Update dependencies

go.mod

@@ -4,14 +4,14 @@ go 1.18
 
 require (
 	github.com/fsnotify/fsnotify v1.6.0
-	github.com/go-ole/go-ole v1.2.6
+	github.com/go-ole/go-ole v1.3.0
 	github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61
-	github.com/sagernet/gvisor v0.0.0-20230611140528-4411f7659a08
+	github.com/sagernet/gvisor v0.0.0-20230627031050-1ab0276e0dd2
 	github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97
-	github.com/sagernet/sing v0.2.5
+	github.com/sagernet/sing v0.2.13
 	github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9
-	golang.org/x/net v0.11.0
-	golang.org/x/sys v0.9.0
+	golang.org/x/net v0.16.0
+	golang.org/x/sys v0.13.0
 )
 
 require (

go.sum

@@ -1,29 +1,29 @@
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
-github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
-github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
+github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
+github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61 h1:5+m7c6AkmAylhauulqN/c5dnh8/KssrE9c93TQrXldA=
 github.com/sagernet/go-tun2socks v1.16.12-0.20220818015926-16cb67876a61/go.mod h1:QUQ4RRHD6hGGHdFMEtR8T2P6GS6R3D/CXKdaYHKKXms=
-github.com/sagernet/gvisor v0.0.0-20230611140528-4411f7659a08 h1:p1z8y0tXLCKSiJ7GbUlaYPhyEbWL8LKLMYFpVxRVsBg=
-github.com/sagernet/gvisor v0.0.0-20230611140528-4411f7659a08/go.mod h1:FgbjODax/nj7J2lr7+rqe88vHs0Ts93pC9na5ZiG9wg=
+github.com/sagernet/gvisor v0.0.0-20230627031050-1ab0276e0dd2 h1:dnkKrzapqtAwjTSWt6hdPrARORfoYvuUczynvRLrueo=
+github.com/sagernet/gvisor v0.0.0-20230627031050-1ab0276e0dd2/go.mod h1:1JUiV7nGuf++YFm9eWZ8q2lrwHmhcUGzptMl/vL1+LA=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97 h1:iL5gZI3uFp0X6EslacyapiRz7LLSJyr4RajF/BhMVyE=
 github.com/sagernet/netlink v0.0.0-20220905062125-8043b4a9aa97/go.mod h1:xLnfdiJbSp8rNqYEdIW/6eDO4mVoogml14Bh2hSiFpM=
 github.com/sagernet/sing v0.0.0-20220817130738-ce854cda8522/go.mod h1:QVsS5L/ZA2Q5UhQwLrn0Trw+msNd/NPGEhBKR/ioWiY=
-github.com/sagernet/sing v0.2.5 h1:N8sUluR8GZvR9DqUiH3FA3vBb4m/EDdOVTYUrDzJvmY=
-github.com/sagernet/sing v0.2.5/go.mod h1:Ta8nHnDLAwqySzKhGoKk4ZIB+vJ3GTKj7UPrWYvM+4w=
+github.com/sagernet/sing v0.2.13 h1:ohczGKWP+Yn3zlQXSvFn+6EKSELGggBi66D5rqpYRQ0=
+github.com/sagernet/sing v0.2.13/go.mod h1:AhNEHu0GXrpqkuzvTwvC8+j2cQUU/dh+zLEmq4C99pg=
 github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9 h1:rc/CcqLH3lh8n+csdOuDfP+NuykE0U6AeYSJJHKDgSg=
 github.com/scjalliance/comshim v0.0.0-20230315213746-5e51f40bd3b9/go.mod h1:a/83NAfUXvEuLpmxDssAXxgUgrEy12MId3Wd7OTs76s=
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 h1:gga7acRE695APm9hlsSMoOoE65U4/TcqNj90mc69Rlg=
 github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
-golang.org/x/net v0.11.0 h1:Gi2tvZIJyBtO9SDr1q9h5hEQCp/4L2RQ+ar0qjx2oNU=
-golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ=
-golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/net v0.16.0 h1:7eBu7KsSvFDtSXUIDbh3aqlK4DPsZ1rByC8PFfBThos=
+golang.org/x/net v0.16.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s=
-golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

gvisor_udp.go

@@ -1,118 +0,0 @@
-//go:build with_gvisor
-
-package tun
-
-import (
-	"context"
-	"math"
-	"net/netip"
-
-	"github.com/sagernet/gvisor/pkg/buffer"
-	"github.com/sagernet/gvisor/pkg/tcpip"
-	"github.com/sagernet/gvisor/pkg/tcpip/checksum"
-	"github.com/sagernet/gvisor/pkg/tcpip/header"
-	"github.com/sagernet/gvisor/pkg/tcpip/stack"
-	"github.com/sagernet/sing/common/buf"
-	M "github.com/sagernet/sing/common/metadata"
-	N "github.com/sagernet/sing/common/network"
-	"github.com/sagernet/sing/common/udpnat"
-)
-
-type UDPForwarder struct {
-	ctx    context.Context
-	stack  *stack.Stack
-	udpNat *udpnat.Service[netip.AddrPort]
-}
-
-func NewUDPForwarder(ctx context.Context, stack *stack.Stack, handler Handler, udpTimeout int64) *UDPForwarder {
-	return &UDPForwarder{
-		ctx:    ctx,
-		stack:  stack,
-		udpNat: udpnat.New[netip.AddrPort](udpTimeout, handler),
-	}
-}
-
-func (f *UDPForwarder) HandlePacket(id stack.TransportEndpointID, pkt stack.PacketBufferPtr) bool {
-	var upstreamMetadata M.Metadata
-	upstreamMetadata.Source = M.SocksaddrFrom(AddrFromAddress(id.RemoteAddress), id.RemotePort)
-	upstreamMetadata.Destination = M.SocksaddrFrom(AddrFromAddress(id.LocalAddress), id.LocalPort)
-	var netProto tcpip.NetworkProtocolNumber
-	if upstreamMetadata.Source.IsIPv4() {
-		netProto = header.IPv4ProtocolNumber
-	} else {
-		netProto = header.IPv6ProtocolNumber
-	}
-	f.udpNat.NewPacket(
-		f.ctx,
-		upstreamMetadata.Source.AddrPort(),
-		buf.As(pkt.Data().AsRange().ToSlice()),
-		upstreamMetadata,
-		func(natConn N.PacketConn) N.PacketWriter {
-			return &UDPBackWriter{f.stack, id.RemoteAddress, id.RemotePort, netProto}
-		},
-	)
-	return true
-}
-
-type UDPBackWriter struct {
-	stack         *stack.Stack
-	source        tcpip.Address
-	sourcePort    uint16
-	sourceNetwork tcpip.NetworkProtocolNumber
-}
-
-func (w *UDPBackWriter) WritePacket(packetBuffer *buf.Buffer, destination M.Socksaddr) error {
-	defer packetBuffer.Release()
-
-	route, err := w.stack.FindRoute(
-		defaultNIC,
-		AddressFromAddr(destination.Addr),
-		w.source,
-		w.sourceNetwork,
-		false,
-	)
-	if err != nil {
-		return wrapStackError(err)
-	}
-	defer route.Release()
-
-	packet := stack.NewPacketBuffer(stack.PacketBufferOptions{
-		ReserveHeaderBytes: header.UDPMinimumSize + int(route.MaxHeaderLength()),
-		Payload:            buffer.MakeWithData(packetBuffer.Bytes()),
-	})
-	defer packet.DecRef()
-
-	packet.TransportProtocolNumber = header.UDPProtocolNumber
-	udpHdr := header.UDP(packet.TransportHeader().Push(header.UDPMinimumSize))
-	pLen := uint16(packet.Size())
-	udpHdr.Encode(&header.UDPFields{
-		SrcPort: destination.Port,
-		DstPort: w.sourcePort,
-		Length:  pLen,
-	})
-
-	if route.RequiresTXTransportChecksum() && w.sourceNetwork == header.IPv6ProtocolNumber {
-		xsum := udpHdr.CalculateChecksum(checksum.Combine(
-			route.PseudoHeaderChecksum(header.UDPProtocolNumber, pLen),
-			packet.Data().Checksum(),
-		))
-		if xsum != math.MaxUint16 {
-			xsum = ^xsum
-		}
-		udpHdr.SetChecksum(xsum)
-	}
-
-	err = route.WritePacket(stack.NetworkHeaderParams{
-		Protocol: header.UDPProtocolNumber,
-		TTL:      route.DefaultTTL(),
-		TOS:      0,
-	}, packet)
-
-	if err != nil {
-		route.Stats().UDP.PacketSendErrors.Increment()
-		return wrapStackError(err)
-	}
-
-	route.Stats().UDP.PacketsSent.Increment()
-	return nil
-}

