文档新增 reF1nd 分支特性

.github/CRONET_GO_VERSION

@@ -1 +1 @@
-cba7b9ac0399055aa49fbdc57c03c374f58e1597
+d181863d6a4aa2e7bb7eaf67c1d512c5e4827fde

.gitignore

@@ -1,4 +1,5 @@
 /.idea/
+/.vscode/
 /vendor/
 /*.json
 /*.srs

README.md

@@ -16,6 +16,141 @@ The universal proxy platform.
 
 https://sing-box.sagernet.org
 
+## Inbound TLS
+
+```json
+{
+  "inbounds": [
+    {
+      "type": "trojan",
+      "tag": "trojan-in",
+      "tls": {
+        "enabled": true,
+        "server_name": "sekai.love",
+        "certificate_path": "cert.pem",
+        "key_path": "key.key",
+        "reject_unknown_sni": true
+      }
+    },
+    {
+      "type": "anytls",
+      "tag": "anytls-in",
+      "tls": {
+        "enabled": true,
+        "server_names": [
+          "sagernet.sekai.love",
+          "sekai.love"
+        ],
+        "certificate_path": "cert.pem",
+        "key_path": "key.key",
+        "reject_unknown_sni": true
+      }
+    }
+  ]
+}
+```
+
+Reject unknown SNI: If the server name of connection does not match `server_name` or any domain in `server_names`,
+and is not included in the certificate, it will be rejected.
+
+拒绝未知 SNI：如果连接的 server name 与 `server_name` 或者 `server_names` 中包含的域名 不符 且 证书中不包含它，则拒绝连接。
+
+## Dialer
+
+```json
+{
+  "outbounds": [
+    {
+      "type": "direct",
+      "tag": "direct",
+      "tcp_keep_alive": "5m",
+      "tcp_keep_alive_interval": "75s",
+      "tcp_keep_alive_count": 0,
+      "disable_tcp_keep_alive": false
+    }
+  ]
+}
+```
+
+TCP Keep alive options.
+
+## DNS
+
+### TCP
+
+```json
+{
+  "dns": {
+    "servers": [
+      {
+        "type": "tcp",
+        "tag": "cloudlfare-tcp",
+        "server": "1.1.1.1",
+        "server_port": 53,
+        "reuse": true,
+        "pipeline": true
+      }
+    ]
+  }
+}
+```
+
+- `reuse`: Reuse TCP connection. Always enabled when `pipeline` is true.
+- `pipeline`: Enable DNS pipelining (RFC 9210). Multiple queries can be sent without waiting for responses, improving performance.
+
+### DoT
+
+```json
+{
+  "dns": {
+    "servers": [
+      {
+        "type": "tls",
+        "tag": "cloudflare-dot",
+        "server": "1.1.1.1",
+        "server_port": 853,
+        "pipeline": true
+      }
+    ]
+  }
+}
+```
+
+- `pipeline`: Enable DNS pipelining (RFC 9210). Multiple queries can be sent over the same TLS connection without waiting for responses,
+significantly improving performance in high-concurrency scenarios.
+
+## URLTest Fallback 支持
+
+按照**可用性**和**顺序**选择出站
+
+可用：指 URL 测试存在有效结果
+
+配置示例：
+```
+{
+    "tag": "fallback",
+    "type": "urltest",
+    "outbounds": [
+        "A",
+        "B",
+        "C"
+    ],
+    "fallback": {
+        "enabled": true, // 开启 fallback
+        "max_delay": "200ms" // 可选配置
+        // 若某节点可用，但是延迟超过 max_delay，则认为该节点不可用，淘汰忽略该节点，继续匹配选择下一个节点
+        // 但若所有节点均不可用，但是存在被 max_delay 规则淘汰的节点，则选择延迟最低的被淘汰节点
+    }
+}
+```
+以上配置为例子：
+1. 当 A, B, C 都可用时，优选选择 A。当 A 不可用时，优选选择 B。当 A, B 都不可用时，选择 C，若 C 也不可用，则返回第一个出站：A
+2. (配置了 max_delay) 当 A, C 都不可用，B 延迟超过 200ms 时（在第一轮选择时淘汰，被认为是不可用节点），则选择 B
+
+For extended features
+
+- Providers: [中文](./docs/configuration/provider/index.zh.md), [English](./docs/configuration/provider/index.md)
