[dependencies] Update golangci/golangci-lint-action action to v8

Signed-off-by: 愚者 <11926619+FansChou@users.noreply.github.com>

.github/workflows/build.yml

@@ -437,28 +437,24 @@ jobs:
             platform: ios
             scheme: SFI
             destination: 'generic/platform=iOS'
-            archive: build/SFI.xcarchive
             upload: SFI/Upload.plist
           - name: macOS
             if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'app-store'|| inputs.build == 'macOS' }}
             platform: macos
             scheme: SFM
             destination: 'generic/platform=macOS'
-            archive: build/SFM.xcarchive
             upload: SFI/Upload.plist
           - name: tvOS
             if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'app-store'|| inputs.build == 'tvOS' }}
             platform: tvos
             scheme: SFT
             destination: 'generic/platform=tvOS'
-            archive: build/SFT.xcarchive
             upload: SFI/Upload.plist
           - name: macOS-standalone
             if: ${{ github.event_name != 'workflow_dispatch' || inputs.build == 'All' || inputs.build == 'Apple' || inputs.build == 'macOS-standalone' }}
             platform: macos
             scheme: SFM.System
             destination: 'generic/platform=macOS'
-            archive: build/SFM.System.xcarchive
             export: SFM.System/Export.plist
             export_path: build/SFM.System
     steps:
@@ -476,11 +472,11 @@ jobs:
       - name: Setup Xcode stable
         if: matrix.if && github.ref == 'refs/heads/main-next'
         run: |-
-          sudo xcode-select -s /Applications/Xcode_16.4.app
+          sudo xcode-select -s /Applications/Xcode_16.2.app
       - name: Setup Xcode beta
         if: matrix.if && github.ref == 'refs/heads/dev-next'
         run: |-
-          sudo xcode-select -s /Applications/Xcode_16.4.app
+          sudo xcode-select -s /Applications/Xcode_16.2.app
       - name: Set tag
         if: matrix.if
         run: |-
@@ -543,6 +539,12 @@ jobs:
           export PATH="$PATH:$(go env GOPATH)/bin"
           go run ./cmd/internal/build_libbox -target apple -platform ${{ matrix.platform }}
           mv Libbox.xcframework clients/apple
+      - name: Build library with tailscale
+        if: matrix.if && (matrix.name == 'iOS' || matrix.name == 'tvOS')
+        run: |-
+          export PATH="$PATH:$(go env GOPATH)/bin"
+          go run ./cmd/internal/build_libbox -target apple -platform ${{ matrix.platform }} -tailscale
+          mv Libbox.xcframework clients/apple/Libbox.WithTailscale.xcframework
       - name: Update macOS version
         if: matrix.if && matrix.name == 'macOS' && github.event_name == 'workflow_dispatch'
         run: |-
@@ -561,18 +563,71 @@ jobs:
             -scheme "${{ matrix.scheme }}" \
             -configuration Release \
             -destination "${{ matrix.destination }}" \
-            -archivePath "${{ matrix.archive }}" \
+            -archivePath "build/${{ matrix.scheme }}.xcarchive" \
             -allowProvisioningUpdates \
             -authenticationKeyPath $ASC_KEY_PATH \
             -authenticationKeyID $ASC_KEY_ID \
             -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
+      - name: Build with Tailscale
+        if: matrix.if && (matrix.name == 'iOS' || matrix.name == 'tvOS')
+        run: |-
+          cd clients/apple
+          mv Libbox.xcframework Libbox.WithoutTailscale.xcframework
+          mv Libbox.WithTailscale.xcframework Libbox.xcframework
+          xcodebuild archive \
+            -scheme "${{ matrix.scheme }}" \
+            -configuration Release \
+            -destination "${{ matrix.destination }}" \
+            -archivePath "build/${{ matrix.scheme }}.WithTailscale.xcarchive" \
+            -allowProvisioningUpdates \
+            -authenticationKeyPath $ASC_KEY_PATH \
+            -authenticationKeyID $ASC_KEY_ID \
+            -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
+      - name: Export IPA
+        if: matrix.if && (matrix.name == 'iOS' || matrix.name == 'tvOS') && github.event_name == 'workflow_dispatch'
+        run: |-
+          pushd clients/apple
+          xcodebuild -exportArchive \
+            -archivePath "build/${{ matrix.scheme }}.xcarchive" \
+            -exportOptionsPlist SFI/Export.plist \
+            -exportPath "build/${{ matrix.scheme }}" \
+            -allowProvisioningUpdates \
+            -authenticationKeyPath $ASC_KEY_PATH \
+            -authenticationKeyID $ASC_KEY_ID \
+            -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
+          cp build/${{ matrix.scheme }}/sing-box.ipa .
+          popd
+          mkdir -p dist
+          cp clients/apple/sing-box.ipa "dist/${{ matrix.scheme }}-${{ needs.calculate_version.outputs.version }}.ipa"
+      - name: Export IPA with Tailscale
+        if: matrix.if && (matrix.name == 'iOS' || matrix.name == 'tvOS') && github.event_name == 'workflow_dispatch'
+        run: |-
+          pushd clients/apple
+          xcodebuild -exportArchive \
+            -archivePath "build/${{ matrix.scheme }}.WithTailscale.xcarchive" \
+            -exportOptionsPlist SFI/Export.plist \
+            -exportPath "build/${{ matrix.scheme }}.WithTailscale" \
+            -allowProvisioningUpdates \
+            -authenticationKeyPath $ASC_KEY_PATH \
+            -authenticationKeyID $ASC_KEY_ID \
+            -authenticationKeyIssuerID $ASC_KEY_ISSUER_ID
+          cp build/${{ matrix.scheme }}.WithTailscale/sing-box.ipa .
+          popd
+          mkdir -p dist
+          cp clients/apple/sing-box.ipa "dist/${{ matrix.scheme }}-${{ needs.calculate_version.outputs.version }}-WithTailscale.ipa"
+      - name: Upload IPA
+        if: matrix.if && (matrix.name == 'iOS' || matrix.name == 'tvOS') && github.event_name == 'workflow_dispatch'
+        uses: actions/upload-artifact@v4
+        with:
+          name: binary-${{ matrix.name }}-ipa
+          path: 'dist'
       - name: Upload to App Store Connect
         if: matrix.if && matrix.name != 'macOS-standalone' && github.event_name == 'workflow_dispatch'
         run: |-
           go run -v ./cmd/internal/app_store_connect cancel_app_store ${{ matrix.platform }}
           cd clients/apple
           xcodebuild -exportArchive \
-            -archivePath "${{ matrix.archive }}" \
+            -archivePath "build/${{ matrix.scheme }}.xcarchive" \
             -exportOptionsPlist ${{ matrix.upload }} \
             -allowProvisioningUpdates \
             -authenticationKeyPath $ASC_KEY_PATH \
@@ -587,7 +642,7 @@ jobs:
         run: |-
           pushd clients/apple
           xcodebuild -exportArchive \
-          	-archivePath "${{ matrix.archive }}" \
+            -archivePath "build/${{ matrix.scheme }}.xcarchive" \
           	-exportOptionsPlist ${{ matrix.export }} \
           	-exportPath "${{ matrix.export_path }}"
           brew install create-dmg
@@ -600,13 +655,13 @@ jobs:
           		--skip-jenkins \
           	SFM.dmg "${{ matrix.export_path }}/SFM.app"
           xcrun notarytool submit "SFM.dmg" --wait --keychain-profile "notarytool-password"          
-          cd "${{ matrix.archive }}"
+          cd "build/${{ matrix.scheme }}.xcarchive"
           zip -r SFM.dSYMs.zip dSYMs
           popd
 
