Crazy sekai overturns the small pond

2025-04-03 20:07:36 +03:00 · 2024-10-21 23:38:34 +08:00 · 2024-10-21 23:38:34 +08:00 · 8304295c48
commit 8304295c48
parent 253b41936e
139 changed files with 2866 additions and 1559 deletions
--- a/route/rule/rule_abstract.go
+++ b/route/rule/rule_abstract.go
@ -0,0 +1,251 @@
+package rule
+
+import (
+	"io"
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing/common"
+	F "github.com/sagernet/sing/common/format"
+)
+
+type abstractDefaultRule struct {
+	items                   []RuleItem
+	sourceAddressItems      []RuleItem
+	sourcePortItems         []RuleItem
+	destinationAddressItems []RuleItem
+	destinationIPCIDRItems  []RuleItem
+	destinationPortItems    []RuleItem
+	allItems                []RuleItem
+	ruleSetItem             RuleItem
+	invert                  bool
+	action                  adapter.RuleAction
+}
+
+func (r *abstractDefaultRule) Type() string {
+	return C.RuleTypeDefault
+}
+
+func (r *abstractDefaultRule) Start() error {
+	for _, item := range r.allItems {
+		if starter, isStarter := item.(interface {
+			Start() error
+		}); isStarter {
+			err := starter.Start()
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func (r *abstractDefaultRule) Close() error {
+	for _, item := range r.allItems {
+		err := common.Close(item)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *abstractDefaultRule) UpdateGeosite() error {
+	for _, item := range r.allItems {
+		if geositeItem, isSite := item.(*GeositeItem); isSite {
+			err := geositeItem.Update()
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+func (r *abstractDefaultRule) Match(metadata *adapter.InboundContext) bool {
+	if len(r.allItems) == 0 {
+		return true
+	}
+
+	if len(r.sourceAddressItems) > 0 && !metadata.SourceAddressMatch {
+		metadata.DidMatch = true
+		for _, item := range r.sourceAddressItems {
+			if item.Match(metadata) {
+				metadata.SourceAddressMatch = true
+				break
+			}
+		}
+	}
+
+	if len(r.sourcePortItems) > 0 && !metadata.SourcePortMatch {
+		metadata.DidMatch = true
+		for _, item := range r.sourcePortItems {
+			if item.Match(metadata) {
+				metadata.SourcePortMatch = true
+				break
+			}
+		}
+	}
+
+	if len(r.destinationAddressItems) > 0 && !metadata.DestinationAddressMatch {
+		metadata.DidMatch = true
+		for _, item := range r.destinationAddressItems {
+			if item.Match(metadata) {
+				metadata.DestinationAddressMatch = true
+				break
+			}
+		}
+	}
+
+	if !metadata.IgnoreDestinationIPCIDRMatch && len(r.destinationIPCIDRItems) > 0 && !metadata.DestinationAddressMatch {
+		metadata.DidMatch = true
+		for _, item := range r.destinationIPCIDRItems {
+			if item.Match(metadata) {
+				metadata.DestinationAddressMatch = true
+				break
+			}
+		}
+	}
+
+	if len(r.destinationPortItems) > 0 && !metadata.DestinationPortMatch {
+		metadata.DidMatch = true
+		for _, item := range r.destinationPortItems {
+			if item.Match(metadata) {
+				metadata.DestinationPortMatch = true
+				break
+			}
+		}
+	}
+
+	for _, item := range r.items {
+		if _, isRuleSet := item.(*RuleSetItem); !isRuleSet {
+			metadata.DidMatch = true
+		}
+		if !item.Match(metadata) {
+			return r.invert
+		}
+	}
+
+	if len(r.sourceAddressItems) > 0 && !metadata.SourceAddressMatch {
+		return r.invert
+	}
+
+	if len(r.sourcePortItems) > 0 && !metadata.SourcePortMatch {
+		return r.invert
+	}
+
+	if ((!metadata.IgnoreDestinationIPCIDRMatch && len(r.destinationIPCIDRItems) > 0) || len(r.destinationAddressItems) > 0) && !metadata.DestinationAddressMatch {
+		return r.invert
+	}
+
+	if len(r.destinationPortItems) > 0 && !metadata.DestinationPortMatch {
+		return r.invert
+	}
+
+	if !metadata.DidMatch {
+		return true
+	}
+
+	return !r.invert
+}
+
+func (r *abstractDefaultRule) Action() adapter.RuleAction {
+	return r.action
+}
+
+func (r *abstractDefaultRule) String() string {
+	if !r.invert {
+		return strings.Join(F.MapToString(r.allItems), " ")
+	} else {
+		return "!(" + strings.Join(F.MapToString(r.allItems), " ") + ")"
+	}
+}
+
+type abstractLogicalRule struct {
+	rules  []adapter.HeadlessRule
+	mode   string
+	invert bool
+	action adapter.RuleAction
+}
+
+func (r *abstractLogicalRule) Type() string {
+	return C.RuleTypeLogical
+}
+
+func (r *abstractLogicalRule) UpdateGeosite() error {
+	for _, rule := range common.FilterIsInstance(r.rules, func(it adapter.HeadlessRule) (adapter.Rule, bool) {
+		rule, loaded := it.(adapter.Rule)
+		return rule, loaded
+	}) {
+		err := rule.UpdateGeosite()
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *abstractLogicalRule) Start() error {
+	for _, rule := range common.FilterIsInstance(r.rules, func(it adapter.HeadlessRule) (interface {
+		Start() error
+	}, bool,
+	) {
+		rule, loaded := it.(interface {
+			Start() error
+		})
+		return rule, loaded
+	}) {
+		err := rule.Start()
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *abstractLogicalRule) Close() error {
+	for _, rule := range common.FilterIsInstance(r.rules, func(it adapter.HeadlessRule) (io.Closer, bool) {
+		rule, loaded := it.(io.Closer)
+		return rule, loaded
+	}) {
+		err := rule.Close()
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (r *abstractLogicalRule) Match(metadata *adapter.InboundContext) bool {
+	if r.mode == C.LogicalTypeAnd {
+		return common.All(r.rules, func(it adapter.HeadlessRule) bool {
+			metadata.ResetRuleCache()
+			return it.Match(metadata)
+		}) != r.invert
+	} else {
+		return common.Any(r.rules, func(it adapter.HeadlessRule) bool {
+			metadata.ResetRuleCache()
+			return it.Match(metadata)
+		}) != r.invert
+	}
+}
+
+func (r *abstractLogicalRule) Action() adapter.RuleAction {
+	return r.action
+}
+
+func (r *abstractLogicalRule) String() string {
+	var op string
+	switch r.mode {
+	case C.LogicalTypeAnd:
+		op = "&&"
+	case C.LogicalTypeOr:
+		op = "||"
+	}
+	if !r.invert {
+		return strings.Join(F.MapToString(r.rules), " "+op+" ")
+	} else {
+		return "!(" + strings.Join(F.MapToString(r.rules), " "+op+" ") + ")"
+	}
+}
--- a/route/rule/rule_action.go
+++ b/route/rule/rule_action.go
@ -0,0 +1,228 @@
+package rule
+
+import (
+	"net/netip"
+	"strings"
+	"time"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/sniff"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-dns"
+	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
+)
+
+func NewRuleAction(action option.RuleAction) (adapter.RuleAction, error) {
+	switch action.Action {
+	case C.RuleActionTypeRoute:
+		return &RuleActionRoute{
+			Outbound:                  action.RouteOptions.Outbound,
+			UDPDisableDomainUnmapping: action.RouteOptions.UDPDisableDomainUnmapping,
+		}, nil
+	case C.RuleActionTypeReturn:
+		return &RuleActionReject{}, nil
+	case C.RuleActionTypeReject:
+		return &RuleActionReject{
+			Method: string(action.RejectOptions.Method),
+		}, nil
+	case C.RuleActionTypeHijackDNS:
+		return &RuleActionHijackDNS{}, nil
+	case C.RuleActionTypeSniff:
+		sniffAction := &RuleActionSniff{
+			snifferNames: action.SniffOptions.Sniffer,
+			Timeout:      time.Duration(action.SniffOptions.Timeout),
+		}
+		return sniffAction, sniffAction.build()
+	case C.RuleActionTypeResolve:
+		return &RuleActionResolve{
+			Strategy: dns.DomainStrategy(action.ResolveOptions.Strategy),
+			Server:   action.ResolveOptions.Server,
+		}, nil
+	default:
+		panic(F.ToString("unknown rule action: ", action.Action))
+	}
+}
+
+func NewDNSRuleAction(action option.DNSRuleAction) adapter.RuleAction {
+	switch action.Action {
+	case C.RuleActionTypeRoute:
+		return &RuleActionDNSRoute{
+			Server:       action.RouteOptions.Server,
+			DisableCache: action.RouteOptions.DisableCache,
+			RewriteTTL:   action.RouteOptions.RewriteTTL,
+			ClientSubnet: action.RouteOptions.ClientSubnet.Build(),
+		}
+	case C.RuleActionTypeReturn:
+		return &RuleActionReturn{}
+	case C.RuleActionTypeReject:
+		return &RuleActionReject{
+			Method: string(action.RejectOptions.Method),
+		}
+	default:
+		panic(F.ToString("unknown rule action: ", action.Action))
+	}
+}
+
+type RuleActionRoute struct {
+	Outbound                  string
+	UDPDisableDomainUnmapping bool
+}
+
+func (r *RuleActionRoute) Type() string {
+	return C.RuleActionTypeRoute
+}
+
+func (r *RuleActionRoute) String() string {
+	return F.ToString("route(", r.Outbound, ")")
+}
+
+type RuleActionDNSRoute struct {
+	Server       string
+	DisableCache bool
+	RewriteTTL   *uint32
+	ClientSubnet netip.Prefix
+}
+
+func (r *RuleActionDNSRoute) Type() string {
+	return C.RuleActionTypeRoute
+}
+
+func (r *RuleActionDNSRoute) String() string {
+	return F.ToString("route(", r.Server, ")")
+}
+
+type RuleActionReturn struct{}
+
+func (r *RuleActionReturn) Type() string {
+	return C.RuleActionTypeReturn
+}
+
+func (r *RuleActionReturn) String() string {
+	return "return"
+}
+
+type RuleActionReject struct {
+	Method string
+}
+
+func (r *RuleActionReject) Type() string {
+	return C.RuleActionTypeReject
+}
+
+func (r *RuleActionReject) String() string {
+	if r.Method == C.RuleActionRejectMethodDefault {
+		return "reject"
+	}
+	return F.ToString("reject(", r.Method, ")")
+}
+
+type RuleActionHijackDNS struct{}
+
+func (r *RuleActionHijackDNS) Type() string {
+	return C.RuleActionTypeHijackDNS
+}
+
+func (r *RuleActionHijackDNS) String() string {
+	return "hijack-dns"
+}
+
+type RuleActionSniff struct {
+	snifferNames   []string
+	StreamSniffers []sniff.StreamSniffer
+	PacketSniffers []sniff.PacketSniffer
+	Timeout        time.Duration
+	// Deprecated
+	OverrideDestination bool
+}
+
+func (r *RuleActionSniff) Type() string {
+	return C.RuleActionTypeSniff
+}
+
+func (r *RuleActionSniff) build() error {
+	if len(r.StreamSniffers) > 0 || len(r.PacketSniffers) > 0 {
+		return nil
+	}
+	if len(r.snifferNames) > 0 {
+		for _, name := range r.snifferNames {
+			switch name {
+			case C.ProtocolTLS:
+				r.StreamSniffers = append(r.StreamSniffers, sniff.TLSClientHello)
+			case C.ProtocolHTTP:
+				r.StreamSniffers = append(r.StreamSniffers, sniff.HTTPHost)
+			case C.ProtocolQUIC:
+				r.PacketSniffers = append(r.PacketSniffers, sniff.QUICClientHello)
+			case C.ProtocolDNS:
+				r.StreamSniffers = append(r.StreamSniffers, sniff.StreamDomainNameQuery)
+				r.PacketSniffers = append(r.PacketSniffers, sniff.DomainNameQuery)
+			case C.ProtocolSTUN:
+				r.PacketSniffers = append(r.PacketSniffers, sniff.STUNMessage)
+			case C.ProtocolBitTorrent:
+				r.StreamSniffers = append(r.StreamSniffers, sniff.BitTorrent)
+				r.PacketSniffers = append(r.PacketSniffers, sniff.UTP)
+				r.PacketSniffers = append(r.PacketSniffers, sniff.UDPTracker)
+			case C.ProtocolDTLS:
+				r.PacketSniffers = append(r.PacketSniffers, sniff.DTLSRecord)
+			case C.ProtocolSSH:
+				r.StreamSniffers = append(r.StreamSniffers, sniff.SSH)
+			case C.ProtocolRDP:
+				r.StreamSniffers = append(r.StreamSniffers, sniff.RDP)
+			default:
+				return E.New("unknown sniffer: ", name)
+			}
+		}
+	} else {
+		r.StreamSniffers = []sniff.StreamSniffer{
+			sniff.TLSClientHello,
+			sniff.HTTPHost,
+			sniff.StreamDomainNameQuery,
+			sniff.BitTorrent,
+			sniff.SSH,
+			sniff.RDP,
+		}
+		r.PacketSniffers = []sniff.PacketSniffer{
+			sniff.DomainNameQuery,
+			sniff.QUICClientHello,
+			sniff.STUNMessage,
