Add XRay

2025-03-09 15:40:03 +00:00 · 2023-09-29 14:58:47 +02:00 · 2023-09-29 14:58:47 +02:00 · ee1ffa2bd8
commit ee1ffa2bd8
parent a816b09134
7 changed files with 3280 additions and 0 deletions
--- a/xray-core/Makefile
+++ b/xray-core/Makefile
@ -0,0 +1,68 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=xray-core
+PKG_VERSION:=1.8.5
+PKG_RELEASE:=1
+
+PKG_LICENSE:=MPLv2
+PKG_LICENSE_FILES:=LICENSE
+PKG_MAINTAINER:=Yannick Chabanois <contact@openmptcprouter.com>
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/XTLS/Xray-core.git
+PKG_SOURCE_VERSION:=585d5ba7c8b64f6da60837546a70bbcfd2350c64
+
+PKG_BUILD_DEPENDS:=golang/host
+PKG_BUILD_PARALLEL:=1
+
+GO_PKG:=github.com/XTLS/Xray-core
+
+include $(INCLUDE_DIR)/package.mk
+include $(TOPDIR)/feeds/openmptcprouter/golang/golang-package.mk
+
+define Package/$(PKG_NAME)
+	SECTION:=Custom
+	CATEGORY:=Extra packages
+	TITLE:=Xray-core
+	DEPENDS:=$(GO_ARCH_DEPENDS)
+	PROVIDES:=xray-core
+endef
+
+define Package/$(PKG_NAME)/description
+	Xray-core bare bones binary (compiled without cgo)
+endef
+
+define Package/$(PKG_NAME)/config
+menu "Xray Configuration"
+	depends on PACKAGE_$(PKG_NAME)
+
+config PACKAGE_XRAY_ENABLE_GOPROXY_IO
+	bool "Use goproxy.io to speed up module fetching (recommended for some network situations)"
+	default n
+
+endmenu
+endef
+
+USE_GOPROXY:=
+ifdef CONFIG_PACKAGE_XRAY_ENABLE_GOPROXY_IO
+	USE_GOPROXY:=GOPROXY=https://goproxy.io,direct
+endif
+
+MAKE_PATH:=$(GO_PKG_WORK_DIR_NAME)/build/src/$(GO_PKG)
+MAKE_VARS += $(GO_PKG_VARS)
+
+#define Build/Patch
+#	$(CP) $(PKG_BUILD_DIR)/../Xray-core-$(PKG_VERSION)/* $(PKG_BUILD_DIR)
+#	$(Build/Patch/Default)
+#endef
+
+define Build/Compile
+	cd $(PKG_BUILD_DIR); $(GO_PKG_VARS) $(USE_GOPROXY) CGO_ENABLED=0 go build -trimpath -ldflags "-s -w" -o $(PKG_INSTALL_DIR)/bin/xray ./main; 
+endef
+
+define Package/$(PKG_NAME)/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/bin/xray $(1)/usr/bin/xray
+	$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,$(PKG_NAME)))
--- a/xray-core/files/etc/firewall.xray-rules
+++ b/xray-core/files/etc/firewall.xray-rules
@ -0,0 +1,2 @@
+#!/bin/sh
+/etc/init.d/xray rules_up
--- a/xray-core/files/etc/init.d/xray
+++ b/xray-core/files/etc/init.d/xray
--- a/xray-core/files/etc/uci-defaults/3010-omr-xray
+++ b/xray-core/files/etc/uci-defaults/3010-omr-xray
@ -0,0 +1,202 @@
+#!/bin/sh
+
+if [ -z "$(uci -q get xray.main)" ]; then
+	touch /etc/config/xray
+	uci batch <<-EOF
+		set xray.main=xray
+		set xray.main.xray_file='/usr/bin/xray'
+		set xray.main.mem_percentage='0'
+		set xray.main.loglevel='error'
+		set xray.main.access_log='/dev/null'
+		set xray.main.error_log='/dev/null'
+		set xray.main.enabled='0'
+		set xray.main.outbounds='omrout'
+		set xray.main.inbounds='omr'
+		add_list xray.main.inbounds='omrtest'
+		set xray.main_dns=dns
+		set xray.main_dns.hosts='example.com|127.0.0.1'
+		set xray.main_dns.enabled='0'
+		set xray.main_policy=policy
+		set xray.main_policy.enabled='1'
+		set xray.main_policy.levels='policy_level_0'
+		set xray.policy_level_0=policy_level
+		set xray.policy_level_0.level='0'
+		set xray.policy_level_0.handshake='4'
+		set xray.policy_level_0.conn_idle='1200'
+		set xray.policy_level_0.uplink_only='0'
+		set xray.policy_level_0.downlink_only='0'
+		set xray.policy_level_0.buffer_size='512'
+		set xray.main_transparent_proxy=transparent_proxy
+		set xray.main_transparent_proxy.proxy_mode='default'
+		set xray.main_transparent_proxy.apnic_delegated_mirror='apnic'
+		set xray.main_transparent_proxy.gfwlist_mirror='github'
+		set xray.main_transparent_proxy.redirect_udp='0'
+		set xray.main_transparent_proxy.redirect_port='1897'
+		set xray.omrout=outbound
+		set xray.omrout.tag='omrout_tunnel'
+		set xray.omrout.protocol='vless'
+		set xray.omrout.s_vmess_address=''
+		set xray.omrout.s_vmess_port='65230'
+		set xray.omrout.s_vmess_user_id=''
+		set xray.omrout.s_vmess_user_security='none'
+		set xray.omrout.s_vmess_user_alter_id='0'
+		set xray.omrout.s_vless_address=''
+		set xray.omrout.s_vless_port='65228'
+		set xray.omrout.s_vless_user_id=''
+		set xray.omrout.s_vless_user_security='none'
+		set xray.omrout.s_vless_user_encryption='none'
+		set xray.omrout.s_vless_user_alter_id='0'
+		set xray.omrout.s_trojan_address=''
+		set xray.omrout.s_trojan_port='65229'
+		set xray.omrout.s_trojan_user_id=''
+		set xray.omrout.s_trojan_user_security='none'
+		set xray.omrout.s_trojan_user_encryption='none'
+		set xray.omrout.s_trojan_user_alter_id='0'
+		set xray.omrout.s_socks_address=''
+		set xray.omrout.s_socks_port='65231'
+		set xray.omrout.s_socks_user_id=''
+		set xray.omrout.s_socks_user_security='none'
+		set xray.omrout.s_socks_user_encryption='none'
+		set xray.omrout.s_socks_user_alter_id='0'
+		set xray.omrout.ss_network='tcp'
+		set xray.omrout.ss_security='tls'
+		set xray.omrout.ss_tls_allow_insecure='1'
