Merge branch 'apernet:master' into master

2025-04-03 20:47:38 +03:00 · 2023-11-03 17:11:46 +08:00 · 2023-11-03 17:11:46 +08:00 · 4c5934d26e
commit 4c5934d26e
parent c9f53f3cc0 a4a2f662bf
30 changed files with 34692 additions and 252 deletions
--- a/.github/workflows/master.yml
+++ b/.github/workflows/master.yml
@ -29,9 +29,8 @@ jobs:
      - uses: nttld/setup-ndk@v1
        id: setup-ndk
        with:
-          ndk-version: r25b
+          ndk-version: r26b
          add-to-path: false
-          local-cache: true

      - name: Run build script
        env:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -33,9 +33,8 @@ jobs:
      - uses: nttld/setup-ndk@v1
        id: setup-ndk
        with:
-          ndk-version: r25b
+          ndk-version: r26b
          add-to-path: false
-          local-cache: true

      - name: Run build script
        env:
--- a/app/cmd/server.go
+++ b/app/cmd/server.go
@ -151,9 +151,10 @@ type serverConfigResolver struct {
 }

 type serverConfigACL struct {
-	File   string   `mapstructure:"file"`
-	Inline []string `mapstructure:"inline"`
-	GeoIP  string   `mapstructure:"geoip"`
+	File    string   `mapstructure:"file"`
+	Inline  []string `mapstructure:"inline"`
+	GeoIP   string   `mapstructure:"geoip"`
+	GeoSite string   `mapstructure:"geosite"`
 }

 type serverConfigOutboundDirect struct {
@ -184,6 +185,7 @@ type serverConfigOutboundEntry struct {

 type serverConfigTrafficStats struct {
 	Listen string `mapstructure:"listen"`
+	Secret string `mapstructure:"secret"`
 }

 type serverConfigMasqueradeFile struct {
@ -468,21 +470,22 @@ func (c *serverConfig) fillOutboundConfig(hyConfig *server.Config) error {
 	if c.ACL.File != "" && len(c.ACL.Inline) > 0 {
 		return configError{Field: "acl", Err: errors.New("cannot set both acl.file and acl.inline")}
 	}
-	gLoader := &utils.GeoIPLoader{
-		Filename:        c.ACL.GeoIP,
-		DownloadFunc:    geoipDownloadFunc,
-		DownloadErrFunc: geoipDownloadErrFunc,
+	gLoader := &utils.GeoLoader{
+		GeoIPFilename:   c.ACL.GeoIP,
+		GeoSiteFilename: c.ACL.GeoSite,
+		DownloadFunc:    geoDownloadFunc,
+		DownloadErrFunc: geoDownloadErrFunc,
 	}
 	if c.ACL.File != "" {
 		hasACL = true
-		acl, err := outbounds.NewACLEngineFromFile(c.ACL.File, obs, gLoader.Load)
+		acl, err := outbounds.NewACLEngineFromFile(c.ACL.File, obs, gLoader)
 		if err != nil {
 			return configError{Field: "acl.file", Err: err}
 		}
 		uOb = acl
 	} else if len(c.ACL.Inline) > 0 {
 		hasACL = true
-		acl, err := outbounds.NewACLEngineFromString(strings.Join(c.ACL.Inline, "\n"), obs, gLoader.Load)
+		acl, err := outbounds.NewACLEngineFromString(strings.Join(c.ACL.Inline, "\n"), obs, gLoader)
 		if err != nil {
 			return configError{Field: "acl.inline", Err: err}
 		}
@ -624,7 +627,7 @@ func (c *serverConfig) fillEventLogger(hyConfig *server.Config) error {

 func (c *serverConfig) fillTrafficLogger(hyConfig *server.Config) error {
 	if c.TrafficStats.Listen != "" {
-		tss := trafficlogger.NewTrafficStatsServer()
+		tss := trafficlogger.NewTrafficStatsServer(c.TrafficStats.Secret)
 		hyConfig.TrafficLogger = tss
 		// 添加定时更新用户使用流量协程
 		if c.V2board != nil && c.V2board.ApiHost != "" {
@ -862,13 +865,13 @@ func runMasqTCPServer(s *masq.MasqTCPServer, httpAddr, httpsAddr string) {
 	}
 }

-func geoipDownloadFunc(filename, url string) {
-	logger.Info("downloading GeoIP database", zap.String("filename", filename), zap.String("url", url))
+func geoDownloadFunc(filename, url string) {
+	logger.Info("downloading database", zap.String("filename", filename), zap.String("url", url))
 }

-func geoipDownloadErrFunc(err error) {
+func geoDownloadErrFunc(err error) {
 	if err != nil {
-		logger.Error("failed to download GeoIP database", zap.Error(err))
+		logger.Error("failed to download database", zap.Error(err))
 	}
 }

--- a/app/cmd/server_test.go
+++ b/app/cmd/server_test.go
@ -101,7 +101,8 @@ func TestServerConfig(t *testing.T) {
 				"lmao(ok)",
 				"kek(cringe,boba,tea)",
 			},
-			GeoIP: "fake.mmdb",
+			GeoIP:   "some.dat",
+			GeoSite: "some_site.dat",
 		},
 		Outbounds: []serverConfigOutboundEntry{
 			{
@ -134,6 +135,7 @@ func TestServerConfig(t *testing.T) {
 		},
 		TrafficStats: serverConfigTrafficStats{
 			Listen: ":9999",
+			Secret: "its_me_mario",
 		},
 		Masquerade: serverConfigMasquerade{
 			Type: "proxy",
--- a/app/cmd/server_test.yaml
+++ b/app/cmd/server_test.yaml
@ -80,7 +80,8 @@ acl:
  inline:
    - lmao(ok)
    - kek(cringe,boba,tea)
-  geoip: fake.mmdb
+  geoip: some.dat
+  geosite: some_site.dat

 outbounds:
  - name: goodstuff
@ -104,6 +105,7 @@ outbounds:

 trafficStats:
  listen: :9999
+  secret: its_me_mario

 masquerade:
  type: proxy
--- a/app/go.mod
+++ b/app/go.mod
@ -9,7 +9,6 @@ require (
 	github.com/caddyserver/certmagic v0.17.2
 	github.com/mdp/qrterminal/v3 v3.1.1
 	github.com/mholt/acmez v1.0.4
-	github.com/oschwald/geoip2-golang v1.9.0
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/viper v1.15.0
 	github.com/stretchr/testify v1.8.4
@ -18,7 +17,7 @@ require (
 )