monitor.go

@@ -10,13 +10,14 @@ import (
 var ErrNoRoute = E.New("no route to internet")
 
 type (
-	NetworkUpdateCallback          = func() error
-	DefaultInterfaceUpdateCallback = func(event int) error
+	NetworkUpdateCallback          = func()
+	DefaultInterfaceUpdateCallback = func(event int)
 )
 
 const (
 	EventInterfaceUpdate  = 1
 	EventAndroidVPNUpdate = 2
+	EventNoRoute          = 4
 )
 
 type NetworkUpdateMonitor interface {
@@ -24,7 +25,6 @@ type NetworkUpdateMonitor interface {
 	Close() error
 	RegisterCallback(callback NetworkUpdateCallback) *list.Element[NetworkUpdateCallback]
 	UnregisterCallback(element *list.Element[NetworkUpdateCallback])
-	E.Handler
 }
 
 type DefaultInterfaceMonitor interface {

monitor_darwin.go

@@ -1,16 +1,15 @@
 package tun
 
 import (
-	"context"
 	"net"
 	"net/netip"
 	"os"
 	"sync"
-	"syscall"
 	"time"
 
-	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
 	"github.com/sagernet/sing/common/x/list"
 
 	"golang.org/x/net/route"
@@ -18,61 +17,78 @@ import (
 )
 
 type networkUpdateMonitor struct {
-	errorHandler E.Handler
-
-	access      sync.Mutex
-	callbacks   list.List[NetworkUpdateCallback]
-	routeSocket *os.File
+	access          sync.Mutex
+	callbacks       list.List[NetworkUpdateCallback]
+	routeSocketFile *os.File
+	closeOnce       sync.Once
+	done            chan struct{}
+	logger          logger.Logger
 }
 
-func NewNetworkUpdateMonitor(errorHandler E.Handler) (NetworkUpdateMonitor, error) {
+func NewNetworkUpdateMonitor(logger logger.Logger) (NetworkUpdateMonitor, error) {
 	return &networkUpdateMonitor{
-		errorHandler: errorHandler,
+		logger: logger,
+		done:   make(chan struct{}),
 	}, nil
 }
 
 func (m *networkUpdateMonitor) Start() error {
-	routeSocket, err := unix.Socket(unix.AF_ROUTE, unix.SOCK_RAW, 0)
-	if err != nil {
-		return err
-	}
-	err = unix.SetNonblock(routeSocket, true)
-	if err != nil {
-		return err
-	}
-	m.routeSocket = os.NewFile(uintptr(routeSocket), "route")
 	go m.loopUpdate()
 	return nil
 }
 
 func (m *networkUpdateMonitor) loopUpdate() {
-	rawConn, err := m.routeSocket.SyscallConn()
+	for {
+		select {
+		case <-m.done:
+			return
+		case <-time.After(time.Second):
+		}
+		err := m.loopUpdate0()
+		if err != nil {
+			m.logger.Error("listen network update: ", err)
+			return
+		}
+	}
+}
+
+func (m *networkUpdateMonitor) loopUpdate0() error {
+	routeSocket, err := unix.Socket(unix.AF_ROUTE, unix.SOCK_RAW, 0)
+	if err != nil {
+		return err
+	}
+	routeSocketFile := os.NewFile(uintptr(routeSocket), "route")
+	m.routeSocketFile = routeSocketFile
+	m.loopUpdate1(routeSocketFile)
+	return nil
+}
+
+func (m *networkUpdateMonitor) loopUpdate1(routeSocketFile *os.File) {
+	defer routeSocketFile.Close()
+	buffer := buf.NewPacket()
+	defer buffer.Release()
+	n, err := routeSocketFile.Read(buffer.FreeBytes())
 	if err != nil {
-		m.errorHandler.NewError(context.Background(), E.Cause(err, "create raw route connection"))
 		return
 	}
-	for {
-		var innerErr error
-		err = rawConn.Read(func(fd uintptr) (done bool) {
-			var msg [2048]byte
-			_, innerErr = unix.Read(int(fd), msg[:])
-			return innerErr != unix.EWOULDBLOCK
-		})
-		if innerErr != nil {
-			err = innerErr
-		}
-		if err != nil {
-			break
-		}
-		m.emit()
+	buffer.Truncate(n)
+	messages, err := route.ParseRIB(route.RIBTypeRoute, buffer.Bytes())
+	if err != nil {
+		return
 	}
-	if err != syscall.EAGAIN {
-		m.errorHandler.NewError(context.Background(), E.Cause(err, "read route message"))
+	for _, message := range messages {
+		if _, isRouteMessage := message.(*route.RouteMessage); isRouteMessage {
+			m.emit()
+			return
+		}
 	}
 }
 
 func (m *networkUpdateMonitor) Close() error {
-	return common.Close(common.PtrOrNil(m.routeSocket))
+	m.closeOnce.Do(func() {
+		close(m.done)
+	})
+	return nil
 }
 
 func (m *defaultInterfaceMonitor) checkUpdate() error {
@@ -116,7 +132,7 @@ func (m *defaultInterfaceMonitor) checkUpdate() error {
 			continue
 		}
 		if routeMessage.Flags&unix.RTF_IFSCOPE != 0 {
-			continue
+			// continue
 		}
 		defaultInterface = routeInterface
 		break

monitor_linux.go

@@ -2,30 +2,48 @@ package tun
 
 import (
 	"os"
+	"runtime"
 	"sync"
 
 	"github.com/sagernet/netlink"
-	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
 	"github.com/sagernet/sing/common/x/list"
+
+	"golang.org/x/sys/unix"
 )
 
 type networkUpdateMonitor struct {
-	routeUpdate  chan netlink.RouteUpdate
-	linkUpdate   chan netlink.LinkUpdate
-	close        chan struct{}
-	errorHandler E.Handler
+	routeUpdate chan netlink.RouteUpdate
+	linkUpdate  chan netlink.LinkUpdate
+	close       chan struct{}
 
 	access    sync.Mutex
 	callbacks list.List[NetworkUpdateCallback]
+	logger    logger.Logger
 }
 