+			sniff.UTP,
+			sniff.UDPTracker,
+			sniff.DTLSRecord,
+		}
+	}
+	return nil
+}
+
+func (r *RuleActionSniff) String() string {
+	if len(r.snifferNames) == 0 && r.Timeout == 0 {
+		return "sniff"
+	} else if len(r.snifferNames) > 0 && r.Timeout == 0 {
+		return F.ToString("sniff(", strings.Join(r.snifferNames, ","), ")")
+	} else if len(r.snifferNames) == 0 && r.Timeout > 0 {
+		return F.ToString("sniff(", r.Timeout.String(), ")")
+	} else {
+		return F.ToString("sniff(", strings.Join(r.snifferNames, ","), ",", r.Timeout.String(), ")")
+	}
+}
+
+type RuleActionResolve struct {
+	Strategy dns.DomainStrategy
+	Server   string
+}
+
+func (r *RuleActionResolve) Type() string {
+	return C.RuleActionTypeResolve
+}
+
+func (r *RuleActionResolve) String() string {
+	if r.Strategy == dns.DomainStrategyAsIS && r.Server == "" {
+		return F.ToString("resolve")
+	} else if r.Strategy != dns.DomainStrategyAsIS && r.Server == "" {
+		return F.ToString("resolve(", option.DomainStrategy(r.Strategy).String(), ")")
+	} else if r.Strategy == dns.DomainStrategyAsIS && r.Server != "" {
+		return F.ToString("resolve(", r.Server, ")")
+	} else {
+		return F.ToString("resolve(", option.DomainStrategy(r.Strategy).String(), ",", r.Server, ")")
+	}
+}
--- a/route/rule/rule_default.go
+++ b/route/rule/rule_default.go
@ -0,0 +1,284 @@
+package rule
+
+import (
+	"context"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/experimental/deprecated"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+func NewRule(ctx context.Context, router adapter.Router, logger log.ContextLogger, options option.Rule, checkOutbound bool) (adapter.Rule, error) {
+	switch options.Type {
+	case "", C.RuleTypeDefault:
+		if !options.DefaultOptions.IsValid() {
+			return nil, E.New("missing conditions")
+		}
+		switch options.DefaultOptions.Action {
+		case "", C.RuleActionTypeRoute:
+			if options.DefaultOptions.RouteOptions.Outbound == "" && checkOutbound {
+				return nil, E.New("missing outbound field")
+			}
+		}
+		return NewDefaultRule(ctx, router, logger, options.DefaultOptions)
+	case C.RuleTypeLogical:
+		if !options.LogicalOptions.IsValid() {
+			return nil, E.New("missing conditions")
+		}
+		switch options.LogicalOptions.Action {
+		case "", C.RuleActionTypeRoute:
+			if options.LogicalOptions.RouteOptions.Outbound == "" && checkOutbound {
+				return nil, E.New("missing outbound field")
+			}
+		}
+		return NewLogicalRule(ctx, router, logger, options.LogicalOptions)
+	default:
+		return nil, E.New("unknown rule type: ", options.Type)
+	}
+}
+
+var _ adapter.Rule = (*DefaultRule)(nil)
+
+type DefaultRule struct {
+	abstractDefaultRule
+}
+
+type RuleItem interface {
+	Match(metadata *adapter.InboundContext) bool
+	String() string
+}
+
+func NewDefaultRule(ctx context.Context, router adapter.Router, logger log.ContextLogger, options option.DefaultRule) (*DefaultRule, error) {
+	action, err := NewRuleAction(options.RuleAction)
+	if err != nil {
+		return nil, E.Cause(err, "action")
+	}
+	rule := &DefaultRule{
+		abstractDefaultRule{
+			invert: options.Invert,
+			action: action,
+		},
+	}
+	if len(options.Inbound) > 0 {
+		item := NewInboundRule(options.Inbound)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if options.IPVersion > 0 {
+		switch options.IPVersion {
+		case 4, 6:
+			item := NewIPVersionItem(options.IPVersion == 6)
+			rule.items = append(rule.items, item)
+			rule.allItems = append(rule.allItems, item)
+		default:
+			return nil, E.New("invalid ip version: ", options.IPVersion)
+		}
+	}
+	if len(options.Network) > 0 {
+		item := NewNetworkItem(options.Network)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.AuthUser) > 0 {
+		item := NewAuthUserItem(options.AuthUser)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.Protocol) > 0 {
+		item := NewProtocolItem(options.Protocol)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.Client) > 0 {
+		item := NewClientItem(options.Client)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.Domain) > 0 || len(options.DomainSuffix) > 0 {
+		item := NewDomainItem(options.Domain, options.DomainSuffix)
+		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.DomainKeyword) > 0 {
+		item := NewDomainKeywordItem(options.DomainKeyword)
+		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.DomainRegex) > 0 {
+		item, err := NewDomainRegexItem(options.DomainRegex)
+		if err != nil {
+			return nil, E.Cause(err, "domain_regex")
+		}
+		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.Geosite) > 0 {
+		item := NewGeositeItem(router, logger, options.Geosite)
+		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.SourceGeoIP) > 0 {
+		item := NewGeoIPItem(router, logger, true, options.SourceGeoIP)
+		rule.sourceAddressItems = append(rule.sourceAddressItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.GeoIP) > 0 {
+		item := NewGeoIPItem(router, logger, false, options.GeoIP)
+		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.SourceIPCIDR) > 0 {
+		item, err := NewIPCIDRItem(true, options.SourceIPCIDR)
+		if err != nil {
+			return nil, E.Cause(err, "source_ip_cidr")
+		}
+		rule.sourceAddressItems = append(rule.sourceAddressItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if options.SourceIPIsPrivate {
+		item := NewIPIsPrivateItem(true)
+		rule.sourceAddressItems = append(rule.sourceAddressItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.IPCIDR) > 0 {
+		item, err := NewIPCIDRItem(false, options.IPCIDR)
+		if err != nil {
+			return nil, E.Cause(err, "ipcidr")
+		}
+		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if options.IPIsPrivate {
+		item := NewIPIsPrivateItem(false)
+		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.SourcePort) > 0 {
+		item := NewPortItem(true, options.SourcePort)
+		rule.sourcePortItems = append(rule.sourcePortItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.SourcePortRange) > 0 {
+		item, err := NewPortRangeItem(true, options.SourcePortRange)
+		if err != nil {
+			return nil, E.Cause(err, "source_port_range")
+		}
+		rule.sourcePortItems = append(rule.sourcePortItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.Port) > 0 {
+		item := NewPortItem(false, options.Port)
+		rule.destinationPortItems = append(rule.destinationPortItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.PortRange) > 0 {
+		item, err := NewPortRangeItem(false, options.PortRange)
+		if err != nil {
+			return nil, E.Cause(err, "port_range")
+		}
+		rule.destinationPortItems = append(rule.destinationPortItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.ProcessName) > 0 {
+		item := NewProcessItem(options.ProcessName)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.ProcessPath) > 0 {
+		item := NewProcessPathItem(options.ProcessPath)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.ProcessPathRegex) > 0 {
+		item, err := NewProcessPathRegexItem(options.ProcessPathRegex)
+		if err != nil {
+			return nil, E.Cause(err, "process_path_regex")
+		}
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.PackageName) > 0 {
+		item := NewPackageNameItem(options.PackageName)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.User) > 0 {
+		item := NewUserItem(options.User)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.UserID) > 0 {
+		item := NewUserIDItem(options.UserID)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if options.ClashMode != "" {
+		item := NewClashModeItem(router, options.ClashMode)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.WIFISSID) > 0 {
+		item := NewWIFISSIDItem(router, options.WIFISSID)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.WIFIBSSID) > 0 {
+		item := NewWIFIBSSIDItem(router, options.WIFIBSSID)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.RuleSet) > 0 {
+		var matchSource bool
+		if options.RuleSetIPCIDRMatchSource {
+			matchSource = true
+		} else
+		//nolint:staticcheck
+		if options.Deprecated_RulesetIPCIDRMatchSource {
+			matchSource = true
+			deprecated.Report(ctx, deprecated.OptionBadMatchSource)
+		}
+		item := NewRuleSetItem(router, options.RuleSet, matchSource, false)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	return rule, nil
+}
+
+var _ adapter.Rule = (*LogicalRule)(nil)
+
+type LogicalRule struct {
+	abstractLogicalRule
+}
+
+func NewLogicalRule(ctx context.Context, router adapter.Router, logger log.ContextLogger, options option.LogicalRule) (*LogicalRule, error) {
+	action, err := NewRuleAction(options.RuleAction)
+	if err != nil {
+		return nil, E.Cause(err, "action")
+	}
+	rule := &LogicalRule{
+		abstractLogicalRule{
+			rules:  make([]adapter.HeadlessRule, len(options.Rules)),
+			invert: options.Invert,
+			action: action,
+		},
+	}
+	switch options.Mode {
+	case C.LogicalTypeAnd:
+		rule.mode = C.LogicalTypeAnd
+	case C.LogicalTypeOr:
+		rule.mode = C.LogicalTypeOr
+	default:
+		return nil, E.New("unknown logical mode: ", options.Mode)
+	}
+	for i, subOptions := range options.Rules {
+		subRule, err := NewRule(ctx, router, logger, subOptions, false)
+		if err != nil {
+			return nil, E.Cause(err, "sub rule[", i, "]")
+		}
+		rule.rules[i] = subRule
+	}
+	return rule, nil
+}
--- a/route/rule/rule_dns.go
+++ b/route/rule/rule_dns.go
@ -0,0 +1,357 @@
+package rule
+
+import (
+	"context"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/experimental/deprecated"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+func NewDNSRule(ctx context.Context, router adapter.Router, logger log.ContextLogger, options option.DNSRule, checkServer bool) (adapter.DNSRule, error) {
+	switch options.Type {
+	case "", C.RuleTypeDefault:
+		if !options.DefaultOptions.IsValid() {
+			return nil, E.New("missing conditions")
+		}
+		switch options.DefaultOptions.Action {
+		case "", C.RuleActionTypeRoute:
+			if options.DefaultOptions.RouteOptions.Server == "" && checkServer {
+				return nil, E.New("missing server field")
+			}
+		}
+		return NewDefaultDNSRule(ctx, router, logger, options.DefaultOptions)
+	case C.RuleTypeLogical:
+		if !options.LogicalOptions.IsValid() {
+			return nil, E.New("missing conditions")
+		}
+		switch options.LogicalOptions.Action {
+		case "", C.RuleActionTypeRoute:
+			if options.LogicalOptions.RouteOptions.Server == "" && checkServer {
+				return nil, E.New("missing server field")
+			}
+		}
+		return NewLogicalDNSRule(ctx, router, logger, options.LogicalOptions)
+	default:
+		return nil, E.New("unknown rule type: ", options.Type)
+	}
+}
+
+var _ adapter.DNSRule = (*DefaultDNSRule)(nil)
+
+type DefaultDNSRule struct {
+	abstractDefaultRule
+}
+
+func NewDefaultDNSRule(ctx context.Context, router adapter.Router, logger log.ContextLogger, options option.DefaultDNSRule) (*DefaultDNSRule, error) {
+	rule := &DefaultDNSRule{
+		abstractDefaultRule: abstractDefaultRule{
+			invert: options.Invert,
+			action: NewDNSRuleAction(options.DNSRuleAction),
+		},
+	}
+	if len(options.Inbound) > 0 {
+		item := NewInboundRule(options.Inbound)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if options.IPVersion > 0 {
+		switch options.IPVersion {
+		case 4, 6:
+			item := NewIPVersionItem(options.IPVersion == 6)
+			rule.items = append(rule.items, item)
+			rule.allItems = append(rule.allItems, item)
