
Premium 2023.08.17

@Dreamacro Dreamacro released this 08 May 13:50
· 511 commits to master since this release

S3 Storage (Long-term availability not guaranteed)




  • fix return bind interface error correctly @Kr328
  • fix udp inbound goroutine leak
  • when the dns field is not set to ipv6, the global ipv6: true will affect the dns field.


  • upgrade to v1.17.0
  • all interval and tolerance support human-friendly config (30s 1h 10m30s etc.)
  • use eBPF to find the process name with kernel support, which is an order of magnitude faster than normal means, but it uses more memory @Kr328
  • fix script and expr classical match
  • make TUN faster in multi CPU core (> 2)
  • should not add default route with gateway if not an ethernet @Kr328
  • detect Windows default interface by syscall @Kr328


  • upgrade to 289025c
  • fix rule match logic, recommend upgrade


  • upgrade to 1.16.0
  • add expr script engine, 10x~20x faster than starlark (detail on
script:
  engine: expr
  shortcuts:
    bilibilishit: "any(['biliapi', 'bilibili'], host contains #) and any(['-live-tracker-', 'p2p', 'pcdn'], host contains #)"
    douyushit: (network == 'udp' or host contains 'p2p') and host contains 'douyu'
    quic: network == 'udp' and dst_port == 443
    tailscale: network == 'udp' and dst_port == 12345
  • add new nestable "rule groups": the `if` field uses the same syntax as shortcuts, and if none of the sub-rules match, matching continues with the next rule.
rules:
  - if: network == 'tcp'
    name: TCP
    # engine: expr # the default engine is `expr`, `starlark` is also valid
    rules:
      - if: dst_port == 443
        name: HTTPS
        rules:
          - MATCH,DIRECT
  • fix ipv6 dns server hosts query timeout
  • add in_ipset for script and shortcut
  • old Linux kernel should be without zerocopy @Kr328
  • fix auto-route issue for #2720 @Kr328

History Release Note

2023.04.16

  • for security reasons, the `path` of any provider with `type: http` cannot point outside the clash config path (`~/.config/clash` by default) #2680


  • upgrade to 1.15.0
  • reduce domain provider memory allocation at parsing time by 50% ~ 75%
  • all rule providers support format: text, one item per line, with # or // for comments. For security reasons, path can only be used under clash $HOMEDIR when format: text
# comment
// domain
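
The path restriction in the 2023.04.16 note and in the `format: text` note above comes down to a containment check on the resolved provider path. The following is an added example, not clash's own code: `ResolveProviderPath`, `ErrOutsideHome` and the sample directory and paths are hypothetical names and constructed values.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideHome marks a provider path that escapes the config directory.
var ErrOutsideHome = errors.New("provider path is outside the config directory")

// ResolveProviderPath (hypothetical helper, not clash's API) resolves a
// provider `path` against homeDir and rejects results outside homeDir.
// The check is lexical; symlinks inside homeDir are not followed here.
func ResolveProviderPath(homeDir, p string) (string, error) {
	home, err := filepath.Abs(homeDir)
	if err != nil {
		return "", err
	}
	full := p
	if !filepath.IsAbs(full) {
		full = filepath.Join(home, full)
	}
	// Rel cleans both sides, so "a/../../b" and sibling directories such as
	// "<home>-other" come back starting with "..", unlike a HasPrefix test.
	rel, err := filepath.Rel(home, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrOutsideHome, p)
	}
	return filepath.Join(home, rel), nil
}

func main() {
	home := "/home/user/.config/clash" // constructed sample directory
	// Constructed sample `path` values for http providers.
	for _, p := range []string{"./rules/ads.txt", "..data/list.txt",
		"rules/../../outside.yaml", "/tmp/outside.yaml", home + "-other/x.yaml"} {
		full, err := ResolveProviderPath(home, p)
		fmt.Printf("%-40q -> %q, err=%v\n", p, full, err)
	}
}
```

For paths that already exist on disk, running `filepath.EvalSymlinks` on both sides before the comparison closes the symlink gap that a purely lexical check leaves open.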


  • upgrade to 1.14.0
  • improve Linux TCP upload throughput @Kr328
  • fix auto-detect-interface TUN loopback on Windows in some cases @Kr328


  • fix the problem of traffic statistics


  • upgrade to f78a7cb
  • refactor system stack udp, reduces CPU usage and improves throughput @Kr328
  • fix a fakeip udp bug, and you can try removing some of the fake-ip-filter lists for the game
  • add tcp zero-copy support on linux, single-threaded tcp throughput would be better now @Kr328
  • add pprof option for debugging clash. It is under external-controller (also protected by secret). When external-controller is The pprof path is The default value is false


  • upgrade to 8173d66
  • since redir-host brings a lot of misunderstandings and problems (some of which are even hard to find), I decided to remove it. It is only used in the fake-ip-filter for a few domain name mappings. I know that it can be bypassed and "recovered" in fake-ip mode. If fake-ip-filter finds that it has been abused, I will delete the domain mapping mode completely.
  • auto-detect-interface now would follow the routing table instead of just selecting the default NIC. This will improve the situation where clash and vpn coexist.
  • add remote-dns-resolve on wireguard, default value is true.
  • increase TUN CPU utilization on the Linux system stack. On an i5-8259U Debian testing 4-core VM on PVE, running with iperf3 -c -P 4 (ensure it resolves to a fakeip), throughput increased from 5.x Gbps to 10 Gbps, almost ~2x ⚡️. But auto-redir is still the true God with 37 Gbps 😭.


  • upgrade to 1.13.0
    • DNS API with additional Server field for debug source
  • resolve_process_path should not throw error
  • block ipv6 to clash for auto-route @Kr328


  • upgrade to 1.12.0
  • reduce structured log api alloc
  • refactor TUN code
  • upgrade gvisor
  • use fixed GUID for Wintun @Kr328
  • enforce loading only trusted Wintun dll @Kr328
  • fix fatal log on stdout
  • add process helper to shortcut and script
script:
  shortcuts:
    curl: resolve_process_name() == 'curl'
    # curl: resolve_process_path() == '/usr/bin/curl'

interface Context {
  resolve_process_path: (metadata: Metadata) => string
}
  • support userspace wireguard outbound @CzBiX
  - name: "wg"
    type: wireguard
    port: 443
    # ipv6: your_ipv6
    private-key: eCtXsJZ27+4PbhDkHnB923tkUn2Gj59wZw5wFA75MnU=
    public-key: Cr8hWlKvtDt7nrvf+f0brNQQzabAqrjfBvas9pmowjo=
    # preshared-key: base64
    # dns: [,]
    # mtu: 1420
    udp: true

For some complicated reason, wireguard does not support relay, but you can use tunnel to support this feature in disguise

  - udp,,yourendpoint:port,ss
  - name: ss
    # ...
  - name: "wg"
    type: wireguard
    port: 2043
    # ipv6: your_ipv6
    private-key: eCtXsJZ27+4PbhDkHnB923tkUn2Gj59wZw5wFA75MnU=
    public-key: Cr8hWlKvtDt7nrvf+f0brNQQzabAqrjfBvas9pmowjo=
    # preshared-key: base64
    # dns: [,]
    # mtu: 1420
    udp: true


  • upgrade to 1.11.8
  • unknown slice out-of-bounds on system stack
  • wildcard domain config parse panic
  • improve large domain ruleset parse memory alloc
  • fix quic sniff irl @nekohasekai
  • passthrough dns for auto-redir @Kr328


  • using structured logs, log messages are more detailed and transparent.
  • log API now receives format=structured for structured log json
  • now show DNS resolve detail on the debug log
DBG [DNS] dns response source=dhcp:// qType=A answer=[""]


  • upgrade to 1.11.4
  • auto-route bypass icmp on linux
  • add experimental sniff-tls-sni
    • sniff https/tls on 443 port
    • sniff http3/quic on udp 443 port @nekohasekai

This will replace the original domain name, but not every SNI is a domain, so clash only replaces the host when the host is empty and the SNI is a domain.
If you find any network requests that are not working properly, remove this option.

experimental:
  sniff-tls-sni: true


  • upgrade to 1.11.0
  • fix ipv6 lookup logic
  • udp would use the first DNS record instead of a random one
  • add auto redir (wiki)


  • fix domain set match edge case


  • upgrade to dev (b384449)
  • improve linux auto-route compatibility @Kr328
  • rule provider on rules support no-resolve @Kr328
  - RULE-SET,microsoft,policy,no-resolve
  • add match_provider to script shortcuts @Kr328
script:
  shortcuts:
    BilibiliUdp: |
      network == "udp" and match_provider("Bilibili")

rules:
  - SCRIPT,BilibiliUdp,REJECT
  • ebpf redirect bypass ICMP


  • fix auto-route on Linux (#2071)
  • dns-hijack support hijack same port traffic
tun:
  enable: true
  stack: system # or gvisor
  dns-hijack:
    - any:53
    - tcp://any:53
  • add new ebpf module redirect-to-tun
    It requires kernel support, only hooks traffic of the egress NIC, and conflicts with auto-route
interface-name: eth0
routing-mark: 7777
ebpf:
  redirect-to-tun:
    - eth0


  • fix interface cache initial bug


  • fix rule provider wrong match result
  • add auto-route and auto-detect-interface on Linux @Kr328

Explore but not in this release

  • use eBPF and tc to hook NIC to implement similar feature like auto-route
  • Is clean-dns-bpf still working? Does it make sense to integrate into clash?


  • gvisor adaptation (memory leak), every time it is updated it must have problems 🥶
  • fix rule provider wrong match result


  • upgrade to 1.10.0
  • upgrade gvisor
  • use generics and net/netip as much as possible
  • memory-optimized domain rule provider
    • benchmark result, use a ~57000 lines rule (, memory 29MB (Old) --> 1.9MB (New)
goos: darwin
goarch: arm64
pkg: test
BenchmarkNew-10              	 3464176	       345.4 ns/op	       0 B/op	       0 allocs/op
BenchmarkOld-10              	11119957	       106.1 ns/op	      48 B/op	       1 allocs/op


  • upgrade to dev (b1a639f)
    • support snell v3
    • trojan vmess tls handshake requires a timeout
    • change provider file modify time when updated
    • domain trie search (affects hosts, fake-ip-filter, fallback-filter, nameserver-policy, domain rule provider)
  • adapted gvisor new udp packet API to solve the memory leak problem caused by gvisor @nekohasekai
  • make tun hot reload as much as possible again @Fndroid


  • fix inbound http auth failed
  • ignore bind6 error on Windows


  • upgrade to 1.9.0
  • build with go1.18beta1
    • use netip.Addr to replace net.IP where possible (reduce memory usage, especially with system TUN)
    • use generics where possible


  • upgrade to dev (08607fb)
    • bind interface error
    • revert ssr udp fix
    • add filter on proxy provider (#1511)
  • use SIMD for arm64 system stack checksum @Kr328
  • system stack tun should use an independent fakeip pool
    • how to cleanup persistence fakeip (If you don't know what this is, ignore it): use curl -X POST controllerip:port/cache/fakeip/flush to flush persistence fakeip
  • system stack udp behavior (e.g. csgo)
  • broken connectivity check for UWP apps under Windows 11 @icpz
  • native syscall bind Windows interface
  • auto detect interface on Windows loop on switch network


  • upgrade to v1.8.0
  • adapt to wintun 0.14, drop < 0.14 support
  • use SIMD for amd64 system stack checksum @Kr328
    • Increased throughput by 20% on my macbook 2018
  • adjust system stack behavior


  • upgrade to v1.7.1
  • shortcuts now output a short access log


  • upgrade to v1.7.0
  • upgrade gvisor
  • support script shortcut
  • support auto-route on FreeBSD @icpz
  • fix tun packet size invalid panic
  • fix gvisor addr NPE
  • fix auto-detect-interface auto-route in PPPoE networks on Windows @icpz


  • upgrade to v1.6.5
  • upgrade gvisor
  • fix broken connectivity check on Windows TUN (@icpz)


  • upgrade to v1.6.0
  • support TUN on FreeBSD (@icpz)
  • support both system and gvisor TUN stack on Windows (@icpz)
  • fix auto detect interface on macOS 11.3
  • fix tracing API panic
  • rename macOS-auto-* to auto-* (will be backward compatible with several versions)


  • upgrade to v1.5.0
  • upgrade gvisor to support 32bit system again
  • tracing API is non-blocking now
  • hugely reduce memory use of rule providers with behavior: ipcidr
    • 488k lines of ip-cidr take up only 1.1MiB after parsing the config
  • add time module to script
def main(ctx, metadata):
  now = time.now()  # current time from the script time module
  if metadata["src_ip"] == "ip" and now.hour >= 18 and now.hour <= 22:
    return "REJECT"

  return "DIRECT"


  • upgrade to v1.4.2
    • solved the problem of not reaching some servers as a gateway in fakeip mode
    • solved the problem that HTTP Connect proxy was broken when system proxy and fakeip were both enabled


  • upgrade to v1.4.1


profile:
  # open tracing exporter API
  tracing: true

2020.12.27 (hotfix version)

  • upgrade to v1.3.5
  • fix PROCESS-NAME can't match UDP process on Windows
  • fix panic and loop TUN config on Windows TUN


  • upgrade to dev(4b1b494)
  • script support resolve_process_name Doc
  • experimental support for TUN on Windows with zero manual setup (Doc). Thanks to @CzBiX for the hard work!


  • upgrade to v1.3.0


  • upgrade to v1.2.0


  • fix a redir-host bug on 2020.09.27


  • upgrade latest dev (e09931d)
  • fix classical rule provider resolve ip logic


  • upgrade to v1.1.0
  • script support path
    path: ./
  • upgrade gvisor
  • bug fixed


  • upgrade to v1.0.0
  • macOS-auto-detect-interface can detect PPPoE
  • add classical rule provider