S3 Storage (Long-term availability not guaranteed)
https://release.dreamacro.workers.dev/
Changelog
2023.08.17
- upgrade to v1.18.0
- script and shortcut support `inbound_port`
- `expr` engine support more builtin function https://github.com/antonmedv/expr/releases/tag/v1.14.0
2023.07.22
- fix return bind interface error correctly @Kr328
- fix udp inbound goroutine leak
- when the dns field is not set to ipv6, the global `ipv6: true` will affect the dns field.
2023.06.30
- upgrade to v1.17.0
- all `interval` and `tolerance` support human-friendly config (`30s` `1h` `10m30s` etc.)
- use eBPF to find the process name with kernel support, which is an order of magnitude faster than normal means, but it uses more memory @Kr328
- fix script and expr classical match
- make TUN faster in multi CPU core (> 2)
- should not add default route with gateway if not an ethernet @Kr328
- detect Windows default interface by syscall @Kr328
2023.05.29
- upgrade to 289025c
- fix rule match logic, recommend upgrade
2023.05.19
- upgrade to 1.16.0
- add `expr` script engine, 10x~20x faster than starlark (detail on expr.medv.io)
    script:
      engine: expr
      shortcuts:
        # hw-sh-pcdn-35.biliapi.net
        # hw-gz-live-p2p-06.chat.bilibili.com
        # cn-jsyz-ccc-live-tracker-02.chat.bilibili.com
        bilibilishit: "any(['biliapi', 'bilibili'], host contains #) and any(['-live-tracker-', 'p2p', 'pcdn'], host contains #)"
        douyushit: (network == 'udp' or host contains 'p2p') and host contains 'douyu'
        quic: network == 'udp' and dst_port == 443
        tailscale: network == 'udp' and dst_port == 12345
- add new nestable "rule groups", `if` field is the same as the shortcut syntax and if none of the sub-rules match, then continue to match the next rule.
    rules:
      - if: network == 'tcp'
        name: TCP
        # engine: expr # the default engine is `expr`, `starlark` is also valid
        rules:
          - if: dst_port == 443
            name: HTTPS
            rules:
              - MATCH,DIRECT
          - DOMAIN-SUFFIX,baidu.com,DIRECT
      - DOMAIN-KEYWORD,google,DIRECT
      - DOMAIN-KEYWORD,www.bing.com,DIRECT
      - MATCH,REJECT
- fix ipv6 dns server hosts query timeout
- add `in_ipset` for script and shortcut
- old Linux kernel should be without zerocopy @Kr328
- fix `auto-route` issue for #2720 @Kr328
History Release Note
2023.04.16
- for security reasons, the `path` of all providers of `type: http` cannot point outside the clash config path (`~/.config/clash` by default) #2680
2023.04.13
- upgrade to 1.15.0
- reduce domain provider parse memory alloc, reduces memory alloc by 50% ~ 75% at the parsing time
- all rule provider support `format: text`, one line per item, support `#` or `//` for comment. For security reasons, `path` can only be used under clash $HOMEDIR when `format: text`
    # comment
    // domain
    .google.com
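The provider `path` restriction in the 2023.04.16 and 2023.04.13 entries amounts to a containment check: resolve the configured path against the clash home directory and refuse anything that lands outside it. The following Go sketch of such a check is an added example, not Clash's own code; `ResolveProviderPath` and the sample paths are hypothetical, and the check is lexical only (symlinks are not resolved).

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// ResolveProviderPath (hypothetical helper) joins a provider's configured
// path onto homeDir when it is relative, normalises "." and ".." elements,
// and returns an error if the result is not inside homeDir.
// The check is lexical: symlinks under homeDir are not resolved here.
func ResolveProviderPath(homeDir, configured string) (string, error) {
	home := filepath.Clean(homeDir)
	p := configured
	if !filepath.IsAbs(p) {
		p = filepath.Join(home, p)
	}
	p = filepath.Clean(p)

	// Rel gives the path from home to p; a leading ".." element means p
	// escaped home. Comparing whole elements avoids the prefix mistake of
	// accepting a sibling directory such as "<home>-backup".
	rel, err := filepath.Rel(home, p)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("provider path %q is outside %q", configured, home)
	}
	return p, nil
}

func main() {
	home := filepath.FromSlash("/home/user/.config/clash") // constructed sample
	for _, c := range []string{
		"./ruleset/google.txt",
		"ruleset/../ruleset/cn.yaml",
		"../outside.yaml",
		filepath.FromSlash("/home/user/.config/clash-backup/x.yaml"),
	} {
		p, err := ResolveProviderPath(home, c)
		fmt.Printf("%-45q -> %q err=%v\n", c, p, err)
	}
}
```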
2023.03.18
- upgrade to 1.14.0
- improve Linux TCP upload throughput @Kr328
- fix `auto-detect-interface` TUN loopback on Windows in some cases @Kr328
2023.03.04
- fix the problem of traffic statistics
2023.03.03
- upgrade to f78a7cb
- refactor system stack udp, reduces CPU usage and improves throughput @Kr328
- fix a fakeip udp bug, and you can try removing some of the `fake-ip-filter` lists for the game
- add tcp zero-copy support on linux, single-threaded tcp throughput would be better now @Kr328
- add `pprof` option for debugging clash. It is under external-controller (also protected by secret). When `external-controller` is 127.0.0.1:9090, the pprof path is http://127.0.0.1:9090/debug/pprof/heap. The default value is `false`
2023.02.16
- upgrade to 8173d66
- since `redir-host` brings a lot of misunderstandings and problems (some of which are even hard to find). I decided to remove it. It is only used in the `fake-ip-filter` for a few domain name mappings. I know that it can be bypassed and "recovered" in fake-ip mode. If `fake-ip-filter` finds that it has been abused, I will delete the domain mapping mode completely.
- `auto-detect-interface` now would follow the routing table instead of just selecting the default NIC. This will improve the situation where clash and vpn coexist.
- add `remote-dns-resolve` on wireguard, default value is true.
- increase TUN CPU utilization on the Linux system stack. On i5-8259U Debian testing 4 core VM on PVE. running with `iperf3 -c 127.0.0.1.sslip.io -P 4` (ensure 127.0.0.1.sslip.io resolve a fakeip). Increased throughput from 5.x Gbps to 10 Gbps, almost ~2x ⚡️. But `auto-redir` still the true God with 37 Gbps 😭.
2023.01.29
- upgrade to 1.13.0
- DNS API with additional `Server` field for debug source
- resolve_process_path should not throw error
- block ipv6 to clash for auto-route @Kr328
2022.11.25
- upgrade to 1.12.0
- reduce structured log api alloc
- refactor TUN code
- upgrade gvisor
- use fixed GUID for Wintun @Kr328
- enforce loading only trusted Wintun dll @Kr328
- fix fatal log on stdout
- add process helper to shortcut and script
    script:
      shortcuts:
        curl: resolve_process_name() == 'curl'
        # curl: resolve_process_path() == '/usr/bin/curl'

    interface Context {
      resolve_process_path: (metadata: Metadata) => string
    }
- support userspace wireguard outbound @CzBiX
    proxies:
      - name: "wg"
        type: wireguard
        server: 127.0.0.1
        port: 443
        ip: 172.16.0.2
        # ipv6: your_ipv6
        private-key: eCtXsJZ27+4PbhDkHnB923tkUn2Gj59wZw5wFA75MnU=
        public-key: Cr8hWlKvtDt7nrvf+f0brNQQzabAqrjfBvas9pmowjo=
        # preshared-key: base64
        # dns: [1.1.1.1, 8.8.8.8]
        # mtu: 1420
        udp: true
For some complicated reason, wireguard does not support relay, but you can use tunnel to support this feature in disguise
    tunnels:
      - udp,127.0.0.1:2043,yourendpoint:port,ss
    proxies:
      - name: ss
        # ...
      - name: "wg"
        type: wireguard
        server: 127.0.0.1
        port: 2043
        ip: 172.16.0.2
        # ipv6: your_ipv6
        private-key: eCtXsJZ27+4PbhDkHnB923tkUn2Gj59wZw5wFA75MnU=
        public-key: Cr8hWlKvtDt7nrvf+f0brNQQzabAqrjfBvas9pmowjo=
        # preshared-key: base64
        # dns: [1.1.1.1, 8.8.8.8]
        # mtu: 1420
        udp: true
2022.08.26
- upgrade to 1.11.8
- unknown slice out-of-bounds on system stack
- wildcard domain config parse panic
- improve large domain ruleset parse memory alloc
- fix quic sniff irl @nekohasekai
- passthrough dns for auto-redir @Kr328
Highlight
- using structured logs, log messages are more detailed and transparent.
- log API now receives `format=structured` for structured log json
- now show DNS resolve detail on the debug log
    DBG [DNS] dns response source=dhcp://119.29.29.29:53(en0) qType=A name=google.com. answer=["10.19.10.139"]
2022.07.07
- upgrade to 1.11.4
- `auto-route` bypass icmp on linux
- add experimental `sniff-tls-sni`
  - sniff https/tls on 443 port
  - sniff http3/quic on udp 443 port @nekohasekai
Note
This will replace the original domain name, but not all sni are domains, so clash will only replace it when the host is empty and the sni is a domain
If you find any network requests that are not working properly, remove it
    experimental:
      sniff-tls-sni: true
2022.06.19
- upgrade to 1.11.0
- fix ipv6 lookup logic
- udp would use the first DNS record instead of a random one
- add auto redir (wiki)
2022.05.18
- fix domain set match edge case
2022.05.17
- upgrade to dev (b384449)
- improve linux `auto-route` compatibility @Kr328
- rule provider on rules support no-resolve @Kr328
    rules:
      - RULE-SET,microsoft,policy,no-resolve
- add `match_provider` to script shortcuts @Kr328
    script:
      shortcuts:
        BilibiliUdp: |
          network == "udp" and match_provider("Bilibili")
    rules:
      - SCRIPT,BilibiliUdp,REJECT
- ebpf redirect bypass ICMP
2022.04.17
- fix `auto-route` on Linux (#2071)
- `dns-hijack` support hijack same port traffic
    tun:
      enable: true
      stack: system # or gvisor
      dns-hijack:
        - any:53
        - tcp://any:53
- add new ebpf module `redirect-to-tun`. It requires kernel support, only hook traffic of the egress NIC and conflict with `auto-route`
    interface-name: eth0
    routing-mark: 7777
    ebpf:
      redirect-to-tun:
        - eth0
2022.04.11
- fix interface cache initial bug
2022.04.10
- fix rule provider wrong match result
- add `auto-route` and `auto-detect-interface` on Linux @Kr328
Explore but not in this release
- use eBPF and tc to hook NIC to implement similar feature like `auto-route`
- Is `clean-dns-bpf` still working? Does it make sense to integrate into clash?
2022.03.21
- gvisor adaptation (memory leak), every time it is updated it must have problems 🥶
- fix rule provider wrong match result
2022.03.19
- upgrade to 1.10.0
- upgrade gvisor
- use generic and net/netip as much as possible
- memory-optimized domain rule provider
  - benchmark result, use a ~57000 lines rule (`+.example.com`), memory 29MB (Old) --> 1.9MB (New)
    goos: darwin
    goarch: arm64
    pkg: test
    BenchmarkNew-10     3464176    345.4 ns/op     0 B/op    0 allocs/op
    BenchmarkOld-10    11119957    106.1 ns/op    48 B/op    1 allocs/op
2022.01.27
- upgrade to dev (b1a639f)
- support snell v3
- trojan vmess tls handshake requires a timeout
- change provider file modify time when updated
- domain trie search (effect `hosts` `fake-ip-filter` `fallback-filter` `nameserver-policy` `domain` rule provider)
- adapted gvisor new udp packet API to solve the memory leak problem caused by gvisor @nekohasekai
- make tun hot reload as much as possible again @Fndroid
2022.01.03
- fix inbound http auth failed
- ignore bind6 error on Windows
2022.01.02
- upgrade to 1.9.0
- build with go1.18beta1
- use `netip.Addr` to replace `net.IP` where possible (reduce memory usage, especially with system TUN)
- use generics where possible
2021.12.07
- upgrade to dev (08607fb)
- bind interface error
- revert ssr udp fix
- add filter on proxy provider (#1511)
- use SIMD for arm64 system stack checksum @Kr328
- system stack tun should use a independent fakeip pool
- how to cleanup persistence fakeip (If you don't know what this is, ignore it): use curl -X POST controllerip:port/cache/fakeip/flush to flush persistence fakeip
- system stack udp behavior (e.g. csgo)
- broken connectivity check for UWP apps under Windows 11 @icpz
- native syscall bind Windows interface
- auto detect interface on Windows loop on switch network
2021.11.08
- upgrade to v1.8.0
- adaptive wintun 0.14, drop < 0.14 support
- use SIMD for amd64 system stack checksum @Kr328
- Increased throughput by 20% on my macbook 2018
- adjust system stack behavior
2021.09.15
- upgrade to v1.7.1
- shortcut now output short access log
2021.09.07
- upgrade to v1.7.0
- upgrade gvisor
- support script shortcut
- support `auto-route` on FreeBSD @icpz
- fix tun packet size invalid panic
- fix gvisor addr NPE
- fix `auto-detect-interface` `auto-route` in PPPoE networks on Windows @icpz
2021.07.03
- upgrade to v1.6.5
- upgrade gvisor
- fix broken connectivity check on Windows TUN (@icpz)
2021.05.08
- upgrade to v1.6.0
- support TUN on FreeBSD (@icpz)
- support both `system` and `gvisor` TUN stack on Windows (@icpz)
- fix auto detect interface on macOS 11.3
- fix tracing API panic
- rename `macOS-auto-*` to `auto-*` (will be backward compatible with several versions)
2021.04.08
- upgrade to v1.5.0
- upgrade gvisor to support 32bit system again
- tracing API is non-blocking now
- huge reduce rule provider `behavior: ipcidr` memory
  - 488k lines ip-cidr take up only 1.1MiB after parse config
- add time module to script
    def main(ctx, metadata):
        now = time.now()
        if metadata["src_ip"] == "ip" and now.hour >= 18 and now.hour <= 22:
            return "REJECT"
        return "DIRECT"
2021.03.10
- upgrade to v1.4.2
- solved the problem of not reaching some servers as a gateway in fakeip mode
- solved the problem that HTTP Connect proxy broken when system proxy and fakeip were both enabled
2021.02.21
- upgrade to v1.4.1
2021.02.19
- upgrade to v1.4.0
- upgrade gvisor to google/gvisor@8226803c1070
- experimental tracing exporter API (example https://github.com/Dreamacro/clash-tracing)
    profile:
      # open tracing exporter API
      tracing: true
2020.12.27 (hotfix version)
- upgrade to v1.3.5
- fix PROCESS-NAME can't match UDP process on Windows
- fix panic and loop TUN config on Windows TUN
2020.12.21
- upgrade to dev(4b1b494)
- script support `resolve_process_name` (Doc)
- experimental support TUN on Windows with zero setups by hands (Doc), Thanks @CzBiX hard work!
2020.11.20
- upgrade to v1.3.0
2020.10.09
- upgrade to v1.2.0
2020.10.08
- fix a `redir-host` bug on 2020.09.27
2020.09.27
- upgrade latest dev (e09931d)
- fix classical rule provider resolve ip logic
2020.08.16
- upgrade to v1.1.0
- script support `path`
    script:
      path: ./script.star
- upgrade gvisor
- bug fixed
2020.06.27
- upgrade to v1.0.0
- macOS-auto-detect-interface can detect PPPoE
- add `classical` rule provider