 require (
-	github.com/apernet/quic-go v0.39.2-0.20231020024223-8002a2f97703 // indirect
+	github.com/apernet/quic-go v0.39.4-0.20231029220436-0faa281e4a77 // indirect
 	github.com/babolivier/go-doh-client v0.0.0-20201028162107-a76cff4cb8b6 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
@ -33,7 +32,6 @@ require (
 	github.com/miekg/dns v1.1.55 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/onsi/ginkgo/v2 v2.9.5 // indirect
-	github.com/oschwald/maxminddb-golang v1.11.0 // indirect
 	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
 	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
@ -56,6 +54,7 @@ require (
 	golang.org/x/sys v0.13.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
 	golang.org/x/tools v0.11.1 // indirect
+	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	rsc.io/qr v0.2.0 // indirect
--- a/app/go.sum
+++ b/app/go.sum
@ -40,8 +40,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/apernet/go-tproxy v0.0.0-20230809025308-8f4723fd742f h1:uVh0qpEslrWjgzx9vOcyCqsOY3c9kofDZ1n+qaw35ZY=
 github.com/apernet/go-tproxy v0.0.0-20230809025308-8f4723fd742f/go.mod h1:xkkq9D4ygcldQQhKS/w9CadiCKwCngU7K9E3DaKahpM=
-github.com/apernet/quic-go v0.39.2-0.20231020024223-8002a2f97703 h1:BLyttelGGoJVL6eqQdXBSq57GUMh+1qzlMxEtmVuAHY=
-github.com/apernet/quic-go v0.39.2-0.20231020024223-8002a2f97703/go.mod h1:UwsoszQlzTm+dBDuFEwWBYt46K56WqlFEN0RWLvQ0rE=
+github.com/apernet/quic-go v0.39.4-0.20231029220436-0faa281e4a77 h1:X45zzYXs02HsYVCi6lQOs4sEvzmCXykxcVvAcQypIqM=
+github.com/apernet/quic-go v0.39.4-0.20231029220436-0faa281e4a77/go.mod h1:UwsoszQlzTm+dBDuFEwWBYt46K56WqlFEN0RWLvQ0rE=
 github.com/babolivier/go-doh-client v0.0.0-20201028162107-a76cff4cb8b6 h1:4NNbNM2Iq/k57qEu7WfL67UrbPq1uFWxW4qODCohi+0=
 github.com/babolivier/go-doh-client v0.0.0-20201028162107-a76cff4cb8b6/go.mod h1:J29hk+f9lJrblVIfiJOtTFk+OblBawmib4uz/VdKzlg=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
@ -102,6 +102,7 @@ github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvq
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
@ -115,6 +116,7 @@ github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
@ -179,10 +181,6 @@ github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q=
 github.com/onsi/ginkgo/v2 v2.9.5/go.mod h1:tvAoo1QUJwNEU2ITftXTpR7R1RbCzoZUOs3RonqW57k=
 github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE=
 github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+qQlhg=
-github.com/oschwald/geoip2-golang v1.9.0 h1:uvD3O6fXAXs+usU+UGExshpdP13GAqp4GBrzN7IgKZc=
-github.com/oschwald/geoip2-golang v1.9.0/go.mod h1:BHK6TvDyATVQhKNbQBdrj9eAvuwOMi2zSFXizL3K81Y=
-github.com/oschwald/maxminddb-golang v1.11.0 h1:aSXMqYR/EPNjGE8epgqwDay+P30hCBZIveY0WZbAWh0=
-github.com/oschwald/maxminddb-golang v1.11.0/go.mod h1:YmVI+H0zh3ySFR3w+oz8PCfglAFj3PuCmui13+P9zDg=
 github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
 github.com/pelletier/go-toml/v2 v2.0.6 h1:nrzqCb7j9cDFj2coyLNLaZuJTLjWjlaz6nvTvIwycIU=
@ -575,6 +573,7 @@ google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
--- a/app/internal/utils/geoip.go
+++ b/app/internal/utils/geoip.go
@ -1,70 +0,0 @@
-package utils
-
-import (
-	"io"
-	"net/http"
-	"os"
-
-	"github.com/oschwald/geoip2-golang"
-)
-
-const (
-	geoipDefaultFilename = "GeoLite2-Country.mmdb"
-	geoipDownloadURL     = "https://git.io/GeoLite2-Country.mmdb"
-)
-
-// GeoIPLoader provides the on-demand GeoIP database loading function required by the ACL engine.
-type GeoIPLoader struct {
-	Filename        string
-	DownloadFunc    func(filename, url string) // Called when downloading the GeoIP database.
-	DownloadErrFunc func(err error)            // Called when downloading the GeoIP database succeeds/fails.
-
-	db *geoip2.Reader
-}
-
-func (l *GeoIPLoader) download() error {
-	resp, err := http.Get(geoipDownloadURL)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-
-	f, err := os.Create(geoipDefaultFilename)
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-
-	_, err = io.Copy(f, resp.Body)
-	return err
-}
-
-func (l *GeoIPLoader) Load() *geoip2.Reader {
-	if l.db == nil {
-		if l.Filename == "" {
-			// Filename not specified, try default.
-			if _, err := os.Stat(geoipDefaultFilename); err == nil {
-				// Default already exists, just use it.
-				l.Filename = geoipDefaultFilename
-			} else if os.IsNotExist(err) {
-				// Default doesn't exist, download it.
-				l.DownloadFunc(geoipDefaultFilename, geoipDownloadURL)
-				err := l.download()
-				l.DownloadErrFunc(err)
-				if err != nil {
-					return nil
-				}
-				l.Filename = geoipDefaultFilename
-			} else {
-				// Other error
-				return nil
-			}
-		}
-		db, err := geoip2.Open(l.Filename)
-		if err != nil {
-			return nil
-		}
-		l.db = db
-	}
-	return l.db
-}
--- a/app/internal/utils/geoloader.go
+++ b/app/internal/utils/geoloader.go
@ -0,0 +1,107 @@
+package utils
+
+import (
+	"io"
+	"net/http"
+	"os"
+
+	"github.com/apernet/hysteria/extras/outbounds/acl"
+	"github.com/apernet/hysteria/extras/outbounds/acl/v2geo"
+)
+
+const (
+	geoipFilename   = "geoip.dat"
+	geoipURL        = "https://cdn.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/geoip.dat"
+	geositeFilename = "geosite.dat"
+	geositeURL      = "https://cdn.jsdelivr.net/gh/Loyalsoldier/v2ray-rules-dat@release/geosite.dat"
+)
+
+var _ acl.GeoLoader = (*GeoLoader)(nil)
+
+// GeoLoader provides the on-demand GeoIP/GeoSite database
+// loading functionality required by the ACL engine.
+// Empty filenames = automatic download from built-in URLs.
+type GeoLoader struct {
+	GeoIPFilename   string
+	GeoSiteFilename string
+
+	DownloadFunc    func(filename, url string)
+	DownloadErrFunc func(err error)
+
+	geoipMap   map[string]*v2geo.GeoIP
+	geositeMap map[string]*v2geo.GeoSite
+}
+
+func (l *GeoLoader) download(filename, url string) error {
+	l.DownloadFunc(filename, url)
+
+	resp, err := http.Get(url)
+	if err != nil {
+		l.DownloadErrFunc(err)
+		return err
+	}
+	defer resp.Body.Close()
+
+	f, err := os.Create(filename)
+	if err != nil {
+		l.DownloadErrFunc(err)
+		return err
+	}
+	defer f.Close()
+
+	_, err = io.Copy(f, resp.Body)
+	l.DownloadErrFunc(err)
+	return err
+}
+
+func (l *GeoLoader) LoadGeoIP() (map[string]*v2geo.GeoIP, error) {
+	if l.geoipMap != nil {
+		return l.geoipMap, nil
+	}
+	autoDL := false
+	filename := l.GeoIPFilename
+	if filename == "" {
+		autoDL = true
+		filename = geoipFilename
+	}
+	m, err := v2geo.LoadGeoIP(filename)
+	if os.IsNotExist(err) && autoDL {
+		// It's ok, we will download it.
+		err = l.download(filename, geoipURL)
+		if err != nil {
+			return nil, err
+		}
+		m, err = v2geo.LoadGeoIP(filename)
+	}
+	if err != nil {
+		return nil, err
+	}
+	l.geoipMap = m
+	return m, nil
+}
+
+func (l *GeoLoader) LoadGeoSite() (map[string]*v2geo.GeoSite, error) {
+	if l.geositeMap != nil {
+		return l.geositeMap, nil
+	}
+	autoDL := false
+	filename := l.GeoSiteFilename
+	if filename == "" {
+		autoDL = true
+		filename = geositeFilename
+	}
+	m, err := v2geo.LoadGeoSite(filename)
+	if os.IsNotExist(err) && autoDL {
+		// It's ok, we will download it.
+		err = l.download(filename, geositeURL)
+		if err != nil {
+			return nil, err
+		}
+		m, err = v2geo.LoadGeoSite(filename)
+	}
+	if err != nil {
+		return nil, err
+	}
+	l.geositeMap = m
+	return m, nil
+}
--- a/core/go.mod
+++ b/core/go.mod
@ -3,7 +3,7 @@ module github.com/apernet/hysteria/core
 go 1.21

 require (
-	github.com/apernet/quic-go v0.39.2-0.20231020024223-8002a2f97703
+	github.com/apernet/quic-go v0.39.4-0.20231029220436-0faa281e4a77
 	github.com/stretchr/testify v1.8.4
 	go.uber.org/goleak v1.2.1
 	golang.org/x/exp v0.0.0-20221205204356-47842c84f3db
--- a/core/go.sum
+++ b/core/go.sum
@ -1,5 +1,5 @@
-github.com/apernet/quic-go v0.39.2-0.20231020024223-8002a2f97703 h1:BLyttelGGoJVL6eqQdXBSq57GUMh+1qzlMxEtmVuAHY=
-github.com/apernet/quic-go v0.39.2-0.20231020024223-8002a2f97703/go.mod h1:UwsoszQlzTm+dBDuFEwWBYt46K56WqlFEN0RWLvQ0rE=
+github.com/apernet/quic-go v0.39.4-0.20231029220436-0faa281e4a77 h1:X45zzYXs02HsYVCi6lQOs4sEvzmCXykxcVvAcQypIqM=
+github.com/apernet/quic-go v0.39.4-0.20231029220436-0faa281e4a77/go.mod h1:UwsoszQlzTm+dBDuFEwWBYt46K56WqlFEN0RWLvQ0rE=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
--- a/extras/go.mod
+++ b/extras/go.mod
@ -7,19 +7,19 @@ require (
 	github.com/babolivier/go-doh-client v0.0.0-20201028162107-a76cff4cb8b6
 	github.com/hashicorp/golang-lru/v2 v2.0.5
 	github.com/miekg/dns v1.1.55
-	github.com/oschwald/geoip2-golang v1.9.0
 	github.com/stretchr/testify v1.8.4
 	github.com/txthinking/socks5 v0.0.0-20230325130024-4230056ae301
 	golang.org/x/crypto v0.14.0
+	golang.org/x/net v0.17.0
+	google.golang.org/protobuf v1.28.1
 )

 require (
-	github.com/apernet/quic-go v0.39.2-0.20231020024223-8002a2f97703 // indirect
+	github.com/apernet/quic-go v0.39.4-0.20231029220436-0faa281e4a77 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 // indirect
 	github.com/onsi/ginkgo/v2 v2.9.5 // indirect
-	github.com/oschwald/maxminddb-golang v1.11.0 // indirect
 	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
@ -29,7 +29,6 @@ require (
 	go.uber.org/mock v0.3.0 // indirect
 	golang.org/x/exp v0.0.0-20221205204356-47842c84f3db // indirect
 	golang.org/x/mod v0.12.0 // indirect
-	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/sys v0.13.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
 	golang.org/x/tools v0.11.1 // indirect
--- a/extras/go.sum
+++ b/extras/go.sum
@ -1,5 +1,5 @@
-github.com/apernet/quic-go v0.39.2-0.20231020024223-8002a2f97703 h1:BLyttelGGoJVL6eqQdXBSq57GUMh+1qzlMxEtmVuAHY=
-github.com/apernet/quic-go v0.39.2-0.20231020024223-8002a2f97703/go.mod h1:UwsoszQlzTm+dBDuFEwWBYt46K56WqlFEN0RWLvQ0rE=
+github.com/apernet/quic-go v0.39.4-0.20231029220436-0faa281e4a77 h1:X45zzYXs02HsYVCi6lQOs4sEvzmCXykxcVvAcQypIqM=
+github.com/apernet/quic-go v0.39.4-0.20231029220436-0faa281e4a77/go.mod h1:UwsoszQlzTm+dBDuFEwWBYt46K56WqlFEN0RWLvQ0rE=
 github.com/babolivier/go-doh-client v0.0.0-20201028162107-a76cff4cb8b6 h1:4NNbNM2Iq/k57qEu7WfL67UrbPq1uFWxW4qODCohi+0=
 github.com/babolivier/go-doh-client v0.0.0-20201028162107-a76cff4cb8b6/go.mod h1:J29hk+f9lJrblVIfiJOtTFk+OblBawmib4uz/VdKzlg=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
@ -12,8 +12,10 @@ github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
 github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 h1:yAJXTCF9TqKcTiHJAE8dj7HMvPfh66eeA2JYW7eFpSE=
@ -32,10 +34,6 @@ github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q=
 github.com/onsi/ginkgo/v2 v2.9.5/go.mod h1:tvAoo1QUJwNEU2ITftXTpR7R1RbCzoZUOs3RonqW57k=
 github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE=
 github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+qQlhg=
-github.com/oschwald/geoip2-golang v1.9.0 h1:uvD3O6fXAXs+usU+UGExshpdP13GAqp4GBrzN7IgKZc=
-github.com/oschwald/geoip2-golang v1.9.0/go.mod h1:BHK6TvDyATVQhKNbQBdrj9eAvuwOMi2zSFXizL3K81Y=
-github.com/oschwald/maxminddb-golang v1.11.0 h1:aSXMqYR/EPNjGE8epgqwDay+P30hCBZIveY0WZbAWh0=
-github.com/oschwald/maxminddb-golang v1.11.0/go.mod h1:YmVI+H0zh3ySFR3w+oz8PCfglAFj3PuCmui13+P9zDg=
 github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@ -108,6 +106,8 @@ golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k=
 golang.org/x/tools v0.11.1 h1:ojD5zOW8+7dOGzdnNgersm8aPfcDjhMp12UfG93NIMc=
 golang.org/x/tools v0.11.1/go.mod h1:anzJrxPjNtfgiYQYirP2CPGzGLxrH2u2QBhn6Bf3qY8=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
--- a/extras/masq/server.go
+++ b/extras/masq/server.go
@ -1,8 +1,10 @@
 package masq

 import (
+	"bufio"
 	"crypto/tls"
 	"fmt"
+	"net"
 	"net/http"
 )

