Config: Rename network/address/port in Tunnel inbound and DNS outbound (#6084 )

https://github.com/XTLS/Xray-core/pull/6083#issuecomment-4387702965 https://github.com/XTLS/Xray-core/pull/6084#issuecomment-4395333530
Config: Rename inbounds' clients/accounts to users (#6083 )
2026-05-08 14:13:22 +00:00 · 2026-05-07 14:13:25 +00:00 · 2026-05-07 14:13:05 +00:00 · 2026-05-07 14:12:39 +00:00 · 2026-05-07 10:43:21 +00:00 · 2026-05-03 11:53:13 +00:00
379 changed files with 27852 additions and 10518 deletions
--- a/.github/build/friendly-filenames.json
+++ b/.github/build/friendly-filenames.json
@@ -29,6 +29,5 @@
  "openbsd-arm7": { "friendlyName": "openbsd-arm32-v7a" },
  "windows-386": { "friendlyName": "windows-32" },
  "windows-amd64": { "friendlyName": "windows-64" },
-  "windows-arm64": { "friendlyName": "windows-arm64-v8a" },
-  "windows-arm7": { "friendlyName": "windows-arm32-v7a" }
+  "windows-arm64": { "friendlyName": "windows-arm64-v8a" }
 }
--- a/.github/docker/Dockerfile
+++ b/.github/docker/Dockerfile
@@ -45,8 +45,8 @@ RUN mkdir -p /tmp/var/log/xray && touch \
 FROM gcr.io/distroless/static:nonroot

 COPY --from=build --chown=0:0 --chmod=755 /src/xray /usr/local/bin/xray
-COPY --from=build --chown=0:0 --chmod=755 /tmp/empty /usr/local/share/xray
-COPY --from=build --chown=0:0 --chmod=644 /tmp/geodat/*.dat /usr/local/share/xray/
+COPY --from=build --chown=65532:65532 --chmod=755 /tmp/empty /usr/local/share/xray
+COPY --from=build --chown=65532:65532 --chmod=644 /tmp/geodat/*.dat /usr/local/share/xray/
 COPY --from=build --chown=0:0 --chmod=755 /tmp/empty /usr/local/etc/xray
 COPY --from=build --chown=0:0 --chmod=644 /tmp/usr/local/etc/xray/*.json /usr/local/etc/xray/
 COPY --from=build --chown=0:0 --chmod=755 /tmp/empty /var/log/xray
--- a/.github/docker/Dockerfile.usa
+++ b/.github/docker/Dockerfile.usa
@@ -54,8 +54,8 @@ RUN mkdir -p /tmp/var/log/xray && touch \
 FROM --platform=linux/amd64 gcr.io/distroless/static:nonroot

 COPY --from=build --chown=0:0 --chmod=755 /src/xray /usr/local/bin/xray
-COPY --from=build --chown=0:0 --chmod=755 /tmp/empty /usr/local/share/xray
-COPY --from=build --chown=0:0 --chmod=644 /tmp/geodat/*.dat /usr/local/share/xray/
+COPY --from=build --chown=65532:65532 --chmod=755 /tmp/empty /usr/local/share/xray
+COPY --from=build --chown=65532:65532 --chmod=644 /tmp/geodat/*.dat /usr/local/share/xray/
 COPY --from=build --chown=0:0 --chmod=755 /tmp/empty /usr/local/etc/xray
 COPY --from=build --chown=0:0 --chmod=644 /tmp/usr/local/etc/xray/*.json /usr/local/etc/xray/
 COPY --from=build --chown=0:0 --chmod=755 /tmp/empty /var/log/xray
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -68,13 +68,13 @@ jobs:
        uses: actions/checkout@v6

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -82,7 +82,7 @@ jobs:

      - name: Build Docker image (main architectures)
        id: build_main_arches
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
        with:
          context: .
          file: .github/docker/Dockerfile
@@ -97,7 +97,7 @@ jobs:

      - name: Build Docker image (additional architectures)
        id: build_additional_arches
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
        with:
          context: .
          file: .github/docker/Dockerfile.usa
--- a/.github/workflows/release-win7.yml
+++ b/.github/workflows/release-win7.yml
@@ -173,7 +173,7 @@ jobs:
          file_glob: true

      - name: Upload files to Artifacts
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
        with:
          name: Xray-${{ env.ASSET_NAME }}
          path: |
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -40,7 +40,7 @@ jobs:
              break
            fi
          done
-          LIST=('amd64' 'x86' 'arm64' 'arm')
+          LIST=('amd64' 'x86' 'arm64')
          for ARCHITECTURE in "${LIST[@]}"
          do
            echo -e "Checking wintun.dll for ${ARCHITECTURE}..."
@@ -55,7 +55,7 @@ jobs:

      - name: Trigger Asset Update Workflow if Assets Missing
        if: steps.check-assets.outputs.missing == 'true'
-        uses: actions/github-script@v8
+        uses: actions/github-script@v9
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
@@ -114,9 +114,6 @@ jobs:
          # Windows ARM
          - goos: windows
            goarch: arm64
-          - goos: windows
-            goarch: arm
-            goarm: 7
          # BEGIN Other architectures
          # BEGIN riscv64 & ARM64 & LOONG64
          - goos: linux
@@ -250,9 +247,6 @@ jobs:
            if [[ ${GOARCH} == 'arm64' ]]; then
              mv resources/wintun/bin/arm64/wintun.dll build_assets/
            fi
-            if [[ ${GOARCH} == 'arm' ]]; then
-              mv resources/wintun/bin/arm/wintun.dll build_assets/
-            fi
            mv resources/wintun/LICENSE.txt build_assets/LICENSE-wintun.txt
          fi

@@ -286,7 +280,7 @@ jobs:
          file_glob: true

      - name: Upload files to Artifacts
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
        with:
          name: Xray-${{ env.ASSET_NAME }}
          path: |
--- a/.github/workflows/scheduled-assets-update.yml
+++ b/.github/workflows/scheduled-assets-update.yml
@@ -33,7 +33,7 @@ jobs:

      - name: Update Geodat
        id: update
-        uses: nick-fields/retry@v3
+        uses: nick-fields/retry@v4
        with:
          timeout_minutes: 60
          retry_wait_seconds: 60
@@ -82,14 +82,14 @@ jobs:

      - name: Update Wintun
        id: update
-        uses: nick-fields/retry@v3
+        uses: nick-fields/retry@v4
        with:
          timeout_minutes: 60
          retry_wait_seconds: 60
          max_attempts: 60
          command: |
            [ -d 'resources' ] || mkdir resources
-            LIST=('amd64' 'x86' 'arm64' 'arm')
+            LIST=('amd64' 'x86' 'arm64')
            for ARCHITECTURE in "${LIST[@]}"
            do
              FILE_PATH="resources/wintun/bin/${ARCHITECTURE}/wintun.dll"
--- a/README.md
+++ b/README.md
@@ -10,6 +10,8 @@

 [![Happ](https://github.com/user-attachments/assets/14055dab-e8bb-48bd-89e8-962709e4098e)](https://happ.su)

+[![BlancVPN](https://github.com/user-attachments/assets/9145ea7d-5da3-446e-8143-710dba4292c3)](https://blanc.link/VMTSDqW)
+
 [**Sponsor Xray-core**](https://github.com/XTLS/Xray-core/issues/3668)

 ## Donation & NFTs
@@ -65,6 +67,7 @@
  - [Marzban](https://github.com/Gozargah/Marzban)
  - [Hiddify](https://github.com/hiddify/Hiddify-Manager)
  - [TX-UI](https://github.com/AghayeCoder/tx-ui)
+  - [CELERITY](https://github.com/ClickDevTech/CELERITY-panel)
 - One Click
  - [Xray-REALITY](https://github.com/zxcvos/Xray-script), [xray-reality](https://github.com/sajjaddg/xray-reality), [reality-ezpz](https://github.com/aleskxyz/reality-ezpz)
  - [Xray_bash_onekey](https://github.com/hello-yunshu/Xray_bash_onekey), [XTool](https://github.com/LordPenguin666/XTool), [VPainLess](https://github.com/vpainless/vpainless)
@@ -106,16 +109,22 @@
  - [Furious](https://github.com/LorenEteval/Furious)
  - [Invisible Man - Xray](https://github.com/InvisibleManVPN/InvisibleMan-XRayClient)
  - [AnyPortal](https://github.com/AnyPortal/AnyPortal)
+  - [GenyConnect](https://github.com/genyleap/GenyConnect)
+  - [OneXray](https://github.com/OneXray/OneXray)
+  - [XrayUI-dev](https://github.com/PhoenixNil/XrayUI-dev)
 - Android
  - [v2rayNG](https://github.com/2dust/v2rayNG)
  - [X-flutter](https://github.com/XTLS/X-flutter)
  - [SaeedDev94/Xray](https://github.com/SaeedDev94/Xray)
  - [SimpleXray](https://github.com/lhear/SimpleXray)
+  - [XrayFA](https://github.com/Q7DF1/XrayFA)
  - [AnyPortal](https://github.com/AnyPortal/AnyPortal)
+  - [OneXray](https://github.com/OneXray/OneXray)
 - iOS & macOS arm64 & tvOS
  - [Happ](https://apps.apple.com/app/happ-proxy-utility/id6504287215) | [Happ RU](https://apps.apple.com/ru/app/happ-proxy-utility-plus/id6746188973) | [Happ tvOS](https://apps.apple.com/us/app/happ-proxy-utility-for-tv/id6748297274)
  - [Streisand](https://apps.apple.com/app/streisand/id6450534064)
  - [OneXray](https://github.com/OneXray/OneXray)
+  - [INCY](https://apps.apple.com/en/app/incy/id6756943388)
 - macOS arm64 & x64
  - [Happ](https://apps.apple.com/app/happ-proxy-utility/id6504287215) | [Happ RU](https://apps.apple.com/ru/app/happ-proxy-utility-plus/id6746188973)
  - [V2rayU](https://github.com/yanue/V2rayU)
@@ -125,6 +134,8 @@
  - [GoXRay](https://github.com/goxray/desktop)
  - [AnyPortal](https://github.com/AnyPortal/AnyPortal)
  - [v2rayN](https://github.com/2dust/v2rayN)
+  - [GenyConnect](https://github.com/genyleap/GenyConnect)
+  - [INCY](https://apps.apple.com/en/app/incy/id6756943388)
 - Linux
  - [v2rayA](https://github.com/v2rayA/v2rayA)
  - [Furious](https://github.com/LorenEteval/Furious)
@@ -132,10 +143,13 @@
  - [GoXRay](https://github.com/goxray/desktop)
  - [AnyPortal](https://github.com/AnyPortal/AnyPortal)
  - [v2rayN](https://github.com/2dust/v2rayN)
+  - [GenyConnect](https://github.com/genyleap/GenyConnect)
+  - [OneXray](https://github.com/OneXray/OneXray)

 ## Others that support VLESS, XTLS, REALITY, XUDP, PLUX...

 - iOS & macOS arm64 & tvOS
+  - [Anywhere](https://github.com/NodePassProject/Anywhere)
  - [Shadowrocket](https://apps.apple.com/app/shadowrocket/id932747118)
  - [Loon](https://apps.apple.com/us/app/loon/id1373567447)
  - [Egern](https://apps.apple.com/us/app/egern/id1616105820)
--- a/app/commander/commander.go
+++ b/app/commander/commander.go
@@ -4,12 +4,14 @@ import (
 	"context"
 	"net"
 	"sync"
+    "strings"

 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/signal/done"
 	core "github.com/xtls/xray-core/core"
 	"github.com/xtls/xray-core/features/outbound"
+    "github.com/xtls/xray-core/transport/internet"
 	"google.golang.org/grpc"
 )

@@ -73,14 +75,27 @@ func (c *Commander) Start() error {
 		}
 	}

+
 	if len(c.listen) > 0 {
-		if l, err := net.Listen("tcp", c.listen); err != nil {
+		var addr net.Addr
+		
+		if strings.HasPrefix(c.listen, "/") || strings.HasPrefix(c.listen, "@") {
+			addr = &net.UnixAddr{Name: c.listen, Net: "unix"}
+		} else {
+			tcpAddr, err := net.ResolveTCPAddr("tcp", c.listen)
+			if err != nil {
+				errors.LogErrorInner(context.Background(), err, "API server failed to parse listen address ", c.listen)
+				return err
+			}
+			addr = tcpAddr
+		}
+        l, err := internet.ListenSystem(context.Background(), addr, nil)
+		if err != nil {
 			errors.LogErrorInner(context.Background(), err, "API server failed to listen on ", c.listen)
 			return err
-		} else {
-			errors.LogInfo(context.Background(), "API server listening on ", l.Addr())
-			go listen(l)
 		}
+		errors.LogInfo(context.Background(), "API server listening on ", l.Addr())
+		go listen(l)
 		return nil
 	}

--- a/app/dispatcher/default.go
+++ b/app/dispatcher/default.go
@@ -2,7 +2,6 @@ package dispatcher

 import (
 	"context"
-	"regexp"
 	"strings"
 	"sync"
 	"time"
@@ -181,15 +180,7 @@ func (d *DefaultDispatcher) getLink(ctx context.Context) (*transport.Link, *tran
 		}

 		if p.Stats.UserOnline {
-			name := "user>>>" + user.Email + ">>>online"
-			if om, _ := stats.GetOrRegisterOnlineMap(d.stats, name); om != nil {
-				sessionInbounds := session.InboundFromContext(ctx)
-				userIP := sessionInbounds.Source.Address.String()
-				om.AddIP(userIP)
-				// log Online user with ips
-				// errors.LogDebug(ctx, "user>>>" + user.Email + ">>>online", om.Count(), om.List())
-
-			}
+			trackOnlineIP(ctx, d.stats, user.Email, sessionInbound.Source.Address.String())
 		}
 	}

@@ -223,41 +214,31 @@ func WrapLink(ctx context.Context, policyManager policy.Manager, statsManager st
 			}
 		}
 		if p.Stats.UserOnline {
-			name := "user>>>" + user.Email + ">>>online"
-			if om, _ := stats.GetOrRegisterOnlineMap(statsManager, name); om != nil {
-				sessionInbounds := session.InboundFromContext(ctx)
-				userIP := sessionInbounds.Source.Address.String()
-				om.AddIP(userIP)
-				// log Online user with ips
-				// errors.LogDebug(ctx, "user>>>" + user.Email + ">>>online", om.Count(), om.List())
-			}
+			trackOnlineIP(ctx, statsManager, user.Email, sessionInbound.Source.Address.String())
 		}
 	}

 	return link
 }

+func trackOnlineIP(ctx context.Context, sm stats.Manager, email, ip string) {
+	name := "user>>>" + email + ">>>online"
+	if om, _ := stats.GetOrRegisterOnlineMap(sm, name); om != nil {
+		om.AddIP(ip)
+		context.AfterFunc(ctx, func() { om.RemoveIP(ip) })
+	}
+}
+
 func (d *DefaultDispatcher) shouldOverride(ctx context.Context, result SniffResult, request session.SniffingRequest, destination net.Destination) bool {
 	domain := result.Domain()
 	if domain == "" {
 		return false
 	}
-	for _, d := range request.ExcludeForDomain {
-		if strings.HasPrefix(d, "regexp:") {
-			pattern := d[7:]
-			re, err := regexp.Compile(pattern)
-			if err != nil {
-				errors.LogInfo(ctx, "Unable to compile regex")
-				continue
-			}
-			if re.MatchString(domain) {
-				return false
-			}
-		} else {
-			if strings.ToLower(domain) == d {
-				return false
-			}
-		}
+	if request.ExcludeForDomain != nil && request.ExcludeForDomain.MatchAny(strings.ToLower(domain)) {
+		return false
+	}
+	if request.ExcludeForIP != nil && destination.Address.Family().IsIP() && request.ExcludeForIP.Match(destination.Address.IP()) {
+		return false
 	}
 	protocolString := result.Protocol()
 	if resComp, ok := result.(SnifferResultComposite); ok {
--- a/app/dns/config.go
+++ b/app/dns/config.go
@@ -2,48 +2,24 @@ package dns

 import (
 	"github.com/xtls/xray-core/common/errors"
+	"github.com/xtls/xray-core/common/geodata"
 	"github.com/xtls/xray-core/common/net"
-	"github.com/xtls/xray-core/common/strmatcher"
 	"github.com/xtls/xray-core/common/uuid"
 )

-var typeMap = map[DomainMatchingType]strmatcher.Type{
-	DomainMatchingType_Full:      strmatcher.Full,
-	DomainMatchingType_Subdomain: strmatcher.Domain,
-	DomainMatchingType_Keyword:   strmatcher.Substr,
-	DomainMatchingType_Regex:     strmatcher.Regex,
-}
-
 // References:
 // https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml
 // https://unix.stackexchange.com/questions/92441/whats-the-difference-between-local-home-and-lan
-var localTLDsAndDotlessDomains = []*NameServer_PriorityDomain{
-	{Type: DomainMatchingType_Regex, Domain: "^[^.]+$"}, // This will only match domains without any dot
-	{Type: DomainMatchingType_Subdomain, Domain: "local"},
-	{Type: DomainMatchingType_Subdomain, Domain: "localdomain"},
-	{Type: DomainMatchingType_Subdomain, Domain: "localhost"},
-	{Type: DomainMatchingType_Subdomain, Domain: "lan"},
-	{Type: DomainMatchingType_Subdomain, Domain: "home.arpa"},
-	{Type: DomainMatchingType_Subdomain, Domain: "example"},
-	{Type: DomainMatchingType_Subdomain, Domain: "invalid"},
-	{Type: DomainMatchingType_Subdomain, Domain: "test"},
-}
-
-var localTLDsAndDotlessDomainsRule = &NameServer_OriginalRule{
-	Rule: "geosite:private",
-	Size: uint32(len(localTLDsAndDotlessDomains)),
-}
-
-func toStrMatcher(t DomainMatchingType, domain string) (strmatcher.Matcher, error) {
-	strMType, f := typeMap[t]
-	if !f {
-		return nil, errors.New("unknown mapping type", t).AtWarning()
-	}
-	matcher, err := strMType.New(domain)
-	if err != nil {
-		return nil, errors.New("failed to create str matcher").Base(err)
-	}
-	return matcher, nil
+var localTLDsAndDotlessDomainsRules = []*geodata.DomainRule{
+	{Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Regex, Value: "^[^.]+$"}}}, // This will only match domains without any dot
+	{Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Domain, Value: "local"}}},
+	{Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Domain, Value: "localdomain"}}},
+	{Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Domain, Value: "localhost"}}},
+	{Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Domain, Value: "lan"}}},
+	{Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Domain, Value: "home.arpa"}}},
+	{Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Domain, Value: "example"}}},
+	{Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Domain, Value: "invalid"}}},
+	{Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Domain, Value: "test"}}},
 }

 func toNetIP(addrs []net.Address) ([]net.IP, error) {
--- a/app/dns/config.pb.go
+++ b/app/dns/config.pb.go
@@ -7,7 +7,7 @@
 package dns

 import (
-	router "github.com/xtls/xray-core/app/router"
+	geodata "github.com/xtls/xray-core/common/geodata"
 	net "github.com/xtls/xray-core/common/net"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
@@ -23,58 +23,6 @@ const (
 	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
 )