           mkdir -p dist
           cp clients/apple/SFM.dmg "dist/SFM-${VERSION}-universal.dmg"
-          cp "clients/apple/${{ matrix.archive }}/SFM.dSYMs.zip" "dist/SFM-${VERSION}-universal.dSYMs.zip"
+          cp "clients/apple/build/${{ matrix.scheme }}.xcarchive/SFM.dSYMs.zip" "dist/SFM-${VERSION}-universal.dSYMs.zip"
       - name: Upload image
         if: matrix.if && matrix.name == 'macOS-standalone' && github.event_name == 'workflow_dispatch'
         uses: actions/upload-artifact@v4
@@ -615,7 +670,7 @@ jobs:
           path: 'dist'
   upload:
     name: Upload builds
-    if: "!failure() && github.event_name == 'workflow_dispatch' && (inputs.build == 'All' || inputs.build == 'Binary' || inputs.build == 'Android' || inputs.build == 'Apple' || inputs.build == 'macOS-standalone')"
+    if: always() && github.event_name == 'workflow_dispatch' && (inputs.build == 'All' || inputs.build == 'Binary' || inputs.build == 'Android' || inputs.build == 'Apple' || inputs.build == 'macOS-standalone')
     runs-on: ubuntu-latest
     needs:
       - calculate_version

