+		}
+	}
+	if l.setSystemProxy {
+		listenPort := M.SocksaddrFromNet(l.tcpListener.Addr()).Port
+		var listenAddrString string
+		listenAddr := l.listenOptions.Listen.Build(netip.IPv4Unspecified())
+		if listenAddr.IsUnspecified() {
+			listenAddrString = "127.0.0.1"
+		} else {
+			listenAddrString = listenAddr.String()
+		}
+		systemProxy, err := settings.NewSystemProxy(l.ctx, M.ParseSocksaddrHostPort(listenAddrString, listenPort), l.systemProxySOCKS)
+		if err != nil {
+			return E.Cause(err, "initialize system proxy")
+		}
+		err = systemProxy.Enable()
+		if err != nil {
+			return E.Cause(err, "set system proxy")
+		}
+		l.systemProxy = systemProxy
+	}
+	return nil
+}
+
+func (l *Listener) Close() error {
+	l.shutdown.Store(true)
+	var err error
+	if l.systemProxy != nil && l.systemProxy.IsEnabled() {
+		err = l.systemProxy.Disable()
+	}
+	return E.Errors(err, common.Close(
+		l.tcpListener,
+		common.PtrOrNil(l.udpConn),
+	))
+}
+
+func (l *Listener) TCPListener() net.Listener {
+	return l.tcpListener
+}
+
+func (l *Listener) UDPConn() *net.UDPConn {
+	return l.udpConn
+}
+
+func (l *Listener) ListenOptions() option.ListenOptions {
+	return l.listenOptions
+}

common/listener/listener_go121.go

@@ -1,6 +1,6 @@
 //go:build go1.21
 
-package inbound
+package listener
 
 import "net"
 

common/listener/listener_go123.go

@@ -0,0 +1,16 @@
+//go:build go1.23
+
+package listener
+
+import (
+	"net"
+	"time"
+)
+
+func setKeepAliveConfig(listener *net.ListenConfig, idle time.Duration, interval time.Duration) {
+	listener.KeepAliveConfig = net.KeepAliveConfig{
+		Enable:   true,
+		Idle:     idle,
+		Interval: interval,
+	}
+}

common/listener/listener_nongo121.go

@@ -1,6 +1,6 @@
 //go:build !go1.21
 
-package inbound
+package listener
 
 import "net"
 

common/listener/listener_nongo123.go

@@ -0,0 +1,15 @@
+//go:build !go1.23
+
+package listener
+
+import (
+	"net"
+	"time"
+
+	"github.com/sagernet/sing/common/control"
+)
+
+func setKeepAliveConfig(listener *net.ListenConfig, idle time.Duration, interval time.Duration) {
+	listener.KeepAlive = idle
+	listener.Control = control.Append(listener.Control, control.SetKeepAlivePeriod(idle, interval))
+}

common/listener/listener_tcp.go

@@ -0,0 +1,86 @@
+package listener
+
+import (
+	"net"
+	"net/netip"
+	"time"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+
+	"github.com/metacubex/tfo-go"
+)
+
+func (l *Listener) ListenTCP() (net.Listener, error) {
+	var err error
+	bindAddr := M.SocksaddrFrom(l.listenOptions.Listen.Build(netip.AddrFrom4([4]byte{127, 0, 0, 1})), l.listenOptions.ListenPort)
+	var tcpListener net.Listener
+	var listenConfig net.ListenConfig
+	if l.listenOptions.TCPKeepAlive >= 0 {
+		keepIdle := time.Duration(l.listenOptions.TCPKeepAlive)
+		if keepIdle == 0 {
+			keepIdle = C.TCPKeepAliveInitial
+		}
+		keepInterval := time.Duration(l.listenOptions.TCPKeepAliveInterval)
+		if keepInterval == 0 {
+			keepInterval = C.TCPKeepAliveInterval
+		}
+		setKeepAliveConfig(&listenConfig, keepIdle, keepInterval)
+	}
+	if l.listenOptions.TCPMultiPath {
+		if !go121Available {
+			return nil, E.New("MultiPath TCP requires go1.21, please recompile your binary.")
+		}
+		setMultiPathTCP(&listenConfig)
+	}
+	if l.listenOptions.TCPFastOpen {
+		var tfoConfig tfo.ListenConfig
+		tfoConfig.ListenConfig = listenConfig
+		tcpListener, err = tfoConfig.Listen(l.ctx, M.NetworkFromNetAddr(N.NetworkTCP, bindAddr.Addr), bindAddr.String())
+	} else {
+		tcpListener, err = listenConfig.Listen(l.ctx, M.NetworkFromNetAddr(N.NetworkTCP, bindAddr.Addr), bindAddr.String())
+	}
+	if err == nil {
+		l.logger.Info("tcp server started at ", tcpListener.Addr())
+	}
+	//nolint:staticcheck
+	if l.listenOptions.ProxyProtocol || l.listenOptions.ProxyProtocolAcceptNoHeader {
+		return nil, E.New("Proxy Protocol is deprecated and removed in sing-box 1.6.0")
+	}
+	l.tcpListener = tcpListener
+	return tcpListener, err
+}
+
+func (l *Listener) loopTCPIn() {
+	tcpListener := l.tcpListener
+	var metadata adapter.InboundContext
+	for {
+		conn, err := tcpListener.Accept()
+		if err != nil {
+			//nolint:staticcheck
+			if netError, isNetError := err.(net.Error); isNetError && netError.Temporary() {
+				l.logger.Error(err)
+				continue
+			}
+			if l.shutdown.Load() && E.IsClosed(err) {
+				return
+			}
+			l.tcpListener.Close()
+			l.logger.Error("tcp listener closed: ", err)
+			continue
+		}
+		//nolint:staticcheck
+		metadata.InboundDetour = l.listenOptions.Detour
+		//nolint:staticcheck
+		metadata.InboundOptions = l.listenOptions.InboundOptions
+		metadata.Source = M.SocksaddrFromNet(conn.RemoteAddr()).Unwrap()
+		metadata.OriginDestination = M.SocksaddrFromNet(conn.LocalAddr()).Unwrap()
+		ctx := log.ContextWithNewID(l.ctx)
+		l.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
+		go l.connHandler.NewConnectionEx(ctx, conn, metadata, nil)
+	}
+}

common/listener/listener_udp.go

@@ -0,0 +1,155 @@
+package listener
+
+import (
+	"net"
+	"net/netip"
+	"os"
+	"time"
+
+	"github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/control"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+func (l *Listener) ListenUDP() (net.PacketConn, error) {
+	bindAddr := M.SocksaddrFrom(l.listenOptions.Listen.Build(netip.AddrFrom4([4]byte{127, 0, 0, 1})), l.listenOptions.ListenPort)
+	var lc net.ListenConfig
+	var udpFragment bool
+	if l.listenOptions.UDPFragment != nil {
+		udpFragment = *l.listenOptions.UDPFragment
+	} else {
+		udpFragment = l.listenOptions.UDPFragmentDefault
+	}
+	if !udpFragment {
+		lc.Control = control.Append(lc.Control, control.DisableUDPFragment())
+	}
+	udpConn, err := lc.ListenPacket(l.ctx, M.NetworkFromNetAddr(N.NetworkUDP, bindAddr.Addr), bindAddr.String())
+	if err != nil {
+		return nil, err
+	}
+	l.udpConn = udpConn.(*net.UDPConn)
+	l.udpAddr = bindAddr
+	l.logger.Info("udp server started at ", udpConn.LocalAddr())
+	return udpConn, err
+}
+
+func (l *Listener) UDPAddr() M.Socksaddr {
+	return l.udpAddr
+}
+
+func (l *Listener) PacketWriter() N.PacketWriter {
+	return (*packetWriter)(l)
+}
+
+func (l *Listener) loopUDPIn() {
+	defer close(l.packetOutboundClosed)
+	var buffer *buf.Buffer
+	if !l.threadUnsafePacketWriter {
+		buffer = buf.NewPacket()
+		defer buffer.Release()
+		buffer.IncRef()
+		defer buffer.DecRef()
+	}
+	if l.oobPacketHandler != nil {
+		oob := make([]byte, 1024)
+		for {
+			if l.threadUnsafePacketWriter {
+				buffer = buf.NewPacket()
+			} else {
+				buffer.Reset()
+			}
+			n, oobN, _, addr, err := l.udpConn.ReadMsgUDPAddrPort(buffer.FreeBytes(), oob)
+			if err != nil {
+				if l.threadUnsafePacketWriter {
+					buffer.Release()
+				}
+				if l.shutdown.Load() && E.IsClosed(err) {
+					return
+				}
+				l.udpConn.Close()
+				l.logger.Error("udp listener closed: ", err)
+				return
+			}
+			buffer.Truncate(n)
+			l.oobPacketHandler.NewPacketEx(buffer, oob[:oobN], M.SocksaddrFromNetIP(addr).Unwrap())
+		}
+	} else {
+		for {
+			if l.threadUnsafePacketWriter {
+				buffer = buf.NewPacket()
+			} else {
+				buffer.Reset()
+			}
+			n, addr, err := l.udpConn.ReadFromUDPAddrPort(buffer.FreeBytes())
+			if err != nil {
+				if l.threadUnsafePacketWriter {
+					buffer.Release()
+				}
+				if l.shutdown.Load() && E.IsClosed(err) {
+					return
+				}
+				l.udpConn.Close()
+				l.logger.Error("udp listener closed: ", err)
+				return
+			}
+			buffer.Truncate(n)
+			l.packetHandler.NewPacketEx(buffer, M.SocksaddrFromNetIP(addr).Unwrap())
+		}
+	}
+}
+
+func (l *Listener) loopUDPOut() {
+	for {
+		select {
+		case packet := <-l.packetOutbound:
+			destination := packet.Destination.AddrPort()
+			_, err := l.udpConn.WriteToUDPAddrPort(packet.Buffer.Bytes(), destination)
+			packet.Buffer.Release()
+			N.PutPacketBuffer(packet)
+			if err != nil {
+				if l.shutdown.Load() && E.IsClosed(err) {
+					return
+				}
+				l.udpConn.Close()
+				l.logger.Error("udp listener write back: ", destination, ": ", err)
+				return
+			}
+			continue
+		case <-l.packetOutboundClosed:
+		}
+		for {
+			select {
+			case packet := <-l.packetOutbound:
+				packet.Buffer.Release()
+				N.PutPacketBuffer(packet)
+			case <-time.After(time.Second):
+				return
+			}
+		}
+	}
+}
+
+type packetWriter Listener
+
+func (w *packetWriter) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
+	packet := N.NewPacketBuffer()
+	packet.Buffer = buffer
+	packet.Destination = destination
+	select {
+	case w.packetOutbound <- packet:
+		return nil
+	default:
+		buffer.Release()
+		N.PutPacketBuffer(packet)
+		if w.shutdown.Load() {
+			return os.ErrClosed
+		}
+		w.logger.Trace("dropped packet to ", destination)
+		return nil
+	}
+}
+
+func (w *packetWriter) WriteIsThreadUnsafe() {
+}

common/mux/router.go

@@ -15,11 +15,11 @@ import (
 )
 
 type Router struct {
-	router  adapter.ConnectionRouter
+	router  adapter.ConnectionRouterEx
 	service *mux.Service
 }
 