-type DomainMatchingType int32
-
-const (
-	DomainMatchingType_Full      DomainMatchingType = 0
-	DomainMatchingType_Subdomain DomainMatchingType = 1
-	DomainMatchingType_Keyword   DomainMatchingType = 2
-	DomainMatchingType_Regex     DomainMatchingType = 3
-)
-
-// Enum value maps for DomainMatchingType.
-var (
-	DomainMatchingType_name = map[int32]string{
-		0: "Full",
-		1: "Subdomain",
-		2: "Keyword",
-		3: "Regex",
-	}
-	DomainMatchingType_value = map[string]int32{
-		"Full":      0,
-		"Subdomain": 1,
-		"Keyword":   2,
-		"Regex":     3,
-	}
-)
-
-func (x DomainMatchingType) Enum() *DomainMatchingType {
-	p := new(DomainMatchingType)
-	*p = x
-	return p
-}
-
-func (x DomainMatchingType) String() string {
-	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
-}
-
-func (DomainMatchingType) Descriptor() protoreflect.EnumDescriptor {
-	return file_app_dns_config_proto_enumTypes[0].Descriptor()
-}
-
-func (DomainMatchingType) Type() protoreflect.EnumType {
-	return &file_app_dns_config_proto_enumTypes[0]
-}
-
-func (x DomainMatchingType) Number() protoreflect.EnumNumber {
-	return protoreflect.EnumNumber(x)
-}
-
-// Deprecated: Use DomainMatchingType.Descriptor instead.
-func (DomainMatchingType) EnumDescriptor() ([]byte, []int) {
-	return file_app_dns_config_proto_rawDescGZIP(), []int{0}
-}
-
 type QueryStrategy int32

 const (
@@ -111,11 +59,11 @@ func (x QueryStrategy) String() string {
 }

 func (QueryStrategy) Descriptor() protoreflect.EnumDescriptor {
-	return file_app_dns_config_proto_enumTypes[1].Descriptor()
+	return file_app_dns_config_proto_enumTypes[0].Descriptor()
 }

 func (QueryStrategy) Type() protoreflect.EnumType {
-	return &file_app_dns_config_proto_enumTypes[1]
+	return &file_app_dns_config_proto_enumTypes[0]
 }

 func (x QueryStrategy) Number() protoreflect.EnumNumber {
@@ -124,30 +72,29 @@ func (x QueryStrategy) Number() protoreflect.EnumNumber {

 // Deprecated: Use QueryStrategy.Descriptor instead.
 func (QueryStrategy) EnumDescriptor() ([]byte, []int) {
-	return file_app_dns_config_proto_rawDescGZIP(), []int{1}
+	return file_app_dns_config_proto_rawDescGZIP(), []int{0}
 }

 type NameServer struct {
-	state             protoimpl.MessageState       `protogen:"open.v1"`
-	Address           *net.Endpoint                `protobuf:"bytes,1,opt,name=address,proto3" json:"address,omitempty"`
-	ClientIp          []byte                       `protobuf:"bytes,5,opt,name=client_ip,json=clientIp,proto3" json:"client_ip,omitempty"`
-	SkipFallback      bool                         `protobuf:"varint,6,opt,name=skipFallback,proto3" json:"skipFallback,omitempty"`
-	PrioritizedDomain []*NameServer_PriorityDomain `protobuf:"bytes,2,rep,name=prioritized_domain,json=prioritizedDomain,proto3" json:"prioritized_domain,omitempty"`
-	ExpectedGeoip     []*router.GeoIP              `protobuf:"bytes,3,rep,name=expected_geoip,json=expectedGeoip,proto3" json:"expected_geoip,omitempty"`
-	OriginalRules     []*NameServer_OriginalRule   `protobuf:"bytes,4,rep,name=original_rules,json=originalRules,proto3" json:"original_rules,omitempty"`
-	QueryStrategy     QueryStrategy                `protobuf:"varint,7,opt,name=query_strategy,json=queryStrategy,proto3,enum=xray.app.dns.QueryStrategy" json:"query_strategy,omitempty"`
-	ActPrior          bool                         `protobuf:"varint,8,opt,name=actPrior,proto3" json:"actPrior,omitempty"`
-	Tag               string                       `protobuf:"bytes,9,opt,name=tag,proto3" json:"tag,omitempty"`
-	TimeoutMs         uint64                       `protobuf:"varint,10,opt,name=timeoutMs,proto3" json:"timeoutMs,omitempty"`
-	DisableCache      *bool                        `protobuf:"varint,11,opt,name=disableCache,proto3,oneof" json:"disableCache,omitempty"`
-	ServeStale        *bool                        `protobuf:"varint,15,opt,name=serveStale,proto3,oneof" json:"serveStale,omitempty"`
-	ServeExpiredTTL   *uint32                      `protobuf:"varint,16,opt,name=serveExpiredTTL,proto3,oneof" json:"serveExpiredTTL,omitempty"`
-	FinalQuery        bool                         `protobuf:"varint,12,opt,name=finalQuery,proto3" json:"finalQuery,omitempty"`
-	UnexpectedGeoip   []*router.GeoIP              `protobuf:"bytes,13,rep,name=unexpected_geoip,json=unexpectedGeoip,proto3" json:"unexpected_geoip,omitempty"`
-	ActUnprior        bool                         `protobuf:"varint,14,opt,name=actUnprior,proto3" json:"actUnprior,omitempty"`
-	PolicyID          uint32                       `protobuf:"varint,17,opt,name=policyID,proto3" json:"policyID,omitempty"`
-	unknownFields     protoimpl.UnknownFields
-	sizeCache         protoimpl.SizeCache
+	state           protoimpl.MessageState `protogen:"open.v1"`
+	Address         *net.Endpoint          `protobuf:"bytes,1,opt,name=address,proto3" json:"address,omitempty"`
+	ClientIp        []byte                 `protobuf:"bytes,5,opt,name=client_ip,json=clientIp,proto3" json:"client_ip,omitempty"`
+	SkipFallback    bool                   `protobuf:"varint,6,opt,name=skipFallback,proto3" json:"skipFallback,omitempty"`
+	Domain          []*geodata.DomainRule  `protobuf:"bytes,2,rep,name=domain,proto3" json:"domain,omitempty"`
+	ExpectedIp      []*geodata.IPRule      `protobuf:"bytes,3,rep,name=expected_ip,json=expectedIp,proto3" json:"expected_ip,omitempty"`
+	QueryStrategy   QueryStrategy          `protobuf:"varint,7,opt,name=query_strategy,json=queryStrategy,proto3,enum=xray.app.dns.QueryStrategy" json:"query_strategy,omitempty"`
+	ActPrior        bool                   `protobuf:"varint,8,opt,name=actPrior,proto3" json:"actPrior,omitempty"`
+	Tag             string                 `protobuf:"bytes,9,opt,name=tag,proto3" json:"tag,omitempty"`
+	TimeoutMs       uint64                 `protobuf:"varint,10,opt,name=timeoutMs,proto3" json:"timeoutMs,omitempty"`
+	DisableCache    *bool                  `protobuf:"varint,11,opt,name=disableCache,proto3,oneof" json:"disableCache,omitempty"`
+	ServeStale      *bool                  `protobuf:"varint,15,opt,name=serveStale,proto3,oneof" json:"serveStale,omitempty"`
+	ServeExpiredTTL *uint32                `protobuf:"varint,16,opt,name=serveExpiredTTL,proto3,oneof" json:"serveExpiredTTL,omitempty"`
+	FinalQuery      bool                   `protobuf:"varint,12,opt,name=finalQuery,proto3" json:"finalQuery,omitempty"`
+	UnexpectedIp    []*geodata.IPRule      `protobuf:"bytes,13,rep,name=unexpected_ip,json=unexpectedIp,proto3" json:"unexpected_ip,omitempty"`
+	ActUnprior      bool                   `protobuf:"varint,14,opt,name=actUnprior,proto3" json:"actUnprior,omitempty"`
+	PolicyID        uint32                 `protobuf:"varint,17,opt,name=policyID,proto3" json:"policyID,omitempty"`
+	unknownFields   protoimpl.UnknownFields
+	sizeCache       protoimpl.SizeCache
 }

 func (x *NameServer) Reset() {
@@ -201,23 +148,16 @@ func (x *NameServer) GetSkipFallback() bool {
 	return false
 }

-func (x *NameServer) GetPrioritizedDomain() []*NameServer_PriorityDomain {
+func (x *NameServer) GetDomain() []*geodata.DomainRule {
 	if x != nil {
-		return x.PrioritizedDomain
+		return x.Domain
 	}
 	return nil
 }

-func (x *NameServer) GetExpectedGeoip() []*router.GeoIP {
+func (x *NameServer) GetExpectedIp() []*geodata.IPRule {
 	if x != nil {
-		return x.ExpectedGeoip
-	}
-	return nil
-}
-
-func (x *NameServer) GetOriginalRules() []*NameServer_OriginalRule {
-	if x != nil {
-		return x.OriginalRules
+		return x.ExpectedIp
 	}
 	return nil
 }
@@ -278,9 +218,9 @@ func (x *NameServer) GetFinalQuery() bool {
 	return false
 }

-func (x *NameServer) GetUnexpectedGeoip() []*router.GeoIP {
+func (x *NameServer) GetUnexpectedIp() []*geodata.IPRule {
 	if x != nil {
-		return x.UnexpectedGeoip
+		return x.UnexpectedIp
 	}
 	return nil
 }
@@ -429,114 +369,9 @@ func (x *Config) GetEnableParallelQuery() bool {
 	return false
 }

-type NameServer_PriorityDomain struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	Type          DomainMatchingType     `protobuf:"varint,1,opt,name=type,proto3,enum=xray.app.dns.DomainMatchingType" json:"type,omitempty"`
-	Domain        string                 `protobuf:"bytes,2,opt,name=domain,proto3" json:"domain,omitempty"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *NameServer_PriorityDomain) Reset() {
-	*x = NameServer_PriorityDomain{}
-	mi := &file_app_dns_config_proto_msgTypes[2]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *NameServer_PriorityDomain) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*NameServer_PriorityDomain) ProtoMessage() {}
-
-func (x *NameServer_PriorityDomain) ProtoReflect() protoreflect.Message {
-	mi := &file_app_dns_config_proto_msgTypes[2]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use NameServer_PriorityDomain.ProtoReflect.Descriptor instead.
-func (*NameServer_PriorityDomain) Descriptor() ([]byte, []int) {
-	return file_app_dns_config_proto_rawDescGZIP(), []int{0, 0}
-}
-
-func (x *NameServer_PriorityDomain) GetType() DomainMatchingType {
-	if x != nil {
-		return x.Type
-	}
-	return DomainMatchingType_Full
-}
-
-func (x *NameServer_PriorityDomain) GetDomain() string {
-	if x != nil {
-		return x.Domain
-	}
-	return ""
-}
-
-type NameServer_OriginalRule struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	Rule          string                 `protobuf:"bytes,1,opt,name=rule,proto3" json:"rule,omitempty"`
-	Size          uint32                 `protobuf:"varint,2,opt,name=size,proto3" json:"size,omitempty"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *NameServer_OriginalRule) Reset() {
-	*x = NameServer_OriginalRule{}
-	mi := &file_app_dns_config_proto_msgTypes[3]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *NameServer_OriginalRule) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*NameServer_OriginalRule) ProtoMessage() {}
-
-func (x *NameServer_OriginalRule) ProtoReflect() protoreflect.Message {
-	mi := &file_app_dns_config_proto_msgTypes[3]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use NameServer_OriginalRule.ProtoReflect.Descriptor instead.
-func (*NameServer_OriginalRule) Descriptor() ([]byte, []int) {
-	return file_app_dns_config_proto_rawDescGZIP(), []int{0, 1}
-}
-
-func (x *NameServer_OriginalRule) GetRule() string {
-	if x != nil {
-		return x.Rule
-	}
-	return ""
-}
-
-func (x *NameServer_OriginalRule) GetSize() uint32 {
-	if x != nil {
-		return x.Size
-	}
-	return 0
-}
-
 type Config_HostMapping struct {
 	state  protoimpl.MessageState `protogen:"open.v1"`
-	Type   DomainMatchingType     `protobuf:"varint,1,opt,name=type,proto3,enum=xray.app.dns.DomainMatchingType" json:"type,omitempty"`
-	Domain string                 `protobuf:"bytes,2,opt,name=domain,proto3" json:"domain,omitempty"`
+	Domain *geodata.DomainRule    `protobuf:"bytes,2,opt,name=domain,proto3" json:"domain,omitempty"`
 	Ip     [][]byte               `protobuf:"bytes,3,rep,name=ip,proto3" json:"ip,omitempty"`
 	// ProxiedDomain indicates the mapped domain has the same IP address on this
 	// domain. Xray will use this domain for IP queries.
@@ -547,7 +382,7 @@ type Config_HostMapping struct {

 func (x *Config_HostMapping) Reset() {
 	*x = Config_HostMapping{}
-	mi := &file_app_dns_config_proto_msgTypes[4]
+	mi := &file_app_dns_config_proto_msgTypes[2]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -559,7 +394,7 @@ func (x *Config_HostMapping) String() string {
 func (*Config_HostMapping) ProtoMessage() {}

 func (x *Config_HostMapping) ProtoReflect() protoreflect.Message {
-	mi := &file_app_dns_config_proto_msgTypes[4]
+	mi := &file_app_dns_config_proto_msgTypes[2]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -575,18 +410,11 @@ func (*Config_HostMapping) Descriptor() ([]byte, []int) {
 	return file_app_dns_config_proto_rawDescGZIP(), []int{1, 0}
 }

-func (x *Config_HostMapping) GetType() DomainMatchingType {
-	if x != nil {
-		return x.Type
-	}
-	return DomainMatchingType_Full
-}
-
-func (x *Config_HostMapping) GetDomain() string {
+func (x *Config_HostMapping) GetDomain() *geodata.DomainRule {
 	if x != nil {
 		return x.Domain
 	}
-	return ""
+	return nil
 }

 func (x *Config_HostMapping) GetIp() [][]byte {
@@ -607,15 +435,15 @@ var File_app_dns_config_proto protoreflect.FileDescriptor

 const file_app_dns_config_proto_rawDesc = "" +
 	"\n" +
-	"\x14app/dns/config.proto\x12\fxray.app.dns\x1a\x1ccommon/net/destination.proto\x1a\x17app/router/config.proto\"\xdf\a\n" +
+	"\x14app/dns/config.proto\x12\fxray.app.dns\x1a\x1ccommon/net/destination.proto\x1a\x1bcommon/geodata/geodat.proto\"\xde\x05\n" +
 	"\n" +
 	"NameServer\x123\n" +
 	"\aaddress\x18\x01 \x01(\v2\x19.xray.common.net.EndpointR\aaddress\x12\x1b\n" +
 	"\tclient_ip\x18\x05 \x01(\fR\bclientIp\x12\"\n" +
-	"\fskipFallback\x18\x06 \x01(\bR\fskipFallback\x12V\n" +
-	"\x12prioritized_domain\x18\x02 \x03(\v2'.xray.app.dns.NameServer.PriorityDomainR\x11prioritizedDomain\x12=\n" +
-	"\x0eexpected_geoip\x18\x03 \x03(\v2\x16.xray.app.router.GeoIPR\rexpectedGeoip\x12L\n" +
-	"\x0eoriginal_rules\x18\x04 \x03(\v2%.xray.app.dns.NameServer.OriginalRuleR\roriginalRules\x12B\n" +
+	"\fskipFallback\x18\x06 \x01(\bR\fskipFallback\x127\n" +
+	"\x06domain\x18\x02 \x03(\v2\x1f.xray.common.geodata.DomainRuleR\x06domain\x12<\n" +
+	"\vexpected_ip\x18\x03 \x03(\v2\x1b.xray.common.geodata.IPRuleR\n" +
+	"expectedIp\x12B\n" +
 	"\x0equery_strategy\x18\a \x01(\x0e2\x1b.xray.app.dns.QueryStrategyR\rqueryStrategy\x12\x1a\n" +
 	"\bactPrior\x18\b \x01(\bR\bactPrior\x12\x10\n" +
 	"\x03tag\x18\t \x01(\tR\x03tag\x12\x1c\n" +
@@ -628,21 +456,15 @@ const file_app_dns_config_proto_rawDesc = "" +
 	"\x0fserveExpiredTTL\x18\x10 \x01(\rH\x02R\x0fserveExpiredTTL\x88\x01\x01\x12\x1e\n" +
 	"\n" +
 	"finalQuery\x18\f \x01(\bR\n" +
-	"finalQuery\x12A\n" +
-	"\x10unexpected_geoip\x18\r \x03(\v2\x16.xray.app.router.GeoIPR\x0funexpectedGeoip\x12\x1e\n" +
+	"finalQuery\x12@\n" +
+	"\runexpected_ip\x18\r \x03(\v2\x1b.xray.common.geodata.IPRuleR\funexpectedIp\x12\x1e\n" +
 	"\n" +
 	"actUnprior\x18\x0e \x01(\bR\n" +
 	"actUnprior\x12\x1a\n" +
-	"\bpolicyID\x18\x11 \x01(\rR\bpolicyID\x1a^\n" +
-	"\x0ePriorityDomain\x124\n" +
-	"\x04type\x18\x01 \x01(\x0e2 .xray.app.dns.DomainMatchingTypeR\x04type\x12\x16\n" +
-	"\x06domain\x18\x02 \x01(\tR\x06domain\x1a6\n" +
-	"\fOriginalRule\x12\x12\n" +
-	"\x04rule\x18\x01 \x01(\tR\x04rule\x12\x12\n" +
-	"\x04size\x18\x02 \x01(\rR\x04sizeB\x0f\n" +
+	"\bpolicyID\x18\x11 \x01(\rR\bpolicyIDB\x0f\n" +
 	"\r_disableCacheB\r\n" +
 	"\v_serveStaleB\x12\n" +
-	"\x10_serveExpiredTTL\"\x98\x05\n" +
+	"\x10_serveExpiredTTLJ\x04\b\x04\x10\x05\"\x82\x05\n" +
 	"\x06Config\x129\n" +
 	"\vname_server\x18\x05 \x03(\v2\x18.xray.app.dns.NameServerR\n" +
 	"nameServer\x12\x1b\n" +
@@ -658,17 +480,11 @@ const file_app_dns_config_proto_rawDesc = "" +
 	"\x0fdisableFallback\x18\n" +
 	" \x01(\bR\x0fdisableFallback\x126\n" +
 	"\x16disableFallbackIfMatch\x18\v \x01(\bR\x16disableFallbackIfMatch\x120\n" +
-	"\x13enableParallelQuery\x18\x0e \x01(\bR\x13enableParallelQuery\x1a\x92\x01\n" +
-	"\vHostMapping\x124\n" +
-	"\x04type\x18\x01 \x01(\x0e2 .xray.app.dns.DomainMatchingTypeR\x04type\x12\x16\n" +
-	"\x06domain\x18\x02 \x01(\tR\x06domain\x12\x0e\n" +
+	"\x13enableParallelQuery\x18\x0e \x01(\bR\x13enableParallelQuery\x1a}\n" +
+	"\vHostMapping\x127\n" +
+	"\x06domain\x18\x02 \x01(\v2\x1f.xray.common.geodata.DomainRuleR\x06domain\x12\x0e\n" +
 	"\x02ip\x18\x03 \x03(\fR\x02ip\x12%\n" +
-	"\x0eproxied_domain\x18\x04 \x01(\tR\rproxiedDomainJ\x04\b\a\x10\b*E\n" +
-	"\x12DomainMatchingType\x12\b\n" +
-	"\x04Full\x10\x00\x12\r\n" +
-	"\tSubdomain\x10\x01\x12\v\n" +
-	"\aKeyword\x10\x02\x12\t\n" +
-	"\x05Regex\x10\x03*B\n" +
+	"\x0eproxied_domain\x18\x04 \x01(\tR\rproxiedDomainJ\x04\b\a\x10\b*B\n" +
 	"\rQueryStrategy\x12\n" +
 	"\n" +
 	"\x06USE_IP\x10\x00\x12\v\n" +
@@ -689,36 +505,32 @@ func file_app_dns_config_proto_rawDescGZIP() []byte {
 	return file_app_dns_config_proto_rawDescData
 }

