v1.8.3

Fix "nonIPQuery"
v1.8.2
2025-08-22 09:36:49 +08:00 · 2023-06-19 00:35:46 +00:00 · 2023-06-19 00:33:59 +00:00 · 2023-06-18 20:43:20 +00:00 · 2023-06-18 09:46:57 -04:00 · 2023-06-18 09:45:32 -04:00
249 changed files with 5403 additions and 4815 deletions
--- a/.github/docker/Dockerfile
+++ b/.github/docker/Dockerfile
@@ -0,0 +1,22 @@
 # syntax=docker/dockerfile:1
 FROM --platform=$BUILDPLATFORM golang:alpine AS build
 WORKDIR /src
 COPY . .
 ARG TARGETOS TARGETARCH
 RUN GOOS=$TARGETOS GOARCH=$TARGETARCH CGO_ENABLED=0 go build -o xray -trimpath -ldflags "-s -w -buildid=" ./main
 FROM --platform=${TARGETPLATFORM} alpine:latest
 WORKDIR /root
 COPY .github/docker/files/config.json /etc/xray/config.json
 COPY --from=build /src/xray /usr/bin/xray
 RUN set -ex \
 	&& apk add --no-cache tzdata ca-certificates \
 	&& mkdir -p /var/log/xray /usr/share/xray \
    && chmod +x /usr/bin/xray \
 	&& wget -O /usr/share/xray/geosite.dat https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat \
 	&& wget -O /usr/share/xray/geoip.dat https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat
 VOLUME /etc/xray
 ENV TZ=Asia/Shanghai
 ENTRYPOINT [ "/usr/bin/xray" ]
 CMD [ "-config", "/etc/xray/config.json" ]
--- a/.github/docker/files/config.json
+++ b/.github/docker/files/config.json
@@ -0,0 +1,18 @@
 {
  "inbounds": [{
    "port": 9000,
    "protocol": "vmess",
    "settings": {
      "clients": [
        {
          "id": "1eb6e917-774b-4a84-aff6-b058577c60a5",
          "level": 1
        }
      ]
    }
  }],
  "outbounds": [{
    "protocol": "freedom",
    "settings": {}
  }]
 }
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -0,0 +1,45 @@
 name: Build docker image
 on:
  push:
    branches:
      - main
 jobs:
  build-image:
    runs-on: ubuntu-latest
    permissions:
      packages: write
    steps:
      - uses: actions/checkout@v3
      - name: Docker metadata
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: ghcr.io/${{ github.repository_owner }}/xray-core
          flavor: latest=true
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - # Add support for more platforms with QEMU (optional)
        # https://github.com/docker/setup-qemu-action
        name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Build and push
        uses: docker/build-push-action@v4
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          file: .github/docker/Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,7 +20,51 @@ on:
      - "go.sum"
      - ".github/workflows/*.yml"
 jobs:
  prepare:
    runs-on: ubuntu-latest
    steps:
      - name: Restore Cache
        uses: actions/cache/restore@v3
        with:
          path: resources
          key: xray-geodat-
      - name: Update Geodat
        id: update
        uses: nick-fields/retry@v2
        with:
          timeout_minutes: 60
          retry_wait_seconds: 60
          max_attempts: 60
          command: |
            [ -d 'resources' ] || mkdir resources
            LIST=('geoip geoip geoip' 'domain-list-community dlc geosite')
            for i in "${LIST[@]}"
            do
              INFO=($(echo $i | awk 'BEGIN{FS=" ";OFS=" "} {print $1,$2,$3}'))
              FILE_NAME="${INFO[2]}.dat"
              echo -e "Verifying HASH key..."
              HASH="$(curl -sL "https://raw.githubusercontent.com/v2fly/${INFO[0]}/release/${INFO[1]}.dat.sha256sum" | awk -F ' ' '{print $1}')"
              if [ -s "./resources/${FILE_NAME}" ] && [ "$(sha256sum "./resources/${FILE_NAME}" | awk -F ' ' '{print $1}')" == "${HASH}" ]; then
                  continue
              else
                  echo -e "Downloading https://raw.githubusercontent.com/v2fly/${INFO[0]}/release/${INFO[1]}.dat..."
                  curl -L "https://raw.githubusercontent.com/v2fly/${INFO[0]}/release/${INFO[1]}.dat" -o ./resources/${FILE_NAME}
                  echo -e "Verifying HASH key..."
                  [ "$(sha256sum "./resources/${FILE_NAME}" | awk -F ' ' '{print $1}')" == "${HASH}" ] || { echo -e "The HASH key of ${FILE_NAME} does not match cloud one."; exit 1; }
                  echo "unhit=true" >> $GITHUB_OUTPUT
              fi
            done
      - name: Save Cache
        uses: actions/cache/save@v3
        if: ${{ steps.update.outputs.unhit }}
        with:
          path: resources
          key: xray-geodat-${{ github.sha }}-${{ github.run_number }}
  build:
    needs: prepare
    permissions:
      contents: write
    strategy:
@@ -121,9 +165,9 @@ jobs:
          echo "ASSET_NAME=$_NAME" >> $GITHUB_ENV
      - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
        with:
-          go-version: 1.19
+          go-version: '1.20'
          check-latest: true
      - name: Get project dependencies
@@ -160,26 +204,17 @@ jobs:
          cd ./build_assets || exit 1
          mv xray xray.exe
-      - name: Prepare to release
+      - name: Restore Cache
-        uses: nick-fields/retry@v2
+        uses: actions/cache/restore@v3
        with:
-          timeout_minutes: 60
+          path: resources
-          retry_wait_seconds: 60
+          key: xray-geodat-
-          max_attempts: 60
+
-          command: |
+      - name: Copy README.md & LICENSE
-            cp ${GITHUB_WORKSPACE}/README.md ./build_assets/README.md
+        run: |
-            cp ${GITHUB_WORKSPACE}/LICENSE ./build_assets/LICENSE
+          mv -f resources/* build_assets
-            LIST=('geoip geoip geoip' 'domain-list-community dlc geosite')
+          cp ${GITHUB_WORKSPACE}/README.md ./build_assets/README.md
-            for i in "${LIST[@]}"
+          cp ${GITHUB_WORKSPACE}/LICENSE ./build_assets/LICENSE
            do
              INFO=($(echo $i | awk 'BEGIN{FS=" ";OFS=" "} {print $1,$2,$3}'))
              FILE_NAME="${INFO[2]}.dat"
              echo -e "Downloading https://raw.githubusercontent.com/v2fly/${INFO[0]}/release/${INFO[1]}.dat..."
              curl -L "https://raw.githubusercontent.com/v2fly/${INFO[0]}/release/${INFO[1]}.dat" -o ./build_assets/${FILE_NAME}
              echo -e "Verifying HASH key..."
              HASH="$(curl -sL "https://raw.githubusercontent.com/v2fly/${INFO[0]}/release/${INFO[1]}.dat.sha256sum" | awk -F ' ' '{print $1}')"
              [ "$(sha256sum "./build_assets/${FILE_NAME}" | awk -F ' ' '{print $1}')" == "${HASH}" ] || { echo -e "The HASH key of ${FILE_NAME} does not match cloud one."; exit 1; }
            done
      - name: Create ZIP archive
        shell: bash
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -28,24 +28,17 @@ jobs:
        os: [windows-latest, ubuntu-latest, macos-latest]
    steps:
      - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
        with:
-          go-version: 1.19
+          go-version: '1.20'
          check-latest: true
      - name: Checkout codebase
        uses: actions/checkout@v3
-
+      - name: Restore Cache
-      - name: Prepare geo*dat
+        uses: actions/cache/restore@v3
-        if: ${{ matrix.os != 'windows-latest' }}
+        with:
-        run: |
+          path: resources
-          mkdir resources
+          key: xray-geodat-
-          wget -O ./resources/geoip.dat https://github.com/v2fly/geoip/releases/latest/download/geoip.dat
+          enableCrossOsArchive: true
          wget -O ./resources/geosite.dat https://github.com/v2fly/domain-list-community/releases/latest/download/dlc.dat
      - name: Prepare geo*dat for Windows
        if: ${{ matrix.os == 'windows-latest' }}
        run: |
          mkdir resources
          Invoke-WebRequest -Uri "https://github.com/v2fly/geoip/releases/latest/download/geoip.dat" -OutFile "./resources/geoip.dat"
          Invoke-WebRequest -Uri "https://github.com/v2fly/domain-list-community/releases/latest/download/dlc.dat" -OutFile "./resources/geosite.dat"
      - name: Test
        run: go test -timeout 1h -v ./...
--- a/README.md
+++ b/README.md
@@ -1,78 +1,113 @@
 # Project X
-[Project X](https://github.com/XTLS) originates from XTLS protocol, provides a set of network tools such as [Xray-core](https://github.com/XTLS/Xray-core).
+[Project X](https://github.com/XTLS) originates from XTLS protocol, providing a set of network tools such as [Xray-core](https://github.com/XTLS/Xray-core) and [REALITY](https://github.com/XTLS/REALITY).
 [README](https://github.com/XTLS/Xray-core#readme) is open, so feel free to submit your project [here](https://github.com/XTLS/Xray-core/pulls).
 ## License
 [Mozilla Public License Version 2.0](https://github.com/XTLS/Xray-core/blob/main/LICENSE)
 ## Documentation
 [Project X Official Website](https://xtls.github.io)
 ## Telegram
 [Project X](https://t.me/projectXray)
 [Project X Channel](https://t.me/projectXtls)
 ## Installation
 - Linux Script
-  - [Xray-install](https://github.com/XTLS/Xray-install)
+  - [XTLS/Xray-install](https://github.com/XTLS/Xray-install)
  - [Xray-script](https://github.com/kirin10000/Xray-script)
 - Docker
  - [teddysun/xray](https://hub.docker.com/r/teddysun/xray)
 - Web Panel
  - [X-UI](https://github.com/FranzKafkaYu/x-ui), [X-UI-English](https://github.com/NidukaAkalanka/x-ui-english), [3X-UI](https://github.com/MHSanaei/3x-ui), [X-UI](https://github.com/alireza0/x-ui), [X-UI](https://github.com/diditra/x-ui)
  - [Xray-UI](https://github.com/qist/xray-ui), [X-UI](https://github.com/sing-web/x-ui)
  - [Hiddify](https://github.com/hiddify/hiddify-config)
  - [Marzban](https://github.com/Gozargah/Marzban)
  - [Libertea](https://github.com/VZiChoushaDui/Libertea)
 - One Click
-  - [ProxySU](https://github.com/proxysu/ProxySU)
+  - [Xray-REALITY](https://github.com/zxcvos/Xray-script), [xray-reality](https://github.com/sajjaddg/xray-reality), [reality-ezpz](https://github.com/aleskxyz/reality-ezpz)
-  - [v2ray-agent](https://github.com/mack-a/v2ray-agent)
+  - [Xray-script](https://github.com/kirin10000/Xray-script), [Xray_bash_onekey](https://github.com/hello-yunshu/Xray_bash_onekey), [XTool](https://github.com/LordPenguin666/XTool)
-  - [Xray-yes](https://github.com/jiuqi9997/Xray-yes)
+  - [v2ray-agent](https://github.com/mack-a/v2ray-agent), [Xray_onekey](https://github.com/wulabing/Xray_onekey), [ProxySU](https://github.com/proxysu/ProxySU)
  - [Xray_onekey](https://github.com/wulabing/Xray_onekey)
 - Magisk
-  - [Xray4Magisk](https://github.com/CerteKim/Xray4Magisk)
+  - [Xray4Magisk](https://github.com/Asterisk4Magisk/Xray4Magisk)
  - [Xray_For_Magisk](https://github.com/E7KMbb/Xray_For_Magisk)
 - Homebrew
  - `brew install xray`
  - [(Tap) Repository 0](https://github.com/N4FA/homebrew-xray)
  - [(Tap) Repository 1](https://github.com/xiruizhao/homebrew-xray)
 ## Contributing
 [Code Of Conduct](https://github.com/XTLS/Xray-core/blob/main/CODE_OF_CONDUCT.md)
 ## Usage
-[Xray-examples](https://github.com/XTLS/Xray-examples) / [VLESS-TCP-XTLS-WHATEVER](https://github.com/XTLS/Xray-examples/tree/main/VLESS-TCP-XTLS-WHATEVER)
+- Example
  - [VLESS-XTLS-uTLS-REALITY](https://github.com/XTLS/REALITY#readme)
  - [VLESS-TCP-XTLS-Vision](https://github.com/XTLS/Xray-examples/tree/main/VLESS-TCP-XTLS-Vision)
  - [All-in-One-fallbacks-Nginx](https://github.com/XTLS/Xray-examples/tree/main/All-in-One-fallbacks-Nginx)
 - Xray-examples
  - [XTLS/Xray-examples](https://github.com/XTLS/Xray-examples)
  - [chika0801/Xray-examples](https://github.com/chika0801/Xray-examples)
  - [lxhao61/integrated-examples](https://github.com/lxhao61/integrated-examples)
 - Tutorial
  - [XTLS Vision](https://github.com/chika0801/Xray-install)
  - [REALITY (English)](https://cscot.pages.dev/2023/03/02/Xray-REALITY-tutorial/)
  - [XTLS-Iran-Reality (English)](https://github.com/SasukeFreestyle/XTLS-Iran-Reality)
 ## GUI Clients
 - OpenWrt
-  - [PassWall](https://github.com/xiaorouji/openwrt-passwall)
+  - [PassWall](https://github.com/xiaorouji/openwrt-passwall), [PassWall 2](https://github.com/xiaorouji/openwrt-passwall2)
  - [Hello World](https://github.com/jerrykuku/luci-app-vssr)
  - [ShadowSocksR Plus+](https://github.com/fw876/helloworld)
  - [luci-app-xray](https://github.com/yichya/luci-app-xray) ([openwrt-xray](https://github.com/yichya/openwrt-xray))
 - Windows
  - [v2rayN](https://github.com/2dust/v2rayN)
-  - [Qv2ray](https://github.com/Qv2ray/Qv2ray) (This project had been archived and currently inactive)
+  - [HiddifyN](https://github.com/hiddify/HiddifyN)
-  - [Netch (NetFilter & TUN/TAP)](https://github.com/NetchX/Netch) (This project had been archived and currently inactive)
+  - [Invisible Man - Xray](https://github.com/InvisibleManVPN/InvisibleMan-XRayClient)
 - Android
  - [v2rayNG](https://github.com/2dust/v2rayNG)
-  - [Kitsunebi](https://github.com/rurirei/Kitsunebi/tree/release_xtls)
+  - [HiddifyNG](https://github.com/hiddify/HiddifyNG)
- iOS & macOS (with M1 chip)
+  - [X-flutter](https://github.com/XTLS/X-flutter)
-  - [Shadowrocket](https://apps.apple.com/app/shadowrocket/id932747118)
+- iOS & macOS arm64
-  - [Stash](https://apps.apple.com/app/stash/id1596063349)
+  - [Mango](https://github.com/arror/Mango)
- macOS (Intel chip & M1 chip)
+  - [FoXray](https://apps.apple.com/app/foxray/id6448898396)
-  - [Qv2ray](https://github.com/Qv2ray/Qv2ray) (This project had been archived and currently inactive)
+- macOS arm64 & x64
  - [V2RayXS](https://github.com/tzmax/V2RayXS)
  - [FoXray](https://apps.apple.com/app/foxray/id6448898396)
 - Linux
  - [v2rayA](https://github.com/v2rayA/v2rayA)
 ## Others that support VLESS, XTLS, REALITY, XUDP, PLUX...
 - iOS & macOS arm64
  - [Shadowrocket](https://apps.apple.com/app/shadowrocket/id932747118)
 - Xray Wrapper
  - [XTLS/libXray](https://github.com/XTLS/libXray)
  - [xtlsapi](https://github.com/hiddify/xtlsapi)
  - [AndroidLibXrayLite](https://github.com/2dust/AndroidLibXrayLite)
  - [XrayKit](https://github.com/arror/XrayKit)
 - [XrayR](https://github.com/XrayR-project/XrayR)
  - [XrayR-release](https://github.com/XrayR-project/XrayR-release)
  - [XrayR-V2Board](https://github.com/missuo/XrayR-V2Board)
 - [Clash.Meta](https://github.com/MetaCubeX/Clash.Meta)
  - [Clash Verge](https://github.com/zzzgydi/clash-verge)
  - [clashN](https://github.com/2dust/clashN)
  - [Clash Meta for Android](https://github.com/MetaCubeX/ClashMetaForAndroid)
  - [meta_for_ios](https://t.me/meta_for_ios)
 - [sing-box](https://github.com/SagerNet/sing-box)
  - [installReality](https://github.com/BoxXt/installReality)
  - [sbox-reality](https://github.com/Misaka-blog/sbox-reality)
  - [sing-box-for-ios](https://github.com/SagerNet/sing-box-for-ios)
 ## Contributing
 [Code of Conduct](https://github.com/XTLS/Xray-core/blob/main/CODE_OF_CONDUCT.md)
 ## Credits
-This repo relies on the following third-party projects:
+- [Xray-core v1.0.0](https://github.com/XTLS/Xray-core/releases/tag/v1.0.0) was forked from [v2fly-core 9a03cc5](https://github.com/v2fly/v2ray-core/commit/9a03cc5c98d04cc28320fcee26dbc236b3291256), and we have made & accumulated a huge number of enhancements over time, check [the release notes for each version](https://github.com/XTLS/Xray-core/releases).
-
+- For third-party projects used in [Xray-core](https://github.com/XTLS/Xray-core), check your local or [the latest go.mod](https://github.com/XTLS/Xray-core/blob/main/go.mod).
 - Special thanks:
  - [v2fly/v2ray-core](https://github.com/v2fly/v2ray-core)
 - In production:
  - [ghodss/yaml](https://github.com/ghodss/yaml)
  - [gorilla/websocket](https://github.com/gorilla/websocket)
  - [lucas-clemente/quic-go](https://github.com/lucas-clemente/quic-go)
  - [pelletier/go-toml](https://github.com/pelletier/go-toml)
  - [pires/go-proxyproto](https://github.com/pires/go-proxyproto)
  - [refraction-networking/utls](https://github.com/refraction-networking/utls)
  - [seiflotfy/cuckoofilter](https://github.com/seiflotfy/cuckoofilter)
  - [google/starlark-go](https://github.com/google/starlark-go)
 - For testing only:
  - [miekg/dns](https://github.com/miekg/dns)
  - [stretchr/testify](https://github.com/stretchr/testify)
  - [h12w/socks](https://github.com/h12w/socks)
 ## Compilation
@@ -88,12 +123,6 @@ go build -o xray.exe -trimpath -ldflags "-s -w -buildid=" ./main
 go build -o xray -trimpath -ldflags "-s -w -buildid=" ./main
 ```
 ## Telegram
 [Project X](https://t.me/projectXray)
 [Project X Channel](https://t.me/projectXtls)
 ## Stargazers over time
 [![Stargazers over time](https://starchart.cc/XTLS/Xray-core.svg)](https://starchart.cc/XTLS/Xray-core)
--- a/app/commander/config.pb.go
+++ b/app/commander/config.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: app/commander/config.proto
 package commander
--- a/app/dispatcher/config.pb.go
+++ b/app/dispatcher/config.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: app/dispatcher/config.proto
 package dispatcher
--- a/app/dispatcher/default.go
+++ b/app/dispatcher/default.go
@@ -342,29 +342,27 @@ func (d *DefaultDispatcher) DispatchLink(ctx context.Context, destination net.De
 	}
 	sniffingRequest := content.SniffingRequest
 	if !sniffingRequest.Enabled {
-		go d.routedDispatch(ctx, outbound, destination)
+		d.routedDispatch(ctx, outbound, destination)
 	} else {
-		go func() {
+		cReader := &cachedReader{
-			cReader := &cachedReader{
+			reader: outbound.Reader.(*pipe.Reader),
-				reader: outbound.Reader.(*pipe.Reader),
+		}
 		outbound.Reader = cReader
 		result, err := sniffer(ctx, cReader, sniffingRequest.MetadataOnly, destination.Network)
 		if err == nil {
 			content.Protocol = result.Protocol()
 		}
 		if err == nil && d.shouldOverride(ctx, result, sniffingRequest, destination) {
 			domain := result.Domain()
 			newError("sniffed domain: ", domain).WriteToLog(session.ExportIDToError(ctx))
 			destination.Address = net.ParseAddress(domain)
 			if sniffingRequest.RouteOnly && result.Protocol() != "fakedns" {
 				ob.RouteTarget = destination
 			} else {
 				ob.Target = destination
 			}
-			outbound.Reader = cReader
+		}
-			result, err := sniffer(ctx, cReader, sniffingRequest.MetadataOnly, destination.Network)
+		d.routedDispatch(ctx, outbound, destination)
 			if err == nil {
 				content.Protocol = result.Protocol()
 			}
 			if err == nil && d.shouldOverride(ctx, result, sniffingRequest, destination) {
 				domain := result.Domain()
 				newError("sniffed domain: ", domain).WriteToLog(session.ExportIDToError(ctx))
 				destination.Address = net.ParseAddress(domain)
 				if sniffingRequest.RouteOnly && result.Protocol() != "fakedns" {
 					ob.RouteTarget = destination
 				} else {
 					ob.Target = destination
 				}
 			}
 			d.routedDispatch(ctx, outbound, destination)
 		}()
 	}
 	return nil
--- a/app/dns/config.pb.go
+++ b/app/dns/config.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: app/dns/config.proto
 package dns
@@ -219,14 +219,14 @@ type Config struct {
 	// the moment. A special value 'localhost' as a domain address can be set to
 	// use DNS on local system.
 	//
-	// Deprecated: Do not use.
+	// Deprecated: Marked as deprecated in app/dns/config.proto.
 	NameServers []*net.Endpoint `protobuf:"bytes,1,rep,name=NameServers,proto3" json:"NameServers,omitempty"`
 	// NameServer list used by this DNS client.
 	NameServer []*NameServer `protobuf:"bytes,5,rep,name=name_server,json=nameServer,proto3" json:"name_server,omitempty"`
 	// Static hosts. Domain to IP.
 	// Deprecated. Use static_hosts.
 	//
-	// Deprecated: Do not use.
+	// Deprecated: Marked as deprecated in app/dns/config.proto.
 	Hosts map[string]*net.IPOrDomain `protobuf:"bytes,2,rep,name=Hosts,proto3" json:"Hosts,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
 	// Client IP for EDNS client subnet. Must be 4 bytes (IPv4) or 16 bytes
 	// (IPv6).
@@ -273,7 +273,7 @@ func (*Config) Descriptor() ([]byte, []int) {
 	return file_app_dns_config_proto_rawDescGZIP(), []int{1}
 }
-// Deprecated: Do not use.
+// Deprecated: Marked as deprecated in app/dns/config.proto.
 func (x *Config) GetNameServers() []*net.Endpoint {
 	if x != nil {
 		return x.NameServers
@@ -288,7 +288,7 @@ func (x *Config) GetNameServer() []*NameServer {
 	return nil
 }
-// Deprecated: Do not use.
+// Deprecated: Marked as deprecated in app/dns/config.proto.
 func (x *Config) GetHosts() map[string]*net.IPOrDomain {
 	if x != nil {
 		return x.Hosts
--- a/app/dns/dns.go
+++ b/app/dns/dns.go
@@ -215,7 +215,7 @@ func (s *DNS) LookupIP(domain string, option dns.IPOption) ([]net.IP, error) {
 			newError("failed to lookup ip for domain ", domain, " at server ", client.Name()).Base(err).WriteToLog()
 			errs = append(errs, err)
 		}
-		if err != context.Canceled && err != context.DeadlineExceeded && err != errExpectedIPNonMatch {
+		if err != context.Canceled && err != context.DeadlineExceeded && err != errExpectedIPNonMatch && err != dns.ErrEmptyResponse {
 			return nil, err
 		}
 	}
--- a/app/dns/dns_test.go
+++ b/app/dns/dns_test.go
@@ -13,6 +13,7 @@ import (
 	_ "github.com/xtls/xray-core/app/proxyman/outbound"
 	"github.com/xtls/xray-core/app/router"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/serial"
 	"github.com/xtls/xray-core/core"
@@ -260,7 +261,7 @@ func TestUDPServer(t *testing.T) {
 			IPv6Enable: true,
 			FakeEnable: false,
 		})
-		if err != feature_dns.ErrEmptyResponse {
+		if !errors.AllEqual(feature_dns.ErrEmptyResponse, errors.Cause(err)) {
 			t.Fatal("error: ", err)
 		}
 		if len(ips) != 0 {
--- a/app/dns/fakedns/fakedns.pb.go
+++ b/app/dns/fakedns/fakedns.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: app/dns/fakedns/fakedns.proto
 package fakedns
--- a/app/dns/nameserver_quic.go
+++ b/app/dns/nameserver_quic.go
@@ -7,7 +7,7 @@ import (
 	"sync/atomic"
 	"time"
-	"github.com/lucas-clemente/quic-go"
+	"github.com/quic-go/quic-go"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/buf"
 	"github.com/xtls/xray-core/common/log"
@@ -373,8 +373,8 @@ func (s *QUICNameServer) openConnection() (quic.Connection, error) {
 	quicConfig := &quic.Config{
 		HandshakeIdleTimeout: handshakeTimeout,
 	}
-
+	tlsConfig.ServerName = s.destination.Address.String()
-	conn, err := quic.DialAddrContext(context.Background(), s.destination.NetAddr(), tlsConfig.GetTLSConfig(tls.WithNextProto("http/1.1", http2.NextProtoTLS, NextProtoDQ)), quicConfig)
+	conn, err := quic.DialAddr(context.Background(), s.destination.NetAddr(), tlsConfig.GetTLSConfig(tls.WithNextProto("http/1.1", http2.NextProtoTLS, NextProtoDQ)), quicConfig)
 	log.Record(&log.AccessMessage{
 		From:   "DNS",
 		To:     s.destination,
--- a/app/log/command/config.pb.go
+++ b/app/log/command/config.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: app/log/command/config.proto
 package command
--- a/app/log/command/config_grpc.pb.go
+++ b/app/log/command/config_grpc.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.2.0
+// - protoc-gen-go-grpc v1.3.0
-// - protoc             v3.18.0
+// - protoc             v4.23.1
 // source: app/log/command/config.proto
 package command
@@ -18,6 +18,10 @@ import (
 // Requires gRPC-Go v1.32.0 or later.
 const _ = grpc.SupportPackageIsVersion7
 const (
 	LoggerService_RestartLogger_FullMethodName = "/xray.app.log.command.LoggerService/RestartLogger"
 )
 // LoggerServiceClient is the client API for LoggerService service.
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
@@ -35,7 +39,7 @@ func NewLoggerServiceClient(cc grpc.ClientConnInterface) LoggerServiceClient {
 func (c *loggerServiceClient) RestartLogger(ctx context.Context, in *RestartLoggerRequest, opts ...grpc.CallOption) (*RestartLoggerResponse, error) {
 	out := new(RestartLoggerResponse)
-	err := c.cc.Invoke(ctx, "/xray.app.log.command.LoggerService/RestartLogger", in, out, opts...)