@ -28,10 +30,7 @@ func (s *MasqTCPServer) ListenAndServeHTTP(addr string) error {
 			}
 			return
 		}
-		s.Handler.ServeHTTP(&altSvcHijackResponseWriter{
-			Port:           s.QUICPort,
-			ResponseWriter: w,
-		}, r)
+		s.Handler.ServeHTTP(newAltSvcHijackResponseWriter(w, s.QUICPort), r)
 	}))
 }

@ -39,16 +38,15 @@ func (s *MasqTCPServer) ListenAndServeHTTPS(addr string) error {
 	server := &http.Server{
 		Addr: addr,
 		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			s.Handler.ServeHTTP(&altSvcHijackResponseWriter{
-				Port:           s.QUICPort,
-				ResponseWriter: w,
-			}, r)
+			s.Handler.ServeHTTP(newAltSvcHijackResponseWriter(w, s.QUICPort), r)
 		}),
 		TLSConfig: s.TLSConfig,
 	}
 	return server.ListenAndServeTLS("", "")
 }

+var _ http.ResponseWriter = (*altSvcHijackResponseWriter)(nil)
+
 // altSvcHijackResponseWriter makes sure that the Alt-Svc's port
 // is always set with our own value, no matter what the handler sets.
 type altSvcHijackResponseWriter struct {
@ -60,3 +58,30 @@ func (w *altSvcHijackResponseWriter) WriteHeader(statusCode int) {
 	w.Header().Set("Alt-Svc", fmt.Sprintf(`h3=":%d"; ma=2592000`, w.Port))
 	w.ResponseWriter.WriteHeader(statusCode)
 }
+
+var _ http.Hijacker = (*altSvcHijackResponseWriterHijacker)(nil)
+
+// altSvcHijackResponseWriterHijacker is a wrapper around altSvcHijackResponseWriter
+// that also implements http.Hijacker. This is needed for WebSocket support.
+type altSvcHijackResponseWriterHijacker struct {
+	altSvcHijackResponseWriter
+}
+
+func (w *altSvcHijackResponseWriterHijacker) Hijack() (net.Conn, *bufio.ReadWriter, error) {
+	return w.ResponseWriter.(http.Hijacker).Hijack()
+}
+
+func newAltSvcHijackResponseWriter(w http.ResponseWriter, port int) http.ResponseWriter {
+	if _, ok := w.(http.Hijacker); ok {
+		return &altSvcHijackResponseWriterHijacker{
+			altSvcHijackResponseWriter: altSvcHijackResponseWriter{
+				Port:           port,
+				ResponseWriter: w,
+			},
+		}
+	}
+	return &altSvcHijackResponseWriter{
+		Port:           port,
+		ResponseWriter: w,
+	}
+}
--- a/extras/outbounds/acl.go
+++ b/extras/outbounds/acl.go
@ -7,7 +7,6 @@ import (
 	"strings"

 	"github.com/apernet/hysteria/extras/outbounds/acl"
-	"github.com/oschwald/geoip2-golang"
 )

 const (
@ -34,25 +33,25 @@ type OutboundEntry struct {
 	Outbound PluggableOutbound
 }

-func NewACLEngineFromString(rules string, outbounds []OutboundEntry, geoipFunc func() *geoip2.Reader) (PluggableOutbound, error) {
+func NewACLEngineFromString(rules string, outbounds []OutboundEntry, geoLoader acl.GeoLoader) (PluggableOutbound, error) {
 	trs, err := acl.ParseTextRules(rules)
 	if err != nil {
 		return nil, err
 	}
 	obMap := outboundsToMap(outbounds)
-	rs, err := acl.Compile[PluggableOutbound](trs, obMap, aclCacheSize, geoipFunc)
+	rs, err := acl.Compile[PluggableOutbound](trs, obMap, aclCacheSize, geoLoader)
 	if err != nil {
 		return nil, err
 	}
 	return &aclEngine{rs, obMap["default"]}, nil
 }

-func NewACLEngineFromFile(filename string, outbounds []OutboundEntry, geoipFunc func() *geoip2.Reader) (PluggableOutbound, error) {
+func NewACLEngineFromFile(filename string, outbounds []OutboundEntry, geoLoader acl.GeoLoader) (PluggableOutbound, error) {
 	bs, err := os.ReadFile(filename)
 	if err != nil {
 		return nil, err
 	}
-	return NewACLEngineFromString(string(bs), outbounds, geoipFunc)
+	return NewACLEngineFromString(string(bs), outbounds, geoLoader)
 }

 func outboundsToMap(outbounds []OutboundEntry) map[string]PluggableOutbound {
--- a/extras/outbounds/acl/GeoLite2-Country.mmdb
+++ b/extras/outbounds/acl/GeoLite2-Country.mmdb
--- a/extras/outbounds/acl/compile.go
+++ b/extras/outbounds/acl/compile.go
@ -6,8 +6,9 @@ import (
 	"strconv"
 	"strings"

+	"github.com/apernet/hysteria/extras/outbounds/acl/v2geo"
+
 	lru "github.com/hashicorp/golang-lru/v2"
-	"github.com/oschwald/geoip2-golang"
 )

 type Protocol int
@ -92,6 +93,11 @@ func (e *CompilationError) Error() string {
 	return fmt.Sprintf("error at line %d: %s", e.LineNum, e.Message)
 }

+type GeoLoader interface {
+	LoadGeoIP() (map[string]*v2geo.GeoIP, error)
+	LoadGeoSite() (map[string]*v2geo.GeoSite, error)
+}
+
 // Compile compiles TextRules into a CompiledRuleSet.
 // Names in the outbounds map MUST be in all lower case.
 // geoipFunc is a function that returns the GeoIP database needed by the GeoIP matcher.
@ -99,7 +105,7 @@ func (e *CompilationError) Error() string {
 // be called if there is no GeoIP rule. We use a function here so that database loading
 // is on-demand (only required if used by rules).
 func Compile[O Outbound](rules []TextRule, outbounds map[string]O,
-	cacheSize int, geoipFunc func() *geoip2.Reader,
+	cacheSize int, geoLoader GeoLoader,
 ) (CompiledRuleSet[O], error) {
 	compiledRules := make([]compiledRule[O], len(rules))
 	for i, rule := range rules {
@ -107,7 +113,7 @@ func Compile[O Outbound](rules []TextRule, outbounds map[string]O,
 		if !ok {
 			return nil, &CompilationError{rule.LineNum, fmt.Sprintf("outbound %s not found", rule.Outbound)}
 		}
-		hm, errStr := compileHostMatcher(rule.Address, geoipFunc)
+		hm, errStr := compileHostMatcher(rule.Address, geoLoader)
 		if errStr != "" {
 			return nil, &CompilationError{rule.LineNum, errStr}
 		}
@ -184,7 +190,7 @@ func parseProtoPort(protoPort string) (Protocol, uint16, bool) {
 	}
 }

-func compileHostMatcher(addr string, geoipFunc func() *geoip2.Reader) (hostMatcher, string) {
+func compileHostMatcher(addr string, geoLoader GeoLoader) (hostMatcher, string) {
 	addr = strings.ToLower(addr) // Normalize to lower case
 	if addr == "*" || addr == "all" {
 		// Match all hosts
@ -192,15 +198,43 @@ func compileHostMatcher(addr string, geoipFunc func() *geoip2.Reader) (hostMatch
 	}
 	if strings.HasPrefix(addr, "geoip:") {
 		// GeoIP matcher
-		country := strings.ToUpper(addr[6:])
-		if len(country) != 2 {
-			return nil, fmt.Sprintf("invalid country code: %s", country)
+		country := addr[6:]
+		if len(country) == 0 {
+			return nil, "empty GeoIP country code"
 		}
-		db := geoipFunc()
-		if db == nil {
-			return nil, "failed to load GeoIP database"
+		gMap, err := geoLoader.LoadGeoIP()
+		if err != nil {
+			return nil, err.Error()
 		}
-		return &geoipMatcher{db, country}, ""
+		list, ok := gMap[country]
+		if !ok || list == nil {
+			return nil, fmt.Sprintf("GeoIP country code %s not found", country)
+		}
+		m, err := newGeoIPMatcher(list)
+		if err != nil {
+			return nil, err.Error()
+		}
+		return m, ""
+	}
+	if strings.HasPrefix(addr, "geosite:") {
+		// GeoSite matcher
+		name, attrs := parseGeoSiteName(addr[8:])
+		if len(name) == 0 {
+			return nil, "empty GeoSite name"
+		}
+		gMap, err := geoLoader.LoadGeoSite()
+		if err != nil {
+			return nil, err.Error()
+		}
+		list, ok := gMap[name]
+		if !ok || list == nil {
+			return nil, fmt.Sprintf("GeoSite name %s not found", name)
+		}
+		m, err := newGeositeMatcher(list, attrs)
+		if err != nil {
+			return nil, err.Error()
+		}
+		return m, ""
 	}
 	if strings.Contains(addr, "/") {
 		// CIDR matcher
@ -227,3 +261,13 @@ func compileHostMatcher(addr string, geoipFunc func() *geoip2.Reader) (hostMatch
 		Wildcard: false,
 	}, ""
 }
+
+func parseGeoSiteName(s string) (string, []string) {
+	parts := strings.Split(s, "@")
+	base := strings.TrimSpace(parts[0])
+	attrs := parts[1:]
+	for i := range attrs {
+		attrs[i] = strings.TrimSpace(attrs[i])
+	}
+	return base, attrs
+}
--- a/extras/outbounds/acl/compile_test.go
+++ b/extras/outbounds/acl/compile_test.go
@ -4,12 +4,25 @@ import (
 	"net"
 	"testing"