+		set xray.omrout.ss_tls_disable_system_root='1'
+		set xray.omrout.ss_tls_cert_usage='verify'
+		set xray.omrout.ss_tls_cert_file='/etc/luci-uploads/client.crt'
+		set xray.omrout.ss_tls_key_file='/etc/luci-uploads/client.key'
+		set xray.omrout.s_shadowsocks_port='65252'
+		set xray.omrout.mux_concurrency='8'
+		set xray.omr=inbound
+		set xray.omr.tag='omrtunnel'
+		set xray.omr.listen='0.0.0.0'
+		set xray.omr.port='1897'
+		set xray.omr.protocol='dokodemo-door'
+		set xray.omr.s_dokodemo_door_network='tcp'
+		add_list xray.omr.s_dokodemo_door_network='udp'
+		set xray.omr.ss_sockopt_tproxy='redirect'
+		set xray.omr.ss_sockopt_tcp_fast_open='1'
+		set xray.omr.ss_sockopt_mptcp='1'
+		set xray.omr.s_dokodemo_door_follow_redirect='1'
+		set xray.omr6=inbound
+		set xray.omr6.tag='omrtunnel6'
+		set xray.omr6.listen='::'
+		set xray.omr6.port='1898'
+		set xray.omr6.protocol='dokodemo-door'
+		set xray.omr6.s_dokodemo_door_network='tcp'
+		add_list xray.omr6.s_dokodemo_door_network='udp'
+		set xray.omr6.ss_sockopt_tproxy='tproxy'
+		set xray.omr6.ss_sockopt_tcp_fast_open='1'
+		set xray.omr6.s_dokodemo_door_follow_redirect='1'
+		set xray.omrtest=inbound
+		set xray.omrtest.port='1111'
+		set xray.omrtest.protocol='socks'
+		set xray.omrtest.listen='127.0.0.1'
+		set xray.omrtest.s_socks_auth='noauth'
+		set xray.omrtest.s_socks_udp='1'
+		set xray.omrtest.s_socks_ip='127.0.0.1'
+		set xray.omrtest.s_socks_userlevel='0'
+		commit xray
+	EOF
+fi
+uci -q batch <<-EOF >/dev/null
+	set xray.omr.listen='0.0.0.0'
+	commit xray
+EOF
+
+if [ "$(uci -q get firewall.xray)" = "" ]; then
+	uci -q batch <<-EOF >/dev/null
+		set firewall.xray=include
+		set firewall.xray.path=/etc/firewall.xray-rules
+		set firewall.xray.reload=0
+		commit firewall
+	EOF
+fi
+if [ "$(uci -q get firewall.xray.path)" != "/etc/firewall.xray-rules" ]; then
+	uci -q batch <<-EOF >/dev/null
+		set firewall.xray.path=/etc/firewall.xray-rules
+		commit firewall
+	EOF
+fi
+
+if [ "$(uci -q get xray.main_reverse.bridges | grep omrbridge)" = "" ]; then
+	uci -q batch <<-EOF >/dev/null
+		set xray.main_reverse=reverse
+		set xray.main_reverse.enabled=1
+		set xray.main_reverse.bridges='omrbridge|omr.lan'
+		commit xray
+	EOF
+fi
+if [ "$(uci -q get xray.omrrouting)" = "" ]; then
+	uci -q batch <<-EOF >/dev/null
+		set xray.omrexit=outbound
+		set xray.omrexit.protocol='freedom'
+		set xray.omrexit.tag='out'
+		add_list xray.main.outbounds=omrexit
+		set xray.omrrouting=routing_rule
+		set xray.omrrouting.type='field'
+		set xray.omrrouting.inbound_tag='omrbridge'
+		set xray.omrrouting.outbound_tag='omrout_tunnel'
+		set xray.omrrouting.domain='full:omr.lan'
+		set xray.omrroutingo=routing_rule
+		set xray.omrroutingo.type='field'
+		set xray.omrroutingo.inbound_tag='omrbridge'
+		set xray.omrroutingo.outbound_tag='out'
+		set xray.main_routing=routing
+		set xray.main_routing.enabled=1
+		set xray.main_routing.rules='omrrouting'
+		add_list xray.main_routing.rules='omrroutingo'
+		commit xray
+	EOF
+fi
+
+if [ "$(uci -q get xray.main.error_log)" != "/dev/null" ]; then
+	uci -q batch <<-EOF >/dev/null
+		set xray.main.error_log='/dev/null'
+		commit xray
+	EOF
+fi
+#if [ "$(uci -q get xray.main.mem_percentage)" = "0" ]; then
+#	uci -q batch <<-EOF >/dev/null
+#		set xray.main.mem_percentage='80'
+#		commit xray
+#	EOF
+#fi
+if [ "$(uci -q get xray.policy_level_0.conn_idle)" = "2400" ]; then
+	uci -q batch <<-EOF >/dev/null
+		set xray.policy_level_0.conn_idle='1200'
+		commit xray
+	EOF
+fi
+
+if [ "$(uci -q get xray.omrout.s_vmess_port)" = "65228" ]; then
+	uci -q batch <<-EOF >/dev/null
+		set xray.omrout.s_vmess_port='65230'
+		commit xray
+	EOF
+fi
+
+if [ "$(uci -q get xray.omrout.s_trojan_port)" = "" ]; then
+	uci -q batch <<-EOF >/dev/null
+		set xray.omrout.s_trojan_address=''
+		set xray.omrout.s_trojan_port='65229'
+		set xray.omrout.s_trojan_user_id=''
+		set xray.omrout.s_trojan_user_security='none'
+		set xray.omrout.s_trojan_user_encryption='none'
+		set xray.omrout.s_trojan_user_alter_id='0'
+		commit xray
+	EOF
+fi
+if [ "$(uci -q get xray.omrout.s_socks_port)" = "" ]; then
+	uci -q batch <<-EOF >/dev/null
+		set xray.omrout.s_socks_address=''
+		set xray.omrout.s_socks_port='65231'
+		set xray.omrout.s_socks_user_id=''
+		set xray.omrout.s_socks_user_security='none'
+		set xray.omrout.s_socks_user_encryption='none'
+		set xray.omrout.s_socks_user_alter_id='0'
+		commit xray
+	EOF
+fi
+
+exit 0
--- a/xray-core/files/usr/bin/xray-rules
+++ b/xray-core/files/usr/bin/xray-rules
@ -0,0 +1,319 @@
+#!/bin/sh -e
+#
+# Copyright (C) 2017 Yousong Zhou <yszhou4tech@gmail.com>
+# Copyright (C) 2018-2021 Ycarus (Yannick Chabanois) <ycarus@zugaina.org> for OpenMPTCProuter
+#
+# The design idea was derived from ss-rules by Jian Chang <aa65535@live.com>
+#
+# This is free software, licensed under the GNU General Public License v3.
