Clash Versions Save

A rule-based tunnel in Go.

v1.5.0

3 years ago

Feature

add gRPC Transport for vmess/trojan (#1287)
add vmess aead header support (aka vmess-md5)

Changes

use mixed-port instead of port when initial config (#1319)
clash -v show golang version

Bugfixes

set metadata.AddrType if host is ip string after remove host (#1291)
vmess network http connection broken
HTTP server should close when Connection is close
don't resolve AAAA record when ipv6 is false and custom dns disable
domain dns (DoT/DoH) should follow hosts config
url-test group should reset fast node when proxy dead

v1.4.2

3 years ago

Bugfixes

remove host if the host is IP string
some HTTP proxy request broken
- e.g. curl -x localhost:7890 baidu.com:80

v1.4.1

3 years ago

Bugfixes

save cache correctly

v1.4.0

3 years ago

Feature

support darwin arm64 (Apple Silicon) (#1234)
support cache group selected node to cache (enable by default)

profile:
  # store the `select` results in $HOME/.config/clash/.cache
  # when two different configurations have groups with the same name, the selected values are shared
  # set false if you don't want this behavior
  store-selected: false

Changes

support unspecified UDP bind-address (#1159)
use singleDo to get interface info (improve slow net interface getter such as Windows)
standardized Dockerfile label (#1191)
use jsdelivr CDN for Country.mmdb (#1057)
API support patch ipv6 config (#1217)

Bugfixes

fallback bind interface fn should not bind global unicast
dns client should not bind local address
close http Response body on the provider (#1154)
unnecessary write operation on the provider (#1170 #1210)
get general should return ipv6 result (#1172)
wrap net.Conn to avoid using *net.TCPConn.(ReadFrom) (#1209)
refactor ssr for #995 #1163 #1121 #1058, Thanks @goomadao (#1189)

v1.3.5

3 years ago

Changes

health checks return immediately if completed (#1097)
log rule message on dial error

Bugfixes

PROCESS-NAME rule for UDP sessions on Windows (#1140)
snell should support the config without obfs obfs = off
handle keep alive on http connect proxy (support git proxy anyauth)

v1.3.0

3 years ago

Features

support round-robin strategy for load-balance group (#1044)
add TCP TPROXY support (#1049)
- redir-port means Redirect TCP and TProxy UDP
- tproxy-port means TProxy TCP and TProxy UDP
add disable-udp option for all proxy group
add lazy for proxy group and provider (the default value is true)
- when lazy open, proxy group and proxy provider that have not been used during the cycle will not be speed tested.

Changes

return empty record in SVCB/HTTPSSVC on fake-ip mode
use native syscall to bind interface on Linux and macOS
eliminate tracker race condition (#1048)
eliminate tunnel UDP race condition (#1043)
push image to github docker registry: due to https://www.docker.com/blog/checking-your-current-docker-pull-rate-limits-and-status/ , I decided to publish the image to the github registry
- open-source version: https://github.com/users/Dreamacro/packages/container/package/clash
- premium version https://github.com/users/Dreamacro/packages/container/package/clash-premium

Bugfixes

missing fake-ip record should return an error

v1.2.0

3 years ago

Features

add Windows ARM32 build (#902)
reuse DNS resolver cache when hot reload
vmess network: http support TLS (https)
support snell v2 (#952)
support VMess HTTP/2 transport (#903)
support domain in fallback filter (#964)
support custom sni on http outbound

Changes

use atomic for connection statistic (#938)
use only one goroutine to handle statistic (#940)
split enhanced mode instance (#936)

Bugfixes

vmess udp option should be effected
PROCESS-NAME potential PCB buffer overflow on bsd systems (#941 #947)
the priority of fake-ip-filter

v1.1.0

3 years ago

Features

support PROCESS-NAME on macOS, Linux, FreeBSD and Windows (#822 #855 #840 Thanks @icpz, @Kr328)
add ssr support (#805 Thanks @goomadao)
dns server could lookup hosts (#872)

Changes

optimized DNS cache logic (#812 #820)
add rule payload in log
fix go test race detect
protect alive with atomic value (#834)
adjust tolerance logic (#864)
migration go 1.15

Bugfixes

ss simple-obfs host should not have 80 port
ticker leak
should not write file on file provider
handle snell server reported error message properly (#848)

v1.0.0

3 years ago

Note

1.0 has many breaking changes: https://github.com/Dreamacro/clash/wiki/Breaking-Changes-in-1.0.0

Features

add Mixed(http+socks5) proxy (#685)
domain trie support wildcard alias (+.example.com = .example.com + example.com)
add tolerance for url-test
support vmess tcp tls custom servername
open ForceAttemptHTTP2 on DoH
provider path would auto "mkdir" on initial

