Surge 5

- Support turning off Surge via widgets/Shortcuts when the always-on switch is turned on. - Support turning on Surge via widgets/Shortcuts when the Surge VPN Profile is not selected (or when other VPNs are running). - Fix an issue where DOMAIN-SUFFIX rules may become invalid if duplicate DOMAIN and DOMAIN-SUFFIX rules are included in the rule set. - Optimizations related to No Default Route mode, significantly improving usability. - Other bug fixes.

- Now you can see the number of times a rule has been used in the rule list. - Optimized the implementation method of blocking QUIC traffic to increase the likelihood of clients correctly falling back. - The Smart group will use the SUBSTITUTE policy (DIRECT) instead of failing directly when there are no sub-policies. - Fixed an issue where the `server-cert-fingerprint-sha256` parameter was not effective for TLS-like protocols with sni=off settings. - Added a new rule type `HOSTNAME-TYPE`, used to determine the type of request hostname. Optional values are: `IPv4`, `IPv6`, `DOMAIN`, `SIMPLE`. (`SIMPLE` refers to hostnames without a dot, such as `localhost`) - Optimized DNS request logs. Now more information is displayed. Additionally, if DIRECT policy connects directly without triggering DNS in the rule system, related DNS logs can still be shown. - When deleting a policy that is being used by a policy group, it is now allowed to delete it directly and automatically remove it from all policy groups. - Bug fixes and other Improvements.

- Optimize the matching performance of small rule sets, especially evident on older model CPUs. - The external resource update page can display error information generated by rule set processing. - Automatically ignore invalid empty lines in the rule set. - Corrected the issue where applying temporary rules and then experiencing a policy change does not disrupt existing connections. - Corrected the issue when using Ponte policy within Smart group, if the target device is itself, it failed to automatically switch to DIRECT policy. - Corrected the problem of incorrect time displayed in request logs for Ponte device requests. - Corrected crashes that may occur when external policy groups change. - Fixed an issue where configuration upgrade functionality did not correctly take effect for managed configurations and enterprise configurations. - During Smart group initialization phase, no longer displays most frequently used tags to avoid misunderstanding. - Fixed an issue where local script files could not be automatically reloaded after being edited. - Optimized indexing process for large rule sets. - Limited maximum number of files for iCloud background auto auto-sync to 200 to avoid memory usage issues. - Fixed potential UI display issues when adjusting policies through remote controller。

Smart Group This is a new type of policy group, driven by our carefully designed algorithm engine, which can automatically select the appropriate policy from the sub-policies of this policy group. The goal of the Smart policy group is to replace the original automatic testing groups (url/load-balance/fallback), greatly optimizing the experience while minimizing the need for manual intervention in policy groups. Users only need to put the available policies into this group. For details, see: https://kb.nssurge.com/surge-knowledge-base/guidelines/smart-group Rule System - Overall performance optimization of the rule system. - Significant optimization of the indexing algorithm in large domain rule sets, improving the search efficiency by more than ten times for rule sets with more than 100,000 rules. - Corrected the issue where sub-rules of logical rules within a rule set could not be covered by the `no-resolve` and `extended-matching` parameters of the rule set. - Added a new rule type `DOMAIN-WILDCARD`, supporting `?` and `*` domain name matching. - `DOMAIN-SET` and `RULE-SET` are changed to strict validation. If there are invalid lines in the file, the entire rule set will be invalidated to avoid problems caused by misuse. IPv6 - The behavior of the `ipv6-vif` parameter has been modified. When set to always, IPv6 functionality will be enabled even if `ipv6=true` is not set. - Added a warning for the `ipv6-vif=always` parameter. - Adjusted the automatic retry mechanism. Accessing IPv6 addresses in a non-IPv6 network will no longer enter the retry process, and the request will fail immediately (solving the problem of some applications stalling when IPv6 VIF is enabled in a non-IPv6 environment, but the application will still continue to send IPv6 requests). Other Optimizations - Enhanced `$notification.post`, adding support for media resources, sound hints, and automatic dismissal. - Optimized WireGuard failure handling. - Reduced the power consumption of the TUIC protocol during sleep. - Improved the precision of time statistics in the request log system, now accurate to µs level. - Optimized various abnormal retry mechanisms, avoiding high resource usage caused by continuous retry in the face of some specific problems. For operations that need to be retried continuously (such as WireGuard reconnection, Ponte server reporting to iCloud), Surge will now retry after 0.1s, 0.5s, 1s, 5s, 10s, 30s after an error. - Optimized the caching system for external resources. - Added the profile line modifier `#!REQUIREMENT`. - When the current network is found to be managed by Surge Mac Gateway, Surge iOS will now automatically pause. (This can be adjusted via the auto-suspend option, enabled by default.) - Optimized TUN takeover and specific app performance compatibility issues. - Optimized memory usage, infrequently used and large scripts will not be cached in memory anymore. - The network diagnostics page adds SSID/BSSID with copy functionality. - Now, when uploading logs in the log interface, the engine currently running will automatically generate the most recent verbose logs (the new version has cached 256KB of logs in memory), so when reporting problems, you can upload directly without needing to reproduce in verbose mode. - For external resources related to policy groups and script types, the maximum size is now limited to 2MB, to avoid memory overflow in case of configuration errors. Check the knowledge base for complete release note.