cmd/internal/build_libbox/main.go

@@ -26,7 +26,7 @@ func init() {
 	flag.BoolVar(&debugEnabled, "debug", false, "enable debug")
 	flag.StringVar(&target, "target", "android", "target platform")
 	flag.StringVar(&platform, "platform", "", "specify platform")
-	flag.BoolVar(&withTailscale, "with-tailscale", false, "build tailscale for iOS and tvOS")
+	flag.BoolVar(&withTailscale, "tailscale", false, "build tailscale for iOS and tvOS")
 }
 
 func main() {
@@ -154,7 +154,7 @@ func buildApple() {
 		"-target", bindTarget,
 		"-libname=box",
 	}
-	if !withTailscale {
+	if withTailscale {
 		args = append(args, "-tags-macos="+strings.Join(memcTags, ","))
 	}
 

common/tls/acme.go

@@ -5,13 +5,13 @@ package tls
 import (
 	"context"
 	"crypto/tls"
+	"os"
 	"strings"
 
 	"github.com/sagernet/sing-box/adapter"
 	C "github.com/sagernet/sing-box/constant"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
 
 	"github.com/caddyserver/certmagic"
 	"github.com/libdns/alidns"
@@ -37,38 +37,7 @@ func (w *acmeWrapper) Close() error {
 	return nil
 }
 
-type acmeLogWriter struct {
+func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Config, adapter.SimpleLifecycle, error) {
-	logger logger.Logger
-}
-
-func (w *acmeLogWriter) Write(p []byte) (n int, err error) {
-	logLine := strings.ReplaceAll(string(p), "	", ": ")
-	switch {
-	case strings.HasPrefix(logLine, "error: "):
-		w.logger.Error(logLine[7:])
-	case strings.HasPrefix(logLine, "warn: "):
-		w.logger.Warn(logLine[6:])
-	case strings.HasPrefix(logLine, "info: "):
-		w.logger.Info(logLine[6:])
-	case strings.HasPrefix(logLine, "debug: "):
-		w.logger.Debug(logLine[7:])
-	default:
-		w.logger.Debug(logLine)
-	}
-	return len(p), nil
-}
-
-func (w *acmeLogWriter) Sync() error {
-	return nil
-}
-
-func encoderConfig() zapcore.EncoderConfig {
-	config := zap.NewProductionEncoderConfig()
-	config.TimeKey = zapcore.OmitKey
-	return config
-}
-
-func startACME(ctx context.Context, logger logger.Logger, options option.InboundACMEOptions) (*tls.Config, adapter.SimpleLifecycle, error) {
 	var acmeServer string
 	switch options.Provider {
 	case "", "letsencrypt":
@@ -89,15 +58,14 @@ func startACME(ctx context.Context, logger logger.Logger, options option.Inbound
 	} else {
 		storage = certmagic.Default.Storage
 	}
-	zapLogger := zap.New(zapcore.NewCore(
-		zapcore.NewConsoleEncoder(encoderConfig()),
-		&acmeLogWriter{logger: logger},
-		zap.DebugLevel,
-	))
 	config := &certmagic.Config{
 		DefaultServerName: options.DefaultServerName,
 		Storage:           storage,
-		Logger:            zapLogger,
+		Logger: zap.New(zapcore.NewCore(
+			zapcore.NewConsoleEncoder(zap.NewProductionEncoderConfig()),
+			os.Stderr,
+			zap.InfoLevel,
+		)),
 	}
 	acmeConfig := certmagic.ACMEIssuer{
 		CA:                      acmeServer,
@@ -107,7 +75,7 @@ func startACME(ctx context.Context, logger logger.Logger, options option.Inbound
 		DisableTLSALPNChallenge: options.DisableTLSALPNChallenge,
 		AltHTTPPort:             int(options.AlternativeHTTPPort),
 		AltTLSALPNPort:          int(options.AlternativeTLSPort),
-		Logger:                  zapLogger,
+		Logger:                  config.Logger,
 	}
 	if dnsOptions := options.DNS01Challenge; dnsOptions != nil && dnsOptions.Provider != "" {
 		var solver certmagic.DNS01Solver
@@ -135,7 +103,6 @@ func startACME(ctx context.Context, logger logger.Logger, options option.Inbound
 		GetConfigForCert: func(certificate certmagic.Certificate) (*certmagic.Config, error) {
 			return config, nil
 		},
-		Logger: zapLogger,
 	})
 	config = certmagic.New(cache, *config)
 	var tlsConfig *tls.Config