-func NewRouterWithOptions(router adapter.ConnectionRouter, logger logger.ContextLogger, options option.InboundMultiplexOptions) (adapter.ConnectionRouter, error) {
+func NewRouterWithOptions(router adapter.ConnectionRouterEx, logger logger.ContextLogger, options option.InboundMultiplexOptions) (adapter.ConnectionRouterEx, error) {
 	if !options.Enabled {
 		return router, nil
 	}
@@ -54,6 +54,7 @@ func NewRouterWithOptions(router adapter.ConnectionRouter, logger logger.Context
 
 func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
 	if metadata.Destination == mux.Destination {
+		// TODO: check if WithContext is necessary
 		return r.service.NewConnection(adapter.WithContext(ctx, &metadata), conn, adapter.UpstreamMetadata(metadata))
 	} else {
 		return r.router.RouteConnection(ctx, conn, metadata)
@@ -63,3 +64,15 @@ func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata ad
 func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
 	return r.router.RoutePacketConnection(ctx, conn, metadata)
 }
+
+func (r *Router) RouteConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
+	if metadata.Destination == mux.Destination {
+		r.service.NewConnectionEx(adapter.WithContext(ctx, &metadata), conn, metadata.Source, metadata.Destination, onClose)
+		return
+	}
+	r.router.RouteConnectionEx(ctx, conn, metadata, onClose)
+}
+
+func (r *Router) RoutePacketConnectionEx(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
+	r.router.RoutePacketConnectionEx(ctx, conn, metadata, onClose)
+}

common/mux/v2ray_legacy.go

@@ -1,32 +0,0 @@
-package mux
-
-import (
-	"context"
-	"net"
-
-	"github.com/sagernet/sing-box/adapter"
-	vmess "github.com/sagernet/sing-vmess"
-	"github.com/sagernet/sing/common/logger"
-	N "github.com/sagernet/sing/common/network"
-)
-
-type V2RayLegacyRouter struct {
-	router adapter.ConnectionRouter
-	logger logger.ContextLogger
-}
-
-func NewV2RayLegacyRouter(router adapter.ConnectionRouter, logger logger.ContextLogger) adapter.ConnectionRouter {
-	return &V2RayLegacyRouter{router, logger}
-}
-
-func (r *V2RayLegacyRouter) RouteConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext) error {
-	if metadata.Destination.Fqdn == vmess.MuxDestination.Fqdn {
-		r.logger.InfoContext(ctx, "inbound legacy multiplex connection")
-		return vmess.HandleMuxConnection(ctx, conn, adapter.NewRouteHandler(metadata, r.router, r.logger))
-	}
-	return r.router.RouteConnection(ctx, conn, metadata)
-}
-
-func (r *V2RayLegacyRouter) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
-	return r.router.RoutePacketConnection(ctx, conn, metadata)
-}

common/settings/proxy_darwin.go

@@ -12,6 +12,7 @@ import (
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/shell"
 	"github.com/sagernet/sing/common/x/list"
+	"github.com/sagernet/sing/service"
 )
 
 type DarwinSystemProxy struct {
@@ -24,7 +25,7 @@ type DarwinSystemProxy struct {
 }
 
 func NewSystemProxy(ctx context.Context, serverAddr M.Socksaddr, supportSOCKS bool) (*DarwinSystemProxy, error) {
-	interfaceMonitor := adapter.RouterFromContext(ctx).InterfaceMonitor()
+	interfaceMonitor := service.FromContext[adapter.NetworkManager](ctx).InterfaceMonitor()
 	if interfaceMonitor == nil {
 		return nil, E.New("missing interface monitor")
 	}

common/sniff/sniff.go

@@ -18,7 +18,7 @@ type (
 	PacketSniffer = func(ctx context.Context, metadata *adapter.InboundContext, packet []byte) error
 )
 
-func Skip(metadata adapter.InboundContext) bool {
+func Skip(metadata *adapter.InboundContext) bool {
 	// skip server first protocols
 	switch metadata.Destination.Port {
 	case 25, 465, 587:

common/tls/ech_client.go

@@ -19,6 +19,7 @@ import (
 	"github.com/sagernet/sing-dns"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/ntp"
+	"github.com/sagernet/sing/service"
 
 	mDNS "github.com/miekg/dns"
 )
@@ -213,7 +214,7 @@ func fetchECHClientConfig(ctx context.Context) func(_ context.Context, serverNam
 				},
 			},
 		}
-		response, err := adapter.RouterFromContext(ctx).Exchange(ctx, message)
+		response, err := service.FromContext[adapter.Router](ctx).Exchange(ctx, message)
 		if err != nil {
 			return nil, err
 		}

common/tls/reality_server.go

@@ -11,7 +11,6 @@ import (
 	"time"
 
 	"github.com/sagernet/reality"
-	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/dialer"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
@@ -102,7 +101,7 @@ func NewRealityServer(ctx context.Context, logger log.Logger, options option.Inb
 		tlsConfig.ShortIds[shortID] = true
 	}
 
-	handshakeDialer, err := dialer.New(adapter.RouterFromContext(ctx), options.Reality.Handshake.DialerOptions)
+	handshakeDialer, err := dialer.New(ctx, options.Reality.Handshake.DialerOptions)
 	if err != nil {
 		return nil, err
 	}

common/uot/router.go

@@ -13,14 +13,14 @@ import (
 	"github.com/sagernet/sing/common/uot"
 )
 
-var _ adapter.ConnectionRouter = (*Router)(nil)
+var _ adapter.ConnectionRouterEx = (*Router)(nil)
 
 type Router struct {
-	router adapter.ConnectionRouter
+	router adapter.ConnectionRouterEx
 	logger logger.ContextLogger
 }
 
-func NewRouter(router adapter.ConnectionRouter, logger logger.ContextLogger) *Router {
+func NewRouter(router adapter.ConnectionRouterEx, logger logger.ContextLogger) *Router {
 	return &Router{router, logger}
 }
 
@@ -51,3 +51,36 @@ func (r *Router) RouteConnection(ctx context.Context, conn net.Conn, metadata ad
 func (r *Router) RoutePacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext) error {
 	return r.router.RoutePacketConnection(ctx, conn, metadata)
 }
+
+func (r *Router) RouteConnectionEx(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
+	switch metadata.Destination.Fqdn {
+	case uot.MagicAddress:
+		request, err := uot.ReadRequest(conn)
+		if err != nil {
+			err = E.Cause(err, "UoT read request")
+			r.logger.ErrorContext(ctx, "process connection from ", metadata.Source, ": ", err)
+			N.CloseOnHandshakeFailure(conn, onClose, err)
+			return
+		}
+		if request.IsConnect {
+			r.logger.InfoContext(ctx, "inbound UoT connect connection to ", request.Destination)
+		} else {
+			r.logger.InfoContext(ctx, "inbound UoT connection to ", request.Destination)
+		}
+		metadata.Domain = metadata.Destination.Fqdn
+		metadata.Destination = request.Destination
+		r.router.RoutePacketConnectionEx(ctx, uot.NewConn(conn, *request), metadata, onClose)
+		return
+	case uot.LegacyMagicAddress:
+		r.logger.InfoContext(ctx, "inbound legacy UoT connection")
+		metadata.Domain = metadata.Destination.Fqdn
+		metadata.Destination = M.Socksaddr{Addr: netip.IPv4Unspecified()}
+		r.RoutePacketConnectionEx(ctx, uot.NewConn(conn, uot.Request{}), metadata, onClose)
+		return
+	}
+	r.router.RouteConnectionEx(ctx, conn, metadata, onClose)
+}
+
+func (r *Router) RoutePacketConnectionEx(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext, onClose N.CloseHandlerFunc) {
+	r.router.RoutePacketConnectionEx(ctx, conn, metadata, onClose)
+}

constant/rule.go

@@ -22,3 +22,18 @@ const (
 	RuleSetVersion1 = 1 + iota
 	RuleSetVersion2
 )
+
+const (
+	RuleActionTypeRoute        = "route"
+	RuleActionTypeRouteOptions = "route-options"
+	RuleActionTypeDirect       = "direct"
+	RuleActionTypeReject       = "reject"
+	RuleActionTypeHijackDNS    = "hijack-dns"
+	RuleActionTypeSniff        = "sniff"
+	RuleActionTypeResolve      = "resolve"
+)
+
+const (
+	RuleActionRejectMethodDefault = "default"
+	RuleActionRejectMethodDrop    = "drop"
+)

docs/changelog.md

@@ -2,6 +2,66 @@
 icon: material/alert-decagram
 ---
 
+#### 1.11.0-alpha.11
+
+* Fixes and improvements
+
+#### 1.11.0-alpha.9
+
+* Improve tun compatibility **1**
+* Fixes and improvements
+
+**1**:
+
+When `gvisor` tun stack is enabled, even if the request passes routing,
+if the outbound connection establishment fails,
+the connection still does not need to be established and a TCP RST is replied.
+
+#### 1.11.0-alpha.7
+
+* Introducing rule actions **1**
+
+**1**:
+
+New rule actions replace legacy inbound fields and special outbound fields,
+and can be used for pre-matching **2**.
+
+See [Rule](/configuration/route/rule/),
+[Rule Action](/configuration/route/rule_action/),
+[DNS Rule](/configuration/dns/rule/) and
+[DNS Rule Action](/configuration/dns/rule_action/).
+
+For migration, see
+[Migrate legacy special outbounds to rule actions](/migration/#migrate-legacy-special-outbounds-to-rule-actions), 
+[Migrate legacy inbound fields to rule actions](/migration/#migrate-legacy-inbound-fields-to-rule-actions)
+and [Migrate legacy DNS route options to rule actions](/migration/#migrate-legacy-dns-route-options-to-rule-actions).
+
+**2**:
+
+Similar to Surge's pre-matching.
+
+Specifically, the new rule actions allow you to reject connections with
+TCP RST (for TCP connections) and ICMP port unreachable (for UDP packets)
+before connection established to improve tun's compatibility.
+
+See [Rule Action](/configuration/route/rule_action/).
+
+#### 1.11.0-alpha.6
+
+* Update quic-go to v0.48.1
+* Set gateway for tun correctly
+* Fixes and improvements
+
+#### 1.11.0-alpha.2
+
+* Add warnings for usage of deprecated features
+* Fixes and improvements
+
+#### 1.11.0-alpha.1
+
+* Update quic-go to v0.48.0
+* Fixes and improvements
+
 ### 1.10.1
 
 * Fixes and improvements

docs/configuration/dns/index.md

@@ -1,7 +1,3 @@
----
-icon: material/new-box
----
-
 !!! quote "Changes in sing-box 1.9.0"
 
     :material-plus: [client_subnet](#client_subnet)

docs/configuration/dns/index.zh.md

@@ -1,7 +1,3 @@
----
-icon: material/new-box
----
-
 !!! quote "sing-box 1.9.0 中的更改"
 
     :material-plus: [client_subnet](#client_subnet)

docs/configuration/dns/rule.md

@@ -2,6 +2,14 @@
 icon: material/new-box
 ---
 
+!!! quote "Changes in sing-box 1.11.0"
+
+    :material-plus: [action](#action)  
+    :material-alert: [server](#server)  
+    :material-alert: [disable_cache](#disable_cache)  
+    :material-alert: [rewrite_ttl](#rewrite_ttl)  
+    :material-alert: [client_subnet](#client_subnet)
+
 !!! quote "Changes in sing-box 1.10.0"
 
     :material-delete-clock: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source)  
@@ -135,19 +143,15 @@ icon: material/new-box
         "outbound": [
           "direct"
         ],
-        "server": "local",
+        "action": "route",
-        "disable_cache": false,
+        "server": "local"
-        "rewrite_ttl": 100,
-        "client_subnet": "127.0.0.1/24"
       },
       {
         "type": "logical",
         "mode": "and",
         "rules": [],
-        "server": "local",
+        "action": "route",
-        "disable_cache": false,
+        "server": "local"
-        "rewrite_ttl": 100,
-        "client_subnet": "127.0.0.1/24"
       }
     ]
   }
@@ -218,7 +222,7 @@ Match domain using regular expression.
 