-var file_app_dns_config_proto_enumTypes = make([]protoimpl.EnumInfo, 2)
-var file_app_dns_config_proto_msgTypes = make([]protoimpl.MessageInfo, 5)
+var file_app_dns_config_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
+var file_app_dns_config_proto_msgTypes = make([]protoimpl.MessageInfo, 3)
 var file_app_dns_config_proto_goTypes = []any{
-	(DomainMatchingType)(0),           // 0: xray.app.dns.DomainMatchingType
-	(QueryStrategy)(0),                // 1: xray.app.dns.QueryStrategy
-	(*NameServer)(nil),                // 2: xray.app.dns.NameServer
-	(*Config)(nil),                    // 3: xray.app.dns.Config
-	(*NameServer_PriorityDomain)(nil), // 4: xray.app.dns.NameServer.PriorityDomain
-	(*NameServer_OriginalRule)(nil),   // 5: xray.app.dns.NameServer.OriginalRule
-	(*Config_HostMapping)(nil),        // 6: xray.app.dns.Config.HostMapping
-	(*net.Endpoint)(nil),              // 7: xray.common.net.Endpoint
-	(*router.GeoIP)(nil),              // 8: xray.app.router.GeoIP
+	(QueryStrategy)(0),         // 0: xray.app.dns.QueryStrategy
+	(*NameServer)(nil),         // 1: xray.app.dns.NameServer
+	(*Config)(nil),             // 2: xray.app.dns.Config
+	(*Config_HostMapping)(nil), // 3: xray.app.dns.Config.HostMapping
+	(*net.Endpoint)(nil),       // 4: xray.common.net.Endpoint
+	(*geodata.DomainRule)(nil), // 5: xray.common.geodata.DomainRule
+	(*geodata.IPRule)(nil),     // 6: xray.common.geodata.IPRule
 }
 var file_app_dns_config_proto_depIdxs = []int32{
-	7,  // 0: xray.app.dns.NameServer.address:type_name -> xray.common.net.Endpoint
-	4,  // 1: xray.app.dns.NameServer.prioritized_domain:type_name -> xray.app.dns.NameServer.PriorityDomain
-	8,  // 2: xray.app.dns.NameServer.expected_geoip:type_name -> xray.app.router.GeoIP
-	5,  // 3: xray.app.dns.NameServer.original_rules:type_name -> xray.app.dns.NameServer.OriginalRule
-	1,  // 4: xray.app.dns.NameServer.query_strategy:type_name -> xray.app.dns.QueryStrategy
-	8,  // 5: xray.app.dns.NameServer.unexpected_geoip:type_name -> xray.app.router.GeoIP
-	2,  // 6: xray.app.dns.Config.name_server:type_name -> xray.app.dns.NameServer
-	6,  // 7: xray.app.dns.Config.static_hosts:type_name -> xray.app.dns.Config.HostMapping
-	1,  // 8: xray.app.dns.Config.query_strategy:type_name -> xray.app.dns.QueryStrategy
-	0,  // 9: xray.app.dns.NameServer.PriorityDomain.type:type_name -> xray.app.dns.DomainMatchingType
-	0,  // 10: xray.app.dns.Config.HostMapping.type:type_name -> xray.app.dns.DomainMatchingType
-	11, // [11:11] is the sub-list for method output_type
-	11, // [11:11] is the sub-list for method input_type
-	11, // [11:11] is the sub-list for extension type_name
-	11, // [11:11] is the sub-list for extension extendee
-	0,  // [0:11] is the sub-list for field type_name
+	4, // 0: xray.app.dns.NameServer.address:type_name -> xray.common.net.Endpoint
+	5, // 1: xray.app.dns.NameServer.domain:type_name -> xray.common.geodata.DomainRule
+	6, // 2: xray.app.dns.NameServer.expected_ip:type_name -> xray.common.geodata.IPRule
+	0, // 3: xray.app.dns.NameServer.query_strategy:type_name -> xray.app.dns.QueryStrategy
+	6, // 4: xray.app.dns.NameServer.unexpected_ip:type_name -> xray.common.geodata.IPRule
+	1, // 5: xray.app.dns.Config.name_server:type_name -> xray.app.dns.NameServer
+	3, // 6: xray.app.dns.Config.static_hosts:type_name -> xray.app.dns.Config.HostMapping
+	0, // 7: xray.app.dns.Config.query_strategy:type_name -> xray.app.dns.QueryStrategy
+	5, // 8: xray.app.dns.Config.HostMapping.domain:type_name -> xray.common.geodata.DomainRule
+	9, // [9:9] is the sub-list for method output_type
+	9, // [9:9] is the sub-list for method input_type
+	9, // [9:9] is the sub-list for extension type_name
+	9, // [9:9] is the sub-list for extension extendee
+	0, // [0:9] is the sub-list for field type_name
 }

 func init() { file_app_dns_config_proto_init() }
@@ -732,8 +544,8 @@ func file_app_dns_config_proto_init() {
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_app_dns_config_proto_rawDesc), len(file_app_dns_config_proto_rawDesc)),
-			NumEnums:      2,
-			NumMessages:   5,
+			NumEnums:      1,
+			NumMessages:   3,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
--- a/app/dns/config.proto
+++ b/app/dns/config.proto
@@ -7,26 +7,15 @@ option java_package = "com.xray.app.dns";
 option java_multiple_files = true;

 import "common/net/destination.proto";
-import "app/router/config.proto";
+import "common/geodata/geodat.proto";

 message NameServer {
  xray.common.net.Endpoint address = 1;
  bytes client_ip = 5;
  bool skipFallback = 6;
-
-  message PriorityDomain {
-    DomainMatchingType type = 1;
-    string domain = 2;
-  }
-
-  message OriginalRule {
-    string rule = 1;
-    uint32 size = 2;
-  }
-
-  repeated PriorityDomain prioritized_domain = 2;
-  repeated xray.app.router.GeoIP expected_geoip = 3;
-  repeated OriginalRule original_rules = 4;
+  repeated xray.common.geodata.DomainRule domain = 2;
+  repeated xray.common.geodata.IPRule expected_ip = 3;
+  reserved 4;
  QueryStrategy query_strategy = 7;
  bool actPrior = 8;
  string tag = 9;
@@ -35,18 +24,11 @@ message NameServer {
  optional bool serveStale = 15;
  optional uint32 serveExpiredTTL = 16;
  bool finalQuery = 12;
-  repeated xray.app.router.GeoIP unexpected_geoip = 13;
+  repeated xray.common.geodata.IPRule unexpected_ip = 13;
  bool actUnprior = 14;
  uint32 policyID = 17;
 }

-enum DomainMatchingType {
-  Full = 0;
-  Subdomain = 1;
-  Keyword = 2;
-  Regex = 3;
-}
-
 enum QueryStrategy {
  USE_IP = 0;
  USE_IP4 = 1;
@@ -64,8 +46,7 @@ message Config {
  bytes client_ip = 3;

  message HostMapping {
-    DomainMatchingType type = 1;
-    string domain = 2;
+    xray.common.geodata.DomainRule domain = 2;

    repeated bytes ip = 3;

--- a/app/dns/dns.go
+++ b/app/dns/dns.go
@@ -5,20 +5,16 @@ import (
 	"context"
 	go_errors "errors"
 	"fmt"
-	"os"
-	"runtime"
 	"sort"
 	"strings"
 	"sync"
-	"time"

-	"github.com/xtls/xray-core/app/router"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/errors"
+	"github.com/xtls/xray-core/common/geodata"
 	"github.com/xtls/xray-core/common/net"
-	"github.com/xtls/xray-core/common/platform"
 	"github.com/xtls/xray-core/common/session"
-	"github.com/xtls/xray-core/common/strmatcher"
+	"github.com/xtls/xray-core/common/utils"
 	"github.com/xtls/xray-core/features/dns"
 )

@@ -32,15 +28,15 @@ type DNS struct {
 	hosts                  *StaticHosts
 	clients                []*Client
 	ctx                    context.Context
-	domainMatcher          strmatcher.IndexMatcher
+	domainMatcher          geodata.DomainMatcher
 	matcherInfos           []*DomainMatcherInfo
 	checkSystem            bool
 }

-// DomainMatcherInfo contains information attached to index returned by Server.domainMatcher
+// DomainMatcherInfo contains information attached to index returned by Server.domainMatcher.
 type DomainMatcherInfo struct {
-	clientIdx     uint16
-	domainRuleIdx uint16
+	clientIdx  uint16
+	domainRule string
 }

 // New creates a new DNS server with given configuration.
@@ -85,56 +81,40 @@ func New(ctx context.Context, config *Config) (*DNS, error) {
 		return nil, errors.New("unexpected query strategy ", config.QueryStrategy)
 	}

-	var hosts *StaticHosts
-	mphLoaded := false
-	domainMatcherPath := platform.NewEnvFlag(platform.MphCachePath).GetValue(func() string { return "" })
-	if domainMatcherPath != "" {
-		if f, err := os.Open(domainMatcherPath); err == nil {
-			defer f.Close()
-			if m, err := router.LoadGeoSiteMatcher(f, "HOSTS"); err == nil {
-				f.Seek(0, 0)
-				if hostIPs, err := router.LoadGeoSiteHosts(f); err == nil {
-					if sh, err := NewStaticHostsFromCache(m, hostIPs); err == nil {
-						hosts = sh
-						mphLoaded = true
-						errors.LogDebug(ctx, "MphDomainMatcher loaded from cache for DNS hosts, size: ", sh.matchers.Size())
-					}
-				}
-			}
-		}
+	hosts, err := NewStaticHosts(config.StaticHosts)
+	if err != nil {
+		return nil, errors.New("failed to create hosts").Base(err)
 	}

-	if !mphLoaded {
-		sh, err := NewStaticHosts(config.StaticHosts)
-		if err != nil {
-			return nil, errors.New("failed to create hosts").Base(err)
-		}
-		hosts = sh
-	}
-
-	var clients []*Client
-	domainRuleCount := 0
-
 	var defaultTag = config.Tag
 	if len(config.Tag) == 0 {
 		defaultTag = generateRandomTag()
 	}

-	for _, ns := range config.NameServer {
-		domainRuleCount += len(ns.PrioritizedDomain)
-	}
-
-	// MatcherInfos is ensured to cover the maximum index domainMatcher could return, where matcher's index starts from 1
-	matcherInfos := make([]*DomainMatcherInfo, domainRuleCount+1)
-	domainMatcher := &strmatcher.MatcherGroup{}
+	clients := make([]*Client, 0, len(config.NameServer))
+	matcherInfos := make([]*DomainMatcherInfo, 0)
+	effectiveRules := make([]*geodata.DomainRule, 0)

 	for _, ns := range config.NameServer {
 		clientIdx := len(clients)
-		updateDomain := func(domainRule strmatcher.Matcher, originalRuleIdx int, matcherInfos []*DomainMatcherInfo) {
-			midx := domainMatcher.Add(domainRule)
-			matcherInfos[midx] = &DomainMatcherInfo{
-				clientIdx:     uint16(clientIdx),
-				domainRuleIdx: uint16(originalRuleIdx),
+		updateRules := func(isLocalNameServer bool) {
+			// Prioritize local domains with specific TLDs or those without any dot for the local DNS
+			if isLocalNameServer {
+				effectiveRules = append(effectiveRules, localTLDsAndDotlessDomainsRules...)
+				for _, rule := range localTLDsAndDotlessDomainsRules {
+					matcherInfos = append(matcherInfos, &DomainMatcherInfo{
+						clientIdx:  uint16(clientIdx),
+						domainRule: rule.String(),
+					})
+				}
+			}
+
+			effectiveRules = append(effectiveRules, ns.Domain...)
+			for _, rule := range ns.Domain {
+				matcherInfos = append(matcherInfos, &DomainMatcherInfo{
+					clientIdx:  uint16(clientIdx),
+					domainRule: rule.String(),
+				})
 			}
 		}

@@ -163,18 +143,27 @@ func New(ctx context.Context, config *Config) (*DNS, error) {
 		if len(ns.Tag) > 0 {
 			tag = ns.Tag
 		}
+
 		clientIPOption := ResolveIpOptionOverride(ns.QueryStrategy, ipOption)
 		if !clientIPOption.IPv4Enable && !clientIPOption.IPv6Enable {
 			return nil, errors.New("no QueryStrategy available for ", ns.Address)
 		}

-		client, err := NewClient(ctx, ns, myClientIP, disableCache, serveStale, serveExpiredTTL, tag, clientIPOption, &matcherInfos, updateDomain)
+		client, err := NewClient(ctx, ns, myClientIP, disableCache, serveStale, serveExpiredTTL, tag, clientIPOption, updateRules)
 		if err != nil {
 			return nil, errors.New("failed to create client").Base(err)
 		}
 		clients = append(clients, client)
 	}

+	var domainMatcher geodata.DomainMatcher
+	if len(effectiveRules) > 0 {
+		domainMatcher, err = geodata.DomainReg.BuildDomainMatcher(effectiveRules)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	// If there is no DNS client in config, add a `localhost` DNS client
 	if len(clients) == 0 {
 		clients = append(clients, NewLocalDNSClient(ipOption))
@@ -232,7 +221,7 @@ func (s *DNS) LookupIP(domain string, option dns.IPOption) ([]net.IP, uint32, er
 	}

 	if s.checkSystem {
-		supportIPv4, supportIPv6 := checkRoutes()
+		supportIPv4, supportIPv6 := utils.CheckRoutes()
 		option.IPv4Enable = option.IPv4Enable && supportIPv4
 		option.IPv6Enable = option.IPv6Enable && supportIPv6
 	} else {
@@ -283,24 +272,27 @@ func (s *DNS) sortClients(domain string) []*Client {

 	// Priority domain matching
 	hasMatch := false
-	MatchSlice := s.domainMatcher.Match(domain)
-	sort.Slice(MatchSlice, func(i, j int) bool {
-		return MatchSlice[i] < MatchSlice[j]
-	})
-	for _, match := range MatchSlice {
-		info := s.matcherInfos[match]
-		client := s.clients[info.clientIdx]
-		domainRule := client.domains[info.domainRuleIdx]
-		domainRules = append(domainRules, fmt.Sprintf("%s(DNS idx:%d)", domainRule, info.clientIdx))
-		if clientUsed[info.clientIdx] {
-			continue
-		}
-		clientUsed[info.clientIdx] = true
-		clients = append(clients, client)
-		clientNames = append(clientNames, client.Name())
-		hasMatch = true
-		if client.finalQuery {
-			return clients
+	if s.domainMatcher != nil {
+		matchSlice := s.domainMatcher.Match(strings.ToLower(domain))
+		sort.Slice(matchSlice, func(i, j int) bool {
+			return matchSlice[i] < matchSlice[j]
+		})
+		for _, match := range matchSlice {
+			info := s.matcherInfos[match]
+			client := s.clients[info.clientIdx]
+			domainRule := info.domainRule
+			domainRules = append(domainRules, fmt.Sprintf("%s(DNS idx:%d)", domainRule, info.clientIdx))
+			if clientUsed[info.clientIdx] {
+				continue
+			}
+			clientUsed[info.clientIdx] = true
+			clients = append(clients, client)
+			clientNames = append(clientNames, client.Name())
+			hasMatch = true
+			if client.finalQuery {
+				logDecision(s.ctx, domain, domainRules, clientNames)
+				return clients
+			}
 		}
 	}

@@ -314,17 +306,13 @@ func (s *DNS) sortClients(domain string) []*Client {
 			clients = append(clients, client)
 			clientNames = append(clientNames, client.Name())
 			if client.finalQuery {
+				logDecision(s.ctx, domain, domainRules, clientNames)
 				return clients
 			}
 		}
 	}

-	if len(domainRules) > 0 {
-		errors.LogDebug(s.ctx, "domain ", domain, " matches following rules: ", domainRules)
-	}
-	if len(clientNames) > 0 {
-		errors.LogDebug(s.ctx, "domain ", domain, " will use DNS in order: ", clientNames)
-	}
+	logDecision(s.ctx, domain, domainRules, clientNames)

 	if len(clients) == 0 {
 		if len(s.clients) > 0 {
@@ -339,6 +327,15 @@ func (s *DNS) sortClients(domain string) []*Client {
 	return clients
 }