+# See /LICENSE for more information.
+#
+
+if [ -f /usr/sbin/iptables-legacy ]; then
+	IPTABLES="/usr/sbin/iptables-legacy"
+	IPTABLESRESTORE="/usr/sbin/iptables-legacy-restore"
+	IPTABLESSAVE="/usr/sbin/iptables-legacy-save"
+else
+	IPTABLES="/usr/sbin/iptables"
+	IPTABLESRESTORE="/usr/sbin/iptables-restore"
+	IPTABLESSAVE="/usr/sbin/iptables-save"
+fi
+
+
+
+xr_rules_usage() {
+	cat >&2 <<EOF
+Usage: xray-rules [options]
+
+	-h, --help      Show this help message then exit
+	-f, --flush     Flush rules, ipset then exit
+	-l <port>       Local port number of ss-redir with TCP mode
+	-L <port>       Local port number of ss-redir with UDP mode
+	-s <ips>        List of ip addresses of remote shadowsocks server
+	--ifnames       Only apply rules on packets from these ifnames
+	--src-bypass <ips|cidr>
+	--src-forward <ips|cidr>
+	--src-checkdst <ips|cidr>
+	--src-default <bypass|forward|checkdst>
+	                Packets will have their src ip checked in order against
+	                bypass, forward, checkdst list and will bypass, forward
+	                through, or continue to have their dst ip checked
+	                respectively on the first match.  Otherwise, --src-default
+	                decide the default action
+	--dst-bypass <ips|cidr>
+	--dst-forward <ips|cidr>
+	--dst-bypass-file <file>
+	--dst-forward-file <file>
+	--dst-default <bypass|forward>
+	                Same as with their --src-xx equivalent
+	--dst-forward-recentrst
+	                Forward those packets whose destinations have recently
+	                sent to us multiple tcp-rst packets
+	--local-default <bypass|forward|checkdst>
+	                Default action for local out TCP traffic
+
+The following ipsets will be created by ss-rules.  They are also intended to be
+populated by other programs like dnsmasq with ipset support
+
+	ss_rules_src_bypass
+	ss_rules_src_forward
+	ss_rules_src_checkdst
+	ss_rules_dst_bypass
+	ss_rules_dst_bypass_all
+	ss_rules_dst_forward
+EOF
+}
+
+o_dst_bypass_="
+	0.0.0.0/8
+	10.0.0.0/8
+	100.64.0.0/10
+	127.0.0.0/8
+	169.254.0.0/16
+	172.16.0.0/12
+	192.0.0.0/24
+	192.0.2.0/24
+	192.31.196.0/24
+	192.52.193.0/24
+	192.88.99.0/24
+	192.168.0.0/16
+	192.175.48.0/24
+	198.18.0.0/15
+	198.51.100.0/24
+	203.0.113.0/24
+	224.0.0.0/4
+	240.0.0.0/4
+	255.255.255.255
+"
+o_src_default=bypass
+o_dst_default=bypass
+o_local_default=bypass
+
+__errmsg() {
+	echo "xray-rules: $*" >&2
+}
+
+xr_rules_parse_args() {
+	while [ "$#" -gt 0 ]; do
+		case "$1" in
+			-h|--help) xr_rules_usage; exit 0;;
+			-f|--flush) xr_rules_flush; exit 0;;
+			-l) o_redir_tcp_port="$2"; shift 2;;
+			-L) o_redir_udp_port="$2"; shift 2;;
+			-s) o_remote_servers="$2"; shift 2;;
+			--ifnames) o_ifnames="$2"; shift 2;;
+			--ipt-extra) o_ipt_extra="$2"; shift 2;;
+			--src-default) o_src_default="$2"; shift 2;;
+			--dst-default) o_dst_default="$2"; shift 2;;
+			--local-default) o_local_default="$2"; shift 2;;
+			--src-bypass) o_src_bypass="$2"; shift 2;;
+			--src-forward) o_src_forward="$2"; shift 2;;
+			--src-checkdst) o_src_checkdst="$2"; shift 2;;
+			--dst-bypass) o_dst_bypass="$2"; shift 2;;
+			--dst-bypass_all) o_dst_bypass_all="$2"; shift 2;;
+			--dst-forward) o_dst_forward="$2"; shift 2;;
+			--dst-forward-recentrst) o_dst_forward_recentrst=1; shift 1;;
+			--dst-bypass-file) o_dst_bypass_file="$2"; shift 2;;
+			--dst-forward-file) o_dst_forward_file="$2"; shift 2;;
+			--rule-name) rule="$2"; shift 2;;
+			*) __errmsg "unknown option $1"; return 1;;
+		esac
+	done
+
+	if [ -z "$o_redir_tcp_port" -a -z "$o_redir_udp_port" ]; then
+		__errmsg "Requires at least -l or -L option"
+		return 1
+	fi
+	if [ -n "$o_dst_forward_recentrst" ] && ! $IPTABLES -w -m recent -h >/dev/null; then
+		__errmsg "Please install iptables-mod-conntrack-extra with opkg"
+		return 1
+	fi
+	o_remote_servers="$(for s in $o_remote_servers; do resolveip -4 "$s"; done)"
+}
+
+xr_rules_flush() {
+	local setname
+
+	$IPTABLESSAVE --counters 2>/dev/null | grep -v xr_ | $IPTABLESRESTORE --counters
+	while ip rule del fwmark 1 lookup 100 2>/dev/null; do true; done
+	ip route flush table 100 || true
+	for setname in $(ipset -n list | grep "ssr_${rule}"); do
+		ipset destroy "$setname" 2>/dev/null || true
+	done
+}
+
+xr_rules_ipset_init() {
+	ipset --exist restore <<-EOF
+		create ssr_${rule}_src_bypass hash:net hashsize 64
+		create ssr_${rule}_src_forward hash:net hashsize 64
+		create ssr_${rule}_src_checkdst hash:net hashsize 64
+		create ss_rules_dst_bypass_all hash:net hashsize 64
+		create ssr_${rule}_dst_bypass hash:net hashsize 64
+		create ssr_${rule}_dst_bypass_ hash:net hashsize 64
+		create ssr_${rule}_dst_forward hash:net hashsize 64
+		create ss_rules_dst_forward_recentrst_ hash:ip hashsize 64 timeout 3600