Changes

mode use lower case (backward compatible)
use actions build docker image (multi-platform support)
add default hosts localhost
API for connections add rule payload
local resolve DNS on UDP request due to TURN failed
dns ipv6 logic
move experimental features to stable
remove forward compatibility code

Bugfixes

provider initial return the current error
panic of socks5 client when missing authentication
trim FQDN on http and socks5 proxy request
don't auto health check on provider health check disabled
fake-ip-filter on fakeip mode should lookup ip-host mapping (#743)
cannot listen socks5 port on wsl (#748)
domain trie should backtrack to the parent if the match fails (#758)

premium

4 years ago

S3 Storage (Long-term availability not guaranteed)

https://release.dreamacro.workers.dev/

Changelog

2023.08.17

upgrade to v1.18.0
script and shortcut support inbound_port
expr engine support more builtin function https://github.com/antonmedv/expr/releases/tag/v1.14.0

2023.07.22

fix return bind interface error correctly @Kr328
fix udp inbound goroutine leak
when the dns field is not set to ipv6, the global ipv6: true will affect the dns field.

2023.06.30

upgrade to v1.17.0
all interval and tolerance support human-friendly config (30s 1h 10m30s etc.)
use eBPF to find the process name with kernel support, which is an order of magnitude faster than normal means, but it uses more memory @Kr328
fix script and expr classical match
make TUN faster in multi CPU core (> 2)
should not add default route with gateway if not an ethernet @Kr328
detect Windows default interface by syscall @Kr328

2023.05.29

upgrade to 289025c
fix rule match logic, recommend upgrade

2023.05.19

upgrade to 1.16.0
add expr script engine, 10x~20x faster than starlark (detail on expr.medv.io)

script:
  engine: expr
  shortcuts:
    # hw-sh-pcdn-35.biliapi.net
    # hw-gz-live-p2p-06.chat.bilibili.com
    # cn-jsyz-ccc-live-tracker-02.chat.bilibili.com
    bilibilishit: "any(['biliapi', 'bilibili'], host contains #) and any(['-live-tracker-', 'p2p', 'pcdn'], host contains #)"
    douyushit: (network == 'udp' or host contains 'p2p') and host contains 'douyu'
    quic: network == 'udp' and dst_port == 443
    tailscale: network == 'udp' and dst_port == 12345

add new nestable "rule groups", if field is the same as the shortcut syntax and if none of the sub-rules match, then continue to match the next rule.

rules:
  - if: network == 'tcp'
    name: TCP
    # engine: expr # the default engine is `expr`, `starlark` is also valid
    rules:
      - if: dst_port == 443
        name: HTTPS
        rules:
          - MATCH,DIRECT
      - DOMAIN-SUFFIX,baidu.com,DIRECT
  - DOMAIN-KEYWORD,google,DIRECT
  - DOMAIN-KEYWORD,www.bing.com,DIRECT
  - MATCH,REJECT

fix ipv6 dns server hosts query timeout
add in_ipset for script and shortcut
old Linux kernel should be without zerocopy @Kr328
fix auto-route issue for #2720 @Kr328

History Release Note

### 2023.04.16 * for security reasons, the path of all providers of `type: http` cannot use `path` outer clash config path (`~/.config/clash` by default) #2680

2023.04.13

upgrade to 1.15.0
reduce domain provider parse memory alloc, reduces memory alloc by 50% ~ 75% at the parsing time
all rule provider support format: text, one line per item, support # or // for comment. For security reasons, path can only be used under clash $HOMEDIR when format: text

# comment
// domain
.google.com

2023.03.18

upgrade to 1.14.0
improve Linux TCP upload throughput @Kr328
fix auto-detect-interface TUN loopback on Windows in some cases @Kr328

2023.03.04

fix the problem of traffic statistics

2023.03.03

upgrade to f78a7cb
refactor system stack udp, reduces CPU usage and improves throughput @Kr328
fix a fakeip udp bug, and you can try removing some of the fake-ip-filter lists for the game
add tcp zero-copy support on linux, single-threaded tcp throughput would be better now @Kr328
add pprof option for debug clash, It is under external-controller (also protected by secret). When external-controller is 127.0.0.1:9090. The pprof path is http://127.0.0.1:9090/debug/pprof/heap. The default value is false

2023.02.16

upgrade to 8173d66
since redir-host brings a lot of misunderstandings and problems (some of which are even hard to find). I decided to remove it. It is only used in the fake-ip-filter for a few domain name mappings. I know that it can be bypassed and "recovered" in fake-ip mode. If fake-ip-filter finds that it has been abused, I will delete the domain mapping mode completely.
auto-detect-interface now would follow the routing table instead of just selecting the default NIC. This will improve the situation where clash and vpn coexist.
add remote-dns-resolve on wireguard, default value is true.
increase TUN CPU utilization on the Linux system stack. On i5-8259U Debian testing 4 core VM on PVE. running with iperf3 -c 127.0.0.1.sslip.io -P 4 (ensure 127.0.0.1.sslip.io resolve a fakeip). Increased throughput from 5.x Gbps to 10 Gbps, almost ~2x ⚡️. But auto-redir still the true God with 37 Gbps 😭.