+		default:
+			return nil, E.New("invalid ip version: ", options.IPVersion)
+		}
+	}
+	if len(options.QueryType) > 0 {
+		item := NewQueryTypeItem(options.QueryType)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.Network) > 0 {
+		item := NewNetworkItem(options.Network)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.AuthUser) > 0 {
+		item := NewAuthUserItem(options.AuthUser)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.Protocol) > 0 {
+		item := NewProtocolItem(options.Protocol)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.Domain) > 0 || len(options.DomainSuffix) > 0 {
+		item := NewDomainItem(options.Domain, options.DomainSuffix)
+		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.DomainKeyword) > 0 {
+		item := NewDomainKeywordItem(options.DomainKeyword)
+		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.DomainRegex) > 0 {
+		item, err := NewDomainRegexItem(options.DomainRegex)
+		if err != nil {
+			return nil, E.Cause(err, "domain_regex")
+		}
+		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.Geosite) > 0 {
+		item := NewGeositeItem(router, logger, options.Geosite)
+		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.SourceGeoIP) > 0 {
+		item := NewGeoIPItem(router, logger, true, options.SourceGeoIP)
+		rule.sourceAddressItems = append(rule.sourceAddressItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.GeoIP) > 0 {
+		item := NewGeoIPItem(router, logger, false, options.GeoIP)
+		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.SourceIPCIDR) > 0 {
+		item, err := NewIPCIDRItem(true, options.SourceIPCIDR)
+		if err != nil {
+			return nil, E.Cause(err, "source_ip_cidr")
+		}
+		rule.sourceAddressItems = append(rule.sourceAddressItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.IPCIDR) > 0 {
+		item, err := NewIPCIDRItem(false, options.IPCIDR)
+		if err != nil {
+			return nil, E.Cause(err, "ip_cidr")
+		}
+		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if options.SourceIPIsPrivate {
+		item := NewIPIsPrivateItem(true)
+		rule.sourceAddressItems = append(rule.sourceAddressItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if options.IPIsPrivate {
+		item := NewIPIsPrivateItem(false)
+		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.SourcePort) > 0 {
+		item := NewPortItem(true, options.SourcePort)
+		rule.sourcePortItems = append(rule.sourcePortItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.SourcePortRange) > 0 {
+		item, err := NewPortRangeItem(true, options.SourcePortRange)
+		if err != nil {
+			return nil, E.Cause(err, "source_port_range")
+		}
+		rule.sourcePortItems = append(rule.sourcePortItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.Port) > 0 {
+		item := NewPortItem(false, options.Port)
+		rule.destinationPortItems = append(rule.destinationPortItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.PortRange) > 0 {
+		item, err := NewPortRangeItem(false, options.PortRange)
+		if err != nil {
+			return nil, E.Cause(err, "port_range")
+		}
+		rule.destinationPortItems = append(rule.destinationPortItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.ProcessName) > 0 {
+		item := NewProcessItem(options.ProcessName)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.ProcessPath) > 0 {
+		item := NewProcessPathItem(options.ProcessPath)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.ProcessPathRegex) > 0 {
+		item, err := NewProcessPathRegexItem(options.ProcessPathRegex)
+		if err != nil {
+			return nil, E.Cause(err, "process_path_regex")
+		}
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.PackageName) > 0 {
+		item := NewPackageNameItem(options.PackageName)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.User) > 0 {
+		item := NewUserItem(options.User)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.UserID) > 0 {
+		item := NewUserIDItem(options.UserID)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.Outbound) > 0 {
+		item := NewOutboundRule(options.Outbound)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if options.ClashMode != "" {
+		item := NewClashModeItem(router, options.ClashMode)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.WIFISSID) > 0 {
+		item := NewWIFISSIDItem(router, options.WIFISSID)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.WIFIBSSID) > 0 {
+		item := NewWIFIBSSIDItem(router, options.WIFIBSSID)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.RuleSet) > 0 {
+		var matchSource bool
+		if options.RuleSetIPCIDRMatchSource {
+			matchSource = true
+		} else
+		//nolint:staticcheck
+		if options.Deprecated_RulesetIPCIDRMatchSource {
+			matchSource = true
+			deprecated.Report(ctx, deprecated.OptionBadMatchSource)
+		}
+		item := NewRuleSetItem(router, options.RuleSet, matchSource, options.RuleSetIPCIDRAcceptEmpty)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	return rule, nil
+}
+
+func (r *DefaultDNSRule) Action() adapter.RuleAction {
+	return r.action
+}
+
+func (r *DefaultDNSRule) WithAddressLimit() bool {
+	if len(r.destinationIPCIDRItems) > 0 {
+		return true
+	}
+	for _, rawRule := range r.items {
+		ruleSet, isRuleSet := rawRule.(*RuleSetItem)
+		if !isRuleSet {
+			continue
+		}
+		if ruleSet.ContainsDestinationIPCIDRRule() {
+			return true
+		}
+	}
+	return false
+}
+
+func (r *DefaultDNSRule) Match(metadata *adapter.InboundContext) bool {
+	metadata.IgnoreDestinationIPCIDRMatch = true
+	defer func() {
+		metadata.IgnoreDestinationIPCIDRMatch = false
+	}()
+	return r.abstractDefaultRule.Match(metadata)
+}
+
+func (r *DefaultDNSRule) MatchAddressLimit(metadata *adapter.InboundContext) bool {
+	return r.abstractDefaultRule.Match(metadata)
+}
+
+var _ adapter.DNSRule = (*LogicalDNSRule)(nil)
+
+type LogicalDNSRule struct {
+	abstractLogicalRule
+}
+
+func NewLogicalDNSRule(ctx context.Context, router adapter.Router, logger log.ContextLogger, options option.LogicalDNSRule) (*LogicalDNSRule, error) {
+	r := &LogicalDNSRule{
+		abstractLogicalRule: abstractLogicalRule{
+			rules:  make([]adapter.HeadlessRule, len(options.Rules)),
+			invert: options.Invert,
+			action: NewDNSRuleAction(options.DNSRuleAction),
+		},
+	}
+	switch options.Mode {
+	case C.LogicalTypeAnd:
+		r.mode = C.LogicalTypeAnd
+	case C.LogicalTypeOr:
+		r.mode = C.LogicalTypeOr
+	default:
+		return nil, E.New("unknown logical mode: ", options.Mode)
+	}
+	for i, subRule := range options.Rules {
+		rule, err := NewDNSRule(ctx, router, logger, subRule, false)
+		if err != nil {
+			return nil, E.Cause(err, "sub rule[", i, "]")
+		}
+		r.rules[i] = rule
+	}
+	return r, nil
+}
+
+func (r *LogicalDNSRule) Action() adapter.RuleAction {
+	return r.action
+}
+
+func (r *LogicalDNSRule) WithAddressLimit() bool {
+	for _, rawRule := range r.rules {
+		switch rule := rawRule.(type) {
+		case *DefaultDNSRule:
+			if rule.WithAddressLimit() {
+				return true
+			}
+		case *LogicalDNSRule:
+			if rule.WithAddressLimit() {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func (r *LogicalDNSRule) Match(metadata *adapter.InboundContext) bool {
+	if r.mode == C.LogicalTypeAnd {
+		return common.All(r.rules, func(it adapter.HeadlessRule) bool {
+			metadata.ResetRuleCache()
+			return it.(adapter.DNSRule).Match(metadata)
+		}) != r.invert
+	} else {
+		return common.Any(r.rules, func(it adapter.HeadlessRule) bool {
+			metadata.ResetRuleCache()
+			return it.(adapter.DNSRule).Match(metadata)
+		}) != r.invert
+	}
+}
+
+func (r *LogicalDNSRule) MatchAddressLimit(metadata *adapter.InboundContext) bool {
+	if r.mode == C.LogicalTypeAnd {
+		return common.All(r.rules, func(it adapter.HeadlessRule) bool {
+			metadata.ResetRuleCache()
+			return it.(adapter.DNSRule).MatchAddressLimit(metadata)
+		}) != r.invert
+	} else {
+		return common.Any(r.rules, func(it adapter.HeadlessRule) bool {
+			metadata.ResetRuleCache()
+			return it.(adapter.DNSRule).MatchAddressLimit(metadata)
+		}) != r.invert
+	}
+}
--- a/route/rule/rule_headless.go
+++ b/route/rule/rule_headless.go
@ -0,0 +1,194 @@
+package rule
+
+import (
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+func NewHeadlessRule(router adapter.Router, options option.HeadlessRule) (adapter.HeadlessRule, error) {
+	switch options.Type {
+	case "", C.RuleTypeDefault:
+		if !options.DefaultOptions.IsValid() {
+			return nil, E.New("missing conditions")
+		}
+		return NewDefaultHeadlessRule(router, options.DefaultOptions)
+	case C.RuleTypeLogical:
+		if !options.LogicalOptions.IsValid() {
+			return nil, E.New("missing conditions")
+		}
+		return NewLogicalHeadlessRule(router, options.LogicalOptions)
+	default:
+		return nil, E.New("unknown rule type: ", options.Type)
+	}
+}
+
+var _ adapter.HeadlessRule = (*DefaultHeadlessRule)(nil)
+
+type DefaultHeadlessRule struct {
+	abstractDefaultRule
+}
+
+func NewDefaultHeadlessRule(router adapter.Router, options option.DefaultHeadlessRule) (*DefaultHeadlessRule, error) {
+	rule := &DefaultHeadlessRule{
+		abstractDefaultRule{
+			invert: options.Invert,
+		},
+	}
+	if len(options.Network) > 0 {
+		item := NewNetworkItem(options.Network)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.Domain) > 0 || len(options.DomainSuffix) > 0 {
+		item := NewDomainItem(options.Domain, options.DomainSuffix)
+		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
+		rule.allItems = append(rule.allItems, item)
+	} else if options.DomainMatcher != nil {
+		item := NewRawDomainItem(options.DomainMatcher)
+		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.DomainKeyword) > 0 {
+		item := NewDomainKeywordItem(options.DomainKeyword)
+		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.DomainRegex) > 0 {
+		item, err := NewDomainRegexItem(options.DomainRegex)
+		if err != nil {
+			return nil, E.Cause(err, "domain_regex")
+		}
+		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.SourceIPCIDR) > 0 {
+		item, err := NewIPCIDRItem(true, options.SourceIPCIDR)
+		if err != nil {
+			return nil, E.Cause(err, "source_ip_cidr")
+		}
+		rule.sourceAddressItems = append(rule.sourceAddressItems, item)
+		rule.allItems = append(rule.allItems, item)
+	} else if options.SourceIPSet != nil {
+		item := NewRawIPCIDRItem(true, options.SourceIPSet)
+		rule.sourceAddressItems = append(rule.sourceAddressItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.IPCIDR) > 0 {
+		item, err := NewIPCIDRItem(false, options.IPCIDR)
+		if err != nil {
+			return nil, E.Cause(err, "ipcidr")
+		}
+		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
+		rule.allItems = append(rule.allItems, item)
+	} else if options.IPSet != nil {
+		item := NewRawIPCIDRItem(false, options.IPSet)
+		rule.destinationIPCIDRItems = append(rule.destinationIPCIDRItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.SourcePort) > 0 {
+		item := NewPortItem(true, options.SourcePort)
+		rule.sourcePortItems = append(rule.sourcePortItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.SourcePortRange) > 0 {
+		item, err := NewPortRangeItem(true, options.SourcePortRange)
+		if err != nil {
+			return nil, E.Cause(err, "source_port_range")
+		}
+		rule.sourcePortItems = append(rule.sourcePortItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.Port) > 0 {
