v1.8.3

And fixed a memory leak
And regenerated *.pb.go

.github/docker/Dockerfile

@@ -0,0 +1,22 @@
+# syntax=docker/dockerfile:1
+FROM --platform=$BUILDPLATFORM golang:alpine AS build
+WORKDIR /src
+COPY . .
+ARG TARGETOS TARGETARCH
+RUN GOOS=$TARGETOS GOARCH=$TARGETARCH CGO_ENABLED=0 go build -o xray -trimpath -ldflags "-s -w -buildid=" ./main
+
+FROM --platform=${TARGETPLATFORM} alpine:latest
+WORKDIR /root
+COPY .github/docker/files/config.json /etc/xray/config.json
+COPY --from=build /src/xray /usr/bin/xray
+RUN set -ex \
+	&& apk add --no-cache tzdata ca-certificates \
+	&& mkdir -p /var/log/xray /usr/share/xray \
+    && chmod +x /usr/bin/xray \
+	&& wget -O /usr/share/xray/geosite.dat https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat \
+	&& wget -O /usr/share/xray/geoip.dat https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat
+
+VOLUME /etc/xray
+ENV TZ=Asia/Shanghai
+ENTRYPOINT [ "/usr/bin/xray" ]
+CMD [ "-config", "/etc/xray/config.json" ]

.github/docker/files/config.json

@@ -0,0 +1,18 @@
+{
+  "inbounds": [{
+    "port": 9000,
+    "protocol": "vmess",
+    "settings": {
+      "clients": [
+        {
+          "id": "1eb6e917-774b-4a84-aff6-b058577c60a5",
+          "level": 1
+        }
+      ]
+    }
+  }],
+  "outbounds": [{
+    "protocol": "freedom",
+    "settings": {}
+  }]
+}

.github/workflows/docker.yml

@@ -0,0 +1,45 @@
+name: Build docker image
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  build-image:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - uses: actions/checkout@v3
+      - name: Docker metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ghcr.io/${{ github.repository_owner }}/xray-core
+          flavor: latest=true
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - # Add support for more platforms with QEMU (optional)
+        # https://github.com/docker/setup-qemu-action
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Build and push
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          file: .github/docker/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/release.yml

@@ -20,7 +20,51 @@ on:
       - "go.sum"
       - ".github/workflows/*.yml"
 jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Restore Cache
+        uses: actions/cache/restore@v3
+        with:
+          path: resources
+          key: xray-geodat-
+
+      - name: Update Geodat
+        id: update
+        uses: nick-fields/retry@v2
+        with:
+          timeout_minutes: 60
+          retry_wait_seconds: 60
+          max_attempts: 60
+          command: |
+            [ -d 'resources' ] || mkdir resources
+            LIST=('geoip geoip geoip' 'domain-list-community dlc geosite')
+            for i in "${LIST[@]}"
+            do
+              INFO=($(echo $i | awk 'BEGIN{FS=" ";OFS=" "} {print $1,$2,$3}'))
+              FILE_NAME="${INFO[2]}.dat"
+              echo -e "Verifying HASH key..."
+              HASH="$(curl -sL "https://raw.githubusercontent.com/v2fly/${INFO[0]}/release/${INFO[1]}.dat.sha256sum" | awk -F ' ' '{print $1}')"
+              if [ -s "./resources/${FILE_NAME}" ] && [ "$(sha256sum "./resources/${FILE_NAME}" | awk -F ' ' '{print $1}')" == "${HASH}" ]; then
+                  continue
+              else
+                  echo -e "Downloading https://raw.githubusercontent.com/v2fly/${INFO[0]}/release/${INFO[1]}.dat..."
+                  curl -L "https://raw.githubusercontent.com/v2fly/${INFO[0]}/release/${INFO[1]}.dat" -o ./resources/${FILE_NAME}
+                  echo -e "Verifying HASH key..."
+                  [ "$(sha256sum "./resources/${FILE_NAME}" | awk -F ' ' '{print $1}')" == "${HASH}" ] || { echo -e "The HASH key of ${FILE_NAME} does not match cloud one."; exit 1; }
+                  echo "unhit=true" >> $GITHUB_OUTPUT
+              fi
+            done
+
+      - name: Save Cache
+        uses: actions/cache/save@v3
+        if: ${{ steps.update.outputs.unhit }}
+        with:
+          path: resources
+          key: xray-geodat-${{ github.sha }}-${{ github.run_number }}
+
   build:
+    needs: prepare
     permissions:
       contents: write
     strategy:
@@ -121,7 +165,7 @@ jobs:
           echo "ASSET_NAME=$_NAME" >> $GITHUB_ENV
 
       - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version: '1.20'
           check-latest: true
@@ -160,26 +204,17 @@ jobs:
           cd ./build_assets || exit 1
           mv xray xray.exe
 
-      - name: Prepare to release
-        uses: nick-fields/retry@v2
+      - name: Restore Cache
+        uses: actions/cache/restore@v3
         with:
-          timeout_minutes: 60
-          retry_wait_seconds: 60
-          max_attempts: 60
-          command: |
-            cp ${GITHUB_WORKSPACE}/README.md ./build_assets/README.md
-            cp ${GITHUB_WORKSPACE}/LICENSE ./build_assets/LICENSE
-            LIST=('geoip geoip geoip' 'domain-list-community dlc geosite')
-            for i in "${LIST[@]}"
-            do
-              INFO=($(echo $i | awk 'BEGIN{FS=" ";OFS=" "} {print $1,$2,$3}'))
-              FILE_NAME="${INFO[2]}.dat"
-              echo -e "Downloading https://raw.githubusercontent.com/v2fly/${INFO[0]}/release/${INFO[1]}.dat..."
-              curl -L "https://raw.githubusercontent.com/v2fly/${INFO[0]}/release/${INFO[1]}.dat" -o ./build_assets/${FILE_NAME}
-              echo -e "Verifying HASH key..."
-              HASH="$(curl -sL "https://raw.githubusercontent.com/v2fly/${INFO[0]}/release/${INFO[1]}.dat.sha256sum" | awk -F ' ' '{print $1}')"
-              [ "$(sha256sum "./build_assets/${FILE_NAME}" | awk -F ' ' '{print $1}')" == "${HASH}" ] || { echo -e "The HASH key of ${FILE_NAME} does not match cloud one."; exit 1; }
-            done
+          path: resources
+          key: xray-geodat-
+
+      - name: Copy README.md & LICENSE
+        run: |
+          mv -f resources/* build_assets
+          cp ${GITHUB_WORKSPACE}/README.md ./build_assets/README.md
+          cp ${GITHUB_WORKSPACE}/LICENSE ./build_assets/LICENSE
 
       - name: Create ZIP archive
         shell: bash

.github/workflows/test.yml

@@ -28,24 +28,17 @@ jobs:
         os: [windows-latest, ubuntu-latest, macos-latest]
     steps:
       - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v4
         with:
           go-version: '1.20'
           check-latest: true
       - name: Checkout codebase
         uses: actions/checkout@v3
-
-      - name: Prepare geo*dat
-        if: ${{ matrix.os != 'windows-latest' }}
-        run: |
-          mkdir resources
-          wget -O ./resources/geoip.dat https://github.com/v2fly/geoip/releases/latest/download/geoip.dat
-          wget -O ./resources/geosite.dat https://github.com/v2fly/domain-list-community/releases/latest/download/dlc.dat
-      - name: Prepare geo*dat for Windows
-        if: ${{ matrix.os == 'windows-latest' }}
-        run: |
-          mkdir resources
-          Invoke-WebRequest -Uri "https://github.com/v2fly/geoip/releases/latest/download/geoip.dat" -OutFile "./resources/geoip.dat"
-          Invoke-WebRequest -Uri "https://github.com/v2fly/domain-list-community/releases/latest/download/dlc.dat" -OutFile "./resources/geosite.dat"
+      - name: Restore Cache
+        uses: actions/cache/restore@v3
+        with:
+          path: resources
+          key: xray-geodat-
+          enableCrossOsArchive: true
       - name: Test
         run: go test -timeout 1h -v ./...

README.md

@@ -1,78 +1,113 @@
 # Project X
 
-[Project X](https://github.com/XTLS) originates from XTLS protocol, provides a set of network tools such as [Xray-core](https://github.com/XTLS/Xray-core).
+[Project X](https://github.com/XTLS) originates from XTLS protocol, providing a set of network tools such as [Xray-core](https://github.com/XTLS/Xray-core) and [REALITY](https://github.com/XTLS/REALITY).
+
+[README](https://github.com/XTLS/Xray-core#readme) is open, so feel free to submit your project [here](https://github.com/XTLS/Xray-core/pulls).
 
 ## License
 
 [Mozilla Public License Version 2.0](https://github.com/XTLS/Xray-core/blob/main/LICENSE)
 
+## Documentation
+
+[Project X Official Website](https://xtls.github.io)
+
+## Telegram
+
+[Project X](https://t.me/projectXray)
+
+[Project X Channel](https://t.me/projectXtls)
+
 ## Installation
 
 - Linux Script
-  - [Xray-install](https://github.com/XTLS/Xray-install)
-  - [Xray-script](https://github.com/kirin10000/Xray-script)
+  - [XTLS/Xray-install](https://github.com/XTLS/Xray-install)
 - Docker
   - [teddysun/xray](https://hub.docker.com/r/teddysun/xray)
+- Web Panel
+  - [X-UI](https://github.com/FranzKafkaYu/x-ui), [X-UI-English](https://github.com/NidukaAkalanka/x-ui-english), [3X-UI](https://github.com/MHSanaei/3x-ui), [X-UI](https://github.com/alireza0/x-ui), [X-UI](https://github.com/diditra/x-ui)
+  - [Xray-UI](https://github.com/qist/xray-ui), [X-UI](https://github.com/sing-web/x-ui)
+  - [Hiddify](https://github.com/hiddify/hiddify-config)
+  - [Marzban](https://github.com/Gozargah/Marzban)
+  - [Libertea](https://github.com/VZiChoushaDui/Libertea)
 - One Click
-  - [ProxySU](https://github.com/proxysu/ProxySU)
-  - [v2ray-agent](https://github.com/mack-a/v2ray-agent)
-  - [Xray-yes](https://github.com/jiuqi9997/Xray-yes)
-  - [Xray_onekey](https://github.com/wulabing/Xray_onekey)
+  - [Xray-REALITY](https://github.com/zxcvos/Xray-script), [xray-reality](https://github.com/sajjaddg/xray-reality), [reality-ezpz](https://github.com/aleskxyz/reality-ezpz)
+  - [Xray-script](https://github.com/kirin10000/Xray-script), [Xray_bash_onekey](https://github.com/hello-yunshu/Xray_bash_onekey), [XTool](https://github.com/LordPenguin666/XTool)
+  - [v2ray-agent](https://github.com/mack-a/v2ray-agent), [Xray_onekey](https://github.com/wulabing/Xray_onekey), [ProxySU](https://github.com/proxysu/ProxySU)
 - Magisk
-  - [Xray4Magisk](https://github.com/CerteKim/Xray4Magisk)
+  - [Xray4Magisk](https://github.com/Asterisk4Magisk/Xray4Magisk)
   - [Xray_For_Magisk](https://github.com/E7KMbb/Xray_For_Magisk)
 - Homebrew
   - `brew install xray`
-  - [(Tap) Repository 0](https://github.com/N4FA/homebrew-xray)
-  - [(Tap) Repository 1](https://github.com/xiruizhao/homebrew-xray)
-
-## Contributing
-[Code Of Conduct](https://github.com/XTLS/Xray-core/blob/main/CODE_OF_CONDUCT.md)
 
 ## Usage
 
-[Xray-examples](https://github.com/XTLS/Xray-examples) / [VLESS-TCP-XTLS-WHATEVER](https://github.com/XTLS/Xray-examples/tree/main/VLESS-TCP-XTLS-WHATEVER)
+- Example
+  - [VLESS-XTLS-uTLS-REALITY](https://github.com/XTLS/REALITY#readme)
+  - [VLESS-TCP-XTLS-Vision](https://github.com/XTLS/Xray-examples/tree/main/VLESS-TCP-XTLS-Vision)
+  - [All-in-One-fallbacks-Nginx](https://github.com/XTLS/Xray-examples/tree/main/All-in-One-fallbacks-Nginx)
+- Xray-examples
+  - [XTLS/Xray-examples](https://github.com/XTLS/Xray-examples)
+  - [chika0801/Xray-examples](https://github.com/chika0801/Xray-examples)
+  - [lxhao61/integrated-examples](https://github.com/lxhao61/integrated-examples)
+- Tutorial
+  - [XTLS Vision](https://github.com/chika0801/Xray-install)
+  - [REALITY (English)](https://cscot.pages.dev/2023/03/02/Xray-REALITY-tutorial/)
+  - [XTLS-Iran-Reality (English)](https://github.com/SasukeFreestyle/XTLS-Iran-Reality)
 
 ## GUI Clients
 
 - OpenWrt
-  - [PassWall](https://github.com/xiaorouji/openwrt-passwall)
-  - [Hello World](https://github.com/jerrykuku/luci-app-vssr)
+  - [PassWall](https://github.com/xiaorouji/openwrt-passwall), [PassWall 2](https://github.com/xiaorouji/openwrt-passwall2)
   - [ShadowSocksR Plus+](https://github.com/fw876/helloworld)
   - [luci-app-xray](https://github.com/yichya/luci-app-xray) ([openwrt-xray](https://github.com/yichya/openwrt-xray))
 - Windows
   - [v2rayN](https://github.com/2dust/v2rayN)
-  - [Qv2ray](https://github.com/Qv2ray/Qv2ray) (This project had been archived and currently inactive)
-  - [Netch (NetFilter & TUN/TAP)](https://github.com/NetchX/Netch) (This project had been archived and currently inactive)
+  - [HiddifyN](https://github.com/hiddify/HiddifyN)
+  - [Invisible Man - Xray](https://github.com/InvisibleManVPN/InvisibleMan-XRayClient)
 - Android
   - [v2rayNG](https://github.com/2dust/v2rayNG)
-  - [Kitsunebi](https://github.com/rurirei/Kitsunebi/tree/release_xtls)
-- iOS & macOS (with M1 chip)
-  - [Shadowrocket](https://apps.apple.com/app/shadowrocket/id932747118)
-  - [Stash](https://apps.apple.com/app/stash/id1596063349)
-- macOS (Intel chip & M1 chip)
-  - [Qv2ray](https://github.com/Qv2ray/Qv2ray) (This project had been archived and currently inactive)
+  - [HiddifyNG](https://github.com/hiddify/HiddifyNG)
+  - [X-flutter](https://github.com/XTLS/X-flutter)
+- iOS & macOS arm64
+  - [Mango](https://github.com/arror/Mango)
+  - [FoXray](https://apps.apple.com/app/foxray/id6448898396)
+- macOS arm64 & x64
   - [V2RayXS](https://github.com/tzmax/V2RayXS)
+  - [FoXray](https://apps.apple.com/app/foxray/id6448898396)
+- Linux
+  - [v2rayA](https://github.com/v2rayA/v2rayA)
+
+## Others that support VLESS, XTLS, REALITY, XUDP, PLUX...
+
+- iOS & macOS arm64
+  - [Shadowrocket](https://apps.apple.com/app/shadowrocket/id932747118)
+- Xray Wrapper
+  - [XTLS/libXray](https://github.com/XTLS/libXray)
+  - [xtlsapi](https://github.com/hiddify/xtlsapi)
+  - [AndroidLibXrayLite](https://github.com/2dust/AndroidLibXrayLite)
+  - [XrayKit](https://github.com/arror/XrayKit)
+- [XrayR](https://github.com/XrayR-project/XrayR)
+  - [XrayR-release](https://github.com/XrayR-project/XrayR-release)
+  - [XrayR-V2Board](https://github.com/missuo/XrayR-V2Board)
+- [Clash.Meta](https://github.com/MetaCubeX/Clash.Meta)
+  - [Clash Verge](https://github.com/zzzgydi/clash-verge)
+  - [clashN](https://github.com/2dust/clashN)
+  - [Clash Meta for Android](https://github.com/MetaCubeX/ClashMetaForAndroid)
+  - [meta_for_ios](https://t.me/meta_for_ios)
+- [sing-box](https://github.com/SagerNet/sing-box)
+  - [installReality](https://github.com/BoxXt/installReality)
+  - [sbox-reality](https://github.com/Misaka-blog/sbox-reality)
+  - [sing-box-for-ios](https://github.com/SagerNet/sing-box-for-ios)
+
+## Contributing
+
+[Code of Conduct](https://github.com/XTLS/Xray-core/blob/main/CODE_OF_CONDUCT.md)
 
 ## Credits
 
-This repo relies on the following third-party projects:
-
-- Special thanks:
-  - [v2fly/v2ray-core](https://github.com/v2fly/v2ray-core)
-- In production:
-  - [ghodss/yaml](https://github.com/ghodss/yaml)
-  - [gorilla/websocket](https://github.com/gorilla/websocket)
-  - [quic-go/quic-go](https://github.com/quic-go/quic-go)
-  - [pelletier/go-toml](https://github.com/pelletier/go-toml)
-  - [pires/go-proxyproto](https://github.com/pires/go-proxyproto)
-  - [refraction-networking/utls](https://github.com/refraction-networking/utls)
-  - [seiflotfy/cuckoofilter](https://github.com/seiflotfy/cuckoofilter)
-  - [google/starlark-go](https://github.com/google/starlark-go)
-- For testing only:
-  - [miekg/dns](https://github.com/miekg/dns)
-  - [stretchr/testify](https://github.com/stretchr/testify)
-  - [h12w/socks](https://github.com/h12w/socks)
+- [Xray-core v1.0.0](https://github.com/XTLS/Xray-core/releases/tag/v1.0.0) was forked from [v2fly-core 9a03cc5](https://github.com/v2fly/v2ray-core/commit/9a03cc5c98d04cc28320fcee26dbc236b3291256), and we have made & accumulated a huge number of enhancements over time, check [the release notes for each version](https://github.com/XTLS/Xray-core/releases).
+- For third-party projects used in [Xray-core](https://github.com/XTLS/Xray-core), check your local or [the latest go.mod](https://github.com/XTLS/Xray-core/blob/main/go.mod).
 