+func logDecision(ctx context.Context, domain string, domainRules []string, clientNames []string) {
+	if len(domainRules) > 0 {
+		errors.LogDebug(ctx, "domain ", domain, " matches following rules: ", domainRules)
+	}
+	if len(clientNames) > 0 {
+		errors.LogDebug(ctx, "domain ", domain, " will use DNS in order: ", clientNames)
+	}
+}
+
 func mergeQueryErrors(domain string, errs []error) error {
 	if len(errs) == 0 {
 		return dns.ErrEmptyResponse
@@ -540,67 +537,3 @@ func init() {
 		return New(ctx, config.(*Config))
 	}))
 }
-
-func probeRoutes() (ipv4 bool, ipv6 bool) {
-	if conn, err := net.Dial("udp4", "192.33.4.12:53"); err == nil {
-		ipv4 = true
-		conn.Close()
-	}
-	if conn, err := net.Dial("udp6", "[2001:500:2::c]:53"); err == nil {
-		ipv6 = true
-		conn.Close()
-	}
-	return
-}
-
-var routeCache struct {
-	sync.Once
-	sync.RWMutex
-	expire     time.Time
-	ipv4, ipv6 bool
-}
-
-func checkRoutes() (bool, bool) {
-	if !isGUIPlatform {
-		routeCache.Once.Do(func() {
-			routeCache.ipv4, routeCache.ipv6 = probeRoutes()
-		})
-		return routeCache.ipv4, routeCache.ipv6
-	}
-
-	routeCache.RWMutex.RLock()
-	now := time.Now()
-	if routeCache.expire.After(now) {
-		routeCache.RWMutex.RUnlock()
-		return routeCache.ipv4, routeCache.ipv6
-	}
-	routeCache.RWMutex.RUnlock()
-
-	routeCache.RWMutex.Lock()
-	defer routeCache.RWMutex.Unlock()
-
-	now = time.Now()
-	if routeCache.expire.After(now) { // double-check
-		return routeCache.ipv4, routeCache.ipv6
-	}
-	routeCache.ipv4, routeCache.ipv6 = probeRoutes()    // ~2ms
-	routeCache.expire = now.Add(100 * time.Millisecond) // ttl
-	return routeCache.ipv4, routeCache.ipv6
-}
-
-var isGUIPlatform = detectGUIPlatform()
-
-func detectGUIPlatform() bool {
-	switch runtime.GOOS {
-	case "android", "ios", "windows", "darwin":
-		return true
-	case "linux", "freebsd", "openbsd":
-		if t := os.Getenv("XDG_SESSION_TYPE"); t == "wayland" || t == "x11" {
-			return true
-		}
-		if os.Getenv("DISPLAY") != "" || os.Getenv("WAYLAND_DISPLAY") != "" {
-			return true
-		}
-	}
-	return false
-}
--- a/app/dns/dns_test.go
+++ b/app/dns/dns_test.go
@@ -11,9 +11,9 @@ import (
 	"github.com/xtls/xray-core/app/policy"
 	"github.com/xtls/xray-core/app/proxyman"
 	_ "github.com/xtls/xray-core/app/proxyman/outbound"
-	"github.com/xtls/xray-core/app/router"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/errors"
+	"github.com/xtls/xray-core/common/geodata"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/serial"
 	"github.com/xtls/xray-core/core"
@@ -147,7 +147,9 @@ func TestUDPServerSubnet(t *testing.T) {
 		},
 		Outbound: []*core.OutboundHandlerConfig{
 			{
-				ProxySettings: serial.ToTypedMessage(&freedom.Config{}),
+				ProxySettings: serial.ToTypedMessage(&freedom.Config{
+					FinalRules: []*freedom.FinalRuleConfig{{Action: freedom.RuleAction_Allow}},
+				}),
 			},
 		},
 	}
@@ -207,7 +209,9 @@ func TestUDPServer(t *testing.T) {
 		},
 		Outbound: []*core.OutboundHandlerConfig{
 			{
-				ProxySettings: serial.ToTypedMessage(&freedom.Config{}),
+				ProxySettings: serial.ToTypedMessage(&freedom.Config{
+					FinalRules: []*freedom.FinalRuleConfig{{Action: freedom.RuleAction_Allow}},
+				}),
 			},
 		},
 	}
@@ -331,10 +335,9 @@ func TestPrioritizedDomain(t *testing.T) {
 							},
 							Port: uint32(port),
 						},
-						PrioritizedDomain: []*NameServer_PriorityDomain{
+						Domain: []*geodata.DomainRule{
 							{
-								Type:   DomainMatchingType_Full,
-								Domain: "google.com",
+								Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Full, Value: "google.com"}},
 							},
 						},
 					},
@@ -346,7 +349,9 @@ func TestPrioritizedDomain(t *testing.T) {
 		},
 		Outbound: []*core.OutboundHandlerConfig{
 			{
-				ProxySettings: serial.ToTypedMessage(&freedom.Config{}),
+				ProxySettings: serial.ToTypedMessage(&freedom.Config{
+					FinalRules: []*freedom.FinalRuleConfig{{Action: freedom.RuleAction_Allow}},
+				}),
 			},
 		},
 	}
@@ -415,7 +420,9 @@ func TestUDPServerIPv6(t *testing.T) {
 		},
 		Outbound: []*core.OutboundHandlerConfig{
 			{
-				ProxySettings: serial.ToTypedMessage(&freedom.Config{}),
+				ProxySettings: serial.ToTypedMessage(&freedom.Config{
+					FinalRules: []*freedom.FinalRuleConfig{{Action: freedom.RuleAction_Allow}},
+				}),
 			},
 		},
 	}
@@ -471,8 +478,7 @@ func TestStaticHostDomain(t *testing.T) {
 				},
 				StaticHosts: []*Config_HostMapping{
 					{
-						Type:          DomainMatchingType_Full,
-						Domain:        "example.com",
+						Domain:        &geodata.DomainRule{Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Full, Value: "example.com"}}},
 						ProxiedDomain: "google.com",
 					},
 				},
@@ -483,7 +489,9 @@ func TestStaticHostDomain(t *testing.T) {
 		},
 		Outbound: []*core.OutboundHandlerConfig{
 			{
-				ProxySettings: serial.ToTypedMessage(&freedom.Config{}),
+				ProxySettings: serial.ToTypedMessage(&freedom.Config{
+					FinalRules: []*freedom.FinalRuleConfig{{Action: freedom.RuleAction_Allow}},
+				}),
 			},
 		},
 	}
@@ -539,17 +547,9 @@ func TestIPMatch(t *testing.T) {
 							},
 							Port: uint32(port),
 						},
-						ExpectedGeoip: []*router.GeoIP{
-							{
-								CountryCode: "local",
-								Cidr: []*router.CIDR{
-									{
-										// inner ip, will not match
-										Ip:     []byte{192, 168, 11, 1},
-										Prefix: 32,
-									},
-								},
-							},
+						ExpectedIp: []*geodata.IPRule{
+							// inner ip, will not match
+							{Value: &geodata.IPRule_Custom{Custom: &geodata.CIDRRule{Cidr: &geodata.CIDR{Ip: []byte{192, 168, 11, 1}, Prefix: 32}}}},
 						},
 					},
 					// second dns, match ip
@@ -563,25 +563,9 @@ func TestIPMatch(t *testing.T) {
 							},
 							Port: uint32(port),
 						},
-						ExpectedGeoip: []*router.GeoIP{
-							{
-								CountryCode: "test",
-								Cidr: []*router.CIDR{
-									{
-										Ip:     []byte{8, 8, 8, 8},
-										Prefix: 32,
-									},
-								},
-							},
-							{
-								CountryCode: "test",
-								Cidr: []*router.CIDR{
-									{
-										Ip:     []byte{8, 8, 8, 4},
-										Prefix: 32,
-									},
-								},
-							},
+						ExpectedIp: []*geodata.IPRule{
+							{Value: &geodata.IPRule_Custom{Custom: &geodata.CIDRRule{Cidr: &geodata.CIDR{Ip: []byte{8, 8, 8, 8}, Prefix: 32}}}},
+							{Value: &geodata.IPRule_Custom{Custom: &geodata.CIDRRule{Cidr: &geodata.CIDR{Ip: []byte{8, 8, 8, 4}, Prefix: 32}}}},
 						},
 					},
 				},
@@ -592,7 +576,9 @@ func TestIPMatch(t *testing.T) {
 		},
 		Outbound: []*core.OutboundHandlerConfig{
 			{
-				ProxySettings: serial.ToTypedMessage(&freedom.Config{}),
+				ProxySettings: serial.ToTypedMessage(&freedom.Config{
+					FinalRules: []*freedom.FinalRuleConfig{{Action: freedom.RuleAction_Allow}},
+				}),
 			},
 		},
 	}
@@ -663,19 +649,15 @@ func TestLocalDomain(t *testing.T) {
 							},
 							Port: uint32(port),
 						},
-						PrioritizedDomain: []*NameServer_PriorityDomain{
+						Domain: []*geodata.DomainRule{
 							// Equivalent of dotless:localhost
-							{Type: DomainMatchingType_Regex, Domain: "^[^.]*localhost[^.]*$"},
+							{Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Regex, Value: "^[^.]*localhost[^.]*$"}}},
 						},
-						ExpectedGeoip: []*router.GeoIP{
-							{ // Will match localhost, localhost-a and localhost-b,
-								CountryCode: "local",
-								Cidr: []*router.CIDR{
-									{Ip: []byte{127, 0, 0, 2}, Prefix: 32},
-									{Ip: []byte{127, 0, 0, 3}, Prefix: 32},
-									{Ip: []byte{127, 0, 0, 4}, Prefix: 32},
-								},
-							},
+						ExpectedIp: []*geodata.IPRule{
+							// Will match localhost, localhost-a and localhost-b,
+							{Value: &geodata.IPRule_Custom{Custom: &geodata.CIDRRule{Cidr: &geodata.CIDR{Ip: []byte{127, 0, 0, 2}, Prefix: 32}}}},
+							{Value: &geodata.IPRule_Custom{Custom: &geodata.CIDRRule{Cidr: &geodata.CIDR{Ip: []byte{127, 0, 0, 3}, Prefix: 32}}}},
+							{Value: &geodata.IPRule_Custom{Custom: &geodata.CIDRRule{Cidr: &geodata.CIDR{Ip: []byte{127, 0, 0, 4}, Prefix: 32}}}},
 						},
 					},
 					{
@@ -688,23 +670,21 @@ func TestLocalDomain(t *testing.T) {
 							},
 							Port: uint32(port),
 						},
-						PrioritizedDomain: []*NameServer_PriorityDomain{
+						Domain: []*geodata.DomainRule{
 							// Equivalent of dotless: and domain:local
-							{Type: DomainMatchingType_Regex, Domain: "^[^.]*$"},
-							{Type: DomainMatchingType_Subdomain, Domain: "local"},
-							{Type: DomainMatchingType_Subdomain, Domain: "localdomain"},
+							{Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Regex, Value: "^[^.]*$"}}},
+							{Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Domain, Value: "local"}}},
+							{Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Domain, Value: "localdomain"}}},
 						},
 					},
 				},
 				StaticHosts: []*Config_HostMapping{
 					{
-						Type:   DomainMatchingType_Full,
-						Domain: "hostnamestatic",
+						Domain: &geodata.DomainRule{Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Full, Value: "hostnamestatic"}}},
 						Ip:     [][]byte{{127, 0, 0, 53}},
 					},
 					{
-						Type:          DomainMatchingType_Full,
-						Domain:        "hostnamealias",
+						Domain:        &geodata.DomainRule{Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Full, Value: "hostnamealias"}}},
 						ProxiedDomain: "hostname.localdomain",
 					},
 				},
@@ -715,7 +695,9 @@ func TestLocalDomain(t *testing.T) {
 		},
 		Outbound: []*core.OutboundHandlerConfig{
 			{
-				ProxySettings: serial.ToTypedMessage(&freedom.Config{}),
+				ProxySettings: serial.ToTypedMessage(&freedom.Config{
+					FinalRules: []*freedom.FinalRuleConfig{{Action: freedom.RuleAction_Allow}},
+				}),
 			},
 		},
 	}
@@ -891,19 +873,15 @@ func TestMultiMatchPrioritizedDomain(t *testing.T) {
 							},
 							Port: uint32(port),
 						},
-						PrioritizedDomain: []*NameServer_PriorityDomain{
+						Domain: []*geodata.DomainRule{
 							{
-								Type:   DomainMatchingType_Subdomain,
-								Domain: "google.com",
+								Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Domain, Value: "google.com"}},
 							},
 						},
-						ExpectedGeoip: []*router.GeoIP{
-							{ // Will only match 8.8.8.8 and 8.8.4.4
-								Cidr: []*router.CIDR{
-									{Ip: []byte{8, 8, 8, 8}, Prefix: 32},
-									{Ip: []byte{8, 8, 4, 4}, Prefix: 32},
-								},
-							},
+						ExpectedIp: []*geodata.IPRule{
+							// Will only match 8.8.8.8 and 8.8.4.4
+							{Value: &geodata.IPRule_Custom{Custom: &geodata.CIDRRule{Cidr: &geodata.CIDR{Ip: []byte{8, 8, 8, 8}, Prefix: 32}}}},
+							{Value: &geodata.IPRule_Custom{Custom: &geodata.CIDRRule{Cidr: &geodata.CIDR{Ip: []byte{8, 8, 4, 4}, Prefix: 32}}}},
 						},
 					},
 					{
@@ -916,18 +894,14 @@ func TestMultiMatchPrioritizedDomain(t *testing.T) {
 							},
 							Port: uint32(port),
 						},
-						PrioritizedDomain: []*NameServer_PriorityDomain{
+						Domain: []*geodata.DomainRule{
 							{
-								Type:   DomainMatchingType_Subdomain,
-								Domain: "google.com",
+								Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Domain, Value: "google.com"}},
 							},
 						},
-						ExpectedGeoip: []*router.GeoIP{
-							{ // Will match 8.8.8.8 and 8.8.8.7, etc
-								Cidr: []*router.CIDR{
-									{Ip: []byte{8, 8, 8, 7}, Prefix: 24},
-								},
-							},
+						ExpectedIp: []*geodata.IPRule{
+							// Will match 8.8.8.8 and 8.8.8.7, etc
+							{Value: &geodata.IPRule_Custom{Custom: &geodata.CIDRRule{Cidr: &geodata.CIDR{Ip: []byte{8, 8, 8, 7}, Prefix: 24}}}},
 						},
 					},
 					{
@@ -940,18 +914,14 @@ func TestMultiMatchPrioritizedDomain(t *testing.T) {
 							},
 							Port: uint32(port),
 						},
-						PrioritizedDomain: []*NameServer_PriorityDomain{
+						Domain: []*geodata.DomainRule{
 							{
-								Type:   DomainMatchingType_Subdomain,
-								Domain: "api.google.com",
+								Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Domain, Value: "api.google.com"}},
 							},
 						},
-						ExpectedGeoip: []*router.GeoIP{
-							{ // Will only match 8.8.7.7 (api.google.com)
-								Cidr: []*router.CIDR{
-									{Ip: []byte{8, 8, 7, 7}, Prefix: 32},
-								},
-							},
+						ExpectedIp: []*geodata.IPRule{
+							// Will only match 8.8.7.7 (api.google.com)
+							{Value: &geodata.IPRule_Custom{Custom: &geodata.CIDRRule{Cidr: &geodata.CIDR{Ip: []byte{8, 8, 7, 7}, Prefix: 32}}}},
 						},
 					},
 					{
@@ -964,18 +934,14 @@ func TestMultiMatchPrioritizedDomain(t *testing.T) {
 							},
 							Port: uint32(port),
 						},
-						PrioritizedDomain: []*NameServer_PriorityDomain{
+						Domain: []*geodata.DomainRule{
 							{
-								Type:   DomainMatchingType_Full,
-								Domain: "v2.api.google.com",
+								Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Full, Value: "v2.api.google.com"}},
 							},
 						},
-						ExpectedGeoip: []*router.GeoIP{
-							{ // Will only match 8.8.7.8 (v2.api.google.com)
-								Cidr: []*router.CIDR{
-									{Ip: []byte{8, 8, 7, 8}, Prefix: 32},
-								},
-							},
+						ExpectedIp: []*geodata.IPRule{
+							// Will only match 8.8.7.8 (v2.api.google.com)
+							{Value: &geodata.IPRule_Custom{Custom: &geodata.CIDRRule{Cidr: &geodata.CIDR{Ip: []byte{8, 8, 7, 8}, Prefix: 32}}}},
 						},
 					},
 				},
@@ -986,7 +952,9 @@ func TestMultiMatchPrioritizedDomain(t *testing.T) {
 		},
 		Outbound: []*core.OutboundHandlerConfig{
 			{
-				ProxySettings: serial.ToTypedMessage(&freedom.Config{}),
+				ProxySettings: serial.ToTypedMessage(&freedom.Config{
+					FinalRules: []*freedom.FinalRuleConfig{{Action: freedom.RuleAction_Allow}},
+				}),
 			},
 		},
 	}
--- a/app/dns/fakedns/fake.go
+++ b/app/dns/fakedns/fake.go
@@ -17,7 +17,7 @@ import (
 type Holder struct {
 	domainToIP cache.Lru
 	ipRange    *net.IPNet
-	mu         *sync.Mutex
+	mu         sync.Mutex

 	config *FakeDnsPool
 }
@@ -49,9 +49,7 @@ func (fkdns *Holder) Start() error {
 }

 func (fkdns *Holder) Close() error {
-	fkdns.domainToIP = nil
-	fkdns.ipRange = nil
-	fkdns.mu = nil
+	// nothing to do for now, just wait GC
 	return nil
 }

@@ -70,7 +68,7 @@ func NewFakeDNSHolder() (*Holder, error) {
 }

 func NewFakeDNSHolderConfigOnly(conf *FakeDnsPool) (*Holder, error) {
-	return &Holder{nil, nil, nil, conf}, nil
+	return &Holder{config: conf}, nil
 }

 func (fkdns *Holder) initializeFromConfig() error {
@@ -92,7 +90,6 @@ func (fkdns *Holder) initialize(ipPoolCidr string, lruSize int) error {
 	}
 	fkdns.domainToIP = cache.NewLru(lruSize)
 	fkdns.ipRange = ipRange
-	fkdns.mu = new(sync.Mutex)
 	return nil
 }

@@ -103,7 +100,7 @@ func (fkdns *Holder) GetFakeIPForDomain(domain string) []net.Address {
 	if v, ok := fkdns.domainToIP.Get(domain); ok {
 		return []net.Address{v.(net.Address)}
 	}
-	currentTimeMillis := uint64(time.Now().UnixNano() / 1e6)
+	currentTimeMillis := uint64(time.Now().UnixMilli())
 	ones, bits := fkdns.ipRange.Mask.Size()
 	rooms := bits - ones
 	if rooms < 64 {
@@ -202,12 +199,11 @@ func (h *HolderMulti) Start() error {
 }

 func (h *HolderMulti) Close() error {
+	var errs []error
 	for _, v := range h.holders {
-		if err := v.Close(); err != nil {
-			return errors.New("Cannot close all fake dns pools").Base(err)
-		}
+		errs = append(errs, v.Close())
 	}
-	return nil
+	return errors.Combine(errs...)
 }

 func (h *HolderMulti) createHolderGroups() error {
@@ -222,7 +218,7 @@ func (h *HolderMulti) createHolderGroups() error {
 }

 func NewFakeDNSHolderMulti(conf *FakeDnsPoolMulti) (*HolderMulti, error) {
-	holderMulti := &HolderMulti{nil, conf}
+	holderMulti := &HolderMulti{config: conf}
 	if err := holderMulti.createHolderGroups(); err != nil {
 		return nil, err
 	}
--- a/app/dns/hosts.go
+++ b/app/dns/hosts.go
@@ -2,39 +2,28 @@ package dns

 import (
 	"context"
-	"runtime"
 	"strconv"
+	"strings"

 	"github.com/xtls/xray-core/common/errors"
+	"github.com/xtls/xray-core/common/geodata"
 	"github.com/xtls/xray-core/common/net"
-	"github.com/xtls/xray-core/common/strmatcher"
 	"github.com/xtls/xray-core/features/dns"
 )

 // StaticHosts represents static domain-ip mapping in DNS server.
 type StaticHosts struct {
-	ips      [][]net.Address
-	matchers strmatcher.IndexMatcher
+	responses [][]net.Address
+	matcher   geodata.DomainMatcher
 }

 // NewStaticHosts creates a new StaticHosts instance.
 func NewStaticHosts(hosts []*Config_HostMapping) (*StaticHosts, error) {
-	g := new(strmatcher.MatcherGroup)
-	sh := &StaticHosts{
-		ips:      make([][]net.Address, len(hosts)+16),
-		matchers: g,
-	}
+	reps := make([][]net.Address, 0, len(hosts))
+	rules := make([]*geodata.DomainRule, 0, len(hosts))

-	defer runtime.GC()
-	for i, mapping := range hosts {
-		hosts[i] = nil
-		matcher, err := toStrMatcher(mapping.Type, mapping.Domain)
-		if err != nil {
-			errors.LogErrorInner(context.Background(), err, "failed to create domain matcher, ignore domain rule [type: ", mapping.Type, ", domain: ", mapping.Domain, "]")
-			continue
-		}
-		id := g.Add(matcher)
-		ips := make([]net.Address, 0, len(mapping.Ip)+1)
+	for _, mapping := range hosts {
+		rep := make([]net.Address, 0, len(mapping.Ip))
 		switch {
 		case len(mapping.ProxiedDomain) > 0:
 			if mapping.ProxiedDomain[0] == '#' {
@@ -42,28 +31,36 @@ func NewStaticHosts(hosts []*Config_HostMapping) (*StaticHosts, error) {
 				if err != nil {
 					return nil, err
 				}
-				ips = append(ips, dns.RCodeError(rcode))
+				rep = append(rep, dns.RCodeError(rcode))
 			} else {
-				ips = append(ips, net.DomainAddress(mapping.ProxiedDomain))
+				rep = append(rep, net.DomainAddress(mapping.ProxiedDomain))
 			}
 		case len(mapping.Ip) > 0:
 			for _, ip := range mapping.Ip {
 				addr := net.IPAddress(ip)
 				if addr == nil {
-					errors.LogError(context.Background(), "invalid IP address in static hosts: ", ip, ", ignore this ip for rule [type: ", mapping.Type, ", domain: ", mapping.Domain, "]")
+					errors.LogError(context.Background(), "invalid IP address in static hosts: ", ip, ", ignore this ip for rule: ", mapping.Domain)
 					continue
 				}
-				ips = append(ips, addr)
-			}
-			if len(ips) == 0 {
-				continue
+				rep = append(rep, addr)
 			}
 		}
-
-		sh.ips[id] = ips
+		reps = append(reps, rep)
+		rules = append(rules, mapping.Domain)
 	}