+	err := c.cc.Invoke(ctx, LoggerService_RestartLogger_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -80,7 +84,7 @@ func _LoggerService_RestartLogger_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/xray.app.log.command.LoggerService/RestartLogger",
+		FullMethod: LoggerService_RestartLogger_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(LoggerServiceServer).RestartLogger(ctx, req.(*RestartLoggerRequest))
--- a/app/log/config.pb.go
+++ b/app/log/config.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: app/log/config.proto
 package log
--- a/app/metrics/config.pb.go
+++ b/app/metrics/config.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: app/metrics/config.proto
 package metrics
--- a/app/observatory/command/command.pb.go
+++ b/app/observatory/command/command.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: app/observatory/command/command.proto
 package command
--- a/app/observatory/command/command_grpc.pb.go
+++ b/app/observatory/command/command_grpc.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.2.0
+// - protoc-gen-go-grpc v1.3.0
-// - protoc             v3.18.0
+// - protoc             v4.23.1
 // source: app/observatory/command/command.proto
 package command
@@ -18,6 +18,10 @@ import (
 // Requires gRPC-Go v1.32.0 or later.
 const _ = grpc.SupportPackageIsVersion7
 const (
 	ObservatoryService_GetOutboundStatus_FullMethodName = "/xray.core.app.observatory.command.ObservatoryService/GetOutboundStatus"
 )
 // ObservatoryServiceClient is the client API for ObservatoryService service.
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
@@ -35,7 +39,7 @@ func NewObservatoryServiceClient(cc grpc.ClientConnInterface) ObservatoryService
 func (c *observatoryServiceClient) GetOutboundStatus(ctx context.Context, in *GetOutboundStatusRequest, opts ...grpc.CallOption) (*GetOutboundStatusResponse, error) {
 	out := new(GetOutboundStatusResponse)
-	err := c.cc.Invoke(ctx, "/xray.core.app.observatory.command.ObservatoryService/GetOutboundStatus", in, out, opts...)
+	err := c.cc.Invoke(ctx, ObservatoryService_GetOutboundStatus_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -80,7 +84,7 @@ func _ObservatoryService_GetOutboundStatus_Handler(srv interface{}, ctx context.
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/xray.core.app.observatory.command.ObservatoryService/GetOutboundStatus",
+		FullMethod: ObservatoryService_GetOutboundStatus_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(ObservatoryServiceServer).GetOutboundStatus(ctx, req.(*GetOutboundStatusRequest))
--- a/app/observatory/config.pb.go
+++ b/app/observatory/config.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: app/observatory/config.proto
 package observatory
--- a/app/policy/config.pb.go
+++ b/app/policy/config.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: app/policy/config.proto
 package policy
--- a/app/proxyman/command/command.pb.go
+++ b/app/proxyman/command/command.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: app/proxyman/command/command.proto
 package command
--- a/app/proxyman/command/command_grpc.pb.go
+++ b/app/proxyman/command/command_grpc.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.2.0
+// - protoc-gen-go-grpc v1.3.0
-// - protoc             v3.18.0
+// - protoc             v4.23.1
 // source: app/proxyman/command/command.proto
 package command
@@ -18,6 +18,15 @@ import (
 // Requires gRPC-Go v1.32.0 or later.
 const _ = grpc.SupportPackageIsVersion7
 const (
 	HandlerService_AddInbound_FullMethodName     = "/xray.app.proxyman.command.HandlerService/AddInbound"
 	HandlerService_RemoveInbound_FullMethodName  = "/xray.app.proxyman.command.HandlerService/RemoveInbound"
 	HandlerService_AlterInbound_FullMethodName   = "/xray.app.proxyman.command.HandlerService/AlterInbound"
 	HandlerService_AddOutbound_FullMethodName    = "/xray.app.proxyman.command.HandlerService/AddOutbound"
 	HandlerService_RemoveOutbound_FullMethodName = "/xray.app.proxyman.command.HandlerService/RemoveOutbound"
 	HandlerService_AlterOutbound_FullMethodName  = "/xray.app.proxyman.command.HandlerService/AlterOutbound"
 )
 // HandlerServiceClient is the client API for HandlerService service.
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
@@ -40,7 +49,7 @@ func NewHandlerServiceClient(cc grpc.ClientConnInterface) HandlerServiceClient {
 func (c *handlerServiceClient) AddInbound(ctx context.Context, in *AddInboundRequest, opts ...grpc.CallOption) (*AddInboundResponse, error) {
 	out := new(AddInboundResponse)
-	err := c.cc.Invoke(ctx, "/xray.app.proxyman.command.HandlerService/AddInbound", in, out, opts...)
+	err := c.cc.Invoke(ctx, HandlerService_AddInbound_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -49,7 +58,7 @@ func (c *handlerServiceClient) AddInbound(ctx context.Context, in *AddInboundReq
 func (c *handlerServiceClient) RemoveInbound(ctx context.Context, in *RemoveInboundRequest, opts ...grpc.CallOption) (*RemoveInboundResponse, error) {
 	out := new(RemoveInboundResponse)
-	err := c.cc.Invoke(ctx, "/xray.app.proxyman.command.HandlerService/RemoveInbound", in, out, opts...)
+	err := c.cc.Invoke(ctx, HandlerService_RemoveInbound_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -58,7 +67,7 @@ func (c *handlerServiceClient) RemoveInbound(ctx context.Context, in *RemoveInbo
 func (c *handlerServiceClient) AlterInbound(ctx context.Context, in *AlterInboundRequest, opts ...grpc.CallOption) (*AlterInboundResponse, error) {
 	out := new(AlterInboundResponse)
-	err := c.cc.Invoke(ctx, "/xray.app.proxyman.command.HandlerService/AlterInbound", in, out, opts...)
+	err := c.cc.Invoke(ctx, HandlerService_AlterInbound_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -67,7 +76,7 @@ func (c *handlerServiceClient) AlterInbound(ctx context.Context, in *AlterInboun
 func (c *handlerServiceClient) AddOutbound(ctx context.Context, in *AddOutboundRequest, opts ...grpc.CallOption) (*AddOutboundResponse, error) {
 	out := new(AddOutboundResponse)
-	err := c.cc.Invoke(ctx, "/xray.app.proxyman.command.HandlerService/AddOutbound", in, out, opts...)
+	err := c.cc.Invoke(ctx, HandlerService_AddOutbound_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -76,7 +85,7 @@ func (c *handlerServiceClient) AddOutbound(ctx context.Context, in *AddOutboundR
 func (c *handlerServiceClient) RemoveOutbound(ctx context.Context, in *RemoveOutboundRequest, opts ...grpc.CallOption) (*RemoveOutboundResponse, error) {
 	out := new(RemoveOutboundResponse)
-	err := c.cc.Invoke(ctx, "/xray.app.proxyman.command.HandlerService/RemoveOutbound", in, out, opts...)
+	err := c.cc.Invoke(ctx, HandlerService_RemoveOutbound_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -85,7 +94,7 @@ func (c *handlerServiceClient) RemoveOutbound(ctx context.Context, in *RemoveOut
 func (c *handlerServiceClient) AlterOutbound(ctx context.Context, in *AlterOutboundRequest, opts ...grpc.CallOption) (*AlterOutboundResponse, error) {
 	out := new(AlterOutboundResponse)
-	err := c.cc.Invoke(ctx, "/xray.app.proxyman.command.HandlerService/AlterOutbound", in, out, opts...)
+	err := c.cc.Invoke(ctx, HandlerService_AlterOutbound_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -150,7 +159,7 @@ func _HandlerService_AddInbound_Handler(srv interface{}, ctx context.Context, de
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/xray.app.proxyman.command.HandlerService/AddInbound",
+		FullMethod: HandlerService_AddInbound_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HandlerServiceServer).AddInbound(ctx, req.(*AddInboundRequest))
@@ -168,7 +177,7 @@ func _HandlerService_RemoveInbound_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/xray.app.proxyman.command.HandlerService/RemoveInbound",
+		FullMethod: HandlerService_RemoveInbound_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HandlerServiceServer).RemoveInbound(ctx, req.(*RemoveInboundRequest))
@@ -186,7 +195,7 @@ func _HandlerService_AlterInbound_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/xray.app.proxyman.command.HandlerService/AlterInbound",
+		FullMethod: HandlerService_AlterInbound_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HandlerServiceServer).AlterInbound(ctx, req.(*AlterInboundRequest))
@@ -204,7 +213,7 @@ func _HandlerService_AddOutbound_Handler(srv interface{}, ctx context.Context, d
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/xray.app.proxyman.command.HandlerService/AddOutbound",
+		FullMethod: HandlerService_AddOutbound_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HandlerServiceServer).AddOutbound(ctx, req.(*AddOutboundRequest))
@@ -222,7 +231,7 @@ func _HandlerService_RemoveOutbound_Handler(srv interface{}, ctx context.Context
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/xray.app.proxyman.command.HandlerService/RemoveOutbound",
+		FullMethod: HandlerService_RemoveOutbound_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HandlerServiceServer).RemoveOutbound(ctx, req.(*RemoveOutboundRequest))
@@ -240,7 +249,7 @@ func _HandlerService_AlterOutbound_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/xray.app.proxyman.command.HandlerService/AlterOutbound",
+		FullMethod: HandlerService_AlterOutbound_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HandlerServiceServer).AlterOutbound(ctx, req.(*AlterOutboundRequest))
--- a/app/proxyman/config.pb.go
+++ b/app/proxyman/config.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: app/proxyman/config.proto
 package proxyman
@@ -326,7 +326,7 @@ type ReceiverConfig struct {
 	// Override domains for the given protocol.
 	// Deprecated. Use sniffing_settings.
 	//
-	// Deprecated: Do not use.
+	// Deprecated: Marked as deprecated in app/proxyman/config.proto.
 	DomainOverride   []KnownProtocols `protobuf:"varint,7,rep,packed,name=domain_override,json=domainOverride,proto3,enum=xray.app.proxyman.KnownProtocols" json:"domain_override,omitempty"`
 	SniffingSettings *SniffingConfig  `protobuf:"bytes,8,opt,name=sniffing_settings,json=sniffingSettings,proto3" json:"sniffing_settings,omitempty"`
 }
@@ -398,7 +398,7 @@ func (x *ReceiverConfig) GetReceiveOriginalDestination() bool {
 	return false
 }
-// Deprecated: Do not use.
+// Deprecated: Marked as deprecated in app/proxyman/config.proto.
 func (x *ReceiverConfig) GetDomainOverride() []KnownProtocols {
 	if x != nil {
 		return x.DomainOverride
@@ -594,7 +594,11 @@ type MultiplexingConfig struct {
 	// Whether or not Mux is enabled.
 	Enabled bool `protobuf:"varint,1,opt,name=enabled,proto3" json:"enabled,omitempty"`
 	// Max number of concurrent connections that one Mux connection can handle.
-	Concurrency uint32 `protobuf:"varint,2,opt,name=concurrency,proto3" json:"concurrency,omitempty"`
+	Concurrency int32 `protobuf:"varint,2,opt,name=concurrency,proto3" json:"concurrency,omitempty"`
 	// Transport XUDP in another Mux.
 	XudpConcurrency int32 `protobuf:"varint,3,opt,name=xudpConcurrency,proto3" json:"xudpConcurrency,omitempty"`
 	// "reject" (default), "allow" or "skip".
 	XudpProxyUDP443 string `protobuf:"bytes,4,opt,name=xudpProxyUDP443,proto3" json:"xudpProxyUDP443,omitempty"`
 }
 func (x *MultiplexingConfig) Reset() {
@@ -636,13 +640,27 @@ func (x *MultiplexingConfig) GetEnabled() bool {
 	return false
 }
-func (x *MultiplexingConfig) GetConcurrency() uint32 {
+func (x *MultiplexingConfig) GetConcurrency() int32 {
 	if x != nil {
 		return x.Concurrency
 	}
 	return 0
 }
 func (x *MultiplexingConfig) GetXudpConcurrency() int32 {
 	if x != nil {
 		return x.XudpConcurrency
 	}
 	return 0
 }
 func (x *MultiplexingConfig) GetXudpProxyUDP443() string {
 	if x != nil {
 		return x.XudpProxyUDP443
 	}
 	return ""
 }
 type AllocationStrategy_AllocationStrategyConcurrency struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -856,21 +874,26 @@ var file_app_proxyman_config_proto_rawDesc = []byte{
 	0x28, 0x0b, 0x32, 0x25, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x70, 0x72,
 	0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0x2e, 0x4d, 0x75, 0x6c, 0x74, 0x69, 0x70, 0x6c, 0x65, 0x78,
 	0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x11, 0x6d, 0x75, 0x6c, 0x74, 0x69,
-	0x70, 0x6c, 0x65, 0x78, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x22, 0x50, 0x0a, 0x12,
+	0x70, 0x6c, 0x65, 0x78, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x22, 0xa4, 0x01, 0x0a,
-	0x4d, 0x75, 0x6c, 0x74, 0x69, 0x70, 0x6c, 0x65, 0x78, 0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6e, 0x66,
+	0x12, 0x4d, 0x75, 0x6c, 0x74, 0x69, 0x70, 0x6c, 0x65, 0x78, 0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6e,
-	0x69, 0x67, 0x12, 0x18, 0x0a, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x01, 0x20,
+	0x66, 0x69, 0x67, 0x12, 0x18, 0x0a, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x01,
-	0x01, 0x28, 0x08, 0x52, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x20, 0x0a, 0x0b,
+	0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x20, 0x0a,
-	0x63, 0x6f, 0x6e, 0x63, 0x75, 0x72, 0x72, 0x65, 0x6e, 0x63, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x0b, 0x63, 0x6f, 0x6e, 0x63, 0x75, 0x72, 0x72, 0x65, 0x6e, 0x63, 0x79, 0x18, 0x02, 0x20, 0x01,
-	0x0d, 0x52, 0x0b, 0x63, 0x6f, 0x6e, 0x63, 0x75, 0x72, 0x72, 0x65, 0x6e, 0x63, 0x79, 0x2a, 0x23,
+	0x28, 0x05, 0x52, 0x0b, 0x63, 0x6f, 0x6e, 0x63, 0x75, 0x72, 0x72, 0x65, 0x6e, 0x63, 0x79, 0x12,
-	0x0a, 0x0e, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x73,
+	0x28, 0x0a, 0x0f, 0x78, 0x75, 0x64, 0x70, 0x43, 0x6f, 0x6e, 0x63, 0x75, 0x72, 0x72, 0x65, 0x6e,
-	0x12, 0x08, 0x0a, 0x04, 0x48, 0x54, 0x54, 0x50, 0x10, 0x00, 0x12, 0x07, 0x0a, 0x03, 0x54, 0x4c,
+	0x63, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0f, 0x78, 0x75, 0x64, 0x70, 0x43, 0x6f,
-	0x53, 0x10, 0x01, 0x42, 0x55, 0x0a, 0x15, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e,
+	0x6e, 0x63, 0x75, 0x72, 0x72, 0x65, 0x6e, 0x63, 0x79, 0x12, 0x28, 0x0a, 0x0f, 0x78, 0x75, 0x64,
-	0x61, 0x70, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0x50, 0x01, 0x5a, 0x26,
+	0x70, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x55, 0x44, 0x50, 0x34, 0x34, 0x33, 0x18, 0x04, 0x20, 0x01,
-	0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f,
+	0x28, 0x09, 0x52, 0x0f, 0x78, 0x75, 0x64, 0x70, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x55, 0x44, 0x50,
-	0x78, 0x72, 0x61, 0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x61, 0x70, 0x70, 0x2f, 0x70, 0x72,
+	0x34, 0x34, 0x33, 0x2a, 0x23, 0x0a, 0x0e, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x50, 0x72, 0x6f, 0x74,
-	0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0xaa, 0x02, 0x11, 0x58, 0x72, 0x61, 0x79, 0x2e, 0x41, 0x70,
+	0x6f, 0x63, 0x6f, 0x6c, 0x73, 0x12, 0x08, 0x0a, 0x04, 0x48, 0x54, 0x54, 0x50, 0x10, 0x00, 0x12,
-	0x70, 0x2e, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
+	0x07, 0x0a, 0x03, 0x54, 0x4c, 0x53, 0x10, 0x01, 0x42, 0x55, 0x0a, 0x15, 0x63, 0x6f, 0x6d, 0x2e,
-	0x6f, 0x33,
+	0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x6d, 0x61,
 	0x6e, 0x50, 0x01, 0x5a, 0x26, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
 	0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61, 0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x61,
 	0x70, 0x70, 0x2f, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0xaa, 0x02, 0x11, 0x58, 0x72,
 	0x61, 0x79, 0x2e, 0x41, 0x70, 0x70, 0x2e, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0x62,
 	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 var (
--- a/app/proxyman/config.proto
+++ b/app/proxyman/config.proto
@@ -97,5 +97,9 @@ message MultiplexingConfig {
  // Whether or not Mux is enabled.
  bool enabled = 1;
  // Max number of concurrent connections that one Mux connection can handle.
-  uint32 concurrency = 2;
+  int32 concurrency = 2;
  // Transport XUDP in another Mux.
  int32 xudpConcurrency = 3;
  // "reject" (default), "allow" or "skip".
  string xudpProxyUDP443 = 4;
 }
--- a/app/proxyman/inbound/worker.go
+++ b/app/proxyman/inbound/worker.go
@@ -362,7 +362,7 @@ func (w *udpWorker) clean() error {
 	}
 	for addr, conn := range w.activeConn {
-		if nowSec-atomic.LoadInt64(&conn.lastActivityTime) > 5*60 { // TODO Timeout too small
+		if nowSec-atomic.LoadInt64(&conn.lastActivityTime) > 2*60 {
 			if !conn.inactive {
 				conn.setInactive()
 				delete(w.activeConn, addr)
--- a/app/proxyman/outbound/handler.go
+++ b/app/proxyman/outbound/handler.go
@@ -57,6 +57,8 @@ type Handler struct {
 	proxy           proxy.Outbound
 	outboundManager outbound.Manager
 	mux             *mux.ClientManager
 	xudp            *mux.ClientManager
 	udp443          string
 	uplinkCounter   stats.Counter
 	downlinkCounter stats.Counter
 }
@@ -106,22 +108,50 @@ func NewHandler(ctx context.Context, config *core.OutboundHandlerConfig) (outbou
 	}
 	if h.senderSettings != nil && h.senderSettings.MultiplexSettings != nil {
-		config := h.senderSettings.MultiplexSettings
+		if config := h.senderSettings.MultiplexSettings; config.Enabled {
-		if config.Concurrency < 1 || config.Concurrency > 1024 {
+			if config.Concurrency < 0 {
-			return nil, newError("invalid mux concurrency: ", config.Concurrency).AtWarning()
+				h.mux = &mux.ClientManager{Enabled: false}
-		}
+			}
-		h.mux = &mux.ClientManager{
+			if config.Concurrency == 0 {
-			Enabled: h.senderSettings.MultiplexSettings.Enabled,
+				config.Concurrency = 8 // same as before
-			Picker: &mux.IncrementalWorkerPicker{
+			}
-				Factory: &mux.DialingWorkerFactory{
+			if config.Concurrency > 0 {
-					Proxy:  proxyHandler,
+				h.mux = &mux.ClientManager{
-					Dialer: h,
+					Enabled: true,
-					Strategy: mux.ClientStrategy{
+					Picker: &mux.IncrementalWorkerPicker{
-						MaxConcurrency: config.Concurrency,
+						Factory: &mux.DialingWorkerFactory{
-						MaxConnection:  128,
+							Proxy:  proxyHandler,
 							Dialer: h,
 							Strategy: mux.ClientStrategy{
 								MaxConcurrency: uint32(config.Concurrency),
 								MaxConnection:  128,
 							},
 						},
 					},
-				},
+				}
-			},
+			}
 			if config.XudpConcurrency < 0 {
 				h.xudp = &mux.ClientManager{Enabled: false}
 			}
 			if config.XudpConcurrency == 0 {
 				h.xudp = nil // same as before
 			}
 			if config.XudpConcurrency > 0 {
 				h.xudp = &mux.ClientManager{
 					Enabled: true,
 					Picker: &mux.IncrementalWorkerPicker{
 						Factory: &mux.DialingWorkerFactory{
 							Proxy:  proxyHandler,
 							Dialer: h,
 							Strategy: mux.ClientStrategy{
 								MaxConcurrency: uint32(config.XudpConcurrency),
 								MaxConnection:  128,
 							},
 						},
 					},
 				}
 			}
 			h.udp443 = config.XudpProxyUDP443
 		}
 	}
@@ -136,31 +166,54 @@ func (h *Handler) Tag() string {
 // Dispatch implements proxy.Outbound.Dispatch.
 func (h *Handler) Dispatch(ctx context.Context, link *transport.Link) {
-	if h.mux != nil && (h.mux.Enabled || session.MuxPreferedFromContext(ctx)) {
+	if h.mux != nil {
-		if err := h.mux.Dispatch(ctx, link); err != nil {
+		test := func(err error) {
-			err := newError("failed to process mux outbound traffic").Base(err)
+			if err != nil {
-			session.SubmitOutboundErrorToOriginator(ctx, err)
+				err := newError("failed to process mux outbound traffic").Base(err)
-			err.WriteToLog(session.ExportIDToError(ctx))
+				session.SubmitOutboundErrorToOriginator(ctx, err)
-			common.Interrupt(link.Writer)
+				err.WriteToLog(session.ExportIDToError(ctx))
-		}
+				common.Interrupt(link.Writer)
 	} else {
 		err := h.proxy.Process(ctx, link, h)
 		if err != nil {
 			if errors.Is(err, io.EOF) || errors.Is(err, io.ErrClosedPipe) || errors.Is(err, context.Canceled) {
 				err = nil
 			}
 		}
-		if err != nil {
+		outbound := session.OutboundFromContext(ctx)
-			// Ensure outbound ray is properly closed.
+		if outbound.Target.Network == net.Network_UDP && outbound.Target.Port == 443 {
-			err := newError("failed to process outbound traffic").Base(err)
+			switch h.udp443 {
-			session.SubmitOutboundErrorToOriginator(ctx, err)
+			case "reject":
-			err.WriteToLog(session.ExportIDToError(ctx))
+				test(newError("XUDP rejected UDP/443 traffic").AtInfo())
-			common.Interrupt(link.Writer)
+				return
-		} else {
+			case "skip":
-			common.Must(common.Close(link.Writer))
+				goto out
 			}
 		}
 		if h.xudp != nil && outbound.Target.Network == net.Network_UDP {
 			if !h.xudp.Enabled {
 				goto out
 			}
 			test(h.xudp.Dispatch(ctx, link))
 			return
 		}
 		if h.mux.Enabled {
 			test(h.mux.Dispatch(ctx, link))
 			return
 		}
 		common.Interrupt(link.Reader)
 	}
 out:
 	err := h.proxy.Process(ctx, link, h)
 	if err != nil {
 		if errors.Is(err, io.EOF) || errors.Is(err, io.ErrClosedPipe) || errors.Is(err, context.Canceled) {
 			err = nil
 		}
 	}
 	if err != nil {
 		// Ensure outbound ray is properly closed.
 		err := newError("failed to process outbound traffic").Base(err)
 		session.SubmitOutboundErrorToOriginator(ctx, err)
 		err.WriteToLog(session.ExportIDToError(ctx))
 		common.Interrupt(link.Writer)
 	} else {
 		common.Close(link.Writer)
 	}
 	common.Interrupt(link.Reader)
 }
 // Address implements internet.Dialer.
--- a/app/proxyman/outbound/uot.go
+++ b/app/proxyman/outbound/uot.go
@@ -11,13 +11,21 @@ import (
 )
 func (h *Handler) getUoTConnection(ctx context.Context, dest net.Destination) (stat.Connection, error) {
-	if !dest.Address.Family().IsDomain() || dest.Address.Domain() != uot.UOTMagicAddress {
+	if !dest.Address.Family().IsDomain() {
 		return nil, os.ErrInvalid
 	}
 	var uotVersion int
 	if dest.Address.Domain() == uot.MagicAddress {
 		uotVersion = uot.Version
 	} else if dest.Address.Domain() == uot.LegacyMagicAddress {
 		uotVersion = uot.LegacyVersion
 	} else {
 		return nil, os.ErrInvalid
 	}
 	packetConn, err := internet.ListenSystemPacket(ctx, &net.UDPAddr{IP: net.AnyIP.IP(), Port: 0}, h.streamSettings.SocketSettings)
 	if err != nil {
 		return nil, newError("unable to listen socket").Base(err)
 	}
-	conn := uot.NewServerConn(packetConn)
+	conn := uot.NewServerConn(packetConn, uotVersion)
 	return h.getStatCouterConnection(conn), nil
 }
--- a/app/reverse/config.pb.go
+++ b/app/reverse/config.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: app/reverse/config.proto
 package reverse
--- a/app/router/command/command.pb.go
+++ b/app/router/command/command.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: app/router/command/command.proto
 package command
--- a/app/router/command/command_grpc.pb.go
+++ b/app/router/command/command_grpc.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.2.0
+// - protoc-gen-go-grpc v1.3.0
-// - protoc             v3.18.0
+// - protoc             v4.23.1
 // source: app/router/command/command.proto
 package command
@@ -18,6 +18,11 @@ import (
 // Requires gRPC-Go v1.32.0 or later.
 const _ = grpc.SupportPackageIsVersion7
 const (
 	RoutingService_SubscribeRoutingStats_FullMethodName = "/xray.app.router.command.RoutingService/SubscribeRoutingStats"
 	RoutingService_TestRoute_FullMethodName             = "/xray.app.router.command.RoutingService/TestRoute"
 )
 // RoutingServiceClient is the client API for RoutingService service.
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
@@ -35,7 +40,7 @@ func NewRoutingServiceClient(cc grpc.ClientConnInterface) RoutingServiceClient {
 }
 func (c *routingServiceClient) SubscribeRoutingStats(ctx context.Context, in *SubscribeRoutingStatsRequest, opts ...grpc.CallOption) (RoutingService_SubscribeRoutingStatsClient, error) {
-	stream, err := c.cc.NewStream(ctx, &RoutingService_ServiceDesc.Streams[0], "/xray.app.router.command.RoutingService/SubscribeRoutingStats", opts...)
+	stream, err := c.cc.NewStream(ctx, &RoutingService_ServiceDesc.Streams[0], RoutingService_SubscribeRoutingStats_FullMethodName, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -68,7 +73,7 @@ func (x *routingServiceSubscribeRoutingStatsClient) Recv() (*RoutingContext, err
 func (c *routingServiceClient) TestRoute(ctx context.Context, in *TestRouteRequest, opts ...grpc.CallOption) (*RoutingContext, error) {
 	out := new(RoutingContext)
-	err := c.cc.Invoke(ctx, "/xray.app.router.command.RoutingService/TestRoute", in, out, opts...)
+	err := c.cc.Invoke(ctx, RoutingService_TestRoute_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -138,7 +143,7 @@ func _RoutingService_TestRoute_Handler(srv interface{}, ctx context.Context, dec
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/xray.app.router.command.RoutingService/TestRoute",
+		FullMethod: RoutingService_TestRoute_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(RoutingServiceServer).TestRoute(ctx, req.(*TestRouteRequest))
--- a/app/router/condition.go
+++ b/app/router/condition.go
@@ -6,8 +6,6 @@ import (
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/strmatcher"
 	"github.com/xtls/xray-core/features/routing"
 	"go.starlark.net/starlark"
 	"go.starlark.net/syntax"
 )
 type Condition interface {
@@ -284,44 +282,22 @@ func (m *ProtocolMatcher) Apply(ctx routing.Context) bool {
 }
 type AttributeMatcher struct {
-	program *starlark.Program
+	configuredKeys map[string]string
 }
 func NewAttributeMatcher(code string) (*AttributeMatcher, error) {
 	starFile, err := syntax.Parse("attr.star", "satisfied=("+code+")", 0)
 	if err != nil {
 		return nil, newError("attr rule").Base(err)
 	}
 	p, err := starlark.FileProgram(starFile, func(name string) bool {
 		return name == "attrs"
 	})
 	if err != nil {
 		return nil, err
 	}
 	return &AttributeMatcher{
 		program: p,
 	}, nil
 }
 // Match implements attributes matching.
 func (m *AttributeMatcher) Match(attrs map[string]string) bool {
-	attrsDict := new(starlark.Dict)
+	// headers are insensitive most likely. So we do a convert
 	httpHeaders := make(map[string]string)
 	for key, value := range attrs {
-		attrsDict.SetKey(starlark.String(key), starlark.String(value))
+		httpHeaders[strings.ToLower(key)] = strings.ToLower(value)
 	}
-
+	for key, value := range m.configuredKeys {
-	predefined := make(starlark.StringDict)
+		if a, ok := httpHeaders[key]; !ok || !strings.Contains(a, value) {
-	predefined["attrs"] = attrsDict
+			return false
-
+		}
 	thread := &starlark.Thread{
 		Name: "matcher",
 	}
-	results, err := m.program.Init(thread, predefined)
+	return true
 	if err != nil {
 		newError("attr matcher").Base(err).WriteToLog()
 	}
 	satisfied := results["satisfied"]
 	return satisfied != nil && bool(satisfied.Truth())
 }
 // Apply implements Condition.