-func NewNetworkUpdateMonitor(errorHandler E.Handler) (NetworkUpdateMonitor, error) {
-	return &networkUpdateMonitor{
-		routeUpdate:  make(chan netlink.RouteUpdate, 2),
-		linkUpdate:   make(chan netlink.LinkUpdate, 2),
-		close:        make(chan struct{}),
-		errorHandler: errorHandler,
-	}, nil
+func NewNetworkUpdateMonitor(logger logger.Logger) (NetworkUpdateMonitor, error) {
+	monitor := &networkUpdateMonitor{
+		routeUpdate: make(chan netlink.RouteUpdate, 2),
+		linkUpdate:  make(chan netlink.LinkUpdate, 2),
+		close:       make(chan struct{}),
+		logger:      logger,
+	}
+	// check is netlink banned by google
+	if runtime.GOOS == "android" {
+		netlinkSocket, err := unix.Socket(unix.AF_NETLINK, unix.SOCK_DGRAM, unix.NETLINK_ROUTE)
+		if err != nil {
+			return nil, os.ErrInvalid
+		}
+		err = unix.Bind(netlinkSocket, &unix.SockaddrNetlink{
+			Family: unix.AF_NETLINK,
+		})
+		unix.Close(netlinkSocket)
+		if err != nil {
+			return nil, os.ErrInvalid
+		}
+	}
+	return monitor, nil
 }
 
 func (m *networkUpdateMonitor) Start() error {

monitor_linux_default.go

@@ -4,7 +4,6 @@ package tun
 
 import (
 	"github.com/sagernet/netlink"
-	E "github.com/sagernet/sing/common/exceptions"
 
 	"golang.org/x/sys/unix"
 )
@@ -37,5 +36,5 @@ func (m *defaultInterfaceMonitor) checkUpdate() error {
 		m.emit(EventInterfaceUpdate)
 		return nil
 	}
-	return E.New("no route to internet")
+	return ErrNoRoute
 }

monitor_other.go

@@ -5,13 +5,13 @@ package tun
 import (
 	"os"
 
-	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
 )
 
-func NewNetworkUpdateMonitor(errorHandler E.Handler) (NetworkUpdateMonitor, error) {
+func NewNetworkUpdateMonitor(logger logger.Logger) (NetworkUpdateMonitor, error) {
 	return nil, os.ErrInvalid
 }
 
-func NewDefaultInterfaceMonitor(networkMonitor NetworkUpdateMonitor, options DefaultInterfaceMonitorOptions) (DefaultInterfaceMonitor, error) {
+func NewDefaultInterfaceMonitor(networkMonitor NetworkUpdateMonitor, logger logger.Logger, options DefaultInterfaceMonitorOptions) (DefaultInterfaceMonitor, error) {
 	return nil, os.ErrInvalid
 }

monitor_shared.go

@@ -3,14 +3,14 @@
 package tun
 
 import (
-	"context"
+	"errors"
 	"net"
 	"net/netip"
 	"sync"
 	"time"
 
 	"github.com/sagernet/sing/common"
-	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
 	M "github.com/sagernet/sing/common/metadata"
 	"github.com/sagernet/sing/common/x/list"
 )
@@ -32,17 +32,10 @@ func (m *networkUpdateMonitor) emit() {
 	callbacks := m.callbacks.Array()
 	m.access.Unlock()
 	for _, callback := range callbacks {
-		err := callback()
-		if err != nil {
-			m.NewError(context.Background(), err)
-		}
+		callback()
 	}
 }
 
-func (m *networkUpdateMonitor) NewError(ctx context.Context, err error) {
-	m.errorHandler.NewError(ctx, err)
-}
-
 type defaultInterfaceMonitor struct {
 	options               DefaultInterfaceMonitorOptions
 	networkAddresses      []networkAddress
@@ -53,6 +46,7 @@ type defaultInterfaceMonitor struct {
 	element               *list.Element[NetworkUpdateCallback]
 	access                sync.Mutex
 	callbacks             list.List[DefaultInterfaceUpdateCallback]
+	logger                logger.Logger
 }
 
 type networkAddress struct {
@@ -61,30 +55,36 @@ type networkAddress struct {
 	addresses      []netip.Prefix
 }
 
-func NewDefaultInterfaceMonitor(networkMonitor NetworkUpdateMonitor, options DefaultInterfaceMonitorOptions) (DefaultInterfaceMonitor, error) {
+func NewDefaultInterfaceMonitor(networkMonitor NetworkUpdateMonitor, logger logger.Logger, options DefaultInterfaceMonitorOptions) (DefaultInterfaceMonitor, error) {
 	return &defaultInterfaceMonitor{
 		options:               options,
 		networkMonitor:        networkMonitor,
 		defaultInterfaceIndex: -1,
+		logger:                logger,
 	}, nil
 }
 
 func (m *defaultInterfaceMonitor) Start() error {
 	err := m.checkUpdate()
 	if err != nil {
-		m.networkMonitor.NewError(context.Background(), err)
+		m.logger.Error("initialize default interface: ", err)
 	}
 	m.element = m.networkMonitor.RegisterCallback(m.delayCheckUpdate)
 	return nil
 }
 
-func (m *defaultInterfaceMonitor) delayCheckUpdate() error {
+func (m *defaultInterfaceMonitor) delayCheckUpdate() {
 	time.Sleep(time.Second)
 	err := m.updateInterfaces()
 	if err != nil {
-		m.networkMonitor.NewError(context.Background(), E.Cause(err, "update interfaces"))
+		m.logger.Error("update interfaces: ", err)
+	}
+	err = m.checkUpdate()
+	if errors.Is(err, ErrNoRoute) {
+		m.defaultInterfaceName = ""
+		m.defaultInterfaceIndex = -1
+		m.emit(EventNoRoute)
 	}
-	return m.checkUpdate()
 }
 
 func (m *defaultInterfaceMonitor) updateInterfaces() error {
@@ -175,9 +175,6 @@ func (m *defaultInterfaceMonitor) emit(event int) {
 	callbacks := m.callbacks.Array()
 	m.access.Unlock()
 	for _, callback := range callbacks {
-		err := callback(event)
-		if err != nil {
-			m.networkMonitor.NewError(context.Background(), err)
-		}
+		callback(event)
 	}
 }

monitor_windows.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/sagernet/sing-tun/internal/winipcfg"
 	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
 	"github.com/sagernet/sing/common/x/list"
 
 	"golang.org/x/sys/windows"
@@ -17,11 +18,12 @@ type networkUpdateMonitor struct {
 
 	access    sync.Mutex
 	callbacks list.List[NetworkUpdateCallback]
+	logger    logger.Logger
 }
 