-	return sh, nil
+	if len(rules) == 0 {
+		return &StaticHosts{}, nil
+	}
+
+	matcher, err := geodata.DomainReg.BuildDomainMatcher(rules)
+	if err != nil {
+		return nil, err
+	}
+	return &StaticHosts{
+		responses: reps,
+		matcher:   matcher,
+	}, nil
 }

 func filterIP(ips []net.Address, option dns.IPOption) []net.Address {
@@ -79,16 +76,16 @@ func filterIP(ips []net.Address, option dns.IPOption) []net.Address {
 func (h *StaticHosts) lookupInternal(domain string) ([]net.Address, error) {
 	ips := make([]net.Address, 0)
 	found := false
-	for _, id := range h.matchers.Match(domain) {
-		for _, v := range h.ips[id] {
-			if err, ok := v.(dns.RCodeError); ok {
+	for _, idx := range h.matcher.Match(domain) {
+		for _, rep := range h.responses[idx] {
+			if err, ok := rep.(dns.RCodeError); ok {
 				if uint16(err) == 0 {
 					return nil, dns.ErrEmptyResponse
 				}
 				return nil, err
 			}
 		}
-		ips = append(ips, h.ips[id]...)
+		ips = append(ips, h.responses[idx]...)
 		found = true
 	}
 	if !found {
@@ -98,10 +95,13 @@ func (h *StaticHosts) lookupInternal(domain string) ([]net.Address, error) {
 }

 func (h *StaticHosts) lookup(domain string, option dns.IPOption, maxDepth int) ([]net.Address, error) {
+	domain = strings.ToLower(domain)
 	switch addrs, err := h.lookupInternal(domain); {
 	case err != nil:
 		return nil, err
-	case len(addrs) == 0: // Not recorded in static hosts, return nil
+	case addrs == nil: // Not recorded in static hosts, return nil
+		return nil, nil
+	case len(addrs) == 0: // Domain recorded, but no valid IP returned
 		return addrs, nil
 	case len(addrs) == 1 && addrs[0].Family().IsDomain(): // Try to unwrap domain
 		errors.LogDebug(context.Background(), "found replaced domain: ", domain, " -> ", addrs[0].Domain(), ". Try to unwrap it")
@@ -122,52 +122,8 @@ func (h *StaticHosts) lookup(domain string, option dns.IPOption, maxDepth int) (

 // Lookup returns IP addresses or proxied domain for the given domain, if exists in this StaticHosts.
 func (h *StaticHosts) Lookup(domain string, option dns.IPOption) ([]net.Address, error) {
+	if h.matcher == nil {
+		return nil, nil
+	}
 	return h.lookup(domain, option, 5)
 }
-func NewStaticHostsFromCache(matcher strmatcher.IndexMatcher, hostIPs map[string][]string) (*StaticHosts, error) {
-	sh := &StaticHosts{
-		ips:      make([][]net.Address, matcher.Size()+1),
-		matchers: matcher,
-	}
-
-	order := hostIPs["_ORDER"]
-	var offset uint32
-
-	img, ok := matcher.(*strmatcher.IndexMatcherGroup)
-	if !ok {
-		// Single matcher (e.g. only manual or only one geosite)
-		if len(order) > 0 {
-			pattern := order[0]
-			ips := parseIPs(hostIPs[pattern])
-			for i := uint32(1); i <= matcher.Size(); i++ {
-				sh.ips[i] = ips
-			}
-		}
-		return sh, nil
-	}
-
-	for i, m := range img.Matchers {
-		if i < len(order) {
-			pattern := order[i]
-			ips := parseIPs(hostIPs[pattern])
-			for j := uint32(1); j <= m.Size(); j++ {
-				sh.ips[offset+j] = ips
-			}
-			offset += m.Size()
-		}
-	}
-	return sh, nil
-}
-
-func parseIPs(raw []string) []net.Address {
-	addrs := make([]net.Address, 0, len(raw))
-	for _, s := range raw {
-		if len(s) > 1 && s[0] == '#' {
-			rcode, _ := strconv.Atoi(s[1:])
-			addrs = append(addrs, dns.RCodeError(rcode))
-		} else {
-			addrs = append(addrs, net.ParseAddress(s))
-		}
-	}
-	return addrs
-}
--- a/app/dns/hosts_test.go
+++ b/app/dns/hosts_test.go
@@ -1,13 +1,12 @@
 package dns_test

 import (
-	"bytes"
 	"testing"

 	"github.com/google/go-cmp/cmp"
 	. "github.com/xtls/xray-core/app/dns"
-	"github.com/xtls/xray-core/app/router"
 	"github.com/xtls/xray-core/common"
+	"github.com/xtls/xray-core/common/geodata"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/features/dns"
 )
@@ -15,20 +14,17 @@ import (
 func TestStaticHosts(t *testing.T) {
 	pb := []*Config_HostMapping{
 		{
-			Type:          DomainMatchingType_Subdomain,
-			Domain:        "lan",
+			Domain:        &geodata.DomainRule{Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Domain, Value: "lan"}}},
 			ProxiedDomain: "#3",
 		},
 		{
-			Type:   DomainMatchingType_Full,
-			Domain: "example.com",
+			Domain: &geodata.DomainRule{Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Full, Value: "example.com"}}},
 			Ip: [][]byte{
 				{1, 1, 1, 1},
 			},
 		},
 		{
-			Type:   DomainMatchingType_Full,
-			Domain: "proxy.xray.com",
+			Domain: &geodata.DomainRule{Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Full, Value: "proxy.xray.com"}}},
 			Ip: [][]byte{
 				{1, 2, 3, 4},
 				{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1},
@@ -36,20 +32,17 @@ func TestStaticHosts(t *testing.T) {
 			ProxiedDomain: "another-proxy.xray.com",
 		},
 		{
-			Type:          DomainMatchingType_Full,
-			Domain:        "proxy2.xray.com",
+			Domain:        &geodata.DomainRule{Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Full, Value: "proxy2.xray.com"}}},
 			ProxiedDomain: "proxy.xray.com",
 		},
 		{
-			Type:   DomainMatchingType_Subdomain,
-			Domain: "example.cn",
+			Domain: &geodata.DomainRule{Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Domain, Value: "example.cn"}}},
 			Ip: [][]byte{
 				{2, 2, 2, 2},
 			},
 		},
 		{
-			Type:   DomainMatchingType_Subdomain,
-			Domain: "baidu.com",
+			Domain: &geodata.DomainRule{Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Domain, Value: "baidu.com"}}},
 			Ip: [][]byte{
 				{127, 0, 0, 1},
 				{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1},
@@ -132,57 +125,3 @@ func TestStaticHosts(t *testing.T) {
 		}
 	}
 }
-func TestStaticHostsFromCache(t *testing.T) {
-	sites := []*router.GeoSite{
-		{
-			CountryCode: "cloudflare-dns.com",
-			Domain: []*router.Domain{
-				{Type: router.Domain_Full, Value: "example.com"},
-			},
-		},
-		{
-			CountryCode: "geosite:cn",
-			Domain: []*router.Domain{
-				{Type: router.Domain_Domain, Value: "baidu.cn"},
-			},
-		},
-	}
-	deps := map[string][]string{
-		"HOSTS": {"cloudflare-dns.com", "geosite:cn"},
-	}
-	hostIPs := map[string][]string{
-		"cloudflare-dns.com": {"1.1.1.1"},
-		"geosite:cn":         {"2.2.2.2"},
-		"_ORDER":             {"cloudflare-dns.com", "geosite:cn"},
-	}
-
-	var buf bytes.Buffer
-	err := router.SerializeGeoSiteList(sites, deps, hostIPs, &buf)
-	common.Must(err)
-
-	// Load matcher
-	m, err := router.LoadGeoSiteMatcher(bytes.NewReader(buf.Bytes()), "HOSTS")
-	common.Must(err)
-
-	// Load hostIPs
-	f := bytes.NewReader(buf.Bytes())
-	hips, err := router.LoadGeoSiteHosts(f)
-	common.Must(err)
-
-	hosts, err := NewStaticHostsFromCache(m, hips)
-	common.Must(err)
-
-	{
-		ips, _ := hosts.Lookup("example.com", dns.IPOption{IPv4Enable: true})
-		if len(ips) != 1 || ips[0].String() != "1.1.1.1" {
-			t.Error("failed to lookup example.com from cache")
-		}
-	}
-
-	{
-		ips, _ := hosts.Lookup("baidu.cn", dns.IPOption{IPv4Enable: true})
-		if len(ips) != 1 || ips[0].String() != "2.2.2.2" {
-			t.Error("failed to lookup baidu.cn from cache deps")
-		}
-	}
-}
--- a/app/dns/nameserver.go
+++ b/app/dns/nameserver.go
@@ -3,34 +3,19 @@ package dns
 import (
 	"context"
 	"net/url"
-	"runtime"
 	"strings"
 	"time"

-	"github.com/xtls/xray-core/app/router"
 	"github.com/xtls/xray-core/common/errors"
+	"github.com/xtls/xray-core/common/geodata"
 	"github.com/xtls/xray-core/common/net"
-	"github.com/xtls/xray-core/common/platform"
-	"github.com/xtls/xray-core/common/platform/filesystem"
 	"github.com/xtls/xray-core/common/session"
-	"github.com/xtls/xray-core/common/strmatcher"
+	"github.com/xtls/xray-core/common/utils"
 	"github.com/xtls/xray-core/core"
 	"github.com/xtls/xray-core/features/dns"
 	"github.com/xtls/xray-core/features/routing"
 )

-type mphMatcherWrapper struct {
-	m strmatcher.IndexMatcher
-}
-
-func (w *mphMatcherWrapper) Match(s string) bool {
-	return w.m.Match(s) != nil
-}
-
-func (w *mphMatcherWrapper) String() string {
-	return "mph-matcher"
-}
-
 // Server is the interface for Name Server.
 type Server interface {
 	// Name of the Client.
@@ -46,9 +31,8 @@ type Server interface {
 type Client struct {
 	server        Server
 	skipFallback  bool
-	domains       []string
-	expectedIPs   router.GeoIPMatcher
-	unexpectedIPs router.GeoIPMatcher
+	expectedIPs   geodata.IPMatcher
+	unexpectedIPs geodata.IPMatcher
 	actPrior      bool
 	actUnprior    bool
 	tag           string
@@ -111,11 +95,9 @@ func NewClient(
 	disableCache bool, serveStale bool, serveExpiredTTL uint32,
 	tag string,
 	ipOption dns.IPOption,
-	matcherInfos *[]*DomainMatcherInfo,
-	updateDomainRule func(strmatcher.Matcher, int, []*DomainMatcherInfo),
+	updateRules func(bool),
 ) (*Client, error) {
 	client := &Client{}
-
 	err := core.RequireFeatures(ctx, func(dispatcher routing.Dispatcher) error {
 		// Create a new server for each client for now
 		server, err := NewServer(ctx, ns.Address.AsDestination(), dispatcher, disableCache, serveStale, serveExpiredTTL, clientIP)
@@ -123,97 +105,25 @@ func NewClient(
 			return errors.New("failed to create nameserver").Base(err).AtWarning()
 		}

-		// Prioritize local domains with specific TLDs or those without any dot for the local DNS
-		if _, isLocalDNS := server.(*LocalNameServer); isLocalDNS {
-			ns.PrioritizedDomain = append(ns.PrioritizedDomain, localTLDsAndDotlessDomains...)
-			ns.OriginalRules = append(ns.OriginalRules, localTLDsAndDotlessDomainsRule)
-			// The following lines is a solution to avoid core panics（rule index out of range） when setting `localhost` DNS client in config.
-			// Because the `localhost` DNS client will append len(localTLDsAndDotlessDomains) rules into matcherInfos to match `geosite:private` default rule.
-			// But `matcherInfos` has no enough length to add rules, which leads to core panics (rule index out of range).
-			// To avoid this, the length of `matcherInfos` must be equal to the expected, so manually append it with Golang default zero value first for later modification.
-			// Related issues:
-			// https://github.com/v2fly/v2ray-core/issues/529
-			// https://github.com/v2fly/v2ray-core/issues/719
-			for i := 0; i < len(localTLDsAndDotlessDomains); i++ {
-				*matcherInfos = append(*matcherInfos, &DomainMatcherInfo{
-					clientIdx:     uint16(0),
-					domainRuleIdx: uint16(0),
-				})
-			}
-		}
-
-		// Establish domain rules
-		var rules []string
-		ruleCurr := 0
-		ruleIter := 0
-
-		// Check if domain matcher cache is provided via environment
-		domainMatcherPath := platform.NewEnvFlag(platform.MphCachePath).GetValue(func() string { return "" })
-		var mphLoaded bool
-
-		if domainMatcherPath != "" && ns.Tag != "" {
-			f, err := filesystem.NewFileReader(domainMatcherPath)
-			if err == nil {
-				defer f.Close()
-				g, err := router.LoadGeoSiteMatcher(f, ns.Tag)
-				if err == nil {
-					errors.LogDebug(ctx, "MphDomainMatcher loaded from cache for ", ns.Tag, " dns tag)")
-					updateDomainRule(&mphMatcherWrapper{m: g}, 0, *matcherInfos)
-					rules = append(rules, "[MPH Cache]")
-					mphLoaded = true
-				}
-			}
-		}
-
-		if !mphLoaded {
-			for i, domain := range ns.PrioritizedDomain {
-				ns.PrioritizedDomain[i] = nil
-				domainRule, err := toStrMatcher(domain.Type, domain.Domain)
-				if err != nil {
-					errors.LogErrorInner(ctx, err, "failed to create domain matcher, ignore domain rule [type: ", domain.Type, ", domain: ", domain.Domain, "]")
-					domainRule, _ = toStrMatcher(DomainMatchingType_Full, "hack.fix.index.for.illegal.domain.rule")
-				}
-				originalRuleIdx := ruleCurr
-				if ruleCurr < len(ns.OriginalRules) {
-					rule := ns.OriginalRules[ruleCurr]
-					if ruleCurr >= len(rules) {
-						rules = append(rules, rule.Rule)
-					}
-					ruleIter++
-					if ruleIter >= int(rule.Size) {
-						ruleIter = 0
-						ruleCurr++
-					}
-				} else { // No original rule, generate one according to current domain matcher (majorly for compatibility with tests)
-					rules = append(rules, domainRule.String())
-					ruleCurr++
-				}
-				updateDomainRule(domainRule, originalRuleIdx, *matcherInfos)
-			}
-		}
-		ns.PrioritizedDomain = nil
-		runtime.GC()
+		_, isLocalDNS := server.(*LocalNameServer)
+		updateRules(isLocalDNS)

 		// Establish expected IPs
-		var expectedMatcher router.GeoIPMatcher
-		if len(ns.ExpectedGeoip) > 0 {
-			expectedMatcher, err = router.BuildOptimizedGeoIPMatcher(ns.ExpectedGeoip...)
+		var expectedMatcher geodata.IPMatcher
+		if len(ns.ExpectedIp) > 0 {
+			expectedMatcher, err = geodata.IPReg.BuildIPMatcher(ns.ExpectedIp)
 			if err != nil {
 				return errors.New("failed to create expected ip matcher").Base(err).AtWarning()
 			}
-			ns.ExpectedGeoip = nil
-			runtime.GC()
 		}

 		// Establish unexpected IPs
-		var unexpectedMatcher router.GeoIPMatcher
-		if len(ns.UnexpectedGeoip) > 0 {
-			unexpectedMatcher, err = router.BuildOptimizedGeoIPMatcher(ns.UnexpectedGeoip...)
+		var unexpectedMatcher geodata.IPMatcher
+		if len(ns.UnexpectedIp) > 0 {
+			unexpectedMatcher, err = geodata.IPReg.BuildIPMatcher(ns.UnexpectedIp)
 			if err != nil {
 				return errors.New("failed to create unexpected ip matcher").Base(err).AtWarning()
 			}
-			ns.UnexpectedGeoip = nil
-			runtime.GC()
 		}

 		if len(clientIP) > 0 {
@@ -234,7 +144,6 @@ func NewClient(

 		client.server = server
 		client.skipFallback = ns.SkipFallback
-		client.domains = rules
 		client.expectedIPs = expectedMatcher
 		client.unexpectedIPs = unexpectedMatcher
 		client.actPrior = ns.ActPrior
@@ -258,7 +167,7 @@ func (c *Client) Name() string {
 // QueryIP sends DNS query to the name server with the client's IP.
 func (c *Client) QueryIP(ctx context.Context, domain string, option dns.IPOption) ([]net.IP, uint32, error) {
 	if c.checkSystem {
-		supportIPv4, supportIPv6 := checkRoutes()
+		supportIPv4, supportIPv6 := utils.CheckRoutes()
 		option.IPv4Enable = option.IPv4Enable && supportIPv4
 		option.IPv6Enable = option.IPv6Enable && supportIPv6
 	} else {
--- a/app/dns/nameserver_doh.go
+++ b/app/dns/nameserver_doh.go
@@ -214,7 +214,7 @@ func (s *DoHNameServer) dohHTTPSContext(ctx context.Context, b []byte) ([]byte,

 	req.Header.Add("Accept", "application/dns-message")
 	req.Header.Add("Content-Type", "application/dns-message")
-	req.Header.Set("User-Agent", utils.ChromeUA)
+	utils.TryDefaultHeadersWith(req.Header, "fetch")
 	req.Header.Set("X-Padding", utils.H2Base62Pad(crypto.RandBetween(100, 1000)))