common/tls/acme_stub.go

@@ -9,9 +9,8 @@ import (
 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/option"
 	E "github.com/sagernet/sing/common/exceptions"
-	"github.com/sagernet/sing/common/logger"
 )
 
-func startACME(ctx context.Context, logger logger.Logger, options option.InboundACMEOptions) (*tls.Config, adapter.SimpleLifecycle, error) {
+func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Config, adapter.SimpleLifecycle, error) {
 	return nil, nil, E.New(`ACME is not included in this build, rebuild with -tags with_acme`)
 }

common/tls/std_server.go

@@ -169,7 +169,7 @@ func NewSTDServer(ctx context.Context, logger log.Logger, options option.Inbound
 	var err error
 	if options.ACME != nil && len(options.ACME.Domain) > 0 {
 		//nolint:staticcheck
-		tlsConfig, acmeService, err = startACME(ctx, logger, common.PtrValueOrDefault(options.ACME))
+		tlsConfig, acmeService, err = startACME(ctx, common.PtrValueOrDefault(options.ACME))
 		if err != nil {
 			return nil, err
 		}

dns/transport/https.go

@@ -122,7 +122,6 @@ func NewHTTPSRaw(
 	var transport *http.Transport
 	if tlsConfig != nil {
 		transport = &http.Transport{
-			IdleConnTimeout:   C.TCPKeepAliveInitial,
 			ForceAttemptHTTP2: true,
 			DialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
 				tcpConn, hErr := dialer.DialContext(ctx, network, serverAddr)
@@ -139,7 +138,6 @@ func NewHTTPSRaw(
 		}
 	} else {
 		transport = &http.Transport{
-			IdleConnTimeout: C.TCPKeepAliveInitial,
 			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
 				return dialer.DialContext(ctx, network, serverAddr)
 			},

dns/transport/local/resolv_darwin_cgo.go

@@ -20,8 +20,7 @@ import (
 )
 
 func dnsReadConfig(_ context.Context, _ string) *dnsConfig {
-	var state C.res_state
+	if C.res_init() != 0 {
-	if C.res_ninit(state) != 0 {
 		return &dnsConfig{
 			servers:  defaultNS,
 			search:   dnsDefaultSearch(),
@@ -34,10 +33,10 @@ func dnsReadConfig(_ context.Context, _ string) *dnsConfig {
 	conf := &dnsConfig{
 		ndots:    1,
 		timeout:  5 * time.Second,
-		attempts: int(state.retry),
+		attempts: int(C._res.retry),
 	}
-	for i := 0; i < int(state.nscount); i++ {
+	for i := 0; i < int(C._res.nscount); i++ {
-		ns := state.nsaddr_list[i]
+		ns := C._res.nsaddr_list[i]
 		addr := C.inet_ntoa(ns.sin_addr)
 		if addr == nil {
 			continue
@@ -45,7 +44,7 @@ func dnsReadConfig(_ context.Context, _ string) *dnsConfig {
 		conf.servers = append(conf.servers, C.GoString(addr))
 	}
 	for i := 0; ; i++ {
-		search := state.dnsrch[i]
+		search := C._res.dnsrch[i]
 		if search == nil {
 			break
 		}

docs/changelog.md

@@ -2,7 +2,7 @@
 icon: material/alert-decagram
 ---
 
-#### 1.12.0-beta.29
+#### 1.12.0-beta.28
 
 * Fixes and improvements
 

docs/clients/apple/index.md

@@ -19,13 +19,21 @@ platform-specific function implementation, such as TUN transparent proxy impleme
 ## :material-download: Download
 
 * [App Store](https://apps.apple.com/app/sing-box-vt/id6673731168)
-* TestFlight (Beta)
+* TestFlight (Beta) **1**
+* [GitHub Releases](https://github.com/SagerNet/sing-box/releases) **2**
+
+**1**:
 
 TestFlight quota is only available to [sponsors](https://github.com/sponsors/nekohasekai)
 (one-time sponsorships are accepted).
 Once you donate, you can get an invitation by join our Telegram group for sponsors from [@yet_another_sponsor_bot](https://t.me/yet_another_sponsor_bot)
 or sending us your Apple ID [via email](mailto:contact@sagernet.org).
 