+		$(xr_rules_ipset_mkadd ssr_${rule}_dst_bypass_ "$o_dst_bypass_ $o_remote_servers")
+		$(xr_rules_ipset_mkadd ss_rules_dst_bypass_all "$o_dst_bypass_all")
+		$(xr_rules_ipset_mkadd ssr_${rule}_dst_bypass "$o_dst_bypass $(cat "$o_dst_bypass_file" 2>/dev/null | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}')")
+		$(xr_rules_ipset_mkadd ssr_${rule}_src_bypass "$o_src_bypass")
+		$(xr_rules_ipset_mkadd ssr_${rule}_src_forward "$o_src_forward")
+		$(xr_rules_ipset_mkadd ssr_${rule}_src_checkdst "$o_src_checkdst")
+		$(xr_rules_ipset_mkadd ssr_${rule}_dst_forward "$o_dst_forward $(cat "$o_dst_forward_file" 2>/dev/null | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}')")
+	EOF
+}
+
+xr_rules_ipset_mkadd() {
+	local setname="$1"; shift
+	local i
+
+	for i in $*; do
+		echo "add $setname $i"
+	done
+}
+
+xr_rules_iptchains_init() {
+	xr_rules_iptchains_init_mark
+	xr_rules_iptchains_init_tcp
+	xr_rules_iptchains_init_udp
+}
+
+xr_rules_iptchains_init_mark() {
+	if [ "$($IPTABLES -w -t mangle -L PREROUTING | grep ss_rules_dst_bypass_all)" = "" ]; then
+		$IPTABLESRESTORE --noflush <<-EOF
+			*mangle
+			-A PREROUTING -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-mark 0x539
+			COMMIT
+		EOF
+	fi
+}
+
+xr_rules_iptchains_init_tcp() {
+	local local_target
+
+	[ -n "$o_redir_tcp_port" ] || return 0
+
+	xr_rules_iptchains_init_ nat tcp
+
+	case "$o_local_default" in
+		checkdst) local_target=xr_${rule}_dst ;;
+		forward) local_target=xr_${rule}_forward ;;
+		bypass|*) return 0;;
+	esac
+
+	$IPTABLESRESTORE --noflush <<-EOF
+		*nat
+		:xr_${rule}_local_out -
+		-I OUTPUT 1 -p tcp -j xr_${rule}_local_out
+		-A xr_${rule}_local_out -m set --match-set ssr_${rule}_dst_bypass dst -j RETURN
+		-A xr_${rule}_local_out -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
+		-A xr_${rule}_local_out -m set --match-set ssr_${rule}_dst_bypass_ dst -j RETURN
+		-A xr_${rule}_local_out -m mark --mark 0x539 -j RETURN
+		-A xr_${rule}_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
+		COMMIT
+	EOF
+}
+
+xr_rules_iptchains_init_udp() {
+	[ -n "$o_redir_udp_port" ] || return 0
+	xr_rules_iptchains_init_ mangle udp
+}
+
+xr_rules_iptchains_init_() {
+	local table="$1"
+	local proto="$2"
+	local forward_rules
+	local src_default_target dst_default_target
+	local recentrst_mangle_rules recentrst_addset_rules
+
+	case "$proto" in
+		tcp)
+			forward_rules="-A xr_${rule}_forward -p tcp -j REDIRECT --to-ports $o_redir_tcp_port"
+			if [ -n "$o_dst_forward_recentrst" ]; then
+				recentrst_mangle_rules="
+					*mangle
+					-I PREROUTING 1 -p tcp -m tcp --tcp-flags RST RST -m recent --name xr_recentrst --set --rsource
+					COMMIT
+				"
+				recentrst_addset_rules="
+					-A xr_${rule}_dst -m recent --name xr_recentrst --rcheck --rdest --seconds 3 --hitcount 3 -j SET --add-set ss_rules_dst_forward_recentrst_ dst --exist
+					-A xr_${rule}_dst -m set --match-set ss_rules_dst_forward_recentrst_ dst -j xr_${rule}_forward
+				"
+			fi
+			;;
+		udp)
+			ip rule add fwmark 1 lookup 100 || true
+			ip route add local default dev lo table 100 || true
+			forward_rules="-A xr_${rule}_forward -p udp -j TPROXY --on-port "$o_redir_udp_port" --tproxy-mark 0x01/0x01"
+			;;
+	esac
+	case "$o_src_default" in
+		forward) src_default_target=xr_${rule}_forward ;;
+		checkdst) src_default_target=xr_${rule}_dst ;;
+		bypass|*) src_default_target=RETURN ;;
+	esac
+	case "$o_dst_default" in
+		forward) dst_default_target=xr_${rule}_forward ;;
+		bypass|*) dst_default_target=RETURN ;;
+	esac
+	sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | $IPTABLESRESTORE --noflush
+		*$table
+		:xr_${rule}_pre_src -
+		:xr_${rule}_src -
+		:xr_${rule}_dst -
+		:xr_${rule}_forward -
+		$(xr_rules_iptchains_mkprerules "$proto")
+		-A xr_${rule}_pre_src -m set --match-set ssr_${rule}_dst_bypass_ dst -j RETURN
+		-A xr_${rule}_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j MARK --set-mark 0x539
+		-A xr_${rule}_pre_src -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
+		-A xr_${rule}_pre_src -m set --match-set ssr_${rule}_dst_bypass dst -j RETURN
+		-A xr_${rule}_pre_src -m mark --mark 0x539 -j RETURN
+		-A xr_${rule}_dst -m set --match-set ss_rules_dst_bypass_all dst -j RETURN
+		-A xr_${rule}_dst -m set --match-set ssr_${rule}_dst_bypass dst -j RETURN
+		-A xr_${rule}_pre_src -p $proto $o_ipt_extra -j xr_${rule}_src
+		-A xr_${rule}_src -m set --match-set ssr_${rule}_src_bypass src -j RETURN
+		-A xr_${rule}_src -m set --match-set ssr_${rule}_src_forward src -j xr_${rule}_forward
+		-A xr_${rule}_src -m set --match-set ssr_${rule}_src_checkdst src -j xr_${rule}_dst
+		-A xr_${rule}_src -j $src_default_target -m comment --comment "src_default: $o_src_default"
+		-A xr_${rule}_dst -m set --match-set ssr_${rule}_dst_forward dst -j xr_${rule}_forward