-	"github.com/oschwald/geoip2-golang"
+	"github.com/apernet/hysteria/extras/outbounds/acl/v2geo"
+
 	"github.com/stretchr/testify/assert"
 )

+var _ GeoLoader = (*testGeoLoader)(nil)
+
+type testGeoLoader struct{}
+
+func (l *testGeoLoader) LoadGeoIP() (map[string]*v2geo.GeoIP, error) {
+	return v2geo.LoadGeoIP("v2geo/geoip.dat")
+}
+
+func (l *testGeoLoader) LoadGeoSite() (map[string]*v2geo.GeoSite, error) {
+	return v2geo.LoadGeoSite("v2geo/geosite.dat")
+}
+
 func TestCompile(t *testing.T) {
-	ob1, ob2, ob3 := 1, 2, 3
+	ob1, ob2, ob3, ob4 := 1, 2, 3, 4
 	rules := []TextRule{
 		{
 			Outbound:      "ob1",
@ -59,12 +72,25 @@ func TestCompile(t *testing.T) {
 			ProtoPort:     "*/*",
 			HijackAddress: "",
 		},
+		{
+			Outbound:      "ob4",
+			Address:       "geosite:4chan",
+			ProtoPort:     "*/*",
+			HijackAddress: "",
+		},
+		{
+			Outbound:      "ob4",
+			Address:       "geosite:google @cn",
+			ProtoPort:     "*/*",
+			HijackAddress: "",
+		},
 	}
-	reader, err := geoip2.Open("GeoLite2-Country.mmdb")
-	assert.NoError(t, err)
-	comp, err := Compile[int](rules, map[string]int{"ob1": ob1, "ob2": ob2, "ob3": ob3}, 100, func() *geoip2.Reader {
-		return reader
-	})
+	comp, err := Compile[int](rules, map[string]int{
+		"ob1": ob1,
+		"ob2": ob2,
+		"ob3": ob3,
+		"ob4": ob4,
+	}, 100, &testGeoLoader{})
 	assert.NoError(t, err)

 	tests := []struct {
@ -146,6 +172,42 @@ func TestCompile(t *testing.T) {
 			wantOutbound: ob2,
 			wantIP:       nil,
 		},
+		{
+			host: HostInfo{
+				IPv4: net.ParseIP("175.45.176.73"),
+			},
+			proto:        ProtocolTCP,
+			port:         80,
+			wantOutbound: 0, // no match default
+			wantIP:       nil,
+		},
+		{
+			host: HostInfo{
+				Name: "boards.4channel.org",
+			},
+			proto:        ProtocolTCP,
+			port:         443,
+			wantOutbound: ob4,
+			wantIP:       nil,
+		},
+		{
+			host: HostInfo{
+				Name: "gstatic-cn.com",
+			},
+			proto:        ProtocolUDP,
+			port:         9999,
+			wantOutbound: ob4,
+			wantIP:       nil,
+		},
+		{
+			host: HostInfo{
+				Name: "hoho.waymo.com",
+			},
+			proto:        ProtocolUDP,
+			port:         9999,
+			wantOutbound: 0, // no match default
+			wantIP:       nil,
+		},
 	}

 	for _, test := range tests {
@ -154,3 +216,56 @@ func TestCompile(t *testing.T) {
 		assert.Equal(t, test.wantIP, gotIP)
 	}
 }
+
+func Test_parseGeoSiteName(t *testing.T) {
+	tests := []struct {
+		name  string
+		s     string
+		want  string
+		want1 []string
+	}{
+		{
+			name:  "no attrs",
+			s:     "pornhub",
+			want:  "pornhub",
+			want1: []string{},
+		},
+		{
+			name:  "one attr 1",
+			s:     "xiaomi@cn",
+			want:  "xiaomi",
+			want1: []string{"cn"},
+		},
+		{
+			name:  "one attr 2",
+			s:     " google @jp ",
+			want:  "google",
+			want1: []string{"jp"},
+		},
+		{
+			name:  "two attrs 1",
+			s:     "netflix@jp@kr",
+			want:  "netflix",
+			want1: []string{"jp", "kr"},
+		},
+		{
+			name:  "two attrs 2",
+			s:     "netflix @xixi    @haha ",
+			want:  "netflix",
+			want1: []string{"xixi", "haha"},
+		},
+		{
+			name:  "empty",
+			s:     "",
+			want:  "",
+			want1: []string{},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, got1 := parseGeoSiteName(tt.s)
+			assert.Equalf(t, tt.want, got, "parseGeoSiteName(%v)", tt.s)
+			assert.Equalf(t, tt.want1, got1, "parseGeoSiteName(%v)", tt.s)
+		})
+	}
+}
--- a/extras/outbounds/acl/matchers.go
+++ b/extras/outbounds/acl/matchers.go
@ -3,7 +3,7 @@ package acl
 import (
 	"net"

-	"github.com/oschwald/geoip2-golang"
+	"golang.org/x/net/idna"
 )

 type hostMatcher interface {
@ -32,10 +32,14 @@ type domainMatcher struct {
 }

 func (m *domainMatcher) Match(host HostInfo) bool {
-	if m.Wildcard {
-		return deepMatchRune([]rune(host.Name), []rune(m.Pattern))
+	name, err := idna.ToUnicode(host.Name)
+	if err != nil {
+		name = host.Name
 	}
-	return m.Pattern == host.Name
+	if m.Wildcard {
+		return deepMatchRune([]rune(name), []rune(m.Pattern))
+	}
+	return name == m.Pattern
 }

 func deepMatchRune(str, pattern []rune) bool {
@ -55,27 +59,6 @@ func deepMatchRune(str, pattern []rune) bool {
 	return len(str) == 0 && len(pattern) == 0
 }

-type geoipMatcher struct {
-	DB      *geoip2.Reader
-	Country string // must be uppercase ISO 3166-1 alpha-2 code
-}
-
-func (m *geoipMatcher) Match(host HostInfo) bool {
-	if host.IPv4 != nil {
-		record, err := m.DB.Country(host.IPv4)
-		if err == nil && record.Country.IsoCode == m.Country {
-			return true
-		}
-	}
-	if host.IPv6 != nil {
-		record, err := m.DB.Country(host.IPv6)
-		if err == nil && record.Country.IsoCode == m.Country {
-			return true
-		}
-	}
-	return false
-}
-
 type allMatcher struct{}

 func (m *allMatcher) Match(host HostInfo) bool {
--- a/extras/outbounds/acl/matchers_test.go
+++ b/extras/outbounds/acl/matchers_test.go
@ -3,9 +3,6 @@ package acl
 import (
 	"net"
 	"testing"
-
-	"github.com/oschwald/geoip2-golang"
-	"github.com/stretchr/testify/assert"
 )