+**2**:
+
+You can now download compiled IPAs for iOS and tvOS directly from GitHub releases, 
+but you need to purchase the **Apple Developer Program** to install them through AltStore or SideStore.
+
 ## :material-file-download: Download (macOS standalone version)
 
 * [Homebrew Cask](https://formulae.brew.sh/cask/sfm)

docs/configuration/endpoint/index.zh.md

@@ -25,7 +25,7 @@ icon: material/new-box
 
 | 类型          | 格式                        |
 |-------------|---------------------------|
-| `wireguard` | [WireGuard](./wireguard/) |
+| `wireguard` | [WireGuard](./wiregaurd/) |
 | `tailscale` | [Tailscale](./tailscale/) |
 
 #### tag

docs/configuration/experimental/clash-api.md

@@ -59,7 +59,7 @@
     {
       "external_controller": "0.0.0.0:9090",
       "external_ui": "dashboard"
-      // "external_ui_download_detour": "direct"
+      // external_ui_download_detour: "direct"
     }
     ```
 

docs/configuration/experimental/clash-api.zh.md

@@ -59,7 +59,7 @@
     {
       "external_controller": "0.0.0.0:9090",
       "external_ui": "dashboard"
-      // "external_ui_download_detour": "direct"
+      // external_ui_download_detour: "direct"
     }
     ```
 