--- a/app/router/condition_test.go
+++ b/app/router/condition_test.go
@@ -307,8 +307,10 @@ func TestRoutingRule(t *testing.T) {
 		},
 		{
 			rule: &RoutingRule{
-				Protocol:   []string{"http"},
+				Protocol: []string{"http"},
-				Attributes: "attrs[':path'].startswith('/test')",
+				Attributes: map[string]string{
 					":path": "/test",
 				},
 			},
 			test: []ruleTest{
 				{
--- a/app/router/config.go
+++ b/app/router/config.go
@@ -1,6 +1,8 @@
 package router
 import (
 	"strings"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/features/outbound"
 	"github.com/xtls/xray-core/features/routing"
@@ -143,11 +145,11 @@ func (rr *RoutingRule) BuildCondition() (Condition, error) {
 	}
 	if len(rr.Attributes) > 0 {
-		cond, err := NewAttributeMatcher(rr.Attributes)
+		configuredKeys := make(map[string]string)
-		if err != nil {
+		for key, value := range rr.Attributes {
-			return nil, err
+			configuredKeys[strings.ToLower(key)] = strings.ToLower(value)
 		}
-		conds.Add(cond)
+		conds.Add(&AttributeMatcher{configuredKeys})
 	}
 	if conds.Len() == 0 {
--- a/app/router/config.pb.go
+++ b/app/router/config.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: app/router/config.proto
 package router
@@ -486,7 +486,7 @@ type RoutingRule struct {
 	// List of CIDRs for target IP address matching.
 	// Deprecated. Use geoip below.
 	//
-	// Deprecated: Do not use.
+	// Deprecated: Marked as deprecated in app/router/config.proto.
 	Cidr []*CIDR `protobuf:"bytes,3,rep,name=cidr,proto3" json:"cidr,omitempty"`
 	// List of GeoIPs for target IP address matching. If this entry exists, the
 	// cidr above will have no effect. GeoIP fields with the same country code are
@@ -496,30 +496,30 @@ type RoutingRule struct {
 	// A range of port [from, to]. If the destination port is in this range, this
 	// rule takes effect. Deprecated. Use port_list.
 	//
-	// Deprecated: Do not use.
+	// Deprecated: Marked as deprecated in app/router/config.proto.
 	PortRange *net.PortRange `protobuf:"bytes,4,opt,name=port_range,json=portRange,proto3" json:"port_range,omitempty"`
 	// List of ports.
 	PortList *net.PortList `protobuf:"bytes,14,opt,name=port_list,json=portList,proto3" json:"port_list,omitempty"`
 	// List of networks. Deprecated. Use networks.
 	//
-	// Deprecated: Do not use.
+	// Deprecated: Marked as deprecated in app/router/config.proto.
 	NetworkList *net.NetworkList `protobuf:"bytes,5,opt,name=network_list,json=networkList,proto3" json:"network_list,omitempty"`
 	// List of networks for matching.
 	Networks []net.Network `protobuf:"varint,13,rep,packed,name=networks,proto3,enum=xray.common.net.Network" json:"networks,omitempty"`
 	// List of CIDRs for source IP address matching.
 	//
-	// Deprecated: Do not use.
+	// Deprecated: Marked as deprecated in app/router/config.proto.
 	SourceCidr []*CIDR `protobuf:"bytes,6,rep,name=source_cidr,json=sourceCidr,proto3" json:"source_cidr,omitempty"`
 	// List of GeoIPs for source IP address matching. If this entry exists, the
 	// source_cidr above will have no effect.
 	SourceGeoip []*GeoIP `protobuf:"bytes,11,rep,name=source_geoip,json=sourceGeoip,proto3" json:"source_geoip,omitempty"`
 	// List of ports for source port matching.
-	SourcePortList *net.PortList `protobuf:"bytes,16,opt,name=source_port_list,json=sourcePortList,proto3" json:"source_port_list,omitempty"`
+	SourcePortList *net.PortList     `protobuf:"bytes,16,opt,name=source_port_list,json=sourcePortList,proto3" json:"source_port_list,omitempty"`
-	UserEmail      []string      `protobuf:"bytes,7,rep,name=user_email,json=userEmail,proto3" json:"user_email,omitempty"`
+	UserEmail      []string          `protobuf:"bytes,7,rep,name=user_email,json=userEmail,proto3" json:"user_email,omitempty"`
-	InboundTag     []string      `protobuf:"bytes,8,rep,name=inbound_tag,json=inboundTag,proto3" json:"inbound_tag,omitempty"`
+	InboundTag     []string          `protobuf:"bytes,8,rep,name=inbound_tag,json=inboundTag,proto3" json:"inbound_tag,omitempty"`
-	Protocol       []string      `protobuf:"bytes,9,rep,name=protocol,proto3" json:"protocol,omitempty"`
+	Protocol       []string          `protobuf:"bytes,9,rep,name=protocol,proto3" json:"protocol,omitempty"`
-	Attributes     string        `protobuf:"bytes,15,opt,name=attributes,proto3" json:"attributes,omitempty"`
+	Attributes     map[string]string `protobuf:"bytes,15,rep,name=attributes,proto3" json:"attributes,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
-	DomainMatcher  string        `protobuf:"bytes,17,opt,name=domain_matcher,json=domainMatcher,proto3" json:"domain_matcher,omitempty"`
+	DomainMatcher  string            `protobuf:"bytes,17,opt,name=domain_matcher,json=domainMatcher,proto3" json:"domain_matcher,omitempty"`
 }
 func (x *RoutingRule) Reset() {
@@ -582,7 +582,7 @@ func (x *RoutingRule) GetDomain() []*Domain {
 	return nil
 }
-// Deprecated: Do not use.
+// Deprecated: Marked as deprecated in app/router/config.proto.
 func (x *RoutingRule) GetCidr() []*CIDR {
 	if x != nil {
 		return x.Cidr
@@ -597,7 +597,7 @@ func (x *RoutingRule) GetGeoip() []*GeoIP {
 	return nil
 }
-// Deprecated: Do not use.
+// Deprecated: Marked as deprecated in app/router/config.proto.
 func (x *RoutingRule) GetPortRange() *net.PortRange {
 	if x != nil {
 		return x.PortRange
@@ -612,7 +612,7 @@ func (x *RoutingRule) GetPortList() *net.PortList {
 	return nil
 }
-// Deprecated: Do not use.
+// Deprecated: Marked as deprecated in app/router/config.proto.
 func (x *RoutingRule) GetNetworkList() *net.NetworkList {
 	if x != nil {
 		return x.NetworkList
@@ -627,7 +627,7 @@ func (x *RoutingRule) GetNetworks() []net.Network {
 	return nil
 }
-// Deprecated: Do not use.
+// Deprecated: Marked as deprecated in app/router/config.proto.
 func (x *RoutingRule) GetSourceCidr() []*CIDR {
 	if x != nil {
 		return x.SourceCidr
@@ -670,11 +670,11 @@ func (x *RoutingRule) GetProtocol() []string {
 	return nil
 }
-func (x *RoutingRule) GetAttributes() string {
+func (x *RoutingRule) GetAttributes() map[string]string {
 	if x != nil {
 		return x.Attributes
 	}
-	return ""
+	return nil
 }
 func (x *RoutingRule) GetDomainMatcher() string {
@@ -969,7 +969,7 @@ var file_app_router_config_proto_rawDesc = []byte{
 	0x74, 0x65, 0x4c, 0x69, 0x73, 0x74, 0x12, 0x2e, 0x0a, 0x05, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x18,
 	0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70,
 	0x2e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x2e, 0x47, 0x65, 0x6f, 0x53, 0x69, 0x74, 0x65, 0x52,
-	0x05, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x22, 0xb5, 0x06, 0x0a, 0x0b, 0x52, 0x6f, 0x75, 0x74, 0x69,
+	0x05, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x22, 0xa2, 0x07, 0x0a, 0x0b, 0x52, 0x6f, 0x75, 0x74, 0x69,
 	0x6e, 0x67, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x12, 0x0a, 0x03, 0x74, 0x61, 0x67, 0x18, 0x01, 0x20,
 	0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x03, 0x74, 0x61, 0x67, 0x12, 0x25, 0x0a, 0x0d, 0x62, 0x61,
 	0x6c, 0x61, 0x6e, 0x63, 0x69, 0x6e, 0x67, 0x5f, 0x74, 0x61, 0x67, 0x18, 0x0c, 0x20, 0x01, 0x28,
@@ -1015,43 +1015,49 @@ var file_app_router_config_proto_rawDesc = []byte{
 	0x69, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x5f, 0x74, 0x61, 0x67, 0x18, 0x08, 0x20, 0x03, 0x28,
 	0x09, 0x52, 0x0a, 0x69, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x54, 0x61, 0x67, 0x12, 0x1a, 0x0a,
 	0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x09, 0x20, 0x03, 0x28, 0x09, 0x52,
-	0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x1e, 0x0a, 0x0a, 0x61, 0x74, 0x74,
+	0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x4c, 0x0a, 0x0a, 0x61, 0x74, 0x74,
-	0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x18, 0x0f, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x61,
+	0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x18, 0x0f, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2c, 0x2e,
-	0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x64, 0x6f, 0x6d,
+	0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x2e,
-	0x61, 0x69, 0x6e, 0x5f, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x72, 0x18, 0x11, 0x20, 0x01, 0x28,
+	0x52, 0x6f, 0x75, 0x74, 0x69, 0x6e, 0x67, 0x52, 0x75, 0x6c, 0x65, 0x2e, 0x41, 0x74, 0x74, 0x72,
-	0x09, 0x52, 0x0d, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x72,
+	0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0a, 0x61, 0x74, 0x74,
-	0x42, 0x0c, 0x0a, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x74, 0x61, 0x67, 0x22, 0x6a,
+	0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x64, 0x6f, 0x6d, 0x61, 0x69,
-	0x0a, 0x0d, 0x42, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x69, 0x6e, 0x67, 0x52, 0x75, 0x6c, 0x65, 0x12,
+	0x6e, 0x5f, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x72, 0x18, 0x11, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x10, 0x0a, 0x03, 0x74, 0x61, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x74, 0x61,
+	0x0d, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x72, 0x1a, 0x3d,
-	0x67, 0x12, 0x2b, 0x0a, 0x11, 0x6f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x5f, 0x73, 0x65,
+	0x0a, 0x0f, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72,
-	0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x10, 0x6f, 0x75,
+	0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03,
-	0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x1a,
+	0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01,
-	0x0a, 0x08, 0x73, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09,
+	0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x0c, 0x0a,
-	0x52, 0x08, 0x73, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x22, 0x9b, 0x02, 0x0a, 0x06, 0x43,
+	0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x74, 0x61, 0x67, 0x22, 0x6a, 0x0a, 0x0d, 0x42,
-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x4f, 0x0a, 0x0f, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x5f,
+	0x61, 0x6c, 0x61, 0x6e, 0x63, 0x69, 0x6e, 0x67, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x10, 0x0a, 0x03,
-	0x73, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x26,
+	0x74, 0x61, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x74, 0x61, 0x67, 0x12, 0x2b,
-	0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72,
+	0x0a, 0x11, 0x6f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x5f, 0x73, 0x65, 0x6c, 0x65, 0x63,
-	0x2e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x53, 0x74,
+	0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x10, 0x6f, 0x75, 0x74, 0x62, 0x6f,
-	0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x52, 0x0e, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x53, 0x74,
+	0x75, 0x6e, 0x64, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x1a, 0x0a, 0x08, 0x73,
-	0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x12, 0x30, 0x0a, 0x04, 0x72, 0x75, 0x6c, 0x65, 0x18, 0x02,
+	0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x73,
-	0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e,
+	0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x22, 0x9b, 0x02, 0x0a, 0x06, 0x43, 0x6f, 0x6e, 0x66,
-	0x72, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x69, 0x6e, 0x67, 0x52, 0x75,
+	0x69, 0x67, 0x12, 0x4f, 0x0a, 0x0f, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x5f, 0x73, 0x74, 0x72,
-	0x6c, 0x65, 0x52, 0x04, 0x72, 0x75, 0x6c, 0x65, 0x12, 0x45, 0x0a, 0x0e, 0x62, 0x61, 0x6c, 0x61,
+	0x61, 0x74, 0x65, 0x67, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x26, 0x2e, 0x78, 0x72,
-	0x6e, 0x63, 0x69, 0x6e, 0x67, 0x5f, 0x72, 0x75, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b,
+	0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x2e, 0x43, 0x6f,
-	0x32, 0x1e, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x72, 0x6f, 0x75, 0x74,
+	0x6e, 0x66, 0x69, 0x67, 0x2e, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x53, 0x74, 0x72, 0x61, 0x74,
-	0x65, 0x72, 0x2e, 0x42, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x69, 0x6e, 0x67, 0x52, 0x75, 0x6c, 0x65,
+	0x65, 0x67, 0x79, 0x52, 0x0e, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x53, 0x74, 0x72, 0x61, 0x74,
-	0x52, 0x0d, 0x62, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x69, 0x6e, 0x67, 0x52, 0x75, 0x6c, 0x65, 0x22,
+	0x65, 0x67, 0x79, 0x12, 0x30, 0x0a, 0x04, 0x72, 0x75, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x03, 0x28,
-	0x47, 0x0a, 0x0e, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67,
+	0x0b, 0x32, 0x1c, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x72, 0x6f, 0x75,
-	0x79, 0x12, 0x08, 0x0a, 0x04, 0x41, 0x73, 0x49, 0x73, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x55,
+	0x74, 0x65, 0x72, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x69, 0x6e, 0x67, 0x52, 0x75, 0x6c, 0x65, 0x52,
-	0x73, 0x65, 0x49, 0x70, 0x10, 0x01, 0x12, 0x10, 0x0a, 0x0c, 0x49, 0x70, 0x49, 0x66, 0x4e, 0x6f,
+	0x04, 0x72, 0x75, 0x6c, 0x65, 0x12, 0x45, 0x0a, 0x0e, 0x62, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x69,
-	0x6e, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x10, 0x02, 0x12, 0x0e, 0x0a, 0x0a, 0x49, 0x70, 0x4f, 0x6e,
+	0x6e, 0x67, 0x5f, 0x72, 0x75, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1e, 0x2e,
-	0x44, 0x65, 0x6d, 0x61, 0x6e, 0x64, 0x10, 0x03, 0x42, 0x4f, 0x0a, 0x13, 0x63, 0x6f, 0x6d, 0x2e,
+	0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x2e,
-	0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x50,
+	0x42, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x69, 0x6e, 0x67, 0x52, 0x75, 0x6c, 0x65, 0x52, 0x0d, 0x62,
-	0x01, 0x5a, 0x24, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78, 0x74,
+	0x61, 0x6c, 0x61, 0x6e, 0x63, 0x69, 0x6e, 0x67, 0x52, 0x75, 0x6c, 0x65, 0x22, 0x47, 0x0a, 0x0e,
-	0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61, 0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x61, 0x70, 0x70,
+	0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x12, 0x08,
-	0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72, 0xaa, 0x02, 0x0f, 0x58, 0x72, 0x61, 0x79, 0x2e, 0x41,
+	0x0a, 0x04, 0x41, 0x73, 0x49, 0x73, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x55, 0x73, 0x65, 0x49,
-	0x70, 0x70, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x70, 0x10, 0x01, 0x12, 0x10, 0x0a, 0x0c, 0x49, 0x70, 0x49, 0x66, 0x4e, 0x6f, 0x6e, 0x4d, 0x61,
-	0x33,
+	0x74, 0x63, 0x68, 0x10, 0x02, 0x12, 0x0e, 0x0a, 0x0a, 0x49, 0x70, 0x4f, 0x6e, 0x44, 0x65, 0x6d,
 	0x61, 0x6e, 0x64, 0x10, 0x03, 0x42, 0x4f, 0x0a, 0x13, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61,
 	0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x50, 0x01, 0x5a, 0x24,
 	0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f,
 	0x78, 0x72, 0x61, 0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x61, 0x70, 0x70, 0x2f, 0x72, 0x6f,
 	0x75, 0x74, 0x65, 0x72, 0xaa, 0x02, 0x0f, 0x58, 0x72, 0x61, 0x79, 0x2e, 0x41, 0x70, 0x70, 0x2e,
 	0x52, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 var (
@@ -1067,7 +1073,7 @@ func file_app_router_config_proto_rawDescGZIP() []byte {
 }
 var file_app_router_config_proto_enumTypes = make([]protoimpl.EnumInfo, 2)
-var file_app_router_config_proto_msgTypes = make([]protoimpl.MessageInfo, 10)
+var file_app_router_config_proto_msgTypes = make([]protoimpl.MessageInfo, 11)
 var file_app_router_config_proto_goTypes = []interface{}{
 	(Domain_Type)(0),           // 0: xray.app.router.Domain.Type
 	(Config_DomainStrategy)(0), // 1: xray.app.router.Config.DomainStrategy
@@ -1081,10 +1087,11 @@ var file_app_router_config_proto_goTypes = []interface{}{
 	(*BalancingRule)(nil),      // 9: xray.app.router.BalancingRule
 	(*Config)(nil),             // 10: xray.app.router.Config
 	(*Domain_Attribute)(nil),   // 11: xray.app.router.Domain.Attribute
-	(*net.PortRange)(nil),      // 12: xray.common.net.PortRange
+	nil,                        // 12: xray.app.router.RoutingRule.AttributesEntry
-	(*net.PortList)(nil),       // 13: xray.common.net.PortList
+	(*net.PortRange)(nil),      // 13: xray.common.net.PortRange
-	(*net.NetworkList)(nil),    // 14: xray.common.net.NetworkList
+	(*net.PortList)(nil),       // 14: xray.common.net.PortList
-	(net.Network)(0),           // 15: xray.common.net.Network
+	(*net.NetworkList)(nil),    // 15: xray.common.net.NetworkList
 	(net.Network)(0),           // 16: xray.common.net.Network
 }
 var file_app_router_config_proto_depIdxs = []int32{
 	0,  // 0: xray.app.router.Domain.type:type_name -> xray.app.router.Domain.Type
@@ -1096,21 +1103,22 @@ var file_app_router_config_proto_depIdxs = []int32{
 	2,  // 6: xray.app.router.RoutingRule.domain:type_name -> xray.app.router.Domain
 	3,  // 7: xray.app.router.RoutingRule.cidr:type_name -> xray.app.router.CIDR
 	4,  // 8: xray.app.router.RoutingRule.geoip:type_name -> xray.app.router.GeoIP
-	12, // 9: xray.app.router.RoutingRule.port_range:type_name -> xray.common.net.PortRange
+	13, // 9: xray.app.router.RoutingRule.port_range:type_name -> xray.common.net.PortRange
-	13, // 10: xray.app.router.RoutingRule.port_list:type_name -> xray.common.net.PortList
+	14, // 10: xray.app.router.RoutingRule.port_list:type_name -> xray.common.net.PortList
-	14, // 11: xray.app.router.RoutingRule.network_list:type_name -> xray.common.net.NetworkList
+	15, // 11: xray.app.router.RoutingRule.network_list:type_name -> xray.common.net.NetworkList
-	15, // 12: xray.app.router.RoutingRule.networks:type_name -> xray.common.net.Network
+	16, // 12: xray.app.router.RoutingRule.networks:type_name -> xray.common.net.Network
 	3,  // 13: xray.app.router.RoutingRule.source_cidr:type_name -> xray.app.router.CIDR
 	4,  // 14: xray.app.router.RoutingRule.source_geoip:type_name -> xray.app.router.GeoIP
-	13, // 15: xray.app.router.RoutingRule.source_port_list:type_name -> xray.common.net.PortList
+	14, // 15: xray.app.router.RoutingRule.source_port_list:type_name -> xray.common.net.PortList
-	1,  // 16: xray.app.router.Config.domain_strategy:type_name -> xray.app.router.Config.DomainStrategy
+	12, // 16: xray.app.router.RoutingRule.attributes:type_name -> xray.app.router.RoutingRule.AttributesEntry
-	8,  // 17: xray.app.router.Config.rule:type_name -> xray.app.router.RoutingRule
+	1,  // 17: xray.app.router.Config.domain_strategy:type_name -> xray.app.router.Config.DomainStrategy
-	9,  // 18: xray.app.router.Config.balancing_rule:type_name -> xray.app.router.BalancingRule
+	8,  // 18: xray.app.router.Config.rule:type_name -> xray.app.router.RoutingRule
-	19, // [19:19] is the sub-list for method output_type
+	9,  // 19: xray.app.router.Config.balancing_rule:type_name -> xray.app.router.BalancingRule
-	19, // [19:19] is the sub-list for method input_type
+	20, // [20:20] is the sub-list for method output_type
-	19, // [19:19] is the sub-list for extension type_name
+	20, // [20:20] is the sub-list for method input_type
-	19, // [19:19] is the sub-list for extension extendee
+	20, // [20:20] is the sub-list for extension type_name
-	0,  // [0:19] is the sub-list for field type_name
+	20, // [20:20] is the sub-list for extension extendee
 	0,  // [0:20] is the sub-list for field type_name
 }
 func init() { file_app_router_config_proto_init() }
@@ -1254,7 +1262,7 @@ func file_app_router_config_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_app_router_config_proto_rawDesc,
 			NumEnums:      2,
-			NumMessages:   10,
+			NumMessages:   11,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
--- a/app/router/config.proto
+++ b/app/router/config.proto
@@ -119,7 +119,7 @@ message RoutingRule {
  repeated string inbound_tag = 8;
  repeated string protocol = 9;
-  string attributes = 15;
+  map<string, string> attributes = 15;
  string domain_matcher = 17;
 }
--- a/app/stats/command/command.pb.go
+++ b/app/stats/command/command.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: app/stats/command/command.proto
 package command
--- a/app/stats/command/command_grpc.pb.go
+++ b/app/stats/command/command_grpc.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.2.0
+// - protoc-gen-go-grpc v1.3.0
-// - protoc             v3.18.0
+// - protoc             v4.23.1
 // source: app/stats/command/command.proto
 package command
@@ -18,6 +18,12 @@ import (
 // Requires gRPC-Go v1.32.0 or later.
 const _ = grpc.SupportPackageIsVersion7
 const (
 	StatsService_GetStats_FullMethodName    = "/xray.app.stats.command.StatsService/GetStats"
 	StatsService_QueryStats_FullMethodName  = "/xray.app.stats.command.StatsService/QueryStats"
 	StatsService_GetSysStats_FullMethodName = "/xray.app.stats.command.StatsService/GetSysStats"
 )
 // StatsServiceClient is the client API for StatsService service.
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
@@ -37,7 +43,7 @@ func NewStatsServiceClient(cc grpc.ClientConnInterface) StatsServiceClient {
 func (c *statsServiceClient) GetStats(ctx context.Context, in *GetStatsRequest, opts ...grpc.CallOption) (*GetStatsResponse, error) {
 	out := new(GetStatsResponse)
-	err := c.cc.Invoke(ctx, "/xray.app.stats.command.StatsService/GetStats", in, out, opts...)
+	err := c.cc.Invoke(ctx, StatsService_GetStats_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -46,7 +52,7 @@ func (c *statsServiceClient) GetStats(ctx context.Context, in *GetStatsRequest,
 func (c *statsServiceClient) QueryStats(ctx context.Context, in *QueryStatsRequest, opts ...grpc.CallOption) (*QueryStatsResponse, error) {
 	out := new(QueryStatsResponse)
-	err := c.cc.Invoke(ctx, "/xray.app.stats.command.StatsService/QueryStats", in, out, opts...)
+	err := c.cc.Invoke(ctx, StatsService_QueryStats_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -55,7 +61,7 @@ func (c *statsServiceClient) QueryStats(ctx context.Context, in *QueryStatsReque
 func (c *statsServiceClient) GetSysStats(ctx context.Context, in *SysStatsRequest, opts ...grpc.CallOption) (*SysStatsResponse, error) {
 	out := new(SysStatsResponse)
-	err := c.cc.Invoke(ctx, "/xray.app.stats.command.StatsService/GetSysStats", in, out, opts...)
+	err := c.cc.Invoke(ctx, StatsService_GetSysStats_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -108,7 +114,7 @@ func _StatsService_GetStats_Handler(srv interface{}, ctx context.Context, dec fu
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/xray.app.stats.command.StatsService/GetStats",
+		FullMethod: StatsService_GetStats_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(StatsServiceServer).GetStats(ctx, req.(*GetStatsRequest))
@@ -126,7 +132,7 @@ func _StatsService_QueryStats_Handler(srv interface{}, ctx context.Context, dec
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/xray.app.stats.command.StatsService/QueryStats",
+		FullMethod: StatsService_QueryStats_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(StatsServiceServer).QueryStats(ctx, req.(*QueryStatsRequest))
@@ -144,7 +150,7 @@ func _StatsService_GetSysStats_Handler(srv interface{}, ctx context.Context, dec
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/xray.app.stats.command.StatsService/GetSysStats",
+		FullMethod: StatsService_GetSysStats_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(StatsServiceServer).GetSysStats(ctx, req.(*SysStatsRequest))
--- a/app/stats/config.pb.go
+++ b/app/stats/config.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: app/stats/config.proto
 package stats
--- a/common/buf/buffer.go
+++ b/common/buf/buffer.go
@@ -160,6 +160,19 @@ func (b *Buffer) BytesTo(to int32) []byte {
 	return b.v[b.start : b.start+to]
 }
 // Check makes sure that 0 <= b.start <= b.end.
 func (b *Buffer) Check() {
 	if b.start < 0 {
 		b.start = 0
 	}
 	if b.end < 0 {
 		b.end = 0
 	}
 	if b.start > b.end {
 		b.start = b.end
 	}
 }
 // Resize cuts the buffer at the given position.
 func (b *Buffer) Resize(from, to int32) {
 	if from < 0 {
@@ -173,6 +186,7 @@ func (b *Buffer) Resize(from, to int32) {
 	}
 	b.end = b.start + to
 	b.start += from
 	b.Check()
 }
 // Advance cuts the buffer at the given position.
@@ -181,6 +195,7 @@ func (b *Buffer) Advance(from int32) {
 		from += b.Len()
 	}
 	b.start += from
 	b.Check()
 }
 // Len returns the length of the buffer content.