+
 ## License
 
 ```

adapter/dns.go

@@ -20,14 +20,18 @@ type DNSRouter interface {
 	Lookup(ctx context.Context, domain string, options DNSQueryOptions) ([]netip.Addr, error)
 	ClearCache()
 	LookupReverseMapping(ip netip.Addr) (string, bool)
+	Rules() []DNSRule
+	Rule(uuid string) (DNSRule, bool)
 	ResetNetwork()
 }
 
 type DNSClient interface {
 	Start()
-	Exchange(ctx context.Context, transport DNSTransport, message *dns.Msg, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error)
-	Lookup(ctx context.Context, transport DNSTransport, domain string, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error)
+	Exchange(ctx context.Context, transport DNSTransport, message *dns.Msg, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) (*dns.Msg, error, bool)
+	Lookup(ctx context.Context, transport DNSTransport, domain string, options DNSQueryOptions, responseChecker func(responseAddrs []netip.Addr) bool) ([]netip.Addr, error, bool)
 	ClearCache()
+	UpdateDnsCacheFromContext(ctx context.Context) bool
+	UpdateDnsCacheToContext(ctx context.Context) context.Context
 }
 
 type DNSQueryOptions struct {
@@ -37,6 +41,7 @@ type DNSQueryOptions struct {
 	DisableCache   bool
 	RewriteTTL     *uint32
 	ClientSubnet   netip.Prefix
+	LazyCacheTTL   *uint32
 }
 
 func DNSQueryOptionsFrom(ctx context.Context, options *option.DomainResolveOptions) (*DNSQueryOptions, error) {

adapter/experimental.go

@@ -7,6 +7,7 @@ import (
 	"io"
 	"time"
 
+	"github.com/sagernet/sing-box/common/hash"
 	"github.com/sagernet/sing/common/observable"
 	"github.com/sagernet/sing/common/varbin"
 )
@@ -55,9 +56,14 @@ type CacheFile interface {
 	StoreGroupExpand(group string, expand bool) error
 	LoadRuleSet(tag string) *SavedBinary
 	SaveRuleSet(tag string, set *SavedBinary) error
+	LoadExternalUI(tag string) *SavedBinary
+	SaveExternalUI(tag string, info *SavedBinary) error
+	LoadSubscription(tag string) *SavedBinary
+	SaveSubscription(tag string, sub *SavedBinary) error
 }
 
 type SavedBinary struct {
+	Hash        hash.HashType
 	Content     []byte
 	LastUpdated time.Time
 	LastEtag    string
@@ -69,6 +75,18 @@ func (s *SavedBinary) MarshalBinary() ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
+	hash, err := s.Hash.MarshalBinary()
+	if err != nil {
+		return nil, err
+	}
+	_, err = varbin.WriteUvarint(&buffer, uint64(len(hash)))
+	if err != nil {
+		return nil, err
+	}
+	_, err = buffer.Write(hash)
+	if err != nil {
+		return nil, err
+	}
 	_, err = varbin.WriteUvarint(&buffer, uint64(len(s.Content)))
 	if err != nil {
 		return nil, err
@@ -99,6 +117,19 @@ func (s *SavedBinary) UnmarshalBinary(data []byte) error {
 	if err != nil {
 		return err
 	}
+	hashLength, err := binary.ReadUvarint(reader)
+	if err != nil {
+		return err
+	}
+	hash := make([]byte, hashLength)
+	_, err = io.ReadFull(reader, hash)
+	if err != nil {
+		return err
+	}
+	err = s.Hash.UnmarshalBinary(hash)
+	if err != nil {
+		return err
+	}
 	contentLength, err := binary.ReadUvarint(reader)
 	if err != nil {
 		return err
@@ -138,9 +169,20 @@ type URLTestGroup interface {
 	URLTest(ctx context.Context) (map[string]uint16, error)