 ## Compilation
 
@@ -88,12 +123,6 @@ go build -o xray.exe -trimpath -ldflags "-s -w -buildid=" ./main
 go build -o xray -trimpath -ldflags "-s -w -buildid=" ./main
 ```
 
-## Telegram
-
-[Project X](https://t.me/projectXray)
-
-[Project X Channel](https://t.me/projectXtls)
-
 ## Stargazers over time
 
 [![Stargazers over time](https://starchart.cc/XTLS/Xray-core.svg)](https://starchart.cc/XTLS/Xray-core)

app/commander/config.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: app/commander/config.proto
 
 package commander

app/dispatcher/config.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: app/dispatcher/config.proto
 
 package dispatcher

app/dispatcher/default.go

@@ -342,29 +342,27 @@ func (d *DefaultDispatcher) DispatchLink(ctx context.Context, destination net.De
 	}
 	sniffingRequest := content.SniffingRequest
 	if !sniffingRequest.Enabled {
-		go d.routedDispatch(ctx, outbound, destination)
+		d.routedDispatch(ctx, outbound, destination)
 	} else {
-		go func() {
-			cReader := &cachedReader{
-				reader: outbound.Reader.(*pipe.Reader),
+		cReader := &cachedReader{
+			reader: outbound.Reader.(*pipe.Reader),
+		}
+		outbound.Reader = cReader
+		result, err := sniffer(ctx, cReader, sniffingRequest.MetadataOnly, destination.Network)
+		if err == nil {
+			content.Protocol = result.Protocol()
+		}
+		if err == nil && d.shouldOverride(ctx, result, sniffingRequest, destination) {
+			domain := result.Domain()
+			newError("sniffed domain: ", domain).WriteToLog(session.ExportIDToError(ctx))
+			destination.Address = net.ParseAddress(domain)
+			if sniffingRequest.RouteOnly && result.Protocol() != "fakedns" {
+				ob.RouteTarget = destination
+			} else {
+				ob.Target = destination
 			}
-			outbound.Reader = cReader
-			result, err := sniffer(ctx, cReader, sniffingRequest.MetadataOnly, destination.Network)
-			if err == nil {
-				content.Protocol = result.Protocol()
-			}
-			if err == nil && d.shouldOverride(ctx, result, sniffingRequest, destination) {
-				domain := result.Domain()
-				newError("sniffed domain: ", domain).WriteToLog(session.ExportIDToError(ctx))
-				destination.Address = net.ParseAddress(domain)
-				if sniffingRequest.RouteOnly && result.Protocol() != "fakedns" {
-					ob.RouteTarget = destination
-				} else {
-					ob.Target = destination
-				}
-			}
-			d.routedDispatch(ctx, outbound, destination)
-		}()
+		}
+		d.routedDispatch(ctx, outbound, destination)
 	}
 
 	return nil

app/dns/config.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: app/dns/config.proto
 
 package dns
@@ -219,14 +219,14 @@ type Config struct {
 	// the moment. A special value 'localhost' as a domain address can be set to
 	// use DNS on local system.
 	//
-	// Deprecated: Do not use.
+	// Deprecated: Marked as deprecated in app/dns/config.proto.
 	NameServers []*net.Endpoint `protobuf:"bytes,1,rep,name=NameServers,proto3" json:"NameServers,omitempty"`
 	// NameServer list used by this DNS client.
 	NameServer []*NameServer `protobuf:"bytes,5,rep,name=name_server,json=nameServer,proto3" json:"name_server,omitempty"`
 	// Static hosts. Domain to IP.
 	// Deprecated. Use static_hosts.
 	//
-	// Deprecated: Do not use.
+	// Deprecated: Marked as deprecated in app/dns/config.proto.
 	Hosts map[string]*net.IPOrDomain `protobuf:"bytes,2,rep,name=Hosts,proto3" json:"Hosts,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
 	// Client IP for EDNS client subnet. Must be 4 bytes (IPv4) or 16 bytes
 	// (IPv6).
@@ -273,7 +273,7 @@ func (*Config) Descriptor() ([]byte, []int) {
 	return file_app_dns_config_proto_rawDescGZIP(), []int{1}
 }
 
-// Deprecated: Do not use.
+// Deprecated: Marked as deprecated in app/dns/config.proto.
 func (x *Config) GetNameServers() []*net.Endpoint {
 	if x != nil {
 		return x.NameServers
@@ -288,7 +288,7 @@ func (x *Config) GetNameServer() []*NameServer {
 	return nil
 }
 
-// Deprecated: Do not use.
+// Deprecated: Marked as deprecated in app/dns/config.proto.
 func (x *Config) GetHosts() map[string]*net.IPOrDomain {
 	if x != nil {
 		return x.Hosts

app/dns/dns.go

@@ -215,7 +215,7 @@ func (s *DNS) LookupIP(domain string, option dns.IPOption) ([]net.IP, error) {
 			newError("failed to lookup ip for domain ", domain, " at server ", client.Name()).Base(err).WriteToLog()
 			errs = append(errs, err)
 		}
-		if err != context.Canceled && err != context.DeadlineExceeded && err != errExpectedIPNonMatch {
+		if err != context.Canceled && err != context.DeadlineExceeded && err != errExpectedIPNonMatch && err != dns.ErrEmptyResponse {
 			return nil, err
 		}
 	}

app/dns/dns_test.go

@@ -13,6 +13,7 @@ import (
 	_ "github.com/xtls/xray-core/app/proxyman/outbound"
 	"github.com/xtls/xray-core/app/router"
 	"github.com/xtls/xray-core/common"
+	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/serial"
 	"github.com/xtls/xray-core/core"
@@ -260,7 +261,7 @@ func TestUDPServer(t *testing.T) {
 			IPv6Enable: true,
 			FakeEnable: false,
 		})
-		if err != feature_dns.ErrEmptyResponse {
+		if !errors.AllEqual(feature_dns.ErrEmptyResponse, errors.Cause(err)) {
 			t.Fatal("error: ", err)
 		}
 		if len(ips) != 0 {

app/dns/fakedns/fakedns.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: app/dns/fakedns/fakedns.proto
 
 package fakedns

app/dns/nameserver_quic.go

@@ -373,8 +373,8 @@ func (s *QUICNameServer) openConnection() (quic.Connection, error) {
 	quicConfig := &quic.Config{
 		HandshakeIdleTimeout: handshakeTimeout,
 	}
-
-	conn, err := quic.DialAddrContext(context.Background(), s.destination.NetAddr(), tlsConfig.GetTLSConfig(tls.WithNextProto("http/1.1", http2.NextProtoTLS, NextProtoDQ)), quicConfig)
+	tlsConfig.ServerName = s.destination.Address.String()
+	conn, err := quic.DialAddr(context.Background(), s.destination.NetAddr(), tlsConfig.GetTLSConfig(tls.WithNextProto("http/1.1", http2.NextProtoTLS, NextProtoDQ)), quicConfig)
 	log.Record(&log.AccessMessage{
 		From:   "DNS",
 		To:     s.destination,

app/log/command/config.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: app/log/command/config.proto
 
 package command

app/log/command/config_grpc.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.2.0
-// - protoc             v3.21.12
+// - protoc-gen-go-grpc v1.3.0
+// - protoc             v4.23.1
 // source: app/log/command/config.proto
 
 package command
@@ -18,6 +18,10 @@ import (
 // Requires gRPC-Go v1.32.0 or later.
 const _ = grpc.SupportPackageIsVersion7
 
+const (
+	LoggerService_RestartLogger_FullMethodName = "/xray.app.log.command.LoggerService/RestartLogger"
+)
+
 // LoggerServiceClient is the client API for LoggerService service.
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
@@ -35,7 +39,7 @@ func NewLoggerServiceClient(cc grpc.ClientConnInterface) LoggerServiceClient {
 
 func (c *loggerServiceClient) RestartLogger(ctx context.Context, in *RestartLoggerRequest, opts ...grpc.CallOption) (*RestartLoggerResponse, error) {
 	out := new(RestartLoggerResponse)
-	err := c.cc.Invoke(ctx, "/xray.app.log.command.LoggerService/RestartLogger", in, out, opts...)
+	err := c.cc.Invoke(ctx, LoggerService_RestartLogger_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -80,7 +84,7 @@ func _LoggerService_RestartLogger_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/xray.app.log.command.LoggerService/RestartLogger",
+		FullMethod: LoggerService_RestartLogger_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(LoggerServiceServer).RestartLogger(ctx, req.(*RestartLoggerRequest))

app/log/config.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: app/log/config.proto
 
 package log

app/metrics/config.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: app/metrics/config.proto
 
 package metrics

app/observatory/command/command.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: app/observatory/command/command.proto
 
 package command

app/observatory/command/command_grpc.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.2.0
-// - protoc             v3.21.12
+// - protoc-gen-go-grpc v1.3.0
+// - protoc             v4.23.1
 // source: app/observatory/command/command.proto
 
 package command
@@ -18,6 +18,10 @@ import (
 // Requires gRPC-Go v1.32.0 or later.
 const _ = grpc.SupportPackageIsVersion7
 
+const (
+	ObservatoryService_GetOutboundStatus_FullMethodName = "/xray.core.app.observatory.command.ObservatoryService/GetOutboundStatus"
+)
+
 // ObservatoryServiceClient is the client API for ObservatoryService service.
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
@@ -35,7 +39,7 @@ func NewObservatoryServiceClient(cc grpc.ClientConnInterface) ObservatoryService
 
 func (c *observatoryServiceClient) GetOutboundStatus(ctx context.Context, in *GetOutboundStatusRequest, opts ...grpc.CallOption) (*GetOutboundStatusResponse, error) {
 	out := new(GetOutboundStatusResponse)
-	err := c.cc.Invoke(ctx, "/xray.core.app.observatory.command.ObservatoryService/GetOutboundStatus", in, out, opts...)
+	err := c.cc.Invoke(ctx, ObservatoryService_GetOutboundStatus_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -80,7 +84,7 @@ func _ObservatoryService_GetOutboundStatus_Handler(srv interface{}, ctx context.
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/xray.core.app.observatory.command.ObservatoryService/GetOutboundStatus",
+		FullMethod: ObservatoryService_GetOutboundStatus_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(ObservatoryServiceServer).GetOutboundStatus(ctx, req.(*GetOutboundStatusRequest))

app/observatory/config.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: app/observatory/config.proto
 
 package observatory

app/policy/config.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: app/policy/config.proto
 
 package policy

app/proxyman/command/command.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: app/proxyman/command/command.proto
 
 package command

app/proxyman/command/command_grpc.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.2.0
-// - protoc             v3.21.12
+// - protoc-gen-go-grpc v1.3.0
+// - protoc             v4.23.1
 // source: app/proxyman/command/command.proto
 
 package command
@@ -18,6 +18,15 @@ import (
 // Requires gRPC-Go v1.32.0 or later.
 const _ = grpc.SupportPackageIsVersion7
 
+const (
+	HandlerService_AddInbound_FullMethodName     = "/xray.app.proxyman.command.HandlerService/AddInbound"
+	HandlerService_RemoveInbound_FullMethodName  = "/xray.app.proxyman.command.HandlerService/RemoveInbound"
+	HandlerService_AlterInbound_FullMethodName   = "/xray.app.proxyman.command.HandlerService/AlterInbound"
+	HandlerService_AddOutbound_FullMethodName    = "/xray.app.proxyman.command.HandlerService/AddOutbound"
+	HandlerService_RemoveOutbound_FullMethodName = "/xray.app.proxyman.command.HandlerService/RemoveOutbound"
+	HandlerService_AlterOutbound_FullMethodName  = "/xray.app.proxyman.command.HandlerService/AlterOutbound"
+)
+
 // HandlerServiceClient is the client API for HandlerService service.
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
@@ -40,7 +49,7 @@ func NewHandlerServiceClient(cc grpc.ClientConnInterface) HandlerServiceClient {
 
 func (c *handlerServiceClient) AddInbound(ctx context.Context, in *AddInboundRequest, opts ...grpc.CallOption) (*AddInboundResponse, error) {
 	out := new(AddInboundResponse)
-	err := c.cc.Invoke(ctx, "/xray.app.proxyman.command.HandlerService/AddInbound", in, out, opts...)
+	err := c.cc.Invoke(ctx, HandlerService_AddInbound_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -49,7 +58,7 @@ func (c *handlerServiceClient) AddInbound(ctx context.Context, in *AddInboundReq
 
 func (c *handlerServiceClient) RemoveInbound(ctx context.Context, in *RemoveInboundRequest, opts ...grpc.CallOption) (*RemoveInboundResponse, error) {
 	out := new(RemoveInboundResponse)
-	err := c.cc.Invoke(ctx, "/xray.app.proxyman.command.HandlerService/RemoveInbound", in, out, opts...)
+	err := c.cc.Invoke(ctx, HandlerService_RemoveInbound_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -58,7 +67,7 @@ func (c *handlerServiceClient) RemoveInbound(ctx context.Context, in *RemoveInbo
 
 func (c *handlerServiceClient) AlterInbound(ctx context.Context, in *AlterInboundRequest, opts ...grpc.CallOption) (*AlterInboundResponse, error) {
 	out := new(AlterInboundResponse)
-	err := c.cc.Invoke(ctx, "/xray.app.proxyman.command.HandlerService/AlterInbound", in, out, opts...)
+	err := c.cc.Invoke(ctx, HandlerService_AlterInbound_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -67,7 +76,7 @@ func (c *handlerServiceClient) AlterInbound(ctx context.Context, in *AlterInboun
 
 func (c *handlerServiceClient) AddOutbound(ctx context.Context, in *AddOutboundRequest, opts ...grpc.CallOption) (*AddOutboundResponse, error) {
 	out := new(AddOutboundResponse)
-	err := c.cc.Invoke(ctx, "/xray.app.proxyman.command.HandlerService/AddOutbound", in, out, opts...)
+	err := c.cc.Invoke(ctx, HandlerService_AddOutbound_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -76,7 +85,7 @@ func (c *handlerServiceClient) AddOutbound(ctx context.Context, in *AddOutboundR
 
 func (c *handlerServiceClient) RemoveOutbound(ctx context.Context, in *RemoveOutboundRequest, opts ...grpc.CallOption) (*RemoveOutboundResponse, error) {
 	out := new(RemoveOutboundResponse)
-	err := c.cc.Invoke(ctx, "/xray.app.proxyman.command.HandlerService/RemoveOutbound", in, out, opts...)
+	err := c.cc.Invoke(ctx, HandlerService_RemoveOutbound_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -85,7 +94,7 @@ func (c *handlerServiceClient) RemoveOutbound(ctx context.Context, in *RemoveOut
 
 func (c *handlerServiceClient) AlterOutbound(ctx context.Context, in *AlterOutboundRequest, opts ...grpc.CallOption) (*AlterOutboundResponse, error) {
 	out := new(AlterOutboundResponse)
-	err := c.cc.Invoke(ctx, "/xray.app.proxyman.command.HandlerService/AlterOutbound", in, out, opts...)
+	err := c.cc.Invoke(ctx, HandlerService_AlterOutbound_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -150,7 +159,7 @@ func _HandlerService_AddInbound_Handler(srv interface{}, ctx context.Context, de
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/xray.app.proxyman.command.HandlerService/AddInbound",
+		FullMethod: HandlerService_AddInbound_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HandlerServiceServer).AddInbound(ctx, req.(*AddInboundRequest))
@@ -168,7 +177,7 @@ func _HandlerService_RemoveInbound_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/xray.app.proxyman.command.HandlerService/RemoveInbound",
+		FullMethod: HandlerService_RemoveInbound_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HandlerServiceServer).RemoveInbound(ctx, req.(*RemoveInboundRequest))
@@ -186,7 +195,7 @@ func _HandlerService_AlterInbound_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/xray.app.proxyman.command.HandlerService/AlterInbound",
+		FullMethod: HandlerService_AlterInbound_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HandlerServiceServer).AlterInbound(ctx, req.(*AlterInboundRequest))
@@ -204,7 +213,7 @@ func _HandlerService_AddOutbound_Handler(srv interface{}, ctx context.Context, d
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/xray.app.proxyman.command.HandlerService/AddOutbound",
+		FullMethod: HandlerService_AddOutbound_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HandlerServiceServer).AddOutbound(ctx, req.(*AddOutboundRequest))
@@ -222,7 +231,7 @@ func _HandlerService_RemoveOutbound_Handler(srv interface{}, ctx context.Context
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/xray.app.proxyman.command.HandlerService/RemoveOutbound",
+		FullMethod: HandlerService_RemoveOutbound_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HandlerServiceServer).RemoveOutbound(ctx, req.(*RemoveOutboundRequest))
@@ -240,7 +249,7 @@ func _HandlerService_AlterOutbound_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/xray.app.proxyman.command.HandlerService/AlterOutbound",
+		FullMethod: HandlerService_AlterOutbound_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HandlerServiceServer).AlterOutbound(ctx, req.(*AlterOutboundRequest))

app/proxyman/config.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: app/proxyman/config.proto
 
 package proxyman
@@ -326,7 +326,7 @@ type ReceiverConfig struct {
 	// Override domains for the given protocol.
 	// Deprecated. Use sniffing_settings.
 	//
-	// Deprecated: Do not use.
+	// Deprecated: Marked as deprecated in app/proxyman/config.proto.
 	DomainOverride   []KnownProtocols `protobuf:"varint,7,rep,packed,name=domain_override,json=domainOverride,proto3,enum=xray.app.proxyman.KnownProtocols" json:"domain_override,omitempty"`
 	SniffingSettings *SniffingConfig  `protobuf:"bytes,8,opt,name=sniffing_settings,json=sniffingSettings,proto3" json:"sniffing_settings,omitempty"`
 }
@@ -398,7 +398,7 @@ func (x *ReceiverConfig) GetReceiveOriginalDestination() bool {
 	return false
 }
 
-// Deprecated: Do not use.
+// Deprecated: Marked as deprecated in app/proxyman/config.proto.
 func (x *ReceiverConfig) GetDomainOverride() []KnownProtocols {
 	if x != nil {
 		return x.DomainOverride
@@ -594,7 +594,11 @@ type MultiplexingConfig struct {
 	// Whether or not Mux is enabled.
 	Enabled bool `protobuf:"varint,1,opt,name=enabled,proto3" json:"enabled,omitempty"`
 	// Max number of concurrent connections that one Mux connection can handle.
-	Concurrency uint32 `protobuf:"varint,2,opt,name=concurrency,proto3" json:"concurrency,omitempty"`
+	Concurrency int32 `protobuf:"varint,2,opt,name=concurrency,proto3" json:"concurrency,omitempty"`
+	// Transport XUDP in another Mux.
+	XudpConcurrency int32 `protobuf:"varint,3,opt,name=xudpConcurrency,proto3" json:"xudpConcurrency,omitempty"`
+	// "reject" (default), "allow" or "skip".
+	XudpProxyUDP443 string `protobuf:"bytes,4,opt,name=xudpProxyUDP443,proto3" json:"xudpProxyUDP443,omitempty"`
 }
 
 func (x *MultiplexingConfig) Reset() {
@@ -636,13 +640,27 @@ func (x *MultiplexingConfig) GetEnabled() bool {
 	return false
 }
 
-func (x *MultiplexingConfig) GetConcurrency() uint32 {
+func (x *MultiplexingConfig) GetConcurrency() int32 {
 	if x != nil {
 		return x.Concurrency
 	}
 	return 0
 }
 
+func (x *MultiplexingConfig) GetXudpConcurrency() int32 {
+	if x != nil {
+		return x.XudpConcurrency
+	}
+	return 0
+}
+
+func (x *MultiplexingConfig) GetXudpProxyUDP443() string {
+	if x != nil {
+		return x.XudpProxyUDP443
+	}
+	return ""
+}
+
 type AllocationStrategy_AllocationStrategyConcurrency struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -856,21 +874,26 @@ var file_app_proxyman_config_proto_rawDesc = []byte{
 	0x28, 0x0b, 0x32, 0x25, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x70, 0x72,
 	0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0x2e, 0x4d, 0x75, 0x6c, 0x74, 0x69, 0x70, 0x6c, 0x65, 0x78,
 	0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x11, 0x6d, 0x75, 0x6c, 0x74, 0x69,
-	0x70, 0x6c, 0x65, 0x78, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x22, 0x50, 0x0a, 0x12,
-	0x4d, 0x75, 0x6c, 0x74, 0x69, 0x70, 0x6c, 0x65, 0x78, 0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6e, 0x66,
-	0x69, 0x67, 0x12, 0x18, 0x0a, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x01, 0x20,
-	0x01, 0x28, 0x08, 0x52, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x20, 0x0a, 0x0b,
-	0x63, 0x6f, 0x6e, 0x63, 0x75, 0x72, 0x72, 0x65, 0x6e, 0x63, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x0d, 0x52, 0x0b, 0x63, 0x6f, 0x6e, 0x63, 0x75, 0x72, 0x72, 0x65, 0x6e, 0x63, 0x79, 0x2a, 0x23,
-	0x0a, 0x0e, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x73,
-	0x12, 0x08, 0x0a, 0x04, 0x48, 0x54, 0x54, 0x50, 0x10, 0x00, 0x12, 0x07, 0x0a, 0x03, 0x54, 0x4c,
-	0x53, 0x10, 0x01, 0x42, 0x55, 0x0a, 0x15, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e,
-	0x61, 0x70, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0x50, 0x01, 0x5a, 0x26,
-	0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f,
-	0x78, 0x72, 0x61, 0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x61, 0x70, 0x70, 0x2f, 0x70, 0x72,
-	0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0xaa, 0x02, 0x11, 0x58, 0x72, 0x61, 0x79, 0x2e, 0x41, 0x70,
-	0x70, 0x2e, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x33,
+	0x70, 0x6c, 0x65, 0x78, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x22, 0xa4, 0x01, 0x0a,
+	0x12, 0x4d, 0x75, 0x6c, 0x74, 0x69, 0x70, 0x6c, 0x65, 0x78, 0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6e,
+	0x66, 0x69, 0x67, 0x12, 0x18, 0x0a, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x20, 0x0a,
+	0x0b, 0x63, 0x6f, 0x6e, 0x63, 0x75, 0x72, 0x72, 0x65, 0x6e, 0x63, 0x79, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x05, 0x52, 0x0b, 0x63, 0x6f, 0x6e, 0x63, 0x75, 0x72, 0x72, 0x65, 0x6e, 0x63, 0x79, 0x12,
+	0x28, 0x0a, 0x0f, 0x78, 0x75, 0x64, 0x70, 0x43, 0x6f, 0x6e, 0x63, 0x75, 0x72, 0x72, 0x65, 0x6e,
+	0x63, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0f, 0x78, 0x75, 0x64, 0x70, 0x43, 0x6f,
+	0x6e, 0x63, 0x75, 0x72, 0x72, 0x65, 0x6e, 0x63, 0x79, 0x12, 0x28, 0x0a, 0x0f, 0x78, 0x75, 0x64,
+	0x70, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x55, 0x44, 0x50, 0x34, 0x34, 0x33, 0x18, 0x04, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x0f, 0x78, 0x75, 0x64, 0x70, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x55, 0x44, 0x50,
+	0x34, 0x34, 0x33, 0x2a, 0x23, 0x0a, 0x0e, 0x4b, 0x6e, 0x6f, 0x77, 0x6e, 0x50, 0x72, 0x6f, 0x74,
+	0x6f, 0x63, 0x6f, 0x6c, 0x73, 0x12, 0x08, 0x0a, 0x04, 0x48, 0x54, 0x54, 0x50, 0x10, 0x00, 0x12,
+	0x07, 0x0a, 0x03, 0x54, 0x4c, 0x53, 0x10, 0x01, 0x42, 0x55, 0x0a, 0x15, 0x63, 0x6f, 0x6d, 0x2e,
+	0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x6d, 0x61,
+	0x6e, 0x50, 0x01, 0x5a, 0x26, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
+	0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61, 0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x61,
+	0x70, 0x70, 0x2f, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0xaa, 0x02, 0x11, 0x58, 0x72,
+	0x61, 0x79, 0x2e, 0x41, 0x70, 0x70, 0x2e, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x6d, 0x61, 0x6e, 0x62,
+	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (

app/proxyman/config.proto

@@ -97,5 +97,9 @@ message MultiplexingConfig {
   // Whether or not Mux is enabled.
   bool enabled = 1;
   // Max number of concurrent connections that one Mux connection can handle.
-  uint32 concurrency = 2;
+  int32 concurrency = 2;
+  // Transport XUDP in another Mux.
+  int32 xudpConcurrency = 3;
+  // "reject" (default), "allow" or "skip".
+  string xudpProxyUDP443 = 4;
 }

app/proxyman/inbound/worker.go

@@ -362,7 +362,7 @@ func (w *udpWorker) clean() error {
 	}
 
 	for addr, conn := range w.activeConn {
-		if nowSec-atomic.LoadInt64(&conn.lastActivityTime) > 5*60 { // TODO Timeout too small
+		if nowSec-atomic.LoadInt64(&conn.lastActivityTime) > 2*60 {
 			if !conn.inactive {
 				conn.setInactive()
 				delete(w.activeConn, addr)

app/proxyman/outbound/handler.go

@@ -57,6 +57,8 @@ type Handler struct {
 	proxy           proxy.Outbound
 	outboundManager outbound.Manager
 	mux             *mux.ClientManager
+	xudp            *mux.ClientManager
+	udp443          string
 	uplinkCounter   stats.Counter
 	downlinkCounter stats.Counter
 }
@@ -106,22 +108,50 @@ func NewHandler(ctx context.Context, config *core.OutboundHandlerConfig) (outbou
 	}
 
 	if h.senderSettings != nil && h.senderSettings.MultiplexSettings != nil {
-		config := h.senderSettings.MultiplexSettings
-		if config.Concurrency < 1 || config.Concurrency > 1024 {
-			return nil, newError("invalid mux concurrency: ", config.Concurrency).AtWarning()
-		}
-		h.mux = &mux.ClientManager{
-			Enabled: h.senderSettings.MultiplexSettings.Enabled,
-			Picker: &mux.IncrementalWorkerPicker{
-				Factory: &mux.DialingWorkerFactory{
-					Proxy:  proxyHandler,
-					Dialer: h,
-					Strategy: mux.ClientStrategy{
-						MaxConcurrency: config.Concurrency,
-						MaxConnection:  128,
+		if config := h.senderSettings.MultiplexSettings; config.Enabled {
+			if config.Concurrency < 0 {
+				h.mux = &mux.ClientManager{Enabled: false}
+			}
+			if config.Concurrency == 0 {
+				config.Concurrency = 8 // same as before
+			}
+			if config.Concurrency > 0 {