 	hc := s.httpClient
--- a/app/geodata/config.pb.go
+++ b/app/geodata/config.pb.go
@@ -0,0 +1,198 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.36.11
+// 	protoc        v6.33.5
+// source: app/geodata/config.proto
+
+package geodata
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+	unsafe "unsafe"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type Asset struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Url           string                 `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"`
+	File          string                 `protobuf:"bytes,2,opt,name=file,proto3" json:"file,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *Asset) Reset() {
+	*x = Asset{}
+	mi := &file_app_geodata_config_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *Asset) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Asset) ProtoMessage() {}
+
+func (x *Asset) ProtoReflect() protoreflect.Message {
+	mi := &file_app_geodata_config_proto_msgTypes[0]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Asset.ProtoReflect.Descriptor instead.
+func (*Asset) Descriptor() ([]byte, []int) {
+	return file_app_geodata_config_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *Asset) GetUrl() string {
+	if x != nil {
+		return x.Url
+	}
+	return ""
+}
+
+func (x *Asset) GetFile() string {
+	if x != nil {
+		return x.File
+	}
+	return ""
+}
+
+type Config struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Cron          string                 `protobuf:"bytes,1,opt,name=cron,proto3" json:"cron,omitempty"`
+	Outbound      string                 `protobuf:"bytes,2,opt,name=outbound,proto3" json:"outbound,omitempty"`
+	Assets        []*Asset               `protobuf:"bytes,3,rep,name=assets,proto3" json:"assets,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *Config) Reset() {
+	*x = Config{}
+	mi := &file_app_geodata_config_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *Config) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Config) ProtoMessage() {}
+
+func (x *Config) ProtoReflect() protoreflect.Message {
+	mi := &file_app_geodata_config_proto_msgTypes[1]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Config.ProtoReflect.Descriptor instead.
+func (*Config) Descriptor() ([]byte, []int) {
+	return file_app_geodata_config_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *Config) GetCron() string {
+	if x != nil {
+		return x.Cron
+	}
+	return ""
+}
+
+func (x *Config) GetOutbound() string {
+	if x != nil {
+		return x.Outbound
+	}
+	return ""
+}
+
+func (x *Config) GetAssets() []*Asset {
+	if x != nil {
+		return x.Assets
+	}
+	return nil
+}
+
+var File_app_geodata_config_proto protoreflect.FileDescriptor
+
+const file_app_geodata_config_proto_rawDesc = "" +
+	"\n" +
+	"\x18app/geodata/config.proto\x12\x10xray.app.geodata\"-\n" +
+	"\x05Asset\x12\x10\n" +
+	"\x03url\x18\x01 \x01(\tR\x03url\x12\x12\n" +
+	"\x04file\x18\x02 \x01(\tR\x04file\"i\n" +
+	"\x06Config\x12\x12\n" +
+	"\x04cron\x18\x01 \x01(\tR\x04cron\x12\x1a\n" +
+	"\boutbound\x18\x02 \x01(\tR\boutbound\x12/\n" +
+	"\x06assets\x18\x03 \x03(\v2\x17.xray.app.geodata.AssetR\x06assetsBR\n" +
+	"\x14com.xray.app.geodataP\x01Z%github.com/xtls/xray-core/app/geodata\xaa\x02\x10Xray.App.Geodatab\x06proto3"
+
+var (
+	file_app_geodata_config_proto_rawDescOnce sync.Once
+	file_app_geodata_config_proto_rawDescData []byte
+)
+
+func file_app_geodata_config_proto_rawDescGZIP() []byte {
+	file_app_geodata_config_proto_rawDescOnce.Do(func() {
+		file_app_geodata_config_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_app_geodata_config_proto_rawDesc), len(file_app_geodata_config_proto_rawDesc)))
+	})
+	return file_app_geodata_config_proto_rawDescData
+}
+
+var file_app_geodata_config_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
+var file_app_geodata_config_proto_goTypes = []any{
+	(*Asset)(nil),  // 0: xray.app.geodata.Asset
+	(*Config)(nil), // 1: xray.app.geodata.Config
+}
+var file_app_geodata_config_proto_depIdxs = []int32{
+	0, // 0: xray.app.geodata.Config.assets:type_name -> xray.app.geodata.Asset
+	1, // [1:1] is the sub-list for method output_type
+	1, // [1:1] is the sub-list for method input_type
+	1, // [1:1] is the sub-list for extension type_name
+	1, // [1:1] is the sub-list for extension extendee
+	0, // [0:1] is the sub-list for field type_name
+}
+
+func init() { file_app_geodata_config_proto_init() }
+func file_app_geodata_config_proto_init() {
+	if File_app_geodata_config_proto != nil {
+		return
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_app_geodata_config_proto_rawDesc), len(file_app_geodata_config_proto_rawDesc)),
+			NumEnums:      0,
+			NumMessages:   2,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_app_geodata_config_proto_goTypes,
+		DependencyIndexes: file_app_geodata_config_proto_depIdxs,
+		MessageInfos:      file_app_geodata_config_proto_msgTypes,
+	}.Build()
+	File_app_geodata_config_proto = out.File
+	file_app_geodata_config_proto_goTypes = nil
+	file_app_geodata_config_proto_depIdxs = nil
+}
--- a/app/geodata/config.proto
+++ b/app/geodata/config.proto
@@ -0,0 +1,21 @@
+syntax = "proto3";
+
+package xray.app.geodata;
+option csharp_namespace = "Xray.App.Geodata";
+option go_package = "github.com/xtls/xray-core/app/geodata";
+option java_package = "com.xray.app.geodata";
+option java_multiple_files = true;
+
+message Asset {
+  string url = 1;
+
+  string file = 2;
+}
+
+message Config {
+  string cron = 1;
+
+  string outbound = 2;
+
+  repeated Asset assets = 3;
+}
--- a/app/geodata/download.go
+++ b/app/geodata/download.go
@@ -0,0 +1,304 @@
+package geodata
+
+import (
+	"context"
+	go_errors "errors"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/xtls/xray-core/common/errors"
+	"github.com/xtls/xray-core/common/net"
+	"github.com/xtls/xray-core/common/platform/filesystem"
+	"github.com/xtls/xray-core/common/task"
+	"github.com/xtls/xray-core/common/utils"
+	"github.com/xtls/xray-core/features/routing"
+	"github.com/xtls/xray-core/transport/internet/tagged"
+)
+
+const idleTimeout = 30 * time.Second
+
+type stage struct {
+	target string
+	temp   string
+}
+
+type downloader struct {
+	ctx    context.Context
+	client *http.Client
+}
+
+type idleConn struct {
+	net.Conn
+}
+
+func (c *idleConn) Read(b []byte) (int, error) {
+	t := time.AfterFunc(idleTimeout, func() {
+		_ = c.Close()
+	})
+
+	n, err := c.Conn.Read(b)
+	if !t.Stop() {
+		_ = c.Close()
+		return n, errors.New("connection idle timeout")
+	}
+	return n, err
+}
+
+func (c *idleConn) Write(b []byte) (int, error) {
+	return c.Conn.Write(b)
+}
+
+func newDownloader(ctx context.Context, dispatcher routing.Dispatcher, outbound string) *downloader {
+	return &downloader{
+		ctx:    ctx,
+		client: newClient(ctx, dispatcher, outbound),
+	}
+}
+
+func newClient(baseCtx context.Context, dispatcher routing.Dispatcher, outbound string) *http.Client {
+	return &http.Client{
+		Transport: &http.Transport{
+			Proxy:             nil,
+			DisableKeepAlives: true,
+			DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
+				var conn net.Conn
+				err := task.Run(ctx, func() error {
+					if tagged.Dialer == nil {
+						return errors.New("tagged dialer is not initialized")
+					}
+					dest, err := net.ParseDestination(network + ":" + address)
+					if err != nil {
+						return errors.New("cannot understand address").Base(err)
+					}
+					c, err := tagged.Dialer(baseCtx, dispatcher, dest, outbound)
+					if err != nil {
+						return errors.New("cannot dial remote address ", dest).Base(err)
+					}
+					conn = c
+					return nil
+				})
+				if err != nil {
+					return nil, errors.New("cannot finish connection").Base(err)
+				}
+				return &idleConn{
+					Conn: conn,
+				}, nil
+			},
+			TLSHandshakeTimeout:   idleTimeout,
+			ResponseHeaderTimeout: idleTimeout,
+		},
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			if req.URL.Scheme != "https" {
+				return errors.New("redirected to non-https URL: ", req.URL.String())
+			}
+			if len(via) >= 10 {
+				return errors.New("stopped after 10 redirects")
+			}
+			return nil
+		},
+	}
+}
+
+func (d *downloader) download(assets []*Asset) ([]stage, error) {
+	staged := make([]stage, 0, len(assets))
+	for _, asset := range assets {
+		stage, err := d.downloadOne(asset)
+		if err != nil {
+			clean(staged)
+			return nil, err
+		}
+		staged = append(staged, stage)
+	}
+	return staged, nil
+}
+
+func (d *downloader) downloadOne(asset *Asset) (stage, error) {
+	target, err := filesystem.ResolveAsset(asset.File)
+	if err != nil {
+		return stage{}, err
+	}
+	errors.LogInfo(d.ctx, "downloading geodata asset from ", asset.Url, " to ", target)
+
+	temp, err := tempFile(target, ".tmp")
+	if err != nil {
+		return stage{}, err
+	}
+	tempName := temp.Name()
+	keepTemp := false
+	defer func() {
+		if !keepTemp {
+			os.Remove(tempName)
+		}
+	}()
+
+	if err := d.fetch(asset.Url, temp); err != nil {
+		temp.Close()
+		return stage{}, err
+	}
+	if err := temp.Chmod(0o644); err != nil {
+		temp.Close()
+		return stage{}, err
+	}
+	if err := temp.Close(); err != nil {
+		return stage{}, err
+	}
+
+	keepTemp = true
+	return stage{
+		target: target,
+		temp:   tempName,
+	}, nil
+}
+
+func (d *downloader) fetch(rawURL string, writer io.Writer) error {
+	req, err := http.NewRequestWithContext(d.ctx, http.MethodGet, rawURL, nil)
+	if err != nil {
+		return err
+	}
+	utils.TryDefaultHeadersWith(req.Header, "nav")
+
+	resp, err := d.client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusMultipleChoices {
+		io.Copy(io.Discard, resp.Body)
+		return errors.New("unexpected status code: ", resp.StatusCode)
+	}
+
+	n, err := io.Copy(writer, resp.Body)
+	if err != nil {
+		return err
+	}
+	if n == 0 {
+		return errors.New("empty response body")
+	}
+	return nil
+}
+
+func clean(assets []stage) {
+	for _, asset := range assets {
+		if asset.temp != "" {
+			os.Remove(asset.temp)
+		}
+	}
+}
+
+type tx struct {
+	swaps []swap
+}
+
+type swap struct {
+	target      string
+	backup      string
+	hadOriginal bool
+}
+
+func swapAll(assets []stage) (*tx, error) {
+	t := &tx{}
+	for _, asset := range assets {
+		s, err := swapOne(asset)
+		if err != nil {
+			return nil, errors.Combine(err, t.rollback())
+		}
+		t.swaps = append(t.swaps, s)
+	}
+	return t, nil
+}
+
+func swapOne(asset stage) (swap, error) {
+	backup, err := backupFile(asset.target)
+	if err != nil {
+		return swap{}, err
+	}
+
+	s := swap{
+		target: asset.target,
+		backup: backup,
+	}
+	if err := os.Rename(asset.target, backup); err != nil {
+		if !go_errors.Is(err, os.ErrNotExist) {
+			return swap{}, err
+		}
+		if err := os.Remove(backup); err != nil && !go_errors.Is(err, os.ErrNotExist) {
+			return swap{}, err
+		}
+	} else {
+		s.hadOriginal = true
+	}
+
+	if err := os.Rename(asset.temp, asset.target); err != nil {
+		if s.hadOriginal {
+			if restoreErr := os.Rename(backup, asset.target); restoreErr != nil {
+				return swap{}, errors.Combine(err, restoreErr)
+			}
+		}
+		return swap{}, err
+	}
+
+	return s, nil
+}
+
+func (t *tx) rollback() error {
+	var errs []error
+	for i := len(t.swaps) - 1; i >= 0; i-- {
+		if err := t.swaps[i].rollback(); err != nil {
+			errs = append(errs, err)
+		}
+	}
+	return errors.Combine(errs...)
+}
+
+func (s swap) rollback() error {
+	var errs []error
+	if err := os.Remove(s.target); err != nil && !go_errors.Is(err, os.ErrNotExist) {
+		errs = append(errs, err)
+	}
+	if s.hadOriginal {
+		if err := os.Rename(s.backup, s.target); err != nil {
+			errs = append(errs, err)
+		}
+	} else if err := os.Remove(s.backup); err != nil && !go_errors.Is(err, os.ErrNotExist) {
+		errs = append(errs, err)
+	}
+	return errors.Combine(errs...)
+}
+
+func (t *tx) commit() error {
+	var errs []error
+	for _, swap := range t.swaps {
+		if err := os.Remove(swap.backup); err != nil && !go_errors.Is(err, os.ErrNotExist) {
+			errs = append(errs, err)
+		}
+	}
+	return errors.Combine(errs...)
+}
+
+func tempFile(target string, suffix string) (*os.File, error) {
+	dir := filepath.Dir(target)
+	if err := os.MkdirAll(dir, 0o755); err != nil {
+		return nil, err
+	}
+	return os.CreateTemp(dir, "."+filepath.Base(target)+".*"+suffix)
+}
+
+func backupFile(target string) (string, error) {
+	file, err := tempFile(target, ".bak")
+	if err != nil {
+		return "", err
+	}
+	name := file.Name()
+	if err := file.Close(); err != nil {
+		os.Remove(name)
+		return "", err
+	}
+	if err := os.Remove(name); err != nil {
+		return "", err
+	}
+	return name, nil
+}
--- a/app/geodata/geodata.go
+++ b/app/geodata/geodata.go
@@ -0,0 +1,134 @@
+package geodata
+
+import (
+	"context"
+	"sync"
+
+	"github.com/robfig/cron/v3"
+	"github.com/xtls/xray-core/common"
+	"github.com/xtls/xray-core/common/errors"
+	commongeodata "github.com/xtls/xray-core/common/geodata"
+	"github.com/xtls/xray-core/core"
+	"github.com/xtls/xray-core/features/routing"
+)
+
+type Instance struct {
+	assets     []*Asset
+	downloader *downloader
+	tasker     *cron.Cron
+
+	mu      sync.Mutex
+	running bool
+}
+
+func New(ctx context.Context, config *Config) (*Instance, error) {
+	if config.Cron == "" {
+		return &Instance{}, nil
+	}
+
+	g := &Instance{
+		assets: config.Assets,
+	}
+
+	if len(g.assets) > 0 {
+		var dispatcher routing.Dispatcher
+		if err := core.RequireFeatures(ctx, func(d routing.Dispatcher) {
+			dispatcher = d
+		}); err != nil {
+			return nil, errors.New("failed to get dispatcher for geodata downloader").Base(err)
+		}
+		g.downloader = newDownloader(ctx, dispatcher, config.Outbound)
+	}
+
+	g.tasker = cron.New(
+		cron.WithChain(cron.SkipIfStillRunning(cron.DiscardLogger)),
+		cron.WithLogger(cron.DiscardLogger),
+	)
+	if _, err := g.tasker.AddFunc(config.Cron, g.execute); err != nil {
+		return nil, errors.New("invalid geodata cron").Base(err)
+	}
+	errors.LogInfo(ctx, "scheduled geodata reload with cron: ", config.Cron)
+
+	return g, nil
+}
+
+func (g *Instance) execute() {
+	var err error
+	if g.downloader != nil {
+		err = g.reloadWithUpdate()
+	} else {
+		err = reload()
+	}
+	if err != nil {
+		errors.LogErrorInner(context.Background(), err, "scheduled geodata reload failed")
+	}
+}
+
+func (g *Instance) reloadWithUpdate() error {
+	staged, err := g.downloader.download(g.assets)
+	if err != nil {
+		return err
+	}
+	defer clean(staged)
+
+	tx, err := swapAll(staged)
+	if err != nil {
+		return err
+	}
+
+	if err := reload(); err != nil {
+		errors.LogErrorInner(context.Background(), err, "failed to reload geodata after downloading assets, rolling back")
+		rollbackErr := tx.rollback()
+		return errors.Combine(err, rollbackErr)
+	}
+
+	return tx.commit()
+}
+
+func reload() error {
+	return errors.Combine(commongeodata.IPReg.Reload(), commongeodata.DomainReg.Reload())
+}
+
+func (g *Instance) Type() interface{} {
+	return (*Instance)(nil)
+}
+
+func (g *Instance) Start() error {
+	g.mu.Lock()
+	defer g.mu.Unlock()
+
+	if g.running {
+		return nil
+	}
+
+	if g.tasker != nil {
+		g.tasker.Start()
+	}
+
+	g.running = true
+
+	return nil
+}
+
+func (g *Instance) Close() error {
+	g.mu.Lock()
+	defer g.mu.Unlock()
+
+	if !g.running {
+		return nil
+	}
+
+	if g.tasker != nil {
+		<-g.tasker.Stop().Done()
+	}
+
+	g.running = false
+
+	return nil
+}
+
+func init() {
+	common.Must(common.RegisterConfig((*Config)(nil), func(ctx context.Context, cfg interface{}) (interface{}, error) {
+		return New(ctx, cfg.(*Config))
+	}))
+}
--- a/app/metrics/metrics.go
+++ b/app/metrics/metrics.go
@@ -8,7 +8,6 @@ import (
 	"strings"

 	"github.com/xtls/xray-core/app/observatory"
-	"github.com/xtls/xray-core/app/stats"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/errors"
 	"github.com/xtls/xray-core/common/net"
@@ -39,16 +38,12 @@ func NewMetricsHandler(ctx context.Context, config *Config) (*MetricsHandler, er
 		c.ohm = om
 	}))
 	expvar.Publish("stats", expvar.Func(func() interface{} {
-		manager, ok := c.statsManager.(*stats.Manager)
-		if !ok {
-			return nil
-		}
 		resp := map[string]map[string]map[string]int64{
 			"inbound":  {},
 			"outbound": {},
 			"user":     {},
 		}
-		manager.VisitCounters(func(name string, counter feature_stats.Counter) bool {
+		c.statsManager.VisitCounters(func(name string, counter feature_stats.Counter) bool {
 			nameSplit := strings.Split(name, ">>>")
 			typeName, tagOrUser, direction := nameSplit[0], nameSplit[1], nameSplit[3]
 			if item, found := resp[typeName][tagOrUser]; found {
--- a/app/observatory/burst/burstobserver.go
+++ b/app/observatory/burst/burstobserver.go
@@ -32,6 +32,10 @@ func (o *Observer) GetObservation(ctx context.Context) (proto.Message, error) {
 	return &observatory.ObservationResult{Status: o.createResult()}, nil
 }

+func (o *Observer) Check(tag []string) {
+	o.hp.Check(tag)
+}
+
 func (o *Observer) createResult() []*observatory.OutboundStatus {
 	var result []*observatory.OutboundStatus
 	o.hp.access.Lock()
--- a/app/observatory/burst/ping.go
+++ b/app/observatory/burst/ping.go
@@ -62,7 +62,7 @@ func (s *pingClient) MeasureDelay(httpMethod string) (time.Duration, error) {
 	if err != nil {
 		return rttFailed, err
 	}
-	req.Header.Set("User-Agent", utils.ChromeUA)
+	utils.TryDefaultHeadersWith(req.Header, "nav")

 	start := time.Now()
 	resp, err := s.httpClient.Do(req)
--- a/app/observatory/observer.go
+++ b/app/observatory/observer.go
@@ -5,6 +5,7 @@ import (
 	"net"
 	"net/http"
 	"net/url"
+	"slices"
 	"sort"
 	"sync"
 	"time"
@@ -70,7 +71,7 @@ func (o *Observer) background() {

 		outbounds := hs.Select(o.config.SubjectSelector)

-		o.updateStatus(outbounds)
+		o.clearRemovedOutbounds(outbounds)

 		sleepTime := time.Second * 10
 		if o.config.ProbeInterval != 0 {
@@ -111,11 +112,19 @@ func (o *Observer) background() {
 	}
 }