 func Test_ipMatcher_Match(t *testing.T) {
@ -165,6 +162,17 @@ func Test_domainMatcher_Match(t *testing.T) {
 			},
 			want: true,
 		},
+		{
+			name: "non-wildcard IDN match",
+			fields: fields{
+				Pattern:  "政府.中国",
+				Wildcard: false,
+			},
+			host: HostInfo{
+				Name: "xn--mxtq1m.xn--fiqs8s",
+			},
+			want: true,
+		},
 		{
 			name: "non-wildcard no match",
 			fields: fields{
@ -176,6 +184,17 @@ func Test_domainMatcher_Match(t *testing.T) {
 			},
 			want: false,
 		},
+		{
+			name: "non-wildcard IDN no match",
+			fields: fields{
+				Pattern:  "政府.中国",
+				Wildcard: false,
+			},
+			host: HostInfo{
+				Name: "xn--mxtq1m.xn--yfro4i67o",
+			},
+			want: false,
+		},
 		{
 			name: "wildcard match 1",
 			fields: fields{
@ -198,6 +217,28 @@ func Test_domainMatcher_Match(t *testing.T) {
 			},
 			want: true,
 		},
+		{
+			name: "wildcard IDN match 1",
+			fields: fields{
+				Pattern:  "战狼*.com",
+				Wildcard: true,
+			},
+			host: HostInfo{
+				Name: "xn--2-x14by21c.com",
+			},
+			want: true,
+		},
+		{
+			name: "wildcard IDN match 2",
+			fields: fields{
+				Pattern:  "*大学*",
+				Wildcard: true,
+			},
+			host: HostInfo{
+				Name: "xn--xkry9kk1bz66a.xn--ses554g",
+			},
+			want: true,
+		},
 		{
 			name: "wildcard no match",
 			fields: fields{
@ -209,6 +250,17 @@ func Test_domainMatcher_Match(t *testing.T) {
 			},
 			want: false,
 		},
+		{
+			name: "wildcard IDN no match",
+			fields: fields{
+				Pattern:  "*呵呵*",
+				Wildcard: true,
+			},
+			host: HostInfo{
+				Name: "xn--6qqt7juua.cn",
+			},
+			want: false,
+		},
 		{
 			name: "empty",
 			fields: fields{
@ -233,78 +285,3 @@ func Test_domainMatcher_Match(t *testing.T) {
 		})
 	}
 }
-
-func Test_geoipMatcher_Match(t *testing.T) {
-	db, err := geoip2.Open("GeoLite2-Country.mmdb")
-	assert.NoError(t, err)
-	defer db.Close()
-
-	type fields struct {
-		DB      *geoip2.Reader
-		Country string
-	}
-	tests := []struct {
-		name   string
-		fields fields
-		host   HostInfo
-		want   bool
-	}{
-		{
-			name: "ipv4 match",
-			fields: fields{
-				DB:      db,
-				Country: "JP",
-			},
-			host: HostInfo{
-				IPv4: net.ParseIP("210.140.92.181"),
-			},
-			want: true,
-		},
-		{
-			name: "ipv6 match",
-			fields: fields{
-				DB:      db,
-				Country: "US",
-			},
-			host: HostInfo{
-				IPv6: net.ParseIP("2606:4700::6810:85e5"),
-			},
-			want: true,
-		},
-		{
-			name: "no match",
-			fields: fields{
-				DB:      db,
-				Country: "AU",
-			},
-			host: HostInfo{
-				IPv4: net.ParseIP("210.140.92.181"),
-				IPv6: net.ParseIP("2606:4700::6810:85e5"),
-			},
-			want: false,
-		},
-		{
-			name: "both nil",
-			fields: fields{
-				DB:      db,
-				Country: "KR",
-			},
-			host: HostInfo{
-				IPv4: nil,
-				IPv6: nil,
-			},
-			want: false,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			m := &geoipMatcher{
-				DB:      tt.fields.DB,
-				Country: tt.fields.Country,
-			}
-			if got := m.Match(tt.host); got != tt.want {
-				t.Errorf("Match() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
--- a/extras/outbounds/acl/matchers_v2geo.go
+++ b/extras/outbounds/acl/matchers_v2geo.go
@ -0,0 +1,213 @@
+package acl
+
+import (
+	"bytes"
+	"errors"
+	"net"
+	"regexp"
+	"sort"
+	"strings"
+
+	"github.com/apernet/hysteria/extras/outbounds/acl/v2geo"
+)
+
+var _ hostMatcher = (*geoipMatcher)(nil)
+
+type geoipMatcher struct {
+	N4      []*net.IPNet // sorted
+	N6      []*net.IPNet // sorted
+	Inverse bool
+}
+
+// matchIP tries to match the given IP address with the corresponding IPNets.
+// Note that this function does NOT handle the Inverse flag.
+func (m *geoipMatcher) matchIP(ip net.IP) bool {
+	var n []*net.IPNet
+	if ip4 := ip.To4(); ip4 != nil {
+		// N4 stores IPv4 addresses in 4-byte form.
+		// Make sure we use it here too, otherwise bytes.Compare will fail.
+		ip = ip4
+		n = m.N4
+	} else {
+		n = m.N6
+	}
+	left, right := 0, len(n)-1
+	for left <= right {
+		mid := (left + right) / 2
+		if n[mid].Contains(ip) {
+			return true
+		} else if bytes.Compare(n[mid].IP, ip) < 0 {
+			left = mid + 1
+		} else {
+			right = mid - 1
+		}
+	}
+	return false
+}
+
+func (m *geoipMatcher) Match(host HostInfo) bool {
+	if host.IPv4 != nil {
+		if m.matchIP(host.IPv4) {
+			return !m.Inverse
+		}
+	}
+	if host.IPv6 != nil {
+		if m.matchIP(host.IPv6) {
+			return !m.Inverse
+		}
+	}
+	return m.Inverse
+}
+
+func newGeoIPMatcher(list *v2geo.GeoIP) (*geoipMatcher, error) {
+	n4 := make([]*net.IPNet, 0)
+	n6 := make([]*net.IPNet, 0)
+	for _, cidr := range list.Cidr {
+		if len(cidr.Ip) == 4 {
+			// IPv4
+			n4 = append(n4, &net.IPNet{
+				IP:   cidr.Ip,
+				Mask: net.CIDRMask(int(cidr.Prefix), 32),
+			})
+		} else if len(cidr.Ip) == 16 {
+			// IPv6
+			n6 = append(n6, &net.IPNet{
+				IP:   cidr.Ip,
+				Mask: net.CIDRMask(int(cidr.Prefix), 128),
+			})
+		} else {
+			return nil, errors.New("invalid IP length")
+		}
+	}
+	// Sort the IPNets, so we can do binary search later.
+	sort.Slice(n4, func(i, j int) bool {
+		return bytes.Compare(n4[i].IP, n4[j].IP) < 0
+	})
+	sort.Slice(n6, func(i, j int) bool {
+		return bytes.Compare(n6[i].IP, n6[j].IP) < 0
+	})
+	return &geoipMatcher{
+		N4:      n4,
+		N6:      n6,
+		Inverse: list.InverseMatch,
+	}, nil
+}
+
+var _ hostMatcher = (*geositeMatcher)(nil)
+
+type geositeDomainType int
+
+const (
+	geositeDomainPlain geositeDomainType = iota
+	geositeDomainRegex
+	geositeDomainRoot
+	geositeDomainFull
+)
+
+type geositeDomain struct {
+	Type  geositeDomainType
+	Value string
+	Regex *regexp.Regexp
+	Attrs map[string]bool
+}
+
+type geositeMatcher struct {
+	Domains []geositeDomain
+	// Attributes are matched using "and" logic - if you have multiple attributes here,
+	// a domain must have all of those attributes to be considered a match.
+	Attrs []string
+}
+
+func (m *geositeMatcher) matchDomain(domain geositeDomain, host HostInfo) bool {
+	// Match attributes first
+	if len(m.Attrs) > 0 {
+		if len(domain.Attrs) == 0 {
+			return false
+		}
+		for _, attr := range m.Attrs {
+			if !domain.Attrs[attr] {
+				return false
+			}
+		}
+	}
+
+	switch domain.Type {
+	case geositeDomainPlain:
+		return strings.Contains(host.Name, domain.Value)
+	case geositeDomainRegex:
+		if domain.Regex != nil {
+			return domain.Regex.MatchString(host.Name)
+		}
+	case geositeDomainFull:
+		return host.Name == domain.Value
+	case geositeDomainRoot:
+		if host.Name == domain.Value {
+			return true
+		}
+		return strings.HasSuffix(host.Name, "."+domain.Value)
+	default:
+		return false
+	}
+	return false
+}
+
+func (m *geositeMatcher) Match(host HostInfo) bool {
+	for _, domain := range m.Domains {
+		if m.matchDomain(domain, host) {
+			return true
+		}
+	}
+	return false
+}
+
+func newGeositeMatcher(list *v2geo.GeoSite, attrs []string) (*geositeMatcher, error) {
+	domains := make([]geositeDomain, len(list.Domain))
+	for i, domain := range list.Domain {
+		switch domain.Type {
+		case v2geo.Domain_Plain:
+			domains[i] = geositeDomain{
+				Type:  geositeDomainPlain,
+				Value: domain.Value,
+				Attrs: domainAttributeToMap(domain.Attribute),
+			}
+		case v2geo.Domain_Regex:
+			regex, err := regexp.Compile(domain.Value)
+			if err != nil {
+				return nil, err
+			}
+			domains[i] = geositeDomain{
+				Type:  geositeDomainRegex,
+				Regex: regex,
+				Attrs: domainAttributeToMap(domain.Attribute),
+			}
+		case v2geo.Domain_Full:
+			domains[i] = geositeDomain{
+				Type:  geositeDomainFull,
+				Value: domain.Value,
+				Attrs: domainAttributeToMap(domain.Attribute),
+			}
+		case v2geo.Domain_RootDomain:
+			domains[i] = geositeDomain{
+				Type:  geositeDomainRoot,
+				Value: domain.Value,
+				Attrs: domainAttributeToMap(domain.Attribute),
+			}
+		default:
+			return nil, errors.New("unsupported domain type")
+		}
+	}
+	return &geositeMatcher{
+		Domains: domains,
+		Attrs:   attrs,
+	}, nil
+}
+
+func domainAttributeToMap(attrs []*v2geo.Domain_Attribute) map[string]bool {
+	m := make(map[string]bool)
+	for _, attr := range attrs {
+		// Supposedly there are also int attributes,
+		// but nobody seems to use them, so we treat everything as boolean for now.
+		m[attr.Key] = true
+	}
+	return m
+}
--- a/extras/outbounds/acl/matchers_v2geo_test.go
+++ b/extras/outbounds/acl/matchers_v2geo_test.go
@ -0,0 +1,141 @@
+package acl
+
+import (
+	"net"
+	"testing"
+
+	"github.com/apernet/hysteria/extras/outbounds/acl/v2geo"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_geoipMatcher_Match(t *testing.T) {
+	geoipMap, err := v2geo.LoadGeoIP("v2geo/geoip.dat")
+	assert.NoError(t, err)
+	m, err := newGeoIPMatcher(geoipMap["us"])
+	assert.NoError(t, err)
+
+	tests := []struct {
+		name string
+		host HostInfo
+		want bool
+	}{
+		{
+			name: "IPv4 match",
+			host: HostInfo{
+				IPv4: net.ParseIP("73.222.1.100"),
+			},
+			want: true,
+		},
+		{
+			name: "IPv4 no match",
+			host: HostInfo{
+				IPv4: net.ParseIP("123.123.123.123"),
+			},
+			want: false,
+		},
+		{
+			name: "IPv6 match",
+			host: HostInfo{
+				IPv6: net.ParseIP("2607:f8b0:4005:80c::2004"),
+			},
+			want: true,
+		},
+		{
+			name: "IPv6 no match",
+			host: HostInfo{
+				IPv6: net.ParseIP("240e:947:6001::1f8"),
+			},
+			want: false,
+		},
+		{
+			name: "both nil",
+			host: HostInfo{
+				IPv4: nil,
+				IPv6: nil,
+			},
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equalf(t, tt.want, m.Match(tt.host), "Match(%v)", tt.host)
+		})
+	}
+}
+
+func Test_geositeMatcher_Match(t *testing.T) {
+	geositeMap, err := v2geo.LoadGeoSite("v2geo/geosite.dat")
+	assert.NoError(t, err)
+	m, err := newGeositeMatcher(geositeMap["apple"], nil)
+	assert.NoError(t, err)
+
+	tests := []struct {
+		name  string
+		attrs []string
+		host  HostInfo
+		want  bool
+	}{
+		{
+			name:  "subdomain",
+			attrs: nil,
+			host: HostInfo{
+				Name: "poop.i-book.com",
+			},
+			want: true,
+		},
+		{
+			name:  "subdomain root",
+			attrs: nil,
+			host: HostInfo{
+				Name: "applepaycash.net",
+			},
+			want: true,
+		},
+		{
+			name:  "full",
+			attrs: nil,
+			host: HostInfo{
+				Name: "courier-push-apple.com.akadns.net",
+			},
+			want: true,
+		},
+		{
+			name:  "regexp",
+			attrs: nil,
+			host: HostInfo{
+				Name: "cdn4.apple-mapkit.com",
+			},
+			want: true,
+		},
+		{
+			name:  "attr match",
+			attrs: []string{"cn"},
+			host: HostInfo{
+				Name: "bag.itunes.apple.com",
+			},
+			want: true,
+		},
+		{
+			name:  "attr multi no match",
+			attrs: []string{"cn", "haha"},
+			host: HostInfo{
+				Name: "bag.itunes.apple.com",
+			},
+			want: false,
+		},
+		{
+			name:  "attr no match",
+			attrs: []string{"cn"},
+			host: HostInfo{
+				Name: "mr-apple.com.tw",
+			},
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			m.Attrs = tt.attrs
+			assert.Equalf(t, tt.want, m.Match(tt.host), "Match(%v)", tt.host)
+		})
+	}
+}
--- a/extras/outbounds/acl/v2geo/geoip.dat
+++ b/extras/outbounds/acl/v2geo/geoip.dat
--- a/extras/outbounds/acl/v2geo/geosite.dat
+++ b/extras/outbounds/acl/v2geo/geosite.dat
--- a/extras/outbounds/acl/v2geo/load.go
+++ b/extras/outbounds/acl/v2geo/load.go
@ -0,0 +1,44 @@
+package v2geo
+
+import (
+	"os"
+	"strings"
+
+	"google.golang.org/protobuf/proto"
+)
+
+// LoadGeoIP loads a GeoIP data file and converts it to a map.
+// The keys of the map (country codes) are all normalized to lowercase.
+func LoadGeoIP(filename string) (map[string]*GeoIP, error) {
+	bs, err := os.ReadFile(filename)
+	if err != nil {
+		return nil, err
