Skip to content

0.9.4

Choose a tag to compare

@yandexru45 yandexru45 released this 05 Jul 09:03

0.9.4 (Hotfix + hardening after 0.9.3)

• Fixed: Global proxy was routing everything DIRECT in 0.9.3.
Sections with global_proxy enabled were bypassing their lists and sending
all traffic straight out the WAN, ignoring community_lists / Discord /
Telegram / etc. rules. Fixed in configure_routing_for_section_lists:
the global_proxy branch now builds route rules with the section's own
outbound tag the same way non-global-proxy sections do, so route.final
and per-list rule_sets both point to the section's outbound instead of
direct-out. community_lists and every other list again route through
the chosen proxy.
✅ tested on real hardware - twitter.com resolves to FakeIP 198.18.0.x,
route.rules[i].outbound == main-out, sing-box check passes.

• Fixed: I/O timeout in sing-box when device WAN is on a non-wan interface
(#28 hardening, d516fda from rustnomicon). The route-final pass used a
hardcoded ubus call network.interface.wan status to pick the egress
device, which returns empty on multi-WAN setups (wan2 / wanb / cellular /
etc.) — sing-box then had no outbound interface and every connection
timed out. New detect_wan_device() resolves the egress device in order:
ip route show defaultnetwork.interface.wan{,6,wwan,internet,2..5}
→ fallback to auto_detect_interface: true in the generated config.
✅ tested on real hardware - both single-WAN and a simulated second
default route; no more i/o timeout.

• Selected subscription server now survives reboot (#21, kjljxybr hardening

  • 0.9.4 race guard). sing-box persists the user's group/proxy selection
    in its own cache.db, but that file lives in tmpfs ( and is wiped on every reboot, so the selector always jumped back to the default after a restart. Now the live cache is snaps the overlay (/etc/netshift/cache.db) on a clean st a Clash-API PATCH succeeds, and restored into /tmp b — the picker choice survives both clean restarts AND Plus: a flock-guarded critical section serialises so two near-simultaneous server picks no longer race on cp + mvand waste a flash write. Acmpbyte-equality guard short-circuits the snapshot when neither the selection nor FakeIP state reload / WAN-flap does NOT touch the overlay. ✅ tested on real hardware - pick a server,reboot`
    on the same server after sing-box comes back; two concurrent PATCHes
    end on an identical cache.db with one flash write.

• Fixed: httpupgrade transport in subscription outbo
zet694). The frontend link validator already listed httpupgrade as a
valid scheme, but the backend fell through to "Unkno
'httpupgrade' detected" and built a TLS-only outboun
showed N/A in URLTest. Added sing_box_cm_set_httpup that emits a proper transport:{type:"httpupgrade", path, host}block, falling backhosttosni` for TLS-fronted setups.
stock sing-box and the extended core (httpupgrade is an upstream
transport since 1.8, no extended-core requirement).
✅ tested with a sandbox subscription - the node now appears in URLTest
and reports a real latency.

• dns-in queries now route through the proxy in multi/
settings.dns_outbound_mode = multi|paranoid (new U
single for backward compat) appends a dns.rules
that forwards every query landing on the 127.0.0.42:53 inbound through
the section's chosen outbound. Recursive-aware multi-resolver proxy
works through your VPN, not around it.
✅ tested on real hardware - multi mode forwards all dns-in queries
through the configured outbound; single mode is by
0.9.2 (verified by smoke test).

• Fixed: backup_sing_box_cache would crash with can't create : nonexistent directory on the flock-redirect line wh
constant was missing or pointed outside the snapshot directory (a
partial apk upgrade, a constants.sh drift, or a user
NETSHIFT_STATE_DIR). Lock path is now derived from t
location itself, so the function is self-consistent
how constants.sh was packaged — and a stale constants.sh is now
logged once at warn level instead of crashing the wh
✅ tested by reproducing the original bug, deploying the fix, and
re-running the restart cleanly on 192.168.1.101.


Telegram Channel Telegram Chat