+		$recentrst_addset_rules
+		-A xr_${rule}_dst -j $dst_default_target -m comment --comment "dst_default: $o_dst_default"
+		$forward_rules
+		COMMIT
+		$recentrst_mangle_rules
+	EOF
+}
+
+xr_rules_iptchains_mkprerules() {
+	local proto="$1"
+
+	if [ -z "$o_ifnames" ]; then
+		echo "-A PREROUTING -p $proto -j xr_${rule}_pre_src"
+	else
+		echo $o_ifnames \
+			| tr ' ' '\n' \
+			| sed "s/.*/-I PREROUTING 1 -i \\0 -p $proto -j xr_${rule}_pre_src/"
+	fi
+}
+
+xr_rules_fw_drop() {
+	fw3 -4 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j reject/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
+	while IFS=$"\n" read -r c; do
+		fwrule=$(echo "$c" | sed 's/reject/REDIRECT --to-ports 65535/')
+		if [ -n "$fwrule" ] && [ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
+			eval "$IPTABLES -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
+		fi
+	done
+	fw3 -4 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j drop/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
+	while IFS=$"\n" read -r c; do
+		fwrule=$(echo "$c" | sed 's/drop/REDIRECT --to-ports 65535/')
+		if [ -n "$fwrule" ] && [ -z "$($IPTABLESSAVE 2>/dev/null | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
+			eval "$IPTABLES -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
+		fi
+	done
+}
+
+xr_rules_parse_args "$@"
+#xr_rules_flush
+xr_rules_ipset_init
+xr_rules_iptchains_init
+xr_rules_fw_drop
--- a/xray-core/files/usr/bin/xray-rules6
+++ b/xray-core/files/usr/bin/xray-rules6
@ -0,0 +1,310 @@
+#!/bin/sh -e
+#
+# Copyright (C) 2017 Yousong Zhou <yszhou4tech@gmail.com>
+# Copyright (C) 2018-2021 Ycarus (Yannick Chabanois) <ycarus@zugaina.org>
+#
+# The design idea was derived from ss-rules by Jian Chang <aa65535@live.com>
+#
+# This is free software, licensed under the GNU General Public License v3.
+# See /LICENSE for more information.
+#
+
+if [ -f /usr/sbin/iptables-legacy ]; then
+	IP6TABLES="/usr/sbin/ip6tables-legacy"
+	IP6TABLESRESTORE="/usr/sbin/ip6tables-legacy-restore"
+	IP6TABLESSAVE="/usr/sbin/ip6tables-legacy-save"
+else
+	IP6TABLES="/usr/sbin/ip6tables"
+	IP6TABLESRESTORE="/usr/sbin/ip6tables-restore"
+	IP6TABLESSAVE="/usr/sbin/ip6tables-save"
+fi
+
+
+
+xray_rules6_usage() {
+	cat >&2 <<EOF
+Usage: xray-rules6 [options]
+
+	-h, --help      Show this help message then exit
+	-f, --flush     Flush rules, ipset then exit
+	-l <port>       Local port number of ss-redir with TCP mode
+	-L <port>       Local port number of ss-redir with UDP mode
+	-s <ips>        List of ip addresses of remote shadowsocks server
+	--ifnames       Only apply rules on packets from these ifnames
+	--src-bypass <ips|cidr>
+	--src-forward <ips|cidr>
+	--src-checkdst <ips|cidr>
+	--src-default <bypass|forward|checkdst>
+	                Packets will have their src ip checked in order against
+	                bypass, forward, checkdst list and will bypass, forward
+	                through, or continue to have their dst ip checked
+	                respectively on the first match.  Otherwise, --src-default
+	                decide the default action
+	--dst-bypass <ips|cidr>
+	--dst-forward <ips|cidr>
+	--dst-bypass-file <file>
+	--dst-forward-file <file>
+	--dst-default <bypass|forward>
+	                Same as with their --src-xx equivalent
+	--dst-forward-recentrst
+	                Forward those packets whose destinations have recently
+	                sent to us multiple tcp-rst packets
+	--local-default <bypass|forward|checkdst>
+	                Default action for local out TCP traffic
+
+The following ipsets will be created by xray-rules.  They are also intended to be
+populated by other programs like dnsmasq with ipset support
+
+	xray_rules6_src_bypass
+	xray_rules6_src_forward
+	xray_rules6_src_checkdst
+	xray_rules6_dst_bypass
+	xray_rules6_dst_forward
+EOF
+}
+
+o_dst_bypass_="
+	fe80::/10
+	fd00::/8
+	::1
+"
+o_src_default=bypass
+o_dst_default=bypass
+o_local_default=bypass
+
+__errmsg() {
+	echo "xray-rules6: $*" >&2
+}
+
+xray_rules6_parse_args() {
+	while [ "$#" -gt 0 ]; do
+		case "$1" in
+			-h|--help) xray_rules6_usage; exit 0;;
+			-f|--flush) xray_rules6_flush; exit 0;;
+			-l) o_redir_tcp_port="$2"; shift 2;;
+			-L) o_redir_udp_port="$2"; shift 2;;
+			-s) o_remote_servers="$2"; shift 2;;
+			--ifnames) o_ifnames="$2"; shift 2;;
+			--ipt-extra) o_ipt_extra="$2"; shift 2;;
+			--src-default) o_src_default="$2"; shift 2;;
+			--dst-default) o_dst_default="$2"; shift 2;;
+			--local-default) o_local_default="$2"; shift 2;;
+			--src-bypass) o_src_bypass="$2"; shift 2;;
+			--src-forward) o_src_forward="$2"; shift 2;;
+			--src-checkdst) o_src_checkdst="$2"; shift 2;;
+			--dst-bypass) o_dst_bypass="$2"; shift 2;;
+			--dst-bypass_all) o_dst_bypass_all="$2"; shift 2;;
+			--dst-forward) o_dst_forward="$2"; shift 2;;