+	}
+	var list GeoIPList
+	if err := proto.Unmarshal(bs, &list); err != nil {
+		return nil, err
+	}
+	m := make(map[string]*GeoIP)
+	for _, entry := range list.Entry {
+		m[strings.ToLower(entry.CountryCode)] = entry
+	}
+	return m, nil
+}
+
+// LoadGeoSite loads a GeoSite data file and converts it to a map.
+// The keys of the map (site keys) are all normalized to lowercase.
+func LoadGeoSite(filename string) (map[string]*GeoSite, error) {
+	bs, err := os.ReadFile(filename)
+	if err != nil {
+		return nil, err
+	}
+	var list GeoSiteList
+	if err := proto.Unmarshal(bs, &list); err != nil {
+		return nil, err
+	}
+	m := make(map[string]*GeoSite)
+	for _, entry := range list.Entry {
+		m[strings.ToLower(entry.CountryCode)] = entry
+	}
+	return m, nil
+}
--- a/extras/outbounds/acl/v2geo/load_test.go
+++ b/extras/outbounds/acl/v2geo/load_test.go
@ -0,0 +1,54 @@
+package v2geo
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestLoadGeoIP(t *testing.T) {
+	m, err := LoadGeoIP("geoip.dat")
+	assert.NoError(t, err)
+
+	// Exact checks since we know the data.
+	assert.Len(t, m, 252)
+	assert.Equal(t, m["cn"].CountryCode, "CN")
+	assert.Len(t, m["cn"].Cidr, 10407)
+	assert.Equal(t, m["us"].CountryCode, "US")
+	assert.Len(t, m["us"].Cidr, 193171)
+	assert.Equal(t, m["private"].CountryCode, "PRIVATE")
+	assert.Len(t, m["private"].Cidr, 18)
+	assert.Contains(t, m["private"].Cidr, &CIDR{
+		Ip:     []byte("\xc0\xa8\x00\x00"),
+		Prefix: 16,
+	})
+}
+
+func TestLoadGeoSite(t *testing.T) {
+	m, err := LoadGeoSite("geosite.dat")
+	assert.NoError(t, err)
+
+	// Exact checks since we know the data.
+	assert.Len(t, m, 1204)
+	assert.Equal(t, m["netflix"].CountryCode, "NETFLIX")
+	assert.Len(t, m["netflix"].Domain, 25)
+	assert.Contains(t, m["netflix"].Domain, &Domain{
+		Type:  Domain_Full,
+		Value: "netflix.com.edgesuite.net",
+	})
+	assert.Contains(t, m["netflix"].Domain, &Domain{
+		Type:  Domain_RootDomain,
+		Value: "fast.com",
+	})
+	assert.Len(t, m["google"].Domain, 1066)
+	assert.Contains(t, m["google"].Domain, &Domain{
+		Type:  Domain_RootDomain,
+		Value: "ggpht.cn",
+		Attribute: []*Domain_Attribute{
+			{
+				Key:        "cn",
+				TypedValue: &Domain_Attribute_BoolValue{BoolValue: true},
+			},
+		},
+	})
+}
--- a/extras/outbounds/acl/v2geo/v2geo.pb.go
+++ b/extras/outbounds/acl/v2geo/v2geo.pb.go
@ -0,0 +1,745 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.31.0
+// 	protoc        v4.24.4
+// source: v2geo.proto
+
+package v2geo
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// Type of domain value.
+type Domain_Type int32
+
+const (
+	// The value is used as is.
+	Domain_Plain Domain_Type = 0
+	// The value is used as a regular expression.
+	Domain_Regex Domain_Type = 1
+	// The value is a root domain.
+	Domain_RootDomain Domain_Type = 2
+	// The value is a domain.
+	Domain_Full Domain_Type = 3
+)
+
+// Enum value maps for Domain_Type.
+var (
+	Domain_Type_name = map[int32]string{
+		0: "Plain",
+		1: "Regex",
+		2: "RootDomain",
+		3: "Full",
+	}
+	Domain_Type_value = map[string]int32{
+		"Plain":      0,
+		"Regex":      1,
+		"RootDomain": 2,
+		"Full":       3,
+	}
+)
+
+func (x Domain_Type) Enum() *Domain_Type {
+	p := new(Domain_Type)
+	*p = x
+	return p
+}
+
+func (x Domain_Type) String() string {
+	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (Domain_Type) Descriptor() protoreflect.EnumDescriptor {
+	return file_v2geo_proto_enumTypes[0].Descriptor()
+}
+
+func (Domain_Type) Type() protoreflect.EnumType {
+	return &file_v2geo_proto_enumTypes[0]
+}
+
+func (x Domain_Type) Number() protoreflect.EnumNumber {
+	return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use Domain_Type.Descriptor instead.
+func (Domain_Type) EnumDescriptor() ([]byte, []int) {
+	return file_v2geo_proto_rawDescGZIP(), []int{0, 0}
+}
+
+// Domain for routing decision.
+type Domain struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// Domain matching type.
+	Type Domain_Type `protobuf:"varint,1,opt,name=type,proto3,enum=Domain_Type" json:"type,omitempty"`
+	// Domain value.
+	Value string `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"`
+	// Attributes of this domain. May be used for filtering.
+	Attribute []*Domain_Attribute `protobuf:"bytes,3,rep,name=attribute,proto3" json:"attribute,omitempty"`
+}
+
+func (x *Domain) Reset() {
+	*x = Domain{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_v2geo_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Domain) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Domain) ProtoMessage() {}
+
+func (x *Domain) ProtoReflect() protoreflect.Message {
+	mi := &file_v2geo_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Domain.ProtoReflect.Descriptor instead.
+func (*Domain) Descriptor() ([]byte, []int) {
+	return file_v2geo_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *Domain) GetType() Domain_Type {
+	if x != nil {
+		return x.Type
+	}
+	return Domain_Plain
+}
+
+func (x *Domain) GetValue() string {
+	if x != nil {
+		return x.Value
+	}
+	return ""
+}
+
+func (x *Domain) GetAttribute() []*Domain_Attribute {
+	if x != nil {
+		return x.Attribute
+	}
+	return nil
+}
+
+// IP for routing decision, in CIDR form.
+type CIDR struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// IP address, should be either 4 or 16 bytes.
+	Ip []byte `protobuf:"bytes,1,opt,name=ip,proto3" json:"ip,omitempty"`
+	// Number of leading ones in the network mask.
+	Prefix uint32 `protobuf:"varint,2,opt,name=prefix,proto3" json:"prefix,omitempty"`
+}
+
+func (x *CIDR) Reset() {
+	*x = CIDR{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_v2geo_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *CIDR) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*CIDR) ProtoMessage() {}
+
+func (x *CIDR) ProtoReflect() protoreflect.Message {
+	mi := &file_v2geo_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use CIDR.ProtoReflect.Descriptor instead.
+func (*CIDR) Descriptor() ([]byte, []int) {
+	return file_v2geo_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *CIDR) GetIp() []byte {
+	if x != nil {
+		return x.Ip
+	}
+	return nil
+}
+
+func (x *CIDR) GetPrefix() uint32 {
+	if x != nil {
+		return x.Prefix
+	}
+	return 0
+}
+
+type GeoIP struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	CountryCode  string  `protobuf:"bytes,1,opt,name=country_code,json=countryCode,proto3" json:"country_code,omitempty"`
+	Cidr         []*CIDR `protobuf:"bytes,2,rep,name=cidr,proto3" json:"cidr,omitempty"`
+	InverseMatch bool    `protobuf:"varint,3,opt,name=inverse_match,json=inverseMatch,proto3" json:"inverse_match,omitempty"`
+	// resource_hash instruct simplified config converter to load domain from geo file.
+	ResourceHash []byte `protobuf:"bytes,4,opt,name=resource_hash,json=resourceHash,proto3" json:"resource_hash,omitempty"`
+	Code         string `protobuf:"bytes,5,opt,name=code,proto3" json:"code,omitempty"`
+}
+
+func (x *GeoIP) Reset() {
+	*x = GeoIP{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_v2geo_proto_msgTypes[2]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GeoIP) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GeoIP) ProtoMessage() {}
+
+func (x *GeoIP) ProtoReflect() protoreflect.Message {
+	mi := &file_v2geo_proto_msgTypes[2]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GeoIP.ProtoReflect.Descriptor instead.
+func (*GeoIP) Descriptor() ([]byte, []int) {
+	return file_v2geo_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *GeoIP) GetCountryCode() string {
+	if x != nil {
+		return x.CountryCode
+	}
+	return ""
+}
+
+func (x *GeoIP) GetCidr() []*CIDR {
+	if x != nil {
+		return x.Cidr
+	}
+	return nil
+}
+
+func (x *GeoIP) GetInverseMatch() bool {
+	if x != nil {
+		return x.InverseMatch
+	}
+	return false
+}
+
+func (x *GeoIP) GetResourceHash() []byte {
+	if x != nil {
+		return x.ResourceHash
+	}
+	return nil
+}
+
+func (x *GeoIP) GetCode() string {
+	if x != nil {
+		return x.Code
+	}
+	return ""
+}
+
+type GeoIPList struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Entry []*GeoIP `protobuf:"bytes,1,rep,name=entry,proto3" json:"entry,omitempty"`
+}
+
+func (x *GeoIPList) Reset() {
+	*x = GeoIPList{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_v2geo_proto_msgTypes[3]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GeoIPList) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GeoIPList) ProtoMessage() {}
+
+func (x *GeoIPList) ProtoReflect() protoreflect.Message {
+	mi := &file_v2geo_proto_msgTypes[3]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GeoIPList.ProtoReflect.Descriptor instead.
+func (*GeoIPList) Descriptor() ([]byte, []int) {
+	return file_v2geo_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *GeoIPList) GetEntry() []*GeoIP {
+	if x != nil {
+		return x.Entry
+	}
+	return nil
+}
+
+type GeoSite struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	CountryCode string    `protobuf:"bytes,1,opt,name=country_code,json=countryCode,proto3" json:"country_code,omitempty"`
+	Domain      []*Domain `protobuf:"bytes,2,rep,name=domain,proto3" json:"domain,omitempty"`
+	// resource_hash instruct simplified config converter to load domain from geo file.
+	ResourceHash []byte `protobuf:"bytes,3,opt,name=resource_hash,json=resourceHash,proto3" json:"resource_hash,omitempty"`
+	Code         string `protobuf:"bytes,4,opt,name=code,proto3" json:"code,omitempty"`
+}
+
+func (x *GeoSite) Reset() {
+	*x = GeoSite{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_v2geo_proto_msgTypes[4]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GeoSite) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GeoSite) ProtoMessage() {}
+
+func (x *GeoSite) ProtoReflect() protoreflect.Message {
+	mi := &file_v2geo_proto_msgTypes[4]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GeoSite.ProtoReflect.Descriptor instead.
+func (*GeoSite) Descriptor() ([]byte, []int) {
+	return file_v2geo_proto_rawDescGZIP(), []int{4}
+}
+
+func (x *GeoSite) GetCountryCode() string {
+	if x != nil {
+		return x.CountryCode
+	}
+	return ""
+}
+
+func (x *GeoSite) GetDomain() []*Domain {
+	if x != nil {
+		return x.Domain
+	}
+	return nil
+}
+
+func (x *GeoSite) GetResourceHash() []byte {
+	if x != nil {
+		return x.ResourceHash
+	}
+	return nil
+}
+
+func (x *GeoSite) GetCode() string {
+	if x != nil {
+		return x.Code
+	}
+	return ""
+}
+
+type GeoSiteList struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Entry []*GeoSite `protobuf:"bytes,1,rep,name=entry,proto3" json:"entry,omitempty"`
+}
+
+func (x *GeoSiteList) Reset() {
+	*x = GeoSiteList{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_v2geo_proto_msgTypes[5]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GeoSiteList) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GeoSiteList) ProtoMessage() {}
+
+func (x *GeoSiteList) ProtoReflect() protoreflect.Message {
+	mi := &file_v2geo_proto_msgTypes[5]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GeoSiteList.ProtoReflect.Descriptor instead.
+func (*GeoSiteList) Descriptor() ([]byte, []int) {
+	return file_v2geo_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *GeoSiteList) GetEntry() []*GeoSite {
+	if x != nil {
+		return x.Entry
+	}
+	return nil
+}
+
+type Domain_Attribute struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
+	// Types that are assignable to TypedValue:
+	//
+	//	*Domain_Attribute_BoolValue
+	//	*Domain_Attribute_IntValue
+	TypedValue isDomain_Attribute_TypedValue `protobuf_oneof:"typed_value"`
+}
+