--- a/common/errors/multi_error.go
+++ b/common/errors/multi_error.go
@@ -28,3 +28,20 @@ func Combine(maybeError ...error) error {
 	}
 	return errs
 }
 func AllEqual(expected error, actual error) bool {
 	switch errs := actual.(type) {
 	case multiError:
 		if len(errs) == 0 {
 			return false
 		}
 		for _, err := range errs {
 			if err != expected {
 				return false
 			}
 		}
 		return true
 	default:
 		return errs == expected
 	}
 }
--- a/common/log/log.pb.go
+++ b/common/log/log.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: common/log/log.proto
 package log
--- a/common/mux/client.go
+++ b/common/mux/client.go
@@ -14,6 +14,7 @@ import (
 	"github.com/xtls/xray-core/common/session"
 	"github.com/xtls/xray-core/common/signal/done"
 	"github.com/xtls/xray-core/common/task"
 	"github.com/xtls/xray-core/common/xudp"
 	"github.com/xtls/xray-core/proxy"
 	"github.com/xtls/xray-core/transport"
 	"github.com/xtls/xray-core/transport/internet"
@@ -247,22 +248,20 @@ func fetchInput(ctx context.Context, s *Session, output buf.Writer) {
 		transferType = protocol.TransferTypePacket
 	}
 	s.transferType = transferType
-	writer := NewWriter(s.ID, dest, output, transferType)
+	writer := NewWriter(s.ID, dest, output, transferType, xudp.GetGlobalID(ctx))
-	defer s.Close()
+	defer s.Close(false)
 	defer writer.Close()
 	newError("dispatching request to ", dest).WriteToLog(session.ExportIDToError(ctx))
 	if err := writeFirstPayload(s.input, writer); err != nil {
 		newError("failed to write first payload").Base(err).WriteToLog(session.ExportIDToError(ctx))
 		writer.hasError = true
 		common.Interrupt(s.input)
 		return
 	}
 	if err := buf.Copy(s.input, writer); err != nil {
 		newError("failed to fetch all input").Base(err).WriteToLog(session.ExportIDToError(ctx))
 		writer.hasError = true
 		common.Interrupt(s.input)
 		return
 	}
 }
@@ -335,15 +334,8 @@ func (m *ClientWorker) handleStatusKeep(meta *FrameMetadata, reader *buf.Buffere
 	err := buf.Copy(rr, s.output)
 	if err != nil && buf.IsWriteError(err) {
 		newError("failed to write to downstream. closing session ", s.ID).Base(err).WriteToLog()
-
+		s.Close(false)
-		// Notify remote peer to close this session.
+		return buf.Copy(rr, buf.Discard)
 		closingWriter := NewResponseWriter(meta.SessionID, m.link.Writer, protocol.TransferTypeStream)
 		closingWriter.Close()
 		drainErr := buf.Copy(rr, buf.Discard)
 		common.Interrupt(s.input)
 		s.Close()
 		return drainErr
 	}
 	return err
@@ -351,12 +343,7 @@ func (m *ClientWorker) handleStatusKeep(meta *FrameMetadata, reader *buf.Buffere
 func (m *ClientWorker) handleStatusEnd(meta *FrameMetadata, reader *buf.BufferedReader) error {
 	if s, found := m.sessionManager.Get(meta.SessionID); found {
-		if meta.Option.Has(OptionError) {
+		s.Close(false)
 			common.Interrupt(s.input)
 			common.Interrupt(s.output)
 		}
 		common.Interrupt(s.input)
 		s.Close()
 	}
 	if meta.Option.Has(OptionData) {
 		return buf.Copy(NewStreamReader(reader), buf.Discard)
--- a/common/mux/frame.go
+++ b/common/mux/frame.go
@@ -58,6 +58,7 @@ type FrameMetadata struct {
 	SessionID     uint16
 	Option        bitmask.Byte
 	SessionStatus SessionStatus
 	GlobalID      [8]byte
 }
 func (f FrameMetadata) WriteTo(b *buf.Buffer) error {
@@ -81,6 +82,9 @@ func (f FrameMetadata) WriteTo(b *buf.Buffer) error {
 		if err := addrParser.WriteAddressPort(b, f.Target.Address, f.Target.Port); err != nil {
 			return err
 		}
 		if b.UDP != nil { // make sure it's user's proxy request
 			b.Write(f.GlobalID[:]) // no need to check whether it's empty
 		}
 	} else if b.UDP != nil {
 		b.WriteByte(byte(TargetNetworkUDP))
 		addrParser.WriteAddressPort(b, b.UDP.Address, b.UDP.Port)
@@ -122,7 +126,8 @@ func (f *FrameMetadata) UnmarshalFromBuffer(b *buf.Buffer) error {
 	f.Option = bitmask.Byte(b.Byte(3))
 	f.Target.Network = net.Network_Unknown
-	if f.SessionStatus == SessionStatusNew || (f.SessionStatus == SessionStatusKeep && b.Len() != 4) {
+	if f.SessionStatus == SessionStatusNew || (f.SessionStatus == SessionStatusKeep && b.Len() > 4 &&
 		TargetNetwork(b.Byte(4)) == TargetNetworkUDP) { // MUST check the flag first
 		if b.Len() < 8 {
 			return newError("insufficient buffer: ", b.Len())
 		}
@@ -144,5 +149,11 @@ func (f *FrameMetadata) UnmarshalFromBuffer(b *buf.Buffer) error {
 		}
 	}
 	// Application data is essential, to test whether the pipe is closed.
 	if f.SessionStatus == SessionStatusNew && f.Option.Has(OptionData) &&
 		f.Target.Network == net.Network_UDP && b.Len() >= 8 {
 		copy(f.GlobalID[:], b.Bytes())
 	}
 	return nil
 }
--- a/common/mux/mux_test.go
+++ b/common/mux/mux_test.go
@@ -32,13 +32,13 @@ func TestReaderWriter(t *testing.T) {
 	pReader, pWriter := pipe.New(pipe.WithSizeLimit(1024))
 	dest := net.TCPDestination(net.DomainAddress("example.com"), 80)
-	writer := NewWriter(1, dest, pWriter, protocol.TransferTypeStream)
+	writer := NewWriter(1, dest, pWriter, protocol.TransferTypeStream, [8]byte{})
 	dest2 := net.TCPDestination(net.LocalHostIP, 443)
-	writer2 := NewWriter(2, dest2, pWriter, protocol.TransferTypeStream)
+	writer2 := NewWriter(2, dest2, pWriter, protocol.TransferTypeStream, [8]byte{})
 	dest3 := net.TCPDestination(net.LocalHostIPv6, 18374)
-	writer3 := NewWriter(3, dest3, pWriter, protocol.TransferTypeStream)
+	writer3 := NewWriter(3, dest3, pWriter, protocol.TransferTypeStream, [8]byte{})
 	writePayload := func(writer *Writer, payload ...byte) error {
 		b := buf.New()
--- a/common/mux/server.go
+++ b/common/mux/server.go
@@ -99,7 +99,7 @@ func handle(ctx context.Context, s *Session, output buf.Writer) {
 	}
 	writer.Close()
-	s.Close()
+	s.Close(false)
 }
 func (w *ServerWorker) ActiveConnections() uint32 {
@@ -131,6 +131,81 @@ func (w *ServerWorker) handleStatusNew(ctx context.Context, meta *FrameMetadata,
 		}
 		ctx = log.ContextWithAccessMessage(ctx, msg)
 	}
 	if network := session.AllowedNetworkFromContext(ctx); network != net.Network_Unknown {
 		if meta.Target.Network != network {
 			return newError("unexpected network ", meta.Target.Network) // it will break the whole Mux connection
 		}
 	}
 	if meta.GlobalID != [8]byte{} { // MUST ignore empty Global ID
 		mb, err := NewPacketReader(reader, &meta.Target).ReadMultiBuffer()
 		if err != nil {
 			return err
 		}
 		XUDPManager.Lock()
 		x := XUDPManager.Map[meta.GlobalID]
 		if x == nil {
 			x = &XUDP{GlobalID: meta.GlobalID}
 			XUDPManager.Map[meta.GlobalID] = x
 			XUDPManager.Unlock()
 		} else {
 			if x.Status == Initializing { // nearly impossible
 				XUDPManager.Unlock()
 				newError("XUDP hit ", meta.GlobalID).Base(errors.New("conflict")).AtWarning().WriteToLog(session.ExportIDToError(ctx))
 				// It's not a good idea to return an err here, so just let client wait.
 				// Client will receive an End frame after sending a Keep frame.
 				return nil
 			}
 			x.Status = Initializing
 			XUDPManager.Unlock()
 			x.Mux.Close(false) // detach from previous Mux
 			b := buf.New()
 			b.Write(mb[0].Bytes())
 			b.UDP = mb[0].UDP
 			if err = x.Mux.output.WriteMultiBuffer(mb); err != nil {
 				x.Interrupt()
 				mb = buf.MultiBuffer{b}
 			} else {
 				b.Release()
 				mb = nil
 			}
 			newError("XUDP hit ", meta.GlobalID).Base(err).WriteToLog(session.ExportIDToError(ctx))
 		}
 		if mb != nil {
 			ctx = session.ContextWithTimeoutOnly(ctx, true)
 			// Actually, it won't return an error in Xray-core's implementations.
 			link, err := w.dispatcher.Dispatch(ctx, meta.Target)
 			if err != nil {
 				XUDPManager.Lock()
 				delete(XUDPManager.Map, x.GlobalID)
 				XUDPManager.Unlock()
 				err = newError("XUDP new ", meta.GlobalID).Base(errors.New("failed to dispatch request to ", meta.Target).Base(err))
 				return err // it will break the whole Mux connection
 			}
 			link.Writer.WriteMultiBuffer(mb) // it's meaningless to test a new pipe
 			x.Mux = &Session{
 				input:  link.Reader,
 				output: link.Writer,
 			}
 			newError("XUDP new ", meta.GlobalID).Base(err).WriteToLog(session.ExportIDToError(ctx))
 		}
 		x.Mux = &Session{
 			input:        x.Mux.input,
 			output:       x.Mux.output,
 			parent:       w.sessionManager,
 			ID:           meta.SessionID,
 			transferType: protocol.TransferTypePacket,
 			XUDP:         x,
 		}
 		go handle(ctx, x.Mux, w.link.Writer)
 		x.Status = Active
 		if !w.sessionManager.Add(x.Mux) {
 			x.Mux.Close(false)
 		}
 		return nil
 	}
 	link, err := w.dispatcher.Dispatch(ctx, meta.Target)
 	if err != nil {
 		if meta.Option.Has(OptionData) {
@@ -157,8 +232,7 @@ func (w *ServerWorker) handleStatusNew(ctx context.Context, meta *FrameMetadata,
 	rr := s.NewReader(reader, &meta.Target)
 	if err := buf.Copy(rr, s.output); err != nil {
 		buf.Copy(rr, buf.Discard)
-		common.Interrupt(s.input)
+		return s.Close(false)
 		return s.Close()
 	}
 	return nil
 }
@@ -182,15 +256,8 @@ func (w *ServerWorker) handleStatusKeep(meta *FrameMetadata, reader *buf.Buffere
 	if err != nil && buf.IsWriteError(err) {
 		newError("failed to write to downstream writer. closing session ", s.ID).Base(err).WriteToLog()
-
+		s.Close(false)
-		// Notify remote peer to close this session.
+		return buf.Copy(rr, buf.Discard)
 		closingWriter := NewResponseWriter(meta.SessionID, w.link.Writer, protocol.TransferTypeStream)
 		closingWriter.Close()
 		drainErr := buf.Copy(rr, buf.Discard)
 		common.Interrupt(s.input)
 		s.Close()
 		return drainErr
 	}
 	return err
@@ -198,12 +265,7 @@ func (w *ServerWorker) handleStatusKeep(meta *FrameMetadata, reader *buf.Buffere
 func (w *ServerWorker) handleStatusEnd(meta *FrameMetadata, reader *buf.BufferedReader) error {
 	if s, found := w.sessionManager.Get(meta.SessionID); found {
-		if meta.Option.Has(OptionError) {
+		s.Close(false)
 			common.Interrupt(s.input)
 			common.Interrupt(s.output)
 		}
 		common.Interrupt(s.input)
 		s.Close()
 	}
 	if meta.Option.Has(OptionData) {
 		return buf.Copy(NewStreamReader(reader), buf.Discard)
--- a/common/mux/session.go
+++ b/common/mux/session.go
@@ -1,12 +1,16 @@
 package mux
 import (
 	"io"
 	"runtime"
 	"sync"
 	"time"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/buf"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/protocol"
 	"github.com/xtls/xray-core/transport/pipe"
 )
 type SessionManager struct {
@@ -61,21 +65,25 @@ func (m *SessionManager) Allocate() *Session {
 	return s
 }
-func (m *SessionManager) Add(s *Session) {
+func (m *SessionManager) Add(s *Session) bool {
 	m.Lock()
 	defer m.Unlock()
 	if m.closed {
-		return
+		return false
 	}
 	m.count++
 	m.sessions[s.ID] = s
 	return true
 }
-func (m *SessionManager) Remove(id uint16) {
+func (m *SessionManager) Remove(locked bool, id uint16) {
-	m.Lock()
+	if !locked {
-	defer m.Unlock()
+		m.Lock()
 		defer m.Unlock()
 	}
 	locked = true
 	if m.closed {
 		return
@@ -83,9 +91,11 @@ func (m *SessionManager) Remove(id uint16) {
 	delete(m.sessions, id)
-	if len(m.sessions) == 0 {
+	/*
-		m.sessions = make(map[uint16]*Session, 16)
+		if len(m.sessions) == 0 {
-	}
+			m.sessions = make(map[uint16]*Session, 16)
 		}
 	*/
 }
 func (m *SessionManager) Get(id uint16) (*Session, bool) {
@@ -127,8 +137,7 @@ func (m *SessionManager) Close() error {
 	m.closed = true
 	for _, s := range m.sessions {
-		common.Close(s.input)
+		s.Close(true)
 		common.Close(s.output)
 	}
 	m.sessions = nil
@@ -142,13 +151,40 @@ type Session struct {
 	parent       *SessionManager
 	ID           uint16
 	transferType protocol.TransferType
 	closed       bool
 	XUDP         *XUDP
 }
 // Close closes all resources associated with this session.
-func (s *Session) Close() error {
+func (s *Session) Close(locked bool) error {
-	common.Close(s.output)
+	if !locked {
-	common.Close(s.input)
+		s.parent.Lock()
-	s.parent.Remove(s.ID)
+		defer s.parent.Unlock()
 	}
 	locked = true
 	if s.closed {
 		return nil
 	}
 	s.closed = true
 	if s.XUDP == nil {
 		common.Interrupt(s.input)
 		common.Close(s.output)
 	} else {
 		// Stop existing handle(), then trigger writer.Close().
 		// Note that s.output may be dispatcher.SizeStatWriter.
 		s.input.(*pipe.Reader).ReturnAnError(io.EOF)
 		runtime.Gosched()
 		// If the error set by ReturnAnError still exists, clear it.
 		s.input.(*pipe.Reader).Recover()
 		XUDPManager.Lock()
 		if s.XUDP.Status == Active {
 			s.XUDP.Expire = time.Now().Add(time.Minute)
 			s.XUDP.Status = Expiring
 			newError("XUDP put ", s.XUDP.GlobalID).AtDebug().WriteToLog()
 		}
 		XUDPManager.Unlock()
 	}
 	s.parent.Remove(locked, s.ID)
 	return nil
 }
@@ -159,3 +195,45 @@ func (s *Session) NewReader(reader *buf.BufferedReader, dest *net.Destination) b
 	}
 	return NewPacketReader(reader, dest)
 }
 const (
 	Initializing = 0
 	Active       = 1
 	Expiring     = 2
 )
 type XUDP struct {
 	GlobalID [8]byte
 	Status   uint64
 	Expire   time.Time
 	Mux      *Session
 }
 func (x *XUDP) Interrupt() {
 	common.Interrupt(x.Mux.input)
 	common.Close(x.Mux.output)
 }
 var XUDPManager struct {
 	sync.Mutex
 	Map map[[8]byte]*XUDP
 }
 func init() {
 	XUDPManager.Map = make(map[[8]byte]*XUDP)
 	go func() {
 		for {
 			time.Sleep(time.Minute)
 			now := time.Now()
 			XUDPManager.Lock()
 			for id, x := range XUDPManager.Map {
 				if x.Status == Expiring && now.After(x.Expire) {
 					x.Interrupt()
 					delete(XUDPManager.Map, id)
 					newError("XUDP del ", id).AtDebug().WriteToLog()
 				}
 			}
 			XUDPManager.Unlock()
 		}
 	}()
 }
--- a/common/mux/session_test.go
+++ b/common/mux/session_test.go
@@ -44,7 +44,7 @@ func TestSessionManagerClose(t *testing.T) {
 	if m.CloseIfNoSession() {
 		t.Error("able to close")
 	}
-	m.Remove(s.ID)
+	m.Remove(false, s.ID)
 	if !m.CloseIfNoSession() {
 		t.Error("not able to close")
 	}
--- a/common/mux/writer.go
+++ b/common/mux/writer.go
@@ -15,15 +15,17 @@ type Writer struct {
 	followup     bool
 	hasError     bool
 	transferType protocol.TransferType
 	globalID     [8]byte
 }
-func NewWriter(id uint16, dest net.Destination, writer buf.Writer, transferType protocol.TransferType) *Writer {
+func NewWriter(id uint16, dest net.Destination, writer buf.Writer, transferType protocol.TransferType, globalID [8]byte) *Writer {
 	return &Writer{
 		id:           id,
 		dest:         dest,
 		writer:       writer,
 		followup:     false,
 		transferType: transferType,
 		globalID:     globalID,
 	}
 }
@@ -40,6 +42,7 @@ func (w *Writer) getNextFrameMeta() FrameMetadata {
 	meta := FrameMetadata{
 		SessionID: w.id,
 		Target:    w.dest,
 		GlobalID:  w.globalID,
 	}
 	if w.followup {
--- a/common/net/address.pb.go
+++ b/common/net/address.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: common/net/address.proto
 package net
--- a/common/net/destination.pb.go
+++ b/common/net/destination.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: common/net/destination.proto
 package net
--- a/common/net/network.pb.go
+++ b/common/net/network.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: common/net/network.proto
 package net
@@ -24,7 +24,7 @@ type Network int32
 const (
 	Network_Unknown Network = 0
-	// Deprecated: Do not use.
+	// Deprecated: Marked as deprecated in common/net/network.proto.
 	Network_RawTCP Network = 1
 	Network_TCP    Network = 2
 	Network_UDP    Network = 3
--- a/common/net/port.pb.go
+++ b/common/net/port.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: common/net/port.proto
 package net
--- a/common/platform/filesystem/file.go
+++ b/common/platform/filesystem/file.go
@@ -3,7 +3,7 @@ package filesystem
 import (
 	"io"
 	"os"
-	"path/filepath"
+
 	"github.com/xtls/xray-core/common/buf"
 	"github.com/xtls/xray-core/common/platform"
 )
@@ -11,11 +11,7 @@ import (
 type FileReaderFunc func(path string) (io.ReadCloser, error)
 var NewFileReader FileReaderFunc = func(path string) (io.ReadCloser, error) {
-	resolved_path,err:=filepath.EvalSymlinks(path)
+	return os.Open(path)
 	if err!= nil{
 		return nil,err
 	}
 	return os.Open(resolved_path)
 }
 func ReadFile(path string) ([]byte, error) {
--- a/common/protocol/headers.go
+++ b/common/protocol/headers.go
@@ -6,6 +6,7 @@ import (
 	"github.com/xtls/xray-core/common/bitmask"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/uuid"
 	"golang.org/x/sys/cpu"
 )
 // RequestCommand is a custom command in a proxy request.
@@ -29,11 +30,10 @@ func (c RequestCommand) TransferType() TransferType {
 }
 const (
-	// RequestOptionChunkStream indicates request payload is chunked. Each chunk consists of length, authentication and payload.
+	// [DEPRECATED 2023-06] RequestOptionChunkStream indicates request payload is chunked. Each chunk consists of length, authentication and payload.
 	RequestOptionChunkStream bitmask.Byte = 0x01
-	// RequestOptionConnectionReuse indicates client side expects to reuse the connection.
+	// 0x02 legacy setting
 	RequestOptionConnectionReuse bitmask.Byte = 0x02
 	RequestOptionChunkMasking bitmask.Byte = 0x04
@@ -75,13 +75,24 @@ type CommandSwitchAccount struct {
 	Port     net.Port
 	ID       uuid.UUID
 	Level    uint32
 	AlterIds uint16
 	ValidMin byte
 }
 var (
 	hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ
 	hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
 	// Keep in sync with crypto/aes/cipher_s390x.go.
 	hasGCMAsmS390X = cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR &&
 		(cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)
 	hasAESGCMHardwareSupport = runtime.GOARCH == "amd64" && hasGCMAsmAMD64 ||
 		runtime.GOARCH == "arm64" && hasGCMAsmARM64 ||
 		runtime.GOARCH == "s390x" && hasGCMAsmS390X
 )
 func (sc *SecurityConfig) GetSecurityType() SecurityType {
 	if sc == nil || sc.Type == SecurityType_AUTO {
-		if runtime.GOARCH == "amd64" || runtime.GOARCH == "s390x" || runtime.GOARCH == "arm64" {
+		if hasAESGCMHardwareSupport {
 			return SecurityType_AES128_GCM
 		}
 		return SecurityType_CHACHA20_POLY1305
--- a/common/protocol/headers.pb.go
+++ b/common/protocol/headers.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: common/protocol/headers.proto
 package protocol
@@ -24,11 +24,10 @@ type SecurityType int32
 const (
 	SecurityType_UNKNOWN           SecurityType = 0
 	SecurityType_LEGACY            SecurityType = 1
 	SecurityType_AUTO              SecurityType = 2
 	SecurityType_AES128_GCM        SecurityType = 3
 	SecurityType_CHACHA20_POLY1305 SecurityType = 4
-	SecurityType_NONE              SecurityType = 5
+	SecurityType_NONE              SecurityType = 5 // [DEPRECATED 2023-06]
 	SecurityType_ZERO              SecurityType = 6
 )
@@ -36,7 +35,6 @@ const (
 var (
 	SecurityType_name = map[int32]string{
 		0: "UNKNOWN",
 		1: "LEGACY",
 		2: "AUTO",
 		3: "AES128_GCM",
 		4: "CHACHA20_POLY1305",
@@ -45,7 +43,6 @@ var (
 	}
 	SecurityType_value = map[string]int32{
 		"UNKNOWN":           0,
 		"LEGACY":            1,
 		"AUTO":              2,
 		"AES128_GCM":        3,
 		"CHACHA20_POLY1305": 4,
@@ -139,20 +136,19 @@ var file_common_protocol_headers_proto_rawDesc = []byte{
 	0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x22, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x63, 0x6f, 0x6d,
 	0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2e, 0x53, 0x65, 0x63,
 	0x75, 0x72, 0x69, 0x74, 0x79, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x2a,
-	0x6c, 0x0a, 0x0c, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x54, 0x79, 0x70, 0x65, 0x12,
+	0x60, 0x0a, 0x0c, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x54, 0x79, 0x70, 0x65, 0x12,
-	0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06,
+	0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04,
-	0x4c, 0x45, 0x47, 0x41, 0x43, 0x59, 0x10, 0x01, 0x12, 0x08, 0x0a, 0x04, 0x41, 0x55, 0x54, 0x4f,
+	0x41, 0x55, 0x54, 0x4f, 0x10, 0x02, 0x12, 0x0e, 0x0a, 0x0a, 0x41, 0x45, 0x53, 0x31, 0x32, 0x38,
-	0x10, 0x02, 0x12, 0x0e, 0x0a, 0x0a, 0x41, 0x45, 0x53, 0x31, 0x32, 0x38, 0x5f, 0x47, 0x43, 0x4d,
+	0x5f, 0x47, 0x43, 0x4d, 0x10, 0x03, 0x12, 0x15, 0x0a, 0x11, 0x43, 0x48, 0x41, 0x43, 0x48, 0x41,
-	0x10, 0x03, 0x12, 0x15, 0x0a, 0x11, 0x43, 0x48, 0x41, 0x43, 0x48, 0x41, 0x32, 0x30, 0x5f, 0x50,
+	0x32, 0x30, 0x5f, 0x50, 0x4f, 0x4c, 0x59, 0x31, 0x33, 0x30, 0x35, 0x10, 0x04, 0x12, 0x08, 0x0a,
-	0x4f, 0x4c, 0x59, 0x31, 0x33, 0x30, 0x35, 0x10, 0x04, 0x12, 0x08, 0x0a, 0x04, 0x4e, 0x4f, 0x4e,
+	0x04, 0x4e, 0x4f, 0x4e, 0x45, 0x10, 0x05, 0x12, 0x08, 0x0a, 0x04, 0x5a, 0x45, 0x52, 0x4f, 0x10,
-	0x45, 0x10, 0x05, 0x12, 0x08, 0x0a, 0x04, 0x5a, 0x45, 0x52, 0x4f, 0x10, 0x06, 0x42, 0x5e, 0x0a,
+	0x06, 0x42, 0x5e, 0x0a, 0x18, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x63, 0x6f,
-	0x18, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e,
+	0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x50, 0x01, 0x5a,
-	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x50, 0x01, 0x5a, 0x29, 0x67, 0x69, 0x74,
+	0x29, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78, 0x74, 0x6c, 0x73,
-	0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61,
+	0x2f, 0x78, 0x72, 0x61, 0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f,
-	0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x70, 0x72,
+	0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0xaa, 0x02, 0x14, 0x58, 0x72, 0x61,
-	0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0xaa, 0x02, 0x14, 0x58, 0x72, 0x61, 0x79, 0x2e, 0x43, 0x6f,
+	0x79, 0x2e, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f,
-	0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x62, 0x06, 0x70,
+	0x6c, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 	0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 var (
--- a/common/protocol/headers.proto
+++ b/common/protocol/headers.proto
@@ -8,11 +8,10 @@ option java_multiple_files = true;
 enum SecurityType {
  UNKNOWN = 0;
  LEGACY = 1;
  AUTO = 2;
  AES128_GCM = 3;
  CHACHA20_POLY1305 = 4;
-  NONE = 5;
+  NONE = 5; // [DEPRECATED 2023-06] 
  ZERO = 6;
 }
--- a/common/protocol/id.go
+++ b/common/protocol/id.go
@@ -1,9 +1,7 @@
 package protocol
 import (
 	"crypto/hmac"
 	"crypto/md5"
 	"hash"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/uuid"
@@ -13,12 +11,6 @@ const (
 	IDBytesLen = 16
 )
 type IDHash func(key []byte) hash.Hash
 func DefaultIDHash(key []byte) hash.Hash {
 	return hmac.New(md5.New, key)
 }
 // The ID of en entity, in the form of a UUID.