+			--dst-forward-recentrst) o_dst_forward_recentrst=1; shift 1;;
+			--dst-bypass-file) o_dst_bypass_file="$2"; shift 2;;
+			--dst-forward-file) o_dst_forward_file="$2"; shift 2;;
+			--rule-name) rule="$2"; shift 2;;
+			*) __errmsg "unknown option $1"; return 1;;
+		esac
+	done
+
+	if [ -z "$o_redir_tcp_port" -a -z "$o_redir_udp_port" ]; then
+		__errmsg "Requires at least -l or -L option"
+		return 1
+	fi
+	if [ -n "$o_dst_forward_recentrst" ] && ! $IP6TABLES -w -m recent -h >/dev/null; then
+		__errmsg "Please install ip6tables-mod-conntrack-extra with opkg"
+		return 1
+	fi
+	o_remote_servers="$(for s in $o_remote_servers; do resolveip -6 "$s"; done)"
+}
+
+xray_rules6_flush() {
+	local setname
+
+	$IP6TABLESSAVE --counters 2>/dev/null | grep -v xr6_ | $IP6TABLESRESTORE --counters
+	while ip -f inet6 rule del fwmark 1 lookup 100 2>/dev/null; do true; done
+	ip -f inet6 route flush table 100 || true
+	for setname in $(ipset -n list | grep "ssr6_${rule}"); do
+		ipset destroy "$setname" 2>/dev/null || true
+	done
+}
+
+xray_rules6_ipset_init() {
+	ipset --exist restore <<-EOF
+		create ssr6_${rule}_src_bypass hash:net family inet6 hashsize 64
+		create ssr6_${rule}_src_forward hash:net family inet6 hashsize 64
+		create ssr6_${rule}_src_checkdst hash:net family inet6 hashsize 64
+		create ssr6_${rule}_dst_bypass hash:net family inet6 hashsize 64
+		create ss_rules6_dst_bypass_all hash:net family inet6 hashsize 64
+		create ssr6_${rule}_dst_bypass_ hash:net family inet6 hashsize 64
+		create ssr6_${rule}_dst_forward hash:net family inet6 hashsize 64
+		create ss_rules6_dst_forward_recrst_ hash:ip family inet6 hashsize 64 timeout 3600
+		$(xray_rules6_ipset_mkadd ssr6_${rule}_dst_bypass_ "$o_dst_bypass_ $o_remote_servers")
+		$(xray_rules6_ipset_mkadd ss_rules6_dst_bypass_all "$o_dst_bypass $(cat "$o_dst_bypass_file" 2>/dev/null | grep -o '\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}')")
+		$(xray_rules6_ipset_mkadd ssr6_${rule}_dst_bypass "$o_dst_bypass $(cat "$o_dst_bypass_file" 2>/dev/null | grep -o '\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}')")
+		$(xray_rules6_ipset_mkadd ssr6_${rule}_src_bypass "$o_src_bypass")
+		$(xray_rules6_ipset_mkadd ssr6_${rule}_src_forward "$o_src_forward")
+		$(xray_rules6_ipset_mkadd ssr6_${rule}_src_checkdst "$o_src_checkdst")
+		$(xray_rules6_ipset_mkadd ssr6_${rule}_dst_forward "$o_dst_forward $(cat "$o_dst_forward_file" 2>/dev/null | grep -o '\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}')")
+	EOF
+}
+
+xray_rules6_ipset_mkadd() {
+	local setname="$1"; shift
+	local i
+
+	for i in $*; do
+		echo "add $setname $i"
+	done
+}
+
+xray_rules6_iptchains_init() {
+	xray_rules6_iptchains_init_mark
+	xray_rules6_iptchains_init_tcp
+	xray_rules6_iptchains_init_udp
+}
+
+xray_rules6_iptchains_init_mark() {
+	$IP6TABLESRESTORE --noflush <<-EOF
+		*mangle
+		-A PREROUTING -m set --match-set ss_rules6_dst_bypass_all dst -j MARK --set-mark 0x6539
+		COMMIT
+	EOF
+}
+
+
+xray_rules6_iptchains_init_tcp() {
+	local local_target
+
+	[ -n "$o_redir_tcp_port" ] || return 0
+
+	#xray_rules6_iptchains_init_ nat tcp
+	xray_rules6_iptchains_init_ mangle tcp
+
+	case "$o_local_default" in
+		checkdst) local_target=xr6_${rule}_dst ;;
+		forward) local_target=xr6_${rule}_forward ;;
+		bypass|*) return 0;;
+	esac
+
+#	echo "tcp mangle"
+#	$IP6TABLESRESTORE --noflush <<-EOF
+#		*mangle
+#		:xr6_${rule}_local_out -
+#		-I OUTPUT 1 -p tcp -j xr6_${rule}_local_out
+#		-A xr6_${rule}_local_out -m set --match-set ss_rules6_dst_bypass dst -j RETURN
+#		-A xr6_${rule}_local_out -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
+#		-A xr6_${rule}_local_out -m set --match-set ss_rules6_dst_bypass_ dst -j RETURN
+#		-A xr6_${rule}_local_out -m mark --mark 0x6539 -j RETURN
+#		-A xr6_${rule}_local_out -p tcp $o_ipt_extra -j $local_target -m comment --comment "local_default: $o_local_default"
+#		COMMIT
+#	EOF
+#	echo "done"
+}
+
+xray_rules6_iptchains_init_udp() {
+	[ -n "$o_redir_udp_port" ] || return 0
+	xray_rules6_iptchains_init_ mangle udp
+}
+
+xray_rules6_iptchains_init_() {
+	local table="$1"
+	local proto="$2"
+	local forward_rules
+	local src_default_target dst_default_target
+	local recentrst_mangle_rules recentrst_addset_rules
+
+	case "$proto" in
+		tcp)
+			#forward_rules="-A xr6_${rule}_forward -p tcp -j REDIRECT --to-ports $o_redir_tcp_port"
+			forward_rules="-A xr6_${rule}_forward -p tcp -j TPROXY --on-port $o_redir_tcp_port --tproxy-mark 0x01/0x01"
+			if [ -n "$o_dst_forward_recentrst" ]; then
+				recentrst_mangle_rules="
+					*mangle
+					-I PREROUTING 1 -p tcp -m tcp --tcp-flags RST RST -m recent --name ss_rules6_recentrst --set --rsource
+					COMMIT
+				"
+				recentrst_addset_rules="