docs/manual/proxy/client.md

@@ -94,13 +94,18 @@ flowchart TB
         "servers": [
           {
             "tag": "google",
-            "type": "tls",
+            "address": "tls://8.8.8.8"
-            "server": "8.8.8.8"
           },
           {
             "tag": "local",
-            "type": "udp",
+            "address": "223.5.5.5",
-            "server": "223.5.5.5"
+            "detour": "direct"
+          }
+        ],
+        "rules": [
+          {
+            "outbound": "any",
+            "server": "local"
           }
         ],
         "strategy": "ipv4_only"
@@ -110,8 +115,7 @@ flowchart TB
           "type": "tun",
           "inet4_address": "172.19.0.1/30",
           "auto_route": true,
-          // "auto_redirect": true, // On linux
+          "strict_route": false
-          "strict_route": true
         }
       ],
       "outbounds": [
@@ -119,23 +123,25 @@ flowchart TB
         {
           "type": "direct",
           "tag": "direct"
+        },
+        {
+          "type": "dns",
+          "tag": "dns-out"
         }
       ],
       "route": {
         "rules": [
-          {
-            "action": "sniff"
-          },
           {
             "protocol": "dns",
-            "action": "hijack-dns"
+            "outbound": "dns-out"
           },
           {
-            "ip_is_private": true,
+            "geoip": [
+              "private"
+            ],
             "outbound": "direct"
           }
         ],
-        "default_domain_resolver": "local",
         "auto_detect_interface": true
       }
     }
@@ -149,13 +155,18 @@ flowchart TB
         "servers": [
           {
             "tag": "google",
-            "type": "tls",
+            "address": "tls://8.8.8.8"
-            "server": "8.8.8.8"
           },
           {
             "tag": "local",
-            "type": "udp",
+            "address": "223.5.5.5",
-            "server": "223.5.5.5"
+            "detour": "direct"
+          }
+        ],
+        "rules": [
+          {
+            "outbound": "any",
+            "server": "local"
           }
         ]
       },
@@ -165,8 +176,7 @@ flowchart TB
           "inet4_address": "172.19.0.1/30",
           "inet6_address": "fdfe:dcba:9876::1/126",
           "auto_route": true,
-          // "auto_redirect": true, // On linux
+          "strict_route": false
-          "strict_route": true
         }
       ],
       "outbounds": [
@@ -174,23 +184,25 @@ flowchart TB
         {
           "type": "direct",
           "tag": "direct"
+        },
+        {
+          "type": "dns",
+          "tag": "dns-out"
         }
       ],
       "route": {
         "rules": [
-          {
-            "action": "sniff"
-          },
           {
             "protocol": "dns",
-            "action": "hijack-dns"
+            "outbound": "dns-out"
           },
           {
-            "ip_is_private": true,
+            "geoip": [
+              "private"
+            ],
             "outbound": "direct"
           }
         ],
-        "default_domain_resolver": "local",
         "auto_detect_interface": true
       }
     }
@@ -204,22 +216,23 @@ flowchart TB
         "servers": [
           {
             "tag": "google",
-            "type": "tls",
+            "address": "tls://8.8.8.8"
-            "server": "8.8.8.8"
           },
           {
             "tag": "local",
-            "type": "udp",
+            "address": "223.5.5.5",
-            "server": "223.5.5.5"
+            "detour": "direct"
           },
           {
             "tag": "remote",
-            "type": "fakeip",
+            "address": "fakeip"
-            "inet4_range": "198.18.0.0/15",
-            "inet6_range": "fc00::/18"
           }
         ],
         "rules": [
+          {
+            "outbound": "any",
+            "server": "local"
+          },
           {
             "query_type": [
               "A",
@@ -228,6 +241,11 @@ flowchart TB
             "server": "remote"
           }
         ],
+        "fakeip": {
+          "enabled": true,
+          "inet4_range": "198.18.0.0/15",
+          "inet6_range": "fc00::/18"
+        },
         "independent_cache": true
       },
       "inbounds": [
@@ -236,7 +254,6 @@ flowchart TB
           "inet4_address": "172.19.0.1/30",
           "inet6_address": "fdfe:dcba:9876::1/126",
           "auto_route": true,
-          // "auto_redirect": true, // On linux
           "strict_route": true
         }
       ],
@@ -245,23 +262,25 @@ flowchart TB
         {
           "type": "direct",
           "tag": "direct"
+        },
+        {
+          "type": "dns",
+          "tag": "dns-out"
         }
       ],
       "route": {
         "rules": [
-          {
-            "action": "sniff"
-          },
           {
             "protocol": "dns",
-            "action": "hijack-dns"
+            "outbound": "dns-out"
           },
           {
-            "ip_is_private": true,
+            "geoip": [
+              "private"
+            ],
             "outbound": "direct"
           }
         ],
-        "default_domain_resolver": "local",
         "auto_detect_interface": true
       }
     }
@@ -271,6 +290,54 @@ flowchart TB
 
 === ":material-dns: DNS rules"
 
+    ```json
+    {
+      "dns": {
+        "servers": [
+          {
+            "tag": "google",
+            "address": "tls://8.8.8.8"
+          },
+          {
+            "tag": "local",
+            "address": "223.5.5.5",
+            "detour": "direct"
+          }
+        ],
+        "rules": [
+          {
+            "outbound": "any",
+            "server": "local"
+          },
+          {
+            "clash_mode": "Direct",
+            "server": "local"
+          },
+          {
+            "clash_mode": "Global",
+            "server": "google"
+          },
+          {
+            "rule_set": "geosite-geolocation-cn",
+            "server": "local"
+          }
+        ]
+      },
+      "route": {
+        "rule_set": [
+          {
+            "type": "remote",
+            "tag": "geosite-geolocation-cn",
+            "format": "binary",
+            "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-geolocation-cn.srs"
+          }
+        ]
+      }
+    }
+    ```
+
+=== ":material-dns: DNS rules (Enhanced, but slower) (1.9.0+)"
+
     === ":material-shield-off: With DNS leaks"
 