New Features - New subscription feature: Body Rewrite. Surge now can rewrite the body of HTTP request or response, replacing the original content with regular expressions. If you need to make more flexible modifications, try scripting. Improvements - Comprehensive enhancement of the Mock (Map Local) function, adding data types such as text, tiny-gif, base64 to facilitate inline data return. Also added the ability to customize status codes. - Optimized the request list filter, now displaying the filter at the top and allowing quick toggling of filter activation. Long-pressing a filter item displays a menu for deletion or reversing the item to a negative filter. - Added recognition for STUN packets, which can be matched with PROTOCOL,STUN. - Optimized the external resource management page. - Optimized the script editor page. - Optimized the module management page. - Added a long-press shortcut menu to the Utilities tab. - Added a new URL scheme for the iOS version: surge:///install-module?url=… Optimizations - When configuring Shortcuts to execute Surge scripts, the script list of the current configuration can now be directly accessed. - Enhanced compatibility when decompressing HTTP Body. - Optimized the script engine, limiting the number of concurrent JSC engine processes to 2 to avoid memory issues. - The GeoIP database can now be updated by the main application without needing a restart to take effect. - Optimized the request log, now displaying the specific rules matched for URL Rewrite and Header Rewrite. - Adjusted the logic of the DNS engine handling empty results, now not waiting for all servers to respond with empty results when multiple DNS servers are configured, to avoid additional waiting when AAAA records do not exist.. - The module page allows undoing modifications to avoid misoperations that change the order of effectiveness. Fixes - Fixed the issue where warnings generated by module configurations were not displayed. - Fixed a crash in Surge caused by passing some incorrect types of parameters in scripts. - Fixed compatibility issues with non-https WebSockets in proxy mode with the new version of Safari. - Fixed the issue where deleting an entry in the rule search page would delete all duplicate entries. - Fixed some missing highlights in the editor. - Other bug fixes.

Module - Added several new official modules; official modules can now be dynamically updated. - Modules have a new classification field for convenient access and categorization in the UI. - Modules now accept parameter tables, supporting multiple parameters. Parameters will be used to modify module content through text replacement. Script - New script execution engine. Optimized execution performance and memory usage. - $httpClient has added several practical parameters. For more details on the updates above, see the documentation. Enhancements - Added desktop shortcut jumps for remote controllers; see the configuration guide at the bottom of the device page for details. - New parameter: always-raw-tcp-keywords. For usage, refer to documentation. - Added SRC-PORT rule to match client port numbers. - IN-PORT/SRC-PORT/DEST-POT three rules are categorized as port number rule class, supporting more usages. - The UI can now maintain pure empty lines from original configurations after editing. Fixes - Corrected a detail issue with QUIC flow control and optimized latency performance for Ponte/TUIC/Hysteria2 protocols. - After editing a single rule, the notification-related parameters will be retained.. - Corrected an issue where switching outbound modes via widget was not possible in newer iOS versions. - Fixed potential sudden memory overruns that could occur when when processing huge external resources leading to stops.

- Rewrote the virtual IP database, now the database can automatically clean up data based on last use time. - Added viewing of the virtual IP table. (at the top right corner of the DNS result page) - For DNS requests with illegal domain names, an empty result response will be generated instead of being ignored directly. - Surge Ponte connections no longer validate peer addresses to ensure normal operation in certain special scenarios. - Removed include-all-network option from UI to avoid misuse. - Support configuring no-resolve for built-in rule sets/Inline rule sets. - Other improvements and bug fixes.