-func (o *Observer) updateStatus(outbounds []string) {
+func (o *Observer) clearRemovedOutbounds(outbounds []string) {
 	o.statusLock.Lock()
 	defer o.statusLock.Unlock()
-	// TODO should remove old inbound that is removed
-	_ = outbounds
+	if len(o.status) == 0 {
+		return
+	}
+	var pruned []*OutboundStatus
+	for _, status := range o.status {
+		if slices.Contains(outbounds, status.OutboundTag) {
+			pruned = append(pruned, status)
+		}
+	}
+	o.status = pruned
 }

 func (o *Observer) probe(outbound string) ProbeResult {
@@ -164,7 +173,7 @@ func (o *Observer) probe(outbound string) ProbeResult {
 			probeURL = o.config.ProbeUrl
 		}
 		req, _ := http.NewRequest(http.MethodGet, probeURL, nil)
-		req.Header.Set("User-Agent", utils.ChromeUA)
+		utils.TryDefaultHeadersWith(req.Header, "nav")
 		response, err := httpClient.Do(req)
 		if err != nil {
 			return errors.New("outbound failed to relay connection").Base(err)
--- a/app/observatory/observer_test.go
+++ b/app/observatory/observer_test.go
@@ -0,0 +1,64 @@
+package observatory
+
+import "testing"
+
+func TestObserverUpdateStatusPrunesStaleOutbounds(t *testing.T) {
+	observer := &Observer{
+		status: []*OutboundStatus{
+			{
+				OutboundTag:     "keep",
+				Alive:           true,
+				Delay:           42,
+				LastErrorReason: "",
+				LastSeenTime:    111,
+				LastTryTime:     222,
+			},
+			{
+				OutboundTag:     "drop",
+				Alive:           false,
+				Delay:           99999999,
+				LastErrorReason: "probe failed",
+				LastSeenTime:    333,
+				LastTryTime:     444,
+			},
+		},
+	}
+
+	observer.clearRemovedOutbounds([]string{"keep"})
+
+	if len(observer.status) != 1 {
+		t.Fatalf("expected 1 status after pruning, got %d", len(observer.status))
+	}
+
+	got := observer.status[0]
+	if got.OutboundTag != "keep" {
+		t.Fatalf("expected remaining status for keep, got %q", got.OutboundTag)
+	}
+	if !got.Alive {
+		t.Fatal("expected remaining status to preserve Alive field")
+	}
+	if got.Delay != 42 {
+		t.Fatalf("expected remaining status to preserve Delay, got %d", got.Delay)
+	}
+	if got.LastSeenTime != 111 {
+		t.Fatalf("expected remaining status to preserve LastSeenTime, got %d", got.LastSeenTime)
+	}
+	if got.LastTryTime != 222 {
+		t.Fatalf("expected remaining status to preserve LastTryTime, got %d", got.LastTryTime)
+	}
+}
+
+func TestObserverUpdateStatusClearsWhenNoOutboundsRemain(t *testing.T) {
+	observer := &Observer{
+		status: []*OutboundStatus{
+			{OutboundTag: "drop-1"},
+			{OutboundTag: "drop-2"},
+		},
+	}
+
+	observer.clearRemovedOutbounds(nil)
+
+	if len(observer.status) != 0 {
+		t.Fatalf("expected all statuses to be removed, got %d", len(observer.status))
+	}
+}
--- a/app/proxyman/config.go
+++ b/app/proxyman/config.go
@@ -1 +1,34 @@
 package proxyman
+
+import (
+	"github.com/xtls/xray-core/common/geodata"
+	"github.com/xtls/xray-core/common/session"
+)
+
+func BuildSniffingRequest(config *SniffingConfig) (session.SniffingRequest, error) {
+	if config == nil {
+		return session.SniffingRequest{}, nil
+	}
+
+	request := session.SniffingRequest{
+		Enabled:                        config.Enabled,
+		OverrideDestinationForProtocol: config.DestinationOverride,
+		MetadataOnly:                   config.MetadataOnly,
+		RouteOnly:                      config.RouteOnly,
+	}
+	if len(config.DomainsExcluded) > 0 {
+		excludeForDomain, err := geodata.DomainReg.BuildDomainMatcher(config.DomainsExcluded)
+		if err != nil {
+			return session.SniffingRequest{}, err
+		}
+		request.ExcludeForDomain = excludeForDomain
+	}
+	if len(config.IpsExcluded) > 0 {
+		excludeForIP, err := geodata.IPReg.BuildIPMatcher(config.IpsExcluded)
+		if err != nil {
+			return session.SniffingRequest{}, err
+		}
+		request.ExcludeForIP = excludeForIP
+	}
+	return request, nil
+}
--- a/app/proxyman/config.pb.go
+++ b/app/proxyman/config.pb.go
@@ -7,6 +7,7 @@
 package proxyman

 import (
+	geodata "github.com/xtls/xray-core/common/geodata"
 	net "github.com/xtls/xray-core/common/net"
 	serial "github.com/xtls/xray-core/common/serial"
 	internet "github.com/xtls/xray-core/transport/internet"
@@ -66,8 +67,9 @@ type SniffingConfig struct {
 	Enabled bool `protobuf:"varint,1,opt,name=enabled,proto3" json:"enabled,omitempty"`
 	// Override target destination if sniff'ed protocol is in the given list.
 	// Supported values are "http", "tls", "fakedns".
-	DestinationOverride []string `protobuf:"bytes,2,rep,name=destination_override,json=destinationOverride,proto3" json:"destination_override,omitempty"`
-	DomainsExcluded     []string `protobuf:"bytes,3,rep,name=domains_excluded,json=domainsExcluded,proto3" json:"domains_excluded,omitempty"`
+	DestinationOverride []string              `protobuf:"bytes,2,rep,name=destination_override,json=destinationOverride,proto3" json:"destination_override,omitempty"`
+	DomainsExcluded     []*geodata.DomainRule `protobuf:"bytes,3,rep,name=domains_excluded,json=domainsExcluded,proto3" json:"domains_excluded,omitempty"`
+	IpsExcluded         []*geodata.IPRule     `protobuf:"bytes,6,rep,name=ips_excluded,json=ipsExcluded,proto3" json:"ips_excluded,omitempty"`
 	// Whether should only try to sniff metadata without waiting for client input.
 	// Can be used to support SMTP like protocol where server send the first
 	// message.
@@ -121,13 +123,20 @@ func (x *SniffingConfig) GetDestinationOverride() []string {
 	return nil
 }

-func (x *SniffingConfig) GetDomainsExcluded() []string {
+func (x *SniffingConfig) GetDomainsExcluded() []*geodata.DomainRule {
 	if x != nil {
 		return x.DomainsExcluded
 	}
 	return nil
 }

+func (x *SniffingConfig) GetIpsExcluded() []*geodata.IPRule {
+	if x != nil {
+		return x.IpsExcluded
+	}
+	return nil
+}
+
 func (x *SniffingConfig) GetMetadataOnly() bool {
 	if x != nil {
 		return x.MetadataOnly
@@ -477,12 +486,13 @@ var File_app_proxyman_config_proto protoreflect.FileDescriptor

 const file_app_proxyman_config_proto_rawDesc = "" +
 	"\n" +
-	"\x19app/proxyman/config.proto\x12\x11xray.app.proxyman\x1a\x18common/net/address.proto\x1a\x15common/net/port.proto\x1a\x1ftransport/internet/config.proto\x1a!common/serial/typed_message.proto\"\x0f\n" +
-	"\rInboundConfig\"\xcc\x01\n" +
+	"\x19app/proxyman/config.proto\x12\x11xray.app.proxyman\x1a\x18common/net/address.proto\x1a\x15common/net/port.proto\x1a\x1ftransport/internet/config.proto\x1a!common/serial/typed_message.proto\x1a\x1bcommon/geodata/geodat.proto\"\x0f\n" +
+	"\rInboundConfig\"\xad\x02\n" +
 	"\x0eSniffingConfig\x12\x18\n" +
 	"\aenabled\x18\x01 \x01(\bR\aenabled\x121\n" +
-	"\x14destination_override\x18\x02 \x03(\tR\x13destinationOverride\x12)\n" +
-	"\x10domains_excluded\x18\x03 \x03(\tR\x0fdomainsExcluded\x12#\n" +
+	"\x14destination_override\x18\x02 \x03(\tR\x13destinationOverride\x12J\n" +
+	"\x10domains_excluded\x18\x03 \x03(\v2\x1f.xray.common.geodata.DomainRuleR\x0fdomainsExcluded\x12>\n" +
+	"\fips_excluded\x18\x06 \x03(\v2\x1b.xray.common.geodata.IPRuleR\vipsExcluded\x12#\n" +
 	"\rmetadata_only\x18\x04 \x01(\bR\fmetadataOnly\x12\x1d\n" +
 	"\n" +
 	"route_only\x18\x05 \x01(\bR\trouteOnly\"\xe5\x02\n" +
@@ -532,30 +542,34 @@ var file_app_proxyman_config_proto_goTypes = []any{
 	(*OutboundConfig)(nil),        // 4: xray.app.proxyman.OutboundConfig
 	(*SenderConfig)(nil),          // 5: xray.app.proxyman.SenderConfig
 	(*MultiplexingConfig)(nil),    // 6: xray.app.proxyman.MultiplexingConfig
-	(*net.PortList)(nil),          // 7: xray.common.net.PortList
-	(*net.IPOrDomain)(nil),        // 8: xray.common.net.IPOrDomain
-	(*internet.StreamConfig)(nil), // 9: xray.transport.internet.StreamConfig
-	(*serial.TypedMessage)(nil),   // 10: xray.common.serial.TypedMessage
-	(*internet.ProxyConfig)(nil),  // 11: xray.transport.internet.ProxyConfig
-	(internet.DomainStrategy)(0),  // 12: xray.transport.internet.DomainStrategy
+	(*geodata.DomainRule)(nil),    // 7: xray.common.geodata.DomainRule
+	(*geodata.IPRule)(nil),        // 8: xray.common.geodata.IPRule
+	(*net.PortList)(nil),          // 9: xray.common.net.PortList
+	(*net.IPOrDomain)(nil),        // 10: xray.common.net.IPOrDomain
+	(*internet.StreamConfig)(nil), // 11: xray.transport.internet.StreamConfig
+	(*serial.TypedMessage)(nil),   // 12: xray.common.serial.TypedMessage
+	(*internet.ProxyConfig)(nil),  // 13: xray.transport.internet.ProxyConfig
+	(internet.DomainStrategy)(0),  // 14: xray.transport.internet.DomainStrategy
 }
 var file_app_proxyman_config_proto_depIdxs = []int32{
-	7,  // 0: xray.app.proxyman.ReceiverConfig.port_list:type_name -> xray.common.net.PortList
-	8,  // 1: xray.app.proxyman.ReceiverConfig.listen:type_name -> xray.common.net.IPOrDomain
-	9,  // 2: xray.app.proxyman.ReceiverConfig.stream_settings:type_name -> xray.transport.internet.StreamConfig
-	1,  // 3: xray.app.proxyman.ReceiverConfig.sniffing_settings:type_name -> xray.app.proxyman.SniffingConfig
-	10, // 4: xray.app.proxyman.InboundHandlerConfig.receiver_settings:type_name -> xray.common.serial.TypedMessage
-	10, // 5: xray.app.proxyman.InboundHandlerConfig.proxy_settings:type_name -> xray.common.serial.TypedMessage
-	8,  // 6: xray.app.proxyman.SenderConfig.via:type_name -> xray.common.net.IPOrDomain
-	9,  // 7: xray.app.proxyman.SenderConfig.stream_settings:type_name -> xray.transport.internet.StreamConfig
-	11, // 8: xray.app.proxyman.SenderConfig.proxy_settings:type_name -> xray.transport.internet.ProxyConfig
-	6,  // 9: xray.app.proxyman.SenderConfig.multiplex_settings:type_name -> xray.app.proxyman.MultiplexingConfig
-	12, // 10: xray.app.proxyman.SenderConfig.target_strategy:type_name -> xray.transport.internet.DomainStrategy
-	11, // [11:11] is the sub-list for method output_type
-	11, // [11:11] is the sub-list for method input_type
-	11, // [11:11] is the sub-list for extension type_name
-	11, // [11:11] is the sub-list for extension extendee
-	0,  // [0:11] is the sub-list for field type_name
+	7,  // 0: xray.app.proxyman.SniffingConfig.domains_excluded:type_name -> xray.common.geodata.DomainRule
+	8,  // 1: xray.app.proxyman.SniffingConfig.ips_excluded:type_name -> xray.common.geodata.IPRule
+	9,  // 2: xray.app.proxyman.ReceiverConfig.port_list:type_name -> xray.common.net.PortList
+	10, // 3: xray.app.proxyman.ReceiverConfig.listen:type_name -> xray.common.net.IPOrDomain
+	11, // 4: xray.app.proxyman.ReceiverConfig.stream_settings:type_name -> xray.transport.internet.StreamConfig
+	1,  // 5: xray.app.proxyman.ReceiverConfig.sniffing_settings:type_name -> xray.app.proxyman.SniffingConfig
+	12, // 6: xray.app.proxyman.InboundHandlerConfig.receiver_settings:type_name -> xray.common.serial.TypedMessage
+	12, // 7: xray.app.proxyman.InboundHandlerConfig.proxy_settings:type_name -> xray.common.serial.TypedMessage
+	10, // 8: xray.app.proxyman.SenderConfig.via:type_name -> xray.common.net.IPOrDomain
+	11, // 9: xray.app.proxyman.SenderConfig.stream_settings:type_name -> xray.transport.internet.StreamConfig
+	13, // 10: xray.app.proxyman.SenderConfig.proxy_settings:type_name -> xray.transport.internet.ProxyConfig
+	6,  // 11: xray.app.proxyman.SenderConfig.multiplex_settings:type_name -> xray.app.proxyman.MultiplexingConfig
+	14, // 12: xray.app.proxyman.SenderConfig.target_strategy:type_name -> xray.transport.internet.DomainStrategy
+	13, // [13:13] is the sub-list for method output_type
+	13, // [13:13] is the sub-list for method input_type
+	13, // [13:13] is the sub-list for extension type_name
+	13, // [13:13] is the sub-list for extension extendee
+	0,  // [0:13] is the sub-list for field type_name
 }

 func init() { file_app_proxyman_config_proto_init() }
--- a/app/proxyman/config.proto
+++ b/app/proxyman/config.proto
@@ -10,6 +10,7 @@ import "common/net/address.proto";
 import "common/net/port.proto";
 import "transport/internet/config.proto";
 import "common/serial/typed_message.proto";
+import "common/geodata/geodat.proto";

 message InboundConfig {}

@@ -20,7 +21,10 @@ message SniffingConfig {
  // Override target destination if sniff'ed protocol is in the given list.
  // Supported values are "http", "tls", "fakedns".
  repeated string destination_override = 2;
-  repeated string domains_excluded = 3;
+
+  repeated xray.common.geodata.DomainRule domains_excluded = 3;
+
+  repeated xray.common.geodata.IPRule ips_excluded = 6;

  // Whether should only try to sniff metadata without waiting for client input.
  // Can be used to support SMTP like protocol where server send the first
--- a/app/proxyman/inbound/always.go
+++ b/app/proxyman/inbound/always.go
@@ -53,18 +53,17 @@ type AlwaysOnInboundHandler struct {
 }

 func NewAlwaysOnInboundHandler(ctx context.Context, tag string, receiverConfig *proxyman.ReceiverConfig, proxyConfig interface{}) (*AlwaysOnInboundHandler, error) {
+	sniffingRequest, err := proxyman.BuildSniffingRequest(receiverConfig.SniffingSettings)
+	if err != nil {
+		return nil, err
+	}
+
 	// Set tag and sniffing config in context before creating proxy
 	// This allows proxies like TUN to access these settings
 	ctx = session.ContextWithInbound(ctx, &session.Inbound{Tag: tag})
 	if receiverConfig.SniffingSettings != nil {
 		ctx = session.ContextWithContent(ctx, &session.Content{
-			SniffingRequest: session.SniffingRequest{
-				Enabled:                        receiverConfig.SniffingSettings.Enabled,
-				OverrideDestinationForProtocol: receiverConfig.SniffingSettings.DestinationOverride,
-				ExcludeForDomain:               receiverConfig.SniffingSettings.DomainsExcluded,
-				MetadataOnly:                   receiverConfig.SniffingSettings.MetadataOnly,
-				RouteOnly:                      receiverConfig.SniffingSettings.RouteOnly,
-			},
+			SniffingRequest: sniffingRequest,
 		})
 	}
 	rawProxy, err := common.CreateObject(ctx, proxyConfig)
@@ -117,7 +116,7 @@ func NewAlwaysOnInboundHandler(ctx context.Context, tag string, receiverConfig *
 				stream:          mss,
 				tag:             tag,
 				dispatcher:      h.mux,
-				sniffingConfig:  receiverConfig.SniffingSettings,
+				sniffingRequest: sniffingRequest,
 				uplinkCounter:   uplinkCounter,
 				downlinkCounter: downlinkCounter,
 				ctx:             ctx,
@@ -139,7 +138,7 @@ func NewAlwaysOnInboundHandler(ctx context.Context, tag string, receiverConfig *
 						recvOrigDest:    receiverConfig.ReceiveOriginalDestination,
 						tag:             tag,
 						dispatcher:      h.mux,
-						sniffingConfig:  receiverConfig.SniffingSettings,
+						sniffingRequest: sniffingRequest,
 						uplinkCounter:   uplinkCounter,
 						downlinkCounter: downlinkCounter,
 						ctx:             ctx,
@@ -154,7 +153,7 @@ func NewAlwaysOnInboundHandler(ctx context.Context, tag string, receiverConfig *
 						address:         address,
 						port:            net.Port(port),
 						dispatcher:      h.mux,
-						sniffingConfig:  receiverConfig.SniffingSettings,
+						sniffingRequest: sniffingRequest,
 						uplinkCounter:   uplinkCounter,
 						downlinkCounter: downlinkCounter,
 						stream:          mss,
@@ -186,6 +185,7 @@ func (h *AlwaysOnInboundHandler) Close() error {
 		errs = append(errs, worker.Close())
 	}
 	errs = append(errs, h.mux.Close())
+	errs = append(errs, common.Close(h.proxy))
 	if err := errors.Combine(errs...); err != nil {
 		return errors.New("failed to close all resources").Base(err)
 	}
--- a/app/proxyman/inbound/worker.go
+++ b/app/proxyman/inbound/worker.go
@@ -6,7 +6,6 @@ import (
 	"sync/atomic"
 	"time"

-	"github.com/xtls/xray-core/app/proxyman"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/buf"
 	c "github.com/xtls/xray-core/common/ctx"
@@ -19,7 +18,9 @@ import (
 	"github.com/xtls/xray-core/features/routing"
 	"github.com/xtls/xray-core/features/stats"
 	"github.com/xtls/xray-core/proxy"
+	hysteria_proxy "github.com/xtls/xray-core/proxy/hysteria"
 	"github.com/xtls/xray-core/transport/internet"
+	"github.com/xtls/xray-core/transport/internet/hysteria"
 	"github.com/xtls/xray-core/transport/internet/stat"
 	"github.com/xtls/xray-core/transport/internet/tcp"
 	"github.com/xtls/xray-core/transport/internet/udp"
@@ -41,7 +42,7 @@ type tcpWorker struct {
 	recvOrigDest    bool
 	tag             string
 	dispatcher      routing.Dispatcher
-	sniffingConfig  *proxyman.SniffingConfig
+	sniffingRequest session.SniffingRequest
 	uplinkCounter   stats.Counter
 	downlinkCounter stats.Counter

@@ -116,13 +117,7 @@ func (w *tcpWorker) callback(conn stat.Connection) {
 	})

 	content := new(session.Content)
-	if w.sniffingConfig != nil {
-		content.SniffingRequest.Enabled = w.sniffingConfig.Enabled
-		content.SniffingRequest.OverrideDestinationForProtocol = w.sniffingConfig.DestinationOverride
-		content.SniffingRequest.ExcludeForDomain = w.sniffingConfig.DomainsExcluded
-		content.SniffingRequest.MetadataOnly = w.sniffingConfig.MetadataOnly
-		content.SniffingRequest.RouteOnly = w.sniffingConfig.RouteOnly
-	}
+	content.SniffingRequest = w.sniffingRequest
 	ctx = session.ContextWithContent(ctx, content)

 	if err := w.proxy.Process(ctx, net.Network_TCP, conn, w.dispatcher); err != nil {
@@ -138,6 +133,11 @@ func (w *tcpWorker) Proxy() proxy.Inbound {

 func (w *tcpWorker) Start() error {
 	ctx := context.Background()
+
+	if v, ok := w.proxy.(*hysteria_proxy.Server); ok {
+		ctx = hysteria.ContextWithValidator(ctx, v.HysteriaInboundValidator())
+	}
+
 	hub, err := internet.ListenTCP(ctx, w.address, w.port, w.stream, func(conn stat.Connection) {
 		go w.callback(conn)
 	})
@@ -266,7 +266,7 @@ type udpWorker struct {
 	tag             string
 	stream          *internet.MemoryStreamConfig
 	dispatcher      routing.Dispatcher
-	sniffingConfig  *proxyman.SniffingConfig
+	sniffingRequest session.SniffingRequest
 	uplinkCounter   stats.Counter
 	downlinkCounter stats.Counter