 !!! failure "Deprecated in sing-box 1.8.0"
 
-    Geosite is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geosite-to-rule-sets).
+    Geosite is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geosite-to-rule-sets).
 
 Match geosite.
 
@@ -226,7 +230,7 @@ Match geosite.
 
 !!! failure "Deprecated in sing-box 1.8.0"
 
-    GeoIP is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geoip-to-rule-sets).
+    GeoIP is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geoip-to-rule-sets).
 
 Match source geoip.
 
@@ -354,29 +358,35 @@ Match outbound.
 
 `any` can be used as a value to match any outbound.
 
-#### server
+#### action
 
 ==Required==
 
-Tag of the target dns server.
+See [DNS Rule Actions](../rule_action/) for details.
+
+#### server
+
+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Moved to [DNS Rule Action](../rule_action#route).
 
 #### disable_cache
 
-Disable cache and save cache in this query.
+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Moved to [DNS Rule Action](../rule_action#route).
 
 #### rewrite_ttl
 
-Rewrite TTL in DNS responses.
+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Moved to [DNS Rule Action](../rule_action#route).
 
 #### client_subnet
 
-!!! question "Since sing-box 1.9.0"
+!!! failure "Deprecated in sing-box 1.11.0"
 
-Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
+    Moved to [DNS Rule Action](../rule_action#route).
-
-If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
-
-Will overrides `dns.client_subnet` and `servers.[].client_subnet`.
 
 ### Address Filter Fields
 

docs/configuration/dns/rule_action.md

@@ -0,0 +1,85 @@
+---
+icon: material/new-box
+---
+
+# DNS Rule Action
+
+!!! question "Since sing-box 1.11.0"
+
+### route
+
+```json
+{
+  "action": "route",  // default
+  "server": "",
+  
+  // for compatibility
+  "disable_cache": false,
+  "rewrite_ttl": 0,
+  "client_subnet": null
+}
+```
+
+`route` inherits the classic rule behavior of routing DNS requests to the specified server.
+
+#### server
+
+==Required==
+
+Tag of target server.
+
+#### disable_cache/rewrite_ttl/client_subnet
+
+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Legacy route options is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-legacy-dns-route-options-to-rule-actions).
+
+### route-options
+
+```json
+{
+  "action": "route-options",
+  "disable_cache": false,
+  "rewrite_ttl": null,
+  "client_subnet": null
+}
+```
+
+#### disable_cache
+
+Disable cache and save cache in this query.
+
+#### rewrite_ttl
+
+Rewrite TTL in DNS responses.
+
+#### client_subnet
+
+Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
+
+If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
+
+Will overrides `dns.client_subnet` and `servers.[].client_subnet`.
+
+### reject
+
+```json
+{
+  "action": "reject",
+  "method": "default", // default
+  "no_drop": false
+}
+```
+
+`reject` reject DNS requests.
+
+#### method
+
+- `default`: Reply with NXDOMAIN.
+- `drop`: Drop the request.
+
+#### no_drop
+
+If not enabled, `method` will be temporarily overwritten to `drop` after 50 triggers in 30s.
+
+Not available when `method` is set to drop.

docs/configuration/dns/rule_action.zh.md

@@ -0,0 +1,86 @@
+---
+icon: material/new-box
+---
+
+# DNS 规则动作
+
+!!! question "自 sing-box 1.11.0 起"
+
+### route
+
+```json
+{
+  "action": "route",  // 默认
+  "server": "",
+  
+  // 兼容性
+  "disable_cache": false,
+  "rewrite_ttl": 0,
+  "client_subnet": null
+}
+```
+
+`route` 继承了将 DNS 请求 路由到指定服务器的经典规则动作。
+
+#### server
+
+==必填==
+
+目标 DNS 服务器的标签。
+
+#### disable_cache/rewrite_ttl/client_subnet
+
+!!! failure "自 sing-box 1.11.0 起"
+
+    旧的路由选项已弃用，且将在 sing-box 1.12.0 中移除，参阅 [迁移指南](/migration/#migrate-legacy-dns-route-options-to-rule-actions).
+
+### route-options
+
+```json
+{
+  "action": "route-options",
+  "disable_cache": false,
+  "rewrite_ttl": null,
+  "client_subnet": null
+}
+```
+
+
+#### disable_cache
+
+在此查询中禁用缓存。
+
+#### rewrite_ttl
+
+重写 DNS 回应中的 TTL。
+
+#### client_subnet
+
+默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
+
+如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
+
+将覆盖 `dns.client_subnet` 与 `servers.[].client_subnet`。
+
+### reject
+
+```json
+{
+  "action": "reject",
+  "method": "default", // default
+  "no_drop": false
+}
+```
+
+`reject` 拒绝 DNS 请求。
+
+#### method
+
+- `default`: 返回 NXDOMAIN。
+- `drop`: 丢弃请求。
+
+#### no_drop
+
+如果未启用，则 30 秒内触发 50 次后，`method` 将被暂时覆盖为 `drop`。
+
+当 `method` 设为 `drop` 时不可用。

docs/configuration/dns/server.md

@@ -1,7 +1,3 @@
----
-icon: material/new-box
----
-
 !!! quote "Changes in sing-box 1.9.0"
 
     :material-plus: [client_subnet](#client_subnet)

docs/configuration/dns/server.zh.md

@@ -1,7 +1,3 @@
----
-icon: material/new-box
----
-
 !!! quote "sing-box 1.9.0 中的更改"
 
     :material-plus: [client_subnet](#client_subnet)

docs/configuration/experimental/cache-file.md

@@ -1,7 +1,3 @@
----
-icon: material/new-box
----
-
 !!! question "Since sing-box 1.8.0"
 
 !!! quote "Changes in sing-box 1.9.0"

docs/configuration/experimental/cache-file.zh.md

@@ -1,7 +1,3 @@
----
-icon: material/new-box
----
-
 !!! question "自 sing-box 1.8.0 起"
 
 !!! quote "sing-box 1.9.0 中的更改"

docs/configuration/outbound/block.md

@@ -1,8 +1,14 @@
-`block` outbound closes all incoming requests.
+---
+icon: material/delete-clock
+---
+
+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Legacy special outbounds are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-special-outbounds-to-rule-actions). 
 
 ### Structure
 
-```json
+```json F
 {
   "type": "block",
   "tag": "block"

docs/configuration/outbound/block.zh.md

@@ -1,3 +1,11 @@
+---
+icon: material/delete-clock
+---
+
+!!! failure "已在 sing-box 1.11.0 废弃"
+
+    旧的特殊出站已被弃用，且将在 sing-box 1.13.0 中被移除，参阅 [迁移指南](/migration/#migrate-legacy-special-outbounds-to-rule-actions). 
+
 `block` 出站关闭所有传入请求。
 
 ### 结构

docs/configuration/outbound/dns.md

@@ -1,3 +1,11 @@
+---
+icon: material/delete-clock
+---
+
+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Legacy special outbounds are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-special-outbounds-to-rule-actions).
+
 `dns` outbound is a internal DNS server.
 
 ### Structure

docs/configuration/outbound/dns.zh.md

@@ -1,3 +1,11 @@
+---
+icon: material/delete-clock
+---
+
+!!! failure "已在 sing-box 1.11.0 废弃"
+
+    旧的特殊出站已被弃用，且将在 sing-box 1.13.0 中被移除, 参阅 [迁移指南](/migration/#migrate-legacy-special-outbounds-to-rule-actions). 
+
 `dns` 出站是一个内部 DNS 服务器。
 
 ### 结构

docs/configuration/route/geoip.md

@@ -4,7 +4,7 @@ icon: material/delete-clock
 
 !!! failure "Deprecated in sing-box 1.8.0"
 
-    GeoIP is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geoip-to-rule-sets).
+    GeoIP is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geoip-to-rule-sets).
 
 ### Structure
 

docs/configuration/route/geoip.zh.md

@@ -4,7 +4,7 @@ icon: material/delete-clock
 
 !!! failure "已在 sing-box 1.8.0 废弃"
 
-    GeoIP 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#geoip)。
+    GeoIP 已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geoip)。
 
 ### 结构
 

docs/configuration/route/geosite.md

@@ -4,7 +4,7 @@ icon: material/delete-clock
 
 !!! failure "Deprecated in sing-box 1.8.0"
 
-    Geosite is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geosite-to-rule-sets).
+    Geosite is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geosite-to-rule-sets).
 
 ### Structure
 

docs/configuration/route/geosite.zh.md

@@ -4,7 +4,7 @@ icon: material/delete-clock
 
 !!! failure "已在 sing-box 1.8.0 废弃"
 
-    Geosite 已废弃且可能在不久的将来移除，参阅 [迁移指南](/zh/migration/#geosite)。
+    Geosite 已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/zh/migration/#geosite)。
 
 ### 结构
 

docs/configuration/route/rule.md

@@ -1,7 +1,12 @@
 ---
-icon: material/alert-decagram
+icon: material/new-box
 ---
 
+!!! quote "Changes in sing-box 1.11.0"
+
+    :material-plus: [action](#action)  
+    :material-alert: [outbound](#outbound)
+
 !!! quote "Changes in sing-box 1.10.0"
 
     :material-plus: [client](#client)  
@@ -129,6 +134,7 @@ icon: material/alert-decagram
         "rule_set_ipcidr_match_source": false,
         "rule_set_ip_cidr_match_source": false,
         "invert": false,
+        "action": "route",
         "outbound": "direct"
       },
       {
@@ -136,6 +142,7 @@ icon: material/alert-decagram
         "mode": "and",
         "rules": [],
         "invert": false,
+        "action": "route",
         "outbound": "direct"
       }
     ]
@@ -209,7 +216,7 @@ Match domain using regular expression.
 
 !!! failure "Deprecated in sing-box 1.8.0"
 
-    Geosite is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geosite-to-rule-sets).
+    Geosite is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geosite-to-rule-sets).
 
 Match geosite.
 
@@ -217,7 +224,7 @@ Match geosite.
 
 !!! failure "Deprecated in sing-box 1.8.0"
 
-    GeoIP is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geoip-to-rule-sets).
+    GeoIP is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geoip-to-rule-sets).
 
 Match source geoip.
 
@@ -225,7 +232,7 @@ Match source geoip.
 
 !!! failure "Deprecated in sing-box 1.8.0"
 
-    GeoIP is deprecated and may be removed in the future, check [Migration](/migration/#migrate-geoip-to-rule-sets).
+    GeoIP is deprecated and will be removed in sing-box 1.12.0, check [Migration](/migration/#migrate-geoip-to-rule-sets).
 
 Match geoip.
 
@@ -357,11 +364,17 @@ Make `ip_cidr` in rule-sets match the source IP.
 
 Invert match result.
 
-#### outbound
+#### action
 
 ==Required==
 
-Tag of the target outbound.
+See [Rule Actions](../rule_action/) for details.
+
+#### outbound
+
+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Moved to [Rule Action](../rule_action#route).
 