+				h.mux = &mux.ClientManager{
+					Enabled: true,
+					Picker: &mux.IncrementalWorkerPicker{
+						Factory: &mux.DialingWorkerFactory{
+							Proxy:  proxyHandler,
+							Dialer: h,
+							Strategy: mux.ClientStrategy{
+								MaxConcurrency: uint32(config.Concurrency),
+								MaxConnection:  128,
+							},
+						},
 					},
-				},
-			},
+				}
+			}
+			if config.XudpConcurrency < 0 {
+				h.xudp = &mux.ClientManager{Enabled: false}
+			}
+			if config.XudpConcurrency == 0 {
+				h.xudp = nil // same as before
+			}
+			if config.XudpConcurrency > 0 {
+				h.xudp = &mux.ClientManager{
+					Enabled: true,
+					Picker: &mux.IncrementalWorkerPicker{
+						Factory: &mux.DialingWorkerFactory{
+							Proxy:  proxyHandler,
+							Dialer: h,
+							Strategy: mux.ClientStrategy{
+								MaxConcurrency: uint32(config.XudpConcurrency),
+								MaxConnection:  128,
+							},
+						},
+					},
+				}
+			}
+			h.udp443 = config.XudpProxyUDP443
 		}
 	}
 
@@ -136,31 +166,54 @@ func (h *Handler) Tag() string {
 
 // Dispatch implements proxy.Outbound.Dispatch.
 func (h *Handler) Dispatch(ctx context.Context, link *transport.Link) {
-	if h.mux != nil && (h.mux.Enabled || session.MuxPreferedFromContext(ctx)) {
-		if err := h.mux.Dispatch(ctx, link); err != nil {
-			err := newError("failed to process mux outbound traffic").Base(err)
-			session.SubmitOutboundErrorToOriginator(ctx, err)
-			err.WriteToLog(session.ExportIDToError(ctx))
-			common.Interrupt(link.Writer)
-		}
-	} else {
-		err := h.proxy.Process(ctx, link, h)
-		if err != nil {
-			if errors.Is(err, io.EOF) || errors.Is(err, io.ErrClosedPipe) || errors.Is(err, context.Canceled) {
-				err = nil
+	if h.mux != nil {
+		test := func(err error) {
+			if err != nil {
+				err := newError("failed to process mux outbound traffic").Base(err)
+				session.SubmitOutboundErrorToOriginator(ctx, err)
+				err.WriteToLog(session.ExportIDToError(ctx))
+				common.Interrupt(link.Writer)
 			}
 		}
-		if err != nil {
-			// Ensure outbound ray is properly closed.
-			err := newError("failed to process outbound traffic").Base(err)
-			session.SubmitOutboundErrorToOriginator(ctx, err)
-			err.WriteToLog(session.ExportIDToError(ctx))
-			common.Interrupt(link.Writer)
-		} else {
-			common.Must(common.Close(link.Writer))
+		outbound := session.OutboundFromContext(ctx)
+		if outbound.Target.Network == net.Network_UDP && outbound.Target.Port == 443 {
+			switch h.udp443 {
+			case "reject":
+				test(newError("XUDP rejected UDP/443 traffic").AtInfo())
+				return
+			case "skip":
+				goto out
+			}
+		}
+		if h.xudp != nil && outbound.Target.Network == net.Network_UDP {
+			if !h.xudp.Enabled {
+				goto out
+			}
+			test(h.xudp.Dispatch(ctx, link))
+			return
+		}
+		if h.mux.Enabled {
+			test(h.mux.Dispatch(ctx, link))
+			return
 		}
-		common.Interrupt(link.Reader)
 	}
+out:
+	err := h.proxy.Process(ctx, link, h)
+	if err != nil {
+		if errors.Is(err, io.EOF) || errors.Is(err, io.ErrClosedPipe) || errors.Is(err, context.Canceled) {
+			err = nil
+		}
+	}
+	if err != nil {
+		// Ensure outbound ray is properly closed.
+		err := newError("failed to process outbound traffic").Base(err)
+		session.SubmitOutboundErrorToOriginator(ctx, err)
+		err.WriteToLog(session.ExportIDToError(ctx))
+		common.Interrupt(link.Writer)
+	} else {
+		common.Close(link.Writer)
+	}
+	common.Interrupt(link.Reader)
 }
 
 // Address implements internet.Dialer.

app/proxyman/outbound/uot.go

@@ -11,13 +11,21 @@ import (
 )
 
 func (h *Handler) getUoTConnection(ctx context.Context, dest net.Destination) (stat.Connection, error) {
-	if !dest.Address.Family().IsDomain() || dest.Address.Domain() != uot.UOTMagicAddress {
+	if !dest.Address.Family().IsDomain() {
+		return nil, os.ErrInvalid
+	}
+	var uotVersion int
+	if dest.Address.Domain() == uot.MagicAddress {
+		uotVersion = uot.Version
+	} else if dest.Address.Domain() == uot.LegacyMagicAddress {
+		uotVersion = uot.LegacyVersion
+	} else {
 		return nil, os.ErrInvalid
 	}
 	packetConn, err := internet.ListenSystemPacket(ctx, &net.UDPAddr{IP: net.AnyIP.IP(), Port: 0}, h.streamSettings.SocketSettings)
 	if err != nil {
 		return nil, newError("unable to listen socket").Base(err)
 	}
-	conn := uot.NewServerConn(packetConn)
+	conn := uot.NewServerConn(packetConn, uotVersion)
 	return h.getStatCouterConnection(conn), nil
 }

app/reverse/config.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: app/reverse/config.proto
 
 package reverse

app/router/command/command.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: app/router/command/command.proto
 
 package command

app/router/command/command_grpc.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.2.0
-// - protoc             v3.21.12
+// - protoc-gen-go-grpc v1.3.0
+// - protoc             v4.23.1
 // source: app/router/command/command.proto
 
 package command
@@ -18,6 +18,11 @@ import (
 // Requires gRPC-Go v1.32.0 or later.
 const _ = grpc.SupportPackageIsVersion7
 
+const (
+	RoutingService_SubscribeRoutingStats_FullMethodName = "/xray.app.router.command.RoutingService/SubscribeRoutingStats"
+	RoutingService_TestRoute_FullMethodName             = "/xray.app.router.command.RoutingService/TestRoute"
+)
+
 // RoutingServiceClient is the client API for RoutingService service.
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
@@ -35,7 +40,7 @@ func NewRoutingServiceClient(cc grpc.ClientConnInterface) RoutingServiceClient {
 }
 
 func (c *routingServiceClient) SubscribeRoutingStats(ctx context.Context, in *SubscribeRoutingStatsRequest, opts ...grpc.CallOption) (RoutingService_SubscribeRoutingStatsClient, error) {
-	stream, err := c.cc.NewStream(ctx, &RoutingService_ServiceDesc.Streams[0], "/xray.app.router.command.RoutingService/SubscribeRoutingStats", opts...)
+	stream, err := c.cc.NewStream(ctx, &RoutingService_ServiceDesc.Streams[0], RoutingService_SubscribeRoutingStats_FullMethodName, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -68,7 +73,7 @@ func (x *routingServiceSubscribeRoutingStatsClient) Recv() (*RoutingContext, err
 
 func (c *routingServiceClient) TestRoute(ctx context.Context, in *TestRouteRequest, opts ...grpc.CallOption) (*RoutingContext, error) {
 	out := new(RoutingContext)
-	err := c.cc.Invoke(ctx, "/xray.app.router.command.RoutingService/TestRoute", in, out, opts...)
+	err := c.cc.Invoke(ctx, RoutingService_TestRoute_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -138,7 +143,7 @@ func _RoutingService_TestRoute_Handler(srv interface{}, ctx context.Context, dec
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/xray.app.router.command.RoutingService/TestRoute",
+		FullMethod: RoutingService_TestRoute_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(RoutingServiceServer).TestRoute(ctx, req.(*TestRouteRequest))

app/router/condition.go

@@ -6,8 +6,6 @@ import (
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/strmatcher"
 	"github.com/xtls/xray-core/features/routing"
-	"go.starlark.net/starlark"
-	"go.starlark.net/syntax"
 )
 
 type Condition interface {
@@ -284,44 +282,22 @@ func (m *ProtocolMatcher) Apply(ctx routing.Context) bool {
 }
 
 type AttributeMatcher struct {
-	program *starlark.Program
-}
-
-func NewAttributeMatcher(code string) (*AttributeMatcher, error) {
-	starFile, err := syntax.Parse("attr.star", "satisfied=("+code+")", 0)
-	if err != nil {
-		return nil, newError("attr rule").Base(err)
-	}
-	p, err := starlark.FileProgram(starFile, func(name string) bool {
-		return name == "attrs"
-	})
-	if err != nil {
-		return nil, err
-	}
-	return &AttributeMatcher{
-		program: p,
-	}, nil
+	configuredKeys map[string]string
 }
 
 // Match implements attributes matching.
 func (m *AttributeMatcher) Match(attrs map[string]string) bool {
-	attrsDict := new(starlark.Dict)
+	// headers are insensitive most likely. So we do a convert
+	httpHeaders := make(map[string]string)
 	for key, value := range attrs {
-		attrsDict.SetKey(starlark.String(key), starlark.String(value))
+		httpHeaders[strings.ToLower(key)] = strings.ToLower(value)
 	}
-
-	predefined := make(starlark.StringDict)
-	predefined["attrs"] = attrsDict
-
-	thread := &starlark.Thread{
-		Name: "matcher",
+	for key, value := range m.configuredKeys {
+		if a, ok := httpHeaders[key]; !ok || !strings.Contains(a, value) {
+			return false
+		}
 	}
-	results, err := m.program.Init(thread, predefined)
-	if err != nil {
-		newError("attr matcher").Base(err).WriteToLog()
-	}
-	satisfied := results["satisfied"]
-	return satisfied != nil && bool(satisfied.Truth())
+	return true
 }
 
 // Apply implements Condition.

app/router/condition_test.go

@@ -307,8 +307,10 @@ func TestRoutingRule(t *testing.T) {
 		},
 		{
 			rule: &RoutingRule{
-				Protocol:   []string{"http"},
-				Attributes: "attrs[':path'].startswith('/test')",
+				Protocol: []string{"http"},
+				Attributes: map[string]string{
+					":path": "/test",
+				},
 			},
 			test: []ruleTest{
 				{

app/router/config.go

@@ -1,6 +1,8 @@
 package router
 
 import (
+	"strings"
+
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/features/outbound"
 	"github.com/xtls/xray-core/features/routing"
@@ -143,11 +145,11 @@ func (rr *RoutingRule) BuildCondition() (Condition, error) {
 	}
 
 	if len(rr.Attributes) > 0 {
-		cond, err := NewAttributeMatcher(rr.Attributes)
-		if err != nil {
-			return nil, err
+		configuredKeys := make(map[string]string)
+		for key, value := range rr.Attributes {
+			configuredKeys[strings.ToLower(key)] = strings.ToLower(value)
 		}
-		conds.Add(cond)
+		conds.Add(&AttributeMatcher{configuredKeys})
 	}
 
 	if conds.Len() == 0 {

app/router/config.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: app/router/config.proto
 
 package router
@@ -486,7 +486,7 @@ type RoutingRule struct {
 	// List of CIDRs for target IP address matching.
 	// Deprecated. Use geoip below.
 	//
-	// Deprecated: Do not use.
+	// Deprecated: Marked as deprecated in app/router/config.proto.
 	Cidr []*CIDR `protobuf:"bytes,3,rep,name=cidr,proto3" json:"cidr,omitempty"`
 	// List of GeoIPs for target IP address matching. If this entry exists, the
 	// cidr above will have no effect. GeoIP fields with the same country code are
@@ -496,30 +496,30 @@ type RoutingRule struct {
 	// A range of port [from, to]. If the destination port is in this range, this
 	// rule takes effect. Deprecated. Use port_list.
 	//
-	// Deprecated: Do not use.
+	// Deprecated: Marked as deprecated in app/router/config.proto.
 	PortRange *net.PortRange `protobuf:"bytes,4,opt,name=port_range,json=portRange,proto3" json:"port_range,omitempty"`
 	// List of ports.
 	PortList *net.PortList `protobuf:"bytes,14,opt,name=port_list,json=portList,proto3" json:"port_list,omitempty"`
 	// List of networks. Deprecated. Use networks.
 	//
-	// Deprecated: Do not use.
+	// Deprecated: Marked as deprecated in app/router/config.proto.
 	NetworkList *net.NetworkList `protobuf:"bytes,5,opt,name=network_list,json=networkList,proto3" json:"network_list,omitempty"`
 	// List of networks for matching.
 	Networks []net.Network `protobuf:"varint,13,rep,packed,name=networks,proto3,enum=xray.common.net.Network" json:"networks,omitempty"`
 	// List of CIDRs for source IP address matching.
 	//
-	// Deprecated: Do not use.
+	// Deprecated: Marked as deprecated in app/router/config.proto.
 	SourceCidr []*CIDR `protobuf:"bytes,6,rep,name=source_cidr,json=sourceCidr,proto3" json:"source_cidr,omitempty"`
 	// List of GeoIPs for source IP address matching. If this entry exists, the
 	// source_cidr above will have no effect.
 	SourceGeoip []*GeoIP `protobuf:"bytes,11,rep,name=source_geoip,json=sourceGeoip,proto3" json:"source_geoip,omitempty"`
 	// List of ports for source port matching.
-	SourcePortList *net.PortList `protobuf:"bytes,16,opt,name=source_port_list,json=sourcePortList,proto3" json:"source_port_list,omitempty"`
-	UserEmail      []string      `protobuf:"bytes,7,rep,name=user_email,json=userEmail,proto3" json:"user_email,omitempty"`
-	InboundTag     []string      `protobuf:"bytes,8,rep,name=inbound_tag,json=inboundTag,proto3" json:"inbound_tag,omitempty"`
-	Protocol       []string      `protobuf:"bytes,9,rep,name=protocol,proto3" json:"protocol,omitempty"`
-	Attributes     string        `protobuf:"bytes,15,opt,name=attributes,proto3" json:"attributes,omitempty"`
-	DomainMatcher  string        `protobuf:"bytes,17,opt,name=domain_matcher,json=domainMatcher,proto3" json:"domain_matcher,omitempty"`
+	SourcePortList *net.PortList     `protobuf:"bytes,16,opt,name=source_port_list,json=sourcePortList,proto3" json:"source_port_list,omitempty"`
+	UserEmail      []string          `protobuf:"bytes,7,rep,name=user_email,json=userEmail,proto3" json:"user_email,omitempty"`
+	InboundTag     []string          `protobuf:"bytes,8,rep,name=inbound_tag,json=inboundTag,proto3" json:"inbound_tag,omitempty"`
+	Protocol       []string          `protobuf:"bytes,9,rep,name=protocol,proto3" json:"protocol,omitempty"`
+	Attributes     map[string]string `protobuf:"bytes,15,rep,name=attributes,proto3" json:"attributes,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	DomainMatcher  string            `protobuf:"bytes,17,opt,name=domain_matcher,json=domainMatcher,proto3" json:"domain_matcher,omitempty"`
 }
 
 func (x *RoutingRule) Reset() {
@@ -582,7 +582,7 @@ func (x *RoutingRule) GetDomain() []*Domain {
 	return nil
 }
 
-// Deprecated: Do not use.
+// Deprecated: Marked as deprecated in app/router/config.proto.
 func (x *RoutingRule) GetCidr() []*CIDR {
 	if x != nil {
 		return x.Cidr
@@ -597,7 +597,7 @@ func (x *RoutingRule) GetGeoip() []*GeoIP {
 	return nil
 }
 
-// Deprecated: Do not use.
+// Deprecated: Marked as deprecated in app/router/config.proto.
 func (x *RoutingRule) GetPortRange() *net.PortRange {
 	if x != nil {
 		return x.PortRange
@@ -612,7 +612,7 @@ func (x *RoutingRule) GetPortList() *net.PortList {
 	return nil
 }
 
-// Deprecated: Do not use.
+// Deprecated: Marked as deprecated in app/router/config.proto.
 func (x *RoutingRule) GetNetworkList() *net.NetworkList {
 	if x != nil {
 		return x.NetworkList
@@ -627,7 +627,7 @@ func (x *RoutingRule) GetNetworks() []net.Network {
 	return nil
 }
 
-// Deprecated: Do not use.
+// Deprecated: Marked as deprecated in app/router/config.proto.
 func (x *RoutingRule) GetSourceCidr() []*CIDR {
 	if x != nil {
 		return x.SourceCidr
@@ -670,11 +670,11 @@ func (x *RoutingRule) GetProtocol() []string {
 	return nil
 }
 
-func (x *RoutingRule) GetAttributes() string {
+func (x *RoutingRule) GetAttributes() map[string]string {
 	if x != nil {
 		return x.Attributes
 	}
-	return ""
+	return nil
 }
 
 func (x *RoutingRule) GetDomainMatcher() string {
@@ -969,7 +969,7 @@ var file_app_router_config_proto_rawDesc = []byte{
 	0x74, 0x65, 0x4c, 0x69, 0x73, 0x74, 0x12, 0x2e, 0x0a, 0x05, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x18,
 	0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70,
 	0x2e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x2e, 0x47, 0x65, 0x6f, 0x53, 0x69, 0x74, 0x65, 0x52,
-	0x05, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x22, 0xb5, 0x06, 0x0a, 0x0b, 0x52, 0x6f, 0x75, 0x74, 0x69,
+	0x05, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x22, 0xa2, 0x07, 0x0a, 0x0b, 0x52, 0x6f, 0x75, 0x74, 0x69,
 	0x6e, 0x67, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x12, 0x0a, 0x03, 0x74, 0x61, 0x67, 0x18, 0x01, 0x20,
 	0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x03, 0x74, 0x61, 0x67, 0x12, 0x25, 0x0a, 0x0d, 0x62, 0x61,
 	0x6c, 0x61, 0x6e, 0x63, 0x69, 0x6e, 0x67, 0x5f, 0x74, 0x61, 0x67, 0x18, 0x0c, 0x20, 0x01, 0x28,
@@ -1015,43 +1015,49 @@ var file_app_router_config_proto_rawDesc = []byte{
 	0x69, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x5f, 0x74, 0x61, 0x67, 0x18, 0x08, 0x20, 0x03, 0x28,
 	0x09, 0x52, 0x0a, 0x69, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x54, 0x61, 0x67, 0x12, 0x1a, 0x0a,
 	0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x09, 0x20, 0x03, 0x28, 0x09, 0x52,
-	0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x1e, 0x0a, 0x0a, 0x61, 0x74, 0x74,
-	0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x18, 0x0f, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x61,
-	0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x64, 0x6f, 0x6d,
-	0x61, 0x69, 0x6e, 0x5f, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x72, 0x18, 0x11, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x0d, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x72,
-	0x42, 0x0c, 0x0a, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x74, 0x61, 0x67, 0x22, 0x6a,
-	0x0a, 0x0d, 0x42, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x69, 0x6e, 0x67, 0x52, 0x75, 0x6c, 0x65, 0x12,
-	0x10, 0x0a, 0x03, 0x74, 0x61, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x74, 0x61,
-	0x67, 0x12, 0x2b, 0x0a, 0x11, 0x6f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x5f, 0x73, 0x65,
-	0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x10, 0x6f, 0x75,
-	0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x1a,
-	0x0a, 0x08, 0x73, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x08, 0x73, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x22, 0x9b, 0x02, 0x0a, 0x06, 0x43,
-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x4f, 0x0a, 0x0f, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x5f,
-	0x73, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x26,
-	0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72,
-	0x2e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x53, 0x74,
-	0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x52, 0x0e, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x53, 0x74,
-	0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x12, 0x30, 0x0a, 0x04, 0x72, 0x75, 0x6c, 0x65, 0x18, 0x02,
-	0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e,
-	0x72, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x69, 0x6e, 0x67, 0x52, 0x75,
-	0x6c, 0x65, 0x52, 0x04, 0x72, 0x75, 0x6c, 0x65, 0x12, 0x45, 0x0a, 0x0e, 0x62, 0x61, 0x6c, 0x61,
-	0x6e, 0x63, 0x69, 0x6e, 0x67, 0x5f, 0x72, 0x75, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b,
-	0x32, 0x1e, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x72, 0x6f, 0x75, 0x74,
-	0x65, 0x72, 0x2e, 0x42, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x69, 0x6e, 0x67, 0x52, 0x75, 0x6c, 0x65,
-	0x52, 0x0d, 0x62, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x69, 0x6e, 0x67, 0x52, 0x75, 0x6c, 0x65, 0x22,
-	0x47, 0x0a, 0x0e, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67,
-	0x79, 0x12, 0x08, 0x0a, 0x04, 0x41, 0x73, 0x49, 0x73, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x55,
-	0x73, 0x65, 0x49, 0x70, 0x10, 0x01, 0x12, 0x10, 0x0a, 0x0c, 0x49, 0x70, 0x49, 0x66, 0x4e, 0x6f,
-	0x6e, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x10, 0x02, 0x12, 0x0e, 0x0a, 0x0a, 0x49, 0x70, 0x4f, 0x6e,
-	0x44, 0x65, 0x6d, 0x61, 0x6e, 0x64, 0x10, 0x03, 0x42, 0x4f, 0x0a, 0x13, 0x63, 0x6f, 0x6d, 0x2e,
-	0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x50,
-	0x01, 0x5a, 0x24, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78, 0x74,
-	0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61, 0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x61, 0x70, 0x70,
-	0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72, 0xaa, 0x02, 0x0f, 0x58, 0x72, 0x61, 0x79, 0x2e, 0x41,
-	0x70, 0x70, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x33,
+	0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x4c, 0x0a, 0x0a, 0x61, 0x74, 0x74,
+	0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x18, 0x0f, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2c, 0x2e,
+	0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x2e,
+	0x52, 0x6f, 0x75, 0x74, 0x69, 0x6e, 0x67, 0x52, 0x75, 0x6c, 0x65, 0x2e, 0x41, 0x74, 0x74, 0x72,
+	0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0a, 0x61, 0x74, 0x74,
+	0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x64, 0x6f, 0x6d, 0x61, 0x69,
+	0x6e, 0x5f, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x72, 0x18, 0x11, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x0d, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x65, 0x72, 0x1a, 0x3d,
+	0x0a, 0x0f, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72,
+	0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03,
+	0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x0c, 0x0a,
+	0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x74, 0x61, 0x67, 0x22, 0x6a, 0x0a, 0x0d, 0x42,
+	0x61, 0x6c, 0x61, 0x6e, 0x63, 0x69, 0x6e, 0x67, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x10, 0x0a, 0x03,
+	0x74, 0x61, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x74, 0x61, 0x67, 0x12, 0x2b,
+	0x0a, 0x11, 0x6f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x5f, 0x73, 0x65, 0x6c, 0x65, 0x63,
+	0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x10, 0x6f, 0x75, 0x74, 0x62, 0x6f,
+	0x75, 0x6e, 0x64, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x1a, 0x0a, 0x08, 0x73,
+	0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x73,
+	0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x22, 0x9b, 0x02, 0x0a, 0x06, 0x43, 0x6f, 0x6e, 0x66,
+	0x69, 0x67, 0x12, 0x4f, 0x0a, 0x0f, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x5f, 0x73, 0x74, 0x72,
+	0x61, 0x74, 0x65, 0x67, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x26, 0x2e, 0x78, 0x72,
+	0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x2e, 0x43, 0x6f,
+	0x6e, 0x66, 0x69, 0x67, 0x2e, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x53, 0x74, 0x72, 0x61, 0x74,
+	0x65, 0x67, 0x79, 0x52, 0x0e, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x53, 0x74, 0x72, 0x61, 0x74,
+	0x65, 0x67, 0x79, 0x12, 0x30, 0x0a, 0x04, 0x72, 0x75, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x03, 0x28,
+	0x0b, 0x32, 0x1c, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x72, 0x6f, 0x75,
+	0x74, 0x65, 0x72, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x69, 0x6e, 0x67, 0x52, 0x75, 0x6c, 0x65, 0x52,
+	0x04, 0x72, 0x75, 0x6c, 0x65, 0x12, 0x45, 0x0a, 0x0e, 0x62, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x69,
+	0x6e, 0x67, 0x5f, 0x72, 0x75, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1e, 0x2e,
+	0x78, 0x72, 0x61, 0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x2e,
+	0x42, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x69, 0x6e, 0x67, 0x52, 0x75, 0x6c, 0x65, 0x52, 0x0d, 0x62,
+	0x61, 0x6c, 0x61, 0x6e, 0x63, 0x69, 0x6e, 0x67, 0x52, 0x75, 0x6c, 0x65, 0x22, 0x47, 0x0a, 0x0e,
+	0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x12, 0x08,
+	0x0a, 0x04, 0x41, 0x73, 0x49, 0x73, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x55, 0x73, 0x65, 0x49,
+	0x70, 0x10, 0x01, 0x12, 0x10, 0x0a, 0x0c, 0x49, 0x70, 0x49, 0x66, 0x4e, 0x6f, 0x6e, 0x4d, 0x61,
+	0x74, 0x63, 0x68, 0x10, 0x02, 0x12, 0x0e, 0x0a, 0x0a, 0x49, 0x70, 0x4f, 0x6e, 0x44, 0x65, 0x6d,
+	0x61, 0x6e, 0x64, 0x10, 0x03, 0x42, 0x4f, 0x0a, 0x13, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61,
+	0x79, 0x2e, 0x61, 0x70, 0x70, 0x2e, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x50, 0x01, 0x5a, 0x24,
+	0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f,
+	0x78, 0x72, 0x61, 0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x61, 0x70, 0x70, 0x2f, 0x72, 0x6f,
+	0x75, 0x74, 0x65, 0x72, 0xaa, 0x02, 0x0f, 0x58, 0x72, 0x61, 0x79, 0x2e, 0x41, 0x70, 0x70, 0x2e,
+	0x52, 0x6f, 0x75, 0x74, 0x65, 0x72, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
@@ -1067,7 +1073,7 @@ func file_app_router_config_proto_rawDescGZIP() []byte {
 }
 
 var file_app_router_config_proto_enumTypes = make([]protoimpl.EnumInfo, 2)
-var file_app_router_config_proto_msgTypes = make([]protoimpl.MessageInfo, 10)
+var file_app_router_config_proto_msgTypes = make([]protoimpl.MessageInfo, 11)
 var file_app_router_config_proto_goTypes = []interface{}{
 	(Domain_Type)(0),           // 0: xray.app.router.Domain.Type
 	(Config_DomainStrategy)(0), // 1: xray.app.router.Config.DomainStrategy
@@ -1081,10 +1087,11 @@ var file_app_router_config_proto_goTypes = []interface{}{
 	(*BalancingRule)(nil),      // 9: xray.app.router.BalancingRule
 	(*Config)(nil),             // 10: xray.app.router.Config