+		item := NewPortItem(false, options.Port)
+		rule.destinationPortItems = append(rule.destinationPortItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.PortRange) > 0 {
+		item, err := NewPortRangeItem(false, options.PortRange)
+		if err != nil {
+			return nil, E.Cause(err, "port_range")
+		}
+		rule.destinationPortItems = append(rule.destinationPortItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.ProcessName) > 0 {
+		item := NewProcessItem(options.ProcessName)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.ProcessPath) > 0 {
+		item := NewProcessPathItem(options.ProcessPath)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.ProcessPathRegex) > 0 {
+		item, err := NewProcessPathRegexItem(options.ProcessPathRegex)
+		if err != nil {
+			return nil, E.Cause(err, "process_path_regex")
+		}
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.PackageName) > 0 {
+		item := NewPackageNameItem(options.PackageName)
+		rule.items = append(rule.items, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	if len(options.WIFISSID) > 0 {
+		if router != nil {
+			item := NewWIFISSIDItem(router, options.WIFISSID)
+			rule.items = append(rule.items, item)
+			rule.allItems = append(rule.allItems, item)
+		}
+	}
+	if len(options.WIFIBSSID) > 0 {
+		if router != nil {
+			item := NewWIFIBSSIDItem(router, options.WIFIBSSID)
+			rule.items = append(rule.items, item)
+			rule.allItems = append(rule.allItems, item)
+		}
+	}
+	if len(options.AdGuardDomain) > 0 {
+		item := NewAdGuardDomainItem(options.AdGuardDomain)
+		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
+		rule.allItems = append(rule.allItems, item)
+	} else if options.AdGuardDomainMatcher != nil {
+		item := NewRawAdGuardDomainItem(options.AdGuardDomainMatcher)
+		rule.destinationAddressItems = append(rule.destinationAddressItems, item)
+		rule.allItems = append(rule.allItems, item)
+	}
+	return rule, nil
+}
+
+var _ adapter.HeadlessRule = (*LogicalHeadlessRule)(nil)
+
+type LogicalHeadlessRule struct {
+	abstractLogicalRule
+}
+
+func NewLogicalHeadlessRule(router adapter.Router, options option.LogicalHeadlessRule) (*LogicalHeadlessRule, error) {
+	r := &LogicalHeadlessRule{
+		abstractLogicalRule{
+			rules:  make([]adapter.HeadlessRule, len(options.Rules)),
+			invert: options.Invert,
+		},
+	}
+	switch options.Mode {
+	case C.LogicalTypeAnd:
+		r.mode = C.LogicalTypeAnd
+	case C.LogicalTypeOr:
+		r.mode = C.LogicalTypeOr
+	default:
+		return nil, E.New("unknown logical mode: ", options.Mode)
+	}
+	for i, subRule := range options.Rules {
+		rule, err := NewHeadlessRule(router, subRule)
+		if err != nil {
+			return nil, E.Cause(err, "sub rule[", i, "]")
+		}
+		r.rules[i] = rule
+	}
+	return r, nil
+}
--- a/route/rule/rule_item_adguard.go
+++ b/route/rule/rule_item_adguard.go
@ -0,0 +1,43 @@
+package rule
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing/common/domain"
+)
+
+var _ RuleItem = (*AdGuardDomainItem)(nil)
+
+type AdGuardDomainItem struct {
+	matcher *domain.AdGuardMatcher
+}
+
+func NewAdGuardDomainItem(ruleLines []string) *AdGuardDomainItem {
+	return &AdGuardDomainItem{
+		domain.NewAdGuardMatcher(ruleLines),
+	}
+}
+
+func NewRawAdGuardDomainItem(matcher *domain.AdGuardMatcher) *AdGuardDomainItem {
+	return &AdGuardDomainItem{
+		matcher,
+	}
+}
+
+func (r *AdGuardDomainItem) Match(metadata *adapter.InboundContext) bool {
+	var domainHost string
+	if metadata.Domain != "" {
+		domainHost = metadata.Domain
+	} else {
+		domainHost = metadata.Destination.Fqdn
+	}
+	if domainHost == "" {
+		return false
+	}
+	return r.matcher.Match(strings.ToLower(domainHost))
+}
+
+func (r *AdGuardDomainItem) String() string {
+	return "!adguard_domain_rules=<binary>"
+}
--- a/route/rule/rule_item_auth_user.go
+++ b/route/rule/rule_item_auth_user.go
@ -0,0 +1,37 @@
+package rule
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	F "github.com/sagernet/sing/common/format"
+)
+
+var _ RuleItem = (*AuthUserItem)(nil)
+
+type AuthUserItem struct {
+	users   []string
+	userMap map[string]bool
+}
+
+func NewAuthUserItem(users []string) *AuthUserItem {
+	userMap := make(map[string]bool)
+	for _, protocol := range users {
+		userMap[protocol] = true
+	}
+	return &AuthUserItem{
+		users:   users,
+		userMap: userMap,
+	}
+}
+
+func (r *AuthUserItem) Match(metadata *adapter.InboundContext) bool {
+	return r.userMap[metadata.User]
+}
+
+func (r *AuthUserItem) String() string {
+	if len(r.users) == 1 {
+		return F.ToString("auth_user=", r.users[0])
+	}
+	return F.ToString("auth_user=[", strings.Join(r.users, " "), "]")
+}
--- a/route/rule/rule_item_cidr.go
+++ b/route/rule/rule_item_cidr.go
@ -0,0 +1,95 @@
+package rule
+
+import (
+	"net/netip"
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	E "github.com/sagernet/sing/common/exceptions"
+
+	"go4.org/netipx"
+)
+
+var _ RuleItem = (*IPCIDRItem)(nil)
+
+type IPCIDRItem struct {
+	ipSet       *netipx.IPSet
+	isSource    bool
+	description string
+}
+
+func NewIPCIDRItem(isSource bool, prefixStrings []string) (*IPCIDRItem, error) {
+	var builder netipx.IPSetBuilder
+	for i, prefixString := range prefixStrings {
+		prefix, err := netip.ParsePrefix(prefixString)
+		if err == nil {
+			builder.AddPrefix(prefix)
+			continue
+		}
+		addr, addrErr := netip.ParseAddr(prefixString)
+		if addrErr == nil {
+			builder.Add(addr)
+			continue
+		}
+		return nil, E.Cause(err, "parse [", i, "]")
+	}
+	var description string
+	if isSource {
+		description = "source_ip_cidr="
+	} else {
+		description = "ip_cidr="
+	}
+	if dLen := len(prefixStrings); dLen == 1 {
+		description += prefixStrings[0]
+	} else if dLen > 3 {
+		description += "[" + strings.Join(prefixStrings[:3], " ") + "...]"
+	} else {
+		description += "[" + strings.Join(prefixStrings, " ") + "]"
+	}
+	ipSet, err := builder.IPSet()
+	if err != nil {
+		return nil, err
+	}
+	return &IPCIDRItem{
+		ipSet:       ipSet,
+		isSource:    isSource,
+		description: description,
+	}, nil
+}
+
+func NewRawIPCIDRItem(isSource bool, ipSet *netipx.IPSet) *IPCIDRItem {
+	var description string
+	if isSource {
+		description = "source_ip_cidr="
+	} else {
+		description = "ip_cidr="
+	}
+	description += "<binary>"
+	return &IPCIDRItem{
+		ipSet:       ipSet,
+		isSource:    isSource,
+		description: description,
+	}
+}
+
+func (r *IPCIDRItem) Match(metadata *adapter.InboundContext) bool {
+	if r.isSource || metadata.IPCIDRMatchSource {
+		return r.ipSet.Contains(metadata.Source.Addr)
+	}
+	if metadata.Destination.IsIP() {
+		return r.ipSet.Contains(metadata.Destination.Addr)
+	}
+	if len(metadata.DestinationAddresses) > 0 {
+		for _, address := range metadata.DestinationAddresses {
+			if r.ipSet.Contains(address) {
+				return true
+			}
+		}
+		return false
+	}
+	return metadata.IPCIDRAcceptEmpty
+}
+
+func (r *IPCIDRItem) String() string {
+	return r.description
+}
--- a/route/rule/rule_item_clash_mode.go
+++ b/route/rule/rule_item_clash_mode.go
@ -0,0 +1,33 @@
+package rule
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+)
+
+var _ RuleItem = (*ClashModeItem)(nil)
+
+type ClashModeItem struct {
+	router adapter.Router
+	mode   string
+}
+
+func NewClashModeItem(router adapter.Router, mode string) *ClashModeItem {
+	return &ClashModeItem{
+		router: router,
+		mode:   mode,
+	}
+}
+
+func (r *ClashModeItem) Match(metadata *adapter.InboundContext) bool {
+	clashServer := r.router.ClashServer()
+	if clashServer == nil {
+		return false
+	}
+	return strings.EqualFold(clashServer.Mode(), r.mode)
+}
+
+func (r *ClashModeItem) String() string {
+	return "clash_mode=" + r.mode
+}
--- a/route/rule/rule_item_client.go
+++ b/route/rule/rule_item_client.go
@ -0,0 +1,37 @@
+package rule
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	F "github.com/sagernet/sing/common/format"
+)
+
+var _ RuleItem = (*ClientItem)(nil)
+
+type ClientItem struct {
+	clients   []string
+	clientMap map[string]bool
+}
+
+func NewClientItem(clients []string) *ClientItem {
+	clientMap := make(map[string]bool)
+	for _, client := range clients {
+		clientMap[client] = true
+	}
+	return &ClientItem{
+		clients:   clients,
+		clientMap: clientMap,
+	}
+}
+
+func (r *ClientItem) Match(metadata *adapter.InboundContext) bool {
+	return r.clientMap[metadata.Client]
+}
+
+func (r *ClientItem) String() string {
+	if len(r.clients) == 1 {
+		return F.ToString("client=", r.clients[0])
+	}
+	return F.ToString("client=[", strings.Join(r.clients, " "), "]")
+}
--- a/route/rule/rule_item_domain.go
+++ b/route/rule/rule_item_domain.go
@ -0,0 +1,68 @@
+package rule
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing/common/domain"
+)
+
+var _ RuleItem = (*DomainItem)(nil)
+
+type DomainItem struct {
+	matcher     *domain.Matcher
+	description string
+}
+
+func NewDomainItem(domains []string, domainSuffixes []string) *DomainItem {
+	var description string
+	if dLen := len(domains); dLen > 0 {
+		if dLen == 1 {
+			description = "domain=" + domains[0]
+		} else if dLen > 3 {
+			description = "domain=[" + strings.Join(domains[:3], " ") + "...]"
+		} else {
+			description = "domain=[" + strings.Join(domains, " ") + "]"
+		}
+	}
+	if dsLen := len(domainSuffixes); dsLen > 0 {
+		if len(description) > 0 {
+			description += " "
+		}
+		if dsLen == 1 {
+			description += "domain_suffix=" + domainSuffixes[0]
+		} else if dsLen > 3 {
+			description += "domain_suffix=[" + strings.Join(domainSuffixes[:3], " ") + "...]"
+		} else {
+			description += "domain_suffix=[" + strings.Join(domainSuffixes, " ") + "]"
+		}
+	}
+	return &DomainItem{
+		domain.NewMatcher(domains, domainSuffixes, false),
+		description,
+	}
+}
+
+func NewRawDomainItem(matcher *domain.Matcher) *DomainItem {
+	return &DomainItem{
+		matcher,
+		"domain/domain_suffix=<binary>",
+	}
+}
+
+func (r *DomainItem) Match(metadata *adapter.InboundContext) bool {
+	var domainHost string
+	if metadata.Domain != "" {
+		domainHost = metadata.Domain
+	} else {
+		domainHost = metadata.Destination.Fqdn
+	}
+	if domainHost == "" {
+		return false
+	}
+	return r.matcher.Match(strings.ToLower(domainHost))
+}
+
+func (r *DomainItem) String() string {
+	return r.description
+}
--- a/route/rule/rule_item_domain_keyword.go
+++ b/route/rule/rule_item_domain_keyword.go
@ -0,0 +1,47 @@
+package rule
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+)
+
+var _ RuleItem = (*DomainKeywordItem)(nil)
+
+type DomainKeywordItem struct {
+	keywords []string
+}
+
+func NewDomainKeywordItem(keywords []string) *DomainKeywordItem {
+	return &DomainKeywordItem{keywords}
+}
+
+func (r *DomainKeywordItem) Match(metadata *adapter.InboundContext) bool {
+	var domainHost string
+	if metadata.Domain != "" {
+		domainHost = metadata.Domain
+	} else {
+		domainHost = metadata.Destination.Fqdn
+	}
+	if domainHost == "" {
+		return false
+	}
+	domainHost = strings.ToLower(domainHost)
+	for _, keyword := range r.keywords {
+		if strings.Contains(domainHost, keyword) {
+			return true
+		}
+	}
+	return false
+}
+
+func (r *DomainKeywordItem) String() string {
+	kLen := len(r.keywords)
+	if kLen == 1 {
+		return "domain_keyword=" + r.keywords[0]
+	} else if kLen > 3 {
+		return "domain_keyword=[" + strings.Join(r.keywords[:3], " ") + "...]"