-func NewNetworkUpdateMonitor(errorHandler E.Handler) (NetworkUpdateMonitor, error) {
+func NewNetworkUpdateMonitor(logger logger.Logger) (NetworkUpdateMonitor, error) {
 	return &networkUpdateMonitor{
-		errorHandler: errorHandler,
+		logger: logger,
 	}, nil
 }
 

stack.go

@@ -35,9 +35,15 @@ func NewStack(
 ) (Stack, error) {
 	switch stack {
 	case "":
-		return NewSystem(options)
+		if WithGVisor {
+			return NewMixed(options)
+		} else {
+			return NewSystem(options)
+		}
 	case "gvisor":
 		return NewGVisor(options)
+	case "mixed":
+		return NewMixed(options)
 	case "system":
 		return NewSystem(options)
 	case "lwip":

stack_gvisor.go

@@ -70,44 +70,10 @@ func (t *GVisor) Start() error {
 	if err != nil {
 		return err
 	}
-	ipStack := stack.New(stack.Options{
-		NetworkProtocols: []stack.NetworkProtocolFactory{
-			ipv4.NewProtocol,
-			ipv6.NewProtocol,
-		},
-		TransportProtocols: []stack.TransportProtocolFactory{
-			tcp.NewProtocol,
-			udp.NewProtocol,
-			icmp.NewProtocol4,
-			icmp.NewProtocol6,
-		},
-	})
-	tErr := ipStack.CreateNIC(defaultNIC, linkEndpoint)
-	if tErr != nil {
-		return E.New("create nic: ", wrapStackError(tErr))
+	ipStack, err := newGVisorStack(linkEndpoint)
+	if err != nil {
+		return err
 	}
-	ipStack.SetRouteTable([]tcpip.Route{
-		{Destination: header.IPv4EmptySubnet, NIC: defaultNIC},
-		{Destination: header.IPv6EmptySubnet, NIC: defaultNIC},
-	})
-	ipStack.SetSpoofing(defaultNIC, true)
-	ipStack.SetPromiscuousMode(defaultNIC, true)
-	bufSize := 20 * 1024
-	ipStack.SetTransportProtocolOption(tcp.ProtocolNumber, &tcpip.TCPReceiveBufferSizeRangeOption{
-		Min:     1,
-		Default: bufSize,
-		Max:     bufSize,
-	})
-	ipStack.SetTransportProtocolOption(tcp.ProtocolNumber, &tcpip.TCPSendBufferSizeRangeOption{
-		Min:     1,
-		Default: bufSize,
-		Max:     bufSize,
-	})
-	sOpt := tcpip.TCPSACKEnabled(true)
-	ipStack.SetTransportProtocolOption(tcp.ProtocolNumber, &sOpt)
-	mOpt := tcpip.TCPModerateReceiveBufferOption(true)
-	ipStack.SetTransportProtocolOption(tcp.ProtocolNumber, &mOpt)
-
 	tcpForwarder := tcp.NewForwarder(ipStack, 0, 1024, func(r *tcp.ForwarderRequest) {
 		var wq waiter.Queue
 		handshakeCtx, cancel := context.WithCancel(context.Background())
@@ -162,11 +128,12 @@ func (t *GVisor) Start() error {
 				endpoint.Abort()
 				return
 			}
+			gConn := &gUDPConn{UDPConn: udpConn}
 			go func() {
 				var metadata M.Metadata
 				metadata.Source = M.SocksaddrFromNet(lAddr)
 				metadata.Destination = M.SocksaddrFromNet(rAddr)
-				ctx, conn := canceler.NewPacketConn(t.ctx, bufio.NewPacketConn(&bufio.UnbindPacketConn{ExtendedConn: bufio.NewExtendedConn(&gUDPConn{udpConn}), Addr: M.SocksaddrFromNet(rAddr)}), time.Duration(t.udpTimeout)*time.Second)
+				ctx, conn := canceler.NewPacketConn(t.ctx, bufio.NewPacketConn(&bufio.UnbindPacketConn{ExtendedConn: bufio.NewExtendedConn(gConn), Addr: M.SocksaddrFromNet(rAddr)}), time.Duration(t.udpTimeout)*time.Second)
 				hErr := t.handler.NewPacketConnection(ctx, conn, metadata)
 				if hErr != nil {
 					endpoint.Abort()
@@ -207,3 +174,44 @@ func AddrFromAddress(address tcpip.Address) netip.Addr {
 		return netip.AddrFrom4(address.As4())
 	}
 }
+
+func newGVisorStack(ep stack.LinkEndpoint) (*stack.Stack, error) {
+	ipStack := stack.New(stack.Options{
+		NetworkProtocols: []stack.NetworkProtocolFactory{
+			ipv4.NewProtocol,
+			ipv6.NewProtocol,
+		},
+		TransportProtocols: []stack.TransportProtocolFactory{
+			tcp.NewProtocol,
+			udp.NewProtocol,
+			icmp.NewProtocol4,
+			icmp.NewProtocol6,
+		},
+	})
+	tErr := ipStack.CreateNIC(defaultNIC, ep)
+	if tErr != nil {
+		return nil, E.New("create nic: ", wrapStackError(tErr))
+	}
+	ipStack.SetRouteTable([]tcpip.Route{
+		{Destination: header.IPv4EmptySubnet, NIC: defaultNIC},
+		{Destination: header.IPv6EmptySubnet, NIC: defaultNIC},
+	})
+	ipStack.SetSpoofing(defaultNIC, true)
+	ipStack.SetPromiscuousMode(defaultNIC, true)
+	bufSize := 20 * 1024
+	ipStack.SetTransportProtocolOption(tcp.ProtocolNumber, &tcpip.TCPReceiveBufferSizeRangeOption{
+		Min:     1,
+		Default: bufSize,
+		Max:     bufSize,
+	})
+	ipStack.SetTransportProtocolOption(tcp.ProtocolNumber, &tcpip.TCPSendBufferSizeRangeOption{
+		Min:     1,
+		Default: bufSize,
+		Max:     bufSize,
+	})
+	sOpt := tcpip.TCPSACKEnabled(true)
+	ipStack.SetTransportProtocolOption(tcp.ProtocolNumber, &sOpt)
+	mOpt := tcpip.TCPModerateReceiveBufferOption(true)
+	ipStack.SetTransportProtocolOption(tcp.ProtocolNumber, &mOpt)
+	return ipStack, nil
+}

stack_gvisor_err.go

@@ -27,28 +27,6 @@ func (c *gTCPConn) Write(b []byte) (n int, err error) {
 	return
 }
 
-type gUDPConn struct {
-	*gonet.UDPConn
-}
-
-func (c *gUDPConn) Read(b []byte) (n int, err error) {
-	n, err = c.UDPConn.Read(b)
-	if err == nil {
-		return
-	}
-	err = wrapError(err)
-	return
-}
-
-func (c *gUDPConn) Write(b []byte) (n int, err error) {
-	n, err = c.UDPConn.Write(b)
-	if err == nil {
-		return
-	}
-	err = wrapError(err)
-	return
-}
-
 func wrapStackError(err tcpip.Error) error {
 	switch err.(type) {
 	case *tcpip.ErrClosedForSend,

stack_gvisor_stub.go

@@ -13,3 +13,9 @@ func NewGVisor(
 ) (Stack, error) {
 	return nil, ErrGVisorNotIncluded
 }
+
+func NewMixed(
+	options StackOptions,
+) (Stack, error) {
+	return nil, ErrGVisorNotIncluded
+}