 	(*Domain_Attribute)(nil),   // 11: xray.app.router.Domain.Attribute
-	(*net.PortRange)(nil),      // 12: xray.common.net.PortRange
-	(*net.PortList)(nil),       // 13: xray.common.net.PortList
-	(*net.NetworkList)(nil),    // 14: xray.common.net.NetworkList
-	(net.Network)(0),           // 15: xray.common.net.Network
+	nil,                        // 12: xray.app.router.RoutingRule.AttributesEntry
+	(*net.PortRange)(nil),      // 13: xray.common.net.PortRange
+	(*net.PortList)(nil),       // 14: xray.common.net.PortList
+	(*net.NetworkList)(nil),    // 15: xray.common.net.NetworkList
+	(net.Network)(0),           // 16: xray.common.net.Network
 }
 var file_app_router_config_proto_depIdxs = []int32{
 	0,  // 0: xray.app.router.Domain.type:type_name -> xray.app.router.Domain.Type
@@ -1096,21 +1103,22 @@ var file_app_router_config_proto_depIdxs = []int32{
 	2,  // 6: xray.app.router.RoutingRule.domain:type_name -> xray.app.router.Domain
 	3,  // 7: xray.app.router.RoutingRule.cidr:type_name -> xray.app.router.CIDR
 	4,  // 8: xray.app.router.RoutingRule.geoip:type_name -> xray.app.router.GeoIP
-	12, // 9: xray.app.router.RoutingRule.port_range:type_name -> xray.common.net.PortRange
-	13, // 10: xray.app.router.RoutingRule.port_list:type_name -> xray.common.net.PortList
-	14, // 11: xray.app.router.RoutingRule.network_list:type_name -> xray.common.net.NetworkList
-	15, // 12: xray.app.router.RoutingRule.networks:type_name -> xray.common.net.Network
+	13, // 9: xray.app.router.RoutingRule.port_range:type_name -> xray.common.net.PortRange
+	14, // 10: xray.app.router.RoutingRule.port_list:type_name -> xray.common.net.PortList
+	15, // 11: xray.app.router.RoutingRule.network_list:type_name -> xray.common.net.NetworkList
+	16, // 12: xray.app.router.RoutingRule.networks:type_name -> xray.common.net.Network
 	3,  // 13: xray.app.router.RoutingRule.source_cidr:type_name -> xray.app.router.CIDR
 	4,  // 14: xray.app.router.RoutingRule.source_geoip:type_name -> xray.app.router.GeoIP
-	13, // 15: xray.app.router.RoutingRule.source_port_list:type_name -> xray.common.net.PortList
-	1,  // 16: xray.app.router.Config.domain_strategy:type_name -> xray.app.router.Config.DomainStrategy
-	8,  // 17: xray.app.router.Config.rule:type_name -> xray.app.router.RoutingRule
-	9,  // 18: xray.app.router.Config.balancing_rule:type_name -> xray.app.router.BalancingRule
-	19, // [19:19] is the sub-list for method output_type
-	19, // [19:19] is the sub-list for method input_type
-	19, // [19:19] is the sub-list for extension type_name
-	19, // [19:19] is the sub-list for extension extendee
-	0,  // [0:19] is the sub-list for field type_name
+	14, // 15: xray.app.router.RoutingRule.source_port_list:type_name -> xray.common.net.PortList
+	12, // 16: xray.app.router.RoutingRule.attributes:type_name -> xray.app.router.RoutingRule.AttributesEntry
+	1,  // 17: xray.app.router.Config.domain_strategy:type_name -> xray.app.router.Config.DomainStrategy
+	8,  // 18: xray.app.router.Config.rule:type_name -> xray.app.router.RoutingRule
+	9,  // 19: xray.app.router.Config.balancing_rule:type_name -> xray.app.router.BalancingRule
+	20, // [20:20] is the sub-list for method output_type
+	20, // [20:20] is the sub-list for method input_type
+	20, // [20:20] is the sub-list for extension type_name
+	20, // [20:20] is the sub-list for extension extendee
+	0,  // [0:20] is the sub-list for field type_name
 }
 
 func init() { file_app_router_config_proto_init() }
@@ -1254,7 +1262,7 @@ func file_app_router_config_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_app_router_config_proto_rawDesc,
 			NumEnums:      2,
-			NumMessages:   10,
+			NumMessages:   11,
 			NumExtensions: 0,
 			NumServices:   0,
 		},

app/router/config.proto

@@ -119,7 +119,7 @@ message RoutingRule {
   repeated string inbound_tag = 8;
   repeated string protocol = 9;
 
-  string attributes = 15;
+  map<string, string> attributes = 15;
 
   string domain_matcher = 17;
 }

app/stats/command/command.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: app/stats/command/command.proto
 
 package command

app/stats/command/command_grpc.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.2.0
-// - protoc             v3.21.12
+// - protoc-gen-go-grpc v1.3.0
+// - protoc             v4.23.1
 // source: app/stats/command/command.proto
 
 package command
@@ -18,6 +18,12 @@ import (
 // Requires gRPC-Go v1.32.0 or later.
 const _ = grpc.SupportPackageIsVersion7
 
+const (
+	StatsService_GetStats_FullMethodName    = "/xray.app.stats.command.StatsService/GetStats"
+	StatsService_QueryStats_FullMethodName  = "/xray.app.stats.command.StatsService/QueryStats"
+	StatsService_GetSysStats_FullMethodName = "/xray.app.stats.command.StatsService/GetSysStats"
+)
+
 // StatsServiceClient is the client API for StatsService service.
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
@@ -37,7 +43,7 @@ func NewStatsServiceClient(cc grpc.ClientConnInterface) StatsServiceClient {
 
 func (c *statsServiceClient) GetStats(ctx context.Context, in *GetStatsRequest, opts ...grpc.CallOption) (*GetStatsResponse, error) {
 	out := new(GetStatsResponse)
-	err := c.cc.Invoke(ctx, "/xray.app.stats.command.StatsService/GetStats", in, out, opts...)
+	err := c.cc.Invoke(ctx, StatsService_GetStats_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -46,7 +52,7 @@ func (c *statsServiceClient) GetStats(ctx context.Context, in *GetStatsRequest,
 
 func (c *statsServiceClient) QueryStats(ctx context.Context, in *QueryStatsRequest, opts ...grpc.CallOption) (*QueryStatsResponse, error) {
 	out := new(QueryStatsResponse)
-	err := c.cc.Invoke(ctx, "/xray.app.stats.command.StatsService/QueryStats", in, out, opts...)
+	err := c.cc.Invoke(ctx, StatsService_QueryStats_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -55,7 +61,7 @@ func (c *statsServiceClient) QueryStats(ctx context.Context, in *QueryStatsReque
 
 func (c *statsServiceClient) GetSysStats(ctx context.Context, in *SysStatsRequest, opts ...grpc.CallOption) (*SysStatsResponse, error) {
 	out := new(SysStatsResponse)
-	err := c.cc.Invoke(ctx, "/xray.app.stats.command.StatsService/GetSysStats", in, out, opts...)
+	err := c.cc.Invoke(ctx, StatsService_GetSysStats_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -108,7 +114,7 @@ func _StatsService_GetStats_Handler(srv interface{}, ctx context.Context, dec fu
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/xray.app.stats.command.StatsService/GetStats",
+		FullMethod: StatsService_GetStats_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(StatsServiceServer).GetStats(ctx, req.(*GetStatsRequest))
@@ -126,7 +132,7 @@ func _StatsService_QueryStats_Handler(srv interface{}, ctx context.Context, dec
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/xray.app.stats.command.StatsService/QueryStats",
+		FullMethod: StatsService_QueryStats_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(StatsServiceServer).QueryStats(ctx, req.(*QueryStatsRequest))
@@ -144,7 +150,7 @@ func _StatsService_GetSysStats_Handler(srv interface{}, ctx context.Context, dec
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/xray.app.stats.command.StatsService/GetSysStats",
+		FullMethod: StatsService_GetSysStats_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(StatsServiceServer).GetSysStats(ctx, req.(*SysStatsRequest))

app/stats/config.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: app/stats/config.proto
 
 package stats

common/errors/multi_error.go

@@ -28,3 +28,20 @@ func Combine(maybeError ...error) error {
 	}
 	return errs
 }
+
+func AllEqual(expected error, actual error) bool {
+	switch errs := actual.(type) {
+	case multiError:
+		if len(errs) == 0 {
+			return false
+		}
+		for _, err := range errs {
+			if err != expected {
+				return false
+			}
+		}
+		return true
+	default:
+		return errs == expected
+	}
+}

common/log/log.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: common/log/log.proto
 
 package log

common/mux/client.go

@@ -14,6 +14,7 @@ import (
 	"github.com/xtls/xray-core/common/session"
 	"github.com/xtls/xray-core/common/signal/done"
 	"github.com/xtls/xray-core/common/task"
+	"github.com/xtls/xray-core/common/xudp"
 	"github.com/xtls/xray-core/proxy"
 	"github.com/xtls/xray-core/transport"
 	"github.com/xtls/xray-core/transport/internet"
@@ -247,22 +248,20 @@ func fetchInput(ctx context.Context, s *Session, output buf.Writer) {
 		transferType = protocol.TransferTypePacket
 	}
 	s.transferType = transferType
-	writer := NewWriter(s.ID, dest, output, transferType)
-	defer s.Close()
+	writer := NewWriter(s.ID, dest, output, transferType, xudp.GetGlobalID(ctx))
+	defer s.Close(false)
 	defer writer.Close()
 
 	newError("dispatching request to ", dest).WriteToLog(session.ExportIDToError(ctx))
 	if err := writeFirstPayload(s.input, writer); err != nil {
 		newError("failed to write first payload").Base(err).WriteToLog(session.ExportIDToError(ctx))
 		writer.hasError = true
-		common.Interrupt(s.input)
 		return
 	}
 
 	if err := buf.Copy(s.input, writer); err != nil {
 		newError("failed to fetch all input").Base(err).WriteToLog(session.ExportIDToError(ctx))
 		writer.hasError = true
-		common.Interrupt(s.input)
 		return
 	}
 }
@@ -335,15 +334,8 @@ func (m *ClientWorker) handleStatusKeep(meta *FrameMetadata, reader *buf.Buffere
 	err := buf.Copy(rr, s.output)
 	if err != nil && buf.IsWriteError(err) {
 		newError("failed to write to downstream. closing session ", s.ID).Base(err).WriteToLog()
-
-		// Notify remote peer to close this session.
-		closingWriter := NewResponseWriter(meta.SessionID, m.link.Writer, protocol.TransferTypeStream)
-		closingWriter.Close()
-
-		drainErr := buf.Copy(rr, buf.Discard)
-		common.Interrupt(s.input)
-		s.Close()
-		return drainErr
+		s.Close(false)
+		return buf.Copy(rr, buf.Discard)
 	}
 
 	return err
@@ -351,12 +343,7 @@ func (m *ClientWorker) handleStatusKeep(meta *FrameMetadata, reader *buf.Buffere
 
 func (m *ClientWorker) handleStatusEnd(meta *FrameMetadata, reader *buf.BufferedReader) error {
 	if s, found := m.sessionManager.Get(meta.SessionID); found {
-		if meta.Option.Has(OptionError) {
-			common.Interrupt(s.input)
-			common.Interrupt(s.output)
-		}
-		common.Interrupt(s.input)
-		s.Close()
+		s.Close(false)
 	}
 	if meta.Option.Has(OptionData) {
 		return buf.Copy(NewStreamReader(reader), buf.Discard)

common/mux/frame.go

@@ -58,6 +58,7 @@ type FrameMetadata struct {
 	SessionID     uint16
 	Option        bitmask.Byte
 	SessionStatus SessionStatus
+	GlobalID      [8]byte
 }
 
 func (f FrameMetadata) WriteTo(b *buf.Buffer) error {
@@ -81,6 +82,9 @@ func (f FrameMetadata) WriteTo(b *buf.Buffer) error {
 		if err := addrParser.WriteAddressPort(b, f.Target.Address, f.Target.Port); err != nil {
 			return err
 		}
+		if b.UDP != nil { // make sure it's user's proxy request
+			b.Write(f.GlobalID[:]) // no need to check whether it's empty
+		}
 	} else if b.UDP != nil {
 		b.WriteByte(byte(TargetNetworkUDP))
 		addrParser.WriteAddressPort(b, b.UDP.Address, b.UDP.Port)
@@ -122,7 +126,8 @@ func (f *FrameMetadata) UnmarshalFromBuffer(b *buf.Buffer) error {
 	f.Option = bitmask.Byte(b.Byte(3))
 	f.Target.Network = net.Network_Unknown
 
-	if f.SessionStatus == SessionStatusNew || (f.SessionStatus == SessionStatusKeep && b.Len() != 4) {
+	if f.SessionStatus == SessionStatusNew || (f.SessionStatus == SessionStatusKeep && b.Len() > 4 &&
+		TargetNetwork(b.Byte(4)) == TargetNetworkUDP) { // MUST check the flag first
 		if b.Len() < 8 {
 			return newError("insufficient buffer: ", b.Len())
 		}
@@ -144,5 +149,11 @@ func (f *FrameMetadata) UnmarshalFromBuffer(b *buf.Buffer) error {
 		}
 	}
 
+	// Application data is essential, to test whether the pipe is closed.
+	if f.SessionStatus == SessionStatusNew && f.Option.Has(OptionData) &&
+		f.Target.Network == net.Network_UDP && b.Len() >= 8 {
+		copy(f.GlobalID[:], b.Bytes())
+	}
+
 	return nil
 }

common/mux/mux_test.go

@@ -32,13 +32,13 @@ func TestReaderWriter(t *testing.T) {
 	pReader, pWriter := pipe.New(pipe.WithSizeLimit(1024))
 
 	dest := net.TCPDestination(net.DomainAddress("example.com"), 80)
-	writer := NewWriter(1, dest, pWriter, protocol.TransferTypeStream)
+	writer := NewWriter(1, dest, pWriter, protocol.TransferTypeStream, [8]byte{})
 
 	dest2 := net.TCPDestination(net.LocalHostIP, 443)
-	writer2 := NewWriter(2, dest2, pWriter, protocol.TransferTypeStream)
+	writer2 := NewWriter(2, dest2, pWriter, protocol.TransferTypeStream, [8]byte{})
 
 	dest3 := net.TCPDestination(net.LocalHostIPv6, 18374)
-	writer3 := NewWriter(3, dest3, pWriter, protocol.TransferTypeStream)
+	writer3 := NewWriter(3, dest3, pWriter, protocol.TransferTypeStream, [8]byte{})
 
 	writePayload := func(writer *Writer, payload ...byte) error {
 		b := buf.New()

common/mux/server.go

@@ -99,7 +99,7 @@ func handle(ctx context.Context, s *Session, output buf.Writer) {
 	}
 
 	writer.Close()
-	s.Close()
+	s.Close(false)
 }
 
 func (w *ServerWorker) ActiveConnections() uint32 {
@@ -131,6 +131,81 @@ func (w *ServerWorker) handleStatusNew(ctx context.Context, meta *FrameMetadata,
 		}
 		ctx = log.ContextWithAccessMessage(ctx, msg)
 	}
+
+	if network := session.AllowedNetworkFromContext(ctx); network != net.Network_Unknown {
+		if meta.Target.Network != network {
+			return newError("unexpected network ", meta.Target.Network) // it will break the whole Mux connection
+		}
+	}
+
+	if meta.GlobalID != [8]byte{} { // MUST ignore empty Global ID
+		mb, err := NewPacketReader(reader, &meta.Target).ReadMultiBuffer()
+		if err != nil {
+			return err
+		}
+		XUDPManager.Lock()
+		x := XUDPManager.Map[meta.GlobalID]
+		if x == nil {
+			x = &XUDP{GlobalID: meta.GlobalID}
+			XUDPManager.Map[meta.GlobalID] = x
+			XUDPManager.Unlock()
+		} else {
+			if x.Status == Initializing { // nearly impossible
+				XUDPManager.Unlock()
+				newError("XUDP hit ", meta.GlobalID).Base(errors.New("conflict")).AtWarning().WriteToLog(session.ExportIDToError(ctx))
+				// It's not a good idea to return an err here, so just let client wait.
+				// Client will receive an End frame after sending a Keep frame.
+				return nil
+			}
+			x.Status = Initializing
+			XUDPManager.Unlock()
+			x.Mux.Close(false) // detach from previous Mux
+			b := buf.New()
+			b.Write(mb[0].Bytes())
+			b.UDP = mb[0].UDP
+			if err = x.Mux.output.WriteMultiBuffer(mb); err != nil {
+				x.Interrupt()
+				mb = buf.MultiBuffer{b}
+			} else {
+				b.Release()
+				mb = nil
+			}
+			newError("XUDP hit ", meta.GlobalID).Base(err).WriteToLog(session.ExportIDToError(ctx))
+		}
+		if mb != nil {
+			ctx = session.ContextWithTimeoutOnly(ctx, true)
+			// Actually, it won't return an error in Xray-core's implementations.
+			link, err := w.dispatcher.Dispatch(ctx, meta.Target)
+			if err != nil {
+				XUDPManager.Lock()
+				delete(XUDPManager.Map, x.GlobalID)
+				XUDPManager.Unlock()
+				err = newError("XUDP new ", meta.GlobalID).Base(errors.New("failed to dispatch request to ", meta.Target).Base(err))
+				return err // it will break the whole Mux connection
+			}
+			link.Writer.WriteMultiBuffer(mb) // it's meaningless to test a new pipe
+			x.Mux = &Session{
+				input:  link.Reader,
+				output: link.Writer,
+			}
+			newError("XUDP new ", meta.GlobalID).Base(err).WriteToLog(session.ExportIDToError(ctx))
+		}
+		x.Mux = &Session{
+			input:        x.Mux.input,
+			output:       x.Mux.output,
+			parent:       w.sessionManager,
+			ID:           meta.SessionID,
+			transferType: protocol.TransferTypePacket,
+			XUDP:         x,
+		}
+		go handle(ctx, x.Mux, w.link.Writer)
+		x.Status = Active
+		if !w.sessionManager.Add(x.Mux) {
+			x.Mux.Close(false)
+		}
+		return nil
+	}
+
 	link, err := w.dispatcher.Dispatch(ctx, meta.Target)
 	if err != nil {
 		if meta.Option.Has(OptionData) {
@@ -157,8 +232,7 @@ func (w *ServerWorker) handleStatusNew(ctx context.Context, meta *FrameMetadata,
 	rr := s.NewReader(reader, &meta.Target)
 	if err := buf.Copy(rr, s.output); err != nil {
 		buf.Copy(rr, buf.Discard)
-		common.Interrupt(s.input)
-		return s.Close()
+		return s.Close(false)
 	}
 	return nil
 }
@@ -182,15 +256,8 @@ func (w *ServerWorker) handleStatusKeep(meta *FrameMetadata, reader *buf.Buffere
 
 	if err != nil && buf.IsWriteError(err) {
 		newError("failed to write to downstream writer. closing session ", s.ID).Base(err).WriteToLog()
-
-		// Notify remote peer to close this session.
-		closingWriter := NewResponseWriter(meta.SessionID, w.link.Writer, protocol.TransferTypeStream)
-		closingWriter.Close()
-
-		drainErr := buf.Copy(rr, buf.Discard)
-		common.Interrupt(s.input)
-		s.Close()
-		return drainErr
+		s.Close(false)
+		return buf.Copy(rr, buf.Discard)
 	}
 
 	return err
@@ -198,12 +265,7 @@ func (w *ServerWorker) handleStatusKeep(meta *FrameMetadata, reader *buf.Buffere
 
 func (w *ServerWorker) handleStatusEnd(meta *FrameMetadata, reader *buf.BufferedReader) error {
 	if s, found := w.sessionManager.Get(meta.SessionID); found {
-		if meta.Option.Has(OptionError) {
-			common.Interrupt(s.input)
-			common.Interrupt(s.output)
-		}
-		common.Interrupt(s.input)
-		s.Close()
+		s.Close(false)
 	}
 	if meta.Option.Has(OptionData) {
 		return buf.Copy(NewStreamReader(reader), buf.Discard)

common/mux/session.go

@@ -1,12 +1,16 @@
 package mux
 
 import (
+	"io"
+	"runtime"
 	"sync"
+	"time"
 
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/buf"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/protocol"
+	"github.com/xtls/xray-core/transport/pipe"
 )
 
 type SessionManager struct {
@@ -61,21 +65,25 @@ func (m *SessionManager) Allocate() *Session {
 	return s
 }
 
-func (m *SessionManager) Add(s *Session) {
+func (m *SessionManager) Add(s *Session) bool {
 	m.Lock()
 	defer m.Unlock()
 
 	if m.closed {
-		return
+		return false
 	}
 
 	m.count++
 	m.sessions[s.ID] = s
+	return true
 }
 
-func (m *SessionManager) Remove(id uint16) {
-	m.Lock()
-	defer m.Unlock()
+func (m *SessionManager) Remove(locked bool, id uint16) {
+	if !locked {
+		m.Lock()
+		defer m.Unlock()
+	}
+	locked = true
 
 	if m.closed {
 		return
@@ -83,9 +91,11 @@ func (m *SessionManager) Remove(id uint16) {
 
 	delete(m.sessions, id)
 
-	if len(m.sessions) == 0 {
-		m.sessions = make(map[uint16]*Session, 16)
-	}
+	/*
+		if len(m.sessions) == 0 {
+			m.sessions = make(map[uint16]*Session, 16)
+		}
+	*/
 }
 
 func (m *SessionManager) Get(id uint16) (*Session, bool) {
@@ -127,8 +137,7 @@ func (m *SessionManager) Close() error {
 	m.closed = true
 
 	for _, s := range m.sessions {
-		common.Close(s.input)
-		common.Close(s.output)
+		s.Close(true)
 	}
 
 	m.sessions = nil
@@ -142,13 +151,40 @@ type Session struct {
 	parent       *SessionManager
 	ID           uint16
 	transferType protocol.TransferType
+	closed       bool
+	XUDP         *XUDP
 }
 
 // Close closes all resources associated with this session.
-func (s *Session) Close() error {
-	common.Close(s.output)
-	common.Close(s.input)
-	s.parent.Remove(s.ID)
+func (s *Session) Close(locked bool) error {
+	if !locked {
+		s.parent.Lock()
+		defer s.parent.Unlock()
+	}
+	locked = true
+	if s.closed {
+		return nil
+	}
+	s.closed = true
+	if s.XUDP == nil {
+		common.Interrupt(s.input)
+		common.Close(s.output)
+	} else {
+		// Stop existing handle(), then trigger writer.Close().
+		// Note that s.output may be dispatcher.SizeStatWriter.
+		s.input.(*pipe.Reader).ReturnAnError(io.EOF)
+		runtime.Gosched()
+		// If the error set by ReturnAnError still exists, clear it.
+		s.input.(*pipe.Reader).Recover()
+		XUDPManager.Lock()
+		if s.XUDP.Status == Active {
+			s.XUDP.Expire = time.Now().Add(time.Minute)
+			s.XUDP.Status = Expiring
+			newError("XUDP put ", s.XUDP.GlobalID).AtDebug().WriteToLog()
+		}
+		XUDPManager.Unlock()
+	}
+	s.parent.Remove(locked, s.ID)
 	return nil
 }
 
@@ -159,3 +195,45 @@ func (s *Session) NewReader(reader *buf.BufferedReader, dest *net.Destination) b
 	}
 	return NewPacketReader(reader, dest)
 }
+
+const (
+	Initializing = 0
+	Active       = 1
+	Expiring     = 2
+)
+
+type XUDP struct {
+	GlobalID [8]byte
+	Status   uint64
+	Expire   time.Time
+	Mux      *Session
+}
+
+func (x *XUDP) Interrupt() {
+	common.Interrupt(x.Mux.input)
+	common.Close(x.Mux.output)
+}
+
+var XUDPManager struct {
+	sync.Mutex
+	Map map[[8]byte]*XUDP
+}
+
+func init() {
+	XUDPManager.Map = make(map[[8]byte]*XUDP)
+	go func() {
+		for {
+			time.Sleep(time.Minute)
+			now := time.Now()
+			XUDPManager.Lock()
+			for id, x := range XUDPManager.Map {
+				if x.Status == Expiring && now.After(x.Expire) {
+					x.Interrupt()
+					delete(XUDPManager.Map, id)
+					newError("XUDP del ", id).AtDebug().WriteToLog()
+				}
+			}
+			XUDPManager.Unlock()
+		}
+	}()
+}

common/mux/session_test.go

@@ -44,7 +44,7 @@ func TestSessionManagerClose(t *testing.T) {
 	if m.CloseIfNoSession() {
 		t.Error("able to close")
 	}
-	m.Remove(s.ID)
+	m.Remove(false, s.ID)
 	if !m.CloseIfNoSession() {
 		t.Error("not able to close")
 	}

common/mux/writer.go

@@ -15,15 +15,17 @@ type Writer struct {
 	followup     bool
 	hasError     bool
 	transferType protocol.TransferType
+	globalID     [8]byte
 }
 
-func NewWriter(id uint16, dest net.Destination, writer buf.Writer, transferType protocol.TransferType) *Writer {
+func NewWriter(id uint16, dest net.Destination, writer buf.Writer, transferType protocol.TransferType, globalID [8]byte) *Writer {
 	return &Writer{
 		id:           id,
 		dest:         dest,
 		writer:       writer,
 		followup:     false,
 		transferType: transferType,
+		globalID:     globalID,
 	}
 }
 
@@ -40,6 +42,7 @@ func (w *Writer) getNextFrameMeta() FrameMetadata {
 	meta := FrameMetadata{
 		SessionID: w.id,
 		Target:    w.dest,
+		GlobalID:  w.globalID,
 	}
 
 	if w.followup {

common/net/address.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: common/net/address.proto
 
 package net

common/net/destination.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: common/net/destination.proto
 
 package net

common/net/network.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: common/net/network.proto
 
 package net
@@ -24,7 +24,7 @@ type Network int32
 
 const (
 	Network_Unknown Network = 0
-	// Deprecated: Do not use.
+	// Deprecated: Marked as deprecated in common/net/network.proto.
 	Network_RawTCP Network = 1
 	Network_TCP    Network = 2
 	Network_UDP    Network = 3

common/net/port.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: common/net/port.proto
 
 package net

common/protocol/headers.go

@@ -3,11 +3,10 @@ package protocol
 import (
 	"runtime"
 
-	"golang.org/x/sys/cpu"
-
 	"github.com/xtls/xray-core/common/bitmask"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/uuid"
+	"golang.org/x/sys/cpu"
 )
 
 // RequestCommand is a custom command in a proxy request.
@@ -31,11 +30,10 @@ func (c RequestCommand) TransferType() TransferType {
 }
 
 const (
-	// RequestOptionChunkStream indicates request payload is chunked. Each chunk consists of length, authentication and payload.
+	// [DEPRECATED 2023-06] RequestOptionChunkStream indicates request payload is chunked. Each chunk consists of length, authentication and payload.
 	RequestOptionChunkStream bitmask.Byte = 0x01
 
-	// RequestOptionConnectionReuse indicates client side expects to reuse the connection.
-	RequestOptionConnectionReuse bitmask.Byte = 0x02
+	// 0x02 legacy setting
 
 	RequestOptionChunkMasking bitmask.Byte = 0x04
 
@@ -77,7 +75,6 @@ type CommandSwitchAccount struct {
 	Port     net.Port
 	ID       uuid.UUID
 	Level    uint32
-	AlterIds uint16
 	ValidMin byte
 }
 

common/protocol/headers.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: common/protocol/headers.proto
 
 package protocol
@@ -24,11 +24,10 @@ type SecurityType int32
 
 const (
 	SecurityType_UNKNOWN           SecurityType = 0
-	SecurityType_LEGACY            SecurityType = 1
 	SecurityType_AUTO              SecurityType = 2
 	SecurityType_AES128_GCM        SecurityType = 3
 	SecurityType_CHACHA20_POLY1305 SecurityType = 4
-	SecurityType_NONE              SecurityType = 5
+	SecurityType_NONE              SecurityType = 5 // [DEPRECATED 2023-06]
 	SecurityType_ZERO              SecurityType = 6
 )
 
@@ -36,7 +35,6 @@ const (