+	} else {
+		return "domain_keyword=[" + strings.Join(r.keywords, " ") + "]"
+	}
+}
--- a/route/rule/rule_item_domain_regex.go
+++ b/route/rule/rule_item_domain_regex.go
@ -0,0 +1,61 @@
+package rule
+
+import (
+	"regexp"
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
+)
+
+var _ RuleItem = (*DomainRegexItem)(nil)
+
+type DomainRegexItem struct {
+	matchers    []*regexp.Regexp
+	description string
+}
+
+func NewDomainRegexItem(expressions []string) (*DomainRegexItem, error) {
+	matchers := make([]*regexp.Regexp, 0, len(expressions))
+	for i, regex := range expressions {
+		matcher, err := regexp.Compile(regex)
+		if err != nil {
+			return nil, E.Cause(err, "parse expression ", i)
+		}
+		matchers = append(matchers, matcher)
+	}
+	description := "domain_regex="
+	eLen := len(expressions)
+	if eLen == 1 {
+		description += expressions[0]
+	} else if eLen > 3 {
+		description += F.ToString("[", strings.Join(expressions[:3], " "), "]")
+	} else {
+		description += F.ToString("[", strings.Join(expressions, " "), "]")
+	}
+	return &DomainRegexItem{matchers, description}, nil
+}
+
+func (r *DomainRegexItem) Match(metadata *adapter.InboundContext) bool {
+	var domainHost string
+	if metadata.Domain != "" {
+		domainHost = metadata.Domain
+	} else {
+		domainHost = metadata.Destination.Fqdn
+	}
+	if domainHost == "" {
+		return false
+	}
+	domainHost = strings.ToLower(domainHost)
+	for _, matcher := range r.matchers {
+		if matcher.MatchString(domainHost) {
+			return true
+		}
+	}
+	return false
+}
+
+func (r *DomainRegexItem) String() string {
+	return r.description
+}
--- a/route/rule/rule_item_geoip.go
+++ b/route/rule/rule_item_geoip.go
@ -0,0 +1,98 @@
+package rule
+
+import (
+	"net/netip"
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/log"
+	N "github.com/sagernet/sing/common/network"
+)
+
+var _ RuleItem = (*GeoIPItem)(nil)
+
+type GeoIPItem struct {
+	router   adapter.Router
+	logger   log.ContextLogger
+	isSource bool
+	codes    []string
+	codeMap  map[string]bool
+}
+
+func NewGeoIPItem(router adapter.Router, logger log.ContextLogger, isSource bool, codes []string) *GeoIPItem {
+	codeMap := make(map[string]bool)
+	for _, code := range codes {
+		codeMap[code] = true
+	}
+	return &GeoIPItem{
+		router:   router,
+		logger:   logger,
+		codes:    codes,
+		isSource: isSource,
+		codeMap:  codeMap,
+	}
+}
+
+func (r *GeoIPItem) Match(metadata *adapter.InboundContext) bool {
+	var geoipCode string
+	if r.isSource && metadata.SourceGeoIPCode != "" {
+		geoipCode = metadata.SourceGeoIPCode
+	} else if !r.isSource && metadata.GeoIPCode != "" {
+		geoipCode = metadata.GeoIPCode
+	}
+	if geoipCode != "" {
+		return r.codeMap[geoipCode]
+	}
+	var destination netip.Addr
+	if r.isSource {
+		destination = metadata.Source.Addr
+	} else {
+		destination = metadata.Destination.Addr
+	}
+	if destination.IsValid() {
+		return r.match(metadata, destination)
+	}
+	for _, destinationAddress := range metadata.DestinationAddresses {
+		if r.match(metadata, destinationAddress) {
+			return true
+		}
+	}
+	return false
+}
+
+func (r *GeoIPItem) match(metadata *adapter.InboundContext, destination netip.Addr) bool {
+	var geoipCode string
+	geoReader := r.router.GeoIPReader()
+	if !N.IsPublicAddr(destination) {
+		geoipCode = "private"
+	} else if geoReader != nil {
+		geoipCode = geoReader.Lookup(destination)
+	}
+	if geoipCode == "" {
+		return false
+	}
+	if r.isSource {
+		metadata.SourceGeoIPCode = geoipCode
+	} else {
+		metadata.GeoIPCode = geoipCode
+	}
+	return r.codeMap[geoipCode]
+}
+
+func (r *GeoIPItem) String() string {
+	var description string
+	if r.isSource {
+		description = "source_geoip="
+	} else {
+		description = "geoip="
+	}
+	cLen := len(r.codes)
+	if cLen == 1 {
+		description += r.codes[0]
+	} else if cLen > 3 {
+		description += "[" + strings.Join(r.codes[:3], " ") + "...]"
+	} else {
+		description += "[" + strings.Join(r.codes, " ") + "]"
+	}
+	return description
+}
--- a/route/rule/rule_item_geosite.go
+++ b/route/rule/rule_item_geosite.go
@ -0,0 +1,61 @@
+package rule
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/log"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+var _ RuleItem = (*GeositeItem)(nil)
+
+type GeositeItem struct {
+	router   adapter.Router
+	logger   log.ContextLogger
+	codes    []string
+	matchers []adapter.Rule
+}
+
+func NewGeositeItem(router adapter.Router, logger log.ContextLogger, codes []string) *GeositeItem {
+	return &GeositeItem{
+		router: router,
+		logger: logger,
+		codes:  codes,
+	}
+}
+
+func (r *GeositeItem) Update() error {
+	matchers := make([]adapter.Rule, 0, len(r.codes))
+	for _, code := range r.codes {
+		matcher, err := r.router.LoadGeosite(code)
+		if err != nil {
+			return E.Cause(err, "read geosite")
+		}
+		matchers = append(matchers, matcher)
+	}
+	r.matchers = matchers
+	return nil
+}
+
+func (r *GeositeItem) Match(metadata *adapter.InboundContext) bool {
+	for _, matcher := range r.matchers {
+		if matcher.Match(metadata) {
+			return true
+		}
+	}
+	return false
+}
+
+func (r *GeositeItem) String() string {
+	description := "geosite="
+	cLen := len(r.codes)
+	if cLen == 1 {
+		description += r.codes[0]
+	} else if cLen > 3 {
+		description += "[" + strings.Join(r.codes[:3], " ") + "...]"
+	} else {
+		description += "[" + strings.Join(r.codes, " ") + "]"
+	}
+	return description
+}
--- a/route/rule/rule_item_inbound.go
+++ b/route/rule/rule_item_inbound.go
@ -0,0 +1,35 @@
+package rule
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	F "github.com/sagernet/sing/common/format"
+)
+
+var _ RuleItem = (*InboundItem)(nil)
+
+type InboundItem struct {
+	inbounds   []string
+	inboundMap map[string]bool
+}
+
+func NewInboundRule(inbounds []string) *InboundItem {
+	rule := &InboundItem{inbounds, make(map[string]bool)}
+	for _, inbound := range inbounds {
+		rule.inboundMap[inbound] = true
+	}
+	return rule
+}
+
+func (r *InboundItem) Match(metadata *adapter.InboundContext) bool {
+	return r.inboundMap[metadata.Inbound]
+}
+
+func (r *InboundItem) String() string {
+	if len(r.inbounds) == 1 {
+		return F.ToString("inbound=", r.inbounds[0])
+	} else {
+		return F.ToString("inbound=[", strings.Join(r.inbounds, " "), "]")
+	}
+}
--- a/route/rule/rule_item_ip_is_private.go
+++ b/route/rule/rule_item_ip_is_private.go
@ -0,0 +1,46 @@
+package rule
+
+import (
+	"net/netip"
+
+	"github.com/sagernet/sing-box/adapter"
+	N "github.com/sagernet/sing/common/network"
+)
+
+var _ RuleItem = (*IPIsPrivateItem)(nil)
+
+type IPIsPrivateItem struct {
+	isSource bool
+}
+
+func NewIPIsPrivateItem(isSource bool) *IPIsPrivateItem {
+	return &IPIsPrivateItem{isSource}
+}
+
+func (r *IPIsPrivateItem) Match(metadata *adapter.InboundContext) bool {
+	var destination netip.Addr
+	if r.isSource {
+		destination = metadata.Source.Addr
+	} else {
+		destination = metadata.Destination.Addr
+	}
+	if destination.IsValid() {
+		return !N.IsPublicAddr(destination)
+	}
+	if !r.isSource {
+		for _, destinationAddress := range metadata.DestinationAddresses {
+			if !N.IsPublicAddr(destinationAddress) {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func (r *IPIsPrivateItem) String() string {
+	if r.isSource {
+		return "source_ip_is_private=true"
+	} else {
+		return "ip_is_private=true"
+	}
+}
--- a/route/rule/rule_item_ipversion.go
+++ b/route/rule/rule_item_ipversion.go
@ -0,0 +1,30 @@
+package rule
+
+import (
+	"github.com/sagernet/sing-box/adapter"
+)
+
+var _ RuleItem = (*IPVersionItem)(nil)
+
+type IPVersionItem struct {
+	isIPv6 bool
+}
+
+func NewIPVersionItem(isIPv6 bool) *IPVersionItem {
+	return &IPVersionItem{isIPv6}
+}
+
+func (r *IPVersionItem) Match(metadata *adapter.InboundContext) bool {
+	return metadata.IPVersion != 0 && metadata.IPVersion == 6 == r.isIPv6 ||
+		metadata.Destination.IsIP() && metadata.Destination.IsIPv6() == r.isIPv6
+}
+
+func (r *IPVersionItem) String() string {
+	var versionStr string
+	if r.isIPv6 {
+		versionStr = "6"
+	} else {
+		versionStr = "4"
+	}
+	return "ip_version=" + versionStr
+}
--- a/route/rule/rule_item_network.go
+++ b/route/rule/rule_item_network.go
@ -0,0 +1,42 @@
+package rule
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	F "github.com/sagernet/sing/common/format"
+)
+
+var _ RuleItem = (*NetworkItem)(nil)
+
+type NetworkItem struct {
+	networks   []string
+	networkMap map[string]bool
+}
+
+func NewNetworkItem(networks []string) *NetworkItem {
+	networkMap := make(map[string]bool)
+	for _, network := range networks {
+		networkMap[network] = true
+	}
+	return &NetworkItem{
+		networks:   networks,
+		networkMap: networkMap,
+	}
+}
+
+func (r *NetworkItem) Match(metadata *adapter.InboundContext) bool {
+	return r.networkMap[metadata.Network]
+}
+
+func (r *NetworkItem) String() string {
+	description := "network="
+
+	pLen := len(r.networks)
+	if pLen == 1 {
+		description += F.ToString(r.networks[0])
+	} else {
+		description += "[" + strings.Join(F.MapToString(r.networks), " ") + "]"
+	}
+	return description
+}
--- a/route/rule/rule_item_outbound.go
+++ b/route/rule/rule_item_outbound.go
@ -0,0 +1,43 @@
+package rule
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	F "github.com/sagernet/sing/common/format"
+)
+
+var _ RuleItem = (*OutboundItem)(nil)
+
+type OutboundItem struct {
+	outbounds   []string
+	outboundMap map[string]bool
+	matchAny    bool
+}
+
+func NewOutboundRule(outbounds []string) *OutboundItem {
+	rule := &OutboundItem{outbounds: outbounds, outboundMap: make(map[string]bool)}
+	for _, outbound := range outbounds {
+		if outbound == "any" {
+			rule.matchAny = true
+		} else {
+			rule.outboundMap[outbound] = true
+		}
+	}
+	return rule
+}
+
+func (r *OutboundItem) Match(metadata *adapter.InboundContext) bool {
+	if r.matchAny && metadata.Outbound != "" {
+		return true
+	}
+	return r.outboundMap[metadata.Outbound]
+}
+
+func (r *OutboundItem) String() string {
+	if len(r.outbounds) == 1 {
+		return F.ToString("outbound=", r.outbounds[0])
+	} else {
+		return F.ToString("outbound=[", strings.Join(r.outbounds, " "), "]")
+	}
+}
--- a/route/rule/rule_item_package_name.go
+++ b/route/rule/rule_item_package_name.go
@ -0,0 +1,43 @@
+package rule
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+)
+
+var _ RuleItem = (*PackageNameItem)(nil)
+
+type PackageNameItem struct {