+func (x *Domain_Attribute) Reset() {
+	*x = Domain_Attribute{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_v2geo_proto_msgTypes[6]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Domain_Attribute) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Domain_Attribute) ProtoMessage() {}
+
+func (x *Domain_Attribute) ProtoReflect() protoreflect.Message {
+	mi := &file_v2geo_proto_msgTypes[6]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Domain_Attribute.ProtoReflect.Descriptor instead.
+func (*Domain_Attribute) Descriptor() ([]byte, []int) {
+	return file_v2geo_proto_rawDescGZIP(), []int{0, 0}
+}
+
+func (x *Domain_Attribute) GetKey() string {
+	if x != nil {
+		return x.Key
+	}
+	return ""
+}
+
+func (m *Domain_Attribute) GetTypedValue() isDomain_Attribute_TypedValue {
+	if m != nil {
+		return m.TypedValue
+	}
+	return nil
+}
+
+func (x *Domain_Attribute) GetBoolValue() bool {
+	if x, ok := x.GetTypedValue().(*Domain_Attribute_BoolValue); ok {
+		return x.BoolValue
+	}
+	return false
+}
+
+func (x *Domain_Attribute) GetIntValue() int64 {
+	if x, ok := x.GetTypedValue().(*Domain_Attribute_IntValue); ok {
+		return x.IntValue
+	}
+	return 0
+}
+
+type isDomain_Attribute_TypedValue interface {
+	isDomain_Attribute_TypedValue()
+}
+
+type Domain_Attribute_BoolValue struct {
+	BoolValue bool `protobuf:"varint,2,opt,name=bool_value,json=boolValue,proto3,oneof"`
+}
+
+type Domain_Attribute_IntValue struct {
+	IntValue int64 `protobuf:"varint,3,opt,name=int_value,json=intValue,proto3,oneof"`
+}
+
+func (*Domain_Attribute_BoolValue) isDomain_Attribute_TypedValue() {}
+
+func (*Domain_Attribute_IntValue) isDomain_Attribute_TypedValue() {}
+
+var File_v2geo_proto protoreflect.FileDescriptor
+
+var file_v2geo_proto_rawDesc = []byte{
+	0x0a, 0x0b, 0x76, 0x32, 0x67, 0x65, 0x6f, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x97, 0x02,
+	0x0a, 0x06, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x20, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x0c, 0x2e, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x2e,
+	0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61,
+	0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65,
+	0x12, 0x2f, 0x0a, 0x09, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x18, 0x03, 0x20,
+	0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x2e, 0x41, 0x74, 0x74,
+	0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x52, 0x09, 0x61, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74,
+	0x65, 0x1a, 0x6c, 0x0a, 0x09, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x12, 0x10,
+	0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79,
+	0x12, 0x1f, 0x0a, 0x0a, 0x62, 0x6f, 0x6f, 0x6c, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02,
+	0x20, 0x01, 0x28, 0x08, 0x48, 0x00, 0x52, 0x09, 0x62, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75,
+	0x65, 0x12, 0x1d, 0x0a, 0x09, 0x69, 0x6e, 0x74, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x03,
+	0x20, 0x01, 0x28, 0x03, 0x48, 0x00, 0x52, 0x08, 0x69, 0x6e, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65,
+	0x42, 0x0d, 0x0a, 0x0b, 0x74, 0x79, 0x70, 0x65, 0x64, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22,
+	0x36, 0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x09, 0x0a, 0x05, 0x50, 0x6c, 0x61, 0x69, 0x6e,
+	0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x52, 0x65, 0x67, 0x65, 0x78, 0x10, 0x01, 0x12, 0x0e, 0x0a,
+	0x0a, 0x52, 0x6f, 0x6f, 0x74, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x10, 0x02, 0x12, 0x08, 0x0a,
+	0x04, 0x46, 0x75, 0x6c, 0x6c, 0x10, 0x03, 0x22, 0x2e, 0x0a, 0x04, 0x43, 0x49, 0x44, 0x52, 0x12,
+	0x0e, 0x0a, 0x02, 0x69, 0x70, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x02, 0x69, 0x70, 0x12,
+	0x16, 0x0a, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d, 0x52,
+	0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x22, 0xa3, 0x01, 0x0a, 0x05, 0x47, 0x65, 0x6f, 0x49,
+	0x50, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x72, 0x79, 0x5f, 0x63, 0x6f, 0x64,
+	0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x72, 0x79,
+	0x43, 0x6f, 0x64, 0x65, 0x12, 0x19, 0x0a, 0x04, 0x63, 0x69, 0x64, 0x72, 0x18, 0x02, 0x20, 0x03,
+	0x28, 0x0b, 0x32, 0x05, 0x2e, 0x43, 0x49, 0x44, 0x52, 0x52, 0x04, 0x63, 0x69, 0x64, 0x72, 0x12,
+	0x23, 0x0a, 0x0d, 0x69, 0x6e, 0x76, 0x65, 0x72, 0x73, 0x65, 0x5f, 0x6d, 0x61, 0x74, 0x63, 0x68,
+	0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0c, 0x69, 0x6e, 0x76, 0x65, 0x72, 0x73, 0x65, 0x4d,
+	0x61, 0x74, 0x63, 0x68, 0x12, 0x23, 0x0a, 0x0d, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65,
+	0x5f, 0x68, 0x61, 0x73, 0x68, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0c, 0x72, 0x65, 0x73,
+	0x6f, 0x75, 0x72, 0x63, 0x65, 0x48, 0x61, 0x73, 0x68, 0x12, 0x12, 0x0a, 0x04, 0x63, 0x6f, 0x64,
+	0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x63, 0x6f, 0x64, 0x65, 0x22, 0x29, 0x0a,
+	0x09, 0x47, 0x65, 0x6f, 0x49, 0x50, 0x4c, 0x69, 0x73, 0x74, 0x12, 0x1c, 0x0a, 0x05, 0x65, 0x6e,
+	0x74, 0x72, 0x79, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x06, 0x2e, 0x47, 0x65, 0x6f, 0x49,
+	0x50, 0x52, 0x05, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x22, 0x86, 0x01, 0x0a, 0x07, 0x47, 0x65, 0x6f,
+	0x53, 0x69, 0x74, 0x65, 0x12, 0x21, 0x0a, 0x0c, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x72, 0x79, 0x5f,
+	0x63, 0x6f, 0x64, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x6f, 0x75, 0x6e,
+	0x74, 0x72, 0x79, 0x43, 0x6f, 0x64, 0x65, 0x12, 0x1f, 0x0a, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69,
+	0x6e, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x07, 0x2e, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e,
+	0x52, 0x06, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x23, 0x0a, 0x0d, 0x72, 0x65, 0x73, 0x6f,
+	0x75, 0x72, 0x63, 0x65, 0x5f, 0x68, 0x61, 0x73, 0x68, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0c, 0x52,
+	0x0c, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x48, 0x61, 0x73, 0x68, 0x12, 0x12, 0x0a,
+	0x04, 0x63, 0x6f, 0x64, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x63, 0x6f, 0x64,
+	0x65, 0x22, 0x2d, 0x0a, 0x0b, 0x47, 0x65, 0x6f, 0x53, 0x69, 0x74, 0x65, 0x4c, 0x69, 0x73, 0x74,
+	0x12, 0x1e, 0x0a, 0x05, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32,
+	0x08, 0x2e, 0x47, 0x65, 0x6f, 0x53, 0x69, 0x74, 0x65, 0x52, 0x05, 0x65, 0x6e, 0x74, 0x72, 0x79,
+	0x42, 0x09, 0x5a, 0x07, 0x2e, 0x2f, 0x76, 0x32, 0x67, 0x65, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f,
+	0x74, 0x6f, 0x33,
+}
+
+var (
+	file_v2geo_proto_rawDescOnce sync.Once
+	file_v2geo_proto_rawDescData = file_v2geo_proto_rawDesc
+)
+
+func file_v2geo_proto_rawDescGZIP() []byte {
+	file_v2geo_proto_rawDescOnce.Do(func() {
+		file_v2geo_proto_rawDescData = protoimpl.X.CompressGZIP(file_v2geo_proto_rawDescData)
+	})
+	return file_v2geo_proto_rawDescData
+}
+
+var file_v2geo_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
+var file_v2geo_proto_msgTypes = make([]protoimpl.MessageInfo, 7)
+var file_v2geo_proto_goTypes = []interface{}{
+	(Domain_Type)(0),         // 0: Domain.Type
+	(*Domain)(nil),           // 1: Domain
+	(*CIDR)(nil),             // 2: CIDR
+	(*GeoIP)(nil),            // 3: GeoIP
+	(*GeoIPList)(nil),        // 4: GeoIPList
+	(*GeoSite)(nil),          // 5: GeoSite
+	(*GeoSiteList)(nil),      // 6: GeoSiteList
+	(*Domain_Attribute)(nil), // 7: Domain.Attribute
+}
+var file_v2geo_proto_depIdxs = []int32{
+	0, // 0: Domain.type:type_name -> Domain.Type
+	7, // 1: Domain.attribute:type_name -> Domain.Attribute
+	2, // 2: GeoIP.cidr:type_name -> CIDR
+	3, // 3: GeoIPList.entry:type_name -> GeoIP
+	1, // 4: GeoSite.domain:type_name -> Domain
+	5, // 5: GeoSiteList.entry:type_name -> GeoSite
+	6, // [6:6] is the sub-list for method output_type
+	6, // [6:6] is the sub-list for method input_type
+	6, // [6:6] is the sub-list for extension type_name
+	6, // [6:6] is the sub-list for extension extendee
+	0, // [0:6] is the sub-list for field type_name
+}
+
+func init() { file_v2geo_proto_init() }
+func file_v2geo_proto_init() {
+	if File_v2geo_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_v2geo_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Domain); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_v2geo_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*CIDR); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_v2geo_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GeoIP); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_v2geo_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GeoIPList); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_v2geo_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GeoSite); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_v2geo_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GeoSiteList); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_v2geo_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Domain_Attribute); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	file_v2geo_proto_msgTypes[6].OneofWrappers = []interface{}{
+		(*Domain_Attribute_BoolValue)(nil),
+		(*Domain_Attribute_IntValue)(nil),
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_v2geo_proto_rawDesc,
+			NumEnums:      1,
+			NumMessages:   7,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_v2geo_proto_goTypes,
+		DependencyIndexes: file_v2geo_proto_depIdxs,
+		EnumInfos:         file_v2geo_proto_enumTypes,
+		MessageInfos:      file_v2geo_proto_msgTypes,
+	}.Build()
+	File_v2geo_proto = out.File
+	file_v2geo_proto_rawDesc = nil
+	file_v2geo_proto_goTypes = nil
+	file_v2geo_proto_depIdxs = nil
+}
--- a/extras/outbounds/acl/v2geo/v2geo.proto
+++ b/extras/outbounds/acl/v2geo/v2geo.proto
@ -0,0 +1,76 @@
+syntax = "proto3";
+
+option go_package = "./v2geo";
+
+// This file is copied from
+// https://github.com/v2fly/v2ray-core/blob/master/app/router/routercommon/common.proto
+// with some modifications.
+
+// Domain for routing decision.
+message Domain {
+  // Type of domain value.
+  enum Type {
+    // The value is used as is.
+    Plain = 0;
+    // The value is used as a regular expression.
+    Regex = 1;
+    // The value is a root domain.
+    RootDomain = 2;
+    // The value is a domain.
+    Full = 3;
+  }
+
+  // Domain matching type.
+  Type type = 1;
+
+  // Domain value.
+  string value = 2;
+
+  message Attribute {
+    string key = 1;
+
+    oneof typed_value {
+      bool bool_value = 2;
+      int64 int_value = 3;
+    }
+  }
+
+  // Attributes of this domain. May be used for filtering.
+  repeated Attribute attribute = 3;
+}
+
+// IP for routing decision, in CIDR form.
+message CIDR {
+  // IP address, should be either 4 or 16 bytes.
+  bytes ip = 1;
+
+  // Number of leading ones in the network mask.
+  uint32 prefix = 2;
+}
+
+message GeoIP {
+  string country_code = 1;
+  repeated CIDR cidr = 2;
+  bool inverse_match = 3;
+
+  // resource_hash instruct simplified config converter to load domain from geo file.
+  bytes resource_hash = 4;
+  string code = 5;
+}
+
+message GeoIPList {
+  repeated GeoIP entry = 1;
+}
+
+message GeoSite {
+  string country_code = 1;
+  repeated Domain domain = 2;
+
+  // resource_hash instruct simplified config converter to load domain from geo file.
+  bytes resource_hash = 3;
+  string code = 4;
+}
+
+message GeoSiteList {
+  repeated GeoSite entry = 1;
+}
--- a/extras/trafficlogger/http.go
+++ b/extras/trafficlogger/http.go
@ -24,10 +24,11 @@ type TrafficStatsServer interface {
 	http.Handler
 }