 type ID struct {
 	uuid   uuid.UUID
@@ -55,28 +47,3 @@ func NewID(uuid uuid.UUID) *ID {
 	md5hash.Sum(id.cmdKey[:0])
 	return id
 }
 func nextID(u *uuid.UUID) uuid.UUID {
 	md5hash := md5.New()
 	common.Must2(md5hash.Write(u.Bytes()))
 	common.Must2(md5hash.Write([]byte("16167dc8-16b6-4e6d-b8bb-65dd68113a81")))
 	var newid uuid.UUID
 	for {
 		md5hash.Sum(newid[:0])
 		if !newid.Equals(u) {
 			return newid
 		}
 		common.Must2(md5hash.Write([]byte("533eff8a-4113-4b10-b5ce-0f5d76b98cd2")))
 	}
 }
 func NewAlterIDs(primary *ID, alterIDCount uint16) []*ID {
 	alterIDs := make([]*ID, alterIDCount)
 	prevID := primary.UUID()
 	for idx := range alterIDs {
 		newid := nextID(&prevID)
 		alterIDs[idx] = NewID(newid)
 		prevID = newid
 	}
 	return alterIDs
 }
--- a/common/protocol/quic/qtls_go118.go
+++ b/common/protocol/quic/qtls_go118.go
@@ -1,16 +1,18 @@
 package quic
 import (
 	"crypto"
 	"crypto/cipher"
-
+	_ "crypto/tls"
-	"github.com/marten-seemann/qtls-go1-18"
+	_ "unsafe"
 )
-type (
+type CipherSuiteTLS13 struct {
-	// A CipherSuiteTLS13 is a cipher suite for TLS 1.3
+	ID     uint16
-	CipherSuiteTLS13 = qtls.CipherSuiteTLS13
+	KeyLen int
-)
+	AEAD   func(key, fixedNonce []byte) cipher.AEAD
-
+	Hash   crypto.Hash
 func AEADAESGCMTLS13(key, fixedNonce []byte) cipher.AEAD {
 	return qtls.AEADAESGCMTLS13(key, fixedNonce)
 }
 //go:linkname AEADAESGCMTLS13 crypto/tls.aeadAESGCMTLS13
 func AEADAESGCMTLS13(key, nonceMask []byte) cipher.AEAD
--- a/common/protocol/quic/sniff.go
+++ b/common/protocol/quic/sniff.go
@@ -7,9 +7,10 @@ import (
 	"encoding/binary"
 	"io"
-	"github.com/lucas-clemente/quic-go/quicvarint"
+	"github.com/quic-go/quic-go/quicvarint"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/buf"
 	"github.com/xtls/xray-core/common/bytespool"
 	"github.com/xtls/xray-core/common/errors"
 	ptls "github.com/xtls/xray-core/common/protocol/tls"
 	"golang.org/x/crypto/hkdf"
@@ -141,7 +142,7 @@ func SniffQUIC(b []byte) (*SniffHeader, error) {
 		packetNumber = uint32(n)
 	}
-	if packetNumber != 0 {
+	if packetNumber != 0 && packetNumber != 1 {
 		return nil, errNotQuicInitial
 	}
@@ -159,32 +160,92 @@ func SniffQUIC(b []byte) (*SniffHeader, error) {
 		return nil, err
 	}
 	buffer = buf.FromBytes(decrypted)
-	frameType, err := buffer.ReadByte()
+
-	if err != nil {
+	cryptoLen := uint(0)
-		return nil, io.ErrUnexpectedEOF
+	cryptoData := bytespool.Alloc(buffer.Len())
 	defer bytespool.Free(cryptoData)
 	for i := 0; !buffer.IsEmpty(); i++ {
 		frameType := byte(0x0) // Default to PADDING frame
 		for frameType == 0x0 && !buffer.IsEmpty() {
 			frameType, _ = buffer.ReadByte()
 		}
 		switch frameType {
 		case 0x00: // PADDING frame
 		case 0x01: // PING frame
 		case 0x02, 0x03: // ACK frame
 			if _, err = quicvarint.Read(buffer); err != nil { // Field: Largest Acknowledged
 				return nil, io.ErrUnexpectedEOF
 			}
 			if _, err = quicvarint.Read(buffer); err != nil { // Field: ACK Delay
 				return nil, io.ErrUnexpectedEOF
 			}
 			ackRangeCount, err := quicvarint.Read(buffer) // Field: ACK Range Count
 			if err != nil {
 				return nil, io.ErrUnexpectedEOF
 			}
 			if _, err = quicvarint.Read(buffer); err != nil { // Field: First ACK Range
 				return nil, io.ErrUnexpectedEOF
 			}
 			for i := 0; i < int(ackRangeCount); i++ { // Field: ACK Range
 				if _, err = quicvarint.Read(buffer); err != nil { // Field: ACK Range -> Gap
 					return nil, io.ErrUnexpectedEOF
 				}
 				if _, err = quicvarint.Read(buffer); err != nil { // Field: ACK Range -> ACK Range Length
 					return nil, io.ErrUnexpectedEOF
 				}
 			}
 			if frameType == 0x03 {
 				if _, err = quicvarint.Read(buffer); err != nil { // Field: ECN Counts -> ECT0 Count
 					return nil, io.ErrUnexpectedEOF
 				}
 				if _, err = quicvarint.Read(buffer); err != nil { // Field: ECN Counts -> ECT1 Count
 					return nil, io.ErrUnexpectedEOF
 				}
 				if _, err = quicvarint.Read(buffer); err != nil { //nolint:misspell // Field: ECN Counts -> ECT-CE Count
 					return nil, io.ErrUnexpectedEOF
 				}
 			}
 		case 0x06: // CRYPTO frame, we will use this frame
 			offset, err := quicvarint.Read(buffer) // Field: Offset
 			if err != nil {
 				return nil, io.ErrUnexpectedEOF
 			}
 			length, err := quicvarint.Read(buffer) // Field: Length
 			if err != nil || length > uint64(buffer.Len()) {
 				return nil, io.ErrUnexpectedEOF
 			}
 			if cryptoLen < uint(offset+length) {
 				cryptoLen = uint(offset + length)
 			}
 			if _, err := buffer.Read(cryptoData[offset : offset+length]); err != nil { // Field: Crypto Data
 				return nil, io.ErrUnexpectedEOF
 			}
 		case 0x1c: // CONNECTION_CLOSE frame, only 0x1c is permitted in initial packet
 			if _, err = quicvarint.Read(buffer); err != nil { // Field: Error Code
 				return nil, io.ErrUnexpectedEOF
 			}
 			if _, err = quicvarint.Read(buffer); err != nil { // Field: Frame Type
 				return nil, io.ErrUnexpectedEOF
 			}
 			length, err := quicvarint.Read(buffer) // Field: Reason Phrase Length
 			if err != nil {
 				return nil, io.ErrUnexpectedEOF
 			}
 			if _, err := buffer.ReadBytes(int32(length)); err != nil { // Field: Reason Phrase
 				return nil, io.ErrUnexpectedEOF
 			}
 		default:
 			// Only above frame types are permitted in initial packet.
 			// See https://www.rfc-editor.org/rfc/rfc9000.html#section-17.2.2-8
 			return nil, errNotQuicInitial
 		}
 	}
-	if frameType != 0x6 {
+
 		// not crypto frame
 		return &SniffHeader{domain: ""}, nil
 	}
 	if common.Error2(quicvarint.Read(buffer)) != nil {
 		return nil, io.ErrUnexpectedEOF
 	}
 	dataLen, err := quicvarint.Read(buffer)
 	if err != nil {
 		return nil, io.ErrUnexpectedEOF
 	}
 	if dataLen > uint64(buffer.Len()) {
 		return nil, io.ErrUnexpectedEOF
 	}
 	frameData, err := buffer.ReadBytes(int32(dataLen))
 	common.Must(err)
 	tlsHdr := &ptls.SniffHeader{}
-	err = ptls.ReadClientHello(frameData, tlsHdr)
+	err = ptls.ReadClientHello(cryptoData[:cryptoLen], tlsHdr)
 	if err != nil {
 		return nil, err
 	}
 	return &SniffHeader{domain: tlsHdr.Domain()}, nil
 }
--- a/common/protocol/server_spec.pb.go
+++ b/common/protocol/server_spec.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: common/protocol/server_spec.proto
 package protocol
--- a/common/protocol/user.pb.go
+++ b/common/protocol/user.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: common/protocol/user.proto
 package protocol
--- a/common/serial/typed_message.pb.go
+++ b/common/serial/typed_message.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: common/serial/typed_message.proto
 package serial
--- a/common/session/context.go
+++ b/common/session/context.go
@@ -2,10 +2,15 @@ package session
 import (
 	"context"
 	_ "unsafe"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/features/routing"
 )
 //go:linkname IndependentCancelCtx context.newCancelCtx
 func IndependentCancelCtx(parent context.Context) context.Context
 type sessionKey int
 const (
@@ -17,6 +22,8 @@ const (
 	sockoptSessionKey
 	trackedConnectionErrorKey
 	dispatcherKey
 	timeoutOnlyKey
 	allowedNetworkKey
 )
 // ContextWithID returns a new context with the given ID.
@@ -131,3 +138,25 @@ func DispatcherFromContext(ctx context.Context) routing.Dispatcher {
 	}
 	return nil
 }
 func ContextWithTimeoutOnly(ctx context.Context, only bool) context.Context {
 	return context.WithValue(ctx, timeoutOnlyKey, only)
 }
 func TimeoutOnlyFromContext(ctx context.Context) bool {
 	if val, ok := ctx.Value(timeoutOnlyKey).(bool); ok {
 		return val
 	}
 	return false
 }
 func ContextWithAllowedNetwork(ctx context.Context, network net.Network) context.Context {
 	return context.WithValue(ctx, allowedNetworkKey, network)
 }
 func AllowedNetworkFromContext(ctx context.Context) net.Network {
 	if val, ok := ctx.Value(allowedNetworkKey).(net.Network); ok {
 		return val
 	}
 	return net.Network_Unknown
 }
--- a/common/session/session.go
+++ b/common/session/session.go
@@ -42,6 +42,8 @@ type Inbound struct {
 	Gateway net.Destination
 	// Tag of the inbound proxy that handles the connection.
 	Tag string
 	// Name of the inbound proxy that handles the connection.
 	Name string
 	// User is the user that authencates for the inbound. May be nil if the protocol allows anounymous traffic.
 	User *protocol.MemoryUser
 	// Conn is actually internet.Connection. May be nil.
--- a/common/singbridge/destination.go
+++ b/common/singbridge/destination.go
@@ -0,0 +1,46 @@
 package singbridge
 import (
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/xtls/xray-core/common/net"
 )
 func ToNetwork(network string) net.Network {
 	switch N.NetworkName(network) {
 	case N.NetworkTCP:
 		return net.Network_TCP
 	case N.NetworkUDP:
 		return net.Network_UDP
 	default:
 		return net.Network_Unknown
 	}
 }
 func ToDestination(socksaddr M.Socksaddr, network net.Network) net.Destination {
 	if socksaddr.IsFqdn() {
 		return net.Destination{
 			Network: network,
 			Address: net.DomainAddress(socksaddr.Fqdn),
 			Port:    net.Port(socksaddr.Port),
 		}
 	} else {
 		return net.Destination{
 			Network: network,
 			Address: net.IPAddress(socksaddr.Addr.AsSlice()),
 			Port:    net.Port(socksaddr.Port),
 		}
 	}
 }
 func ToSocksaddr(destination net.Destination) M.Socksaddr {
 	var addr M.Socksaddr
 	switch destination.Address.Family() {
 	case net.AddressFamilyDomain:
 		addr.Fqdn = destination.Address.Domain()
 	default:
 		addr.Addr = M.AddrFromIP(destination.Address.IP())
 	}
 	addr.Port = uint16(destination.Port)
 	return addr
 }
--- a/common/singbridge/dialer.go
+++ b/common/singbridge/dialer.go
@@ -0,0 +1,59 @@
 package singbridge
 import (
 	"context"
 	"os"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/net/cnc"
 	"github.com/xtls/xray-core/common/session"
 	"github.com/xtls/xray-core/proxy"
 	"github.com/xtls/xray-core/transport"
 	"github.com/xtls/xray-core/transport/internet"
 	"github.com/xtls/xray-core/transport/pipe"
 )
 var _ N.Dialer = (*XrayDialer)(nil)
 type XrayDialer struct {
 	internet.Dialer
 }
 func NewDialer(dialer internet.Dialer) *XrayDialer {
 	return &XrayDialer{dialer}
 }
 func (d *XrayDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	return d.Dialer.Dial(ctx, ToDestination(destination, ToNetwork(network)))
 }
 func (d *XrayDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	return nil, os.ErrInvalid
 }
 type XrayOutboundDialer struct {
 	outbound proxy.Outbound
 	dialer   internet.Dialer
 }
 func NewOutboundDialer(outbound proxy.Outbound, dialer internet.Dialer) *XrayOutboundDialer {
 	return &XrayOutboundDialer{outbound, dialer}
 }
 func (d *XrayOutboundDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
 	ctx = session.ContextWithOutbound(context.Background(), &session.Outbound{
 		Target: ToDestination(destination, ToNetwork(network)),
 	})
 	opts := []pipe.Option{pipe.WithSizeLimit(64 * 1024)}
 	uplinkReader, uplinkWriter := pipe.New(opts...)
 	downlinkReader, downlinkWriter := pipe.New(opts...)
 	conn := cnc.NewConnection(cnc.ConnectionInputMulti(downlinkWriter), cnc.ConnectionOutputMulti(uplinkReader))
 	go d.outbound.Process(ctx, &transport.Link{Reader: downlinkReader, Writer: uplinkWriter}, d.dialer)
 	return conn, nil
 }
 func (d *XrayOutboundDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
 	return nil, os.ErrInvalid
 }
--- a/common/singbridge/error.go
+++ b/common/singbridge/error.go
@@ -0,0 +1,10 @@
 package singbridge
 import E "github.com/sagernet/sing/common/exceptions"
 func ReturnError(err error) error {
 	if E.IsClosedOrCanceled(err) {
 		return nil
 	}
 	return err
 }
--- a/common/singbridge/handler.go
+++ b/common/singbridge/handler.go
@@ -0,0 +1,51 @@
 package singbridge
 import (
 	"context"
 	"io"
 	M "github.com/sagernet/sing/common/metadata"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/xtls/xray-core/common/buf"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/session"
 	"github.com/xtls/xray-core/features/routing"
 	"github.com/xtls/xray-core/transport"
 )
 var (
 	_ N.TCPConnectionHandler = (*Dispatcher)(nil)
 	_ N.UDPConnectionHandler = (*Dispatcher)(nil)
 )
 type Dispatcher struct {
 	upstream     routing.Dispatcher
 	newErrorFunc func(values ...any) *errors.Error
 }
 func NewDispatcher(dispatcher routing.Dispatcher, newErrorFunc func(values ...any) *errors.Error) *Dispatcher {
 	return &Dispatcher{
 		upstream:     dispatcher,
 		newErrorFunc: newErrorFunc,
 	}
 }
 func (d *Dispatcher) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
 	xConn := NewConn(conn)
 	return d.upstream.DispatchLink(ctx, ToDestination(metadata.Destination, net.Network_TCP), &transport.Link{
 		Reader: xConn,
 		Writer: xConn,
 	})
 }
 func (d *Dispatcher) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
 	return d.upstream.DispatchLink(ctx, ToDestination(metadata.Destination, net.Network_UDP), &transport.Link{
 		Reader: buf.NewPacketReader(conn.(io.Reader)),
 		Writer: buf.NewWriter(conn.(io.Writer)),
 	})
 }
 func (d *Dispatcher) NewError(ctx context.Context, err error) {
 	d.newErrorFunc(err).WriteToLog(session.ExportIDToError(ctx))
 }
--- a/common/singbridge/logger.go
+++ b/common/singbridge/logger.go
@@ -0,0 +1,71 @@
 package singbridge
 import (
 	"context"
 	"github.com/sagernet/sing/common/logger"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/session"
 )
 var _ logger.ContextLogger = (*XrayLogger)(nil)
 type XrayLogger struct {
 	newError func(values ...any) *errors.Error
 }
 func NewLogger(newErrorFunc func(values ...any) *errors.Error) *XrayLogger {
 	return &XrayLogger{
 		newErrorFunc,
 	}
 }
 func (l *XrayLogger) Trace(args ...any) {
 }
 func (l *XrayLogger) Debug(args ...any) {
 	l.newError(args...).AtDebug().WriteToLog()
 }
 func (l *XrayLogger) Info(args ...any) {
 	l.newError(args...).AtInfo().WriteToLog()
 }
 func (l *XrayLogger) Warn(args ...any) {
 	l.newError(args...).AtWarning().WriteToLog()
 }
 func (l *XrayLogger) Error(args ...any) {
 	l.newError(args...).AtError().WriteToLog()
 }
 func (l *XrayLogger) Fatal(args ...any) {
 }
 func (l *XrayLogger) Panic(args ...any) {
 }
 func (l *XrayLogger) TraceContext(ctx context.Context, args ...any) {
 }
 func (l *XrayLogger) DebugContext(ctx context.Context, args ...any) {
 	l.newError(args...).AtDebug().WriteToLog(session.ExportIDToError(ctx))
 }
 func (l *XrayLogger) InfoContext(ctx context.Context, args ...any) {
 	l.newError(args...).AtInfo().WriteToLog(session.ExportIDToError(ctx))
 }
 func (l *XrayLogger) WarnContext(ctx context.Context, args ...any) {
 	l.newError(args...).AtWarning().WriteToLog(session.ExportIDToError(ctx))
 }
 func (l *XrayLogger) ErrorContext(ctx context.Context, args ...any) {
 	l.newError(args...).AtError().WriteToLog(session.ExportIDToError(ctx))
 }
 func (l *XrayLogger) FatalContext(ctx context.Context, args ...any) {
 }
 func (l *XrayLogger) PanicContext(ctx context.Context, args ...any) {
 }
--- a/common/singbridge/packet.go
+++ b/common/singbridge/packet.go
@@ -0,0 +1,82 @@
 package singbridge
 import (
 	"context"
 	B "github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/xtls/xray-core/common/buf"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/transport"
 )
 func CopyPacketConn(ctx context.Context, inboundConn net.Conn, link *transport.Link, destination net.Destination, serverConn net.PacketConn) error {
 	conn := &PacketConnWrapper{
 		Reader: link.Reader,
 		Writer: link.Writer,
 		Dest:   destination,
 		Conn:   inboundConn,
 	}
 	return ReturnError(bufio.CopyPacketConn(ctx, conn, bufio.NewPacketConn(serverConn)))
 }
 type PacketConnWrapper struct {
 	buf.Reader
 	buf.Writer
 	net.Conn
 	Dest   net.Destination
 	cached buf.MultiBuffer
 }
 func (w *PacketConnWrapper) ReadPacket(buffer *B.Buffer) (M.Socksaddr, error) {
 	if w.cached != nil {
 		mb, bb := buf.SplitFirst(w.cached)
 		if bb == nil {
 			w.cached = nil
 		} else {
 			buffer.Write(bb.Bytes())
 			w.cached = mb
 			var destination net.Destination
 			if bb.UDP != nil {
 				destination = *bb.UDP
 			} else {
 				destination = w.Dest
 			}
 			bb.Release()
 			return ToSocksaddr(destination), nil
 		}
 	}
 	mb, err := w.ReadMultiBuffer()
 	if err != nil {
 		return M.Socksaddr{}, err
 	}
 	nb, bb := buf.SplitFirst(mb)
 	if bb == nil {
 		return M.Socksaddr{}, nil
 	} else {
 		buffer.Write(bb.Bytes())
 		w.cached = nb
 		var destination net.Destination
 		if bb.UDP != nil {
 			destination = *bb.UDP
 		} else {
 			destination = w.Dest
 		}
 		bb.Release()
 		return ToSocksaddr(destination), nil
 	}
 }
 func (w *PacketConnWrapper) WritePacket(buffer *B.Buffer, destination M.Socksaddr) error {
 	vBuf := buf.New()
 	vBuf.Write(buffer.Bytes())
 	endpoint := ToDestination(destination, net.Network_UDP)
 	vBuf.UDP = &endpoint
 	return w.Writer.WriteMultiBuffer(buf.MultiBuffer{vBuf})
 }
 func (w *PacketConnWrapper) Close() error {
 	buf.ReleaseMulti(w.cached)
 	return nil
 }
--- a/common/singbridge/pipe.go
+++ b/common/singbridge/pipe.go
@@ -0,0 +1,61 @@
 package singbridge
 import (
 	"context"
 	"io"
 	"net"
 	"github.com/sagernet/sing/common/bufio"
 	"github.com/xtls/xray-core/common/buf"
 	"github.com/xtls/xray-core/transport"
 )
 func CopyConn(ctx context.Context, inboundConn net.Conn, link *transport.Link, serverConn net.Conn) error {
 	conn := &PipeConnWrapper{
 		W:    link.Writer,
 		Conn: inboundConn,
 	}
 	if ir, ok := link.Reader.(io.Reader); ok {
 		conn.R = ir
 	} else {
 		conn.R = &buf.BufferedReader{Reader: link.Reader}
 	}
 	return ReturnError(bufio.CopyConn(ctx, conn, serverConn))
 }
 type PipeConnWrapper struct {
 	R io.Reader
 	W buf.Writer
 	net.Conn
 }
 func (w *PipeConnWrapper) Close() error {
 	return nil
 }
 func (w *PipeConnWrapper) Read(b []byte) (n int, err error) {
 	return w.R.Read(b)
 }
 func (w *PipeConnWrapper) Write(p []byte) (n int, err error) {
 	n = len(p)
 	var mb buf.MultiBuffer
 	pLen := len(p)
 	for pLen > 0 {
 		buffer := buf.New()
 		if pLen > buf.Size {
 			_, err = buffer.Write(p[:buf.Size])
 			p = p[buf.Size:]
 		} else {
 			buffer.Write(p)
 		}
 		pLen -= int(buffer.Len())
 		mb = append(mb, buffer)
 	}
 	err = w.W.WriteMultiBuffer(mb)
 	if err != nil {
 		n = 0
 		buf.ReleaseMulti(mb)
 	}
 	return
 }
--- a/common/singbridge/reader.go
+++ b/common/singbridge/reader.go
@@ -0,0 +1,66 @@
 package singbridge
 import (
 	"time"
 	"github.com/sagernet/sing/common"
 	"github.com/sagernet/sing/common/bufio"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/xtls/xray-core/common/buf"
 	"github.com/xtls/xray-core/common/net"
 )
 var (
 	_ buf.Reader        = (*Conn)(nil)
 	_ buf.TimeoutReader = (*Conn)(nil)
 	_ buf.Writer        = (*Conn)(nil)
 )
 type Conn struct {
 	net.Conn
 	writer N.VectorisedWriter
 }
 func NewConn(conn net.Conn) *Conn {
 	writer, _ := bufio.CreateVectorisedWriter(conn)
 	return &Conn{
 		Conn:   conn,
 		writer: writer,
 	}
 }
 func (c *Conn) ReadMultiBuffer() (buf.MultiBuffer, error) {
 	buffer, err := buf.ReadBuffer(c.Conn)
 	if err != nil {
 		return nil, err
 	}
 	return buf.MultiBuffer{buffer}, nil
 }
 func (c *Conn) ReadMultiBufferTimeout(duration time.Duration) (buf.MultiBuffer, error) {
 	err := c.SetReadDeadline(time.Now().Add(duration))
 	if err != nil {
 		return nil, err
 	}
 	defer c.SetReadDeadline(time.Time{})
 	return c.ReadMultiBuffer()
 }
 func (c *Conn) WriteMultiBuffer(bufferList buf.MultiBuffer) error {
 	defer buf.ReleaseMulti(bufferList)
 	if c.writer != nil {
 		bytesList := make([][]byte, len(bufferList))
 		for i, buffer := range bufferList {
 			bytesList[i] = buffer.Bytes()
 		}
 		return common.Error(bufio.WriteVectorised(c.writer, bytesList))
 	}
 	// Since this conn is only used by tun, we don't force buffer writes to merge.
 	for _, buffer := range bufferList {
 		_, err := c.Conn.Write(buffer.Bytes())
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
--- a/common/task/task.go
+++ b/common/task/task.go
@@ -38,6 +38,12 @@ func Run(ctx context.Context, tasks ...func() error) error {
 		}(task)
 	}
 	/*
 		if altctx := ctx.Value("altctx"); altctx != nil {
 			ctx = altctx.(context.Context)
 		}
 	*/
 	for i := 0; i < n; i++ {
 		select {
 		case err := <-done:
@@ -48,5 +54,11 @@ func Run(ctx context.Context, tasks ...func() error) error {
 		}
 	}
 	/*
 		if cancel := ctx.Value("cancel"); cancel != nil {
 			cancel.(context.CancelFunc)()
 		}
 	*/
 	return nil
 }
--- a/common/xudp/xudp.go
+++ b/common/xudp/xudp.go
@@ -1,30 +1,79 @@
 package xudp
 import (
 	"context"
 	"crypto/rand"
 	"encoding/base64"
 	"fmt"
 	"io"
 	"os"
 	"strings"
 	"github.com/xtls/xray-core/common/buf"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/protocol"
 	"github.com/xtls/xray-core/common/session"
 	"lukechampine.com/blake3"
 )
-var addrParser = protocol.NewAddressParser(
+var AddrParser = protocol.NewAddressParser(
 	protocol.AddressFamilyByte(byte(protocol.AddressTypeIPv4), net.AddressFamilyIPv4),
 	protocol.AddressFamilyByte(byte(protocol.AddressTypeDomain), net.AddressFamilyDomain),
 	protocol.AddressFamilyByte(byte(protocol.AddressTypeIPv6), net.AddressFamilyIPv6),
 	protocol.PortThenAddress(),
 )
-func NewPacketWriter(writer buf.Writer, dest net.Destination) *PacketWriter {
+var (
 	Show    bool
 	BaseKey []byte
 )
 const (
 	EnvShow    = "XRAY_XUDP_SHOW"
 	EnvBaseKey = "XRAY_XUDP_BASEKEY"
 )
 func init() {
 	if strings.ToLower(os.Getenv(EnvShow)) == "true" {
 		Show = true
 	}
 	if raw, found := os.LookupEnv(EnvBaseKey); found {
 		if BaseKey, _ = base64.RawURLEncoding.DecodeString(raw); len(BaseKey) == 32 {
 			return
 		}
 		panic(EnvBaseKey + ": invalid value: " + raw)
 	}
 	rand.Read(BaseKey)
 }
 func GetGlobalID(ctx context.Context) (globalID [8]byte) {
 	if cone := ctx.Value("cone"); cone == nil || !cone.(bool) { // cone is nil only in some unit tests
 		return
 	}
 	if inbound := session.InboundFromContext(ctx); inbound != nil && inbound.Source.Network == net.Network_UDP &&
 		(inbound.Name == "dokodemo-door" || inbound.Name == "socks" || inbound.Name == "shadowsocks") {
 		h := blake3.New(8, BaseKey)
 		h.Write([]byte(inbound.Source.String()))
 		copy(globalID[:], h.Sum(nil))
 		if Show {
 			fmt.Printf("XUDP inbound.Source.String(): %v\tglobalID: %v\n", inbound.Source.String(), globalID)
 		}
 	}
 	return
 }
 func NewPacketWriter(writer buf.Writer, dest net.Destination, globalID [8]byte) *PacketWriter {
 	return &PacketWriter{
-		Writer: writer,
+		Writer:   writer,
-		Dest:   dest,
+		Dest:     dest,
 		GlobalID: globalID,
 	}
 }
 type PacketWriter struct {
-	Writer buf.Writer
+	Writer   buf.Writer
-	Dest   net.Destination
+	Dest     net.Destination
 	GlobalID [8]byte
 }
 func (w *PacketWriter) WriteMultiBuffer(mb buf.MultiBuffer) error {
@@ -37,19 +86,22 @@ func (w *PacketWriter) WriteMultiBuffer(mb buf.MultiBuffer) error {
 		}
 		eb := buf.New()
-		eb.Write([]byte{0, 0, 0, 0})
+		eb.Write([]byte{0, 0, 0, 0}) // Meta data length; Mux Session ID
 		if w.Dest.Network == net.Network_UDP {
 			eb.WriteByte(1) // New
 			eb.WriteByte(1) // Opt
 			eb.WriteByte(2) // UDP
-			addrParser.WriteAddressPort(eb, w.Dest.Address, w.Dest.Port)
+			AddrParser.WriteAddressPort(eb, w.Dest.Address, w.Dest.Port)
 			if b.UDP != nil { // make sure it's user's proxy request
 				eb.Write(w.GlobalID[:]) // no need to check whether it's empty
 			}
 			w.Dest.Network = net.Network_Unknown
 		} else {
 			eb.WriteByte(2) // Keep
-			eb.WriteByte(1)
+			eb.WriteByte(1) // Opt
 			if b.UDP != nil {
-				eb.WriteByte(2)
+				eb.WriteByte(2) // UDP
-				addrParser.WriteAddressPort(eb, b.UDP.Address, b.UDP.Port)
+				AddrParser.WriteAddressPort(eb, b.UDP.Address, b.UDP.Port)
 			}
 		}
 		l := eb.Len() - 2
@@ -96,9 +148,10 @@ func (r *PacketReader) ReadMultiBuffer() (buf.MultiBuffer, error) {
 		discard := false
 		switch b.Byte(2) {
 		case 2:
-			if l != 4 {
+			if l > 4 && b.Byte(4) == 2 { // MUST check the flag first
 				b.Advance(5)
-				addr, port, err := addrParser.ReadAddressPort(nil, b)
+				// b.Clear() will be called automatically if all data had been read.
 				addr, port, err := AddrParser.ReadAddressPort(nil, b)
 				if err != nil {
 					b.Release()
 					return nil, err
@@ -115,6 +168,7 @@ func (r *PacketReader) ReadMultiBuffer() (buf.MultiBuffer, error) {
 			b.Release()
 			return nil, io.EOF
 		}
 		b.Clear() // in case there is padding (empty bytes) attached
 		if b.Byte(3) == 1 {
 			if _, err := io.ReadFull(r.Reader, r.cache); err != nil {
 				b.Release()
@@ -122,7 +176,6 @@ func (r *PacketReader) ReadMultiBuffer() (buf.MultiBuffer, error) {
 			}
 			length := int32(r.cache[0])<<8 | int32(r.cache[1])
 			if length > 0 {
 				b.Clear()
 				if _, err := b.ReadFullFrom(r.Reader, length); err != nil {
 					b.Release()
 					return nil, err
--- a/common/xudp/xudp_test.go
+++ b/common/xudp/xudp_test.go
@@ -0,0 +1,36 @@
 package xudp
 import (
 	"testing"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/buf"
 	"github.com/xtls/xray-core/common/net"
 )
 func TestXudpReadWrite(t *testing.T) {
 	addr, _ := net.ParseDestination("tcp:127.0.0.1:1345")
 	mb := make(buf.MultiBuffer, 0, 16)
 	m := buf.MultiBufferContainer{
 		MultiBuffer: mb,
 	}
 	var arr [8]byte
 	writer := NewPacketWriter(&m, addr, arr)
 	source := make(buf.MultiBuffer, 0, 16)
 	b := buf.New()
 	b.WriteByte('a')
 	b.UDP = &addr
 	source = append(source, b)
 	writer.WriteMultiBuffer(source)
 	reader := NewPacketReader(&m)
 	dest, err := reader.ReadMultiBuffer()
 	common.Must(err)
 	if dest[0].Byte(0) != 'a' {
 		t.Error("failed to parse xudp buffer")
 	}
 	if dest[0].UDP.Port != 1345 {
 		t.Error("failed to parse xudp buffer")
 	}
 }
--- a/core/config.pb.go
+++ b/core/config.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.30.0
-// 	protoc        v3.18.0
+// 	protoc        v4.23.1
 // source: core/config.proto
 package core
@@ -42,7 +42,7 @@ type Config struct {
 	// Deprecated. Each inbound and outbound should choose their own transport
 	// config. Date to remove: 2020-01-13
 	//
-	// Deprecated: Do not use.