+					-A xr6_${rule}_dst -m recent --name ss_rules6_recentrst --rcheck --rdest --seconds 3 --hitcount 3 -j SET --add-set ss_rules6_dst_forward_recrst_ dst --exist
+					-A xr6_${rule}_dst -m set --match-set ss_rules6_dst_forward_recrst_ dst -j xr6_${rule}_forward
+				"
+			fi
+			;;
+		udp)
+			ip -f inet6 rule add fwmark 1 lookup 100 || true
+			ip -f inet6 route add local default dev lo table 100 || true
+			forward_rules="
+				-A xr6_${rule}_forward -p udp -j TPROXY --on-port "$o_redir_udp_port" --tproxy-mark 0x01/0x01
+				-A xr6_${rule}_forward -p tcp -j TPROXY --on-port "$o_redir_udp_port" --tproxy-mark 0x01/0x01
+			"
+			;;
+	esac
+	case "$o_src_default" in
+		forward) src_default_target=xr6_${rule}_forward ;;
+		checkdst) src_default_target=xr6_${rule}_dst ;;
+		bypass|*) src_default_target=RETURN ;;
+	esac
+	case "$o_dst_default" in
+		forward) dst_default_target=xr6_${rule}_forward ;;
+		bypass|*) dst_default_target=RETURN ;;
+	esac
+	sed -e '/^\s*$/d' -e 's/^\s\+//' <<-EOF | $IP6TABLESRESTORE --noflush
+		*$table
+		:xr6_${rule}_pre_src -
+		:xr6_${rule}_src -
+		:xr6_${rule}_dst -
+		:xr6_${rule}_forward -
+		$(xray_rules6_iptchains_mkprerules "udp")
+		$(xray_rules6_iptchains_mkprerules "tcp")
+		-A xr6_${rule}_pre_src -m set --match-set ssr6_${rule}_dst_bypass_ dst -j RETURN
+		-A xr6_${rule}_pre_src -m set --match-set ss_rules6_dst_bypass_all dst -j MARK --set-mark 0x6539
+		-A xr6_${rule}_pre_src -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
+		-A xr6_${rule}_pre_src -m set --match-set ssr6_${rule}_dst_bypass dst -j RETURN
+		-A xr6_${rule}_pre_src -m mark --mark 0x6539 -j RETURN
+		-A xr6_${rule}_dst -m set --match-set ss_rules6_dst_bypass_all dst -j RETURN
+		-A xr6_${rule}_dst -m set --match-set ssr6_${rule}_dst_bypass dst -j RETURN
+		-A xr6_${rule}_pre_src -p tcp $o_ipt_extra -j xr6_${rule}_src
+		-A xr6_${rule}_pre_src -p udp $o_ipt_extra -j xr6_${rule}_src
+		-A xr6_${rule}_src -m set --match-set ssr6_${rule}_src_bypass src -j RETURN
+		-A xr6_${rule}_src -m set --match-set ssr6_${rule}_src_forward src -j xr6_${rule}_forward
+		-A xr6_${rule}_src -m set --match-set ssr6_${rule}_src_checkdst src -j xr6_${rule}_dst
+		-A xr6_${rule}_src -j $src_default_target -m comment --comment "src_default: $o_src_default"
+		-A xr6_${rule}_dst -m set --match-set ssr6_${rule}_dst_forward dst -j xr6_${rule}_forward
+		$recentrst_addset_rules
+		-A xr6_${rule}_dst -j $dst_default_target -m comment --comment "dst_default: $o_dst_default"
+		$forward_rules
+		COMMIT
+		$recentrst_mangle_rules
+	EOF
+}
+
+xray_rules6_iptchains_mkprerules() {
+	local proto="$1"
+
+	if [ -z "$o_ifnames" ]; then
+		echo "-A PREROUTING -p $proto -j xr6_${rule}_pre_src"
+	else
+		echo $o_ifnames \
+			| tr ' ' '\n' \
+			| sed "s/.*/-I PREROUTING 1 -i \\0 -p $proto -j xr6_${rule}_pre_src/"
+	fi
+}
+
+xray_rules6_fw_drop() {
+	fw3 -6 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j reject/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
+	while IFS=$"\n" read -r c; do
+		fwrule=$(echo "$c" | sed 's/reject/REDIRECT --to-ports 65535/')
+		if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
+			eval "$IP6TABLES -w -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
+		fi
+	done
+	fw3 -6 print 2>/dev/null | awk '/iptables/&&/zone_lan_forward/&&/tcp/&&/-t filter/&&/-j drop/ {for(i=6; i<=NF; i++) { printf "%s ",$i } print "\n" }' |
+	while IFS=$"\n" read -r c; do
+		fwrule=$(echo "$c" | sed 's/drop/REDIRECT --to-ports 65535/')
+		if [ -n "$fwrule" ] && [ -z "$(iptables-save | grep zone_lan_prerouting | grep '${fwrule}')" ]; then
+			eval "$IP6TABLES -t nat -A zone_lan_prerouting ${fwrule} 2>&1 >/dev/null"
+		fi
+	done
+}
+
+xray_rules6_parse_args "$@"
+xray_rules6_flush
+xray_rules6_ipset_init
+xray_rules6_iptchains_init
+xray_rules6_fw_drop
--- a/xray-core/patches/001-fix-wireguard-go.patch
+++ b/xray-core/patches/001-fix-wireguard-go.patch
@ -0,0 +1,97 @@
+diff -aurN xray-core-1.8.5.old/go.mod xray-core-1.8.5/go.mod
+--- a/go.mod	2023-09-18 16:14:12.554956393 +0200
+++ b/go.mod	2023-09-18 16:16:56.304259547 +0200
+@@ -12,13 +12,13 @@
+ 	github.com/pires/go-proxyproto v0.7.0
+ 	github.com/quic-go/quic-go v0.38.1
+ 	github.com/refraction-networking/utls v1.4.3
+-	github.com/sagernet/sing v0.2.9
+	github.com/sagernet/sing v0.2.10-0.20230807080248-4db0062caa0a
+ 	github.com/sagernet/sing-shadowsocks v0.2.4
+-	github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c
+ 	github.com/seiflotfy/cuckoofilter v0.0.0-20220411075957-e3b120b3f5fb
+ 	github.com/stretchr/testify v1.8.4
+ 	github.com/v2fly/ss-bloomring v0.0.0-20210312155135-28617310f63e
+ 	github.com/xtls/reality v0.0.0-20230828171259-e426190d57f6
+	github.com/xtls/wireguard-go v0.0.0-20230303120718-56f003b3a66e
+ 	go4.org/netipx v0.0.0-20230824141953-6213f710f925
+ 	golang.org/x/crypto v0.12.0