 ### Logical Fields
 

docs/configuration/route/rule.zh.md

@@ -1,7 +1,12 @@
 ---
-icon: material/alert-decagram
+icon: material/new-box
 ---
 
+!!! quote "sing-box 1.11.0 中的更改"
+
+    :material-plus: [action](#action)  
+    :material-alert: [outbound](#outbound)
+
 !!! quote "sing-box 1.10.0 中的更改"
 
     :material-plus: [client](#client)  
@@ -127,6 +132,7 @@ icon: material/alert-decagram
         "rule_set_ipcidr_match_source": false,
         "rule_set_ip_cidr_match_source": false,
         "invert": false,
+        "action": "route",
         "outbound": "direct"
       },
       {
@@ -134,6 +140,7 @@ icon: material/alert-decagram
         "mode": "and",
         "rules": [],
         "invert": false,
+        "action": "route",
         "outbound": "direct"
       }
     ]
@@ -355,11 +362,17 @@ icon: material/alert-decagram
 
 反选匹配结果。
 
-#### outbound
+#### action
 
 ==必填==
 
-目标出站的标签。
+参阅 [规则行动](../rule_action/)。
+
+#### outbound
+
+!!! failure "已在 sing-box 1.11.0 废弃"
+
+    已移动到 [规则行动](../rule_action#route).
 
 ### 逻辑字段
 

docs/configuration/route/rule_action.md

@@ -0,0 +1,139 @@
+---
+icon: material/new-box
+---
+
+# Rule Action
+
+!!! question "Since sing-box 1.11.0"
+
+## Final actions
+
+### route
+
+```json
+{
+  "action": "route", // default
+  "outbound": ""
+}
+```
+
+`route` inherits the classic rule behavior of routing connection to the specified outbound.
+
+#### outbound
+
+==Required==
+
+Tag of target outbound.
+
+### route-options
+
+```json
+{
+  "action": "route-options",
+  "udp_disable_domain_unmapping": false,
+  "udp_connect": false
+}
+```
+
+`route-options` set options for routing.
+
+#### udp_disable_domain_unmapping
+
+If enabled, for UDP proxy requests addressed to a domain,
+the original packet address will be sent in the response instead of the mapped domain.
+
+This option is used for compatibility with clients that
+do not support receiving UDP packets with domain addresses, such as Surge.
+
+#### udp_connect
+
+If enabled, attempts to connect UDP connection to the destination instead of listen.
+
+### reject
+
+```json
+{
+  "action": "reject",
+  "method": "default", // default
+  "no_drop": false
+}
+```
+
+`reject` reject connections
+
+The specified method is used for reject tun connections if `sniff` action has not been performed yet.
+
+For non-tun connections and already established connections, will just be closed.
+
+#### method
+
+- `default`: Reply with TCP RST for TCP connections, and ICMP port unreachable for UDP packets.
+- `drop`: Drop packets.
+
+#### no_drop
+
+If not enabled, `method` will be temporarily overwritten to `drop` after 50 triggers in 30s.
+
+Not available when `method` is set to drop.
+
+### hijack-dns
+
+```json
+{
+  "action": "hijack-dns"
+}
+```
+
+`hijack-dns` hijack DNS requests to the sing-box DNS module.
+
+## Non-final actions
+
+### sniff
+
+```json
+{
+  "action": "sniff",
+  "sniffer": [],
+  "timeout": ""
+}
+```
+
+`sniff` performs protocol sniffing on connections.
+
+For deprecated `inbound.sniff` options, it is considered to `sniff()` performed before routing.
+
+#### sniffer
+
+Enabled sniffers.
+
+All sniffers enabled by default.
+
+Available protocol values an be found on in [Protocol Sniff](../sniff/)
+
+#### timeout
+
+Timeout for sniffing.
+
+`300ms` is used by default.
+
+### resolve
+
+```json
+{
+  "action": "resolve",
+  "strategy": "",
+  "server": ""
+}
+```
+
+`resolve` resolve request destination from domain to IP addresses.
+
+#### strategy
+
+DNS resolution strategy, available values are: `prefer_ipv4`, `prefer_ipv6`, `ipv4_only`, `ipv6_only`.
+
+`dns.strategy` will be used by default.
+
+#### server
+
+Specifies DNS server tag to use instead of selecting through DNS routing.

docs/configuration/route/rule_action.zh.md

@@ -0,0 +1,136 @@
+---
+icon: material/new-box
+---
+
+# 规则动作
+
+!!! question "自 sing-box 1.11.0 起"
+
+## 最终动作
+
+### route
+
+```json
+{
+  "action": "route", // 默认
+  "outbound": "",
+  "udp_disable_domain_unmapping": false
+}
+```
+
+`route` 继承了将连接路由到指定出站的经典规则动作。
+
+#### outbound
+
+==必填==
+
+目标出站的标签。
+
+### route-options
+
+```json
+{
+  "action": "route-options",
+  "udp_disable_domain_unmapping": false,
+    "udp_connect": false
+}
+```
+
+#### udp_disable_domain_unmapping
+
+如果启用，对于地址为域的 UDP 代理请求，将在响应中发送原始包地址而不是映射的域。
+
+此选项用于兼容不支持接收带有域地址的 UDP 包的客户端，如 Surge。
+
+#### udp_connect
+
+如果启用，将尝试将 UDP 连接 connect 到目标而不是 listen。
+
+### reject
+
+```json
+{
+  "action": "reject",
+  "method": "default",  // 默认
+  "no_drop": false
+}
+```
+
+`reject` 拒绝连接。
+
+如果尚未执行 `sniff` 操作，则将使用指定方法拒绝 tun 连接。
+
+对于非 tun 连接和已建立的连接，将直接关闭。
+
+#### method
+
+- `default`: 对于 TCP 连接回复 RST，对于 UDP 包回复 ICMP 端口不可达。
+- `drop`: 丢弃数据包。
+
+#### no_drop
+
+如果未启用，则 30 秒内触发 50 次后，`method` 将被暂时覆盖为 `drop`。
+
+当 `method` 设为 `drop` 时不可用。
+
+### hijack-dns
+
+```json
+{
+  "action": "hijack-dns"
+}
+```
+
+`hijack-dns` 劫持 DNS 请求至 sing-box DNS 模块。
+
+## 非最终动作
+
+### sniff
+
+```json
+{
+  "action": "sniff",
+  "sniffer": [],
+  "timeout": ""
+}
+```
+
+`sniff` 对连接执行协议嗅探。
+
+对于已弃用的 `inbound.sniff` 选项，被视为在路由之前执行的 `sniff`。
+
+#### sniffer
+
+启用的探测器。
+
+默认启用所有探测器。
+
+可用的协议值可以在 [协议嗅探](../sniff/) 中找到。
+
+#### timeout
+
+探测超时时间。
+
+默认使用 300ms。
+
+### resolve
+
+```json
+{
+  "action": "resolve",
+  "strategy": "",
+  "server": ""
+}
+```
+
+`resolve` 将请求的目标从域名解析为 IP 地址。
+
+#### strategy
+
+DNS 解析策略，可用值有：`prefer_ipv4`、`prefer_ipv6`、`ipv4_only`、`ipv6_only`。
+
+默认使用 `dns.strategy`。
+
+#### server
+
+指定要使用的 DNS 服务器的标签，而不是通过 DNS 路由进行选择。

docs/configuration/shared/listen.md

@@ -1,3 +1,15 @@
+---
+icon: material/delete-clock
+---
+
+!!! quote "Changes in sing-box 1.11.0"
+
+    :material-delete-clock: [sniff](#sniff)  
+    :material-delete-clock: [sniff_override_destination](#sniff_override_destination)  
+    :material-delete-clock: [sniff_timeout](#sniff_timeout)  
+    :material-delete-clock: [domain_strategy](#domain_strategy)  
+    :material-delete-clock: [udp_disable_domain_unmapping](#udp_disable_domain_unmapping)
+
 ### Structure
 
 ```json
@@ -68,24 +80,40 @@ Requires target inbound support, see [Injectable](/configuration/inbound/#fields
 
 #### sniff
 
+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Inbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
+
 Enable sniffing.
 
 See [Protocol Sniff](/configuration/route/sniff/) for details.
 
 #### sniff_override_destination
 
+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Inbound fields are deprecated and will be removed in sing-box 1.13.0.
+
 Override the connection destination address with the sniffed domain.
 
 If the domain name is invalid (like tor), this will not work.
 
 #### sniff_timeout
 
+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Inbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
+
 Timeout for sniffing.
 
-300ms is used by default.
+`300ms` is used by default.
 
 #### domain_strategy
 
+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Inbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
+
 One of `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`.
 
 If set, the requested domain name will be resolved to IP before routing.
@@ -94,6 +122,10 @@ If `sniff_override_destination` is in effect, its value will be taken as a fallb
 
 #### udp_disable_domain_unmapping
 
+!!! failure "Deprecated in sing-box 1.11.0"
+
+    Inbound fields are deprecated and will be removed in sing-box 1.13.0, check [Migration](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
+
 If enabled, for UDP proxy requests addressed to a domain, 
 the original packet address will be sent in the response instead of the mapped domain.
 

docs/configuration/shared/listen.zh.md

@@ -1,3 +1,15 @@
+---
+icon: material/delete-clock
+---
+
+!!! quote "sing-box 1.11.0 中的更改"
+
+    :material-delete-clock: [sniff](#sniff)  
+    :material-delete-clock: [sniff_override_destination](#sniff_override_destination)  
+    :material-delete-clock: [sniff_timeout](#sniff_timeout)  
+    :material-delete-clock: [domain_strategy](#domain_strategy)  
+    :material-delete-clock: [udp_disable_domain_unmapping](#udp_disable_domain_unmapping)
+
 ### 结构
 
 ```json
@@ -69,24 +81,40 @@ UDP NAT 过期时间，以秒为单位。
 
 #### sniff
 
+!!! failure "已在 sing-box 1.11.0 废弃"
+
+    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
+
 启用协议探测。
 
 参阅 [协议探测](/zh/configuration/route/sniff/)
 
 #### sniff_override_destination
 
+!!! failure "已在 sing-box 1.11.0 废弃"
+
+    入站字段已废弃且将在 sing-box 1.12.0 中被移除。
+
 用探测出的域名覆盖连接目标地址。
 
 如果域名无效（如 Tor），将不生效。
 
 #### sniff_timeout
 
+!!! failure "已在 sing-box 1.11.0 废弃"
+
+    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
+
 探测超时时间。
 
 默认使用 300ms。
 
 #### domain_strategy
 
+!!! failure "已在 sing-box 1.11.0 废弃"
+
+    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
+
 可选值： `prefer_ipv4` `prefer_ipv6` `ipv4_only` `ipv6_only`。
 
 如果设置，请求的域名将在路由之前解析为 IP。
@@ -95,6 +123,10 @@ UDP NAT 过期时间，以秒为单位。
 
 #### udp_disable_domain_unmapping
 
+!!! failure "已在 sing-box 1.11.0 废弃"
+
+    入站字段已废弃且将在 sing-box 1.12.0 中被移除，参阅 [迁移指南](/migration/#migrate-legacy-inbound-fields-to-rule-actions).
+
 如果启用，对于地址为域的 UDP 代理请求，将在响应中发送原始包地址而不是映射的域。
 
 此选项用于兼容不支持接收带有域地址的 UDP 包的客户端，如 Surge。

docs/deprecated.md

@@ -4,6 +4,32 @@ icon: material/delete-alert
 
 # Deprecated Feature List
 
+## 1.11.0
+
+#### Legacy special outbounds
+
+Legacy special outbounds (`block` / `dns`) are deprecated
+and can be replaced by rule actions,
+check [Migration](../migration/#migrate-legacy-special-outbounds-to-rule-actions).
+
+Old fields will be removed in sing-box 1.13.0.
+
+#### Legacy inbound fields
+
+Legacy inbound fields （`inbound.<sniff/domain_strategy/...>` are deprecated
+and can be replaced by rule actions,
+check [Migration](../migration/#migrate-legacy-inbound-fields-to-rule-actions).
+
+Old fields will be removed in sing-box 1.13.0.
+
+#### Legacy DNS route options
+
+Legacy DNS route options (`disable_cache`, `rewrite_ttl`, `client_subnet`) are deprecated
+and can be replaced by rule actions,
+check [Migration](../migration/#migrate-legacy-dns-route-options-to-rule-actions).
+
+Old fields will be removed in sing-box 1.12.0.
+
 ## 1.10.0
 
 #### TUN address fields are merged
@@ -12,7 +38,7 @@ icon: material/delete-alert
 `inet4_route_address` and `inet6_route_address` are merged into `route_address`,
 `inet4_route_exclude_address` and `inet6_route_exclude_address` are merged into `route_exclude_address`.
 