+	// Deprecated: Marked as deprecated in core/config.proto.
 	Transport *global.Config `protobuf:"bytes,5,opt,name=transport,proto3" json:"transport,omitempty"`
 	// Configuration for extensions. The config may not work if corresponding
 	// extension is not loaded into Xray. Xray will ignore such config during
@@ -103,7 +103,7 @@ func (x *Config) GetApp() []*serial.TypedMessage {
 	return nil
 }
-// Deprecated: Do not use.
+// Deprecated: Marked as deprecated in core/config.proto.
 func (x *Config) GetTransport() *global.Config {
 	if x != nil {
 		return x.Transport
--- a/core/core.go
+++ b/core/core.go
@@ -12,13 +12,19 @@ package core
 //go:generate go run github.com/xtls/xray-core/common/errors/errorgen
 import (
 	"fmt"
 	"runtime"
 	"github.com/xtls/xray-core/common/serial"
 )
 var (
-	version  = "1.7.1"
+	Version_x byte = 1
 	Version_y byte = 8
 	Version_z byte = 3
 )
 var (
 	build    = "Custom"
 	codename = "Xray, Penetrates Everything."
 	intro    = "A unified platform for anti-censorship."
@@ -27,7 +33,7 @@ var (
 // Version returns Xray's version as a string, in the form of "x.y.z" where x, y and z are numbers.
 // ".z" part may be omitted in regular releases.
 func Version() string {
-	return version
+	return fmt.Sprintf("%v.%v.%v", Version_x, Version_y, Version_z)
 }
 // VersionStatement returns a list of strings representing the full version info.
--- a/go.mod
+++ b/go.mod
@@ -1,61 +1,59 @@
 module github.com/xtls/xray-core
-go 1.19
+go 1.20
 require (
-	github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32
+	github.com/ghodss/yaml v1.0.1-0.20220118164431-d8423dcdf344
 	github.com/golang/mock v1.6.0
-	github.com/golang/protobuf v1.5.2
+	github.com/golang/protobuf v1.5.3
 	github.com/google/go-cmp v0.5.9
 	github.com/gorilla/websocket v1.5.0
-	github.com/lucas-clemente/quic-go v0.31.1
+	github.com/miekg/dns v1.1.54
 	github.com/marten-seemann/qtls-go1-18 v0.1.4
 	github.com/miekg/dns v1.1.50
 	github.com/pelletier/go-toml v1.9.5
-	github.com/pires/go-proxyproto v0.6.2
+	github.com/pires/go-proxyproto v0.7.0
-	github.com/refraction-networking/utls v1.2.0
+	github.com/quic-go/quic-go v0.35.1
-	github.com/sagernet/sing v0.1.2
+	github.com/refraction-networking/utls v1.3.2
-	github.com/sagernet/sing-shadowsocks v0.1.0
+	github.com/sagernet/sing v0.2.5
 	github.com/sagernet/sing-shadowsocks v0.2.2
 	github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c
 	github.com/seiflotfy/cuckoofilter v0.0.0-20220411075957-e3b120b3f5fb
-	github.com/stretchr/testify v1.8.1
+	github.com/stretchr/testify v1.8.4
 	github.com/v2fly/ss-bloomring v0.0.0-20210312155135-28617310f63e
-	github.com/xtls/go v0.0.0-20220914232946-0441cf4cf837
+	github.com/xtls/reality v0.0.0-20230613075828-e07c3b04b983
-	go.starlark.net v0.0.0-20230105143730-d7da88764354
+	golang.org/x/crypto v0.10.0
-	golang.org/x/crypto v0.5.0
+	golang.org/x/net v0.11.0
-	golang.org/x/net v0.5.0
+	golang.org/x/sync v0.3.0
-	golang.org/x/sync v0.1.0
+	golang.org/x/sys v0.9.0
-	golang.org/x/sys v0.4.0
+	google.golang.org/grpc v1.56.0
-	google.golang.org/grpc v1.51.0
+	google.golang.org/protobuf v1.30.0
 	google.golang.org/protobuf v1.28.1
 	gvisor.dev/gvisor v0.0.0-20220901235040-6ca97ef2ce1c
 	h12.io/socks v1.0.3
 	lukechampine.com/blake3 v1.2.1
 )
 require (
-	github.com/andybalholm/brotli v1.0.4 // indirect
+	github.com/andybalholm/brotli v1.0.5 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-metro v0.0.0-20211217172704-adc40b04c140 // indirect
 	github.com/francoispqt/gojay v1.2.13 // indirect
-	github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
+	github.com/gaukas/godicttls v0.0.3 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/google/btree v1.1.2 // indirect
-	github.com/google/pprof v0.0.0-20221219190121-3cb0bae90811 // indirect
+	github.com/google/pprof v0.0.0-20230602150820-91b7bce49751 // indirect
-	github.com/klauspost/compress v1.15.14 // indirect
+	github.com/klauspost/compress v1.16.6 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.3 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
-	github.com/kr/pretty v0.3.1 // indirect
+	github.com/onsi/ginkgo/v2 v2.11.0 // indirect
 	github.com/marten-seemann/qtls-go1-19 v0.1.2 // indirect
 	github.com/onsi/ginkgo/v2 v2.6.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qtls-go1-19 v0.3.2 // indirect
 	github.com/quic-go/qtls-go1-20 v0.2.2 // indirect
 	github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3 // indirect
-	go.uber.org/atomic v1.10.0 // indirect
+	go.uber.org/atomic v1.11.0 // indirect
-	golang.org/x/exp v0.0.0-20230105202349-8879d0199aa3 // indirect
+	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 // indirect
-	golang.org/x/mod v0.7.0 // indirect
+	golang.org/x/mod v0.11.0 // indirect
-	golang.org/x/text v0.6.0 // indirect
+	golang.org/x/text v0.10.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.5.0 // indirect
+	golang.org/x/tools v0.10.0 // indirect
-	google.golang.org/genproto v0.0.0-20230106154932-a12b697841d9 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.1.7 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -8,19 +8,14 @@ dmitri.shuralyov.com/service/change v0.0.0-20181023043359-a85b471d5412/go.mod h1
 dmitri.shuralyov.com/state v0.0.0-20180228185332-28bcc343414c/go.mod h1:0PRwlb0D6DFvNNtx+9ybjezNCa8XF0xaYcETyp6rHWU=
 git.apache.org/thrift.git v0.0.0-20180902110319-2566ecd5d999/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY=
+github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/cCs=
-github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
+github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g=
 github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/coreos/go-systemd v0.0.0-20181012123002-c6f51f82210d/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -28,20 +23,20 @@ github.com/dgryski/go-metro v0.0.0-20200812162917-85c65e2d0165/go.mod h1:c9O8+fp
 github.com/dgryski/go-metro v0.0.0-20211217172704-adc40b04c140 h1:y7y0Oa6UawqTFPCDw9JG6pdKt4F9pAhHv0B7FMGaGD0=
 github.com/dgryski/go-metro v0.0.0-20211217172704-adc40b04c140/go.mod h1:c9O8+fpSOX1DM8cPNSkX/qsBWdkD4yd2dpciOWQjpBw=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/francoispqt/gojay v1.2.13 h1:d2m3sFjloqoIUQU3TsHBgj6qg/BVGlTBeHDUmyJnXKk=
 github.com/francoispqt/gojay v1.2.13/go.mod h1:ehT5mTG4ua4581f1++1WLG0vPdaA9HaiDsoyrBGkyDY=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/gaukas/godicttls v0.0.3 h1:YNDIf0d9adcxOijiLrEzpfZGAkNwLRzPaG6OjU7EITk=
 github.com/gaukas/godicttls v0.0.3/go.mod h1:l6EenT4TLWgTdwslVb4sEMOCf7Bv0JAK67deKr9/NCI=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 h1:Mn26/9ZMNWSw9C9ERFA1PUxfmGpolnw2v0bKOREu5ew=
+github.com/ghodss/yaml v1.0.1-0.20220118164431-d8423dcdf344 h1:Arcl6UOIS/kgO2nW3A65HN+7CMjSDP/gofXL4CZt1V4=
-github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32/go.mod h1:GIjDIg/heH5DOkXY3YJ/wNhfHsQHoXGjl8G8amsYQ1I=
+github.com/ghodss/yaml v1.0.1-0.20220118164431-d8423dcdf344/go.mod h1:GIjDIg/heH5DOkXY3YJ/wNhfHsQHoXGjl8G8amsYQ1I=
 github.com/gliderlabs/ssh v0.1.1/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
 github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
-github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
+github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
-github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
-github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:tluoj9z5200jBnyusfRPU2LqT6J+DAorxEvtC7LHB+E=
@@ -51,25 +46,13 @@ github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
 github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
 github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
+github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -77,8 +60,8 @@ github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+u
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
-github.com/google/pprof v0.0.0-20221219190121-3cb0bae90811 h1:wORs2YN3R3ona/CXYuTvLM31QlgoNKHvlCNuArCDDCU=
+github.com/google/pprof v0.0.0-20230602150820-91b7bce49751 h1:hR7/MlvK23p6+lIw9SN1TigNLn9ZnF3W4SYRKq2gAHs=
-github.com/google/pprof v0.0.0-20221219190121-3cb0bae90811/go.mod h1:dDKJzRmX4S37WGHujM7tX//fmj1uioxKzKxz3lo4HJo=
+github.com/google/pprof v0.0.0-20230602150820-91b7bce49751/go.mod h1:Jh3hGz2jkYak8qXPD19ryItVnUgpgeqzdkY/D0EaeuA=
 github.com/googleapis/gax-go v2.0.0+incompatible/go.mod h1:SFVmujtThgffbyetf+mdk2eWhX2bMyUtNHzFKcPA9HY=
 github.com/googleapis/gax-go/v2 v2.0.3/go.mod h1:LLvjysVCY1JZeum8Z6l8qUty8fiNwE08qbEPm1M08qg=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
@@ -92,70 +75,58 @@ github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1/go.mod h1:E0
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.15.13 h1:NFn1Wr8cfnenSJSA46lLq4wHCcBzKTSjnBIexDMMOV0=
+github.com/klauspost/compress v1.16.6 h1:91SKEy4K37vkp255cJ8QesJhjyRO0hn9i9G0GoUwLsk=
-github.com/klauspost/compress v1.15.13/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM=
+github.com/klauspost/compress v1.16.6/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
-github.com/klauspost/compress v1.15.14 h1:i7WCKDToww0wA+9qrUZ1xOjp218vfFo3nTU6UHp+gOc=
+github.com/klauspost/cpuid/v2 v2.2.5 h1:0E5MSMDEoAulmXNFquVs//DdoomxaoTY1kUhbc/qbZg=
-github.com/klauspost/compress v1.15.14/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM=
+github.com/klauspost/cpuid/v2 v2.2.5/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
-github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/klauspost/cpuid/v2 v2.2.2 h1:xPMwiykqNK9VK0NYC3+jTMYv9I6Vl3YdjZgPZKG3zO0=
 github.com/klauspost/cpuid/v2 v2.2.2/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY=
 github.com/klauspost/cpuid/v2 v2.2.3 h1:sxCkb+qR91z4vsqw4vGGZlDgPz3G7gjaLyK3V8y70BU=
 github.com/klauspost/cpuid/v2 v2.2.3/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.3/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/lucas-clemente/quic-go v0.31.1 h1:O8Od7hfioqq0PMYHDyBkxU2aA7iZ2W9pjbrWuja2YR4=
 github.com/lucas-clemente/quic-go v0.31.1/go.mod h1:0wFbizLgYzqHqtlyxyCaJKlE7bYgE6JQ+54TLd/Dq2g=
 github.com/lunixbochs/vtclean v1.0.0/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI=
 github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/marten-seemann/qtls-go1-18 v0.1.4 h1:ogomB+lWV3Vmwiu6RTwDVTMGx+9j7SEi98e8QB35Its=
 github.com/marten-seemann/qtls-go1-18 v0.1.4/go.mod h1:mJttiymBAByA49mhlNZZGrH5u1uXYZJ+RW28Py7f4m4=
 github.com/marten-seemann/qtls-go1-19 v0.1.2 h1:ZevAEqKXH0bZmoOBPiqX2h5rhQ7cbZi+X+rlq2JUbCE=
 github.com/marten-seemann/qtls-go1-19 v0.1.2/go.mod h1:5HTDWtVudo/WFsHKRNuOhWlbdjrfs5JHrYb0wIJqGpI=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/microcosm-cc/bluemonday v1.0.1/go.mod h1:hsXNsILzKxV+sX77C5b8FSuKF00vh2OMYv+xgHpAMF4=
-github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
+github.com/miekg/dns v1.1.54 h1:5jon9mWcb0sFJGpnI99tOMhCPyJ+RPVz5b63MQG0VWI=
-github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
+github.com/miekg/dns v1.1.54/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/neelance/astrewrite v0.0.0-20160511093645-99348263ae86/go.mod h1:kHJEU3ofeGjhHklVoIGuVj85JJwZ6kWPaJwCIxgnFmo=
 github.com/neelance/sourcemap v0.0.0-20151028013722-8c68805598ab/go.mod h1:Qr6/a/Q4r9LP1IltGz7tA7iOK1WonHEYhu1HRBA7ZiM=
-github.com/onsi/ginkgo/v2 v2.6.1 h1:1xQPCjcqYw/J5LchOcp4/2q/jzJFjiAOc25chhnDw+Q=
+github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU=
-github.com/onsi/ginkgo/v2 v2.6.1/go.mod h1:yjiuMwPokqY1XauOgju45q3sJt6VzQ/Fict1LFVcsAo=
+github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM=
-github.com/onsi/gomega v1.24.1 h1:KORJXNNTzJXzu4ScJWssJfJMnJ+2QJqhoQSRwNlze9E=
+github.com/onsi/gomega v1.27.8 h1:gegWiwZjBsf2DgiSbf5hpokZ98JVDMcWkUiigk6/KXc=
 github.com/openzipkin/zipkin-go v0.1.1/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTmOf0Erfk+hxe8=
 github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2 h1:JhzVVoYvbOACxoUmOs6V/G4D5nPVUW73rKvXxP4XUJc=
 github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE=
-github.com/pires/go-proxyproto v0.6.2 h1:KAZ7UteSOt6urjme6ZldyFm4wDe/z0ZUP0Yv0Dos0d8=
+github.com/pires/go-proxyproto v0.7.0 h1:IukmRewDQFWC7kfnb66CSomk2q/seBuilHBYFwyq0Hs=
-github.com/pires/go-proxyproto v0.6.2/go.mod h1:Odh9VFOZJCf9G8cLW5o435Xf1J95Jw9Gw5rnCjcwzAY=
+github.com/pires/go-proxyproto v0.7.0/go.mod h1:Vz/1JPY/OACxWGQNIRY2BeyDmpoaWmEP40O9LbuiFR4=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_golang v0.8.0/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/procfs v0.0.0-20180725123919-05ee40e3a273/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
-github.com/refraction-networking/utls v1.2.0 h1:U5f8wkij2NVinfLuJdFP3gCMwIHs+EzvhxmYdXgiapo=
+github.com/quic-go/qtls-go1-19 v0.3.2 h1:tFxjCFcTQzK+oMxG6Zcvp4Dq8dx4yD3dDiIiyc86Z5U=
-github.com/refraction-networking/utls v1.2.0/go.mod h1:NPq+cVqzH7D1BeOkmOcb5O/8iVewAsiVt2x1/eO0hgQ=
+github.com/quic-go/qtls-go1-19 v0.3.2/go.mod h1:ySOI96ew8lnoKPtSqx2BlI5wCpUVPT05RMAlajtnyOI=
 github.com/quic-go/qtls-go1-20 v0.2.2 h1:WLOPx6OY/hxtTxKV1Zrq20FtXtDEkeY00CGQm8GEa3E=
 github.com/quic-go/qtls-go1-20 v0.2.2/go.mod h1:JKtK6mjbAVcUTN/9jZpvLbGxvdWIKS8uT7EiStoU1SM=
 github.com/quic-go/quic-go v0.35.1 h1:b0kzj6b/cQAf05cT0CkQubHM31wiA+xH3IBkxP62poo=
 github.com/quic-go/quic-go v0.35.1/go.mod h1:+4CVgVppm0FNjpG3UcX8Joi/frKOH7/ciD5yGcwOO1g=
 github.com/refraction-networking/utls v1.3.2 h1:o+AkWB57mkcoW36ET7uJ002CpBWHu0KPxi6vzxvPnv8=
 github.com/refraction-networking/utls v1.3.2/go.mod h1:fmoaOww2bxzzEpIKOebIsnBvjQpqP7L2vcm/9KUfm/E=
 github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3 h1:f/FNXud6gA3MNr8meMVVGxhp+QBTqY91tM8HjEuMjGg=
 github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3/go.mod h1:HgjTstvQsPGkxUsCd2KWxErBblirPizecHcpD3ffK+s=
 github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
-github.com/sagernet/sing v0.1.2 h1:rp5AqY23P0klk2IaLEI0/WJsD8FTVlv9TaI2QSL6TDA=
+github.com/sagernet/sing v0.2.5 h1:N8sUluR8GZvR9DqUiH3FA3vBb4m/EDdOVTYUrDzJvmY=
-github.com/sagernet/sing v0.1.2/go.mod h1:bvmen56QnVbMrWy+nr5nsbz7U5MUPuY0L0S/XfhCsTs=
+github.com/sagernet/sing v0.2.5/go.mod h1:Ta8nHnDLAwqySzKhGoKk4ZIB+vJ3GTKj7UPrWYvM+4w=
-github.com/sagernet/sing-shadowsocks v0.1.0 h1:cDmmOkA11fzVdhyCZQEeI3ozQz+59rj8+rqPb91xux4=
+github.com/sagernet/sing-shadowsocks v0.2.2 h1:ezSdVhrmIcwDXmCZF3bOJVMuVtTQWpda+1Op+Ie2TA4=
-github.com/sagernet/sing-shadowsocks v0.1.0/go.mod h1:O5LtOs8Ivw686FqLpO0Zu+A0ROVE15VeqEK3yDRRAms=
+github.com/sagernet/sing-shadowsocks v0.2.2/go.mod h1:JIBWG6a7orB2HxBxYElViQFLUQxFVG7DuqIj8gD7uCQ=
 github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c h1:vK2wyt9aWYHHvNLWniwijBu/n4pySypiKRhN32u/JGo=
 github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c/go.mod h1:euOmN6O5kk9dQmgSS8Df4psAl3TCjxOz0NW60EWkSaI=
 github.com/seiflotfy/cuckoofilter v0.0.0-20220411075957-e3b120b3f5fb h1:XfLJSPIOUX+osiMraVgIrMR27uMXnRJWGm1+GL8/63U=
@@ -186,50 +157,38 @@ github.com/shurcooL/webdavfs v0.0.0-20170829043945-18c3829fa133/go.mod h1:hKmq5k
 github.com/sourcegraph/annotate v0.0.0-20160123013949-f4cad6c6324d/go.mod h1:UdhH50NIW0fCiwBSr0co2m7BnFLdv4fQTgdqdJTHFeE=
 github.com/sourcegraph/syntaxhighlight v0.0.0-20170531221838-bd320f5d308e/go.mod h1:HuIsMU8RRBOtsCgI77wP899iHVBQpCmg4ErYMZB+2IA=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/tarm/serial v0.0.0-20180830185346-98f6abe2eb07/go.mod h1:kDXzergiv9cbyO7IOYJZWg1U88JhDg3PB6klq9Hg2pA=
 github.com/v2fly/ss-bloomring v0.0.0-20210312155135-28617310f63e h1:5QefA066A1tF8gHIiADmOVOV5LS43gt3ONnlEl3xkwI=
 github.com/v2fly/ss-bloomring v0.0.0-20210312155135-28617310f63e/go.mod h1:5t19P9LBIrNamL6AcMQOncg/r10y3Pc01AbHeMhwlpU=
 github.com/viant/assertly v0.4.8/go.mod h1:aGifi++jvCrUaklKEKT0BU95igDNaqkvz+49uaYMPRU=
 github.com/viant/toolbox v0.24.0/go.mod h1:OxMCG57V0PXuIP2HNQrtJf2CjqdmbrOx5EkMILuUhzM=
-github.com/xtls/go v0.0.0-20220914232946-0441cf4cf837 h1:AHhUwwFJGl27E46OpdJHplZkK09m7aETNBNzhT6t15M=
+github.com/xtls/reality v0.0.0-20230613075828-e07c3b04b983 h1:AMyzgjkh54WocjQSlCnT1LhDc/BKiUqtNOv40AkpURs=
-github.com/xtls/go v0.0.0-20220914232946-0441cf4cf837/go.mod h1:YJTRELIWrGxR1s8xcEBgxcxBfwQfMGjdvNLTjN9XFgY=
+github.com/xtls/reality v0.0.0-20230613075828-e07c3b04b983/go.mod h1:rkuAY1S9F8eI8gDiPDYvACE8e2uwkyg8qoOTuwWov7Y=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 go.opencensus.io v0.18.0/go.mod h1:vKdFvxhtzZ9onBp9VKHK8z/sRpBMnKAsufL7wlDrCOA=
-go.starlark.net v0.0.0-20221205180719-3fd0dac74452 h1:JZtNuL6LPB+scU5yaQ6hqRlJFRiddZm2FwRt2AQqtHA=
+go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
-go.starlark.net v0.0.0-20221205180719-3fd0dac74452/go.mod h1:kIVgS18CjmEC3PqMd5kaJSGEifyV/CeB9x506ZJ1Vbk=
+go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.starlark.net v0.0.0-20230105143730-d7da88764354 h1:MqQRg4vlpVc7cQoQBgQGPyP3N4FAhKlMQ/y/Akv4/xM=
 go.starlark.net v0.0.0-20230105143730-d7da88764354/go.mod h1:kIVgS18CjmEC3PqMd5kaJSGEifyV/CeB9x506ZJ1Vbk=
 go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ=
 go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go4.org v0.0.0-20180809161055-417644f6feb5/go.mod h1:MkTOUMDaeVYJUOUsaDXIhWPZYa1yOyC1qaOBpL57BhE=
 golang.org/x/build v0.0.0-20190111050920-041ab4dc3f9d/go.mod h1:OWs+y06UdEOHN4y+MfF/py+xQ/tYqIWW03b70/CG9Rw=
 golang.org/x/crypto v0.0.0-20181030102418-4d3f4d9ffa16/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190313024323-a1f597ede03a/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.5.0 h1:U/0M97KRkSFvyD/3FSmdP5W5swImpNgle/EHFhOsQPE=
+golang.org/x/crypto v0.10.0 h1:LKqV2xt9+kDzSTfOhx4FrkEBcMrAgHSYgzywV9zcGmM=
-golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU=
+golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20221217163422-3c43f8badb15 h1:5oN1Pz/eDhCpbMbLstvIPa0b/BEQo6g6nwV3pLjfM6w=
+golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 h1:k/i9J1pBpvlfR+9QsetwPyERsqu1GIbi967PQMq3Ivc=
-golang.org/x/exp v0.0.0-20221217163422-3c43f8badb15/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
+golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
 golang.org/x/exp v0.0.0-20230105202349-8879d0199aa3 h1:fJwx88sMf5RXwDwziL0/Mn9Wqs+efMSo/RYcL+37W9c=
 golang.org/x/exp v0.0.0-20230105202349-8879d0199aa3/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.7.0 h1:LapD9S96VoQRhi/GrNTqeBJFrUjs5UHCAtTlgwA5oZA=
+golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU=
-golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -237,14 +196,12 @@ golang.org/x/net v0.0.0-20181029044818-c44066c5c816/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20181106065722-10aee1819953/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190313220215-9f648a60d977/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.11.0 h1:Gi2tvZIJyBtO9SDr1q9h5hEQCp/4L2RQ+ar0qjx2oNU=
-golang.org/x/net v0.5.0 h1:GyT4nK/YDHSqa1c4753ouYCDajOYKTja9Xb/OHtgvSw=
+golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ=
 golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -256,8 +213,8 @@ golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
+golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181029174526-d69651ed3497/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -266,22 +223,16 @@ golang.org/x/sys v0.0.0-20190316082340-a2f829d7f35f/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s=
-golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.4.0 h1:Zr2JFtRQNX3BCZ8YtxRE9hNJYC8J6I1MVbMg6owUp18=
 golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.10.0 h1:UpjohKhiEgNc0CSauXmwYftY1+LlaC75SJwh0SgCX58=
-golang.org/x/text v0.6.0 h1:3XmdazWV+ubf7QgHSTWeykHOci5oeekaGJBLkrkaw4k=
+golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
@@ -291,15 +242,10 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm
 golang.org/x/tools v0.0.0-20181030000716-a0a13e073c7b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
+golang.org/x/tools v0.10.0 h1:tvDr/iQoUqNdohiYm0LmmKcBk+q86lb9EprIUFhHHGg=
-golang.org/x/tools v0.4.0 h1:7mTAgkunk3fr4GAloyyCasadO6h9zSsQZbwvcaIciV4=
+golang.org/x/tools v0.10.0/go.mod h1:UJwyiVBsOA2uwvK/e5OY3GTpDUJriEd+/YlqAwLPmyM=
 golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ=
 golang.org/x/tools v0.5.0 h1:+bSpV5HIeWkuvgaMfI3UmKRThoTA5ODJTUd8T17NO+4=
 golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -316,35 +262,20 @@ google.golang.org/genproto v0.0.0-20180831171423-11092d34479b/go.mod h1:JiN7NxoA
 google.golang.org/genproto v0.0.0-20181029155118-b69ba1387ce2/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20181202183823-bd91e49a0898/go.mod h1:7Ep/1NZk928CDR8SjdVbjWNpdIf6nzjE3BTgJDr2Atg=
 google.golang.org/genproto v0.0.0-20190306203927-b5d61aea6440/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc h1:XSJ8Vk1SWuNr8S18z1NZSziL0CPIXLCCMDOEFtHBOFc=