 }
 
+type LoadBalanceGroup interface {
+	OutboundGroup
+	URLTest(ctx context.Context) (map[string]uint16, error)
+}
+
+type SelectorGroup interface {
+	Selected() Outbound
+}
+
 func OutboundTag(detour Outbound) string {
 	if group, isGroup := detour.(OutboundGroup); isGroup {
-		return group.Now()
+		if now := group.Now(); now != "" {
+			return now
+		}
 	}
 	return detour.Tag()
 }

adapter/inbound.go

@@ -2,6 +2,7 @@ package adapter
 
 import (
 	"context"
+	"net"
 	"net/netip"
 	"time"
 
@@ -53,14 +54,17 @@ type InboundContext struct {
 	// sniffer
 
 	Protocol     string
-	Domain       string
+	SniffHost    string
 	Client       string
 	SniffContext any
 	SnifferNames []string
 	SniffError   error
 
 	// cache
 
+	CacheIPs []netip.Addr
+	Domain   string
+
 	// Deprecated: implement in rule action
 	InboundDetour             string
 	LastInbound               string
@@ -82,8 +86,11 @@ type InboundContext struct {
 	SourceGeoIPCode      string
 	GeoIPCode            string
 	ProcessInfo          *ConnectionOwner
+	SourceMACAddress     net.HardwareAddr
+	SourceHostname       string
 	QueryType            uint16
 	FakeIP               bool
+	DestOverride         bool
 
 	// rule cache
 
@@ -96,6 +103,32 @@ type InboundContext struct {
 	DestinationPortMatch         bool
 	DidMatch                     bool
 	IgnoreDestinationIPCIDRMatch bool
+
+	// extended metadata
+	Extended *InboundContextExtended
+}
+
+type InboundContextExtended struct {
+	RealOutboundChain []string
+}
+
+func (c *InboundContext) InitExtended() {
+	if c.Extended == nil {
+		c.Extended = new(InboundContextExtended)
+	}
+}
+
+func (c *InboundContext) AppendRealOutbound(tag string) {
+	if c.Extended != nil {
+		c.Extended.RealOutboundChain = append(c.Extended.RealOutboundChain, tag)
+	}
+}
+
+func (c *InboundContext) GetRealOutboundChain() []string {
+	if c.Extended != nil {
+		return c.Extended.RealOutboundChain
+	}
+	return nil
 }
 
 func (c *InboundContext) ResetRuleCache() {
@@ -111,6 +144,7 @@ func (c *InboundContext) ResetRuleCache() {
 type inboundContextKey struct{}
 
 func WithContext(ctx context.Context, inboundContext *InboundContext) context.Context {
+	inboundContext.InitExtended()
 	return context.WithValue(ctx, (*inboundContextKey)(nil), inboundContext)
 }
 

adapter/neighbor.go

@@ -0,0 +1,23 @@
+package adapter
+
+import (
+	"net"
+	"net/netip"
+)
+
+type NeighborEntry struct {
+	Address    netip.Addr
+	MACAddress net.HardwareAddr
+	Hostname   string
+}
+
+type NeighborResolver interface {
+	LookupMAC(address netip.Addr) (net.HardwareAddr, bool)
+	LookupHostname(address netip.Addr) (string, bool)
+	Start() error
+	Close() error
+}
+
+type NeighborUpdateListener interface {
+	UpdateNeighborTable(entries []NeighborEntry)
+}

adapter/platform.go

@@ -36,6 +36,10 @@ type PlatformInterface interface {
 
 	UsePlatformNotification() bool
 	SendNotification(notification *Notification) error
+
+	UsePlatformNeighborResolver() bool
+	StartNeighborMonitor(listener NeighborUpdateListener) error
+	CloseNeighborMonitor(listener NeighborUpdateListener) error
 }
 
 type FindConnectionOwnerRequest struct {