-Old fields are deprecated and will be removed in sing-box 1.11.0.
+Old fields will be removed in sing-box 1.12.0.
 
 #### Match source rule items are renamed
 
@@ -32,7 +58,7 @@ check [Migration](/migration/#migrate-cache-file-from-clash-api-to-independent-o
 
 #### GeoIP
 
-GeoIP is deprecated and may be removed in the future.
+GeoIP is deprecated and will be removed in sing-box 1.12.0.
 
 The maxmind GeoIP National Database, as an IP classification database,
 is not entirely suitable for traffic bypassing,
@@ -43,7 +69,7 @@ check [Migration](/migration/#migrate-geoip-to-rule-sets).
 
 #### Geosite
 
-Geosite is deprecated and may be removed in the future.
+Geosite is deprecated and will be removed in sing-box 1.12.0.
 
 Geosite, the `domain-list-community` project maintained by V2Ray as an early traffic bypassing solution,
 suffers from a number of problems, including lack of maintenance, inaccurate rules, and difficult management.

docs/deprecated.zh.md

@@ -4,6 +4,29 @@ icon: material/delete-alert
 
 # 废弃功能列表
 
+## 1.11.0
+
+#### 旧的特殊出站
+
+旧的特殊出站（`block` / `dns`）已废弃且可以通过规则动作替代，
+参阅 [迁移指南](/migration/#migrate-legacy-special-outbounds-to-rule-actions)。
+
+旧字段将在 sing-box 1.13.0 中被移除。
+
+#### 旧的入站字段
+
+旧的入站字段（`inbound.<sniff/domain_strategy/...>`）已废弃且可以通过规则动作替代，
+参阅 [迁移指南](/migration/#migrate-legacy-inbound-fields-to-rule-actions)。
+
+旧字段将在 sing-box 1.13.0 中被移除。
+
+#### 旧的 DNS 路由参数
+
+旧的 DNS 路由参数（`disable_cache`、`rewrite_ttl`、`client_subnet`）已废弃且可以通过规则动作替代，
+参阅 [迁移指南](/migration/#migrate-legacy-dns-route-options-to-rule-actions)。
+
+旧字段将在 sing-box 1.12.0 中被移除。
+
 ## 1.10.0
 
 #### Match source 规则项已重命名
@@ -17,7 +40,7 @@ icon: material/delete-alert
 `inet4_route_address` 和 `inet6_route_address` 已合并为 `route_address`，
 `inet4_route_exclude_address` 和 `inet6_route_exclude_address` 已合并为 `route_exclude_address`。
 
-旧字段已废弃，且将在 sing-box 1.11.0 中被移除。
+旧字段将在 sing-box 1.11.0 中被移除。
 
 #### 移除对 go1.18 和 go1.19 的支持
 
@@ -32,7 +55,7 @@ Clash API 中的 `cache_file` 及相关功能已废弃且已迁移到独立的 `
 
 #### GeoIP
 
-GeoIP 已废弃且可能在不久的将来移除。
+GeoIP 已废弃且将在 sing-box 1.12.0 中被移除。
 
 maxmind GeoIP 国家数据库作为 IP 分类数据库，不完全适合流量绕过，
 且现有的实现均存在内存使用大与管理困难的问题。
@@ -42,7 +65,7 @@ sing-box 1.8.0 引入了[规则集](/configuration/rule-set/)，
 
 #### Geosite
 
-Geosite 已废弃且可能在不久的将来移除。
+Geosite 已废弃且将在 sing-box 1.12.0 中被移除。
 
 Geosite，即由 V2Ray 维护的 domain-list-community 项目，作为早期流量绕过解决方案，
 存在着包括缺少维护、规则不准确和管理困难内的大量问题。

docs/migration.md

@@ -2,6 +2,212 @@
 icon: material/arrange-bring-forward
 ---
 
+## 1.11.0
+
+### Migrate legacy special outbounds to rule actions
+
+Legacy special outbounds are deprecated and can be replaced by rule actions.
+
+!!! info "References"
+
+    [Rule Action](/configuration/route/rule_action/) / 
+    [Block](/configuration/outbound/block/) / 
+    [DNS](/configuration/outbound/dns)
+
+=== "Block"
+
+    === ":material-card-remove: Deprecated"
+    
+        ```json
+        {
+          "outbounds": [
+            {
+              "type": "block",
+              "tag": "block"
+            }
+          ],
+          "route": {
+            "rules": [
+              {
+                ...,
+                
+                "outbound": "block"
+              }
+            ]
+          }
+        }
+        ```
+
+    === ":material-card-multiple: New"
+    
+        ```json
+        {
+          "route": {
+            "rules": [
+              {
+                ...,
+                
+                "action": "reject"
+              }
+            ]
+          }
+        }
+        ```
+
+=== "DNS"
+
+    === ":material-card-remove: Deprecated"
+    
+        ```json
+        {
+          "inbound": [
+            {
+              ...,
+              
+              "sniff": true
+            }
+          ],
+          "outbounds": [
+            {
+              "tag": "dns",
+              "type": "dns"
+            }
+          ],
+          "route": {
+            "rules": [
+              {
+                "protocol": "dns",
+                "outbound": "dns"
+              }
+            ]
+          }
+        }
+        ```
+    
+    === ":material-card-multiple: New"
+    
+        ```json
+        {
+          "route": {
+            "rules": [
+              {
+                "action": "sniff"
+              },
+              {
+                "protocol": "dns",
+                "action": "hijack-dns"
+              }
+            ]
+          }
+        }
+        ```
+
+### Migrate legacy inbound fields to rule actions
+
+Inbound fields are deprecated and can be replaced by rule actions.
+
+!!! info "References"
+
+    [Listen Fields](/configuration/inbound/listen/) /
+    [Rule](/configuration/route/rule/) / 
+    [Rule Action](/configuration/route/rule_action/) / 
+    [DNS Rule](/configuration/dns/rule/) / 
+    [DNS Rule Action](/configuration/dns/rule_action/)
+
+=== ":material-card-remove: Deprecated"
+
+    ```json
+    {
+      "inbounds": [
+        {
+          "type": "mixed",
+          "sniff": true,
+          "sniff_timeout": "1s",
+          "domain_strategy": "prefer_ipv4"
+        }
+      ]
+    }
+    ```
+
+=== ":material-card-multiple: New"
+
+    ```json
+    {
+      "inbounds": [
+        {
+          "type": "mixed",
+          "tag": "in"
+        }
+      ],
+      "route": {
+        "rules": [
+          {
+            "inbound": "in",
+            "action": "resolve",
+            "strategy": "prefer_ipv4"
+          },
+          {
+            "inbound": "in",
+            "action": "sniff",
+            "timeout": "1s"
+          }
+        ]
+      }
+    }
+    ```
+
+### Migrate legacy DNS route options to rule actions
+
+Legacy DNS route options are deprecated and can be replaced by rule actions.
+
+!!! info "References"
+
+    [DNS Rule](/configuration/dns/rule/) / 
+    [DNS Rule Action](/configuration/dns/rule_action/)
+
+=== ":material-card-remove: Deprecated"
+
+    ```json
+    {
+      "dns": {
+        "rules": [
+          {
+            ...,
+            
+            "server": "local",
+            "disable_cache": true,
+            "rewrite_ttl": 600,
+            "client_subnet": "1.1.1.1/24"
+          }
+        ]
+      }
+    }
+    ```
+
+=== ":material-card-multiple: New"
+
+    ```json
+    {
+      "dns": {
+        "rules": [
+          {
+            ...,
+            
+            "action": "route-options",
+            "disable_cache": true,
+            "rewrite_ttl": 600,
+            "client_subnet": "1.1.1.1/24"
+          },
+          {
+            ...,
+            
+            "server": "local"
+          }
+        ]
+      }
+    }
+    ```
+
 ## 1.10.0
 
 ### TUN address fields are merged
@@ -10,8 +216,6 @@ icon: material/arrange-bring-forward
 `inet4_route_address` and `inet6_route_address` are merged into `route_address`,
 `inet4_route_exclude_address` and `inet6_route_exclude_address` are merged into `route_exclude_address`.
 
-Old fields are deprecated and will be removed in sing-box 1.11.0.
-
 !!! info "References"
 
     [TUN](/configuration/inbound/tun/)

docs/migration.zh.md

@@ -2,6 +2,212 @@
 icon: material/arrange-bring-forward
 ---
 
+## 1.11.0
+
+### 迁移旧的特殊出站到规则动作
+
+旧的特殊出站已被弃用，且可以被规则动作替代。
+
+!!! info "参考"
+
+    [规则动作](/zh/configuration/route/rule_action/) /
+    [Block](/zh/configuration/outbound/block/) / 
+    [DNS](/zh/configuration/outbound/dns)
+
+=== "Block"
+
+    === ":material-card-remove: 弃用的"
+    
+        ```json
+        {
+          "outbounds": [
+            {
+              "type": "block",
+              "tag": "block"
+            }
+          ],
+          "route": {
+            "rules": [
+              {
+                ...,
+                
+                "outbound": "block"
+              }
+            ]
+          }
+        }
+        ```
+
+    === ":material-card-multiple: 新的"
+    
+        ```json
+        {
+          "route": {
+            "rules": [
+              {
+                ...,
+                
+                "action": "reject"
+              }
+            ]
+          }
+        }
+        ```
+
+=== "DNS"
+
+    === ":material-card-remove: 弃用的"
+    
+        ```json
+        {
+          "inbound": [
+            {
+              ...,
+              
+              "sniff": true
+            }
+          ],
+          "outbounds": [
+            {
+              "tag": "dns",
+              "type": "dns"
+            }
+          ],
+          "route": {
+            "rules": [
+              {
+                "protocol": "dns",
+                "outbound": "dns"
+              }
+            ]
+          }
+        }
+        ```
+    
+    === ":material-card-multiple: 新的"
+    
+        ```json
+        {
+          "route": {
+            "rules": [
+              {
+                "action": "sniff"
+              },
+              {
+                "protocol": "dns",
+                "action": "hijack-dns"
+              }
+            ]
+          }
+        }
+        ```
+
+### 迁移旧的入站字段到规则动作
+
+入站选项已被弃用，且可以被规则动作替代。
+
+!!! info "参考"
+
+    [监听字段](/zh/configuration/shared/listen/) /
+    [规则](/zh/configuration/route/rule/) /
+    [规则动作](/zh/configuration/route/rule_action/) /
+    [DNS 规则](/zh/configuration/dns/rule/) /
+    [DNS 规则动作](/zh/configuration/dns/rule_action/)
+
+=== ":material-card-remove: 弃用的"
+
+    ```json
+    {
+      "inbounds": [
+        {
+          "type": "mixed",
+          "sniff": true,
+          "sniff_timeout": "1s",
+          "domain_strategy": "prefer_ipv4"
+        }
+      ]
+    }
+    ```
+
+=== ":material-card-multiple: New"
+
+    ```json
+    {
+      "inbounds": [
+        {
+          "type": "mixed",
+          "tag": "in"
+        }
+      ],
+      "route": {
+        "rules": [
+          {
+            "inbound": "in",
+            "action": "resolve",
+            "strategy": "prefer_ipv4"
+          },
+          {
+            "inbound": "in",
+            "action": "sniff",
+            "timeout": "1s"
+          }
+        ]
+      }
+    }
+    ```
+
+### 迁移旧的 DNS 路由选项到规则动作
+
+旧的 DNS 路由选项已被弃用，且可以被规则动作替代。
+
+!!! info "参考"
+
+    [DNS 规则](/zh/configuration/dns/rule/) / 
+    [DNS 规则动作](/zh/configuration/dns/rule_action/)
+
+=== ":material-card-remove: 弃用的"
+
+    ```json
+    {
+      "dns": {
+        "rules": [
+          {
+            ...,
+            
+            "server": "local",
+            "disable_cache": true,
+            "rewrite_ttl": 600,
+            "client_subnet": "1.1.1.1/24"
+          }
+        ]
+      }
+    }
+    ```
+
+=== ":material-card-multiple: 新的"
+
+    ```json
+    {
+      "dns": {
+        "rules": [
+          {
+            ...,
+            
+            "action": "route-options",
+            "disable_cache": true,
+            "rewrite_ttl": 600,
+            "client_subnet": "1.1.1.1/24"
+          },
+          {
+            ...,
+            
+            "server": "local"
+          }
+        ]
+      }
+    }
+    ```
+
 ## 1.10.0
 