stack_gvisor_udp.go

@@ -0,0 +1,221 @@
+//go:build with_gvisor
+
+package tun
+
+import (
+	"context"
+	"errors"
+	"math"
+	"net/netip"
+	"os"
+	"sync"
+	"syscall"
+
+	"github.com/sagernet/gvisor/pkg/buffer"
+	"github.com/sagernet/gvisor/pkg/tcpip"
+	"github.com/sagernet/gvisor/pkg/tcpip/adapters/gonet"
+	"github.com/sagernet/gvisor/pkg/tcpip/checksum"
+	"github.com/sagernet/gvisor/pkg/tcpip/header"
+	"github.com/sagernet/gvisor/pkg/tcpip/stack"
+	"github.com/sagernet/sing/common/buf"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/udpnat"
+)
+
+type UDPForwarder struct {
+	ctx    context.Context
+	stack  *stack.Stack
+	udpNat *udpnat.Service[netip.AddrPort]
+
+	// cache
+	cacheProto tcpip.NetworkProtocolNumber
+	cacheID    stack.TransportEndpointID
+}
+
+func NewUDPForwarder(ctx context.Context, stack *stack.Stack, handler Handler, udpTimeout int64) *UDPForwarder {
+	return &UDPForwarder{
+		ctx:    ctx,
+		stack:  stack,
+		udpNat: udpnat.New[netip.AddrPort](udpTimeout, handler),
+	}
+}
+
+func (f *UDPForwarder) HandlePacket(id stack.TransportEndpointID, pkt stack.PacketBufferPtr) bool {
+	var upstreamMetadata M.Metadata
+	upstreamMetadata.Source = M.SocksaddrFrom(AddrFromAddress(id.RemoteAddress), id.RemotePort)
+	upstreamMetadata.Destination = M.SocksaddrFrom(AddrFromAddress(id.LocalAddress), id.LocalPort)
+	if upstreamMetadata.Source.IsIPv4() {
+		f.cacheProto = header.IPv4ProtocolNumber
+	} else {
+		f.cacheProto = header.IPv6ProtocolNumber
+	}
+	gBuffer := pkt.Data().ToBuffer()
+	sBuffer := buf.NewSize(int(gBuffer.Size()))
+	gBuffer.Apply(func(view *buffer.View) {
+		sBuffer.Write(view.AsSlice())
+	})
+	f.cacheID = id
+	f.udpNat.NewPacket(
+		f.ctx,
+		upstreamMetadata.Source.AddrPort(),
+		sBuffer,
+		upstreamMetadata,
+		f.newUDPConn,
+	)
+	return true
+}
+
+func (f *UDPForwarder) newUDPConn(natConn N.PacketConn) N.PacketWriter {
+	return &UDPBackWriter{
+		stack:         f.stack,
+		source:        f.cacheID.RemoteAddress,
+		sourcePort:    f.cacheID.RemotePort,
+		sourceNetwork: f.cacheProto,
+	}
+}
+
+type UDPBackWriter struct {
+	access        sync.Mutex
+	stack         *stack.Stack
+	source        tcpip.Address
+	sourcePort    uint16
+	sourceNetwork tcpip.NetworkProtocolNumber
+	packet        stack.PacketBufferPtr
+}
+
+func (w *UDPBackWriter) WritePacket(packetBuffer *buf.Buffer, destination M.Socksaddr) error {
+	if !destination.IsIP() {
+		return E.Cause(os.ErrInvalid, "invalid destination")
+	} else if destination.IsIPv4() && w.sourceNetwork == header.IPv6ProtocolNumber {
+		destination = M.SocksaddrFrom(netip.AddrFrom16(destination.Addr.As16()), destination.Port)
+	} else if destination.IsIPv6() && (w.sourceNetwork == header.IPv4ProtocolNumber) {
+		return E.New("send IPv6 packet to IPv4 connection")
+	}
+
+	defer packetBuffer.Release()
+
+	route, err := w.stack.FindRoute(
+		defaultNIC,
+		AddressFromAddr(destination.Addr),
+		w.source,
+		w.sourceNetwork,
+		false,
+	)
+	if err != nil {
+		return wrapStackError(err)
+	}
+	defer route.Release()
+
+	packet := stack.NewPacketBuffer(stack.PacketBufferOptions{
+		ReserveHeaderBytes: header.UDPMinimumSize + int(route.MaxHeaderLength()),
+		Payload:            buffer.MakeWithData(packetBuffer.Bytes()),
+	})
+	defer packet.DecRef()
+
+	packet.TransportProtocolNumber = header.UDPProtocolNumber
+	udpHdr := header.UDP(packet.TransportHeader().Push(header.UDPMinimumSize))
+	pLen := uint16(packet.Size())
+	udpHdr.Encode(&header.UDPFields{
+		SrcPort: destination.Port,
+		DstPort: w.sourcePort,
+		Length:  pLen,
+	})
+
+	if route.RequiresTXTransportChecksum() && w.sourceNetwork == header.IPv6ProtocolNumber {
+		xsum := udpHdr.CalculateChecksum(checksum.Combine(
+			route.PseudoHeaderChecksum(header.UDPProtocolNumber, pLen),
+			packet.Data().Checksum(),
+		))
+		if xsum != math.MaxUint16 {
+			xsum = ^xsum
+		}
+		udpHdr.SetChecksum(xsum)
+	}
+
+	err = route.WritePacket(stack.NetworkHeaderParams{
+		Protocol: header.UDPProtocolNumber,
+		TTL:      route.DefaultTTL(),
+		TOS:      0,
+	}, packet)
+
+	if err != nil {
+		route.Stats().UDP.PacketSendErrors.Increment()
+		return wrapStackError(err)
+	}
+
+	route.Stats().UDP.PacketsSent.Increment()
+	return nil
+}
+
+type gRequest struct {
+	stack *stack.Stack
+	id    stack.TransportEndpointID
+	pkt   stack.PacketBufferPtr
+}
+
+type gUDPConn struct {
+	*gonet.UDPConn
+}
+
+func (c *gUDPConn) Read(b []byte) (n int, err error) {
+	n, err = c.UDPConn.Read(b)
+	if err == nil {
+		return
+	}
+	err = wrapError(err)
+	return
+}
+
+func (c *gUDPConn) Write(b []byte) (n int, err error) {
+	n, err = c.UDPConn.Write(b)
+	if err == nil {
+		return
+	}
+	err = wrapError(err)
+	return
+}
+
+func (c *gUDPConn) Close() error {
+	return c.UDPConn.Close()
+}
+
+func gWriteUnreachable(gStack *stack.Stack, packet stack.PacketBufferPtr, err error) (retErr error) {
+	if errors.Is(err, syscall.ENETUNREACH) {
+		if packet.NetworkProtocolNumber == header.IPv4ProtocolNumber {
+			return gWriteUnreachable4(gStack, packet, stack.RejectIPv4WithICMPNetUnreachable)
+		} else {
+			return gWriteUnreachable6(gStack, packet, stack.RejectIPv6WithICMPNoRoute)
+		}
+	} else if errors.Is(err, syscall.EHOSTUNREACH) {
+		if packet.NetworkProtocolNumber == header.IPv4ProtocolNumber {
+			return gWriteUnreachable4(gStack, packet, stack.RejectIPv4WithICMPHostUnreachable)
+		} else {
+			return gWriteUnreachable6(gStack, packet, stack.RejectIPv6WithICMPNoRoute)
+		}
+	} else if errors.Is(err, syscall.ECONNREFUSED) {
+		if packet.NetworkProtocolNumber == header.IPv4ProtocolNumber {
+			return gWriteUnreachable4(gStack, packet, stack.RejectIPv4WithICMPPortUnreachable)
+		} else {
+			return gWriteUnreachable6(gStack, packet, stack.RejectIPv6WithICMPPortUnreachable)
+		}
+	}
+	return nil
+}
+
+func gWriteUnreachable4(gStack *stack.Stack, packet stack.PacketBufferPtr, icmpCode stack.RejectIPv4WithICMPType) error {
+	err := gStack.NetworkProtocolInstance(header.IPv4ProtocolNumber).(stack.RejectIPv4WithHandler).SendRejectionError(packet, icmpCode, true)
+	if err != nil {
+		return wrapStackError(err)
+	}
+	return nil
+}
+
+func gWriteUnreachable6(gStack *stack.Stack, packet stack.PacketBufferPtr, icmpCode stack.RejectIPv6WithICMPType) error {
+	err := gStack.NetworkProtocolInstance(header.IPv6ProtocolNumber).(stack.RejectIPv6WithHandler).SendRejectionError(packet, icmpCode, true)
+	if err != nil {
+		return wrapStackError(err)
+	}
+	return nil
+}