+ 	golang.org/x/net v0.14.0
+@@ -47,7 +47,7 @@
+ 	github.com/pmezard/go-difflib v1.0.0 // indirect
+ 	github.com/quic-go/qtls-go1-20 v0.3.3 // indirect
+ 	github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3 // indirect
+-	go.uber.org/atomic v1.11.0 // indirect
+	go.uber.org/atomic v1.10.0 // indirect
+ 	golang.org/x/exp v0.0.0-20230725093048-515e97ebf090 // indirect
+ 	golang.org/x/mod v0.12.0 // indirect
+ 	golang.org/x/text v0.12.0 // indirect
+diff -aurN xray-core-1.8.5.old/go.sum xray-core-1.8.5/go.sum
+--- a/go.sum	2023-09-18 16:14:12.554956393 +0200
+++ b/go.sum	2023-09-18 16:16:56.304259547 +0200
+@@ -123,12 +123,10 @@
+ github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3 h1:f/FNXud6gA3MNr8meMVVGxhp+QBTqY91tM8HjEuMjGg=
+ github.com/riobard/go-bloom v0.0.0-20200614022211-cdc8013cb5b3/go.mod h1:HgjTstvQsPGkxUsCd2KWxErBblirPizecHcpD3ffK+s=
+ github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
+-github.com/sagernet/sing v0.2.9 h1:3wsTz+JG5Wzy65eZnh6AuCrD2QqcRF6Iq6f7ttmJsAo=
+-github.com/sagernet/sing v0.2.9/go.mod h1:Ta8nHnDLAwqySzKhGoKk4ZIB+vJ3GTKj7UPrWYvM+4w=
+github.com/sagernet/sing v0.2.10-0.20230807080248-4db0062caa0a h1:b89t6Mjgk4rJ5lrNMnCzy1/J116XkhgdB3YNd9FHyF4=
+github.com/sagernet/sing v0.2.10-0.20230807080248-4db0062caa0a/go.mod h1:9uOZwWkhT2Z2WldolLxX34s+1svAX4i4vvz5hy8u1MA=
+ github.com/sagernet/sing-shadowsocks v0.2.4 h1:s/CqXlvFAZhlIoHWUwPw5CoNnQ9Ibki9pckjuugtVfY=
+ github.com/sagernet/sing-shadowsocks v0.2.4/go.mod h1:80fNKP0wnqlu85GZXV1H1vDPC/2t+dQbFggOw4XuFUM=
+-github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c h1:vK2wyt9aWYHHvNLWniwijBu/n4pySypiKRhN32u/JGo=
+-github.com/sagernet/wireguard-go v0.0.0-20221116151939-c99467f53f2c/go.mod h1:euOmN6O5kk9dQmgSS8Df4psAl3TCjxOz0NW60EWkSaI=
+ github.com/seiflotfy/cuckoofilter v0.0.0-20220411075957-e3b120b3f5fb h1:XfLJSPIOUX+osiMraVgIrMR27uMXnRJWGm1+GL8/63U=
+ github.com/seiflotfy/cuckoofilter v0.0.0-20220411075957-e3b120b3f5fb/go.mod h1:bR6DqgcAl1zTcOX8/pE2Qkj9XO00eCNqmKb7lXP8EAg=
+ github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
+@@ -168,10 +166,12 @@
+ github.com/viant/toolbox v0.24.0/go.mod h1:OxMCG57V0PXuIP2HNQrtJf2CjqdmbrOx5EkMILuUhzM=
+ github.com/xtls/reality v0.0.0-20230828171259-e426190d57f6 h1:T+YCYGfFdzyaKTDCdZn/hEiKvsw6yUfd+e4hze0rCUw=
+ github.com/xtls/reality v0.0.0-20230828171259-e426190d57f6/go.mod h1:rkuAY1S9F8eI8gDiPDYvACE8e2uwkyg8qoOTuwWov7Y=
+github.com/xtls/wireguard-go v0.0.0-20230303120718-56f003b3a66e h1:Y0CxNt+TeOhFUS2J/EF6osq9RukduvGYUNk2xPdKW60=
+github.com/xtls/wireguard-go v0.0.0-20230303120718-56f003b3a66e/go.mod h1:XFvPXP1gUqy/12j+KbdShku+YWiZJjaYLEAn4ZXaRGU=
+ github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+ go.opencensus.io v0.18.0/go.mod h1:vKdFvxhtzZ9onBp9VKHK8z/sRpBMnKAsufL7wlDrCOA=
+-go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
+-go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
+go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ=
+go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
+ go4.org v0.0.0-20180809161055-417644f6feb5/go.mod h1:MkTOUMDaeVYJUOUsaDXIhWPZYa1yOyC1qaOBpL57BhE=
+ go4.org/netipx v0.0.0-20230824141953-6213f710f925 h1:eeQDDVKFkx0g4Hyy8pHgmZaK0EqB4SD6rvKbUdN3ziQ=
+ go4.org/netipx v0.0.0-20230824141953-6213f710f925/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
+diff -aurN xray-core-1.8.5.old/proxy/wireguard/bind.go xray-core-1.8.5/proxy/wireguard/bind.go
+--- a/proxy/wireguard/bind.go	2023-09-18 16:14:12.562956262 +0200
+++ b/proxy/wireguard/bind.go	2023-09-18 16:15:43.597456179 +0200
+@@ -9,7 +9,7 @@
+ 	"strconv"
+ 	"sync"
+ 
+-	"github.com/sagernet/wireguard-go/conn"
+	"github.com/xtls/wireguard-go/conn"
+ 	xnet "github.com/xtls/xray-core/common/net"
+ 	"github.com/xtls/xray-core/features/dns"
+ 	"github.com/xtls/xray-core/transport/internet"
+diff -aurN xray-core-1.8.5.old/proxy/wireguard/tun.go xray-core-1.8.5/proxy/wireguard/tun.go
+--- a/proxy/wireguard/tun.go	2023-09-18 16:14:12.562956262 +0200
+++ b/proxy/wireguard/tun.go	2023-09-18 16:15:52.413310983 +0200
+@@ -12,7 +12,7 @@
+ 	"net/netip"
+ 	"os"
+ 
+-	"github.com/sagernet/wireguard-go/tun"
+	"github.com/xtls/wireguard-go/tun"
+ 	"github.com/xtls/xray-core/features/dns"
+ 	"gvisor.dev/gvisor/pkg/buffer"
+ 	"gvisor.dev/gvisor/pkg/tcpip"
+diff -aurN xray-core-1.8.5.old/proxy/wireguard/wireguard.go xray-core-1.8.5/proxy/wireguard/wireguard.go
+--- a/proxy/wireguard/wireguard.go	2023-09-18 16:14:12.562956262 +0200
+++ b/proxy/wireguard/wireguard.go	2023-09-18 16:16:01.109167878 +0200
+@@ -27,7 +27,7 @@
+ 	"net/netip"
+ 	"strings"
+ 
+-	"github.com/sagernet/wireguard-go/device"
+	"github.com/xtls/wireguard-go/device"
+ 	"github.com/xtls/xray-core/common"
+ 	"github.com/xtls/xray-core/common/buf"
+ 	"github.com/xtls/xray-core/common/log"