+	packageNames []string
+	packageMap   map[string]bool
+}
+
+func NewPackageNameItem(packageNameList []string) *PackageNameItem {
+	rule := &PackageNameItem{
+		packageNames: packageNameList,
+		packageMap:   make(map[string]bool),
+	}
+	for _, packageName := range packageNameList {
+		rule.packageMap[packageName] = true
+	}
+	return rule
+}
+
+func (r *PackageNameItem) Match(metadata *adapter.InboundContext) bool {
+	if metadata.ProcessInfo == nil || metadata.ProcessInfo.PackageName == "" {
+		return false
+	}
+	return r.packageMap[metadata.ProcessInfo.PackageName]
+}
+
+func (r *PackageNameItem) String() string {
+	var description string
+	pLen := len(r.packageNames)
+	if pLen == 1 {
+		description = "package_name=" + r.packageNames[0]
+	} else {
+		description = "package_name=[" + strings.Join(r.packageNames, " ") + "]"
+	}
+	return description
+}
--- a/route/rule/rule_item_port.go
+++ b/route/rule/rule_item_port.go
@ -0,0 +1,52 @@
+package rule
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	F "github.com/sagernet/sing/common/format"
+)
+
+var _ RuleItem = (*PortItem)(nil)
+
+type PortItem struct {
+	ports    []uint16
+	portMap  map[uint16]bool
+	isSource bool
+}
+
+func NewPortItem(isSource bool, ports []uint16) *PortItem {
+	portMap := make(map[uint16]bool)
+	for _, port := range ports {
+		portMap[port] = true
+	}
+	return &PortItem{
+		ports:    ports,
+		portMap:  portMap,
+		isSource: isSource,
+	}
+}
+
+func (r *PortItem) Match(metadata *adapter.InboundContext) bool {
+	if r.isSource {
+		return r.portMap[metadata.Source.Port]
+	} else {
+		return r.portMap[metadata.Destination.Port]
+	}
+}
+
+func (r *PortItem) String() string {
+	var description string
+	if r.isSource {
+		description = "source_port="
+	} else {
+		description = "port="
+	}
+	pLen := len(r.ports)
+	if pLen == 1 {
+		description += F.ToString(r.ports[0])
+	} else {
+		description += "[" + strings.Join(F.MapToString(r.ports), " ") + "]"
+	}
+	return description
+}
--- a/route/rule/rule_item_port_range.go
+++ b/route/rule/rule_item_port_range.go
@ -0,0 +1,87 @@
+package rule
+
+import (
+	"strconv"
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+var ErrBadPortRange = E.New("bad port range")
+
+var _ RuleItem = (*PortRangeItem)(nil)
+
+type PortRangeItem struct {
+	isSource      bool
+	portRanges    []string
+	portRangeList []rangeItem
+}
+
+type rangeItem struct {
+	start uint16
+	end   uint16
+}
+
+func NewPortRangeItem(isSource bool, rangeList []string) (*PortRangeItem, error) {
+	portRangeList := make([]rangeItem, 0, len(rangeList))
+	for _, portRange := range rangeList {
+		if !strings.Contains(portRange, ":") {
+			return nil, E.Extend(ErrBadPortRange, portRange)
+		}
+		subIndex := strings.Index(portRange, ":")
+		var start, end uint64
+		var err error
+		if subIndex > 0 {
+			start, err = strconv.ParseUint(portRange[:subIndex], 10, 16)
+			if err != nil {
+				return nil, E.Cause(err, E.Extend(ErrBadPortRange, portRange))
+			}
+		}
+		if subIndex == len(portRange)-1 {
+			end = 0xFFFF
+		} else {
+			end, err = strconv.ParseUint(portRange[subIndex+1:], 10, 16)
+			if err != nil {
+				return nil, E.Cause(err, E.Extend(ErrBadPortRange, portRange))
+			}
+		}
+		portRangeList = append(portRangeList, rangeItem{uint16(start), uint16(end)})
+	}
+	return &PortRangeItem{
+		isSource:      isSource,
+		portRanges:    rangeList,
+		portRangeList: portRangeList,
+	}, nil
+}
+
+func (r *PortRangeItem) Match(metadata *adapter.InboundContext) bool {
+	var port uint16
+	if r.isSource {
+		port = metadata.Source.Port
+	} else {
+		port = metadata.Destination.Port
+	}
+	for _, portRange := range r.portRangeList {
+		if port >= portRange.start && port <= portRange.end {
+			return true
+		}
+	}
+	return false
+}
+
+func (r *PortRangeItem) String() string {
+	var description string
+	if r.isSource {
+		description = "source_port_range="
+	} else {
+		description = "port_range="
+	}
+	pLen := len(r.portRanges)
+	if pLen == 1 {
+		description += r.portRanges[0]
+	} else {
+		description += "[" + strings.Join(r.portRanges, " ") + "]"
+	}
+	return description
+}
--- a/route/rule/rule_item_process_name.go
+++ b/route/rule/rule_item_process_name.go
@ -0,0 +1,44 @@
+package rule
+
+import (
+	"path/filepath"
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+)
+
+var _ RuleItem = (*ProcessItem)(nil)
+
+type ProcessItem struct {
+	processes  []string
+	processMap map[string]bool
+}
+
+func NewProcessItem(processNameList []string) *ProcessItem {
+	rule := &ProcessItem{
+		processes:  processNameList,
+		processMap: make(map[string]bool),
+	}
+	for _, processName := range processNameList {
+		rule.processMap[processName] = true
+	}
+	return rule
+}
+
+func (r *ProcessItem) Match(metadata *adapter.InboundContext) bool {
+	if metadata.ProcessInfo == nil || metadata.ProcessInfo.ProcessPath == "" {
+		return false
+	}
+	return r.processMap[filepath.Base(metadata.ProcessInfo.ProcessPath)]
+}
+
+func (r *ProcessItem) String() string {
+	var description string
+	pLen := len(r.processes)
+	if pLen == 1 {
+		description = "process_name=" + r.processes[0]
+	} else {
+		description = "process_name=[" + strings.Join(r.processes, " ") + "]"
+	}
+	return description
+}
--- a/route/rule/rule_item_process_path.go
+++ b/route/rule/rule_item_process_path.go
@ -0,0 +1,43 @@
+package rule
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+)
+
+var _ RuleItem = (*ProcessPathItem)(nil)
+
+type ProcessPathItem struct {
+	processes  []string
+	processMap map[string]bool
+}
+
+func NewProcessPathItem(processNameList []string) *ProcessPathItem {
+	rule := &ProcessPathItem{
+		processes:  processNameList,
+		processMap: make(map[string]bool),
+	}
+	for _, processName := range processNameList {
+		rule.processMap[processName] = true
+	}
+	return rule
+}
+
+func (r *ProcessPathItem) Match(metadata *adapter.InboundContext) bool {
+	if metadata.ProcessInfo == nil || metadata.ProcessInfo.ProcessPath == "" {
+		return false
+	}
+	return r.processMap[metadata.ProcessInfo.ProcessPath]
+}
+
+func (r *ProcessPathItem) String() string {
+	var description string
+	pLen := len(r.processes)
+	if pLen == 1 {
+		description = "process_path=" + r.processes[0]
+	} else {
+		description = "process_path=[" + strings.Join(r.processes, " ") + "]"
+	}
+	return description
+}
--- a/route/rule/rule_item_process_path_regex.go
+++ b/route/rule/rule_item_process_path_regex.go
@ -0,0 +1,54 @@
+package rule
+
+import (
+	"regexp"
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
+)
+
+var _ RuleItem = (*ProcessPathRegexItem)(nil)
+
+type ProcessPathRegexItem struct {
+	matchers    []*regexp.Regexp
+	description string
+}
+
+func NewProcessPathRegexItem(expressions []string) (*ProcessPathRegexItem, error) {
+	matchers := make([]*regexp.Regexp, 0, len(expressions))
+	for i, regex := range expressions {
+		matcher, err := regexp.Compile(regex)
+		if err != nil {
+			return nil, E.Cause(err, "parse expression ", i)
+		}
+		matchers = append(matchers, matcher)
+	}
+	description := "process_path_regex="
+	eLen := len(expressions)
+	if eLen == 1 {
+		description += expressions[0]
+	} else if eLen > 3 {
+		description += F.ToString("[", strings.Join(expressions[:3], " "), "]")
+	} else {
+		description += F.ToString("[", strings.Join(expressions, " "), "]")
+	}
+	return &ProcessPathRegexItem{matchers, description}, nil
+}
+
+func (r *ProcessPathRegexItem) Match(metadata *adapter.InboundContext) bool {
+	if metadata.ProcessInfo == nil || metadata.ProcessInfo.ProcessPath == "" {
+		return false
+	}
+	for _, matcher := range r.matchers {
+		if matcher.MatchString(metadata.ProcessInfo.ProcessPath) {
+			return true
+		}
+	}
+	return false
+}
+
+func (r *ProcessPathRegexItem) String() string {
+	return r.description
+}
--- a/route/rule/rule_item_protocol.go
+++ b/route/rule/rule_item_protocol.go
@ -0,0 +1,37 @@
+package rule
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	F "github.com/sagernet/sing/common/format"
+)
+
+var _ RuleItem = (*ProtocolItem)(nil)
+
+type ProtocolItem struct {
+	protocols   []string
+	protocolMap map[string]bool
+}
+
+func NewProtocolItem(protocols []string) *ProtocolItem {
+	protocolMap := make(map[string]bool)
+	for _, protocol := range protocols {
+		protocolMap[protocol] = true
+	}
+	return &ProtocolItem{
+		protocols:   protocols,
+		protocolMap: protocolMap,
+	}
+}
+
+func (r *ProtocolItem) Match(metadata *adapter.InboundContext) bool {
+	return r.protocolMap[metadata.Protocol]
+}
+
+func (r *ProtocolItem) String() string {
+	if len(r.protocols) == 1 {
+		return F.ToString("protocol=", r.protocols[0])
+	}
+	return F.ToString("protocol=[", strings.Join(r.protocols, " "), "]")
+}
--- a/route/rule/rule_item_query_type.go
+++ b/route/rule/rule_item_query_type.go
@ -0,0 +1,47 @@
+package rule
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+)
+
+var _ RuleItem = (*QueryTypeItem)(nil)
+
+type QueryTypeItem struct {
+	typeList []uint16
+	typeMap  map[uint16]bool
+}
+
+func NewQueryTypeItem(typeList []option.DNSQueryType) *QueryTypeItem {
+	rule := &QueryTypeItem{
+		typeList: common.Map(typeList, func(it option.DNSQueryType) uint16 {
+			return uint16(it)
+		}),
+		typeMap: make(map[uint16]bool),
+	}
+	for _, userId := range rule.typeList {
+		rule.typeMap[userId] = true
+	}
+	return rule
+}
+
+func (r *QueryTypeItem) Match(metadata *adapter.InboundContext) bool {
+	if metadata.QueryType == 0 {
+		return false
+	}
+	return r.typeMap[metadata.QueryType]
+}
+
+func (r *QueryTypeItem) String() string {
+	var description string
+	pLen := len(r.typeList)
+	if pLen == 1 {
+		description = "query_type=" + option.DNSQueryTypeToString(r.typeList[0])
+	} else {
+		description = "query_type=[" + strings.Join(common.Map(r.typeList, option.DNSQueryTypeToString), " ") + "]"
+	}
+	return description
+}
--- a/route/rule/rule_item_rule_set.go
+++ b/route/rule/rule_item_rule_set.go
@ -0,0 +1,69 @@
+package rule
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
+)
+
+var _ RuleItem = (*RuleSetItem)(nil)
+
+type RuleSetItem struct {
+	router            adapter.Router
+	tagList           []string
+	setList           []adapter.RuleSet
+	ipCidrMatchSource bool
+	ipCidrAcceptEmpty bool
+}
+
+func NewRuleSetItem(router adapter.Router, tagList []string, ipCIDRMatchSource bool, ipCidrAcceptEmpty bool) *RuleSetItem {