Rule Engine Optimizations - The implementation of RULE-SET and DOMAIN-SET has been completely rewritten. Now, Surge automatically preprocesses and indexes rule sets during resource updates, significantly increasing the matching speed. 1. There is no longer any difference in performance and memory usage between RULE-SET and DOMAIN-SET types of rule sets, allowing flexible usage. 2. There is no longer a restriction in DOMAIN-SET rule sets that prevents the use of eTLDs. 3. The matching speed for DOMAIN, DOMAIN-SUFFIX, IP-CIDR, and IP-CIDR6 rules in RULE-SET has been greatly improved. - A DOMAIN/DOMAIN-SUFFIX rule set with approximately 100,000 entries used to take 100ms for a single match in the old version; now, it only takes single-digit ms. - An IP-CIDR rule set with approximately 10,000 entries used to take about 0.1ms for a single match in the old version. The new version only needs 0.0002ms, an improvement of about 500 times. The performance improvement for IP-CIDR6 rules is even greater. 4. In the new version, building a regional IP address collection using the IP-CIDR rule set offers the same performance as directly using the internal GEOIP rule. 5. The Inline Ruleset added in the previous version does not benefit from this optimization, but there is virtually no difference at the scale of hundreds of entries. 6. In previous versions, rules within a Ruleset were matched one by one from top to bottom. If rules requiring DNS resolution were included, DNS would only be triggered when starting to match that sub-rule. In the new version, if any rule requiring DNS resolution is included in the rule set, DNS resolution will occur before testing that rule set. (In most cases, there is no difference) - Main ruleset matching efficiency has been slightly optimized. - The efficiency of IP-CIDR6 rules has been significantly improved even in non-indexed situations. - RULE-SET rules can now be configured directly with parameters no-resolve and extended-matching, which are equivalent to configuring all sub-rules with these parameters. - DOMAIN-SET rule sets also support configuration with extended-matching. Minor Optimizations - Now, when performing MITM, the certificate used for signing will be sent to the client together, to support using intermediate certificates for MITM. - All comments (at the beginning and end of lines) can now use `#`, `//`, `;` three common comment symbols. - Profile error message prompt optimization, now it can give the exact line number where the error occurred more accurately. - Fixed an issue that BSSID related matching rules might fail. - Optimize Surge Ponte error handling process, correct the issue where device information is not automatically updated under certain errors. - Bug fixes.

New Features · New Inky icon · Protocol sniffing Requests to port 80 and 443 will wait for the client to send the first packet, then extract the SNI and other information for the rule system to judge. · DOMAIN, DOMAIN-SUFFIX, DOMAIN-KEYWORD rules add an optional parameter called extended-matching. When this parameter is enabled, the rule will try to match both the SNI and the HTTP Host Header (or :authority). · Added a parameter called always-raw-tcp-hosts, used to forcibly turn off active protocol detection for specific hostnames. · New proxy protocol support: Hysteria 2 Hysteria 2 is a proxy protocol optimized for unstable and packet-loss-prone network environments, based on UDP/QUIC. · Automatic QUIC blocking Since most proxy protocols are not suitable for forwarding QUIC traffic, Surge will now automatically block QUIC traffic to make it fallback to HTTPS/TCP protocol, ensuring performance. For QUIC traffic that hits the MITM hostname, it will also be automatically rejected. · ECN (Explicit Congestion Notification) support for QUIC-based protocols Significantly improved the performance of the Vector(Surge Ponte)/TUIC/Hysteria 2 protocol. Optimizations · Reworked HTTP capture functionality · The related settings are no longer stored in the configuration, the [Replica] section has been deprecated. · Added an automatic shut-off setting after turning on the capture switch, which can automatically stop capturing based on time, size, or the number of requests. · Added automatic activation of MITM after turning on the capture switch, which can be additionally turned on for specific hostnames. (Even if the main MITM switch is off). · Added an option to only save HTTP/HTTPS requests after turning on the capture switch. · VIF performance optimization, tested to achieve full speed of a 2.5Gbps wired network card on iPhone 15 Pro with VIF taking over a single thread. (Proxy mode performs even better) · Wi-Fi Assist and Hybrid features will only take effect after the device is unlocked, to avoid unnecessary power and data consumption. · From this version on, the size of external resources is limited to no more than 10MB to prevent excessive memory usage caused by abnormal external resources. (Except for domain-set) · The parameters udp-policy-not-supported-behaviour, include-apns, include-cellular-services have been added to the UI settings. · Improved compatibility with some non-standard protocols. · When testing the Ponte policy, the test URL has been changed from proxy-test-url to internet-test-url. · Following the WireGuard protocol standard recommendation, WireGuard handshake packets will now be tagged with 0x88 (AF41) DSCP to increase the success rate. · When forwarding UDP packets via WireGuard, it supports retaining the TOS(DSCP/ECN) tag of packets inside the tunnel. · Based on the WireGuard protocol standard recommendation, Surge will copy the ECN tag from packets inside the tunnel to packets outside. When receiving packets with an ECN tag, they will be strictly merged according to RFC6040. (ecn=true must be set for the strategy). · UDP NAT can close the UDP session early based on ICMP messages. · Improved PMTU support for QUIC. Bug Fixes · Fixed the issue where the external resources of rule sets needed to be reloaded to take effect after updates. · After a network switch, it will forcefully break the original long connection of DoH/DoQ/DoH3 to avoid obtaining results that are not suitable for the current network environment. · Fixed the issue where invalid certificates might cause the key store interface to crash. · Fixed the issue where the Ponte device option in the policy group page might not display text. · When performing MITM on HTTPS requests that directly connect using an IP address, the IP address should not be sent as SNI, as this might cause compatibility issues. · Other bug fixes.