 var (
 	SecurityType_name = map[int32]string{
 		0: "UNKNOWN",
-		1: "LEGACY",
 		2: "AUTO",
 		3: "AES128_GCM",
 		4: "CHACHA20_POLY1305",
@@ -45,7 +43,6 @@ var (
 	}
 	SecurityType_value = map[string]int32{
 		"UNKNOWN":           0,
-		"LEGACY":            1,
 		"AUTO":              2,
 		"AES128_GCM":        3,
 		"CHACHA20_POLY1305": 4,
@@ -139,20 +136,19 @@ var file_common_protocol_headers_proto_rawDesc = []byte{
 	0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x22, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x63, 0x6f, 0x6d,
 	0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2e, 0x53, 0x65, 0x63,
 	0x75, 0x72, 0x69, 0x74, 0x79, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x2a,
-	0x6c, 0x0a, 0x0c, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x54, 0x79, 0x70, 0x65, 0x12,
-	0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06,
-	0x4c, 0x45, 0x47, 0x41, 0x43, 0x59, 0x10, 0x01, 0x12, 0x08, 0x0a, 0x04, 0x41, 0x55, 0x54, 0x4f,
-	0x10, 0x02, 0x12, 0x0e, 0x0a, 0x0a, 0x41, 0x45, 0x53, 0x31, 0x32, 0x38, 0x5f, 0x47, 0x43, 0x4d,
-	0x10, 0x03, 0x12, 0x15, 0x0a, 0x11, 0x43, 0x48, 0x41, 0x43, 0x48, 0x41, 0x32, 0x30, 0x5f, 0x50,
-	0x4f, 0x4c, 0x59, 0x31, 0x33, 0x30, 0x35, 0x10, 0x04, 0x12, 0x08, 0x0a, 0x04, 0x4e, 0x4f, 0x4e,
-	0x45, 0x10, 0x05, 0x12, 0x08, 0x0a, 0x04, 0x5a, 0x45, 0x52, 0x4f, 0x10, 0x06, 0x42, 0x5e, 0x0a,
-	0x18, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e,
-	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x50, 0x01, 0x5a, 0x29, 0x67, 0x69, 0x74,
-	0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78, 0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61,
-	0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0xaa, 0x02, 0x14, 0x58, 0x72, 0x61, 0x79, 0x2e, 0x43, 0x6f,
-	0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x62, 0x06, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x60, 0x0a, 0x0c, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x54, 0x79, 0x70, 0x65, 0x12,
+	0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04,
+	0x41, 0x55, 0x54, 0x4f, 0x10, 0x02, 0x12, 0x0e, 0x0a, 0x0a, 0x41, 0x45, 0x53, 0x31, 0x32, 0x38,
+	0x5f, 0x47, 0x43, 0x4d, 0x10, 0x03, 0x12, 0x15, 0x0a, 0x11, 0x43, 0x48, 0x41, 0x43, 0x48, 0x41,
+	0x32, 0x30, 0x5f, 0x50, 0x4f, 0x4c, 0x59, 0x31, 0x33, 0x30, 0x35, 0x10, 0x04, 0x12, 0x08, 0x0a,
+	0x04, 0x4e, 0x4f, 0x4e, 0x45, 0x10, 0x05, 0x12, 0x08, 0x0a, 0x04, 0x5a, 0x45, 0x52, 0x4f, 0x10,
+	0x06, 0x42, 0x5e, 0x0a, 0x18, 0x63, 0x6f, 0x6d, 0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x63, 0x6f,
+	0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x50, 0x01, 0x5a,
+	0x29, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78, 0x74, 0x6c, 0x73,
+	0x2f, 0x78, 0x72, 0x61, 0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f,
+	0x6e, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0xaa, 0x02, 0x14, 0x58, 0x72, 0x61,
+	0x79, 0x2e, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f,
+	0x6c, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (

common/protocol/headers.proto

@@ -8,11 +8,10 @@ option java_multiple_files = true;
 
 enum SecurityType {
   UNKNOWN = 0;
-  LEGACY = 1;
   AUTO = 2;
   AES128_GCM = 3;
   CHACHA20_POLY1305 = 4;
-  NONE = 5;
+  NONE = 5; // [DEPRECATED 2023-06] 
   ZERO = 6;
 }
 

common/protocol/id.go

@@ -1,9 +1,7 @@
 package protocol
 
 import (
-	"crypto/hmac"
 	"crypto/md5"
-	"hash"
 
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/uuid"
@@ -13,12 +11,6 @@ const (
 	IDBytesLen = 16
 )
 
-type IDHash func(key []byte) hash.Hash
-
-func DefaultIDHash(key []byte) hash.Hash {
-	return hmac.New(md5.New, key)
-}
-
 // The ID of en entity, in the form of a UUID.
 type ID struct {
 	uuid   uuid.UUID
@@ -55,28 +47,3 @@ func NewID(uuid uuid.UUID) *ID {
 	md5hash.Sum(id.cmdKey[:0])
 	return id
 }
-
-func nextID(u *uuid.UUID) uuid.UUID {
-	md5hash := md5.New()
-	common.Must2(md5hash.Write(u.Bytes()))
-	common.Must2(md5hash.Write([]byte("16167dc8-16b6-4e6d-b8bb-65dd68113a81")))
-	var newid uuid.UUID
-	for {
-		md5hash.Sum(newid[:0])
-		if !newid.Equals(u) {
-			return newid
-		}
-		common.Must2(md5hash.Write([]byte("533eff8a-4113-4b10-b5ce-0f5d76b98cd2")))
-	}
-}
-
-func NewAlterIDs(primary *ID, alterIDCount uint16) []*ID {
-	alterIDs := make([]*ID, alterIDCount)
-	prevID := primary.UUID()
-	for idx := range alterIDs {
-		newid := nextID(&prevID)
-		alterIDs[idx] = NewID(newid)
-		prevID = newid
-	}
-	return alterIDs
-}

common/protocol/quic/sniff.go

@@ -10,6 +10,7 @@ import (
 	"github.com/quic-go/quic-go/quicvarint"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/buf"
+	"github.com/xtls/xray-core/common/bytespool"
 	"github.com/xtls/xray-core/common/errors"
 	ptls "github.com/xtls/xray-core/common/protocol/tls"
 	"golang.org/x/crypto/hkdf"
@@ -141,7 +142,7 @@ func SniffQUIC(b []byte) (*SniffHeader, error) {
 		packetNumber = uint32(n)
 	}
 
-	if packetNumber != 0 {
+	if packetNumber != 0 && packetNumber != 1 {
 		return nil, errNotQuicInitial
 	}
 
@@ -159,32 +160,92 @@ func SniffQUIC(b []byte) (*SniffHeader, error) {
 		return nil, err
 	}
 	buffer = buf.FromBytes(decrypted)
-	frameType, err := buffer.ReadByte()
-	if err != nil {
-		return nil, io.ErrUnexpectedEOF
+
+	cryptoLen := uint(0)
+	cryptoData := bytespool.Alloc(buffer.Len())
+	defer bytespool.Free(cryptoData)
+	for i := 0; !buffer.IsEmpty(); i++ {
+		frameType := byte(0x0) // Default to PADDING frame
+		for frameType == 0x0 && !buffer.IsEmpty() {
+			frameType, _ = buffer.ReadByte()
+		}
+		switch frameType {
+		case 0x00: // PADDING frame
+		case 0x01: // PING frame
+		case 0x02, 0x03: // ACK frame
+			if _, err = quicvarint.Read(buffer); err != nil { // Field: Largest Acknowledged
+				return nil, io.ErrUnexpectedEOF
+			}
+			if _, err = quicvarint.Read(buffer); err != nil { // Field: ACK Delay
+				return nil, io.ErrUnexpectedEOF
+			}
+			ackRangeCount, err := quicvarint.Read(buffer) // Field: ACK Range Count
+			if err != nil {
+				return nil, io.ErrUnexpectedEOF
+			}
+			if _, err = quicvarint.Read(buffer); err != nil { // Field: First ACK Range
+				return nil, io.ErrUnexpectedEOF
+			}
+			for i := 0; i < int(ackRangeCount); i++ { // Field: ACK Range
+				if _, err = quicvarint.Read(buffer); err != nil { // Field: ACK Range -> Gap
+					return nil, io.ErrUnexpectedEOF
+				}
+				if _, err = quicvarint.Read(buffer); err != nil { // Field: ACK Range -> ACK Range Length
+					return nil, io.ErrUnexpectedEOF
+				}
+			}
+			if frameType == 0x03 {
+				if _, err = quicvarint.Read(buffer); err != nil { // Field: ECN Counts -> ECT0 Count
+					return nil, io.ErrUnexpectedEOF
+				}
+				if _, err = quicvarint.Read(buffer); err != nil { // Field: ECN Counts -> ECT1 Count
+					return nil, io.ErrUnexpectedEOF
+				}
+				if _, err = quicvarint.Read(buffer); err != nil { //nolint:misspell // Field: ECN Counts -> ECT-CE Count
+					return nil, io.ErrUnexpectedEOF
+				}
+			}
+		case 0x06: // CRYPTO frame, we will use this frame
+			offset, err := quicvarint.Read(buffer) // Field: Offset
+			if err != nil {
+				return nil, io.ErrUnexpectedEOF
+			}
+			length, err := quicvarint.Read(buffer) // Field: Length
+			if err != nil || length > uint64(buffer.Len()) {
+				return nil, io.ErrUnexpectedEOF
+			}
+			if cryptoLen < uint(offset+length) {
+				cryptoLen = uint(offset + length)
+			}
+			if _, err := buffer.Read(cryptoData[offset : offset+length]); err != nil { // Field: Crypto Data
+				return nil, io.ErrUnexpectedEOF
+			}
+		case 0x1c: // CONNECTION_CLOSE frame, only 0x1c is permitted in initial packet
+			if _, err = quicvarint.Read(buffer); err != nil { // Field: Error Code
+				return nil, io.ErrUnexpectedEOF
+			}
+			if _, err = quicvarint.Read(buffer); err != nil { // Field: Frame Type
+				return nil, io.ErrUnexpectedEOF
+			}
+			length, err := quicvarint.Read(buffer) // Field: Reason Phrase Length
+			if err != nil {
+				return nil, io.ErrUnexpectedEOF
+			}
+			if _, err := buffer.ReadBytes(int32(length)); err != nil { // Field: Reason Phrase
+				return nil, io.ErrUnexpectedEOF
+			}
+		default:
+			// Only above frame types are permitted in initial packet.
+			// See https://www.rfc-editor.org/rfc/rfc9000.html#section-17.2.2-8
+			return nil, errNotQuicInitial
+		}
 	}
-	if frameType != 0x6 {
-		// not crypto frame
-		return &SniffHeader{domain: ""}, nil
-	}
-	if common.Error2(quicvarint.Read(buffer)) != nil {
-		return nil, io.ErrUnexpectedEOF
-	}
-	dataLen, err := quicvarint.Read(buffer)
-	if err != nil {
-		return nil, io.ErrUnexpectedEOF
-	}
-	if dataLen > uint64(buffer.Len()) {
-		return nil, io.ErrUnexpectedEOF
-	}
-	frameData, err := buffer.ReadBytes(int32(dataLen))
-	common.Must(err)
+
 	tlsHdr := &ptls.SniffHeader{}
-	err = ptls.ReadClientHello(frameData, tlsHdr)
+	err = ptls.ReadClientHello(cryptoData[:cryptoLen], tlsHdr)
 	if err != nil {
 		return nil, err
 	}
-
 	return &SniffHeader{domain: tlsHdr.Domain()}, nil
 }
 

common/protocol/server_spec.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: common/protocol/server_spec.proto
 
 package protocol

common/protocol/user.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: common/protocol/user.proto
 
 package protocol

common/serial/typed_message.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: common/serial/typed_message.proto
 
 package serial

common/session/context.go

@@ -2,10 +2,15 @@ package session
 
 import (
 	"context"
+	_ "unsafe"
 
+	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/features/routing"
 )
 
+//go:linkname IndependentCancelCtx context.newCancelCtx
+func IndependentCancelCtx(parent context.Context) context.Context
+
 type sessionKey int
 
 const (
@@ -17,6 +22,8 @@ const (
 	sockoptSessionKey
 	trackedConnectionErrorKey
 	dispatcherKey
+	timeoutOnlyKey
+	allowedNetworkKey
 )
 
 // ContextWithID returns a new context with the given ID.
@@ -131,3 +138,25 @@ func DispatcherFromContext(ctx context.Context) routing.Dispatcher {
 	}
 	return nil
 }
+
+func ContextWithTimeoutOnly(ctx context.Context, only bool) context.Context {
+	return context.WithValue(ctx, timeoutOnlyKey, only)
+}
+
+func TimeoutOnlyFromContext(ctx context.Context) bool {
+	if val, ok := ctx.Value(timeoutOnlyKey).(bool); ok {
+		return val
+	}
+	return false
+}
+
+func ContextWithAllowedNetwork(ctx context.Context, network net.Network) context.Context {
+	return context.WithValue(ctx, allowedNetworkKey, network)
+}
+
+func AllowedNetworkFromContext(ctx context.Context) net.Network {
+	if val, ok := ctx.Value(allowedNetworkKey).(net.Network); ok {
+		return val
+	}
+	return net.Network_Unknown
+}

common/session/session.go

@@ -42,6 +42,8 @@ type Inbound struct {
 	Gateway net.Destination
 	// Tag of the inbound proxy that handles the connection.
 	Tag string
+	// Name of the inbound proxy that handles the connection.
+	Name string
 	// User is the user that authencates for the inbound. May be nil if the protocol allows anounymous traffic.
 	User *protocol.MemoryUser
 	// Conn is actually internet.Connection. May be nil.

common/singbridge/destination.go

@@ -0,0 +1,46 @@
+package singbridge
+
+import (
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/xtls/xray-core/common/net"
+)
+
+func ToNetwork(network string) net.Network {
+	switch N.NetworkName(network) {
+	case N.NetworkTCP:
+		return net.Network_TCP
+	case N.NetworkUDP:
+		return net.Network_UDP
+	default:
+		return net.Network_Unknown
+	}
+}
+
+func ToDestination(socksaddr M.Socksaddr, network net.Network) net.Destination {
+	if socksaddr.IsFqdn() {
+		return net.Destination{
+			Network: network,
+			Address: net.DomainAddress(socksaddr.Fqdn),
+			Port:    net.Port(socksaddr.Port),
+		}
+	} else {
+		return net.Destination{
+			Network: network,
+			Address: net.IPAddress(socksaddr.Addr.AsSlice()),
+			Port:    net.Port(socksaddr.Port),
+		}
+	}
+}
+
+func ToSocksaddr(destination net.Destination) M.Socksaddr {
+	var addr M.Socksaddr
+	switch destination.Address.Family() {
+	case net.AddressFamilyDomain:
+		addr.Fqdn = destination.Address.Domain()
+	default:
+		addr.Addr = M.AddrFromIP(destination.Address.IP())
+	}
+	addr.Port = uint16(destination.Port)
+	return addr
+}

common/singbridge/dialer.go

@@ -0,0 +1,59 @@
+package singbridge
+
+import (
+	"context"
+	"os"
+
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/xtls/xray-core/common/net"
+	"github.com/xtls/xray-core/common/net/cnc"
+	"github.com/xtls/xray-core/common/session"
+	"github.com/xtls/xray-core/proxy"
+	"github.com/xtls/xray-core/transport"
+	"github.com/xtls/xray-core/transport/internet"
+	"github.com/xtls/xray-core/transport/pipe"
+)
+
+var _ N.Dialer = (*XrayDialer)(nil)
+
+type XrayDialer struct {
+	internet.Dialer
+}
+
+func NewDialer(dialer internet.Dialer) *XrayDialer {
+	return &XrayDialer{dialer}
+}
+
+func (d *XrayDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	return d.Dialer.Dial(ctx, ToDestination(destination, ToNetwork(network)))
+}
+
+func (d *XrayDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	return nil, os.ErrInvalid
+}
+
+type XrayOutboundDialer struct {
+	outbound proxy.Outbound
+	dialer   internet.Dialer
+}
+
+func NewOutboundDialer(outbound proxy.Outbound, dialer internet.Dialer) *XrayOutboundDialer {
+	return &XrayOutboundDialer{outbound, dialer}
+}
+
+func (d *XrayOutboundDialer) DialContext(ctx context.Context, network string, destination M.Socksaddr) (net.Conn, error) {
+	ctx = session.ContextWithOutbound(context.Background(), &session.Outbound{
+		Target: ToDestination(destination, ToNetwork(network)),
+	})
+	opts := []pipe.Option{pipe.WithSizeLimit(64 * 1024)}
+	uplinkReader, uplinkWriter := pipe.New(opts...)
+	downlinkReader, downlinkWriter := pipe.New(opts...)
+	conn := cnc.NewConnection(cnc.ConnectionInputMulti(downlinkWriter), cnc.ConnectionOutputMulti(uplinkReader))
+	go d.outbound.Process(ctx, &transport.Link{Reader: downlinkReader, Writer: uplinkWriter}, d.dialer)
+	return conn, nil
+}
+
+func (d *XrayOutboundDialer) ListenPacket(ctx context.Context, destination M.Socksaddr) (net.PacketConn, error) {
+	return nil, os.ErrInvalid
+}

common/singbridge/error.go

@@ -0,0 +1,10 @@
+package singbridge
+
+import E "github.com/sagernet/sing/common/exceptions"
+
+func ReturnError(err error) error {
+	if E.IsClosedOrCanceled(err) {
+		return nil
+	}
+	return err
+}

common/singbridge/handler.go

@@ -0,0 +1,51 @@
+package singbridge
+
+import (
+	"context"
+	"io"
+
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/xtls/xray-core/common/buf"
+	"github.com/xtls/xray-core/common/errors"
+	"github.com/xtls/xray-core/common/net"
+	"github.com/xtls/xray-core/common/session"
+	"github.com/xtls/xray-core/features/routing"
+	"github.com/xtls/xray-core/transport"
+)
+
+var (
+	_ N.TCPConnectionHandler = (*Dispatcher)(nil)
+	_ N.UDPConnectionHandler = (*Dispatcher)(nil)
+)
+
+type Dispatcher struct {
+	upstream     routing.Dispatcher
+	newErrorFunc func(values ...any) *errors.Error
+}
+
+func NewDispatcher(dispatcher routing.Dispatcher, newErrorFunc func(values ...any) *errors.Error) *Dispatcher {
+	return &Dispatcher{
+		upstream:     dispatcher,
+		newErrorFunc: newErrorFunc,
+	}
+}
+
+func (d *Dispatcher) NewConnection(ctx context.Context, conn net.Conn, metadata M.Metadata) error {
+	xConn := NewConn(conn)
+	return d.upstream.DispatchLink(ctx, ToDestination(metadata.Destination, net.Network_TCP), &transport.Link{
+		Reader: xConn,
+		Writer: xConn,
+	})
+}
+
+func (d *Dispatcher) NewPacketConnection(ctx context.Context, conn N.PacketConn, metadata M.Metadata) error {
+	return d.upstream.DispatchLink(ctx, ToDestination(metadata.Destination, net.Network_UDP), &transport.Link{
+		Reader: buf.NewPacketReader(conn.(io.Reader)),
+		Writer: buf.NewWriter(conn.(io.Writer)),
+	})
+}
+
+func (d *Dispatcher) NewError(ctx context.Context, err error) {
+	d.newErrorFunc(err).WriteToLog(session.ExportIDToError(ctx))
+}

common/singbridge/logger.go

@@ -0,0 +1,71 @@
+package singbridge
+
+import (
+	"context"
+
+	"github.com/sagernet/sing/common/logger"
+	"github.com/xtls/xray-core/common/errors"
+	"github.com/xtls/xray-core/common/session"
+)
+
+var _ logger.ContextLogger = (*XrayLogger)(nil)
+
+type XrayLogger struct {
+	newError func(values ...any) *errors.Error
+}
+
+func NewLogger(newErrorFunc func(values ...any) *errors.Error) *XrayLogger {
+	return &XrayLogger{
+		newErrorFunc,
+	}
+}
+
+func (l *XrayLogger) Trace(args ...any) {
+}
+
+func (l *XrayLogger) Debug(args ...any) {
+	l.newError(args...).AtDebug().WriteToLog()
+}
+
+func (l *XrayLogger) Info(args ...any) {
+	l.newError(args...).AtInfo().WriteToLog()
+}
+
+func (l *XrayLogger) Warn(args ...any) {
+	l.newError(args...).AtWarning().WriteToLog()
+}
+
+func (l *XrayLogger) Error(args ...any) {
+	l.newError(args...).AtError().WriteToLog()
+}
+
+func (l *XrayLogger) Fatal(args ...any) {
+}
+
+func (l *XrayLogger) Panic(args ...any) {
+}
+
+func (l *XrayLogger) TraceContext(ctx context.Context, args ...any) {
+}
+
+func (l *XrayLogger) DebugContext(ctx context.Context, args ...any) {
+	l.newError(args...).AtDebug().WriteToLog(session.ExportIDToError(ctx))
+}
+
+func (l *XrayLogger) InfoContext(ctx context.Context, args ...any) {
+	l.newError(args...).AtInfo().WriteToLog(session.ExportIDToError(ctx))
+}
+
+func (l *XrayLogger) WarnContext(ctx context.Context, args ...any) {
+	l.newError(args...).AtWarning().WriteToLog(session.ExportIDToError(ctx))
+}
+
+func (l *XrayLogger) ErrorContext(ctx context.Context, args ...any) {
+	l.newError(args...).AtError().WriteToLog(session.ExportIDToError(ctx))
+}
+
+func (l *XrayLogger) FatalContext(ctx context.Context, args ...any) {
+}
+
+func (l *XrayLogger) PanicContext(ctx context.Context, args ...any) {
+}

common/singbridge/packet.go

@@ -0,0 +1,82 @@
+package singbridge
+
+import (
+	"context"
+
+	B "github.com/sagernet/sing/common/buf"
+	"github.com/sagernet/sing/common/bufio"
+	M "github.com/sagernet/sing/common/metadata"
+	"github.com/xtls/xray-core/common/buf"
+	"github.com/xtls/xray-core/common/net"
+	"github.com/xtls/xray-core/transport"
+)
+
+func CopyPacketConn(ctx context.Context, inboundConn net.Conn, link *transport.Link, destination net.Destination, serverConn net.PacketConn) error {
+	conn := &PacketConnWrapper{
+		Reader: link.Reader,
+		Writer: link.Writer,
+		Dest:   destination,
+		Conn:   inboundConn,
+	}
+	return ReturnError(bufio.CopyPacketConn(ctx, conn, bufio.NewPacketConn(serverConn)))
+}
+
+type PacketConnWrapper struct {
+	buf.Reader
+	buf.Writer
+	net.Conn
+	Dest   net.Destination
+	cached buf.MultiBuffer
+}
+
+func (w *PacketConnWrapper) ReadPacket(buffer *B.Buffer) (M.Socksaddr, error) {
+	if w.cached != nil {
+		mb, bb := buf.SplitFirst(w.cached)
+		if bb == nil {
+			w.cached = nil
+		} else {
+			buffer.Write(bb.Bytes())
+			w.cached = mb
+			var destination net.Destination
+			if bb.UDP != nil {
+				destination = *bb.UDP
+			} else {
+				destination = w.Dest
+			}
+			bb.Release()
+			return ToSocksaddr(destination), nil
+		}
+	}
+	mb, err := w.ReadMultiBuffer()
+	if err != nil {
+		return M.Socksaddr{}, err
+	}
+	nb, bb := buf.SplitFirst(mb)
+	if bb == nil {
+		return M.Socksaddr{}, nil
+	} else {
+		buffer.Write(bb.Bytes())
+		w.cached = nb
+		var destination net.Destination
+		if bb.UDP != nil {
+			destination = *bb.UDP
+		} else {
+			destination = w.Dest
+		}
+		bb.Release()
+		return ToSocksaddr(destination), nil
+	}
+}
+
+func (w *PacketConnWrapper) WritePacket(buffer *B.Buffer, destination M.Socksaddr) error {
+	vBuf := buf.New()
+	vBuf.Write(buffer.Bytes())
+	endpoint := ToDestination(destination, net.Network_UDP)
+	vBuf.UDP = &endpoint
+	return w.Writer.WriteMultiBuffer(buf.MultiBuffer{vBuf})
+}
+
+func (w *PacketConnWrapper) Close() error {
+	buf.ReleaseMulti(w.cached)
+	return nil
+}

common/singbridge/pipe.go

@@ -0,0 +1,61 @@
+package singbridge
+
+import (
+	"context"
+	"io"
+	"net"
+
+	"github.com/sagernet/sing/common/bufio"
+	"github.com/xtls/xray-core/common/buf"
+	"github.com/xtls/xray-core/transport"
+)
+
+func CopyConn(ctx context.Context, inboundConn net.Conn, link *transport.Link, serverConn net.Conn) error {
+	conn := &PipeConnWrapper{
+		W:    link.Writer,
+		Conn: inboundConn,
+	}
+	if ir, ok := link.Reader.(io.Reader); ok {
+		conn.R = ir
+	} else {
+		conn.R = &buf.BufferedReader{Reader: link.Reader}
+	}
+	return ReturnError(bufio.CopyConn(ctx, conn, serverConn))
+}
+
+type PipeConnWrapper struct {
+	R io.Reader
+	W buf.Writer
+	net.Conn
+}
+
+func (w *PipeConnWrapper) Close() error {
+	return nil
+}
+
+func (w *PipeConnWrapper) Read(b []byte) (n int, err error) {
+	return w.R.Read(b)
+}
+
+func (w *PipeConnWrapper) Write(p []byte) (n int, err error) {
+	n = len(p)
+	var mb buf.MultiBuffer
+	pLen := len(p)
+	for pLen > 0 {
+		buffer := buf.New()
+		if pLen > buf.Size {
+			_, err = buffer.Write(p[:buf.Size])
+			p = p[buf.Size:]
+		} else {
+			buffer.Write(p)
+		}
+		pLen -= int(buffer.Len())
+		mb = append(mb, buffer)
+	}
+	err = w.W.WriteMultiBuffer(mb)
+	if err != nil {
+		n = 0
+		buf.ReleaseMulti(mb)
+	}
+	return
+}

common/singbridge/reader.go

@@ -0,0 +1,66 @@
+package singbridge
+
+import (
+	"time"
+
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/bufio"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/xtls/xray-core/common/buf"
+	"github.com/xtls/xray-core/common/net"
+)
+
+var (
+	_ buf.Reader        = (*Conn)(nil)
+	_ buf.TimeoutReader = (*Conn)(nil)
+	_ buf.Writer        = (*Conn)(nil)
+)
+
+type Conn struct {
+	net.Conn
+	writer N.VectorisedWriter
+}
+
+func NewConn(conn net.Conn) *Conn {
+	writer, _ := bufio.CreateVectorisedWriter(conn)
+	return &Conn{
+		Conn:   conn,
+		writer: writer,
+	}
+}
+
+func (c *Conn) ReadMultiBuffer() (buf.MultiBuffer, error) {
+	buffer, err := buf.ReadBuffer(c.Conn)
+	if err != nil {
+		return nil, err
+	}
+	return buf.MultiBuffer{buffer}, nil
+}
+
+func (c *Conn) ReadMultiBufferTimeout(duration time.Duration) (buf.MultiBuffer, error) {
+	err := c.SetReadDeadline(time.Now().Add(duration))
+	if err != nil {
+		return nil, err
+	}
+	defer c.SetReadDeadline(time.Time{})
+	return c.ReadMultiBuffer()
+}
+
+func (c *Conn) WriteMultiBuffer(bufferList buf.MultiBuffer) error {
+	defer buf.ReleaseMulti(bufferList)
+	if c.writer != nil {
+		bytesList := make([][]byte, len(bufferList))
+		for i, buffer := range bufferList {
+			bytesList[i] = buffer.Bytes()
+		}
+		return common.Error(bufio.WriteVectorised(c.writer, bytesList))
+	}
+	// Since this conn is only used by tun, we don't force buffer writes to merge.
+	for _, buffer := range bufferList {
+		_, err := c.Conn.Write(buffer.Bytes())
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}

common/task/task.go

@@ -38,6 +38,12 @@ func Run(ctx context.Context, tasks ...func() error) error {
 		}(task)
 	}
 
+	/*
+		if altctx := ctx.Value("altctx"); altctx != nil {
+			ctx = altctx.(context.Context)
+		}
+	*/
+
 	for i := 0; i < n; i++ {
 		select {
 		case err := <-done:
@@ -48,5 +54,11 @@ func Run(ctx context.Context, tasks ...func() error) error {
 		}
 	}
 
+	/*
+		if cancel := ctx.Value("cancel"); cancel != nil {
+			cancel.(context.CancelFunc)()
+		}
+	*/
+
 	return nil
 }

common/xudp/xudp.go

@@ -1,30 +1,79 @@
 package xudp
 
 import (
+	"context"
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
 	"io"
+	"os"
+	"strings"
 
 	"github.com/xtls/xray-core/common/buf"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/protocol"
+	"github.com/xtls/xray-core/common/session"
+	"lukechampine.com/blake3"
 )
 
-var addrParser = protocol.NewAddressParser(
+var AddrParser = protocol.NewAddressParser(
 	protocol.AddressFamilyByte(byte(protocol.AddressTypeIPv4), net.AddressFamilyIPv4),
 	protocol.AddressFamilyByte(byte(protocol.AddressTypeDomain), net.AddressFamilyDomain),
 	protocol.AddressFamilyByte(byte(protocol.AddressTypeIPv6), net.AddressFamilyIPv6),
 	protocol.PortThenAddress(),
 )
 
-func NewPacketWriter(writer buf.Writer, dest net.Destination) *PacketWriter {
+var (
+	Show    bool
+	BaseKey []byte
+)
+
+const (
+	EnvShow    = "XRAY_XUDP_SHOW"
+	EnvBaseKey = "XRAY_XUDP_BASEKEY"
+)
+
+func init() {
+	if strings.ToLower(os.Getenv(EnvShow)) == "true" {
+		Show = true
+	}
+	if raw, found := os.LookupEnv(EnvBaseKey); found {