stack_lwip.go

@@ -52,18 +52,13 @@ func (l *LWIP) loopIn() {
 		l.loopInWintun(winTun)
 		return
 	}
-	mtu := int(l.tunMtu) + PacketOffset
-	_buffer := buf.StackNewSize(mtu)
-	defer common.KeepAlive(_buffer)
-	buffer := common.Dup(_buffer)
-	defer buffer.Release()
-	data := buffer.FreeBytes()
+	buffer := make([]byte, int(l.tunMtu)+PacketOffset)
 	for {
-		n, err := l.tun.Read(data)
+		n, err := l.tun.Read(buffer)
 		if err != nil {
 			return
 		}
-		_, err = l.stack.Write(data[PacketOffset:n])
+		_, err = l.stack.Write(buffer[PacketOffset:n])
 		if err != nil {
 			if err.Error() == "stack closed" {
 				return

stack_mixed.go

@@ -0,0 +1,201 @@
+//go:build with_gvisor
+
+package tun
+
+import (
+	"time"
+
+	"github.com/sagernet/gvisor/pkg/buffer"
+	"github.com/sagernet/gvisor/pkg/tcpip/adapters/gonet"
+	"github.com/sagernet/gvisor/pkg/tcpip/header"
+	"github.com/sagernet/gvisor/pkg/tcpip/link/channel"
+	"github.com/sagernet/gvisor/pkg/tcpip/stack"
+	"github.com/sagernet/gvisor/pkg/tcpip/transport/udp"
+	"github.com/sagernet/gvisor/pkg/waiter"
+	"github.com/sagernet/sing-tun/internal/clashtcpip"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/bufio"
+	"github.com/sagernet/sing/common/canceler"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+type Mixed struct {
+	*System
+	writer                 N.VectorisedWriter
+	endpointIndependentNat bool
+	stack                  *stack.Stack
+	endpoint               *channel.Endpoint
+}
+
+func NewMixed(
+	options StackOptions,
+) (Stack, error) {
+	system, err := NewSystem(options)
+	if err != nil {
+		return nil, err
+	}
+	return &Mixed{
+		System:                 system.(*System),
+		writer:                 options.Tun.CreateVectorisedWriter(),
+		endpointIndependentNat: options.EndpointIndependentNat,
+	}, nil
+}
+
+func (m *Mixed) Start() error {
+	err := m.System.start()
+	if err != nil {
+		return err
+	}
+	endpoint := channel.New(1024, m.mtu, "")
+	ipStack, err := newGVisorStack(endpoint)
+	if err != nil {
+		return err
+	}
+	if !m.endpointIndependentNat {
+		udpForwarder := udp.NewForwarder(ipStack, func(request *udp.ForwarderRequest) {
+			var wq waiter.Queue
+			endpoint, err := request.CreateEndpoint(&wq)
+			if err != nil {
+				return
+			}
+			udpConn := gonet.NewUDPConn(ipStack, &wq, endpoint)
+			lAddr := udpConn.RemoteAddr()
+			rAddr := udpConn.LocalAddr()
+			if lAddr == nil || rAddr == nil {
+				endpoint.Abort()
+				return
+			}
+			gConn := &gUDPConn{UDPConn: udpConn}
+			go func() {
+				var metadata M.Metadata
+				metadata.Source = M.SocksaddrFromNet(lAddr)
+				metadata.Destination = M.SocksaddrFromNet(rAddr)
+				ctx, conn := canceler.NewPacketConn(m.ctx, bufio.NewPacketConn(&bufio.UnbindPacketConn{ExtendedConn: bufio.NewExtendedConn(gConn), Addr: M.SocksaddrFromNet(rAddr)}), time.Duration(m.udpTimeout)*time.Second)
+				hErr := m.handler.NewPacketConnection(ctx, conn, metadata)
+				if hErr != nil {
+					endpoint.Abort()
+				}
+			}()
+		})
+		ipStack.SetTransportProtocolHandler(udp.ProtocolNumber, udpForwarder.HandlePacket)
+	} else {
+		ipStack.SetTransportProtocolHandler(udp.ProtocolNumber, NewUDPForwarder(m.ctx, ipStack, m.handler, m.udpTimeout).HandlePacket)
+	}
+	m.stack = ipStack
+	m.endpoint = endpoint
+	go m.tunLoop()
+	go m.packetLoop()
+	return nil
+}
+
+func (m *Mixed) tunLoop() {
+	if winTun, isWinTun := m.tun.(WinTun); isWinTun {
+		m.wintunLoop(winTun)
+		return
+	}
+	packetBuffer := make([]byte, m.mtu+PacketOffset)
+	for {
+		n, err := m.tun.Read(packetBuffer)
+		if err != nil {
+			return
+		}
+		if n < clashtcpip.IPv4PacketMinLength {
+			continue
+		}
+		packet := packetBuffer[PacketOffset:n]
+		switch ipVersion := packet[0] >> 4; ipVersion {
+		case 4:
+			err = m.processIPv4(packet)
+		case 6:
+			err = m.processIPv6(packet)
+		default:
+			err = E.New("ip: unknown version: ", ipVersion)
+		}
+		if err != nil {
+			m.logger.Trace(err)
+		}
+	}
+}
+
+func (m *Mixed) wintunLoop(winTun WinTun) {
+	for {
+		packet, release, err := winTun.ReadPacket()
+		if err != nil {
+			return
+		}
+		if len(packet) < clashtcpip.IPv4PacketMinLength {
+			release()
+			continue
+		}
+		switch ipVersion := packet[0] >> 4; ipVersion {
+		case 4:
+			err = m.processIPv4(packet)
+		case 6:
+			err = m.processIPv6(packet)
+		default:
+			err = E.New("ip: unknown version: ", ipVersion)
+		}
+		if err != nil {
+			m.logger.Trace(err)
+		}
+		release()
+	}
+}
+
+func (m *Mixed) processIPv4(packet clashtcpip.IPv4Packet) error {
+	switch packet.Protocol() {
+	case clashtcpip.TCP:
+		return m.processIPv4TCP(packet, packet.Payload())
+	case clashtcpip.UDP:
+		pkt := stack.NewPacketBuffer(stack.PacketBufferOptions{
+			Payload: buffer.MakeWithData(packet),
+		})
+		m.endpoint.InjectInbound(header.IPv4ProtocolNumber, pkt)
+		pkt.DecRef()
+		return nil
+	case clashtcpip.ICMP:
+		return m.processIPv4ICMP(packet, packet.Payload())
+	default:
+		return common.Error(m.tun.Write(packet))
+	}
+}
+
+func (m *Mixed) processIPv6(packet clashtcpip.IPv6Packet) error {
+	switch packet.Protocol() {
+	case clashtcpip.TCP:
+		return m.processIPv6TCP(packet, packet.Payload())
+	case clashtcpip.UDP:
+		pkt := stack.NewPacketBuffer(stack.PacketBufferOptions{
+			Payload: buffer.MakeWithData(packet),
+		})
+		m.endpoint.InjectInbound(header.IPv6ProtocolNumber, pkt)
+		pkt.DecRef()
+		return nil
+	case clashtcpip.ICMPv6:
+		return m.processIPv6ICMP(packet, packet.Payload())
+	default:
+		return common.Error(m.tun.Write(packet))
+	}
+}
+
+func (m *Mixed) packetLoop() {
+	for {
+		packet := m.endpoint.ReadContext(m.ctx)
+		if packet == nil {
+			break
+		}
+		bufio.WriteVectorised(m.writer, packet.AsSlices())
+		packet.DecRef()
+	}
+}
+
+func (m *Mixed) Close() error {
+	m.endpoint.Attach(nil)
+	m.stack.Close()
+	for _, endpoint := range m.stack.CleanupEndpoints() {
+		endpoint.Abort()
+	}
+	return m.System.Close()
+}