 ### TUN 地址字段已合并

experimental/cachefile/cache.go

@@ -93,7 +93,18 @@ func New(ctx context.Context, options option.CacheFileOptions) *CacheFile {
 	}
 }
 
-func (c *CacheFile) start() error {
+func (c *CacheFile) Name() string {
+	return "cache-file"
+}
+
+func (c *CacheFile) Dependencies() []string {
+	return nil
+}
+
+func (c *CacheFile) Start(stage adapter.StartStage) error {
+	if stage != adapter.StartStateInitialize {
+		return nil
+	}
 	const fileMode = 0o666
 	options := bbolt.Options{Timeout: time.Second}
 	var (
@@ -151,14 +162,6 @@ func (c *CacheFile) start() error {
 	return nil
 }
 
-func (c *CacheFile) PreStart() error {
-	return c.start()
-}
-
-func (c *CacheFile) Start() error {
-	return nil
-}
-
 func (c *CacheFile) Close() error {
 	if c.DB == nil {
 		return nil

experimental/clashapi.go

@@ -12,7 +12,7 @@ import (
 	"github.com/sagernet/sing/common"
 )
 
-type ClashServerConstructor = func(ctx context.Context, router adapter.Router, logFactory log.ObservableFactory, options option.ClashAPIOptions) (adapter.ClashServer, error)
+type ClashServerConstructor = func(ctx context.Context, logFactory log.ObservableFactory, options option.ClashAPIOptions) (adapter.ClashServer, error)
 
 var clashServerConstructor ClashServerConstructor
 
@@ -20,11 +20,11 @@ func RegisterClashServerConstructor(constructor ClashServerConstructor) {
 	clashServerConstructor = constructor
 }
 
-func NewClashServer(ctx context.Context, router adapter.Router, logFactory log.ObservableFactory, options option.ClashAPIOptions) (adapter.ClashServer, error) {
+func NewClashServer(ctx context.Context, logFactory log.ObservableFactory, options option.ClashAPIOptions) (adapter.ClashServer, error) {
 	if clashServerConstructor == nil {
 		return nil, os.ErrInvalid
 	}
-	return clashServerConstructor(ctx, router, logFactory, options)
+	return clashServerConstructor(ctx, logFactory, options)
 }
 
 func CalculateClashModeList(options option.Options) []string {

experimental/clashapi/api_meta_group.go

@@ -10,7 +10,7 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/urltest"
-	"github.com/sagernet/sing-box/outbound"
+	"github.com/sagernet/sing-box/protocol/group"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/batch"
 	"github.com/sagernet/sing/common/json/badjson"
@@ -23,7 +23,7 @@ func groupRouter(server *Server) http.Handler {
 	r := chi.NewRouter()
 	r.Get("/", getGroups(server))
 	r.Route("/{name}", func(r chi.Router) {
-		r.Use(parseProxyName, findProxyByName(server.router))
+		r.Use(parseProxyName, findProxyByName(server))
 		r.Get("/", getGroup(server))
 		r.Get("/delay", getGroupDelay(server))
 	})
@@ -32,7 +32,7 @@ func groupRouter(server *Server) http.Handler {
 
 func getGroups(server *Server) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
-		groups := common.Map(common.Filter(server.router.Outbounds(), func(it adapter.Outbound) bool {
+		groups := common.Map(common.Filter(server.outboundManager.Outbounds(), func(it adapter.Outbound) bool {
 			_, isGroup := it.(adapter.OutboundGroup)
 			return isGroup
 		}), func(it adapter.Outbound) *badjson.JSONObject {
@@ -59,7 +59,7 @@ func getGroup(server *Server) func(w http.ResponseWriter, r *http.Request) {
 func getGroupDelay(server *Server) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		proxy := r.Context().Value(CtxKeyProxy).(adapter.Outbound)
-		group, ok := proxy.(adapter.OutboundGroup)
+		outboundGroup, ok := proxy.(adapter.OutboundGroup)
 		if !ok {
 			render.Status(r, http.StatusNotFound)
 			render.JSON(w, r, ErrNotFound)
@@ -82,11 +82,11 @@ func getGroupDelay(server *Server) func(w http.ResponseWriter, r *http.Request)
 		defer cancel()
 
 		var result map[string]uint16
-		if urlTestGroup, isURLTestGroup := group.(adapter.URLTestGroup); isURLTestGroup {
+		if urlTestGroup, isURLTestGroup := outboundGroup.(adapter.URLTestGroup); isURLTestGroup {
 			result, err = urlTestGroup.URLTest(ctx)
 		} else {
-			outbounds := common.FilterNotNil(common.Map(group.All(), func(it string) adapter.Outbound {
+			outbounds := common.FilterNotNil(common.Map(outboundGroup.All(), func(it string) adapter.Outbound {
-				itOutbound, _ := server.router.Outbound(it)
+				itOutbound, _ := server.outboundManager.Outbound(it)
 				return itOutbound
 			}))
 			b, _ := batch.New(ctx, batch.WithConcurrencyNum[any](10))
@@ -95,12 +95,12 @@ func getGroupDelay(server *Server) func(w http.ResponseWriter, r *http.Request)
 			var resultAccess sync.Mutex
 			for _, detour := range outbounds {
 				tag := detour.Tag()
-				realTag := outbound.RealTag(detour)
+				realTag := group.RealTag(detour)
 				if checked[realTag] {
 					continue
 				}
 				checked[realTag] = true
-				p, loaded := server.router.Outbound(realTag)
+				p, loaded := server.outboundManager.Outbound(realTag)
 				if !loaded {
 					continue
 				}

experimental/clashapi/proxies.go

@@ -11,7 +11,7 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/urltest"
 	C "github.com/sagernet/sing-box/constant"
-	"github.com/sagernet/sing-box/outbound"
+	"github.com/sagernet/sing-box/protocol/group"
 	"github.com/sagernet/sing/common"
 	F "github.com/sagernet/sing/common/format"
 	"github.com/sagernet/sing/common/json/badjson"
@@ -23,10 +23,10 @@ import (
 
 func proxyRouter(server *Server, router adapter.Router) http.Handler {
 	r := chi.NewRouter()
-	r.Get("/", getProxies(server, router))
+	r.Get("/", getProxies(server))
 
 	r.Route("/{name}", func(r chi.Router) {
-		r.Use(parseProxyName, findProxyByName(router))
+		r.Use(parseProxyName, findProxyByName(server))
 		r.Get("/", getProxy(server))
 		r.Get("/delay", getProxyDelay(server))
 		r.Put("/", updateProxy)
@@ -42,11 +42,11 @@ func parseProxyName(next http.Handler) http.Handler {
 	})
 }
 
-func findProxyByName(router adapter.Router) func(next http.Handler) http.Handler {
+func findProxyByName(server *Server) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			name := r.Context().Value(CtxKeyProxyName).(string)
-			proxy, exist := router.Outbound(name)
+			proxy, exist := server.outboundManager.Outbound(name)
 			if !exist {
 				render.Status(r, http.StatusNotFound)
 				render.JSON(w, r, ErrNotFound)
@@ -83,10 +83,10 @@ func proxyInfo(server *Server, detour adapter.Outbound) *badjson.JSONObject {
 	return &info
 }
 
-func getProxies(server *Server, router adapter.Router) func(w http.ResponseWriter, r *http.Request) {
+func getProxies(server *Server) func(w http.ResponseWriter, r *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var proxyMap badjson.JSONObject
-		outbounds := common.Filter(router.Outbounds(), func(detour adapter.Outbound) bool {
+		outbounds := common.Filter(server.outboundManager.Outbounds(), func(detour adapter.Outbound) bool {
 			return detour.Tag() != ""
 		})
 
@@ -100,12 +100,7 @@ func getProxies(server *Server, router adapter.Router) func(w http.ResponseWrite
 			allProxies = append(allProxies, detour.Tag())
 		}
 
-		var defaultTag string
+		defaultTag := server.outboundManager.Default().Tag()
-		if defaultOutbound, err := router.DefaultOutbound(N.NetworkTCP); err == nil {
-			defaultTag = defaultOutbound.Tag()
-		} else {
-			defaultTag = allProxies[0]
-		}
 
 		sort.SliceStable(allProxies, func(i, j int) bool {
 			return allProxies[i] == defaultTag
@@ -168,7 +163,7 @@ func updateProxy(w http.ResponseWriter, r *http.Request) {
 	}
 
 	proxy := r.Context().Value(CtxKeyProxy).(adapter.Outbound)
-	selector, ok := proxy.(*outbound.Selector)
+	selector, ok := proxy.(*group.Selector)
 	if !ok {
 		render.Status(r, http.StatusBadRequest)
 		render.JSON(w, r, newError("Must be a Selector"))
@@ -204,7 +199,7 @@ func getProxyDelay(server *Server) func(w http.ResponseWriter, r *http.Request)
 
 		delay, err := urltest.URLTest(ctx, url, proxy)
 		defer func() {
-			realTag := outbound.RealTag(proxy)
+			realTag := group.RealTag(proxy)
 			if err != nil {
 				server.urlTestHistory.DeleteURLTestHistory(realTag)
 			} else {

experimental/clashapi/rules.go

@@ -30,10 +30,9 @@ func getRules(router adapter.Router) func(w http.ResponseWriter, r *http.Request
 			rules = append(rules, Rule{
 				Type:    rule.Type(),
 				Payload: rule.String(),
-				Proxy:   rule.Outbound(),
+				Proxy:   rule.Action().String(),
 			})
 		}
-
 		render.JSON(w, r, render.M{
 			"rules": rules,
 		})

experimental/clashapi/server.go

@@ -42,6 +42,7 @@ var _ adapter.ClashServer = (*Server)(nil)
 type Server struct {
 	ctx             context.Context
 	router          adapter.Router
+	outboundManager adapter.OutboundManager
 	logger          log.Logger
 	httpServer      *http.Server
 	trafficManager  *trafficontrol.Manager
@@ -56,12 +57,13 @@ type Server struct {
 	externalUIDownloadDetour string
 }
 