2023.01.29

upgrade to 1.13.0
- DNS API with additional Server field for debug source
resolve_process_path should not throw error
block ipv6 to clash for auto-route @Kr328

2022.11.25

upgrade to 1.12.0
reduce structured log api alloc
refactor TUN code
upgrade gvisor
use fixed GUID for Wintun @Kr328
enforce loading only trusted Wintun dll @Kr328
fix fatal log on stdout
add process helper to shortcut and script

script:
  shortcuts:
    curl: resolve_process_name() == 'curl'
    # curl: resolve_process_path() == '/usr/bin/curl'

interface Context {
  resolve_process_path: (metadata: Metadata) => string
}

support userspace wireguard outbound @CzBiX

proxies:
  - name: "wg"
    type: wireguard
    server: 127.0.0.1
    port: 443
    ip: 172.16.0.2
    # ipv6: your_ipv6
    private-key: eCtXsJZ27+4PbhDkHnB923tkUn2Gj59wZw5wFA75MnU=
    public-key: Cr8hWlKvtDt7nrvf+f0brNQQzabAqrjfBvas9pmowjo=
    # preshared-key: base64
    # dns: [1.1.1.1, 8.8.8.8]
    # mtu: 1420
    udp: true

For some complicated reason, wireguard does not support relay, but you can use tunnel to support this feature in disguise

tunnels:
  - udp,127.0.0.1:2043,yourendpoint:port,ss
proxies:
  - name: ss
    # ...
  - name: "wg"
    type: wireguard
    server: 127.0.0.1
    port: 2043
    ip: 172.16.0.2
    # ipv6: your_ipv6
    private-key: eCtXsJZ27+4PbhDkHnB923tkUn2Gj59wZw5wFA75MnU=
    public-key: Cr8hWlKvtDt7nrvf+f0brNQQzabAqrjfBvas9pmowjo=
    # preshared-key: base64
    # dns: [1.1.1.1, 8.8.8.8]
    # mtu: 1420
    udp: true

2022.08.26

upgrade to 1.11.8
unknown slice out-of-bounds on system stack
wildcard domain config parse panic
improve large domain ruleset parse memory alloc
fix quic sniff irl @nekohasekai
passthrough dns for auto-redir @Kr328

Highlight

using structured logs, log messages are more detailed and transparent.
log API now receives format=structured for structured log json
now show DNS resolve detail on the debug log

DBG [DNS] dns response source=dhcp://119.29.29.29:53(en0) qType=A name=google.com. answer=["10.19.10.139"]

2022.07.07

upgrade to 1.11.4
auto-route bypass icmp on linux
add experimental sniff-tls-sni
- sniff https/tls on 443 port
- sniff http3/quic on udp 443 port @nekohasekai

Note This will replace the original domain name, but not all sni are domain, so clash will only replace the host is empty and the sni that is a domain If you find any network requests that are not working properly, remove it

experimental:
  sniff-tls-sni: true

2022.06.19

upgrade to 1.11.0
fix ipv6 lookup logic
udp would use the first DNS record instead of a random one
add auto redir (wiki)

2022.05.18

fix domain set match edge case

2022.05.17

upgrade to dev (b384449)
improve linux auto-route compatibility @Kr328
rule provider on rules support no-resolve @Kr328

rules:
  - RULE-SET,microsoft,policy,no-resolve

add match_provider to script shortcuts @Kr328

script:
  shortcuts: 
    BilibiliUdp: |
      network == "udp" and match_provider("Bilibili")

rules:
  - SCRIPT,BilibiliUdp,REJECT

ebpf redirect bypass ICMP

2022.04.17

fix auto-route on Linux (#2071)
dns-hijack support hijack same port traffic

tun:
  enable: true
  stack: system # or gvisor
  dns-hijack:
    - any:53
    - tcp://any:53

add new ebpf moudle redirect-to-tun It requires kernel support, only hook traffic of the egress NIC and conflict with auto-route

interface-name: eth0
routing-mark: 7777
ebpf:
  redirect-to-tun:
    - eth0

2022.04.11

fix interface cache initial bug

2022.04.10

fix rule provider wrong match result
add auto-route and auto-detect-interface on Linux @Kr328

Explore but not in this release

use eBPF and tc to hook NIC to implement similar feature like auto-route
Is clean-dns-bpf still working? Does it make sense to integrate into clash?