stack_system.go

@@ -91,6 +91,15 @@ func (s *System) Close() error {
 }
 
 func (s *System) Start() error {
+	err := s.start()
+	if err != nil {
+		return err
+	}
+	go s.tunLoop()
+	return nil
+}
+
+func (s *System) start() error {
 	err := fixWindowsFirewall()
 	if err != nil {
 		return E.Cause(err, "fix windows firewall for system stack")
@@ -125,7 +134,6 @@ func (s *System) Start() error {
 	}
 	s.tcpNat = NewNat(s.ctx, time.Second*time.Duration(s.udpTimeout))
 	s.udpNat = udpnat.New[netip.AddrPort](s.udpTimeout, s.handler)
-	go s.tunLoop()
 	return nil
 }
 
@@ -134,20 +142,16 @@ func (s *System) tunLoop() {
 		s.wintunLoop(winTun)
 		return
 	}
-	_packetBuffer := buf.StackNewSize(int(s.mtu))
-	defer common.KeepAlive(_packetBuffer)
-	packetBuffer := common.Dup(_packetBuffer)
-	defer packetBuffer.Release()
-	packetSlice := packetBuffer.Slice()
+	packetBuffer := make([]byte, s.mtu+PacketOffset)
 	for {
-		n, err := s.tun.Read(packetSlice)
+		n, err := s.tun.Read(packetBuffer)
 		if err != nil {
 			return
 		}
 		if n < clashtcpip.IPv4PacketMinLength {
 			continue
 		}
-		packet := packetSlice[PacketOffset:n]
+		packet := packetBuffer[PacketOffset:n]
 		switch ipVersion := packet[0] >> 4; ipVersion {
 		case 4:
 			err = s.processIPv4(packet)
@@ -475,7 +479,7 @@ type systemUDPPacketWriter4 struct {
 }
 
 func (w *systemUDPPacketWriter4) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
-	newPacket := buf.StackNewSize(len(w.header) + buffer.Len())
+	newPacket := buf.NewSize(len(w.header) + buffer.Len())
 	defer newPacket.Release()
 	newPacket.Write(w.header)
 	newPacket.Write(buffer.Bytes())
@@ -499,7 +503,7 @@ type systemUDPPacketWriter6 struct {
 }
 
 func (w *systemUDPPacketWriter6) WritePacket(buffer *buf.Buffer, destination M.Socksaddr) error {
-	newPacket := buf.StackNewSize(len(w.header) + buffer.Len())
+	newPacket := buf.NewSize(len(w.header) + buffer.Len())
 	defer newPacket.Release()
 	newPacket.Write(w.header)
 	newPacket.Write(buffer.Bytes())

tun.go

@@ -10,6 +10,7 @@ import (
 
 	E "github.com/sagernet/sing/common/exceptions"
 	F "github.com/sagernet/sing/common/format"
+	"github.com/sagernet/sing/common/logger"
 	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/ranges"
 )
@@ -22,6 +23,7 @@ type Handler interface {
 
 type Tun interface {
 	io.ReadWriter
+	CreateVectorisedWriter() N.VectorisedWriter
 	Close() error
 }
 
@@ -39,6 +41,8 @@ type Options struct {
 	StrictRoute        bool
 	Inet4RouteAddress  []netip.Prefix
 	Inet6RouteAddress  []netip.Prefix
+	IncludeInterface   []string
+	ExcludeInterface   []string
 	IncludeUID         []ranges.Range[uint32]
 	ExcludeUID         []ranges.Range[uint32]
 	IncludeAndroidUser []int
@@ -47,6 +51,7 @@ type Options struct {
 	InterfaceMonitor   DefaultInterfaceMonitor
 	TableIndex         int
 	FileDescriptor     int
+	Logger             logger.Logger
 }
 
 func CalculateInterfaceName(name string) (tunName string) {

tun_darwin.go

@@ -10,6 +10,7 @@ import (
 	"unsafe"
 
 	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
 	N "github.com/sagernet/sing/common/network"
@@ -101,6 +102,20 @@ func (t *NativeTun) Write(p []byte) (n int, err error) {
 	return
 }
 
+func (t *NativeTun) CreateVectorisedWriter() N.VectorisedWriter {
+	return t
+}
+
+func (t *NativeTun) WriteVectorised(buffers []*buf.Buffer) error {
+	var packetHeader []byte
+	if buffers[0].Byte(0)>>4 == 4 {
+		packetHeader = packetHeader4[:]
+	} else {
+		packetHeader = packetHeader6[:]
+	}
+	return t.tunWriter.WriteVectorised(append([]*buf.Buffer{buf.As(packetHeader)}, buffers...))
+}
+
 func (t *NativeTun) Close() error {
 	flushDNSCache()
 	return t.tunFile.Close()

tun_darwin_gvisor.go

@@ -7,8 +7,6 @@ import (
 	"github.com/sagernet/gvisor/pkg/tcpip"
 	"github.com/sagernet/gvisor/pkg/tcpip/header"
 	"github.com/sagernet/gvisor/pkg/tcpip/stack"
-	"github.com/sagernet/sing/common"
-	"github.com/sagernet/sing/common/buf"
 	"github.com/sagernet/sing/common/bufio"
 )
 