-google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
 google.golang.org/genproto v0.0.0-20221207170731-23e4bf6bdc37 h1:jmIfw8+gSvXcZSgaFAGyInDXeWzUhvYH57G/5GKMn70=
 google.golang.org/genproto v0.0.0-20221207170731-23e4bf6bdc37/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
 google.golang.org/genproto v0.0.0-20230106154932-a12b697841d9 h1:3wPBShTLWQnEkZ9VW/HZZ8zT/9LLtleBtq7l8SKtJIA=
 google.golang.org/genproto v0.0.0-20230106154932-a12b697841d9/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
 google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.16.0/go.mod h1:0JHn/cJsOMiMfNA9+DeHDlAU7KAAB5GDlYFpa9MZMio=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.56.0 h1:+y7Bs8rtMd07LeXmL3NxcTLn7mUkbKZqEpPhMNkwJEE=
-google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.56.0/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
 google.golang.org/grpc v1.51.0 h1:E1eGv1FTqoLIdnBCZufiSHgKjlqG6fKFf6pPWtMTh8U=
 google.golang.org/grpc v1.51.0/go.mod h1:wgNDFcnuBGmxLKI/qn4T+m5BtEBYXJPvibbUPsAIPww=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
 google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
+google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
-google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@@ -362,8 +293,7 @@ h12.io/socks v1.0.3/go.mod h1:AIhxy1jOId/XCz9BO+EIgNL2rQiPTBNnOfnVnQ+3Eck=
 honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+lukechampine.com/blake3 v1.2.1 h1:YuqqRuaqsGV71BV/nm9xlI0MKUv4QC54jQnBChWbGnI=
-lukechampine.com/blake3 v1.1.7 h1:GgRMhmdsuK8+ii6UZFDL8Nb+VyMwadAgcJyfYHxG6n0=
+lukechampine.com/blake3 v1.2.1/go.mod h1:0OFRp7fBtAylGVCO40o87sbupkyIGgbpv1+M1k1LM6k=
 lukechampine.com/blake3 v1.1.7/go.mod h1:tkKEOtDkNtklkXtLNEOGNq5tcV90tJiA1vAA12R78LA=
 sourcegraph.com/sourcegraph/go-diff v0.5.0/go.mod h1:kuch7UrkMzY0X+p9CRK03kfuPQ2zzQcaEFbx8wA8rck=
 sourcegraph.com/sqs/pbtypes v0.0.0-20180604144634-d3ebe8f20ae4/go.mod h1:ketZ/q3QxT9HOBeFhu6RdvsftgpsbFHBF5Cas6cDKZ0=
--- a/infra/conf/common.go
+++ b/infra/conf/common.go
@@ -45,6 +45,9 @@ func (v *Address) UnmarshalJSON(data []byte) error {
 	if err := json.Unmarshal(data, &rawStr); err != nil {
 		return newError("invalid address: ", string(data)).Base(err)
 	}
 	if strings.HasPrefix(rawStr, "env:") {
 		rawStr = os.Getenv(rawStr[4:])
 	}
 	v.Address = net.ParseAddress(rawStr)
 	return nil
@@ -115,8 +118,7 @@ func parseIntPort(data []byte) (net.Port, error) {
 func parseStringPort(s string) (net.Port, net.Port, error) {
 	if strings.HasPrefix(s, "env:") {
-		s = s[4:]
+		s = os.Getenv(s[4:])
 		s = os.Getenv(s)
 	}
 	pair := strings.SplitN(s, "-", 2)
--- a/infra/conf/dns_proxy.go
+++ b/infra/conf/dns_proxy.go
@@ -7,10 +7,11 @@ import (
 )
 type DNSOutboundConfig struct {
-	Network   Network  `json:"network"`
+	Network    Network  `json:"network"`
-	Address   *Address `json:"address"`
+	Address    *Address `json:"address"`
-	Port      uint16   `json:"port"`
+	Port       uint16   `json:"port"`
-	UserLevel uint32   `json:"userLevel"`
+	UserLevel  uint32   `json:"userLevel"`
 	NonIPQuery string   `json:"nonIPQuery"`
 }
 func (c *DNSOutboundConfig) Build() (proto.Message, error) {
@@ -24,5 +25,13 @@ func (c *DNSOutboundConfig) Build() (proto.Message, error) {
 	if c.Address != nil {
 		config.Server.Address = c.Address.Build()
 	}
 	switch c.NonIPQuery {
 	case "":
 		c.NonIPQuery = "drop"
 	case "drop", "skip":
 	default:
 		return nil, newError(`unknown "nonIPQuery": `, c.NonIPQuery)
 	}
 	config.Non_IPQuery = c.NonIPQuery
 	return config, nil
 }
--- a/infra/conf/freedom.go
+++ b/infra/conf/freedom.go
@@ -2,6 +2,7 @@ package conf
 import (
 	"net"
 	"strconv"
 	"strings"
 	"github.com/golang/protobuf/proto"
@@ -11,10 +12,17 @@ import (
 )
 type FreedomConfig struct {
-	DomainStrategy string  `json:"domainStrategy"`
+	DomainStrategy string    `json:"domainStrategy"`
-	Timeout        *uint32 `json:"timeout"`
+	Timeout        *uint32   `json:"timeout"`
-	Redirect       string  `json:"redirect"`
+	Redirect       string    `json:"redirect"`
-	UserLevel      uint32  `json:"userLevel"`
+	UserLevel      uint32    `json:"userLevel"`
 	Fragment       *Fragment `json:"fragment"`
 }
 type Fragment struct {
 	Packets  string `json:"packets"`
 	Length   string `json:"length"`
 	Interval string `json:"interval"`
 }
 // Build implements Buildable
@@ -30,6 +38,95 @@ func (c *FreedomConfig) Build() (proto.Message, error) {
 		config.DomainStrategy = freedom.Config_USE_IP6
 	}
 	if c.Fragment != nil {
 		if len(c.Fragment.Interval) == 0 || len(c.Fragment.Length) == 0 {
 			return nil, newError("Invalid interval or length")
 		}
 		intervalMinMax := strings.Split(c.Fragment.Interval, "-")
 		var minInterval, maxInterval int64
 		var err, err2 error
 		if len(intervalMinMax) == 2 {
 			minInterval, err = strconv.ParseInt(intervalMinMax[0], 10, 64)
 			maxInterval, err2 = strconv.ParseInt(intervalMinMax[1], 10, 64)
 		} else {
 			minInterval, err = strconv.ParseInt(intervalMinMax[0], 10, 64)
 			maxInterval = minInterval
 		}
 		if err != nil {
 			return nil, newError("Invalid minimum interval: ", err).Base(err)
 		}
 		if err2 != nil {
 			return nil, newError("Invalid maximum interval: ", err2).Base(err2)
 		}
 		lengthMinMax := strings.Split(c.Fragment.Length, "-")
 		var minLength, maxLength int64
 		if len(lengthMinMax) == 2 {
 			minLength, err = strconv.ParseInt(lengthMinMax[0], 10, 64)
 			maxLength, err2 = strconv.ParseInt(lengthMinMax[1], 10, 64)
 		} else {
 			minLength, err = strconv.ParseInt(lengthMinMax[0], 10, 64)
 			maxLength = minLength
 		}
 		if err != nil {
 			return nil, newError("Invalid minimum length: ", err).Base(err)
 		}
 		if err2 != nil {
 			return nil, newError("Invalid maximum length: ", err2).Base(err2)
 		}
 		if minInterval > maxInterval {
 			minInterval, maxInterval = maxInterval, minInterval
 		}
 		if minLength > maxLength {
 			minLength, maxLength = maxLength, minLength
 		}
 		config.Fragment = &freedom.Fragment{
 			MinInterval: int32(minInterval),
 			MaxInterval: int32(maxInterval),
 			MinLength:   int32(minLength),
 			MaxLength:   int32(maxLength),
 		}
 		switch strings.ToLower(c.Fragment.Packets) {
 		case "tlshello":
 			// TLS Hello Fragmentation (into multiple handshake messages)
 			config.Fragment.StartPacket = 0
 			config.Fragment.EndPacket = 1
 		case "":
 			// TCP Segmentation (all packets)
 			config.Fragment.StartPacket = 0
 			config.Fragment.EndPacket = 0
 		default:
 			// TCP Segmentation (range)
 			packetRange := strings.Split(c.Fragment.Packets, "-")
 			var startPacket, endPacket int64
 			if len(packetRange) == 2 {
 				startPacket, err = strconv.ParseInt(packetRange[0], 10, 64)
 				endPacket, err2 = strconv.ParseInt(packetRange[1], 10, 64)
 			} else {
 				startPacket, err = strconv.ParseInt(packetRange[0], 10, 64)
 				endPacket = startPacket
 			}
 			if err != nil {
 				return nil, newError("Invalid start packet: ", err).Base(err)
 			}
 			if err2 != nil {
 				return nil, newError("Invalid end packet: ", err2).Base(err2)
 			}
 			if startPacket > endPacket {
 				return nil, newError("Invalid packet range: ", c.Fragment.Packets)
 			}
 			if startPacket < 1 {
 				return nil, newError("Cannot start from packet 0")
 			}
 			config.Fragment.StartPacket = int32(startPacket)
 			config.Fragment.EndPacket = int32(endPacket)
 		}
 	}
 	if c.Timeout != nil {
 		config.Timeout = *c.Timeout
 	}
--- a/infra/conf/grpc.go
+++ b/infra/conf/grpc.go
@@ -12,6 +12,7 @@ type GRPCConfig struct {
 	HealthCheckTimeout  int32  `json:"health_check_timeout"`
 	PermitWithoutStream bool   `json:"permit_without_stream"`
 	InitialWindowsSize  int32  `json:"initial_windows_size"`
 	UserAgent           string `json:"user_agent"`
 }
 func (g *GRPCConfig) Build() (proto.Message, error) {
@@ -33,5 +34,6 @@ func (g *GRPCConfig) Build() (proto.Message, error) {
 		HealthCheckTimeout:  g.HealthCheckTimeout,
 		PermitWithoutStream: g.PermitWithoutStream,
 		InitialWindowsSize:  g.InitialWindowsSize,
 		UserAgent:           g.UserAgent,
 	}, nil
 }
--- a/infra/conf/mtproto.go
+++ b/infra/conf/mtproto.go
@@ -1,67 +0,0 @@
 package conf
 import (
 	"encoding/hex"
 	"encoding/json"
 	"github.com/golang/protobuf/proto"
 	"github.com/xtls/xray-core/common/protocol"
 	"github.com/xtls/xray-core/common/serial"
 	"github.com/xtls/xray-core/proxy/mtproto"
 )
 type MTProtoAccount struct {
 	Secret string `json:"secret"`
 }
 // Build implements Buildable
 func (a *MTProtoAccount) Build() (*mtproto.Account, error) {
 	if len(a.Secret) != 32 {
 		return nil, newError("MTProto secret must have 32 chars")
 	}
 	secret, err := hex.DecodeString(a.Secret)
 	if err != nil {
 		return nil, newError("failed to decode secret: ", a.Secret).Base(err)
 	}
 	return &mtproto.Account{
 		Secret: secret,
 	}, nil
 }
 type MTProtoServerConfig struct {
 	Users []json.RawMessage `json:"users"`
 }
 func (c *MTProtoServerConfig) Build() (proto.Message, error) {
 	config := &mtproto.ServerConfig{}
 	if len(c.Users) == 0 {
 		return nil, newError("zero MTProto users configured.")
 	}
 	config.User = make([]*protocol.User, len(c.Users))
 	for idx, rawData := range c.Users {
 		user := new(protocol.User)
 		if err := json.Unmarshal(rawData, user); err != nil {
 			return nil, newError("invalid MTProto user").Base(err)
 		}
 		account := new(MTProtoAccount)
 		if err := json.Unmarshal(rawData, account); err != nil {
 			return nil, newError("invalid MTProto user").Base(err)
 		}
 		accountProto, err := account.Build()
 		if err != nil {
 			return nil, newError("failed to parse MTProto user").Base(err)
 		}
 		user.Account = serial.ToTypedMessage(accountProto)
 		config.User[idx] = user
 	}
 	return config, nil
 }
 type MTProtoClientConfig struct{}
 func (c *MTProtoClientConfig) Build() (proto.Message, error) {
 	config := new(mtproto.ClientConfig)
 	return config, nil
 }
--- a/infra/conf/mtproto_test.go
+++ b/infra/conf/mtproto_test.go
@@ -1,40 +0,0 @@
 package conf_test
 import (
 	"testing"
 	"github.com/xtls/xray-core/common/protocol"
 	"github.com/xtls/xray-core/common/serial"
 	. "github.com/xtls/xray-core/infra/conf"
 	"github.com/xtls/xray-core/proxy/mtproto"
 )
 func TestMTProtoServerConfig(t *testing.T) {
 	creator := func() Buildable {
 		return new(MTProtoServerConfig)
 	}
 	runMultiTestCase(t, []TestCase{
 		{
 			Input: `{
 				"users": [{
 					"email": "love@example.com",
 					"level": 1,
 					"secret": "b0cbcef5a486d9636472ac27f8e11a9d"
 				}]
 			}`,
 			Parser: loadJSON(creator),
 			Output: &mtproto.ServerConfig{
 				User: []*protocol.User{
 					{
 						Email: "love@example.com",
 						Level: 1,
 						Account: serial.ToTypedMessage(&mtproto.Account{
 							Secret: []byte{176, 203, 206, 245, 164, 134, 217, 99, 100, 114, 172, 39, 248, 225, 26, 157},
 						}),
 					},
 				},
 			},
 		},
 	})
 }
--- a/infra/conf/router.go
+++ b/infra/conf/router.go
@@ -504,17 +504,17 @@ func ToCidrList(ips StringList) ([]*router.GeoIP, error) {
 func parseFieldRule(msg json.RawMessage) (*router.RoutingRule, error) {
 	type RawFieldRule struct {
 		RouterRule
-		Domain     *StringList  `json:"domain"`
+		Domain     *StringList       `json:"domain"`
-		Domains    *StringList  `json:"domains"`
+		Domains    *StringList       `json:"domains"`
-		IP         *StringList  `json:"ip"`
+		IP         *StringList       `json:"ip"`
-		Port       *PortList    `json:"port"`
+		Port       *PortList         `json:"port"`
-		Network    *NetworkList `json:"network"`
+		Network    *NetworkList      `json:"network"`
-		SourceIP   *StringList  `json:"source"`
+		SourceIP   *StringList       `json:"source"`
-		SourcePort *PortList    `json:"sourcePort"`
+		SourcePort *PortList         `json:"sourcePort"`
-		User       *StringList  `json:"user"`
+		User       *StringList       `json:"user"`
-		InboundTag *StringList  `json:"inboundTag"`
+		InboundTag *StringList       `json:"inboundTag"`
-		Protocols  *StringList  `json:"protocol"`
+		Protocols  *StringList       `json:"protocol"`
-		Attributes string       `json:"attrs"`
+		Attributes map[string]string `json:"attrs"`
 	}
 	rawFieldRule := new(RawFieldRule)
 	err := json.Unmarshal(msg, rawFieldRule)
--- a/infra/conf/serial/builder.go
+++ b/infra/conf/serial/builder.go
@@ -2,7 +2,6 @@ package serial
 import (
 	"io"
 	"path/filepath"
 	"github.com/xtls/xray-core/core"
 	"github.com/xtls/xray-core/infra/conf"
@@ -11,11 +10,7 @@ import (
 func BuildConfig(files []string, formats []string) (*core.Config, error) {
 	cf := &conf.Config{}
-	for i, file_ := range files {
+	for i, file := range files {
 		file, err := filepath.EvalSymlinks(file_)
 		if err != nil {
 			return nil, err
 		}
 		newError("Reading config: ", file).AtInfo().WriteToLog()
 		r, err := confloader.LoadConfig(file)
 		if err != nil {
--- a/infra/conf/shadowsocks.go
+++ b/infra/conf/shadowsocks.go
@@ -155,14 +155,15 @@ func buildShadowsocks2022(v *ShadowsocksServerConfig) (proto.Message, error) {
 }
 type ShadowsocksServerTarget struct {
-	Address  *Address `json:"address"`
+	Address    *Address `json:"address"`
-	Port     uint16   `json:"port"`
+	Port       uint16   `json:"port"`
-	Cipher   string   `json:"method"`
+	Cipher     string   `json:"method"`
-	Password string   `json:"password"`
+	Password   string   `json:"password"`
-	Email    string   `json:"email"`
+	Email      string   `json:"email"`
-	Level    byte     `json:"level"`
+	Level      byte     `json:"level"`
-	IVCheck  bool     `json:"ivCheck"`
+	IVCheck    bool     `json:"ivCheck"`
-	UoT      bool     `json:"uot"`
+	UoT        bool     `json:"uot"`
 	UoTVersion int      `json:"uotVersion"`
 }
 type ShadowsocksClientConfig struct {
@@ -193,6 +194,7 @@ func (v *ShadowsocksClientConfig) Build() (proto.Message, error) {
 			config.Method = server.Cipher
 			config.Key = server.Password
 			config.UdpOverTcp = server.UoT
 			config.UdpOverTcpVersion = uint32(server.UoTVersion)
 			return config, nil
 		}
 	}
--- a/infra/conf/transport_authenticators.go
+++ b/infra/conf/transport_authenticators.go
@@ -4,6 +4,7 @@ import (
 	"sort"
 	"github.com/golang/protobuf/proto"
 	"github.com/xtls/xray-core/transport/internet/headers/dns"
 	"github.com/xtls/xray-core/transport/internet/headers/http"
 	"github.com/xtls/xray-core/transport/internet/headers/noop"
 	"github.com/xtls/xray-core/transport/internet/headers/srtp"
@@ -49,6 +50,19 @@ func (WireguardAuthenticator) Build() (proto.Message, error) {
 	return new(wireguard.WireguardConfig), nil
 }
 type DNSAuthenticator struct {
 	Domain string `json:"domain"`
 }
 func (v *DNSAuthenticator) Build() (proto.Message, error) {
 	config := new(dns.Config)
 	config.Domain = "www.baidu.com"
 	if len(v.Domain) > 0 {
 		config.Domain = v.Domain
 	}
 	return config, nil
 }
 type DTLSAuthenticator struct{}
 func (DTLSAuthenticator) Build() (proto.Message, error) {
--- a/infra/conf/transport_internet.go
+++ b/infra/conf/transport_internet.go
@@ -2,13 +2,17 @@ package conf
 import (
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
 	"math"
 	"net/url"
 	"runtime"
 	"strconv"
 	"strings"
 	"syscall"
 	"github.com/golang/protobuf/proto"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/platform/filesystem"
 	"github.com/xtls/xray-core/common/protocol"
 	"github.com/xtls/xray-core/common/serial"
@@ -18,10 +22,10 @@ import (
 	"github.com/xtls/xray-core/transport/internet/http"
 	"github.com/xtls/xray-core/transport/internet/kcp"
 	"github.com/xtls/xray-core/transport/internet/quic"
 	"github.com/xtls/xray-core/transport/internet/reality"
 	"github.com/xtls/xray-core/transport/internet/tcp"
 	"github.com/xtls/xray-core/transport/internet/tls"
 	"github.com/xtls/xray-core/transport/internet/websocket"
 	"github.com/xtls/xray-core/transport/internet/xtls"
 )
 var (
@@ -32,6 +36,7 @@ var (
 		"wechat-video": func() interface{} { return new(WechatVideoAuthenticator) },
 		"dtls":         func() interface{} { return new(DTLSAuthenticator) },
 		"wireguard":    func() interface{} { return new(WireguardAuthenticator) },
 		"dns":          func() interface{} { return new(DNSAuthenticator) },
 	}, "type", "")
 	tcpHeaderLoader = NewJSONConfigLoader(ConfigCreatorCache{
@@ -338,19 +343,20 @@ func (c *TLSCertConfig) Build() (*tls.Certificate, error) {
 }
 type TLSConfig struct {
-	Insecure                         bool             `json:"allowInsecure"`
+	Insecure                             bool             `json:"allowInsecure"`
-	Certs                            []*TLSCertConfig `json:"certificates"`
+	Certs                                []*TLSCertConfig `json:"certificates"`
-	ServerName                       string           `json:"serverName"`
+	ServerName                           string           `json:"serverName"`
-	ALPN                             *StringList      `json:"alpn"`
+	ALPN                                 *StringList      `json:"alpn"`
-	EnableSessionResumption          bool             `json:"enableSessionResumption"`
+	EnableSessionResumption              bool             `json:"enableSessionResumption"`
-	DisableSystemRoot                bool             `json:"disableSystemRoot"`
+	DisableSystemRoot                    bool             `json:"disableSystemRoot"`
-	MinVersion                       string           `json:"minVersion"`
+	MinVersion                           string           `json:"minVersion"`
-	MaxVersion                       string           `json:"maxVersion"`
+	MaxVersion                           string           `json:"maxVersion"`
-	CipherSuites                     string           `json:"cipherSuites"`
+	CipherSuites                         string           `json:"cipherSuites"`
-	PreferServerCipherSuites         bool             `json:"preferServerCipherSuites"`
+	PreferServerCipherSuites             bool             `json:"preferServerCipherSuites"`
-	Fingerprint                      string           `json:"fingerprint"`
+	Fingerprint                          string           `json:"fingerprint"`
-	RejectUnknownSNI                 bool             `json:"rejectUnknownSni"`
+	RejectUnknownSNI                     bool             `json:"rejectUnknownSni"`
-	PinnedPeerCertificateChainSha256 *[]string        `json:"pinnedPeerCertificateChainSha256"`
+	PinnedPeerCertificateChainSha256     *[]string        `json:"pinnedPeerCertificateChainSha256"`
 	PinnedPeerCertificatePublicKeySha256 *[]string        `json:"pinnedPeerCertificatePublicKeySha256"`
 }
 // Build implements Buildable.
@@ -379,6 +385,9 @@ func (c *TLSConfig) Build() (proto.Message, error) {
 	config.CipherSuites = c.CipherSuites
 	config.PreferServerCipherSuites = c.PreferServerCipherSuites
 	config.Fingerprint = strings.ToLower(c.Fingerprint)
 	if config.Fingerprint != "" && tls.GetFingerprint(config.Fingerprint) == nil {
 		return nil, newError(`unknown fingerprint: `, config.Fingerprint)
 	}
 	config.RejectUnknownSni = c.RejectUnknownSNI
 	if c.PinnedPeerCertificateChainSha256 != nil {
@@ -392,111 +401,184 @@ func (c *TLSConfig) Build() (proto.Message, error) {
 		}
 	}
 	if c.PinnedPeerCertificatePublicKeySha256 != nil {
 		config.PinnedPeerCertificatePublicKeySha256 = [][]byte{}
 		for _, v := range *c.PinnedPeerCertificatePublicKeySha256 {
 			hashValue, err := base64.StdEncoding.DecodeString(v)
 			if err != nil {
 				return nil, err
 			}
 			config.PinnedPeerCertificatePublicKeySha256 = append(config.PinnedPeerCertificatePublicKeySha256, hashValue)
 		}
 	}
 	return config, nil
 }
-type XTLSCertConfig struct {
+type REALITYConfig struct {
-	CertFile       string   `json:"certificateFile"`
+	Show         bool            `json:"show"`
-	CertStr        []string `json:"certificate"`
+	Dest         json.RawMessage `json:"dest"`
-	KeyFile        string   `json:"keyFile"`
+	Type         string          `json:"type"`
-	KeyStr         []string `json:"key"`
+	Xver         uint64          `json:"xver"`
-	Usage          string   `json:"usage"`
+	ServerNames  []string        `json:"serverNames"`
-	OcspStapling   uint64   `json:"ocspStapling"`
+	PrivateKey   string          `json:"privateKey"`
-	OneTimeLoading bool     `json:"oneTimeLoading"`
+	MinClientVer string          `json:"minClientVer"`
 	MaxClientVer string          `json:"maxClientVer"`
 	MaxTimeDiff  uint64          `json:"maxTimeDiff"`
 	ShortIds     []string        `json:"shortIds"`
 	Fingerprint string `json:"fingerprint"`
 	ServerName  string `json:"serverName"`
 	PublicKey   string `json:"publicKey"`
 	ShortId     string `json:"shortId"`
 	SpiderX     string `json:"spiderX"`
 }
-// Build implements Buildable.