+	return &RuleSetItem{
+		router:            router,
+		tagList:           tagList,
+		ipCidrMatchSource: ipCIDRMatchSource,
+		ipCidrAcceptEmpty: ipCidrAcceptEmpty,
+	}
+}
+
+func (r *RuleSetItem) Start() error {
+	for _, tag := range r.tagList {
+		ruleSet, loaded := r.router.RuleSet(tag)
+		if !loaded {
+			return E.New("rule-set not found: ", tag)
+		}
+		ruleSet.IncRef()
+		r.setList = append(r.setList, ruleSet)
+	}
+	return nil
+}
+
+func (r *RuleSetItem) Match(metadata *adapter.InboundContext) bool {
+	metadata.IPCIDRMatchSource = r.ipCidrMatchSource
+	metadata.IPCIDRAcceptEmpty = r.ipCidrAcceptEmpty
+	for _, ruleSet := range r.setList {
+		if ruleSet.Match(metadata) {
+			return true
+		}
+	}
+	return false
+}
+
+func (r *RuleSetItem) ContainsDestinationIPCIDRRule() bool {
+	if r.ipCidrMatchSource {
+		return false
+	}
+	return common.Any(r.setList, func(ruleSet adapter.RuleSet) bool {
+		return ruleSet.Metadata().ContainsIPCIDRRule
+	})
+}
+
+func (r *RuleSetItem) String() string {
+	if len(r.tagList) == 1 {
+		return F.ToString("rule_set=", r.tagList[0])
+	} else {
+		return F.ToString("rule_set=[", strings.Join(r.tagList, " "), "]")
+	}
+}
--- a/route/rule/rule_item_user.go
+++ b/route/rule/rule_item_user.go
@ -0,0 +1,40 @@
+package rule
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	F "github.com/sagernet/sing/common/format"
+)
+
+var _ RuleItem = (*UserItem)(nil)
+
+type UserItem struct {
+	users   []string
+	userMap map[string]bool
+}
+
+func NewUserItem(users []string) *UserItem {
+	userMap := make(map[string]bool)
+	for _, protocol := range users {
+		userMap[protocol] = true
+	}
+	return &UserItem{
+		users:   users,
+		userMap: userMap,
+	}
+}
+
+func (r *UserItem) Match(metadata *adapter.InboundContext) bool {
+	if metadata.ProcessInfo == nil || metadata.ProcessInfo.User == "" {
+		return false
+	}
+	return r.userMap[metadata.ProcessInfo.User]
+}
+
+func (r *UserItem) String() string {
+	if len(r.users) == 1 {
+		return F.ToString("user=", r.users[0])
+	}
+	return F.ToString("user=[", strings.Join(r.users, " "), "]")
+}
--- a/route/rule/rule_item_user_id.go
+++ b/route/rule/rule_item_user_id.go
@ -0,0 +1,44 @@
+package rule
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	F "github.com/sagernet/sing/common/format"
+)
+
+var _ RuleItem = (*UserIdItem)(nil)
+
+type UserIdItem struct {
+	userIds   []int32
+	userIdMap map[int32]bool
+}
+
+func NewUserIDItem(userIdList []int32) *UserIdItem {
+	rule := &UserIdItem{
+		userIds:   userIdList,
+		userIdMap: make(map[int32]bool),
+	}
+	for _, userId := range userIdList {
+		rule.userIdMap[userId] = true
+	}
+	return rule
+}
+
+func (r *UserIdItem) Match(metadata *adapter.InboundContext) bool {
+	if metadata.ProcessInfo == nil || metadata.ProcessInfo.UserId == -1 {
+		return false
+	}
+	return r.userIdMap[metadata.ProcessInfo.UserId]
+}
+
+func (r *UserIdItem) String() string {
+	var description string
+	pLen := len(r.userIds)
+	if pLen == 1 {
+		description = "user_id=" + F.ToString(r.userIds[0])
+	} else {
+		description = "user_id=[" + strings.Join(F.MapToString(r.userIds), " ") + "]"
+	}
+	return description
+}
--- a/route/rule/rule_item_wifi_bssid.go
+++ b/route/rule/rule_item_wifi_bssid.go
@ -0,0 +1,39 @@
+package rule
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	F "github.com/sagernet/sing/common/format"
+)
+
+var _ RuleItem = (*WIFIBSSIDItem)(nil)
+
+type WIFIBSSIDItem struct {
+	bssidList []string
+	bssidMap  map[string]bool
+	router    adapter.Router
+}
+
+func NewWIFIBSSIDItem(router adapter.Router, bssidList []string) *WIFIBSSIDItem {
+	bssidMap := make(map[string]bool)
+	for _, bssid := range bssidList {
+		bssidMap[bssid] = true
+	}
+	return &WIFIBSSIDItem{
+		bssidList,
+		bssidMap,
+		router,
+	}
+}
+
+func (r *WIFIBSSIDItem) Match(metadata *adapter.InboundContext) bool {
+	return r.bssidMap[r.router.WIFIState().BSSID]
+}
+
+func (r *WIFIBSSIDItem) String() string {
+	if len(r.bssidList) == 1 {
+		return F.ToString("wifi_bssid=", r.bssidList[0])
+	}
+	return F.ToString("wifi_bssid=[", strings.Join(r.bssidList, " "), "]")
+}
--- a/route/rule/rule_item_wifi_ssid.go
+++ b/route/rule/rule_item_wifi_ssid.go
@ -0,0 +1,39 @@
+package rule
+
+import (
+	"strings"
+
+	"github.com/sagernet/sing-box/adapter"
+	F "github.com/sagernet/sing/common/format"
+)
+
+var _ RuleItem = (*WIFISSIDItem)(nil)
+
+type WIFISSIDItem struct {
+	ssidList []string
+	ssidMap  map[string]bool
+	router   adapter.Router
+}
+
+func NewWIFISSIDItem(router adapter.Router, ssidList []string) *WIFISSIDItem {
+	ssidMap := make(map[string]bool)
+	for _, ssid := range ssidList {
+		ssidMap[ssid] = true
+	}
+	return &WIFISSIDItem{
+		ssidList,
+		ssidMap,
+		router,
+	}
+}
+
+func (r *WIFISSIDItem) Match(metadata *adapter.InboundContext) bool {
+	return r.ssidMap[r.router.WIFIState().SSID]
+}
+
+func (r *WIFISSIDItem) String() string {
+	if len(r.ssidList) == 1 {
+		return F.ToString("wifi_ssid=", r.ssidList[0])
+	}
+	return F.ToString("wifi_ssid=[", strings.Join(r.ssidList, " "), "]")
+}
--- a/route/rule/rule_set.go
+++ b/route/rule/rule_set.go
@ -0,0 +1,71 @@
+package rule
+
+import (
+	"context"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+	"github.com/sagernet/sing/common/logger"
+
+	"go4.org/netipx"
+)
+
+func NewRuleSet(ctx context.Context, router adapter.Router, logger logger.ContextLogger, options option.RuleSet) (adapter.RuleSet, error) {
+	switch options.Type {
+	case C.RuleSetTypeInline, C.RuleSetTypeLocal, "":
+		return NewLocalRuleSet(ctx, router, logger, options)
+	case C.RuleSetTypeRemote:
+		return NewRemoteRuleSet(ctx, router, logger, options), nil
+	default:
+		return nil, E.New("unknown rule-set type: ", options.Type)
+	}
+}
+
+func extractIPSetFromRule(rawRule adapter.HeadlessRule) []*netipx.IPSet {
+	switch rule := rawRule.(type) {
+	case *DefaultHeadlessRule:
+		return common.FlatMap(rule.destinationIPCIDRItems, func(rawItem RuleItem) []*netipx.IPSet {
+			switch item := rawItem.(type) {
+			case *IPCIDRItem:
+				return []*netipx.IPSet{item.ipSet}
+			default:
+				return nil
+			}
+		})
+	case *LogicalHeadlessRule:
+		return common.FlatMap(rule.rules, extractIPSetFromRule)
+	default:
+		panic("unexpected rule type")
+	}
+}
+
+func hasHeadlessRule(rules []option.HeadlessRule, cond func(rule option.DefaultHeadlessRule) bool) bool {
+	for _, rule := range rules {
+		switch rule.Type {
+		case C.RuleTypeDefault:
+			if cond(rule.DefaultOptions) {
+				return true
+			}
+		case C.RuleTypeLogical:
+			if hasHeadlessRule(rule.LogicalOptions.Rules, cond) {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func isProcessHeadlessRule(rule option.DefaultHeadlessRule) bool {
+	return len(rule.ProcessName) > 0 || len(rule.ProcessPath) > 0 || len(rule.ProcessPathRegex) > 0 || len(rule.PackageName) > 0
+}
+
+func isWIFIHeadlessRule(rule option.DefaultHeadlessRule) bool {
+	return len(rule.WIFISSID) > 0 || len(rule.WIFIBSSID) > 0
+}
+
+func isIPCIDRHeadlessRule(rule option.DefaultHeadlessRule) bool {
+	return len(rule.IPCIDR) > 0 || rule.IPSet != nil
+}
--- a/route/rule/rule_set_local.go
+++ b/route/rule/rule_set_local.go
@ -0,0 +1,194 @@
+package rule
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/sagernet/fswatch"
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/srs"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/atomic"
+	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
+	"github.com/sagernet/sing/common/json"
+	"github.com/sagernet/sing/common/logger"
+	"github.com/sagernet/sing/common/x/list"
+	"github.com/sagernet/sing/service/filemanager"
+
+	"go4.org/netipx"
+)
+
+var _ adapter.RuleSet = (*LocalRuleSet)(nil)
+
+type LocalRuleSet struct {
+	router     adapter.Router
+	logger     logger.Logger
+	tag        string
+	rules      []adapter.HeadlessRule
+	metadata   adapter.RuleSetMetadata
+	fileFormat string
+	watcher    *fswatch.Watcher
+	refs       atomic.Int32
+}
+
+func NewLocalRuleSet(ctx context.Context, router adapter.Router, logger logger.Logger, options option.RuleSet) (*LocalRuleSet, error) {
+	ruleSet := &LocalRuleSet{
+		router:     router,
+		logger:     logger,
+		tag:        options.Tag,
+		fileFormat: options.Format,
+	}
+	if options.Type == C.RuleSetTypeInline {
+		if len(options.InlineOptions.Rules) == 0 {
+			return nil, E.New("empty inline rule-set")
+		}
+		err := ruleSet.reloadRules(options.InlineOptions.Rules)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		err := ruleSet.reloadFile(filemanager.BasePath(ctx, options.LocalOptions.Path))
+		if err != nil {
+			return nil, err
+		}
+	}
+	if options.Type == C.RuleSetTypeLocal {
+		filePath, _ := filepath.Abs(options.LocalOptions.Path)
+		watcher, err := fswatch.NewWatcher(fswatch.Options{
+			Path: []string{filePath},
+			Callback: func(path string) {
+				uErr := ruleSet.reloadFile(path)
+				if uErr != nil {
+					logger.Error(E.Cause(uErr, "reload rule-set ", options.Tag))
+				}
+			},
+		})
+		if err != nil {
+			return nil, err
+		}
+		ruleSet.watcher = watcher
+	}
+	return ruleSet, nil
+}
+
+func (s *LocalRuleSet) Name() string {
+	return s.tag
+}
+
+func (s *LocalRuleSet) String() string {
+	return strings.Join(F.MapToString(s.rules), " ")
+}
+
+func (s *LocalRuleSet) StartContext(ctx context.Context, startContext *adapter.HTTPStartContext) error {
+	if s.watcher != nil {
+		err := s.watcher.Start()
+		if err != nil {
+			s.logger.Error(E.Cause(err, "watch rule-set file"))
+		}
+	}
+	return nil
+}
+
+func (s *LocalRuleSet) reloadFile(path string) error {
+	var ruleSet option.PlainRuleSetCompat
+	switch s.fileFormat {
+	case C.RuleSetFormatSource, "":
+		content, err := os.ReadFile(path)
+		if err != nil {
+			return err
+		}
+		ruleSet, err = json.UnmarshalExtended[option.PlainRuleSetCompat](content)
+		if err != nil {
+			return err
+		}
+
+	case C.RuleSetFormatBinary:
+		setFile, err := os.Open(path)
+		if err != nil {
+			return err
+		}
+		ruleSet, err = srs.Read(setFile, false)
+		if err != nil {
+			return err
+		}
+	default:
+		return E.New("unknown rule-set format: ", s.fileFormat)
+	}
+	plainRuleSet, err := ruleSet.Upgrade()
+	if err != nil {
+		return err
+	}
+	return s.reloadRules(plainRuleSet.Rules)
+}
+
+func (s *LocalRuleSet) reloadRules(headlessRules []option.HeadlessRule) error {
+	rules := make([]adapter.HeadlessRule, len(headlessRules))