@@ -53,37 +51,33 @@ func (e *DarwinEndpoint) Attach(dispatcher stack.NetworkDispatcher) {
 }
 
 func (e *DarwinEndpoint) dispatchLoop() {
-	_buffer := buf.StackNewSize(int(e.tun.mtu) + 4)
-	defer common.KeepAlive(_buffer)
-	packetBuffer := common.Dup(_buffer)
-	defer packetBuffer.Release()
-	data := packetBuffer.FreeBytes()
+	packetBuffer := make([]byte, e.tun.mtu+4)
 	for {
-		n, err := e.tun.tunFile.Read(data)
+		n, err := e.tun.tunFile.Read(packetBuffer)
 		if err != nil {
 			break
 		}
-		packet := data[4:n]
+		packet := packetBuffer[4:n]
 		var networkProtocol tcpip.NetworkProtocolNumber
 		switch header.IPVersion(packet) {
 		case header.IPv4Version:
 			networkProtocol = header.IPv4ProtocolNumber
 			if header.IPv4(packet).DestinationAddress().As4() == e.tun.inet4Address {
-				e.tun.tunFile.Write(data[:n])
+				e.tun.tunFile.Write(packetBuffer[:n])
 				continue
 			}
 		case header.IPv6Version:
 			networkProtocol = header.IPv6ProtocolNumber
 			if header.IPv6(packet).DestinationAddress().As16() == e.tun.inet6Address {
-				e.tun.tunFile.Write(data[:n])
+				e.tun.tunFile.Write(packetBuffer[:n])
 				continue
 			}
 		default:
-			e.tun.tunFile.Write(data[:n])
+			e.tun.tunFile.Write(packetBuffer[:n])
 			continue
 		}
 		pkt := stack.NewPacketBuffer(stack.PacketBufferOptions{
-			Payload:           buffer.MakeWithData(data[4:n]),
+			Payload:           buffer.MakeWithData(packetBuffer[4:n]),
 			IsForwardedPacket: true,
 		})
 		pkt.NetworkProtocolNumber = networkProtocol

tun_linux.go

@@ -12,7 +12,9 @@ import (
 
 	"github.com/sagernet/netlink"
 	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/bufio"
 	E "github.com/sagernet/sing/common/exceptions"
+	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/rw"
 	"github.com/sagernet/sing/common/shell"
 	"github.com/sagernet/sing/common/x/list"
@@ -68,6 +70,10 @@ func (t *NativeTun) Write(p []byte) (n int, err error) {
 	return t.tunFile.Write(p)
 }
 
+func (t *NativeTun) CreateVectorisedWriter() N.VectorisedWriter {
+	return bufio.NewVectorisedWriter(t.tunFile)
+}
+
 var controlPath string
 
 func init() {
@@ -317,6 +323,110 @@ func (t *NativeTun) rules() []*netlink.Rule {
 			priority6++
 		}
 	}
+	if len(t.options.IncludeInterface) > 0 {
+		matchPriority := priority + 2*len(t.options.IncludeInterface) + 1
+		for _, includeInterface := range t.options.IncludeInterface {
+			if p4 {
+				it = netlink.NewRule()
+				it.Priority = priority
+				it.IifName = includeInterface
+				it.Goto = matchPriority
+				it.Family = unix.AF_INET
+				rules = append(rules, it)
+				priority++
+
+				it = netlink.NewRule()
+				it.Priority = priority
+				it.OifName = includeInterface
+				it.Goto = matchPriority
+				it.Family = unix.AF_INET
+				rules = append(rules, it)
+				priority++
+			}
+			if p6 {
+				it = netlink.NewRule()
+				it.Priority = priority6
+				it.IifName = includeInterface
+				it.Goto = matchPriority
+				it.Family = unix.AF_INET6
+				rules = append(rules, it)
+				priority6++
+
+				it = netlink.NewRule()
+				it.Priority = priority6
+				it.OifName = includeInterface
+				it.Goto = matchPriority
+				it.Family = unix.AF_INET6
+				rules = append(rules, it)
+				priority6++
+			}
+		}
+		if p4 {
+			it = netlink.NewRule()
+			it.Priority = priority
+			it.Family = unix.AF_INET
+			it.Goto = nopPriority
+			rules = append(rules, it)
+			priority++
+
+			it = netlink.NewRule()
+			it.Priority = matchPriority
+			it.Family = unix.AF_INET
+			rules = append(rules, it)
+			priority++
+		}
+		if p6 {
+			it = netlink.NewRule()
+			it.Priority = priority6
+			it.Family = unix.AF_INET6
+			it.Goto = nopPriority
+			rules = append(rules, it)
+			priority6++
+
+			it = netlink.NewRule()
+			it.Priority = matchPriority
+			it.Family = unix.AF_INET6
+			rules = append(rules, it)
+			priority6++
+		}
+	} else if len(t.options.ExcludeInterface) > 0 {
+		for _, excludeInterface := range t.options.ExcludeInterface {
+			if p4 {
+				it = netlink.NewRule()
+				it.Priority = priority
+				it.IifName = excludeInterface
+				it.Goto = nopPriority
+				it.Family = unix.AF_INET
+				rules = append(rules, it)
+				priority++
+
+				it = netlink.NewRule()
+				it.Priority = priority
+				it.OifName = excludeInterface
+				it.Goto = nopPriority
+				it.Family = unix.AF_INET
+				rules = append(rules, it)
+				priority++
+			}
+			if p6 {
+				it = netlink.NewRule()
+				it.Priority = priority6
+				it.IifName = excludeInterface
+				it.Goto = nopPriority
+				it.Family = unix.AF_INET6
+				rules = append(rules, it)
+				priority6++
+
+				it = netlink.NewRule()
+				it.Priority = priority6
+				it.OifName = excludeInterface
+				it.Goto = nopPriority
+				it.Family = unix.AF_INET6
+				rules = append(rules, it)
+				priority6++
+			}
+		}
+	}
 
 	if runtime.GOOS == "android" && t.options.InterfaceMonitor.AndroidVPNEnabled() {
 		const protectedFromVPN = 0x20000
@@ -588,15 +698,16 @@ func (t *NativeTun) resetRules() error {
 	return t.setRules()
 }
 
-func (t *NativeTun) routeUpdate(event int) error {
+func (t *NativeTun) routeUpdate(event int) {
 	if event&EventAndroidVPNUpdate == 0 {
-		return nil
+		return
 	}
 	err := t.resetRules()
 	if err != nil {
-		return E.Cause(err, "reset route")
+		if t.options.Logger != nil {
+			t.options.Logger.Error(E.Cause(err, "reset route"))
+		}
 	}
-	return nil
 }
 
 func (t *NativeTun) setSearchDomainForSystemdResolved() {

tun_windows.go

@@ -16,7 +16,10 @@ import (
 	"github.com/sagernet/sing-tun/internal/winipcfg"
 	"github.com/sagernet/sing-tun/internal/winsys"
 	"github.com/sagernet/sing-tun/internal/wintun"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/buf"
 	E "github.com/sagernet/sing/common/exceptions"
+	N "github.com/sagernet/sing/common/network"
 	"github.com/sagernet/sing/common/windnsapi"
 
 	"golang.org/x/sys/windows"
@@ -467,6 +470,15 @@ func (t *NativeTun) write(packetElementList [][]byte) (n int, err error) {
 	return 0, fmt.Errorf("write failed: %w", err)
 }
 
+func (t *NativeTun) CreateVectorisedWriter() N.VectorisedWriter {
+	return t
+}
+
+func (t *NativeTun) WriteVectorised(buffers []*buf.Buffer) error {
+	defer buf.ReleaseMulti(buffers)
+	return common.Error(t.write(buf.ToSliceMulti(buffers)))
+}
+
 func (t *NativeTun) Close() error {
 	var err error
 	t.closeOnce.Do(func() {