+		if BaseKey, _ = base64.RawURLEncoding.DecodeString(raw); len(BaseKey) == 32 {
+			return
+		}
+		panic(EnvBaseKey + ": invalid value: " + raw)
+	}
+	rand.Read(BaseKey)
+}
+
+func GetGlobalID(ctx context.Context) (globalID [8]byte) {
+	if cone := ctx.Value("cone"); cone == nil || !cone.(bool) { // cone is nil only in some unit tests
+		return
+	}
+	if inbound := session.InboundFromContext(ctx); inbound != nil && inbound.Source.Network == net.Network_UDP &&
+		(inbound.Name == "dokodemo-door" || inbound.Name == "socks" || inbound.Name == "shadowsocks") {
+		h := blake3.New(8, BaseKey)
+		h.Write([]byte(inbound.Source.String()))
+		copy(globalID[:], h.Sum(nil))
+		if Show {
+			fmt.Printf("XUDP inbound.Source.String(): %v\tglobalID: %v\n", inbound.Source.String(), globalID)
+		}
+	}
+	return
+}
+
+func NewPacketWriter(writer buf.Writer, dest net.Destination, globalID [8]byte) *PacketWriter {
 	return &PacketWriter{
-		Writer: writer,
-		Dest:   dest,
+		Writer:   writer,
+		Dest:     dest,
+		GlobalID: globalID,
 	}
 }
 
 type PacketWriter struct {
-	Writer buf.Writer
-	Dest   net.Destination
+	Writer   buf.Writer
+	Dest     net.Destination
+	GlobalID [8]byte
 }
 
 func (w *PacketWriter) WriteMultiBuffer(mb buf.MultiBuffer) error {
@@ -37,19 +86,22 @@ func (w *PacketWriter) WriteMultiBuffer(mb buf.MultiBuffer) error {
 		}
 
 		eb := buf.New()
-		eb.Write([]byte{0, 0, 0, 0})
+		eb.Write([]byte{0, 0, 0, 0}) // Meta data length; Mux Session ID
 		if w.Dest.Network == net.Network_UDP {
 			eb.WriteByte(1) // New
 			eb.WriteByte(1) // Opt
 			eb.WriteByte(2) // UDP
-			addrParser.WriteAddressPort(eb, w.Dest.Address, w.Dest.Port)
+			AddrParser.WriteAddressPort(eb, w.Dest.Address, w.Dest.Port)
+			if b.UDP != nil { // make sure it's user's proxy request
+				eb.Write(w.GlobalID[:]) // no need to check whether it's empty
+			}
 			w.Dest.Network = net.Network_Unknown
 		} else {
 			eb.WriteByte(2) // Keep
-			eb.WriteByte(1)
+			eb.WriteByte(1) // Opt
 			if b.UDP != nil {
-				eb.WriteByte(2)
-				addrParser.WriteAddressPort(eb, b.UDP.Address, b.UDP.Port)
+				eb.WriteByte(2) // UDP
+				AddrParser.WriteAddressPort(eb, b.UDP.Address, b.UDP.Port)
 			}
 		}
 		l := eb.Len() - 2
@@ -96,9 +148,10 @@ func (r *PacketReader) ReadMultiBuffer() (buf.MultiBuffer, error) {
 		discard := false
 		switch b.Byte(2) {
 		case 2:
-			if l != 4 {
+			if l > 4 && b.Byte(4) == 2 { // MUST check the flag first
 				b.Advance(5)
-				addr, port, err := addrParser.ReadAddressPort(nil, b)
+				// b.Clear() will be called automatically if all data had been read.
+				addr, port, err := AddrParser.ReadAddressPort(nil, b)
 				if err != nil {
 					b.Release()
 					return nil, err
@@ -115,6 +168,7 @@ func (r *PacketReader) ReadMultiBuffer() (buf.MultiBuffer, error) {
 			b.Release()
 			return nil, io.EOF
 		}
+		b.Clear() // in case there is padding (empty bytes) attached
 		if b.Byte(3) == 1 {
 			if _, err := io.ReadFull(r.Reader, r.cache); err != nil {
 				b.Release()
@@ -122,7 +176,6 @@ func (r *PacketReader) ReadMultiBuffer() (buf.MultiBuffer, error) {
 			}
 			length := int32(r.cache[0])<<8 | int32(r.cache[1])
 			if length > 0 {
-				b.Clear()
 				if _, err := b.ReadFullFrom(r.Reader, length); err != nil {
 					b.Release()
 					return nil, err

common/xudp/xudp_test.go

@@ -0,0 +1,36 @@
+package xudp
+
+import (
+	"testing"
+
+	"github.com/xtls/xray-core/common"
+	"github.com/xtls/xray-core/common/buf"
+	"github.com/xtls/xray-core/common/net"
+)
+
+func TestXudpReadWrite(t *testing.T) {
+	addr, _ := net.ParseDestination("tcp:127.0.0.1:1345")
+	mb := make(buf.MultiBuffer, 0, 16)
+	m := buf.MultiBufferContainer{
+		MultiBuffer: mb,
+	}
+	var arr [8]byte
+	writer := NewPacketWriter(&m, addr, arr)
+
+	source := make(buf.MultiBuffer, 0, 16)
+	b := buf.New()
+	b.WriteByte('a')
+	b.UDP = &addr
+	source = append(source, b)
+	writer.WriteMultiBuffer(source)
+
+	reader := NewPacketReader(&m)
+	dest, err := reader.ReadMultiBuffer()
+	common.Must(err)
+	if dest[0].Byte(0) != 'a' {
+		t.Error("failed to parse xudp buffer")
+	}
+	if dest[0].UDP.Port != 1345 {
+		t.Error("failed to parse xudp buffer")
+	}
+}

core/config.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
-// 	protoc        v3.21.12
+// 	protoc-gen-go v1.30.0
+// 	protoc        v4.23.1
 // source: core/config.proto
 
 package core
@@ -42,7 +42,7 @@ type Config struct {
 	// Deprecated. Each inbound and outbound should choose their own transport
 	// config. Date to remove: 2020-01-13
 	//
-	// Deprecated: Do not use.
+	// Deprecated: Marked as deprecated in core/config.proto.
 	Transport *global.Config `protobuf:"bytes,5,opt,name=transport,proto3" json:"transport,omitempty"`
 	// Configuration for extensions. The config may not work if corresponding
 	// extension is not loaded into Xray. Xray will ignore such config during
@@ -103,7 +103,7 @@ func (x *Config) GetApp() []*serial.TypedMessage {
 	return nil
 }
 
-// Deprecated: Do not use.
+// Deprecated: Marked as deprecated in core/config.proto.
 func (x *Config) GetTransport() *global.Config {
 	if x != nil {
 		return x.Transport

core/core.go

@@ -12,13 +12,19 @@ package core
 //go:generate go run github.com/xtls/xray-core/common/errors/errorgen
 
 import (
+	"fmt"
 	"runtime"
 
 	"github.com/xtls/xray-core/common/serial"
 )
 
 var (
-	version  = "1.7.5"
+	Version_x byte = 1
+	Version_y byte = 8
+	Version_z byte = 3
+)
+
+var (
 	build    = "Custom"
 	codename = "Xray, Penetrates Everything."
 	intro    = "A unified platform for anti-censorship."
@@ -27,7 +33,7 @@ var (
 // Version returns Xray's version as a string, in the form of "x.y.z" where x, y and z are numbers.
 // ".z" part may be omitted in regular releases.
 func Version() string {
-	return version
+	return fmt.Sprintf("%v.%v.%v", Version_x, Version_y, Version_z)
 }
 
 // VersionStatement returns a list of strings representing the full version info.

go.mod

@@ -5,56 +5,55 @@ go 1.20
 require (
 	github.com/ghodss/yaml v1.0.1-0.20220118164431-d8423dcdf344
 	github.com/golang/mock v1.6.0
-	github.com/golang/protobuf v1.5.2
+	github.com/golang/protobuf v1.5.3
 	github.com/google/go-cmp v0.5.9
 	github.com/gorilla/websocket v1.5.0
-	github.com/miekg/dns v1.1.50
+	github.com/miekg/dns v1.1.54
 	github.com/pelletier/go-toml v1.9.5
-	github.com/pires/go-proxyproto v0.6.2
-	github.com/quic-go/quic-go v0.32.0
-	github.com/refraction-networking/utls v1.2.2-0.20230207151345-a75a4b484849
-	github.com/sagernet/sing v0.1.6
-	github.com/sagernet/sing-shadowsocks v0.1.1-0.20230202035033-e3123545f2f7
+	github.com/pires/go-proxyproto v0.7.0
+	github.com/quic-go/quic-go v0.35.1
+	github.com/refraction-networking/utls v1.3.2
+	github.com/sagernet/sing v0.2.5
+	github.com/sagernet/sing-shadowsocks v0.2.2
 	github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c
 	github.com/seiflotfy/cuckoofilter v0.0.0-20220411075957-e3b120b3f5fb
-	github.com/stretchr/testify v1.8.1
+	github.com/stretchr/testify v1.8.4
 	github.com/v2fly/ss-bloomring v0.0.0-20210312155135-28617310f63e
-	github.com/xtls/go v0.0.0-20230107031059-4610f88d00f3
-	go.starlark.net v0.0.0-20230128213706-3f75dec8e403
-	golang.org/x/crypto v0.5.0
-	golang.org/x/net v0.5.0
-	golang.org/x/sync v0.1.0
-	golang.org/x/sys v0.5.0
-	google.golang.org/grpc v1.53.0
-	google.golang.org/protobuf v1.28.1
+	github.com/xtls/reality v0.0.0-20230613075828-e07c3b04b983
+	golang.org/x/crypto v0.10.0
+	golang.org/x/net v0.11.0
+	golang.org/x/sync v0.3.0
+	golang.org/x/sys v0.9.0
+	google.golang.org/grpc v1.56.0
+	google.golang.org/protobuf v1.30.0
 	gvisor.dev/gvisor v0.0.0-20220901235040-6ca97ef2ce1c
 	h12.io/socks v1.0.3
+	lukechampine.com/blake3 v1.2.1
 )
 
 require (
-	github.com/andybalholm/brotli v1.0.4 // indirect
+	github.com/andybalholm/brotli v1.0.5 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-metro v0.0.0-20211217172704-adc40b04c140 // indirect
 	github.com/francoispqt/gojay v1.2.13 // indirect
-	github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
+	github.com/gaukas/godicttls v0.0.3 // indirect
+	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/google/btree v1.1.2 // indirect
-	github.com/google/pprof v0.0.0-20230207041349-798e818bf904 // indirect
-	github.com/klauspost/compress v1.15.15 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.3 // indirect
-	github.com/onsi/ginkgo/v2 v2.8.0 // indirect
+	github.com/google/pprof v0.0.0-20230602150820-91b7bce49751 // indirect
+	github.com/klauspost/compress v1.16.6 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
+	github.com/onsi/ginkgo/v2 v2.11.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/quic-go/qtls-go1-18 v0.2.0 // indirect
-	github.com/quic-go/qtls-go1-19 v0.2.0 // indirect
-	github.com/quic-go/qtls-go1-20 v0.1.0 // indirect
+	github.com/quic-go/qtls-go1-19 v0.3.2 // indirect
+	github.com/quic-go/qtls-go1-20 v0.2.2 // indirect
 	github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3 // indirect
-	go.uber.org/atomic v1.10.0 // indirect
-	golang.org/x/exp v0.0.0-20230206171751-46f607a40771 // indirect
-	golang.org/x/mod v0.7.0 // indirect
-	golang.org/x/text v0.6.0 // indirect
+	go.uber.org/atomic v1.11.0 // indirect
+	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 // indirect
+	golang.org/x/mod v0.11.0 // indirect
+	golang.org/x/text v0.10.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.5.0 // indirect
-	google.golang.org/genproto v0.0.0-20230202175211-008b39050e57 // indirect
+	golang.org/x/tools v0.10.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	lukechampine.com/blake3 v1.1.7 // indirect
 )

go.sum

@@ -8,16 +8,12 @@ dmitri.shuralyov.com/service/change v0.0.0-20181023043359-a85b471d5412/go.mod h1
 dmitri.shuralyov.com/state v0.0.0-20180228185332-28bcc343414c/go.mod h1:0PRwlb0D6DFvNNtx+9ybjezNCa8XF0xaYcETyp6rHWU=
 git.apache.org/thrift.git v0.0.0-20180902110319-2566ecd5d999/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY=
-github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
+github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/cCs=
+github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g=
 github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
-github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
-github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
-github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/coreos/go-systemd v0.0.0-20181012123002-c6f51f82210d/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -27,20 +23,20 @@ github.com/dgryski/go-metro v0.0.0-20200812162917-85c65e2d0165/go.mod h1:c9O8+fp
 github.com/dgryski/go-metro v0.0.0-20211217172704-adc40b04c140 h1:y7y0Oa6UawqTFPCDw9JG6pdKt4F9pAhHv0B7FMGaGD0=
 github.com/dgryski/go-metro v0.0.0-20211217172704-adc40b04c140/go.mod h1:c9O8+fpSOX1DM8cPNSkX/qsBWdkD4yd2dpciOWQjpBw=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
-github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/francoispqt/gojay v1.2.13 h1:d2m3sFjloqoIUQU3TsHBgj6qg/BVGlTBeHDUmyJnXKk=
 github.com/francoispqt/gojay v1.2.13/go.mod h1:ehT5mTG4ua4581f1++1WLG0vPdaA9HaiDsoyrBGkyDY=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/gaukas/godicttls v0.0.3 h1:YNDIf0d9adcxOijiLrEzpfZGAkNwLRzPaG6OjU7EITk=
+github.com/gaukas/godicttls v0.0.3/go.mod h1:l6EenT4TLWgTdwslVb4sEMOCf7Bv0JAK67deKr9/NCI=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/ghodss/yaml v1.0.1-0.20220118164431-d8423dcdf344 h1:Arcl6UOIS/kgO2nW3A65HN+7CMjSDP/gofXL4CZt1V4=
 github.com/ghodss/yaml v1.0.1-0.20220118164431-d8423dcdf344/go.mod h1:GIjDIg/heH5DOkXY3YJ/wNhfHsQHoXGjl8G8amsYQ1I=
 github.com/gliderlabs/ssh v0.1.1/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
 github.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=
-github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
-github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
-github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
+github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:tluoj9z5200jBnyusfRPU2LqT6J+DAorxEvtC7LHB+E=
@@ -50,25 +46,13 @@ github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
-github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
-github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
-github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
-github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
-github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
-github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
+github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
-github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -76,8 +60,8 @@ github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+u
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
-github.com/google/pprof v0.0.0-20230207041349-798e818bf904 h1:4/hN5RUoecvl+RmJRE2YxKWtnnQls6rQjjW5oV7qg2U=
-github.com/google/pprof v0.0.0-20230207041349-798e818bf904/go.mod h1:uglQLonpP8qtYCYyzA+8c/9qtqgA3qsXGYqCPKARAFg=
+github.com/google/pprof v0.0.0-20230602150820-91b7bce49751 h1:hR7/MlvK23p6+lIw9SN1TigNLn9ZnF3W4SYRKq2gAHs=
+github.com/google/pprof v0.0.0-20230602150820-91b7bce49751/go.mod h1:Jh3hGz2jkYak8qXPD19ryItVnUgpgeqzdkY/D0EaeuA=
 github.com/googleapis/gax-go v2.0.0+incompatible/go.mod h1:SFVmujtThgffbyetf+mdk2eWhX2bMyUtNHzFKcPA9HY=
 github.com/googleapis/gax-go/v2 v2.0.3/go.mod h1:LLvjysVCY1JZeum8Z6l8qUty8fiNwE08qbEPm1M08qg=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
@@ -91,11 +75,10 @@ github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1/go.mod h1:E0
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.15.15 h1:EF27CXIuDsYJ6mmvtBRlEuB2UVOqHG1tAXgZ7yIO+lw=
-github.com/klauspost/compress v1.15.15/go.mod h1:ZcK2JAFqKOpnBlxcLsJzYfrS9X1akm9fHZNnD9+Vo/4=
-github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
-github.com/klauspost/cpuid/v2 v2.2.3 h1:sxCkb+qR91z4vsqw4vGGZlDgPz3G7gjaLyK3V8y70BU=
-github.com/klauspost/cpuid/v2 v2.2.3/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY=
+github.com/klauspost/compress v1.16.6 h1:91SKEy4K37vkp255cJ8QesJhjyRO0hn9i9G0GoUwLsk=
+github.com/klauspost/compress v1.16.6/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/klauspost/cpuid/v2 v2.2.5 h1:0E5MSMDEoAulmXNFquVs//DdoomxaoTY1kUhbc/qbZg=
+github.com/klauspost/cpuid/v2 v2.2.5/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
@@ -106,47 +89,44 @@ github.com/lunixbochs/vtclean v1.0.0/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm
 github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/microcosm-cc/bluemonday v1.0.1/go.mod h1:hsXNsILzKxV+sX77C5b8FSuKF00vh2OMYv+xgHpAMF4=
-github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
-github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
+github.com/miekg/dns v1.1.54 h1:5jon9mWcb0sFJGpnI99tOMhCPyJ+RPVz5b63MQG0VWI=
+github.com/miekg/dns v1.1.54/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/neelance/astrewrite v0.0.0-20160511093645-99348263ae86/go.mod h1:kHJEU3ofeGjhHklVoIGuVj85JJwZ6kWPaJwCIxgnFmo=
 github.com/neelance/sourcemap v0.0.0-20151028013722-8c68805598ab/go.mod h1:Qr6/a/Q4r9LP1IltGz7tA7iOK1WonHEYhu1HRBA7ZiM=
-github.com/onsi/ginkgo/v2 v2.8.0 h1:pAM+oBNPrpXRs+E/8spkeGx9QgekbRVyr74EUvRVOUI=
-github.com/onsi/ginkgo/v2 v2.8.0/go.mod h1:6JsQiECmxCa3V5st74AL/AmsV482EDdVrGaVW6z3oYU=
-github.com/onsi/gomega v1.25.0 h1:Vw7br2PCDYijJHSfBOWhov+8cAnUf8MfMaIOV323l6Y=
+github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU=
+github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM=
+github.com/onsi/gomega v1.27.8 h1:gegWiwZjBsf2DgiSbf5hpokZ98JVDMcWkUiigk6/KXc=
 github.com/openzipkin/zipkin-go v0.1.1/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTmOf0Erfk+hxe8=
 github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2 h1:JhzVVoYvbOACxoUmOs6V/G4D5nPVUW73rKvXxP4XUJc=
 github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE=
-github.com/pires/go-proxyproto v0.6.2 h1:KAZ7UteSOt6urjme6ZldyFm4wDe/z0ZUP0Yv0Dos0d8=
-github.com/pires/go-proxyproto v0.6.2/go.mod h1:Odh9VFOZJCf9G8cLW5o435Xf1J95Jw9Gw5rnCjcwzAY=
+github.com/pires/go-proxyproto v0.7.0 h1:IukmRewDQFWC7kfnb66CSomk2q/seBuilHBYFwyq0Hs=
+github.com/pires/go-proxyproto v0.7.0/go.mod h1:Vz/1JPY/OACxWGQNIRY2BeyDmpoaWmEP40O9LbuiFR4=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_golang v0.8.0/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
-github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/procfs v0.0.0-20180725123919-05ee40e3a273/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
-github.com/quic-go/qtls-go1-18 v0.2.0 h1:5ViXqBZ90wpUcZS0ge79rf029yx0dYB0McyPJwqqj7U=
-github.com/quic-go/qtls-go1-18 v0.2.0/go.mod h1:moGulGHK7o6O8lSPSZNoOwcLvJKJ85vVNc7oJFD65bc=
-github.com/quic-go/qtls-go1-19 v0.2.0 h1:Cvn2WdhyViFUHoOqK52i51k4nDX8EwIh5VJiVM4nttk=
-github.com/quic-go/qtls-go1-19 v0.2.0/go.mod h1:ySOI96ew8lnoKPtSqx2BlI5wCpUVPT05RMAlajtnyOI=
-github.com/quic-go/qtls-go1-20 v0.1.0 h1:d1PK3ErFy9t7zxKsG3NXBJXZjp/kMLoIb3y/kV54oAI=
-github.com/quic-go/qtls-go1-20 v0.1.0/go.mod h1:JKtK6mjbAVcUTN/9jZpvLbGxvdWIKS8uT7EiStoU1SM=
-github.com/quic-go/quic-go v0.32.0 h1:lY02md31s1JgPiiyfqJijpu/UX/Iun304FI3yUqX7tA=
-github.com/quic-go/quic-go v0.32.0/go.mod h1:/fCsKANhQIeD5l76c2JFU+07gVE3KaA0FP+0zMWwfwo=
-github.com/refraction-networking/utls v1.2.2-0.20230207151345-a75a4b484849 h1:vNEcNapWFwnYJTBcVkHJa8VrdL40PNDLDbSGVY+ZV7I=
-github.com/refraction-networking/utls v1.2.2-0.20230207151345-a75a4b484849/go.mod h1:L1goe44KvhnTfctUffM2isnJpSjPlYShrhXDeZaoYKw=
+github.com/quic-go/qtls-go1-19 v0.3.2 h1:tFxjCFcTQzK+oMxG6Zcvp4Dq8dx4yD3dDiIiyc86Z5U=
+github.com/quic-go/qtls-go1-19 v0.3.2/go.mod h1:ySOI96ew8lnoKPtSqx2BlI5wCpUVPT05RMAlajtnyOI=
+github.com/quic-go/qtls-go1-20 v0.2.2 h1:WLOPx6OY/hxtTxKV1Zrq20FtXtDEkeY00CGQm8GEa3E=
+github.com/quic-go/qtls-go1-20 v0.2.2/go.mod h1:JKtK6mjbAVcUTN/9jZpvLbGxvdWIKS8uT7EiStoU1SM=
+github.com/quic-go/quic-go v0.35.1 h1:b0kzj6b/cQAf05cT0CkQubHM31wiA+xH3IBkxP62poo=
+github.com/quic-go/quic-go v0.35.1/go.mod h1:+4CVgVppm0FNjpG3UcX8Joi/frKOH7/ciD5yGcwOO1g=
+github.com/refraction-networking/utls v1.3.2 h1:o+AkWB57mkcoW36ET7uJ002CpBWHu0KPxi6vzxvPnv8=
+github.com/refraction-networking/utls v1.3.2/go.mod h1:fmoaOww2bxzzEpIKOebIsnBvjQpqP7L2vcm/9KUfm/E=
 github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3 h1:f/FNXud6gA3MNr8meMVVGxhp+QBTqY91tM8HjEuMjGg=
 github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3/go.mod h1:HgjTstvQsPGkxUsCd2KWxErBblirPizecHcpD3ffK+s=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
-github.com/sagernet/sing v0.1.6 h1:Qy63OUfKpcqKjfd5rPmUlj0RGjHZSK/PJn0duyCCsRg=
-github.com/sagernet/sing v0.1.6/go.mod h1:JLSXsPTGRJFo/3X7EcAOCUgJH2/gAoxSJgBsnCZRp/w=
-github.com/sagernet/sing-shadowsocks v0.1.1-0.20230202035033-e3123545f2f7 h1:Plup6oEiyLzY3HDqQ+QsUBzgBGdVmcsgf3t8h940z9U=
-github.com/sagernet/sing-shadowsocks v0.1.1-0.20230202035033-e3123545f2f7/go.mod h1:O5LtOs8Ivw686FqLpO0Zu+A0ROVE15VeqEK3yDRRAms=
+github.com/sagernet/sing v0.2.5 h1:N8sUluR8GZvR9DqUiH3FA3vBb4m/EDdOVTYUrDzJvmY=
+github.com/sagernet/sing v0.2.5/go.mod h1:Ta8nHnDLAwqySzKhGoKk4ZIB+vJ3GTKj7UPrWYvM+4w=
+github.com/sagernet/sing-shadowsocks v0.2.2 h1:ezSdVhrmIcwDXmCZF3bOJVMuVtTQWpda+1Op+Ie2TA4=
+github.com/sagernet/sing-shadowsocks v0.2.2/go.mod h1:JIBWG6a7orB2HxBxYElViQFLUQxFVG7DuqIj8gD7uCQ=
 github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c h1:vK2wyt9aWYHHvNLWniwijBu/n4pySypiKRhN32u/JGo=
 github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c/go.mod h1:euOmN6O5kk9dQmgSS8Df4psAl3TCjxOz0NW60EWkSaI=
 github.com/seiflotfy/cuckoofilter v0.0.0-20220411075957-e3b120b3f5fb h1:XfLJSPIOUX+osiMraVgIrMR27uMXnRJWGm1+GL8/63U=
@@ -177,46 +157,38 @@ github.com/shurcooL/webdavfs v0.0.0-20170829043945-18c3829fa133/go.mod h1:hKmq5k
 github.com/sourcegraph/annotate v0.0.0-20160123013949-f4cad6c6324d/go.mod h1:UdhH50NIW0fCiwBSr0co2m7BnFLdv4fQTgdqdJTHFeE=
 github.com/sourcegraph/syntaxhighlight v0.0.0-20170531221838-bd320f5d308e/go.mod h1:HuIsMU8RRBOtsCgI77wP899iHVBQpCmg4ErYMZB+2IA=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/tarm/serial v0.0.0-20180830185346-98f6abe2eb07/go.mod h1:kDXzergiv9cbyO7IOYJZWg1U88JhDg3PB6klq9Hg2pA=
 github.com/v2fly/ss-bloomring v0.0.0-20210312155135-28617310f63e h1:5QefA066A1tF8gHIiADmOVOV5LS43gt3ONnlEl3xkwI=
 github.com/v2fly/ss-bloomring v0.0.0-20210312155135-28617310f63e/go.mod h1:5t19P9LBIrNamL6AcMQOncg/r10y3Pc01AbHeMhwlpU=
 github.com/viant/assertly v0.4.8/go.mod h1:aGifi++jvCrUaklKEKT0BU95igDNaqkvz+49uaYMPRU=
 github.com/viant/toolbox v0.24.0/go.mod h1:OxMCG57V0PXuIP2HNQrtJf2CjqdmbrOx5EkMILuUhzM=
-github.com/xtls/go v0.0.0-20230107031059-4610f88d00f3 h1:a3Y4WVjCxwoyO4E2xdNvq577tW8lkSBgyrA8E9+2NtM=
-github.com/xtls/go v0.0.0-20230107031059-4610f88d00f3/go.mod h1:YJTRELIWrGxR1s8xcEBgxcxBfwQfMGjdvNLTjN9XFgY=
+github.com/xtls/reality v0.0.0-20230613075828-e07c3b04b983 h1:AMyzgjkh54WocjQSlCnT1LhDc/BKiUqtNOv40AkpURs=
+github.com/xtls/reality v0.0.0-20230613075828-e07c3b04b983/go.mod h1:rkuAY1S9F8eI8gDiPDYvACE8e2uwkyg8qoOTuwWov7Y=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 go.opencensus.io v0.18.0/go.mod h1:vKdFvxhtzZ9onBp9VKHK8z/sRpBMnKAsufL7wlDrCOA=
-go.starlark.net v0.0.0-20230128213706-3f75dec8e403 h1:jPeC7Exc+m8OBJUlWbBLh0O5UZPM7yU5W4adnhhbG4U=
-go.starlark.net v0.0.0-20230128213706-3f75dec8e403/go.mod h1:jxU+3+j+71eXOW14274+SmmuW82qJzl6iZSeqEtTGds=
-go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ=
-go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
+go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
+go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go4.org v0.0.0-20180809161055-417644f6feb5/go.mod h1:MkTOUMDaeVYJUOUsaDXIhWPZYa1yOyC1qaOBpL57BhE=
 golang.org/x/build v0.0.0-20190111050920-041ab4dc3f9d/go.mod h1:OWs+y06UdEOHN4y+MfF/py+xQ/tYqIWW03b70/CG9Rw=
 golang.org/x/crypto v0.0.0-20181030102418-4d3f4d9ffa16/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190313024323-a1f597ede03a/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.5.0 h1:U/0M97KRkSFvyD/3FSmdP5W5swImpNgle/EHFhOsQPE=
-golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU=
+golang.org/x/crypto v0.10.0 h1:LKqV2xt9+kDzSTfOhx4FrkEBcMrAgHSYgzywV9zcGmM=
+golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20230206171751-46f607a40771 h1:xP7rWLUr1e1n2xkK5YB4LI0hPEy3LJC6Wk+D4pGlOJg=
-golang.org/x/exp v0.0.0-20230206171751-46f607a40771/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
+golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 h1:k/i9J1pBpvlfR+9QsetwPyERsqu1GIbi967PQMq3Ivc=
+golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
 golang.org/x/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
-golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.7.0 h1:LapD9S96VoQRhi/GrNTqeBJFrUjs5UHCAtTlgwA5oZA=
-golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.11.0 h1:bUO06HqtnRcc/7l71XBe4WcqTZ+3AH1J59zWDDwLKgU=
+golang.org/x/mod v0.11.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -224,14 +196,12 @@ golang.org/x/net v0.0.0-20181029044818-c44066c5c816/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20181106065722-10aee1819953/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190313220215-9f648a60d977/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.5.0 h1:GyT4nK/YDHSqa1c4753ouYCDajOYKTja9Xb/OHtgvSw=
-golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
+golang.org/x/net v0.11.0 h1:Gi2tvZIJyBtO9SDr1q9h5hEQCp/4L2RQ+ar0qjx2oNU=
+golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -243,8 +213,8 @@ golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181029174526-d69651ed3497/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -253,22 +223,16 @@ golang.org/x/sys v0.0.0-20190316082340-a2f829d7f35f/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s=
+golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.6.0 h1:3XmdazWV+ubf7QgHSTWeykHOci5oeekaGJBLkrkaw4k=
-golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.10.0 h1:UpjohKhiEgNc0CSauXmwYftY1+LlaC75SJwh0SgCX58=
+golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
@@ -278,13 +242,10 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm
 golang.org/x/tools v0.0.0-20181030000716-a0a13e073c7b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
-golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.6-0.20210726203631-07bc1bf47fb2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.5.0 h1:+bSpV5HIeWkuvgaMfI3UmKRThoTA5ODJTUd8T17NO+4=
-golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k=
+golang.org/x/tools v0.10.0 h1:tvDr/iQoUqNdohiYm0LmmKcBk+q86lb9EprIUFhHHGg=
+golang.org/x/tools v0.10.0/go.mod h1:UJwyiVBsOA2uwvK/e5OY3GTpDUJriEd+/YlqAwLPmyM=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -301,30 +262,18 @@ google.golang.org/genproto v0.0.0-20180831171423-11092d34479b/go.mod h1:JiN7NxoA
 google.golang.org/genproto v0.0.0-20181029155118-b69ba1387ce2/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20181202183823-bd91e49a0898/go.mod h1:7Ep/1NZk928CDR8SjdVbjWNpdIf6nzjE3BTgJDr2Atg=
 google.golang.org/genproto v0.0.0-20190306203927-b5d61aea6440/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20230202175211-008b39050e57 h1:vArvWooPH749rNHpBGgVl+U9B9dATjiEhJzcWGlovNs=
-google.golang.org/genproto v0.0.0-20230202175211-008b39050e57/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc h1:XSJ8Vk1SWuNr8S18z1NZSziL0CPIXLCCMDOEFtHBOFc=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
 google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.16.0/go.mod h1:0JHn/cJsOMiMfNA9+DeHDlAU7KAAB5GDlYFpa9MZMio=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.53.0 h1:LAv2ds7cmFV/XTS3XG1NneeENYrXGmorPxsBbptIjNc=
-google.golang.org/grpc v1.53.0/go.mod h1:OnIrk0ipVdj4N5d9IUoFUx72/VlD7+jUsHwZgwSMQpw=
-google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
-google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
-google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
-google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
-google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
-google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
+google.golang.org/grpc v1.56.0 h1:+y7Bs8rtMd07LeXmL3NxcTLn7mUkbKZqEpPhMNkwJEE=
+google.golang.org/grpc v1.56.0/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
-google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
+google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
@@ -344,8 +293,7 @@ h12.io/socks v1.0.3/go.mod h1:AIhxy1jOId/XCz9BO+EIgNL2rQiPTBNnOfnVnQ+3Eck=
 honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-lukechampine.com/blake3 v1.1.7 h1:GgRMhmdsuK8+ii6UZFDL8Nb+VyMwadAgcJyfYHxG6n0=
-lukechampine.com/blake3 v1.1.7/go.mod h1:tkKEOtDkNtklkXtLNEOGNq5tcV90tJiA1vAA12R78LA=
+lukechampine.com/blake3 v1.2.1 h1:YuqqRuaqsGV71BV/nm9xlI0MKUv4QC54jQnBChWbGnI=
+lukechampine.com/blake3 v1.2.1/go.mod h1:0OFRp7fBtAylGVCO40o87sbupkyIGgbpv1+M1k1LM6k=
 sourcegraph.com/sourcegraph/go-diff v0.5.0/go.mod h1:kuch7UrkMzY0X+p9CRK03kfuPQ2zzQcaEFbx8wA8rck=
 sourcegraph.com/sqs/pbtypes v0.0.0-20180604144634-d3ebe8f20ae4/go.mod h1:ketZ/q3QxT9HOBeFhu6RdvsftgpsbFHBF5Cas6cDKZ0=

infra/conf/common.go

@@ -45,6 +45,9 @@ func (v *Address) UnmarshalJSON(data []byte) error {
 	if err := json.Unmarshal(data, &rawStr); err != nil {
 		return newError("invalid address: ", string(data)).Base(err)
 	}
+	if strings.HasPrefix(rawStr, "env:") {
+		rawStr = os.Getenv(rawStr[4:])
+	}
 	v.Address = net.ParseAddress(rawStr)
 
 	return nil
@@ -115,8 +118,7 @@ func parseIntPort(data []byte) (net.Port, error) {
 
 func parseStringPort(s string) (net.Port, net.Port, error) {
 	if strings.HasPrefix(s, "env:") {
-		s = s[4:]
-		s = os.Getenv(s)
+		s = os.Getenv(s[4:])
 	}
 
 	pair := strings.SplitN(s, "-", 2)

infra/conf/dns_proxy.go

@@ -7,10 +7,11 @@ import (
 )
 
 type DNSOutboundConfig struct {
-	Network   Network  `json:"network"`
-	Address   *Address `json:"address"`
-	Port      uint16   `json:"port"`
-	UserLevel uint32   `json:"userLevel"`
+	Network    Network  `json:"network"`
+	Address    *Address `json:"address"`
+	Port       uint16   `json:"port"`
+	UserLevel  uint32   `json:"userLevel"`
+	NonIPQuery string   `json:"nonIPQuery"`
 }
 
 func (c *DNSOutboundConfig) Build() (proto.Message, error) {
@@ -24,5 +25,13 @@ func (c *DNSOutboundConfig) Build() (proto.Message, error) {
 	if c.Address != nil {
 		config.Server.Address = c.Address.Build()
 	}
+	switch c.NonIPQuery {
+	case "":
+		c.NonIPQuery = "drop"
+	case "drop", "skip":
+	default:
+		return nil, newError(`unknown "nonIPQuery": `, c.NonIPQuery)
+	}
+	config.Non_IPQuery = c.NonIPQuery
 	return config, nil
 }

infra/conf/freedom.go

@@ -2,6 +2,7 @@ package conf
 
 import (
 	"net"
+	"strconv"
 	"strings"
 
 	"github.com/golang/protobuf/proto"
@@ -11,10 +12,17 @@ import (
 )
 
 type FreedomConfig struct {
-	DomainStrategy string  `json:"domainStrategy"`
-	Timeout        *uint32 `json:"timeout"`
-	Redirect       string  `json:"redirect"`
-	UserLevel      uint32  `json:"userLevel"`
+	DomainStrategy string    `json:"domainStrategy"`
+	Timeout        *uint32   `json:"timeout"`
+	Redirect       string    `json:"redirect"`
+	UserLevel      uint32    `json:"userLevel"`
+	Fragment       *Fragment `json:"fragment"`
+}
+
+type Fragment struct {
+	Packets  string `json:"packets"`
+	Length   string `json:"length"`
+	Interval string `json:"interval"`
 }
 
 // Build implements Buildable
@@ -30,6 +38,95 @@ func (c *FreedomConfig) Build() (proto.Message, error) {
 		config.DomainStrategy = freedom.Config_USE_IP6
 	}
 
+	if c.Fragment != nil {
+		if len(c.Fragment.Interval) == 0 || len(c.Fragment.Length) == 0 {
+			return nil, newError("Invalid interval or length")
+		}
+		intervalMinMax := strings.Split(c.Fragment.Interval, "-")
+		var minInterval, maxInterval int64
+		var err, err2 error
+		if len(intervalMinMax) == 2 {
+			minInterval, err = strconv.ParseInt(intervalMinMax[0], 10, 64)
+			maxInterval, err2 = strconv.ParseInt(intervalMinMax[1], 10, 64)
+		} else {
+			minInterval, err = strconv.ParseInt(intervalMinMax[0], 10, 64)
+			maxInterval = minInterval
+		}
+		if err != nil {
+			return nil, newError("Invalid minimum interval: ", err).Base(err)
+		}
+		if err2 != nil {
+			return nil, newError("Invalid maximum interval: ", err2).Base(err2)
+		}
+
+		lengthMinMax := strings.Split(c.Fragment.Length, "-")
+		var minLength, maxLength int64
+		if len(lengthMinMax) == 2 {
+			minLength, err = strconv.ParseInt(lengthMinMax[0], 10, 64)
+			maxLength, err2 = strconv.ParseInt(lengthMinMax[1], 10, 64)
+
+		} else {
+			minLength, err = strconv.ParseInt(lengthMinMax[0], 10, 64)
+			maxLength = minLength
+		}
+		if err != nil {
+			return nil, newError("Invalid minimum length: ", err).Base(err)
+		}
+		if err2 != nil {
+			return nil, newError("Invalid maximum length: ", err2).Base(err2)
+		}
+
+		if minInterval > maxInterval {
+			minInterval, maxInterval = maxInterval, minInterval
+		}
+		if minLength > maxLength {
+			minLength, maxLength = maxLength, minLength
+		}
+
+		config.Fragment = &freedom.Fragment{
+			MinInterval: int32(minInterval),
+			MaxInterval: int32(maxInterval),
+			MinLength:   int32(minLength),
+			MaxLength:   int32(maxLength),
+		}
+
+		switch strings.ToLower(c.Fragment.Packets) {
+		case "tlshello":
+			// TLS Hello Fragmentation (into multiple handshake messages)
+			config.Fragment.StartPacket = 0
+			config.Fragment.EndPacket = 1
+		case "":
+			// TCP Segmentation (all packets)
+			config.Fragment.StartPacket = 0
+			config.Fragment.EndPacket = 0
+		default:
+			// TCP Segmentation (range)
+			packetRange := strings.Split(c.Fragment.Packets, "-")
+			var startPacket, endPacket int64
+			if len(packetRange) == 2 {
+				startPacket, err = strconv.ParseInt(packetRange[0], 10, 64)
+				endPacket, err2 = strconv.ParseInt(packetRange[1], 10, 64)
+			} else {
+				startPacket, err = strconv.ParseInt(packetRange[0], 10, 64)
+				endPacket = startPacket
+			}
+			if err != nil {
+				return nil, newError("Invalid start packet: ", err).Base(err)
+			}
+			if err2 != nil {
+				return nil, newError("Invalid end packet: ", err2).Base(err2)
+			}
+			if startPacket > endPacket {
+				return nil, newError("Invalid packet range: ", c.Fragment.Packets)
+			}
+			if startPacket < 1 {
+				return nil, newError("Cannot start from packet 0")
+			}
+			config.Fragment.StartPacket = int32(startPacket)
+			config.Fragment.EndPacket = int32(endPacket)
+		}
+	}
+
 	if c.Timeout != nil {
 		config.Timeout = *c.Timeout
 	}

infra/conf/grpc.go

@@ -12,6 +12,7 @@ type GRPCConfig struct {
 	HealthCheckTimeout  int32  `json:"health_check_timeout"`
 	PermitWithoutStream bool   `json:"permit_without_stream"`
 	InitialWindowsSize  int32  `json:"initial_windows_size"`
+	UserAgent           string `json:"user_agent"`
 }
 
 func (g *GRPCConfig) Build() (proto.Message, error) {
@@ -33,5 +34,6 @@ func (g *GRPCConfig) Build() (proto.Message, error) {
 		HealthCheckTimeout:  g.HealthCheckTimeout,
 		PermitWithoutStream: g.PermitWithoutStream,
 		InitialWindowsSize:  g.InitialWindowsSize,
+		UserAgent:           g.UserAgent,
 	}, nil
 }

infra/conf/mtproto.go

@@ -1,67 +0,0 @@
-package conf
-
-import (
-	"encoding/hex"
-	"encoding/json"
-
-	"github.com/golang/protobuf/proto"
-	"github.com/xtls/xray-core/common/protocol"
-	"github.com/xtls/xray-core/common/serial"
-	"github.com/xtls/xray-core/proxy/mtproto"
-)
-
-type MTProtoAccount struct {
-	Secret string `json:"secret"`
-}
-
-// Build implements Buildable
-func (a *MTProtoAccount) Build() (*mtproto.Account, error) {
-	if len(a.Secret) != 32 {
-		return nil, newError("MTProto secret must have 32 chars")
-	}
-	secret, err := hex.DecodeString(a.Secret)
-	if err != nil {
-		return nil, newError("failed to decode secret: ", a.Secret).Base(err)
-	}
-	return &mtproto.Account{
-		Secret: secret,
-	}, nil
-}
-
-type MTProtoServerConfig struct {
-	Users []json.RawMessage `json:"users"`
-}
-
-func (c *MTProtoServerConfig) Build() (proto.Message, error) {
-	config := &mtproto.ServerConfig{}
-
-	if len(c.Users) == 0 {
-		return nil, newError("zero MTProto users configured.")
-	}
-	config.User = make([]*protocol.User, len(c.Users))
-	for idx, rawData := range c.Users {
-		user := new(protocol.User)
-		if err := json.Unmarshal(rawData, user); err != nil {
-			return nil, newError("invalid MTProto user").Base(err)
-		}
-		account := new(MTProtoAccount)
-		if err := json.Unmarshal(rawData, account); err != nil {
-			return nil, newError("invalid MTProto user").Base(err)
-		}
-		accountProto, err := account.Build()
-		if err != nil {
-			return nil, newError("failed to parse MTProto user").Base(err)
-		}
-		user.Account = serial.ToTypedMessage(accountProto)
-		config.User[idx] = user
-	}
-
-	return config, nil
-}
-
-type MTProtoClientConfig struct{}
-
-func (c *MTProtoClientConfig) Build() (proto.Message, error) {
-	config := new(mtproto.ClientConfig)
-	return config, nil
-}

infra/conf/mtproto_test.go

@@ -1,40 +0,0 @@
-package conf_test
-
-import (
-	"testing"
-
-	"github.com/xtls/xray-core/common/protocol"
-	"github.com/xtls/xray-core/common/serial"
-	. "github.com/xtls/xray-core/infra/conf"
-	"github.com/xtls/xray-core/proxy/mtproto"
-)
-
-func TestMTProtoServerConfig(t *testing.T) {
-	creator := func() Buildable {
-		return new(MTProtoServerConfig)
-	}
-
-	runMultiTestCase(t, []TestCase{
-		{
-			Input: `{
-				"users": [{
-					"email": "love@example.com",
-					"level": 1,
-					"secret": "b0cbcef5a486d9636472ac27f8e11a9d"
-				}]
-			}`,
-			Parser: loadJSON(creator),
-			Output: &mtproto.ServerConfig{
-				User: []*protocol.User{
-					{
-						Email: "love@example.com",
-						Level: 1,
-						Account: serial.ToTypedMessage(&mtproto.Account{
-							Secret: []byte{176, 203, 206, 245, 164, 134, 217, 99, 100, 114, 172, 39, 248, 225, 26, 157},
-						}),
-					},
-				},
-			},
-		},
-	})
-}

infra/conf/router.go

@@ -504,17 +504,17 @@ func ToCidrList(ips StringList) ([]*router.GeoIP, error) {
 func parseFieldRule(msg json.RawMessage) (*router.RoutingRule, error) {
 	type RawFieldRule struct {
 		RouterRule
-		Domain     *StringList  `json:"domain"`
-		Domains    *StringList  `json:"domains"`
-		IP         *StringList  `json:"ip"`
-		Port       *PortList    `json:"port"`
-		Network    *NetworkList `json:"network"`
-		SourceIP   *StringList  `json:"source"`
-		SourcePort *PortList    `json:"sourcePort"`
-		User       *StringList  `json:"user"`
-		InboundTag *StringList  `json:"inboundTag"`
-		Protocols  *StringList  `json:"protocol"`
-		Attributes string       `json:"attrs"`
+		Domain     *StringList       `json:"domain"`
+		Domains    *StringList       `json:"domains"`
+		IP         *StringList       `json:"ip"`
+		Port       *PortList         `json:"port"`
+		Network    *NetworkList      `json:"network"`
+		SourceIP   *StringList       `json:"source"`
+		SourcePort *PortList         `json:"sourcePort"`
+		User       *StringList       `json:"user"`
+		InboundTag *StringList       `json:"inboundTag"`
+		Protocols  *StringList       `json:"protocol"`
+		Attributes map[string]string `json:"attrs"`
 	}
 	rawFieldRule := new(RawFieldRule)
 	err := json.Unmarshal(msg, rawFieldRule)

infra/conf/shadowsocks.go

@@ -155,14 +155,15 @@ func buildShadowsocks2022(v *ShadowsocksServerConfig) (proto.Message, error) {
 }
 
 type ShadowsocksServerTarget struct {
-	Address  *Address `json:"address"`
-	Port     uint16   `json:"port"`
-	Cipher   string   `json:"method"`
-	Password string   `json:"password"`
-	Email    string   `json:"email"`
-	Level    byte     `json:"level"`
-	IVCheck  bool     `json:"ivCheck"`
-	UoT      bool     `json:"uot"`
+	Address    *Address `json:"address"`
+	Port       uint16   `json:"port"`
+	Cipher     string   `json:"method"`
+	Password   string   `json:"password"`
+	Email      string   `json:"email"`
+	Level      byte     `json:"level"`
+	IVCheck    bool     `json:"ivCheck"`
+	UoT        bool     `json:"uot"`
+	UoTVersion int      `json:"uotVersion"`
 }
 
 type ShadowsocksClientConfig struct {
@@ -193,6 +194,7 @@ func (v *ShadowsocksClientConfig) Build() (proto.Message, error) {
 			config.Method = server.Cipher
 			config.Key = server.Password
 			config.UdpOverTcp = server.UoT
+			config.UdpOverTcpVersion = uint32(server.UoTVersion)
 			return config, nil
 		}
 	}

infra/conf/transport_authenticators.go

@@ -4,6 +4,7 @@ import (
 	"sort"
 
 	"github.com/golang/protobuf/proto"
+	"github.com/xtls/xray-core/transport/internet/headers/dns"
 	"github.com/xtls/xray-core/transport/internet/headers/http"
 	"github.com/xtls/xray-core/transport/internet/headers/noop"
 	"github.com/xtls/xray-core/transport/internet/headers/srtp"
@@ -49,6 +50,19 @@ func (WireguardAuthenticator) Build() (proto.Message, error) {
 	return new(wireguard.WireguardConfig), nil
 }
 
+type DNSAuthenticator struct {
+	Domain string `json:"domain"`
+}
+
+func (v *DNSAuthenticator) Build() (proto.Message, error) {
+	config := new(dns.Config)
+	config.Domain = "www.baidu.com"
+	if len(v.Domain) > 0 {
+		config.Domain = v.Domain
+	}
+	return config, nil
+}
+
 type DTLSAuthenticator struct{}
 
 func (DTLSAuthenticator) Build() (proto.Message, error) {

infra/conf/transport_internet.go

@@ -2,13 +2,17 @@ package conf
 
 import (
 	"encoding/base64"
+	"encoding/hex"
 	"encoding/json"
 	"math"
 	"net/url"
+	"runtime"
 	"strconv"
 	"strings"
+	"syscall"
 
 	"github.com/golang/protobuf/proto"
+	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/platform/filesystem"
 	"github.com/xtls/xray-core/common/protocol"
 	"github.com/xtls/xray-core/common/serial"
@@ -18,10 +22,10 @@ import (
 	"github.com/xtls/xray-core/transport/internet/http"
 	"github.com/xtls/xray-core/transport/internet/kcp"
 	"github.com/xtls/xray-core/transport/internet/quic"
+	"github.com/xtls/xray-core/transport/internet/reality"
 	"github.com/xtls/xray-core/transport/internet/tcp"
 	"github.com/xtls/xray-core/transport/internet/tls"
 	"github.com/xtls/xray-core/transport/internet/websocket"
-	"github.com/xtls/xray-core/transport/internet/xtls"
 )
 
 var (
@@ -32,6 +36,7 @@ var (
 		"wechat-video": func() interface{} { return new(WechatVideoAuthenticator) },
 		"dtls":         func() interface{} { return new(DTLSAuthenticator) },
 		"wireguard":    func() interface{} { return new(WireguardAuthenticator) },
+		"dns":          func() interface{} { return new(DNSAuthenticator) },
 	}, "type", "")
 
 	tcpHeaderLoader = NewJSONConfigLoader(ConfigCreatorCache{
@@ -338,19 +343,20 @@ func (c *TLSCertConfig) Build() (*tls.Certificate, error) {
 }
 
 type TLSConfig struct {
-	Insecure                         bool             `json:"allowInsecure"`
-	Certs                            []*TLSCertConfig `json:"certificates"`
-	ServerName                       string           `json:"serverName"`
-	ALPN                             *StringList      `json:"alpn"`
-	EnableSessionResumption          bool             `json:"enableSessionResumption"`
-	DisableSystemRoot                bool             `json:"disableSystemRoot"`
-	MinVersion                       string           `json:"minVersion"`
-	MaxVersion                       string           `json:"maxVersion"`
-	CipherSuites                     string           `json:"cipherSuites"`
-	PreferServerCipherSuites         bool             `json:"preferServerCipherSuites"`
-	Fingerprint                      string           `json:"fingerprint"`
-	RejectUnknownSNI                 bool             `json:"rejectUnknownSni"`
-	PinnedPeerCertificateChainSha256 *[]string        `json:"pinnedPeerCertificateChainSha256"`
+	Insecure                             bool             `json:"allowInsecure"`
+	Certs                                []*TLSCertConfig `json:"certificates"`
+	ServerName                           string           `json:"serverName"`
+	ALPN                                 *StringList      `json:"alpn"`
+	EnableSessionResumption              bool             `json:"enableSessionResumption"`
+	DisableSystemRoot                    bool             `json:"disableSystemRoot"`
+	MinVersion                           string           `json:"minVersion"`
+	MaxVersion                           string           `json:"maxVersion"`
+	CipherSuites                         string           `json:"cipherSuites"`
+	PreferServerCipherSuites             bool             `json:"preferServerCipherSuites"`
+	Fingerprint                          string           `json:"fingerprint"`
+	RejectUnknownSNI                     bool             `json:"rejectUnknownSni"`
+	PinnedPeerCertificateChainSha256     *[]string        `json:"pinnedPeerCertificateChainSha256"`
+	PinnedPeerCertificatePublicKeySha256 *[]string        `json:"pinnedPeerCertificatePublicKeySha256"`
 }
 
 // Build implements Buildable.
@@ -395,117 +401,184 @@ func (c *TLSConfig) Build() (proto.Message, error) {
 		}
 	}
 
-	return config, nil
-}
-
-type XTLSCertConfig struct {
-	CertFile       string   `json:"certificateFile"`
-	CertStr        []string `json:"certificate"`
-	KeyFile        string   `json:"keyFile"`
-	KeyStr         []string `json:"key"`
-	Usage          string   `json:"usage"`
-	OcspStapling   uint64   `json:"ocspStapling"`
-	OneTimeLoading bool     `json:"oneTimeLoading"`
-}
-
-// Build implements Buildable.
-func (c *XTLSCertConfig) Build() (*xtls.Certificate, error) {
-	certificate := new(xtls.Certificate)
-	cert, err := readFileOrString(c.CertFile, c.CertStr)
-	if err != nil {
-		return nil, newError("failed to parse certificate").Base(err)
-	}
-	certificate.Certificate = cert
-	certificate.CertificatePath = c.CertFile
-
-	if len(c.KeyFile) > 0 || len(c.KeyStr) > 0 {
-		key, err := readFileOrString(c.KeyFile, c.KeyStr)
-		if err != nil {
-			return nil, newError("failed to parse key").Base(err)
-		}
-		certificate.Key = key
-		certificate.KeyPath = c.KeyFile
-	}
-
-	switch strings.ToLower(c.Usage) {
-	case "encipherment":
-		certificate.Usage = xtls.Certificate_ENCIPHERMENT
-	case "verify":
-		certificate.Usage = xtls.Certificate_AUTHORITY_VERIFY
-	case "issue":
-		certificate.Usage = xtls.Certificate_AUTHORITY_ISSUE
-	default:
-		certificate.Usage = xtls.Certificate_ENCIPHERMENT
-	}
-	if certificate.KeyPath == "" && certificate.CertificatePath == "" {
-		certificate.OneTimeLoading = true
-	} else {
-		certificate.OneTimeLoading = c.OneTimeLoading
-	}
-	certificate.OcspStapling = c.OcspStapling
-
-	return certificate, nil
-}
-
-type XTLSConfig struct {
-	Insecure                         bool              `json:"allowInsecure"`
-	Certs                            []*XTLSCertConfig `json:"certificates"`
-	ServerName                       string            `json:"serverName"`
-	ALPN                             *StringList       `json:"alpn"`
-	EnableSessionResumption          bool              `json:"enableSessionResumption"`
-	DisableSystemRoot                bool              `json:"disableSystemRoot"`
-	MinVersion                       string            `json:"minVersion"`
-	MaxVersion                       string            `json:"maxVersion"`
-	CipherSuites                     string            `json:"cipherSuites"`
-	PreferServerCipherSuites         bool              `json:"preferServerCipherSuites"`
-	Fingerprint                      string            `json:"fingerprint"`
-	RejectUnknownSNI                 bool              `json:"rejectUnknownSni"`
-	PinnedPeerCertificateChainSha256 *[]string         `json:"pinnedPeerCertificateChainSha256"`
-}
-
-// Build implements Buildable.
-func (c *XTLSConfig) Build() (proto.Message, error) {
-	config := new(xtls.Config)
-	config.Certificate = make([]*xtls.Certificate, len(c.Certs))
-	for idx, certConf := range c.Certs {
-		cert, err := certConf.Build()
-		if err != nil {
-			return nil, err
-		}
-		config.Certificate[idx] = cert
-	}
-	serverName := c.ServerName
-	config.AllowInsecure = c.Insecure
-	if len(c.ServerName) > 0 {
-		config.ServerName = serverName
-	}
-	if c.ALPN != nil && len(*c.ALPN) > 0 {
-		config.NextProtocol = []string(*c.ALPN)
-	}
-	config.EnableSessionResumption = c.EnableSessionResumption
-	config.DisableSystemRoot = c.DisableSystemRoot
-	config.MinVersion = c.MinVersion
-	config.MaxVersion = c.MaxVersion
-	config.CipherSuites = c.CipherSuites
-	config.PreferServerCipherSuites = c.PreferServerCipherSuites
-	if c.Fingerprint != "" {
-		return nil, newError(`Old version of XTLS does not support fingerprint. Please use flow "xtls-rprx-vision" with "tls & tlsSettings" instead.`)
-	}
-	config.RejectUnknownSni = c.RejectUnknownSNI
-
-	if c.PinnedPeerCertificateChainSha256 != nil {
-		config.PinnedPeerCertificateChainSha256 = [][]byte{}
-		for _, v := range *c.PinnedPeerCertificateChainSha256 {
+	if c.PinnedPeerCertificatePublicKeySha256 != nil {
+		config.PinnedPeerCertificatePublicKeySha256 = [][]byte{}
+		for _, v := range *c.PinnedPeerCertificatePublicKeySha256 {
 			hashValue, err := base64.StdEncoding.DecodeString(v)
 			if err != nil {
 				return nil, err
 			}
-			config.PinnedPeerCertificateChainSha256 = append(config.PinnedPeerCertificateChainSha256, hashValue)
+			config.PinnedPeerCertificatePublicKeySha256 = append(config.PinnedPeerCertificatePublicKeySha256, hashValue)
 		}
 	}
 
-	newError(`You are using an old version of XTLS, which is deprecated now and will be removed soon. Please use flow "xtls-rprx-vision" with "tls & tlsSettings" instead.`).AtWarning().WriteToLog()
+	return config, nil
+}
 
+type REALITYConfig struct {
+	Show         bool            `json:"show"`
+	Dest         json.RawMessage `json:"dest"`
+	Type         string          `json:"type"`
+	Xver         uint64          `json:"xver"`
+	ServerNames  []string        `json:"serverNames"`
+	PrivateKey   string          `json:"privateKey"`
+	MinClientVer string          `json:"minClientVer"`
+	MaxClientVer string          `json:"maxClientVer"`
+	MaxTimeDiff  uint64          `json:"maxTimeDiff"`
+	ShortIds     []string        `json:"shortIds"`
+
+	Fingerprint string `json:"fingerprint"`
+	ServerName  string `json:"serverName"`
+	PublicKey   string `json:"publicKey"`
+	ShortId     string `json:"shortId"`
+	SpiderX     string `json:"spiderX"`
+}
+
+func (c *REALITYConfig) Build() (proto.Message, error) {
+	config := new(reality.Config)
+	config.Show = c.Show
+	var err error
+	if c.Dest != nil {
+		var i uint16
+		var s string
+		if err = json.Unmarshal(c.Dest, &i); err == nil {
+			s = strconv.Itoa(int(i))
+		} else {
+			_ = json.Unmarshal(c.Dest, &s)
+		}
+		if c.Type == "" && s != "" {
+			switch s[0] {
+			case '@', '/':
+				c.Type = "unix"
+				if s[0] == '@' && len(s) > 1 && s[1] == '@' && (runtime.GOOS == "linux" || runtime.GOOS == "android") {