-func NewServer(ctx context.Context, router adapter.Router, logFactory log.ObservableFactory, options option.ClashAPIOptions) (adapter.ClashServer, error) {
+func NewServer(ctx context.Context, logFactory log.ObservableFactory, options option.ClashAPIOptions) (adapter.ClashServer, error) {
 	trafficManager := trafficontrol.NewManager()
 	chiRouter := chi.NewRouter()
-	server := &Server{
+	s := &Server{
 		ctx:             ctx,
-		router: router,
+		router:          service.FromContext[adapter.Router](ctx),
+		outboundManager: service.FromContext[adapter.OutboundManager](ctx),
 		logger:          logFactory.NewLogger("clash-api"),
 		httpServer: &http.Server{
 			Addr:    options.ExternalController,
@@ -73,18 +75,18 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ
 		externalUIDownloadURL:    options.ExternalUIDownloadURL,
 		externalUIDownloadDetour: options.ExternalUIDownloadDetour,
 	}
-	server.urlTestHistory = service.PtrFromContext[urltest.HistoryStorage](ctx)
+	s.urlTestHistory = service.PtrFromContext[urltest.HistoryStorage](ctx)
-	if server.urlTestHistory == nil {
+	if s.urlTestHistory == nil {
-		server.urlTestHistory = urltest.NewHistoryStorage()
+		s.urlTestHistory = urltest.NewHistoryStorage()
 	}
 	defaultMode := "Rule"
 	if options.DefaultMode != "" {
 		defaultMode = options.DefaultMode
 	}
-	if !common.Contains(server.modeList, defaultMode) {
+	if !common.Contains(s.modeList, defaultMode) {
-		server.modeList = append([]string{defaultMode}, server.modeList...)
+		s.modeList = append([]string{defaultMode}, s.modeList...)
 	}
-	server.mode = defaultMode
+	s.mode = defaultMode
 	//goland:noinspection GoDeprecation
 	//nolint:staticcheck
 	if options.StoreMode || options.StoreSelected || options.StoreFakeIP || options.CacheFile != "" || options.CacheID != "" {
@@ -108,33 +110,39 @@ func NewServer(ctx context.Context, router adapter.Router, logFactory log.Observ
 		r.Get("/logs", getLogs(logFactory))
 		r.Get("/traffic", traffic(trafficManager))
 		r.Get("/version", version)
-		r.Mount("/configs", configRouter(server, logFactory))
+		r.Mount("/configs", configRouter(s, logFactory))
-		r.Mount("/proxies", proxyRouter(server, router))
+		r.Mount("/proxies", proxyRouter(s, s.router))
-		r.Mount("/rules", ruleRouter(router))
+		r.Mount("/rules", ruleRouter(s.router))
-		r.Mount("/connections", connectionRouter(router, trafficManager))
+		r.Mount("/connections", connectionRouter(s.router, trafficManager))
 		r.Mount("/providers/proxies", proxyProviderRouter())
 		r.Mount("/providers/rules", ruleProviderRouter())
 		r.Mount("/script", scriptRouter())
 		r.Mount("/profile", profileRouter())
 		r.Mount("/cache", cacheRouter(ctx))
-		r.Mount("/dns", dnsRouter(router))
+		r.Mount("/dns", dnsRouter(s.router))
 
-		server.setupMetaAPI(r)
+		s.setupMetaAPI(r)
 	})
 	if options.ExternalUI != "" {
-		server.externalUI = filemanager.BasePath(ctx, os.ExpandEnv(options.ExternalUI))
+		s.externalUI = filemanager.BasePath(ctx, os.ExpandEnv(options.ExternalUI))
 		chiRouter.Group(func(r chi.Router) {
-			fs := http.StripPrefix("/ui", http.FileServer(http.Dir(server.externalUI)))
+			fs := http.StripPrefix("/ui", http.FileServer(http.Dir(s.externalUI)))
 			r.Get("/ui", http.RedirectHandler("/ui/", http.StatusTemporaryRedirect).ServeHTTP)
 			r.Get("/ui/*", func(w http.ResponseWriter, r *http.Request) {
 				fs.ServeHTTP(w, r)
 			})
 		})
 	}
-	return server, nil
+	return s, nil
 }
 
-func (s *Server) PreStart() error {
+func (s *Server) Name() string {
+	return "clash server"
+}
+
+func (s *Server) Start(stage adapter.StartStage) error {
+	switch stage {
+	case adapter.StartStateStart:
 		cacheFile := service.FromContext[adapter.CacheFile](s.ctx)
 		if cacheFile != nil {
 			mode := cacheFile.LoadMode()
@@ -144,10 +152,7 @@ func (s *Server) PreStart() error {
 				s.mode = mode
 			}
 		}
-	return nil
+	case adapter.StartStateStarted:
-}
-
-func (s *Server) Start() error {
 		if s.externalController {
 			s.checkAndDownloadExternalUI()
 			var (
@@ -173,6 +178,8 @@ func (s *Server) Start() error {
 				}
 			}()
 		}
+	}
+
 	return nil
 }
 
@@ -234,14 +241,12 @@ func (s *Server) TrafficManager() *trafficontrol.Manager {
 	return s.trafficManager
 }
 
-func (s *Server) RoutedConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, matchedRule adapter.Rule) (net.Conn, adapter.Tracker) {
+func (s *Server) RoutedConnection(ctx context.Context, conn net.Conn, metadata adapter.InboundContext, matchedRule adapter.Rule, matchOutbound adapter.Outbound) net.Conn {
-	tracker := trafficontrol.NewTCPTracker(conn, s.trafficManager, metadata, s.router, matchedRule)
+	return trafficontrol.NewTCPTracker(conn, s.trafficManager, metadata, s.outboundManager, matchedRule, matchOutbound)
-	return tracker, tracker
 }
 
-func (s *Server) RoutedPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext, matchedRule adapter.Rule) (N.PacketConn, adapter.Tracker) {
+func (s *Server) RoutedPacketConnection(ctx context.Context, conn N.PacketConn, metadata adapter.InboundContext, matchedRule adapter.Rule, matchOutbound adapter.Outbound) N.PacketConn {
-	tracker := trafficontrol.NewUDPTracker(conn, s.trafficManager, metadata, s.router, matchedRule)
+	return trafficontrol.NewUDPTracker(conn, s.trafficManager, metadata, s.outboundManager, matchedRule, matchOutbound)
-	return tracker, tracker
 }
 
 func authentication(serverSecret string) func(next http.Handler) http.Handler {

experimental/clashapi/server_resources.go

@@ -15,7 +15,6 @@ import (
 	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"
 	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/service/filemanager"
 )
 
@@ -45,16 +44,13 @@ func (s *Server) downloadExternalUI() error {
 	s.logger.Info("downloading external ui")
 	var detour adapter.Outbound
 	if s.externalUIDownloadDetour != "" {
-		outbound, loaded := s.router.Outbound(s.externalUIDownloadDetour)
+		outbound, loaded := s.outboundManager.Outbound(s.externalUIDownloadDetour)
 		if !loaded {
 			return E.New("detour outbound not found: ", s.externalUIDownloadDetour)
 		}
 		detour = outbound
 	} else {
-		outbound, err := s.router.DefaultOutbound(N.NetworkTCP)
+		outbound := s.outboundManager.Default()
-		if err != nil {
-			return err
-		}
 		detour = outbound
 	}
 	httpClient := &http.Client{

experimental/clashapi/trafficontrol/tracker.go

@@ -60,7 +60,7 @@ func (t TrackerMetadata) MarshalJSON() ([]byte, error) {
 	}
 	var rule string
 	if t.Rule != nil {
-		rule = F.ToString(t.Rule, " => ", t.Rule.Outbound())
+		rule = F.ToString(t.Rule, " => ", t.Rule.Action())
 	} else {
 		rule = "final"
 	}
@@ -87,7 +87,6 @@ func (t TrackerMetadata) MarshalJSON() ([]byte, error) {
 }
 
 type Tracker interface {
-	adapter.Tracker
 	Metadata() TrackerMetadata
 	Close() error
 }
@@ -107,10 +106,6 @@ func (tt *TCPConn) Close() error {
 	return tt.ExtendedConn.Close()
 }
 
-func (tt *TCPConn) Leave() {
-	tt.manager.Leave(tt)
-}
-
 func (tt *TCPConn) Upstream() any {
 	return tt.ExtendedConn
 }
@@ -123,7 +118,7 @@ func (tt *TCPConn) WriterReplaceable() bool {
 	return true
 }
 
-func NewTCPTracker(conn net.Conn, manager *Manager, metadata adapter.InboundContext, router adapter.Router, rule adapter.Rule) *TCPConn {
+func NewTCPTracker(conn net.Conn, manager *Manager, metadata adapter.InboundContext, outboundManager adapter.OutboundManager, matchRule adapter.Rule, matchOutbound adapter.Outbound) *TCPConn {
 	id, _ := uuid.NewV4()
 	var (
 		chain        []string
@@ -131,19 +126,17 @@ func NewTCPTracker(conn net.Conn, manager *Manager, metadata adapter.InboundCont
 		outbound     string
 		outboundType string
 	)
-	if rule == nil {
+	if matchOutbound != nil {
-		if defaultOutbound, err := router.DefaultOutbound(N.NetworkTCP); err == nil {
+		next = matchOutbound.Tag()
-			next = defaultOutbound.Tag()
-		}
 	} else {
-		next = rule.Outbound()
+		next = outboundManager.Default().Tag()
 	}
 	for {
-		chain = append(chain, next)
+		detour, loaded := outboundManager.Outbound(next)
-		detour, loaded := router.Outbound(next)
 		if !loaded {
 			break
 		}
+		chain = append(chain, next)
 		outbound = detour.Tag()
 		outboundType = detour.Type()
 		group, isGroup := detour.(adapter.OutboundGroup)
@@ -169,7 +162,7 @@ func NewTCPTracker(conn net.Conn, manager *Manager, metadata adapter.InboundCont
 			Upload:       upload,
 			Download:     download,
 			Chain:        common.Reverse(chain),
-			Rule:         rule,
+			Rule:         matchRule,
 			Outbound:     outbound,
 			OutboundType: outboundType,
 		},
@@ -194,10 +187,6 @@ func (ut *UDPConn) Close() error {
 	return ut.PacketConn.Close()
 }
 
-func (ut *UDPConn) Leave() {
-	ut.manager.Leave(ut)
-}
-
 func (ut *UDPConn) Upstream() any {
 	return ut.PacketConn
 }
@@ -210,7 +199,7 @@ func (ut *UDPConn) WriterReplaceable() bool {
 	return true
 }
 
-func NewUDPTracker(conn N.PacketConn, manager *Manager, metadata adapter.InboundContext, router adapter.Router, rule adapter.Rule) *UDPConn {
+func NewUDPTracker(conn N.PacketConn, manager *Manager, metadata adapter.InboundContext, outboundManager adapter.OutboundManager, matchRule adapter.Rule, matchOutbound adapter.Outbound) *UDPConn {
 	id, _ := uuid.NewV4()
 	var (
 		chain        []string
@@ -218,19 +207,17 @@ func NewUDPTracker(conn N.PacketConn, manager *Manager, metadata adapter.Inbound
 		outbound     string
 		outboundType string
 	)
-	if rule == nil {
+	if matchOutbound != nil {
-		if defaultOutbound, err := router.DefaultOutbound(N.NetworkUDP); err == nil {
+		next = matchOutbound.Tag()
-			next = defaultOutbound.Tag()
-		}
 	} else {
-		next = rule.Outbound()
+		next = outboundManager.Default().Tag()
 	}
 	for {
-		chain = append(chain, next)
+		detour, loaded := outboundManager.Outbound(next)
-		detour, loaded := router.Outbound(next)
 		if !loaded {
 			break
 		}
+		chain = append(chain, next)
 		outbound = detour.Tag()
 		outboundType = detour.Type()
 		group, isGroup := detour.(adapter.OutboundGroup)
@@ -256,7 +243,7 @@ func NewUDPTracker(conn N.PacketConn, manager *Manager, metadata adapter.Inbound
 			Upload:       upload,
 			Download:     download,
 			Chain:        common.Reverse(chain),
-			Rule:         rule,
+			Rule:         matchRule,
 			Outbound:     outbound,
 			OutboundType: outboundType,
 		},

experimental/deprecated/constants.go

@@ -1,6 +1,7 @@
 package deprecated
 
 import (
+	"github.com/sagernet/sing-box/common/badversion"
 	C "github.com/sagernet/sing-box/constant"
 	F "github.com/sagernet/sing/common/format"
 