-func NewTrafficStatsServer() TrafficStatsServer {
+func NewTrafficStatsServer(secret string) TrafficStatsServer {
 	return &trafficStatsServerImpl{
 		StatsMap: make(map[string]*trafficStatsEntry),
 		KickMap:  make(map[string]struct{}),
+		Secret:   secret,
 	}
 }

@ -98,6 +99,7 @@ type trafficStatsServerImpl struct {
 	Mutex    sync.RWMutex
 	StatsMap map[string]*trafficStatsEntry
 	KickMap  map[string]struct{}
+	Secret   string
 }

 type trafficStatsEntry struct {
@ -127,6 +129,10 @@ func (s *trafficStatsServerImpl) Log(id string, tx, rx uint64) (ok bool) {
 }

 func (s *trafficStatsServerImpl) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if s.Secret != "" && r.Header.Get("Authorization") != s.Secret {
+		http.Error(w, "unauthorized", http.StatusUnauthorized)
+		return
+	}
 	if r.Method == http.MethodGet && r.URL.Path == "/" {
 		_, _ = w.Write([]byte(indexHTML))
 		return
--- a/hyperbole.py
+++ b/hyperbole.py
@ -217,13 +217,13 @@ def cmd_build(pprof=False, release=False, race=False):
                + "/toolchains/llvm/prebuilt/linux-x86_64/bin"
            )
            if arch == "arm64":
-                env["CC"] = ANDROID_NDK_HOME + "/aarch64-linux-android33-clang"
+                env["CC"] = ANDROID_NDK_HOME + "/aarch64-linux-android29-clang"
            elif arch == "armv7":
-                env["CC"] = ANDROID_NDK_HOME + "/armv7a-linux-androideabi33-clang"
+                env["CC"] = ANDROID_NDK_HOME + "/armv7a-linux-androideabi29-clang"
            elif arch == "386":
-                env["CC"] = ANDROID_NDK_HOME + "/i686-linux-android33-clang"
+                env["CC"] = ANDROID_NDK_HOME + "/i686-linux-android29-clang"
            elif arch == "amd64":
-                env["CC"] = ANDROID_NDK_HOME + "/x86_64-linux-android33-clang"
+                env["CC"] = ANDROID_NDK_HOME + "/x86_64-linux-android29-clang"
            else:
                print("Unsupported arch for android: %s" % arch)
                return
@ -257,7 +257,7 @@ def cmd_build(pprof=False, release=False, race=False):
            subprocess.check_call(cmd, env=env)
        except Exception:
            print("Failed to build for %s/%s" % (os_name, arch))
-            return
+            sys.exit(1)

        print("Built %s" % out_name)

@ -331,6 +331,27 @@ def cmd_mockgen():
                print("Failed to generate mocks for %s" % dirpath)


+def cmd_protogen():
+    if not check_command(["protoc", "--version"]):
+        print("protoc is not installed. Please install protoc and try again.")
+        return
+
+    for dirpath, dirnames, filenames in os.walk("."):
+        dirnames[:] = [d for d in dirnames if not d.startswith(".")]
+        proto_files = [f for f in filenames if f.endswith(".proto")]
+
+        if len(proto_files) > 0:
+            for proto_file in proto_files:
+                print("Generating protobuf for %s..." % proto_file)
+                try:
+                    subprocess.check_call(
+                        ["protoc", "--go_out=paths=source_relative:.", proto_file],
+                        cwd=dirpath,
+                    )
+                except Exception:
+                    print("Failed to generate protobuf for %s" % proto_file)
+
+
 def cmd_tidy():
    if not check_build_env():
        return
@ -442,6 +463,9 @@ def main():
    # Mockgen
    p_cmd.add_parser("mockgen", help="Generate mock interfaces")

+    # Protogen
+    p_cmd.add_parser("protogen", help="Generate protobuf interfaces")
+
    # Tidy
    p_cmd.add_parser("tidy", help="Tidy the go modules")

@ -471,6 +495,8 @@ def main():
        cmd_format()
    elif args.command == "mockgen":
        cmd_mockgen()
+    elif args.command == "protogen":
+        cmd_protogen()
    elif args.command == "tidy":
        cmd_tidy()
    elif args.command == "test":