update from upstream

.github/workflows/lint.yml

@@ -17,7 +17,7 @@ jobs:
         with:
           go-version: ^1.22
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v5
+        uses: golangci/golangci-lint-action@v6
         with:
           version: latest
           args: --timeout=30m

adapter/router.go

@@ -86,7 +86,7 @@ type DNSRule interface {
 	Rule
 	DisableCache() bool
 	RewriteTTL() *uint32
-	ClientSubnet() *netip.Addr
+	ClientSubnet() *netip.Prefix
 	WithAddressLimit() bool
 	MatchAddressLimit(metadata *InboundContext) bool
 }

docs/changelog.md

@@ -2,6 +2,23 @@
 icon: material/alert-decagram
 ---
 
+#### 1.9.0-rc.18
+
+* Add custom prefix support in EDNS0 client subnet options
+* Fix hysteria2 crash
+* Fix `store_rdrc` corrupted
+* Update quic-go to v0.43.1
+* Fixes and improvements
+
+#### 1.9.0-rc.16
+
+* Mitigating TunnelVision attacks **1**
+* Fixes and improvements
+
+**1**:
+
+See [TunnelVision](/manual/misc/tunnelvision).
+
 #### 1.9.0-rc.15
 
 * Fixes and improvements

docs/configuration/dns/index.md

@@ -73,6 +73,8 @@ problematic in environments such as macOS, where DNS is proxied and cached by th
 
 !!! question "Since sing-box 1.9.0"
 
-Append a `edns0-subnet` OPT extra record with the specified IP address to every query by default.
+Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
+
+If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
 
 Can be overrides by `servers.[].client_subnet` or `rules.[].client_subnet`.

docs/configuration/dns/index.zh.md

@@ -71,8 +71,10 @@ icon: material/new-box
 
 !!! question "自 sing-box 1.9.0 起"
 
-默认情况下，将带有指定 IP 地址的 `edns0-subnet` OPT 附加记录附加到每个查询。
-
+默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
+
+如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
+
 可以被 `servers.[].client_subnet` 或 `rules.[].client_subnet` 覆盖。
 
 #### fakeip

docs/configuration/dns/rule.md

@@ -125,7 +125,7 @@ icon: material/new-box
         "server": "local",
         "disable_cache": false,
         "rewrite_ttl": 100,
-        "client_subnet": "127.0.0.1"
+        "client_subnet": "127.0.0.1/24"
       },
       {
         "type": "logical",
@@ -134,7 +134,7 @@ icon: material/new-box
         "server": "local",
         "disable_cache": false,
         "rewrite_ttl": 100,
-        "client_subnet": "127.0.0.1"
+        "client_subnet": "127.0.0.1/24"
       }
     ]
   }
@@ -339,7 +339,9 @@ Rewrite TTL in DNS responses.
 
 !!! question "Since sing-box 1.9.0"
 
-Append a `edns0-subnet` OPT extra record with the specified IP address to every query by default.
+Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
+
+If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
 
 Will overrides `dns.client_subnet` and `servers.[].client_subnet`.
 

docs/configuration/dns/rule.zh.md

@@ -124,15 +124,15 @@ icon: material/new-box
         ],
         "server": "local",
         "disable_cache": false,
-        "client_subnet": "127.0.0.1"
+        "client_subnet": "127.0.0.1/24"
       },
       {
         "type": "logical",
         "mode": "and",
         "rules": [],
         "server": "local",
         "disable_cache": false,
-        "client_subnet": "127.0.0.1"
+        "client_subnet": "127.0.0.1/24"
       }
     ]
   }
@@ -337,7 +337,9 @@ DNS 查询类型。值可以为整数或者类型名称字符串。
 
 !!! question "自 sing-box 1.9.0 起"
 
-默认情况下，将带有指定 IP 地址的 `edns0-subnet` OPT 附加记录附加到每个查询。
+默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
+
+如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
 
 将覆盖 `dns.client_subnet` 与 `servers.[].client_subnet`。
 

docs/configuration/dns/server.md

@@ -100,7 +100,9 @@ Default outbound will be used if empty.
 
 !!! question "Since sing-box 1.9.0"
 
-Append a `edns0-subnet` OPT extra record with the specified IP address to every query by default.
+Append a `edns0-subnet` OPT extra record with the specified IP prefix to every query by default.
+
+If value is an IP address instead of prefix, `/32` or `/128` will be appended automatically.
 
 Can be overrides by `rules.[].client_subnet`.
 

docs/configuration/dns/server.zh.md

@@ -100,7 +100,9 @@ DNS 服务器的地址。
 
 !!! question "自 sing-box 1.9.0 起"
 
-默认情况下，将带有指定 IP 地址的 `edns0-subnet` OPT 附加记录附加到每个查询。
+默认情况下，将带有指定 IP 前缀的 `edns0-subnet` OPT 附加记录附加到每个查询。
+
+如果值是 IP 地址而不是前缀，则会自动附加 `/32` 或 `/128`。
 
 可以被 `rules.[].client_subnet` 覆盖。
 

docs/manual/misc/tunnelvision.md

@@ -0,0 +1,38 @@
+---
+icon: material/book-lock-open
+---
+
+# TunnelVision
+
+TunnelVision is an attack that uses DHCP option 121 to set higher priority routes
+so that traffic does not go through the VPN.
+
+Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3661
+
+## Status
+
+### Android
+
+Android does not handle DHCP option 121 and is not affected.
+
+### Apple platforms
+
+Update [sing-box graphical client](/clients/apple/#download) to `1.9.0-rc.16` or newer,
+then enable `includeAllNetworks` in `Settings` — `Packet Tunnel` and you will be unaffected.
+
+Note: when `includeAllNetworks` is enabled, the default TUN stack is changed to `gvisor`,
+and the `system` and `mixed` stacks are not available.
+
+### Linux
+
+Update sing-box to `1.9.0-rc.16` or newer, rules generated by `auto-route` are unaffected.
+
+### Windows
+
+No solution yet.
+
+## Workarounds
+
+* Don't connect to untrusted networks
+* Relay untrusted network through another device
+* Just ignore it