@@ -23,11 +24,12 @@ func (n Note) Impending() bool {
 	if !semver.IsValid("v" + C.Version) {
 		return false
 	}
-	versionMinor := semver.Compare(semver.MajorMinor("v"+C.Version), "v"+n.ScheduledVersion)
+	versionCurrent := badversion.Parse(C.Version)
-	if semver.Prerelease("v"+C.Version) == "" && versionMinor > 0 {
+	versionMinor := badversion.Parse(n.ScheduledVersion).Minor - versionCurrent.Minor
+	if versionCurrent.PreReleaseIdentifier == "" && versionMinor < 0 {
 		panic("invalid deprecated note: " + n.Name)
 	}
-	return versionMinor >= -1
+	return versionMinor <= 1
 }
 
 func (n Note) Message() string {
@@ -49,6 +51,7 @@ var OptionBadMatchSource = Note{
 	Description:       "legacy match source rule item",
 	DeprecatedVersion: "1.10.0",
 	ScheduledVersion:  "1.11.0",
+	EnvName:           "BAD_MATCH_SOURCE",
 	MigrationLink:     "https://sing-box.sagernet.org/deprecated/#match-source-rule-items-are-renamed",
 }
 
@@ -75,12 +78,43 @@ var OptionTUNAddressX = Note{
 	Description:       "legacy tun address fields",
 	DeprecatedVersion: "1.10.0",
 	ScheduledVersion:  "1.12.0",
+	EnvName:           "TUN_ADDRESS_X",
 	MigrationLink:     "https://sing-box.sagernet.org/migration/#tun-address-fields-are-merged",
 }
 
+var OptionSpecialOutbounds = Note{
+	Name:              "special-outbounds",
+	Description:       "legacy special outbounds",
+	DeprecatedVersion: "1.11.0",
+	ScheduledVersion:  "1.13.0",
+	EnvName:           "SPECIAL_OUTBOUNDS",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-legacy-special-outbounds-to-rule-actions",
+}
+
+var OptionInboundOptions = Note{
+	Name:              "inbound-options",
+	Description:       "legacy inbound fields",
+	DeprecatedVersion: "1.11.0",
+	ScheduledVersion:  "1.13.0",
+	EnvName:           "INBOUND_OPTIONS",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-legacy-special-outbounds-to-rule-actions",
+}
+
+var OptionLegacyDNSRouteOptions = Note{
+	Name:              "legacy-dns-route-options",
+	Description:       "legacy dns route options",
+	DeprecatedVersion: "1.11.0",
+	ScheduledVersion:  "1.12.0",
+	EnvName:           "LEGACY_DNS_ROUTE_OPTIONS",
+	MigrationLink:     "https://sing-box.sagernet.org/migration/#migrate-legacy-dns-route-options-to-rule-actions",
+}
+
 var Options = []Note{
 	OptionBadMatchSource,
 	OptionGEOIP,
 	OptionGEOSITE,
 	OptionTUNAddressX,
+	OptionSpecialOutbounds,
+	OptionInboundOptions,
+	OptionLegacyDNSRouteOptions,
 }

experimental/libbox/command_clash_mode.go

@@ -38,11 +38,7 @@ func (s *CommandServer) handleSetClashMode(conn net.Conn) error {
 	if service == nil {
 		return writeError(conn, E.New("service not ready"))
 	}
-	clashServer := service.instance.Router().ClashServer()
+	service.clashServer.(*clashapi.Server).SetMode(newMode)
-	if clashServer == nil {
-		return writeError(conn, E.New("Clash API disabled"))
-	}
-	clashServer.(*clashapi.Server).SetMode(newMode)
 	return writeError(conn, nil)
 }
 
@@ -69,18 +65,14 @@ func (s *CommandServer) handleModeConn(conn net.Conn) error {
 			return ctx.Err()
 		}
 	}
-	clashServer := s.service.instance.Router().ClashServer()
+	err := writeClashModeList(conn, s.service.clashServer)
-	if clashServer == nil {
-		return binary.Write(conn, binary.BigEndian, uint16(0))
-	}
-	err := writeClashModeList(conn, clashServer)
 	if err != nil {
 		return err
 	}
 	for {
 		select {
 		case <-s.modeUpdate:
-			err = varbin.Write(conn, binary.BigEndian, clashServer.Mode())
+			err = varbin.Write(conn, binary.BigEndian, s.service.clashServer.Mode())
 			if err != nil {
 				return err
 			}

experimental/libbox/command_close_connection.go

@@ -45,11 +45,7 @@ func (s *CommandServer) handleCloseConnection(conn net.Conn) error {
 	if service == nil {
 		return writeError(conn, E.New("service not ready"))
 	}
-	clashServer := service.instance.Router().ClashServer()
+	targetConn := service.clashServer.(*clashapi.Server).TrafficManager().Connection(uuid.FromStringOrNil(connId))
-	if clashServer == nil {
-		return writeError(conn, E.New("Clash API disabled"))
-	}
-	targetConn := clashServer.(*clashapi.Server).TrafficManager().Connection(uuid.FromStringOrNil(connId))
 	if targetConn == nil {
 		return writeError(conn, E.New("connection already closed"))
 	}

experimental/libbox/command_connections.go

@@ -49,11 +49,7 @@ func (s *CommandServer) handleConnectionsConn(conn net.Conn) error {
 	for {
 		service := s.service
 		if service != nil {
-			clashServer := service.instance.Router().ClashServer()
+			trafficManager = service.clashServer.(*clashapi.Server).TrafficManager()
-			if clashServer == nil {
-				return E.New("Clash API disabled")
-			}
-			trafficManager = clashServer.(*clashapi.Server).TrafficManager()
 			break
 		}
 		select {

experimental/libbox/command_group.go

@@ -9,7 +9,7 @@ import (
 
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/common/urltest"
-	"github.com/sagernet/sing-box/outbound"
+	"github.com/sagernet/sing-box/protocol/group"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/varbin"
 	"github.com/sagernet/sing/service"
@@ -109,7 +109,7 @@ func readGroups(reader io.Reader) (OutboundGroupIterator, error) {
 func writeGroups(writer io.Writer, boxService *BoxService) error {
 	historyStorage := service.PtrFromContext[urltest.HistoryStorage](boxService.ctx)
 	cacheFile := service.FromContext[adapter.CacheFile](boxService.ctx)
-	outbounds := boxService.instance.Router().Outbounds()
+	outbounds := boxService.instance.Outbound().Outbounds()
 	var iGroups []adapter.OutboundGroup
 	for _, it := range outbounds {
 		if group, isGroup := it.(adapter.OutboundGroup); isGroup {
@@ -118,19 +118,19 @@ func writeGroups(writer io.Writer, boxService *BoxService) error {
 	}
 	var groups []OutboundGroup
 	for _, iGroup := range iGroups {
-		var group OutboundGroup
+		var outboundGroup OutboundGroup
-		group.Tag = iGroup.Tag()
+		outboundGroup.Tag = iGroup.Tag()
-		group.Type = iGroup.Type()
+		outboundGroup.Type = iGroup.Type()
-		_, group.Selectable = iGroup.(*outbound.Selector)
+		_, outboundGroup.Selectable = iGroup.(*group.Selector)
-		group.Selected = iGroup.Now()
+		outboundGroup.Selected = iGroup.Now()
 		if cacheFile != nil {
-			if isExpand, loaded := cacheFile.LoadGroupExpand(group.Tag); loaded {
+			if isExpand, loaded := cacheFile.LoadGroupExpand(outboundGroup.Tag); loaded {
-				group.IsExpand = isExpand
+				outboundGroup.IsExpand = isExpand
 			}
 		}
 
 		for _, itemTag := range iGroup.All() {
-			itemOutbound, isLoaded := boxService.instance.Router().Outbound(itemTag)
+			itemOutbound, isLoaded := boxService.instance.Outbound().Outbound(itemTag)
 			if !isLoaded {
 				continue
 			}
@@ -142,12 +142,12 @@ func writeGroups(writer io.Writer, boxService *BoxService) error {
 				item.URLTestTime = history.Time.Unix()
 				item.URLTestDelay = int32(history.Delay)
 			}
-			group.ItemList = append(group.ItemList, &item)
+			outboundGroup.ItemList = append(outboundGroup.ItemList, &item)
 		}
-		if len(group.ItemList) < 2 {
+		if len(outboundGroup.ItemList) < 2 {
 			continue
 		}
-		groups = append(groups, group)
+		groups = append(groups, outboundGroup)
 	}
 	return varbin.Write(writer, binary.BigEndian, groups)
 }

experimental/libbox/command_select.go

@@ -4,7 +4,7 @@ import (
 	"encoding/binary"
 	"net"
 
-	"github.com/sagernet/sing-box/outbound"
+	"github.com/sagernet/sing-box/protocol/group"
 	E "github.com/sagernet/sing/common/exceptions"
 	"github.com/sagernet/sing/common/varbin"
 )
@@ -43,11 +43,11 @@ func (s *CommandServer) handleSelectOutbound(conn net.Conn) error {
 	if service == nil {
 		return writeError(conn, E.New("service not ready"))
 	}
-	outboundGroup, isLoaded := service.instance.Router().Outbound(groupTag)
+	outboundGroup, isLoaded := service.instance.Outbound().Outbound(groupTag)
 	if !isLoaded {
 		return writeError(conn, E.New("selector not found: ", groupTag))
 	}
-	selector, isSelector := outboundGroup.(*outbound.Selector)
+	selector, isSelector := outboundGroup.(*group.Selector)
 	if !isSelector {
 		return writeError(conn, E.New("outbound is not a selector: ", groupTag))
 	}

experimental/libbox/command_server.go

@@ -60,7 +60,7 @@ func NewCommandServer(handler CommandServerHandler, maxLines int32) *CommandServ
 func (s *CommandServer) SetService(newService *BoxService) {
 	if newService != nil {
 		service.PtrFromContext[urltest.HistoryStorage](newService.ctx).SetHook(s.urlTestUpdate)
-		newService.instance.Router().ClashServer().(*clashapi.Server).SetModeUpdateHook(s.modeUpdate)
+		newService.clashServer.(*clashapi.Server).SetModeUpdateHook(s.modeUpdate)
 	}
 	s.service = newService
 	s.notifyURLTestUpdate()

experimental/libbox/command_status.go

@@ -31,14 +31,12 @@ func (s *CommandServer) readStatus() StatusMessage {
 	message.ConnectionsOut = int32(conntrack.Count())
 
 	if s.service != nil {
-		if clashServer := s.service.instance.Router().ClashServer(); clashServer != nil {
 		message.TrafficAvailable = true
-			trafficManager := clashServer.(*clashapi.Server).TrafficManager()
+		trafficManager := s.service.clashServer.(*clashapi.Server).TrafficManager()
 		message.Uplink, message.Downlink = trafficManager.Now()
 		message.UplinkTotal, message.DownlinkTotal = trafficManager.Total()
 		message.ConnectionsIn = int32(trafficManager.ConnectionsLen())
 	}
-	}
 
 	return message
 }