2022.03.21

gvisor adaptation (memory leak), every time it is updated it must have problems 🥶
fix rule provider wrong match result

2022.03.19

upgrade to 1.10.0
upgrade gvisor
use generic and net/netip as much as possiable
memory-optimized domain rule provider
- benchmark result, use a ~57000 lines rule (+.example.com), memory 29MB (Old) --> 1.9MB (New)

goos: darwin
goarch: arm64
pkg: test
BenchmarkNew-10              	 3464176	       345.4 ns/op	       0 B/op	       0 allocs/op
BenchmarkOld-10              	11119957	       106.1 ns/op	      48 B/op	       1 allocs/op

2022.01.27

upgrade to dev (b1a639f)
- support snell v3
- trojan vmess tls handshake requires a timeout
- change provider file modify time when updated
- domain trie search (effect hosts fake-ip-filter fallback-filter nameserver-policy domain rule provider)
adapted gvisor new udp packet API to solve the memory leak problem caused by gvisor @nekohasekai
make tun hot reload as much as possible again @Fndroid

2022.01.03

fix inbound http auth failed
ignore bind6 error on Windows

2022.01.02

upgrade to 1.9.0
build with go1.18beta1
- use netip.Addr to replace net.IP where possible (reduce memory usage, especially with system TUN)
- use generics where possible

2021.12.07

upgrade to dev (08607fb)
- bind interface error
- revert ssr udp fix
- add filter on proxy provider (#1511)
use SIMD for arm64 system stack checksum @Kr328
system stack tun should use a independent fakeip pool
- how to cleanup persistence fakeip (If you don't know what this is, ignore it): use curl -X POST controllerip:port/cache/fakeip/flush to flush persistence fakeip
system stack udp behavior (e.g. csgo)
broken connectivity check for UWP apps under Windows 11 @icpz
native syscall bind Windows interface
auto detect interface on Windows loop on switch network

2021.11.08

upgrade to v1.8.0
adaptive wintun 0.14, drop < 0.14 support
use SIMD for amd64 system stack checksum @Kr328
- Increased throughput by 20% on my macbook 2018
adjust system stack behavior

2021.09.15

upgrade to v1.7.1
shortcut now output short access log

2021.09.07

upgrade to v1.7.0
upgrade gvisor
support script shortcut
support auto-route on FreeBSD @icpz
fix tun packet size invalid panic
fix gvisor addr NPE
fix auto-detect-interface auto-route in PPPoE networks on Windows @icpz

2021.07.03

upgrade to v1.6.5
upgrade gvisor
fix broken connectivity check on Windows TUN (@icpz)

2021.05.08

upgrade to v1.6.0
support TUN on FreeBSD (@icpz)
support both system and gvisor TUN stack on Windows (@icpz)
fix auto detect interface on macOS 11.3
fix tracing API panic
rename macOS-auto-* to auto-* (will be backward compatible with several versions)

2021.04.08

upgrade to v1.5.0
upgrade gvisor to support 32bit system again
tracing API is non-blocking now
huge reduce rule provider behavior: ipcidr memory
- 488k lines ip-cidr take up only 1.1MiB after parse config
add time module to script

def main(ctx, metadata):
  now = time.now()
  if metadata["src_ip"] == "ip" and now.hour >= 18 and now.hour <= 22:
    return "REJECT"

  return "DIRECT"

2021.03.10

upgrade to v1.4.2
- solved the problem of not reaching some servers as a gateway in fakeip mode
- solved the problem that HTTP Connect proxy broken when system proxy and fakeip were both enabled

2021.02.21

upgrade to v1.4.1

2021.02.19

upgrade to v1.4.0
upgrade gvisor to google/gvisor@8226803c1070
experimental tracing exporter API (example https://github.com/Dreamacro/clash-tracing)

profile:
  # open tracing exporter API
  tracing: true

2020.12.27 (hotfix version)

upgrade to v1.3.5
fix PROCESS-NAME can't match UDP process on Windows
fix panic and loop TUN config on Windows TUN

2020.12.21

upgrade to dev(4b1b494164b4b87af4ae44db1c890e64ca3fedd0)
script support resolve_process_name Doc
experimental support TUN on Windows with zero setups by hands (Doc), Thanks @CzBiX hard work!

2020.11.20

upgrade to v1.3.0

2020.10.09

upgrade to v1.2.0

2020.10.08

fix a redir-host bug on 2020.09.27

2020.09.27

upgrade latest dev (e09931d)
fix classical rule provider resolve ip logic

2020.08.16

upgrade to v1.1.0
script support path

script:
    path: ./script.star

upgrade gvisor
bug fixed

2020.06.27

upgrade to v1.0.0
macOS-auto-detect-interface can detect PPPoE
add classical rule provider

Documentations

https://dreamacro.github.io/clash/premium/introduction.html