         ```json
@@ -279,20 +346,35 @@ flowchart TB
             "servers": [
               {
                 "tag": "google",
-                "type": "tls",
+                "address": "tls://8.8.8.8"
-                "server": "8.8.8.8"
               },
               {
                 "tag": "local",
-                "type": "https",
+                "address": "https://223.5.5.5/dns-query",
-                "server": "223.5.5.5"
+                "detour": "direct"
               }
             ],
             "rules": [
+              {
+                "outbound": "any",
+                "server": "local"
+              },
+              {
+                "clash_mode": "Direct",
+                "server": "local"
+              },
+              {
+                "clash_mode": "Global",
+                "server": "google"
+              },
               {
                 "rule_set": "geosite-geolocation-cn",
                 "server": "local"
               },
+              {
+                "clash_mode": "Default",
+                "server": "google"
+              },
               {
                 "type": "logical",
                 "mode": "and",
@@ -310,7 +392,6 @@ flowchart TB
             ]
           },
           "route": {
-            "default_domain_resolver": "local",
             "rule_set": [
               {
                 "type": "remote",
@@ -344,7 +425,7 @@ flowchart TB
         }
         ```
 
-    === ":material-security: Without DNS leaks, but slower"
+    === ":material-security: Without DNS leaks, but slower (1.9.0-alpha.2+)"
 
         ```json
         {
@@ -352,16 +433,27 @@ flowchart TB
             "servers": [
               {
                 "tag": "google",
-                "type": "tls",
+                "address": "tls://8.8.8.8"
-                "server": "8.8.8.8"
               },
               {
                 "tag": "local",
-                "type": "https",
+                "address": "https://223.5.5.5/dns-query",
-                "server": "223.5.5.5"
+                "detour": "direct"
               }
             ],
             "rules": [
+              {
+                "outbound": "any",
+                "server": "local"
+              },
+              {
+                "clash_mode": "Direct",
+                "server": "local"
+              },
+              {
+                "clash_mode": "Global",
+                "server": "google"
+              },
               {
                 "rule_set": "geosite-geolocation-cn",
                 "server": "local"
@@ -384,7 +476,6 @@ flowchart TB
             ]
           },
           "route": {
-            "default_domain_resolver": "local",
             "rule_set": [
               {
                 "type": "remote",
@@ -426,13 +517,14 @@ flowchart TB
         {
           "type": "direct",
           "tag": "direct"
+        },
+        {
+          "type": "block",
+          "tag": "block"
         }
       ],
       "route": {
         "rules": [
-          {
-            "action": "sniff"
-          },
           {
             "type": "logical",
             "mode": "or",
@@ -444,12 +536,20 @@ flowchart TB
                 "port": 53
               }
             ],
-            "action": "hijack-dns"
+            "outbound": "dns"
           },
           {
             "ip_is_private": true,
             "outbound": "direct"
           },
+          {
+            "clash_mode": "Direct",
+            "outbound": "direct"
+          },
+          {
+            "clash_mode": "Global",
+            "outbound": "default"
+          },
           {
             "type": "logical",
             "mode": "or",
@@ -465,23 +565,12 @@ flowchart TB
                 "protocol": "stun"
               }
             ],
-            "action": "reject"
+            "outbound": "block"
           },
           {
-            "rule_set": "geosite-geolocation-cn",
+            "rule_set": [
-            "outbound": "direct"
+              "geoip-cn",
-          },
+              "geosite-geolocation-cn"
-          {
-            "type": "logical",
-            "mode": "and",
-            "rules": [
-              {
-                "rule_set": "geoip-cn"
-              },
-              {
-                "rule_set": "geosite-geolocation-!cn",
-                "invert": true
-              }
             ],
             "outbound": "direct"
           }

protocol/vless/inbound.go

@@ -205,10 +205,6 @@ func (h *inboundTransportHandler) NewConnectionEx(ctx context.Context, conn net.
 	var metadata adapter.InboundContext
 	metadata.Source = source
 	metadata.Destination = destination
-	//nolint:staticcheck
-	metadata.InboundDetour = h.listener.ListenOptions().Detour
-	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	h.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
 	(*Inbound)(h).NewConnectionEx(ctx, conn, metadata, onClose)
 }

protocol/vmess/inbound.go

@@ -219,10 +219,6 @@ func (h *inboundTransportHandler) NewConnectionEx(ctx context.Context, conn net.
 	var metadata adapter.InboundContext
 	metadata.Source = source
 	metadata.Destination = destination
-	//nolint:staticcheck
-	metadata.InboundDetour = h.listener.ListenOptions().Detour
-	//nolint:staticcheck
-	metadata.InboundOptions = h.listener.ListenOptions().InboundOptions
 	h.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
 	(*Inbound)(h).NewConnectionEx(ctx, conn, metadata, onClose)
 }