+func (c *REALITYConfig) Build() (proto.Message, error) {
-func (c *XTLSCertConfig) Build() (*xtls.Certificate, error) {
+	config := new(reality.Config)
-	certificate := new(xtls.Certificate)
+	config.Show = c.Show
-	cert, err := readFileOrString(c.CertFile, c.CertStr)
+	var err error
-	if err != nil {
+	if c.Dest != nil {
-		return nil, newError("failed to parse certificate").Base(err)
+		var i uint16
-	}
+		var s string
-	certificate.Certificate = cert
+		if err = json.Unmarshal(c.Dest, &i); err == nil {
-	certificate.CertificatePath = c.CertFile
+			s = strconv.Itoa(int(i))
-
+		} else {
-	if len(c.KeyFile) > 0 || len(c.KeyStr) > 0 {
+			_ = json.Unmarshal(c.Dest, &s)
 		key, err := readFileOrString(c.KeyFile, c.KeyStr)
 		if err != nil {
 			return nil, newError("failed to parse key").Base(err)
 		}
-		certificate.Key = key
+		if c.Type == "" && s != "" {
-		certificate.KeyPath = c.KeyFile
+			switch s[0] {
-	}
+			case '@', '/':
-
+				c.Type = "unix"
-	switch strings.ToLower(c.Usage) {
+				if s[0] == '@' && len(s) > 1 && s[1] == '@' && (runtime.GOOS == "linux" || runtime.GOOS == "android") {
-	case "encipherment":
+					fullAddr := make([]byte, len(syscall.RawSockaddrUnix{}.Path)) // may need padding to work with haproxy
-		certificate.Usage = xtls.Certificate_ENCIPHERMENT
+					copy(fullAddr, s[1:])
-	case "verify":
+					s = string(fullAddr)
-		certificate.Usage = xtls.Certificate_AUTHORITY_VERIFY
+				}
-	case "issue":
+			default:
-		certificate.Usage = xtls.Certificate_AUTHORITY_ISSUE
+				if _, err = strconv.Atoi(s); err == nil {
-	default:
+					s = "127.0.0.1:" + s
-		certificate.Usage = xtls.Certificate_ENCIPHERMENT
+				}
-	}
+				if _, _, err = net.SplitHostPort(s); err == nil {
-	if certificate.KeyPath == "" && certificate.CertificatePath == "" {
+					c.Type = "tcp"
-		certificate.OneTimeLoading = true
+				}
 	} else {
 		certificate.OneTimeLoading = c.OneTimeLoading
 	}
 	certificate.OcspStapling = c.OcspStapling
 	return certificate, nil
 }
 type XTLSConfig struct {
 	Insecure                         bool              `json:"allowInsecure"`
 	Certs                            []*XTLSCertConfig `json:"certificates"`
 	ServerName                       string            `json:"serverName"`
 	ALPN                             *StringList       `json:"alpn"`
 	EnableSessionResumption          bool              `json:"enableSessionResumption"`
 	DisableSystemRoot                bool              `json:"disableSystemRoot"`
 	MinVersion                       string            `json:"minVersion"`
 	MaxVersion                       string            `json:"maxVersion"`
 	CipherSuites                     string            `json:"cipherSuites"`
 	PreferServerCipherSuites         bool              `json:"preferServerCipherSuites"`
 	RejectUnknownSNI                 bool              `json:"rejectUnknownSni"`
 	PinnedPeerCertificateChainSha256 *[]string         `json:"pinnedPeerCertificateChainSha256"`
 }
 // Build implements Buildable.
 func (c *XTLSConfig) Build() (proto.Message, error) {
 	config := new(xtls.Config)
 	config.Certificate = make([]*xtls.Certificate, len(c.Certs))
 	for idx, certConf := range c.Certs {
 		cert, err := certConf.Build()
 		if err != nil {
 			return nil, err
 		}
 		config.Certificate[idx] = cert
 	}
 	serverName := c.ServerName
 	config.AllowInsecure = c.Insecure
 	if len(c.ServerName) > 0 {
 		config.ServerName = serverName
 	}
 	if c.ALPN != nil && len(*c.ALPN) > 0 {
 		config.NextProtocol = []string(*c.ALPN)
 	}
 	config.EnableSessionResumption = c.EnableSessionResumption
 	config.DisableSystemRoot = c.DisableSystemRoot
 	config.MinVersion = c.MinVersion
 	config.MaxVersion = c.MaxVersion
 	config.CipherSuites = c.CipherSuites
 	config.PreferServerCipherSuites = c.PreferServerCipherSuites
 	config.RejectUnknownSni = c.RejectUnknownSNI
 	if c.PinnedPeerCertificateChainSha256 != nil {
 		config.PinnedPeerCertificateChainSha256 = [][]byte{}
 		for _, v := range *c.PinnedPeerCertificateChainSha256 {
 			hashValue, err := base64.StdEncoding.DecodeString(v)
 			if err != nil {
 				return nil, err
 			}
 			config.PinnedPeerCertificateChainSha256 = append(config.PinnedPeerCertificateChainSha256, hashValue)
 		}
 		if c.Type == "" {
 			return nil, newError(`please fill in a valid value for "dest"`)
 		}
 		if c.Xver > 2 {
 			return nil, newError(`invalid PROXY protocol version, "xver" only accepts 0, 1, 2`)
 		}
 		if len(c.ServerNames) == 0 {
 			return nil, newError(`empty "serverNames"`)
 		}
 		if c.PrivateKey == "" {
 			return nil, newError(`empty "privateKey"`)
 		}
 		if config.PrivateKey, err = base64.RawURLEncoding.DecodeString(c.PrivateKey); err != nil || len(config.PrivateKey) != 32 {
 			return nil, newError(`invalid "privateKey": `, c.PrivateKey)
 		}
 		if c.MinClientVer != "" {
 			config.MinClientVer = make([]byte, 3)
 			var u uint64
 			for i, s := range strings.Split(c.MinClientVer, ".") {
 				if i == 3 {
 					return nil, newError(`invalid "minClientVer": `, c.MinClientVer)
 				}
 				if u, err = strconv.ParseUint(s, 10, 8); err != nil {
 					return nil, newError(`"minClientVer[`, i, `]" should be lesser than 256`)
 				} else {
 					config.MinClientVer[i] = byte(u)
 				}
 			}
 		}
 		if c.MaxClientVer != "" {
 			config.MaxClientVer = make([]byte, 3)
 			var u uint64
 			for i, s := range strings.Split(c.MaxClientVer, ".") {
 				if i == 3 {
 					return nil, newError(`invalid "maxClientVer": `, c.MaxClientVer)
 				}
 				if u, err = strconv.ParseUint(s, 10, 8); err != nil {
 					return nil, newError(`"maxClientVer[`, i, `]" should be lesser than 256`)
 				} else {
 					config.MaxClientVer[i] = byte(u)
 				}
 			}
 		}
 		if len(c.ShortIds) == 0 {
 			return nil, newError(`empty "shortIds"`)
 		}
 		config.ShortIds = make([][]byte, len(c.ShortIds))
 		for i, s := range c.ShortIds {
 			config.ShortIds[i] = make([]byte, 8)
 			if _, err = hex.Decode(config.ShortIds[i], []byte(s)); err != nil {
 				return nil, newError(`invalid "shortIds[`, i, `]": `, s)
 			}
 		}
 		config.Dest = s
 		config.Type = c.Type
 		config.Xver = c.Xver
 		config.ServerNames = c.ServerNames
 		config.MaxTimeDiff = c.MaxTimeDiff
 	} else {
 		if c.Fingerprint == "" {
 			return nil, newError(`empty "fingerprint"`)
 		}
 		if config.Fingerprint = strings.ToLower(c.Fingerprint); tls.GetFingerprint(config.Fingerprint) == nil {
 			return nil, newError(`unknown "fingerprint": `, config.Fingerprint)
 		}
 		if config.Fingerprint == "hellogolang" {
 			return nil, newError(`invalid "fingerprint": `, config.Fingerprint)
 		}
 		if len(c.ServerNames) != 0 {
 			return nil, newError(`non-empty "serverNames", please use "serverName" instead`)
 		}
 		if c.PublicKey == "" {
 			return nil, newError(`empty "publicKey"`)
 		}
 		if config.PublicKey, err = base64.RawURLEncoding.DecodeString(c.PublicKey); err != nil || len(config.PublicKey) != 32 {
 			return nil, newError(`invalid "publicKey": `, c.PublicKey)
 		}
 		if len(c.ShortIds) != 0 {
 			return nil, newError(`non-empty "shortIds", please use "shortId" instead`)
 		}
 		config.ShortId = make([]byte, 8)
 		if _, err = hex.Decode(config.ShortId, []byte(c.ShortId)); err != nil {
 			return nil, newError(`invalid "shortId": `, c.ShortId)
 		}
 		if c.SpiderX == "" {
 			c.SpiderX = "/"
 		}
 		if c.SpiderX[0] != '/' {
 			return nil, newError(`invalid "spiderX": `, c.SpiderX)
 		}
 		config.SpiderY = make([]int64, 10)
 		u, _ := url.Parse(c.SpiderX)
 		q := u.Query()
 		parse := func(param string, index int) {
 			if q.Get(param) != "" {
 				s := strings.Split(q.Get(param), "-")
 				if len(s) == 1 {
 					config.SpiderY[index], _ = strconv.ParseInt(s[0], 10, 64)
 					config.SpiderY[index+1], _ = strconv.ParseInt(s[0], 10, 64)
 				} else {
 					config.SpiderY[index], _ = strconv.ParseInt(s[0], 10, 64)
 					config.SpiderY[index+1], _ = strconv.ParseInt(s[1], 10, 64)
 				}
 			}
 			q.Del(param)
 		}
 		parse("p", 0) // padding
 		parse("c", 2) // concurrency
 		parse("t", 4) // times
 		parse("i", 6) // interval
 		parse("r", 8) // return
 		u.RawQuery = q.Encode()
 		config.SpiderX = u.String()
 		config.ServerName = c.ServerName
 	}
 	return config, nil
 }
@@ -534,6 +616,12 @@ type SocketConfig struct {
 	TCPKeepAliveInterval int32       `json:"tcpKeepAliveInterval"`
 	TCPKeepAliveIdle     int32       `json:"tcpKeepAliveIdle"`
 	TCPCongestion        string      `json:"tcpCongestion"`
 	TCPWindowClamp       int32       `json:"tcpWindowClamp"`
 	TCPMaxSeg            int32       `json:"tcpMaxSeg"`
 	TcpNoDelay           bool        `json:"tcpNoDelay"`
 	TCPUserTimeout       int32       `json:"tcpUserTimeout"`
 	V6only               bool        `json:"v6only"`
 	Interface            string      `json:"interface"`
 }
 // Build implements Buildable.
@@ -583,23 +671,29 @@ func (c *SocketConfig) Build() (*internet.SocketConfig, error) {
 		TcpKeepAliveInterval: c.TCPKeepAliveInterval,
 		TcpKeepAliveIdle:     c.TCPKeepAliveIdle,
 		TcpCongestion:        c.TCPCongestion,
 		TcpWindowClamp:       c.TCPWindowClamp,
 		TcpMaxSeg:            c.TCPMaxSeg,
 		TcpNoDelay:           c.TcpNoDelay,
 		TcpUserTimeout:       c.TCPUserTimeout,
 		V6Only:               c.V6only,
 		Interface:            c.Interface,
 	}, nil
 }
 type StreamConfig struct {
-	Network        *TransportProtocol  `json:"network"`
+	Network         *TransportProtocol  `json:"network"`
-	Security       string              `json:"security"`
+	Security        string              `json:"security"`
-	TLSSettings    *TLSConfig          `json:"tlsSettings"`
+	TLSSettings     *TLSConfig          `json:"tlsSettings"`
-	XTLSSettings   *XTLSConfig         `json:"xtlsSettings"`
+	REALITYSettings *REALITYConfig      `json:"realitySettings"`
-	TCPSettings    *TCPConfig          `json:"tcpSettings"`
+	TCPSettings     *TCPConfig          `json:"tcpSettings"`
-	KCPSettings    *KCPConfig          `json:"kcpSettings"`
+	KCPSettings     *KCPConfig          `json:"kcpSettings"`
-	WSSettings     *WebSocketConfig    `json:"wsSettings"`
+	WSSettings      *WebSocketConfig    `json:"wsSettings"`
-	HTTPSettings   *HTTPConfig         `json:"httpSettings"`
+	HTTPSettings    *HTTPConfig         `json:"httpSettings"`
-	DSSettings     *DomainSocketConfig `json:"dsSettings"`
+	DSSettings      *DomainSocketConfig `json:"dsSettings"`
-	QUICSettings   *QUICConfig         `json:"quicSettings"`
+	QUICSettings    *QUICConfig         `json:"quicSettings"`
-	SocketSettings *SocketConfig       `json:"sockopt"`
+	SocketSettings  *SocketConfig       `json:"sockopt"`
-	GRPCConfig     *GRPCConfig         `json:"grpcSettings"`
+	GRPCConfig      *GRPCConfig         `json:"grpcSettings"`
-	GUNConfig      *GRPCConfig         `json:"gunSettings"`
+	GUNConfig       *GRPCConfig         `json:"gunSettings"`
 }
 // Build implements Buildable.
@@ -614,12 +708,11 @@ func (c *StreamConfig) Build() (*internet.StreamConfig, error) {
 		}
 		config.ProtocolName = protocol
 	}
-	if strings.EqualFold(c.Security, "tls") {
+	switch strings.ToLower(c.Security) {
 	case "", "none":
 	case "tls":
 		tlsSettings := c.TLSSettings
 		if tlsSettings == nil {
 			if c.XTLSSettings != nil {
 				return nil, newError(`TLS: Please use "tlsSettings" instead of "xtlsSettings".`)
 			}
 			tlsSettings = &TLSConfig{}
 		}
 		ts, err := tlsSettings.Build()
@@ -629,25 +722,24 @@ func (c *StreamConfig) Build() (*internet.StreamConfig, error) {
 		tm := serial.ToTypedMessage(ts)
 		config.SecuritySettings = append(config.SecuritySettings, tm)
 		config.SecurityType = tm.Type
-	}
+	case "reality":
-	if strings.EqualFold(c.Security, "xtls") {
+		if config.ProtocolName != "tcp" && config.ProtocolName != "http" && config.ProtocolName != "grpc" && config.ProtocolName != "domainsocket" {
-		if config.ProtocolName != "tcp" && config.ProtocolName != "mkcp" && config.ProtocolName != "domainsocket" {
+			return nil, newError("REALITY only supports TCP, H2, gRPC and DomainSocket for now.")
 			return nil, newError("XTLS only supports TCP, mKCP and DomainSocket for now.")
 		}
-		xtlsSettings := c.XTLSSettings
+		if c.REALITYSettings == nil {
-		if xtlsSettings == nil {
+			return nil, newError(`REALITY: Empty "realitySettings".`)
 			if c.TLSSettings != nil {
 				return nil, newError(`XTLS: Please use "xtlsSettings" instead of "tlsSettings".`)
 			}
 			xtlsSettings = &XTLSConfig{}
 		}
-		ts, err := xtlsSettings.Build()
+		ts, err := c.REALITYSettings.Build()
 		if err != nil {
-			return nil, newError("Failed to build XTLS config.").Base(err)
+			return nil, newError("Failed to build REALITY config.").Base(err)
 		}
 		tm := serial.ToTypedMessage(ts)
 		config.SecuritySettings = append(config.SecuritySettings, tm)
 		config.SecurityType = tm.Type
 	case "xtls":
 		return nil, newError(`Please use VLESS flow "xtls-rprx-vision" with TLS or REALITY.`)
 	default:
 		return nil, newError(`Unknown security "` + c.Security + `".`)
 	}
 	if c.TCPSettings != nil {
 		ts, err := c.TCPSettings.Build()
--- a/infra/conf/trojan.go
+++ b/infra/conf/trojan.go
@@ -53,11 +53,7 @@ func (c *TrojanClientConfig) Build() (proto.Message, error) {
 		}
 		switch account.Flow {
-		case "", "xtls-rprx-origin", "xtls-rprx-origin-udp443", "xtls-rprx-direct", "xtls-rprx-direct-udp443":
+		case "":
 		case "xtls-rprx-splice", "xtls-rprx-splice-udp443":
 			if runtime.GOOS != "linux" && runtime.GOOS != "android" {
 				return nil, newError(`Trojan servers: "` + account.Flow + `" only support linux in this version`)
 			}
 		default:
 			return nil, newError(`Trojan servers: "flow" doesn't support "` + account.Flow + `" in this version`)
 		}
@@ -119,9 +115,7 @@ func (c *TrojanServerConfig) Build() (proto.Message, error) {
 		}
 		switch account.Flow {
-		case "", "xtls-rprx-origin", "xtls-rprx-direct":
+		case "":
 		case "xtls-rprx-splice":
 			return nil, newError(`Trojan clients: inbound doesn't support "xtls-rprx-splice" in this version, please use "xtls-rprx-direct" instead`)
 		default:
 			return nil, newError(`Trojan clients: "flow" doesn't support "` + account.Flow + `" in this version`)
 		}
--- a/infra/conf/vless.go
+++ b/infra/conf/vless.go
@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"runtime"
 	"strconv"
 	"strings"
 	"syscall"
 	"github.com/golang/protobuf/proto"
@@ -53,18 +52,8 @@ func (c *VLessInboundConfig) Build() (proto.Message, error) {
 		}
 		account.Id = u.String()
-		accountFlow := account.Flow
+		switch account.Flow {
-		flows := strings.Split(account.Flow, ",")
+		case "", vless.XRV:
 		for _, f := range flows {
 			t := strings.TrimSpace(f)
 			if t != "none" {
 				accountFlow = t
 			}
 		}
 		switch accountFlow {
 		case "", vless.XRO, vless.XRD, vless.XRV:
 		case vless.XRS:
 			return nil, newError(`VLESS clients: inbound doesn't support "xtls-rprx-splice" in this version, please use "xtls-rprx-direct" instead`)
 		default:
 			return nil, newError(`VLESS clients: "flow" doesn't support "` + account.Flow + `" in this version`)
 		}
@@ -191,11 +180,7 @@ func (c *VLessOutboundConfig) Build() (proto.Message, error) {
 			account.Id = u.String()
 			switch account.Flow {
-			case "", vless.XRO, vless.XRO + "-udp443", vless.XRD, vless.XRD + "-udp443", vless.XRV, vless.XRV + "-udp443":
+			case "", vless.XRV, vless.XRV + "-udp443":
 			case vless.XRS, vless.XRS + "-udp443":
 				if runtime.GOOS != "linux" && runtime.GOOS != "android" {
 					return nil, newError(`VLESS users: "` + account.Flow + `" only support linux in this version`)
 				}
 			default:
 				return nil, newError(`VLESS users: "flow" doesn't support "` + account.Flow + `" in this version`)
 			}
--- a/infra/conf/vless_test.go
+++ b/infra/conf/vless_test.go
@@ -26,7 +26,7 @@ func TestVLessOutbound(t *testing.T) {
 					"users": [
 						{
 							"id": "27848739-7e62-4138-9fd3-098a63964b6b",
-							"flow": "xtls-rprx-direct-udp443",
+							"flow": "xtls-rprx-vision-udp443",
 							"encryption": "none",
 							"level": 0
 						}
@@ -47,7 +47,7 @@ func TestVLessOutbound(t *testing.T) {
 							{
 								Account: serial.ToTypedMessage(&vless.Account{
 									Id:         "27848739-7e62-4138-9fd3-098a63964b6b",
-									Flow:       "xtls-rprx-direct-udp443",
+									Flow:       "xtls-rprx-vision-udp443",
 									Encryption: "none",
 								}),
 								Level: 0,
@@ -71,7 +71,7 @@ func TestVLessInbound(t *testing.T) {
 				"clients": [
 					{
 						"id": "27848739-7e62-4138-9fd3-098a63964b6b",
-						"flow": "xtls-rprx-direct",
+						"flow": "xtls-rprx-vision",
 						"level": 0,
 						"email": "love@example.com"
 					}
@@ -98,7 +98,7 @@ func TestVLessInbound(t *testing.T) {
 					{
 						Account: serial.ToTypedMessage(&vless.Account{
 							Id:   "27848739-7e62-4138-9fd3-098a63964b6b",
-							Flow: "xtls-rprx-direct",
+							Flow: "xtls-rprx-vision",
 						}),
 						Level: 0,
 						Email: "love@example.com",
--- a/infra/conf/vmess.go
+++ b/infra/conf/vmess.go
@@ -15,7 +15,6 @@ import (
 type VMessAccount struct {
 	ID          string `json:"id"`
 	AlterIds    uint16 `json:"alterId"`
 	Security    string `json:"security"`
 	Experiments string `json:"experiments"`
 }
@@ -38,8 +37,7 @@ func (a *VMessAccount) Build() *vmess.Account {
 		st = protocol.SecurityType_AUTO
 	}
 	return &vmess.Account{
-		Id:      a.ID,
+		Id: a.ID,
 		AlterId: uint32(a.AlterIds),
 		SecuritySettings: &protocol.SecurityConfig{
 			Type: st,
 		},
@@ -63,14 +61,12 @@ type FeaturesConfig struct {
 }
 type VMessDefaultConfig struct {
-	AlterIDs uint16 `json:"alterId"`
+	Level byte `json:"level"`
 	Level    byte   `json:"level"`
 }
 // Build implements Buildable
 func (c *VMessDefaultConfig) Build() *inbound.DefaultConfig {
 	config := new(inbound.DefaultConfig)
 	config.AlterId = uint32(c.AlterIDs)
 	config.Level = uint32(c.Level)
 	return config
 }
@@ -80,14 +76,11 @@ type VMessInboundConfig struct {
 	Features     *FeaturesConfig     `json:"features"`
 	Defaults     *VMessDefaultConfig `json:"default"`
 	DetourConfig *VMessDetourConfig  `json:"detour"`
 	SecureOnly   bool                `json:"disableInsecureEncryption"`
 }
 // Build implements Buildable
 func (c *VMessInboundConfig) Build() (proto.Message, error) {
-	config := &inbound.Config{
+	config := &inbound.Config{}
 		SecureEncryptionOnly: c.SecureOnly,
 	}
 	if c.Defaults != nil {
 		config.Default = c.Defaults.Build()
--- a/infra/conf/vmess_test.go
+++ b/infra/conf/vmess_test.go
@@ -105,7 +105,6 @@ func TestVMessInbound(t *testing.T) {
 				Detour: &inbound.DetourConfig{
 					To: "tag_to_detour",
 				},
 				SecureEncryptionOnly: true,
 			},
 		},
 	})
--- a/infra/conf/wireguard.go
+++ b/infra/conf/wireguard.go
@@ -52,6 +52,7 @@ type WireGuardConfig struct {
 	Peers      []*WireGuardPeerConfig `json:"peers"`
 	MTU        int                    `json:"mtu"`
 	NumWorkers int                    `json:"workers"`
 	Reserved   []byte                 `json:"reserved"`
 }
 func (c *WireGuardConfig) Build() (proto.Message, error) {
@@ -90,6 +91,11 @@ func (c *WireGuardConfig) Build() (proto.Message, error) {
 	// we don't need to process fallback manually
 	config.NumWorkers = int32(c.NumWorkers)
 	if len(c.Reserved) != 0 && len(c.Reserved) != 3 {
 		return nil, newError(`"reserved" should be empty or 3 bytes`)
 	}
 	config.Reserved = c.Reserved
 	return config, nil
 }
--- a/infra/conf/xray.go
+++ b/infra/conf/xray.go
@@ -13,7 +13,6 @@ import (
 	"github.com/xtls/xray-core/common/serial"
 	core "github.com/xtls/xray-core/core"
 	"github.com/xtls/xray-core/transport/internet"
 	"github.com/xtls/xray-core/transport/internet/xtls"
 )
 var (
@@ -25,7 +24,6 @@ var (
 		"vless":         func() interface{} { return new(VLessInboundConfig) },
 		"vmess":         func() interface{} { return new(VMessInboundConfig) },
 		"trojan":        func() interface{} { return new(TrojanServerConfig) },
 		"mtproto":       func() interface{} { return new(MTProtoServerConfig) },
 	}, "protocol", "settings")
 	outboundConfigLoader = NewJSONConfigLoader(ConfigCreatorCache{
@@ -38,7 +36,6 @@ var (
 		"vless":       func() interface{} { return new(VLessOutboundConfig) },
 		"vmess":       func() interface{} { return new(VMessOutboundConfig) },
 		"trojan":      func() interface{} { return new(TrojanClientConfig) },
 		"mtproto":     func() interface{} { return new(MTProtoClientConfig) },
 		"dns":         func() interface{} { return new(DNSOutboundConfig) },
 		"wireguard":   func() interface{} { return new(WireGuardConfig) },
 	}, "protocol", "settings")
@@ -108,25 +105,27 @@ func (c *SniffingConfig) Build() (*proxyman.SniffingConfig, error) {
 }
 type MuxConfig struct {
-	Enabled     bool  `json:"enabled"`
+	Enabled         bool   `json:"enabled"`
-	Concurrency int16 `json:"concurrency"`
+	Concurrency     int16  `json:"concurrency"`
 	XudpConcurrency int16  `json:"xudpConcurrency"`
 	XudpProxyUDP443 string `json:"xudpProxyUDP443"`
 }
 // Build creates MultiplexingConfig, Concurrency < 0 completely disables mux.
-func (m *MuxConfig) Build() *proxyman.MultiplexingConfig {
+func (m *MuxConfig) Build() (*proxyman.MultiplexingConfig, error) {
-	if m.Concurrency < 0 {
+	switch m.XudpProxyUDP443 {
-		return nil
+	case "":
 		m.XudpProxyUDP443 = "reject"
 	case "reject", "allow", "skip":
 	default:
 		return nil, newError(`unknown "xudpProxyUDP443": `, m.XudpProxyUDP443)
 	}
 	var con uint32 = 8
 	if m.Concurrency > 0 {
 		con = uint32(m.Concurrency)
 	}
 	return &proxyman.MultiplexingConfig{
-		Enabled:     m.Enabled,
+		Enabled:         m.Enabled,
-		Concurrency: con,
+		Concurrency:     int32(m.Concurrency),
-	}
+		XudpConcurrency: int32(m.XudpConcurrency),
 		XudpProxyUDP443: m.XudpProxyUDP443,
 	}, nil
 }
 type InboundDetourAllocationConfig struct {
@@ -236,9 +235,6 @@ func (c *InboundDetourConfig) Build() (*core.InboundHandlerConfig, error) {
 		if err != nil {
 			return nil, err
 		}
 		if ss.SecurityType == serial.GetMessageType(&xtls.Config{}) && !strings.EqualFold(c.Protocol, "vless") && !strings.EqualFold(c.Protocol, "trojan") {
 			return nil, newError("XTLS doesn't supports " + c.Protocol + " for now.")
 		}
 		receiverSettings.StreamSettings = ss
 	}
 	if c.SniffingConfig != nil {
@@ -319,9 +315,6 @@ func (c *OutboundDetourConfig) Build() (*core.OutboundHandlerConfig, error) {
 		if err != nil {
 			return nil, err
 		}
 		if ss.SecurityType == serial.GetMessageType(&xtls.Config{}) && !strings.EqualFold(c.Protocol, "vless") && !strings.EqualFold(c.Protocol, "trojan") {
 			return nil, newError("XTLS doesn't supports " + c.Protocol + " for now.")
 		}
 		senderSettings.StreamSettings = ss
 	}
@@ -346,13 +339,9 @@ func (c *OutboundDetourConfig) Build() (*core.OutboundHandlerConfig, error) {
 	}
 	if c.MuxSettings != nil {
-		ms := c.MuxSettings.Build()
+		ms, err := c.MuxSettings.Build()
-		if ms != nil && ms.Enabled {
+		if err != nil {
-			if ss := senderSettings.StreamSettings; ss != nil {
+			return nil, newError("failed to build Mux config.").Base(err)
 				if ss.SecurityType == serial.GetMessageType(&xtls.Config{}) {
 					return nil, newError("XTLS doesn't support Mux for now.")
 				}
 			}
 		}
 		senderSettings.MultiplexSettings = ms
 	}
--- a/infra/conf/xray_test.go
+++ b/infra/conf/xray_test.go
@@ -340,24 +340,35 @@ func TestMuxConfig_Build(t *testing.T) {
 		want   *proxyman.MultiplexingConfig
 	}{
 		{"default", `{"enabled": true, "concurrency": 16}`, &proxyman.MultiplexingConfig{
-			Enabled:     true,
+			Enabled:         true,
-			Concurrency: 16,
+			Concurrency:     16,
 			XudpConcurrency: 0,
 			XudpProxyUDP443: "reject",
 		}},
 		{"empty def", `{}`, &proxyman.MultiplexingConfig{
-			Enabled:     false,
+			Enabled:         false,
-			Concurrency: 8,
+			Concurrency:     0,
 			XudpConcurrency: 0,
 			XudpProxyUDP443: "reject",
 		}},
 		{"not enable", `{"enabled": false, "concurrency": 4}`, &proxyman.MultiplexingConfig{
-			Enabled:     false,
+			Enabled:         false,
-			Concurrency: 4,
+			Concurrency:     4,
 			XudpConcurrency: 0,
 			XudpProxyUDP443: "reject",
 		}},
 		{"forbidden", `{"enabled": false, "concurrency": -1}`, &proxyman.MultiplexingConfig{
 			Enabled:         false,
 			Concurrency:     -1,
 			XudpConcurrency: 0,
 			XudpProxyUDP443: "reject",
 		}},
 		{"forbidden", `{"enabled": false, "concurrency": -1}`, nil},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			m := &MuxConfig{}
 			common.Must(json.Unmarshal([]byte(tt.fields), m))
-			if got := m.Build(); !reflect.DeepEqual(got, tt.want) {
+			if got, _ := m.Build(); !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("MuxConfig.Build() = %v, want %v", got, tt.want)
 			}
 		})
--- a/Show More
+++ b/Show More