+					fullAddr := make([]byte, len(syscall.RawSockaddrUnix{}.Path)) // may need padding to work with haproxy
+					copy(fullAddr, s[1:])
+					s = string(fullAddr)
+				}
+			default:
+				if _, err = strconv.Atoi(s); err == nil {
+					s = "127.0.0.1:" + s
+				}
+				if _, _, err = net.SplitHostPort(s); err == nil {
+					c.Type = "tcp"
+				}
+			}
+		}
+		if c.Type == "" {
+			return nil, newError(`please fill in a valid value for "dest"`)
+		}
+		if c.Xver > 2 {
+			return nil, newError(`invalid PROXY protocol version, "xver" only accepts 0, 1, 2`)
+		}
+		if len(c.ServerNames) == 0 {
+			return nil, newError(`empty "serverNames"`)
+		}
+		if c.PrivateKey == "" {
+			return nil, newError(`empty "privateKey"`)
+		}
+		if config.PrivateKey, err = base64.RawURLEncoding.DecodeString(c.PrivateKey); err != nil || len(config.PrivateKey) != 32 {
+			return nil, newError(`invalid "privateKey": `, c.PrivateKey)
+		}
+		if c.MinClientVer != "" {
+			config.MinClientVer = make([]byte, 3)
+			var u uint64
+			for i, s := range strings.Split(c.MinClientVer, ".") {
+				if i == 3 {
+					return nil, newError(`invalid "minClientVer": `, c.MinClientVer)
+				}
+				if u, err = strconv.ParseUint(s, 10, 8); err != nil {
+					return nil, newError(`"minClientVer[`, i, `]" should be lesser than 256`)
+				} else {
+					config.MinClientVer[i] = byte(u)
+				}
+			}
+		}
+		if c.MaxClientVer != "" {
+			config.MaxClientVer = make([]byte, 3)
+			var u uint64
+			for i, s := range strings.Split(c.MaxClientVer, ".") {
+				if i == 3 {
+					return nil, newError(`invalid "maxClientVer": `, c.MaxClientVer)
+				}
+				if u, err = strconv.ParseUint(s, 10, 8); err != nil {
+					return nil, newError(`"maxClientVer[`, i, `]" should be lesser than 256`)
+				} else {
+					config.MaxClientVer[i] = byte(u)
+				}
+			}
+		}
+		if len(c.ShortIds) == 0 {
+			return nil, newError(`empty "shortIds"`)
+		}
+		config.ShortIds = make([][]byte, len(c.ShortIds))
+		for i, s := range c.ShortIds {
+			config.ShortIds[i] = make([]byte, 8)
+			if _, err = hex.Decode(config.ShortIds[i], []byte(s)); err != nil {
+				return nil, newError(`invalid "shortIds[`, i, `]": `, s)
+			}
+		}
+		config.Dest = s
+		config.Type = c.Type
+		config.Xver = c.Xver
+		config.ServerNames = c.ServerNames
+		config.MaxTimeDiff = c.MaxTimeDiff
+	} else {
+		if c.Fingerprint == "" {
+			return nil, newError(`empty "fingerprint"`)
+		}
+		if config.Fingerprint = strings.ToLower(c.Fingerprint); tls.GetFingerprint(config.Fingerprint) == nil {
+			return nil, newError(`unknown "fingerprint": `, config.Fingerprint)
+		}
+		if config.Fingerprint == "hellogolang" {
+			return nil, newError(`invalid "fingerprint": `, config.Fingerprint)
+		}
+		if len(c.ServerNames) != 0 {
+			return nil, newError(`non-empty "serverNames", please use "serverName" instead`)
+		}
+		if c.PublicKey == "" {
+			return nil, newError(`empty "publicKey"`)
+		}
+		if config.PublicKey, err = base64.RawURLEncoding.DecodeString(c.PublicKey); err != nil || len(config.PublicKey) != 32 {
+			return nil, newError(`invalid "publicKey": `, c.PublicKey)
+		}
+		if len(c.ShortIds) != 0 {
+			return nil, newError(`non-empty "shortIds", please use "shortId" instead`)
+		}
+		config.ShortId = make([]byte, 8)
+		if _, err = hex.Decode(config.ShortId, []byte(c.ShortId)); err != nil {
+			return nil, newError(`invalid "shortId": `, c.ShortId)
+		}
+		if c.SpiderX == "" {
+			c.SpiderX = "/"
+		}
+		if c.SpiderX[0] != '/' {
+			return nil, newError(`invalid "spiderX": `, c.SpiderX)
+		}
+		config.SpiderY = make([]int64, 10)
+		u, _ := url.Parse(c.SpiderX)
+		q := u.Query()
+		parse := func(param string, index int) {
+			if q.Get(param) != "" {
+				s := strings.Split(q.Get(param), "-")
+				if len(s) == 1 {
+					config.SpiderY[index], _ = strconv.ParseInt(s[0], 10, 64)
+					config.SpiderY[index+1], _ = strconv.ParseInt(s[0], 10, 64)
+				} else {
+					config.SpiderY[index], _ = strconv.ParseInt(s[0], 10, 64)
+					config.SpiderY[index+1], _ = strconv.ParseInt(s[1], 10, 64)
+				}
+			}
+			q.Del(param)
+		}
+		parse("p", 0) // padding
+		parse("c", 2) // concurrency
+		parse("t", 4) // times
+		parse("i", 6) // interval
+		parse("r", 8) // return
+		u.RawQuery = q.Encode()
+		config.SpiderX = u.String()
+		config.ServerName = c.ServerName
+	}
 	return config, nil
 }
 
@@ -543,6 +616,11 @@ type SocketConfig struct {
 	TCPKeepAliveInterval int32       `json:"tcpKeepAliveInterval"`
 	TCPKeepAliveIdle     int32       `json:"tcpKeepAliveIdle"`
 	TCPCongestion        string      `json:"tcpCongestion"`
+	TCPWindowClamp       int32       `json:"tcpWindowClamp"`
+	TCPMaxSeg            int32       `json:"tcpMaxSeg"`
+	TcpNoDelay           bool        `json:"tcpNoDelay"`
+	TCPUserTimeout       int32       `json:"tcpUserTimeout"`
+	V6only               bool        `json:"v6only"`
 	Interface            string      `json:"interface"`
 }
 
@@ -593,24 +671,29 @@ func (c *SocketConfig) Build() (*internet.SocketConfig, error) {
 		TcpKeepAliveInterval: c.TCPKeepAliveInterval,
 		TcpKeepAliveIdle:     c.TCPKeepAliveIdle,
 		TcpCongestion:        c.TCPCongestion,
+		TcpWindowClamp:       c.TCPWindowClamp,
+		TcpMaxSeg:            c.TCPMaxSeg,
+		TcpNoDelay:           c.TcpNoDelay,
+		TcpUserTimeout:       c.TCPUserTimeout,
+		V6Only:               c.V6only,
 		Interface:            c.Interface,
 	}, nil
 }
 
 type StreamConfig struct {
-	Network        *TransportProtocol  `json:"network"`
-	Security       string              `json:"security"`
-	TLSSettings    *TLSConfig          `json:"tlsSettings"`
-	XTLSSettings   *XTLSConfig         `json:"xtlsSettings"`
-	TCPSettings    *TCPConfig          `json:"tcpSettings"`
-	KCPSettings    *KCPConfig          `json:"kcpSettings"`
-	WSSettings     *WebSocketConfig    `json:"wsSettings"`
-	HTTPSettings   *HTTPConfig         `json:"httpSettings"`
-	DSSettings     *DomainSocketConfig `json:"dsSettings"`
-	QUICSettings   *QUICConfig         `json:"quicSettings"`
-	SocketSettings *SocketConfig       `json:"sockopt"`
-	GRPCConfig     *GRPCConfig         `json:"grpcSettings"`
-	GUNConfig      *GRPCConfig         `json:"gunSettings"`
+	Network         *TransportProtocol  `json:"network"`
+	Security        string              `json:"security"`
+	TLSSettings     *TLSConfig          `json:"tlsSettings"`
+	REALITYSettings *REALITYConfig      `json:"realitySettings"`
+	TCPSettings     *TCPConfig          `json:"tcpSettings"`
+	KCPSettings     *KCPConfig          `json:"kcpSettings"`
+	WSSettings      *WebSocketConfig    `json:"wsSettings"`
+	HTTPSettings    *HTTPConfig         `json:"httpSettings"`
+	DSSettings      *DomainSocketConfig `json:"dsSettings"`
+	QUICSettings    *QUICConfig         `json:"quicSettings"`
+	SocketSettings  *SocketConfig       `json:"sockopt"`
+	GRPCConfig      *GRPCConfig         `json:"grpcSettings"`
+	GUNConfig       *GRPCConfig         `json:"gunSettings"`
 }
 
 // Build implements Buildable.
@@ -625,12 +708,11 @@ func (c *StreamConfig) Build() (*internet.StreamConfig, error) {
 		}
 		config.ProtocolName = protocol
 	}
-	if strings.EqualFold(c.Security, "tls") {
+	switch strings.ToLower(c.Security) {
+	case "", "none":
+	case "tls":
 		tlsSettings := c.TLSSettings
 		if tlsSettings == nil {
-			if c.XTLSSettings != nil {
-				return nil, newError(`TLS: Please use "tlsSettings" instead of "xtlsSettings".`)
-			}
 			tlsSettings = &TLSConfig{}
 		}
 		ts, err := tlsSettings.Build()
@@ -640,25 +722,24 @@ func (c *StreamConfig) Build() (*internet.StreamConfig, error) {
 		tm := serial.ToTypedMessage(ts)
 		config.SecuritySettings = append(config.SecuritySettings, tm)
 		config.SecurityType = tm.Type
-	}
-	if strings.EqualFold(c.Security, "xtls") {
-		if config.ProtocolName != "tcp" && config.ProtocolName != "mkcp" && config.ProtocolName != "domainsocket" {
-			return nil, newError("XTLS only supports TCP, mKCP and DomainSocket for now.")
+	case "reality":
+		if config.ProtocolName != "tcp" && config.ProtocolName != "http" && config.ProtocolName != "grpc" && config.ProtocolName != "domainsocket" {
+			return nil, newError("REALITY only supports TCP, H2, gRPC and DomainSocket for now.")
 		}
-		xtlsSettings := c.XTLSSettings
-		if xtlsSettings == nil {
-			if c.TLSSettings != nil {
-				return nil, newError(`XTLS: Please use "xtlsSettings" instead of "tlsSettings".`)
-			}
-			xtlsSettings = &XTLSConfig{}
+		if c.REALITYSettings == nil {
+			return nil, newError(`REALITY: Empty "realitySettings".`)
 		}
-		ts, err := xtlsSettings.Build()
+		ts, err := c.REALITYSettings.Build()
 		if err != nil {
-			return nil, newError("Failed to build XTLS config.").Base(err)
+			return nil, newError("Failed to build REALITY config.").Base(err)
 		}
 		tm := serial.ToTypedMessage(ts)
 		config.SecuritySettings = append(config.SecuritySettings, tm)
 		config.SecurityType = tm.Type
+	case "xtls":
+		return nil, newError(`Please use VLESS flow "xtls-rprx-vision" with TLS or REALITY.`)
+	default:
+		return nil, newError(`Unknown security "` + c.Security + `".`)
 	}
 	if c.TCPSettings != nil {
 		ts, err := c.TCPSettings.Build()

infra/conf/trojan.go

@@ -53,11 +53,7 @@ func (c *TrojanClientConfig) Build() (proto.Message, error) {
 		}
 
 		switch account.Flow {
-		case "", "xtls-rprx-origin", "xtls-rprx-origin-udp443", "xtls-rprx-direct", "xtls-rprx-direct-udp443":
-		case "xtls-rprx-splice", "xtls-rprx-splice-udp443":
-			if runtime.GOOS != "linux" && runtime.GOOS != "android" {
-				return nil, newError(`Trojan servers: "` + account.Flow + `" only support linux in this version`)
-			}
+		case "":
 		default:
 			return nil, newError(`Trojan servers: "flow" doesn't support "` + account.Flow + `" in this version`)
 		}
@@ -119,9 +115,7 @@ func (c *TrojanServerConfig) Build() (proto.Message, error) {
 		}
 
 		switch account.Flow {
-		case "", "xtls-rprx-origin", "xtls-rprx-direct":
-		case "xtls-rprx-splice":
-			return nil, newError(`Trojan clients: inbound doesn't support "xtls-rprx-splice" in this version, please use "xtls-rprx-direct" instead`)
+		case "":
 		default:
 			return nil, newError(`Trojan clients: "flow" doesn't support "` + account.Flow + `" in this version`)
 		}

infra/conf/vless.go

@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"runtime"
 	"strconv"
-	"strings"
 	"syscall"
 
 	"github.com/golang/protobuf/proto"
@@ -53,18 +52,8 @@ func (c *VLessInboundConfig) Build() (proto.Message, error) {
 		}
 		account.Id = u.String()
 
-		accountFlow := account.Flow
-		flows := strings.Split(account.Flow, ",")
-		for _, f := range flows {
-			t := strings.TrimSpace(f)
-			if t != "none" {
-				accountFlow = t
-			}
-		}
-		switch accountFlow {
-		case "", vless.XRO, vless.XRD, vless.XRV:
-		case vless.XRS:
-			return nil, newError(`VLESS clients: inbound doesn't support "xtls-rprx-splice" in this version, please use "xtls-rprx-direct" instead`)
+		switch account.Flow {
+		case "", vless.XRV:
 		default:
 			return nil, newError(`VLESS clients: "flow" doesn't support "` + account.Flow + `" in this version`)
 		}
@@ -191,11 +180,7 @@ func (c *VLessOutboundConfig) Build() (proto.Message, error) {
 			account.Id = u.String()
 
 			switch account.Flow {
-			case "", vless.XRO, vless.XRO + "-udp443", vless.XRD, vless.XRD + "-udp443", vless.XRV, vless.XRV + "-udp443":
-			case vless.XRS, vless.XRS + "-udp443":
-				if runtime.GOOS != "linux" && runtime.GOOS != "android" {
-					return nil, newError(`VLESS users: "` + account.Flow + `" only support linux in this version`)
-				}
+			case "", vless.XRV, vless.XRV + "-udp443":
 			default:
 				return nil, newError(`VLESS users: "flow" doesn't support "` + account.Flow + `" in this version`)
 			}

infra/conf/vless_test.go

@@ -26,7 +26,7 @@ func TestVLessOutbound(t *testing.T) {
 					"users": [
 						{
 							"id": "27848739-7e62-4138-9fd3-098a63964b6b",
-							"flow": "xtls-rprx-direct-udp443",
+							"flow": "xtls-rprx-vision-udp443",
 							"encryption": "none",
 							"level": 0
 						}
@@ -47,7 +47,7 @@ func TestVLessOutbound(t *testing.T) {
 							{
 								Account: serial.ToTypedMessage(&vless.Account{
 									Id:         "27848739-7e62-4138-9fd3-098a63964b6b",
-									Flow:       "xtls-rprx-direct-udp443",
+									Flow:       "xtls-rprx-vision-udp443",
 									Encryption: "none",
 								}),
 								Level: 0,
@@ -71,7 +71,7 @@ func TestVLessInbound(t *testing.T) {
 				"clients": [
 					{
 						"id": "27848739-7e62-4138-9fd3-098a63964b6b",
-						"flow": "xtls-rprx-direct",
+						"flow": "xtls-rprx-vision",
 						"level": 0,
 						"email": "love@example.com"
 					}
@@ -98,7 +98,7 @@ func TestVLessInbound(t *testing.T) {
 					{
 						Account: serial.ToTypedMessage(&vless.Account{
 							Id:   "27848739-7e62-4138-9fd3-098a63964b6b",
-							Flow: "xtls-rprx-direct",
+							Flow: "xtls-rprx-vision",
 						}),
 						Level: 0,
 						Email: "love@example.com",

infra/conf/vmess.go

@@ -15,7 +15,6 @@ import (
 
 type VMessAccount struct {
 	ID          string `json:"id"`
-	AlterIds    uint16 `json:"alterId"`
 	Security    string `json:"security"`
 	Experiments string `json:"experiments"`
 }
@@ -38,8 +37,7 @@ func (a *VMessAccount) Build() *vmess.Account {
 		st = protocol.SecurityType_AUTO
 	}
 	return &vmess.Account{
-		Id:      a.ID,
-		AlterId: uint32(a.AlterIds),
+		Id: a.ID,
 		SecuritySettings: &protocol.SecurityConfig{
 			Type: st,
 		},
@@ -63,14 +61,12 @@ type FeaturesConfig struct {
 }
 
 type VMessDefaultConfig struct {
-	AlterIDs uint16 `json:"alterId"`
-	Level    byte   `json:"level"`
+	Level byte `json:"level"`
 }
 
 // Build implements Buildable
 func (c *VMessDefaultConfig) Build() *inbound.DefaultConfig {
 	config := new(inbound.DefaultConfig)
-	config.AlterId = uint32(c.AlterIDs)
 	config.Level = uint32(c.Level)
 	return config
 }
@@ -80,14 +76,11 @@ type VMessInboundConfig struct {
 	Features     *FeaturesConfig     `json:"features"`
 	Defaults     *VMessDefaultConfig `json:"default"`
 	DetourConfig *VMessDetourConfig  `json:"detour"`
-	SecureOnly   bool                `json:"disableInsecureEncryption"`
 }
 
 // Build implements Buildable
 func (c *VMessInboundConfig) Build() (proto.Message, error) {
-	config := &inbound.Config{
-		SecureEncryptionOnly: c.SecureOnly,
-	}
+	config := &inbound.Config{}
 
 	if c.Defaults != nil {
 		config.Default = c.Defaults.Build()

infra/conf/vmess_test.go

@@ -105,7 +105,6 @@ func TestVMessInbound(t *testing.T) {
 				Detour: &inbound.DetourConfig{
 					To: "tag_to_detour",
 				},
-				SecureEncryptionOnly: true,
 			},
 		},
 	})

infra/conf/wireguard.go

@@ -52,6 +52,7 @@ type WireGuardConfig struct {
 	Peers      []*WireGuardPeerConfig `json:"peers"`
 	MTU        int                    `json:"mtu"`
 	NumWorkers int                    `json:"workers"`
+	Reserved   []byte                 `json:"reserved"`
 }
 
 func (c *WireGuardConfig) Build() (proto.Message, error) {
@@ -90,6 +91,11 @@ func (c *WireGuardConfig) Build() (proto.Message, error) {
 	// we don't need to process fallback manually
 	config.NumWorkers = int32(c.NumWorkers)
 
+	if len(c.Reserved) != 0 && len(c.Reserved) != 3 {
+		return nil, newError(`"reserved" should be empty or 3 bytes`)
+	}
+	config.Reserved = c.Reserved
+
 	return config, nil
 }
 

infra/conf/xray.go

@@ -13,7 +13,6 @@ import (
 	"github.com/xtls/xray-core/common/serial"
 	core "github.com/xtls/xray-core/core"
 	"github.com/xtls/xray-core/transport/internet"
-	"github.com/xtls/xray-core/transport/internet/xtls"
 )
 
 var (
@@ -25,7 +24,6 @@ var (
 		"vless":         func() interface{} { return new(VLessInboundConfig) },
 		"vmess":         func() interface{} { return new(VMessInboundConfig) },
 		"trojan":        func() interface{} { return new(TrojanServerConfig) },
-		"mtproto":       func() interface{} { return new(MTProtoServerConfig) },
 	}, "protocol", "settings")
 
 	outboundConfigLoader = NewJSONConfigLoader(ConfigCreatorCache{
@@ -38,7 +36,6 @@ var (
 		"vless":       func() interface{} { return new(VLessOutboundConfig) },
 		"vmess":       func() interface{} { return new(VMessOutboundConfig) },
 		"trojan":      func() interface{} { return new(TrojanClientConfig) },
-		"mtproto":     func() interface{} { return new(MTProtoClientConfig) },
 		"dns":         func() interface{} { return new(DNSOutboundConfig) },
 		"wireguard":   func() interface{} { return new(WireGuardConfig) },
 	}, "protocol", "settings")
@@ -108,25 +105,27 @@ func (c *SniffingConfig) Build() (*proxyman.SniffingConfig, error) {
 }
 
 type MuxConfig struct {
-	Enabled     bool  `json:"enabled"`
-	Concurrency int16 `json:"concurrency"`
+	Enabled         bool   `json:"enabled"`
+	Concurrency     int16  `json:"concurrency"`
+	XudpConcurrency int16  `json:"xudpConcurrency"`
+	XudpProxyUDP443 string `json:"xudpProxyUDP443"`
 }
 
 // Build creates MultiplexingConfig, Concurrency < 0 completely disables mux.
-func (m *MuxConfig) Build() *proxyman.MultiplexingConfig {
-	if m.Concurrency < 0 {
-		return nil
+func (m *MuxConfig) Build() (*proxyman.MultiplexingConfig, error) {
+	switch m.XudpProxyUDP443 {
+	case "":
+		m.XudpProxyUDP443 = "reject"
+	case "reject", "allow", "skip":
+	default:
+		return nil, newError(`unknown "xudpProxyUDP443": `, m.XudpProxyUDP443)
 	}
-
-	var con uint32 = 8
-	if m.Concurrency > 0 {
-		con = uint32(m.Concurrency)
-	}
-
 	return &proxyman.MultiplexingConfig{
-		Enabled:     m.Enabled,
-		Concurrency: con,
-	}
+		Enabled:         m.Enabled,
+		Concurrency:     int32(m.Concurrency),
+		XudpConcurrency: int32(m.XudpConcurrency),
+		XudpProxyUDP443: m.XudpProxyUDP443,
+	}, nil
 }
 
 type InboundDetourAllocationConfig struct {
@@ -236,9 +235,6 @@ func (c *InboundDetourConfig) Build() (*core.InboundHandlerConfig, error) {
 		if err != nil {
 			return nil, err
 		}
-		if ss.SecurityType == serial.GetMessageType(&xtls.Config{}) && !strings.EqualFold(c.Protocol, "vless") && !strings.EqualFold(c.Protocol, "trojan") {
-			return nil, newError("XTLS doesn't supports " + c.Protocol + " for now.")
-		}
 		receiverSettings.StreamSettings = ss
 	}
 	if c.SniffingConfig != nil {
@@ -319,9 +315,6 @@ func (c *OutboundDetourConfig) Build() (*core.OutboundHandlerConfig, error) {
 		if err != nil {
 			return nil, err
 		}
-		if ss.SecurityType == serial.GetMessageType(&xtls.Config{}) && !strings.EqualFold(c.Protocol, "vless") && !strings.EqualFold(c.Protocol, "trojan") {
-			return nil, newError("XTLS doesn't supports " + c.Protocol + " for now.")
-		}
 		senderSettings.StreamSettings = ss
 	}
 
@@ -346,13 +339,9 @@ func (c *OutboundDetourConfig) Build() (*core.OutboundHandlerConfig, error) {
 	}
 
 	if c.MuxSettings != nil {
-		ms := c.MuxSettings.Build()
-		if ms != nil && ms.Enabled {
-			if ss := senderSettings.StreamSettings; ss != nil {
-				if ss.SecurityType == serial.GetMessageType(&xtls.Config{}) {
-					return nil, newError("XTLS doesn't support Mux for now.")
-				}
-			}
+		ms, err := c.MuxSettings.Build()
+		if err != nil {
+			return nil, newError("failed to build Mux config.").Base(err)
 		}
 		senderSettings.MultiplexSettings = ms
 	}

infra/conf/xray_test.go

@@ -340,24 +340,35 @@ func TestMuxConfig_Build(t *testing.T) {
 		want   *proxyman.MultiplexingConfig
 	}{
 		{"default", `{"enabled": true, "concurrency": 16}`, &proxyman.MultiplexingConfig{
-			Enabled:     true,
-			Concurrency: 16,
+			Enabled:         true,
+			Concurrency:     16,
+			XudpConcurrency: 0,
+			XudpProxyUDP443: "reject",
 		}},
 		{"empty def", `{}`, &proxyman.MultiplexingConfig{
-			Enabled:     false,
-			Concurrency: 8,
+			Enabled:         false,
+			Concurrency:     0,
+			XudpConcurrency: 0,
+			XudpProxyUDP443: "reject",
 		}},
 		{"not enable", `{"enabled": false, "concurrency": 4}`, &proxyman.MultiplexingConfig{
-			Enabled:     false,
-			Concurrency: 4,
+			Enabled:         false,
+			Concurrency:     4,
+			XudpConcurrency: 0,
+			XudpProxyUDP443: "reject",
+		}},
+		{"forbidden", `{"enabled": false, "concurrency": -1}`, &proxyman.MultiplexingConfig{
+			Enabled:         false,
+			Concurrency:     -1,
+			XudpConcurrency: 0,
+			XudpProxyUDP443: "reject",
 		}},
-		{"forbidden", `{"enabled": false, "concurrency": -1}`, nil},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			m := &MuxConfig{}
 			common.Must(json.Unmarshal([]byte(tt.fields), m))
-			if got := m.Build(); !reflect.DeepEqual(got, tt.want) {
+			if got, _ := m.Build(); !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("MuxConfig.Build() = %v, want %v", got, tt.want)
 			}
 		})

infra/vprotogen/main.go

@@ -108,7 +108,7 @@ func getProjectProtocVersion(url string) (string, error) {
 	if err != nil {
 		return "", fmt.Errorf("can not read from body")
 	}
-	versionRegexp := regexp.MustCompile(`\/\/\s*protoc\s*v(\d+\.\d+\.\d+)`)
+	versionRegexp := regexp.MustCompile(`\/\/\s*protoc\s*v\d+\.(\d+\.\d+)`)
 	matched := versionRegexp.FindStringSubmatch(string(body))
 	return matched[1], nil
 }
@@ -120,7 +120,7 @@ func getInstalledProtocVersion(protocPath string) (string, error) {
 	if cmdErr != nil {
 		return "", cmdErr
 	}
-	versionRegexp := regexp.MustCompile(`protoc\s*(\d+\.\d+\.\d+)`)
+	versionRegexp := regexp.MustCompile(`protoc\s*(\d+\.\d+)`)
 	matched := versionRegexp.FindStringSubmatch(string(output))
 	return matched[1], nil
 }

main/commands/all/commands.go

@@ -15,5 +15,6 @@ func init() {
 		// cmdConvert,
 		tls.CmdTLS,
 		cmdUUID,
+		cmdX25519,
 	)
 }

main/commands/all/x25519.go

@@ -0,0 +1,71 @@
+package all
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+
+	"github.com/xtls/xray-core/main/commands/base"
+	"golang.org/x/crypto/curve25519"
+)
+
+var cmdX25519 = &base.Command{
+	UsageLine: `{{.Exec}} x25519 [-i "private key (base64.RawURLEncoding)"]`,
+	Short:     `Generate key pair for x25519 key exchange`,
+	Long: `
+Generate key pair for x25519 key exchange.
+
+Random: {{.Exec}} x25519
+
+From private key: {{.Exec}} x25519 -i "private key (base64.RawURLEncoding)"
+`,
+}
+
+func init() {
+	cmdX25519.Run = executeX25519 // break init loop
+}
+
+var input_base64 = cmdX25519.Flag.String("i", "", "")
+
+func executeX25519(cmd *base.Command, args []string) {
+	var output string
+	var err error
+	var privateKey []byte
+	var publicKey []byte
+	if len(*input_base64) > 0 {
+		privateKey, err = base64.RawURLEncoding.DecodeString(*input_base64)
+		if err != nil {
+			output = err.Error()
+			goto out
+		}
+		if len(privateKey) != curve25519.ScalarSize {
+			output = "Invalid length of private key."
+			goto out
+		}
+	}
+
+	if privateKey == nil {
+		privateKey = make([]byte, curve25519.ScalarSize)
+		if _, err = rand.Read(privateKey); err != nil {
+			output = err.Error()
+			goto out
+		}
+	}
+
+	// Modify random bytes using algorithm described at:
+	// https://cr.yp.to/ecdh.html.
+	privateKey[0] &= 248
+	privateKey[31] &= 127
+	privateKey[31] |= 64
+
+	if publicKey, err = curve25519.X25519(privateKey, curve25519.Basepoint); err != nil {
+		output = err.Error()
+		goto out
+	}
+
+	output = fmt.Sprintf("Private key: %v\nPublic key: %v",
+		base64.RawURLEncoding.EncodeToString(privateKey),
+		base64.RawURLEncoding.EncodeToString(publicKey))
+out:
+	fmt.Println(output)
+}

main/distro/all/all.go

@@ -40,7 +40,6 @@ import (
 	_ "github.com/xtls/xray-core/proxy/freedom"
 	_ "github.com/xtls/xray-core/proxy/http"
 	_ "github.com/xtls/xray-core/proxy/loopback"
-	_ "github.com/xtls/xray-core/proxy/mtproto"
 	_ "github.com/xtls/xray-core/proxy/shadowsocks"
 	_ "github.com/xtls/xray-core/proxy/socks"
 	_ "github.com/xtls/xray-core/proxy/trojan"
@@ -56,11 +55,11 @@ import (
 	_ "github.com/xtls/xray-core/transport/internet/http"
 	_ "github.com/xtls/xray-core/transport/internet/kcp"
 	_ "github.com/xtls/xray-core/transport/internet/quic"
+	_ "github.com/xtls/xray-core/transport/internet/reality"
 	_ "github.com/xtls/xray-core/transport/internet/tcp"
 	_ "github.com/xtls/xray-core/transport/internet/tls"
 	_ "github.com/xtls/xray-core/transport/internet/udp"
 	_ "github.com/xtls/xray-core/transport/internet/websocket"
-	_ "github.com/xtls/xray-core/transport/internet/xtls"
 
 	// Transport headers
 	_ "github.com/xtls/xray-core/transport/internet/headers/http"