+	var err error
+	for i, ruleOptions := range headlessRules {
+		rules[i], err = NewHeadlessRule(s.router, ruleOptions)
+		if err != nil {
+			return E.Cause(err, "parse rule_set.rules.[", i, "]")
+		}
+	}
+	var metadata adapter.RuleSetMetadata
+	metadata.ContainsProcessRule = hasHeadlessRule(headlessRules, isProcessHeadlessRule)
+	metadata.ContainsWIFIRule = hasHeadlessRule(headlessRules, isWIFIHeadlessRule)
+	metadata.ContainsIPCIDRRule = hasHeadlessRule(headlessRules, isIPCIDRHeadlessRule)
+	s.rules = rules
+	s.metadata = metadata
+	return nil
+}
+
+func (s *LocalRuleSet) PostStart() error {
+	return nil
+}
+
+func (s *LocalRuleSet) Metadata() adapter.RuleSetMetadata {
+	return s.metadata
+}
+
+func (s *LocalRuleSet) ExtractIPSet() []*netipx.IPSet {
+	return common.FlatMap(s.rules, extractIPSetFromRule)
+}
+
+func (s *LocalRuleSet) IncRef() {
+	s.refs.Add(1)
+}
+
+func (s *LocalRuleSet) DecRef() {
+	if s.refs.Add(-1) < 0 {
+		panic("rule-set: negative refs")
+	}
+}
+
+func (s *LocalRuleSet) Cleanup() {
+	if s.refs.Load() == 0 {
+		s.rules = nil
+	}
+}
+
+func (s *LocalRuleSet) RegisterCallback(callback adapter.RuleSetUpdateCallback) *list.Element[adapter.RuleSetUpdateCallback] {
+	return nil
+}
+
+func (s *LocalRuleSet) UnregisterCallback(element *list.Element[adapter.RuleSetUpdateCallback]) {
+}
+
+func (s *LocalRuleSet) Close() error {
+	s.rules = nil
+	return common.Close(common.PtrOrNil(s.watcher))
+}
+
+func (s *LocalRuleSet) Match(metadata *adapter.InboundContext) bool {
+	for _, rule := range s.rules {
+		if rule.Match(metadata) {
+			return true
+		}
+	}
+	return false
+}
--- a/route/rule/rule_set_remote.go
+++ b/route/rule/rule_set_remote.go
@ -0,0 +1,320 @@
+package rule
+
+import (
+	"bytes"
+	"context"
+	"io"
+	"net"
+	"net/http"
+	"runtime"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/srs"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
+	"github.com/sagernet/sing/common/atomic"
+	E "github.com/sagernet/sing/common/exceptions"
+	F "github.com/sagernet/sing/common/format"
+	"github.com/sagernet/sing/common/json"
+	"github.com/sagernet/sing/common/logger"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+	"github.com/sagernet/sing/common/x/list"
+	"github.com/sagernet/sing/service"
+	"github.com/sagernet/sing/service/pause"
+
+	"go4.org/netipx"
+)
+
+var _ adapter.RuleSet = (*RemoteRuleSet)(nil)
+
+type RemoteRuleSet struct {
+	ctx            context.Context
+	cancel         context.CancelFunc
+	router         adapter.Router
+	logger         logger.ContextLogger
+	options        option.RuleSet
+	metadata       adapter.RuleSetMetadata
+	updateInterval time.Duration
+	dialer         N.Dialer
+	rules          []adapter.HeadlessRule
+	lastUpdated    time.Time
+	lastEtag       string
+	updateTicker   *time.Ticker
+	cacheFile      adapter.CacheFile
+	pauseManager   pause.Manager
+	callbackAccess sync.Mutex
+	callbacks      list.List[adapter.RuleSetUpdateCallback]
+	refs           atomic.Int32
+}
+
+func NewRemoteRuleSet(ctx context.Context, router adapter.Router, logger logger.ContextLogger, options option.RuleSet) *RemoteRuleSet {
+	ctx, cancel := context.WithCancel(ctx)
+	var updateInterval time.Duration
+	if options.RemoteOptions.UpdateInterval > 0 {
+		updateInterval = time.Duration(options.RemoteOptions.UpdateInterval)
+	} else {
+		updateInterval = 24 * time.Hour
+	}
+	return &RemoteRuleSet{
+		ctx:            ctx,
+		cancel:         cancel,
+		router:         router,
+		logger:         logger,
+		options:        options,
+		updateInterval: updateInterval,
+		pauseManager:   service.FromContext[pause.Manager](ctx),
+	}
+}
+
+func (s *RemoteRuleSet) Name() string {
+	return s.options.Tag
+}
+
+func (s *RemoteRuleSet) String() string {
+	return strings.Join(F.MapToString(s.rules), " ")
+}
+
+func (s *RemoteRuleSet) StartContext(ctx context.Context, startContext *adapter.HTTPStartContext) error {
+	s.cacheFile = service.FromContext[adapter.CacheFile](s.ctx)
+	var dialer N.Dialer
+	if s.options.RemoteOptions.DownloadDetour != "" {
+		outbound, loaded := s.router.Outbound(s.options.RemoteOptions.DownloadDetour)
+		if !loaded {
+			return E.New("download_detour not found: ", s.options.RemoteOptions.DownloadDetour)
+		}
+		dialer = outbound
+	} else {
+		outbound, err := s.router.DefaultOutbound(N.NetworkTCP)
+		if err != nil {
+			return err
+		}
+		dialer = outbound
+	}
+	s.dialer = dialer
+	if s.cacheFile != nil {
+		if savedSet := s.cacheFile.LoadRuleSet(s.options.Tag); savedSet != nil {
+			err := s.loadBytes(savedSet.Content)
+			if err != nil {
+				return E.Cause(err, "restore cached rule-set")
+			}
+			s.lastUpdated = savedSet.LastUpdated
+			s.lastEtag = savedSet.LastEtag
+		}
+	}
+	if s.lastUpdated.IsZero() {
+		err := s.fetchOnce(ctx, startContext)
+		if err != nil {
+			return E.Cause(err, "initial rule-set: ", s.options.Tag)
+		}
+	}
+	s.updateTicker = time.NewTicker(s.updateInterval)
+	return nil
+}
+
+func (s *RemoteRuleSet) PostStart() error {
+	go s.loopUpdate()
+	return nil
+}
+
+func (s *RemoteRuleSet) Metadata() adapter.RuleSetMetadata {
+	return s.metadata
+}
+
+func (s *RemoteRuleSet) ExtractIPSet() []*netipx.IPSet {
+	return common.FlatMap(s.rules, extractIPSetFromRule)
+}
+
+func (s *RemoteRuleSet) IncRef() {
+	s.refs.Add(1)
+}
+
+func (s *RemoteRuleSet) DecRef() {
+	if s.refs.Add(-1) < 0 {
+		panic("rule-set: negative refs")
+	}
+}
+
+func (s *RemoteRuleSet) Cleanup() {
+	if s.refs.Load() == 0 {
+		s.rules = nil
+	}
+}
+
+func (s *RemoteRuleSet) RegisterCallback(callback adapter.RuleSetUpdateCallback) *list.Element[adapter.RuleSetUpdateCallback] {
+	s.callbackAccess.Lock()
+	defer s.callbackAccess.Unlock()
+	return s.callbacks.PushBack(callback)
+}
+
+func (s *RemoteRuleSet) UnregisterCallback(element *list.Element[adapter.RuleSetUpdateCallback]) {
+	s.callbackAccess.Lock()
+	defer s.callbackAccess.Unlock()
+	s.callbacks.Remove(element)
+}
+
+func (s *RemoteRuleSet) loadBytes(content []byte) error {
+	var (
+		ruleSet option.PlainRuleSetCompat
+		err     error
+	)
+	switch s.options.Format {
+	case C.RuleSetFormatSource:
+		ruleSet, err = json.UnmarshalExtended[option.PlainRuleSetCompat](content)
+		if err != nil {
+			return err
+		}
+	case C.RuleSetFormatBinary:
+		ruleSet, err = srs.Read(bytes.NewReader(content), false)
+		if err != nil {
+			return err
+		}
+	default:
+		return E.New("unknown rule-set format: ", s.options.Format)
+	}
+	plainRuleSet, err := ruleSet.Upgrade()
+	if err != nil {
+		return err
+	}
+	rules := make([]adapter.HeadlessRule, len(plainRuleSet.Rules))
+	for i, ruleOptions := range plainRuleSet.Rules {
+		rules[i], err = NewHeadlessRule(s.router, ruleOptions)
+		if err != nil {
+			return E.Cause(err, "parse rule_set.rules.[", i, "]")
+		}
+	}
+	s.metadata.ContainsProcessRule = hasHeadlessRule(plainRuleSet.Rules, isProcessHeadlessRule)
+	s.metadata.ContainsWIFIRule = hasHeadlessRule(plainRuleSet.Rules, isWIFIHeadlessRule)
+	s.metadata.ContainsIPCIDRRule = hasHeadlessRule(plainRuleSet.Rules, isIPCIDRHeadlessRule)
+	s.rules = rules
+	s.callbackAccess.Lock()
+	callbacks := s.callbacks.Array()
+	s.callbackAccess.Unlock()
+	for _, callback := range callbacks {
+		callback(s)
+	}
+	return nil
+}
+
+func (s *RemoteRuleSet) loopUpdate() {
+	if time.Since(s.lastUpdated) > s.updateInterval {
+		err := s.fetchOnce(s.ctx, nil)
+		if err != nil {
+			s.logger.Error("fetch rule-set ", s.options.Tag, ": ", err)
+		} else if s.refs.Load() == 0 {
+			s.rules = nil
+		}
+	}
+	for {
+		runtime.GC()
+		select {
+		case <-s.ctx.Done():
+			return
+		case <-s.updateTicker.C:
+			s.pauseManager.WaitActive()
+			err := s.fetchOnce(s.ctx, nil)
+			if err != nil {
+				s.logger.Error("fetch rule-set ", s.options.Tag, ": ", err)
+			} else if s.refs.Load() == 0 {
+				s.rules = nil
+			}
+		}
+	}
+}
+
+func (s *RemoteRuleSet) fetchOnce(ctx context.Context, startContext *adapter.HTTPStartContext) error {
+	s.logger.Debug("updating rule-set ", s.options.Tag, " from URL: ", s.options.RemoteOptions.URL)
+	var httpClient *http.Client
+	if startContext != nil {
+		httpClient = startContext.HTTPClient(s.options.RemoteOptions.DownloadDetour, s.dialer)
+	} else {
+		httpClient = &http.Client{
+			Transport: &http.Transport{
+				ForceAttemptHTTP2:   true,
+				TLSHandshakeTimeout: C.TCPTimeout,
+				DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+					return s.dialer.DialContext(ctx, network, M.ParseSocksaddr(addr))
+				},
+			},
+		}
+	}
+	request, err := http.NewRequest("GET", s.options.RemoteOptions.URL, nil)
+	if err != nil {
+		return err
+	}
+	if s.lastEtag != "" {
+		request.Header.Set("If-None-Match", s.lastEtag)
+	}
+	response, err := httpClient.Do(request.WithContext(ctx))
+	if err != nil {
+		return err
+	}
+	switch response.StatusCode {
+	case http.StatusOK:
+	case http.StatusNotModified:
+		s.lastUpdated = time.Now()
+		if s.cacheFile != nil {
+			savedRuleSet := s.cacheFile.LoadRuleSet(s.options.Tag)
+			if savedRuleSet != nil {
+				savedRuleSet.LastUpdated = s.lastUpdated
+				err = s.cacheFile.SaveRuleSet(s.options.Tag, savedRuleSet)
+				if err != nil {
+					s.logger.Error("save rule-set updated time: ", err)
+					return nil
+				}
+			}
+		}
+		s.logger.Info("update rule-set ", s.options.Tag, ": not modified")
+		return nil
+	default:
+		return E.New("unexpected status: ", response.Status)
+	}
+	content, err := io.ReadAll(response.Body)
+	if err != nil {
+		response.Body.Close()
+		return err
+	}
+	err = s.loadBytes(content)
+	if err != nil {
+		response.Body.Close()
+		return err
+	}
+	response.Body.Close()
+	eTagHeader := response.Header.Get("Etag")
+	if eTagHeader != "" {
+		s.lastEtag = eTagHeader
+	}
+	s.lastUpdated = time.Now()
+	if s.cacheFile != nil {
+		err = s.cacheFile.SaveRuleSet(s.options.Tag, &adapter.SavedRuleSet{
+			LastUpdated: s.lastUpdated,
+			Content:     content,
+			LastEtag:    s.lastEtag,
+		})
+		if err != nil {
+			s.logger.Error("save rule-set cache: ", err)
+		}
+	}
+	s.logger.Info("updated rule-set ", s.options.Tag)
+	return nil
+}
+
+func (s *RemoteRuleSet) Close() error {
+	s.rules = nil
+	s.updateTicker.Stop()
+	s.cancel()
+	return nil
+}
+
+func (s *RemoteRuleSet) Match(metadata *adapter.InboundContext) bool {
+	for _, rule := range s.rules {
+		if rule.Match(metadata) {
+			return true
+		}
+	}
+	return false
+}