@@ -356,13 +356,7 @@ func (w *udpWorker) callback(b *buf.Buffer, source net.Destination, originalDest
 				Tag:     w.tag,
 			})
 			content := new(session.Content)
-			if w.sniffingConfig != nil {
-				content.SniffingRequest.Enabled = w.sniffingConfig.Enabled
-				content.SniffingRequest.OverrideDestinationForProtocol = w.sniffingConfig.DestinationOverride
-				content.SniffingRequest.ExcludeForDomain = w.sniffingConfig.DomainsExcluded
-				content.SniffingRequest.MetadataOnly = w.sniffingConfig.MetadataOnly
-				content.SniffingRequest.RouteOnly = w.sniffingConfig.RouteOnly
-			}
+			content.SniffingRequest = w.sniffingRequest
 			ctx = session.ContextWithContent(ctx, content)
 			if err := w.proxy.Process(ctx, net.Network_UDP, conn, w.dispatcher); err != nil {
 				errors.LogInfoInner(ctx, err, "connection ends")
@@ -478,7 +472,7 @@ type dsWorker struct {
 	stream          *internet.MemoryStreamConfig
 	tag             string
 	dispatcher      routing.Dispatcher
-	sniffingConfig  *proxyman.SniffingConfig
+	sniffingRequest session.SniffingRequest
 	uplinkCounter   stats.Counter
 	downlinkCounter stats.Counter

@@ -508,13 +502,7 @@ func (w *dsWorker) callback(conn stat.Connection) {
 	})

 	content := new(session.Content)
-	if w.sniffingConfig != nil {
-		content.SniffingRequest.Enabled = w.sniffingConfig.Enabled
-		content.SniffingRequest.OverrideDestinationForProtocol = w.sniffingConfig.DestinationOverride
-		content.SniffingRequest.ExcludeForDomain = w.sniffingConfig.DomainsExcluded
-		content.SniffingRequest.MetadataOnly = w.sniffingConfig.MetadataOnly
-		content.SniffingRequest.RouteOnly = w.sniffingConfig.RouteOnly
-	}
+	content.SniffingRequest = w.sniffingRequest
 	ctx = session.ContextWithContent(ctx, content)

 	if err := w.proxy.Process(ctx, net.Network_UNIX, conn, w.dispatcher); err != nil {
--- a/app/proxyman/outbound/handler_test.go
+++ b/app/proxyman/outbound/handler_test.go
@@ -48,7 +48,7 @@ func TestOutboundWithoutStatCounter(t *testing.T) {
 	ctx = session.ContextWithOutbounds(ctx, []*session.Outbound{{}})
 	h, _ := NewHandler(ctx, &core.OutboundHandlerConfig{
 		Tag:           "tag",
-		ProxySettings: serial.ToTypedMessage(&freedom.Config{}),
+		ProxySettings: serial.ToTypedMessage(&freedom.Config{FinalRules: []*freedom.FinalRuleConfig{{Action: freedom.RuleAction_Allow}}}),
 	})
 	conn, _ := h.(*Handler).Dial(ctx, net.TCPDestination(net.DomainAddress("localhost"), 13146))
 	_, ok := conn.(*stat.CounterConnection)
@@ -78,7 +78,7 @@ func TestOutboundWithStatCounter(t *testing.T) {
 	ctx = session.ContextWithOutbounds(ctx, []*session.Outbound{{}})
 	h, _ := NewHandler(ctx, &core.OutboundHandlerConfig{
 		Tag:           "tag",
-		ProxySettings: serial.ToTypedMessage(&freedom.Config{}),
+		ProxySettings: serial.ToTypedMessage(&freedom.Config{FinalRules: []*freedom.FinalRuleConfig{{Action: freedom.RuleAction_Allow}}}),
 	})
 	conn, _ := h.(*Handler).Dial(ctx, net.TCPDestination(net.DomainAddress("localhost"), 13146))
 	_, ok := conn.(*stat.CounterConnection)
@@ -118,7 +118,7 @@ func TestTagsCache(t *testing.T) {
 			tag := fmt.Sprintf("%s%d", tags_prefix, idx)
 			cfg := &core.OutboundHandlerConfig{
 				Tag:           tag,
-				ProxySettings: serial.ToTypedMessage(&freedom.Config{}),
+				ProxySettings: serial.ToTypedMessage(&freedom.Config{FinalRules: []*freedom.FinalRuleConfig{{Action: freedom.RuleAction_Allow}}}),
 			}
 			if h, err := NewHandler(ctx, cfg); err == nil {
 				if err := ohm.AddHandler(ctx, h); err == nil {
--- a/app/router/command/command_test.go
+++ b/app/router/command/command_test.go
@@ -12,6 +12,7 @@ import (
 	. "github.com/xtls/xray-core/app/router/command"
 	"github.com/xtls/xray-core/app/stats"
 	"github.com/xtls/xray-core/common"
+	"github.com/xtls/xray-core/common/geodata"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/features/routing"
 	"github.com/xtls/xray-core/testing/mocks"
@@ -303,12 +304,12 @@ func TestServiceTestRoute(t *testing.T) {
 				TargetTag:      &router.RoutingRule_Tag{Tag: "out"},
 			},
 			{
-				Domain:    []*router.Domain{{Type: router.Domain_Domain, Value: "com"}},
+				Domain:    []*geodata.DomainRule{{Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Domain, Value: "com"}}}},
 				TargetTag: &router.RoutingRule_Tag{Tag: "out"},
 			},
 			{
-				SourceGeoip: []*router.GeoIP{{CountryCode: "private", Cidr: []*router.CIDR{{Ip: []byte{127, 0, 0, 0}, Prefix: 8}}}},
-				TargetTag:   &router.RoutingRule_Tag{Tag: "out"},
+				SourceIp:  []*geodata.IPRule{{Value: &geodata.IPRule_Custom{Custom: &geodata.CIDRRule{Cidr: &geodata.CIDR{Ip: []byte{127, 0, 0, 0}, Prefix: 8}}}}},
+				TargetTag: &router.RoutingRule_Tag{Tag: "out"},
 			},
 			{
 				UserEmail: []string{"example@example.com"},
--- a/app/router/condition.go
+++ b/app/router/condition.go
@@ -2,7 +2,6 @@ package router

 import (
 	"context"
-	"io"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -10,9 +9,10 @@ import (
 	"strings"

 	"github.com/xtls/xray-core/common/errors"
+	"github.com/xtls/xray-core/common/geodata"
 	"github.com/xtls/xray-core/common/net"
-	"github.com/xtls/xray-core/common/strmatcher"
 	"github.com/xtls/xray-core/features/routing"
+	"github.com/xtls/xray-core/features/routing/dns"
 )

 type Condition interface {
@@ -45,67 +45,18 @@ func (v *ConditionChan) Len() int {
 	return len(*v)
 }

-var matcherTypeMap = map[Domain_Type]strmatcher.Type{
-	Domain_Plain:  strmatcher.Substr,
-	Domain_Regex:  strmatcher.Regex,
-	Domain_Domain: strmatcher.Domain,
-	Domain_Full:   strmatcher.Full,
-}
+type DomainMatcher struct{ geodata.DomainMatcher }

-type DomainMatcher struct {
-	Matchers strmatcher.IndexMatcher
-}
-
-func SerializeDomainMatcher(domains []*Domain, w io.Writer) error {
-
-	g := strmatcher.NewMphMatcherGroup()
-	for _, d := range domains {
-		matcherType, f := matcherTypeMap[d.Type]
-		if !f {
-			continue
-		}
-
-		_, err := g.AddPattern(d.Value, matcherType)
-		if err != nil {
-			return err
-		}
-	}
-	g.Build()
-	// serialize
-	return g.Serialize(w)
-}
-
-func NewDomainMatcherFromBuffer(data []byte) (*strmatcher.MphMatcherGroup, error) {
-	matcher, err := strmatcher.NewMphMatcherGroupFromBuffer(data)
+func NewDomainMatcher(rules []*geodata.DomainRule) (*DomainMatcher, error) {
+	m, err := geodata.DomainReg.BuildDomainMatcher(rules)
 	if err != nil {
 		return nil, err
 	}
-	return matcher, nil
-}
-
-func NewMphMatcherGroup(domains []*Domain) (*DomainMatcher, error) {
-	g := strmatcher.NewMphMatcherGroup()
-	for i, d := range domains {
-		domains[i] = nil
-		matcherType, f := matcherTypeMap[d.Type]
-		if !f {
-			errors.LogError(context.Background(), "ignore unsupported domain type ", d.Type, " of rule ", d.Value)
-			continue
-		}
-		_, err := g.AddPattern(d.Value, matcherType)
-		if err != nil {
-			errors.LogErrorInner(context.Background(), err, "ignore domain rule ", d.Type, " ", d.Value)
-			continue
-		}
-	}
-	g.Build()
-	return &DomainMatcher{
-		Matchers: g,
-	}, nil
+	return &DomainMatcher{DomainMatcher: m}, nil
 }

 func (m *DomainMatcher) ApplyDomain(domain string) bool {
-	return len(m.Matchers.Match(strings.ToLower(domain))) > 0
+	return m.DomainMatcher.MatchAny(strings.ToLower(domain))
 }

 // Apply implements Condition.
@@ -114,7 +65,7 @@ func (m *DomainMatcher) Apply(ctx routing.Context) bool {
 	if len(domain) == 0 {
 		return false
 	}
-	return m.ApplyDomain(domain)
+	return m.DomainMatcher.MatchAny(strings.ToLower(domain))
 }

 type MatcherAsType byte
@@ -127,16 +78,16 @@ const (
 )

 type IPMatcher struct {
-	matcher GeoIPMatcher
+	matcher geodata.IPMatcher
 	asType  MatcherAsType
 }

-func NewIPMatcher(geoips []*GeoIP, asType MatcherAsType) (*IPMatcher, error) {
-	matcher, err := BuildOptimizedGeoIPMatcher(geoips...)
+func NewIPMatcher(rules []*geodata.IPRule, asType MatcherAsType) (*IPMatcher, error) {
+	m, err := geodata.IPReg.BuildIPMatcher(rules)
 	if err != nil {
 		return nil, err
 	}
-	return &IPMatcher{matcher: matcher, asType: asType}, nil
+	return &IPMatcher{matcher: m, asType: asType}, nil
 }

 // Apply implements Condition.
@@ -390,8 +341,10 @@ func (m *ProcessNameMatcher) Apply(ctx routing.Context) bool {
 	if len(ctx.GetSourceIPs()) == 0 {
 		return false
 	}
-	srcPort := ctx.GetSourcePort().String()
+
+	srcPort := uint16(ctx.GetSourcePort())
 	srcIP := ctx.GetSourceIPs()[0].String()
+
 	var network string
 	switch ctx.GetNetwork() {
 	case net.Network_TCP:
@@ -401,11 +354,21 @@ func (m *ProcessNameMatcher) Apply(ctx routing.Context) bool {
 	default:
 		return false
 	}
-	src, err := net.ParseDestination(strings.Join([]string{network, srcIP, srcPort}, ":"))
-	if err != nil {
-		return false
+
+	var dstIP string
+	var dstPort uint16 = 0
+
+	// do not use resolved IP because Android process lookup needs original dst ip
+	resolvableContext, ok := ctx.(*dns.ResolvableContext)
+	if ok && len(resolvableContext.Context.GetTargetIPs()) > 0 {
+		dstIP = resolvableContext.Context.GetTargetIPs()[0].String()
+		dstPort = uint16(resolvableContext.Context.GetTargetPort())
+	} else if len(ctx.GetTargetIPs()) > 0 {
+		dstIP = ctx.GetTargetIPs()[0].String()
+		dstPort = uint16(ctx.GetTargetPort())
 	}
-	pid, name, absPath, err := net.FindProcess(src)
+
+	pid, name, absPath, err := net.FindProcess(network, srcIP, uint16(srcPort), dstIP, uint16(dstPort))
 	if err != nil {
 		if err != net.ErrNotLocal {
 			errors.LogError(context.Background(), "Unables to find local process name: ", err)
--- a/app/router/condition_geoip_test.go
+++ b/app/router/condition_geoip_test.go
@@ -1,266 +0,0 @@
-package router_test
-
-import (
-	"fmt"
-	"os"
-	"path/filepath"
-	"testing"
-
-	"github.com/xtls/xray-core/app/router"
-	"github.com/xtls/xray-core/common"
-	"github.com/xtls/xray-core/common/net"
-	"github.com/xtls/xray-core/common/platform"
-	"github.com/xtls/xray-core/common/platform/filesystem"
-	"google.golang.org/protobuf/proto"
-)
-
-func getAssetPath(file string) (string, error) {
-	path := platform.GetAssetLocation(file)
-	_, err := os.Stat(path)
-	if os.IsNotExist(err) {
-		path := filepath.Join("..", "..", "resources", file)
-		_, err := os.Stat(path)
-		if os.IsNotExist(err) {
-			return "", fmt.Errorf("can't find %s in standard asset locations or {project_root}/resources", file)
-		}
-		if err != nil {
-			return "", fmt.Errorf("can't stat %s: %v", path, err)
-		}
-		return path, nil
-	}
-	if err != nil {
-		return "", fmt.Errorf("can't stat %s: %v", path, err)
-	}
-
-	return path, nil
-}
-
-func TestGeoIPMatcher(t *testing.T) {
-	cidrList := []*router.CIDR{
-		{Ip: []byte{0, 0, 0, 0}, Prefix: 8},
-		{Ip: []byte{10, 0, 0, 0}, Prefix: 8},
-		{Ip: []byte{100, 64, 0, 0}, Prefix: 10},
-		{Ip: []byte{127, 0, 0, 0}, Prefix: 8},
-		{Ip: []byte{169, 254, 0, 0}, Prefix: 16},
-		{Ip: []byte{172, 16, 0, 0}, Prefix: 12},
-		{Ip: []byte{192, 0, 0, 0}, Prefix: 24},
-		{Ip: []byte{192, 0, 2, 0}, Prefix: 24},
-		{Ip: []byte{192, 168, 0, 0}, Prefix: 16},
-		{Ip: []byte{192, 18, 0, 0}, Prefix: 15},
-		{Ip: []byte{198, 51, 100, 0}, Prefix: 24},
-		{Ip: []byte{203, 0, 113, 0}, Prefix: 24},
-		{Ip: []byte{8, 8, 8, 8}, Prefix: 32},
-		{Ip: []byte{91, 108, 4, 0}, Prefix: 16},
-	}
-
-	matcher, err := router.BuildOptimizedGeoIPMatcher(&router.GeoIP{
-		Cidr: cidrList,
-	})
-	common.Must(err)
-
-	testCases := []struct {
-		Input  string
-		Output bool
-	}{
-		{
-			Input:  "192.168.1.1",
-			Output: true,
-		},
-		{
-			Input:  "192.0.0.0",
-			Output: true,
-		},
-		{
-			Input:  "192.0.1.0",
-			Output: false,
-		},
-		{
-			Input:  "0.1.0.0",
-			Output: true,
-		},
-		{
-			Input:  "1.0.0.1",
-			Output: false,
-		},
-		{
-			Input:  "8.8.8.7",
-			Output: false,
-		},
-		{
-			Input:  "8.8.8.8",
-			Output: true,
-		},
-		{
-			Input:  "2001:cdba::3257:9652",
-			Output: false,
-		},
-		{
-			Input:  "91.108.255.254",
-			Output: true,
-		},
-	}
-
-	for _, testCase := range testCases {
-		ip := net.ParseAddress(testCase.Input).IP()
-		actual := matcher.Match(ip)
-		if actual != testCase.Output {
-			t.Error("expect input", testCase.Input, "to be", testCase.Output, ", but actually", actual)
-		}
-	}
-}
-
-func TestGeoIPMatcherRegression(t *testing.T) {
-	cidrList := []*router.CIDR{
-		{Ip: []byte{98, 108, 20, 0}, Prefix: 22},
-		{Ip: []byte{98, 108, 20, 0}, Prefix: 23},
-	}
-
-	matcher, err := router.BuildOptimizedGeoIPMatcher(&router.GeoIP{
-		Cidr: cidrList,
-	})
-	common.Must(err)
-
-	testCases := []struct {
-		Input  string
-		Output bool
-	}{
-		{
-			Input:  "98.108.22.11",
-			Output: true,
-		},
-		{
-			Input:  "98.108.25.0",
-			Output: false,
-		},
-	}
-
-	for _, testCase := range testCases {
-		ip := net.ParseAddress(testCase.Input).IP()
-		actual := matcher.Match(ip)
-		if actual != testCase.Output {
-			t.Error("expect input", testCase.Input, "to be", testCase.Output, ", but actually", actual)
-		}
-	}
-}
-
-func TestGeoIPReverseMatcher(t *testing.T) {
-	cidrList := []*router.CIDR{
-		{Ip: []byte{8, 8, 8, 8}, Prefix: 32},
-		{Ip: []byte{91, 108, 4, 0}, Prefix: 16},
-	}
-	matcher, err := router.BuildOptimizedGeoIPMatcher(&router.GeoIP{
-		Cidr: cidrList,
-	})
-	common.Must(err)
-	matcher.SetReverse(true) // Reverse match
-
-	testCases := []struct {
-		Input  string
-		Output bool
-	}{
-		{
-			Input:  "8.8.8.8",
-			Output: false,
-		},
-		{
-			Input:  "2001:cdba::3257:9652",
-			Output: true,
-		},
-		{
-			Input:  "91.108.255.254",
-			Output: false,
-		},
-	}
-
-	for _, testCase := range testCases {
-		ip := net.ParseAddress(testCase.Input).IP()
-		actual := matcher.Match(ip)
-		if actual != testCase.Output {
-			t.Error("expect input", testCase.Input, "to be", testCase.Output, ", but actually", actual)
-		}
-	}
-}
-
-func TestGeoIPMatcher4CN(t *testing.T) {
-	ips, err := loadGeoIP("CN")
-	common.Must(err)
-
-	matcher, err := router.BuildOptimizedGeoIPMatcher(&router.GeoIP{
-		Cidr: ips,
-	})
-	common.Must(err)
-
-	if matcher.Match([]byte{8, 8, 8, 8}) {
-		t.Error("expect CN geoip doesn't contain 8.8.8.8, but actually does")
-	}
-}
-
-func TestGeoIPMatcher6US(t *testing.T) {
-	ips, err := loadGeoIP("US")
-	common.Must(err)
-
-	matcher, err := router.BuildOptimizedGeoIPMatcher(&router.GeoIP{
-		Cidr: ips,
-	})
-	common.Must(err)
-
-	if !matcher.Match(net.ParseAddress("2001:4860:4860::8888").IP()) {
-		t.Error("expect US geoip contain 2001:4860:4860::8888, but actually not")
-	}
-}
-
-func loadGeoIP(country string) ([]*router.CIDR, error) {
-	path, err := getAssetPath("geoip.dat")
-	if err != nil {
-		return nil, err
-	}
-	geoipBytes, err := filesystem.ReadFile(path)
-	if err != nil {
-		return nil, err
-	}
-
-	var geoipList router.GeoIPList
-	if err := proto.Unmarshal(geoipBytes, &geoipList); err != nil {
-		return nil, err
-	}
-
-	for _, geoip := range geoipList.Entry {
-		if geoip.CountryCode == country {
-			return geoip.Cidr, nil
-		}
-	}
-
-	panic("country not found: " + country)
-}
-
-func BenchmarkGeoIPMatcher4CN(b *testing.B) {
-	ips, err := loadGeoIP("CN")
-	common.Must(err)
-
-	matcher, err := router.BuildOptimizedGeoIPMatcher(&router.GeoIP{
-		Cidr: ips,
-	})
-	common.Must(err)
-
-	b.ResetTimer()
-
-	for i := 0; i < b.N; i++ {
-		_ = matcher.Match([]byte{8, 8, 8, 8})
-	}
-}
-
-func BenchmarkGeoIPMatcher6US(b *testing.B) {
-	ips, err := loadGeoIP("US")
-	common.Must(err)
-
-	matcher, err := router.BuildOptimizedGeoIPMatcher(&router.GeoIP{
-		Cidr: ips,
-	})
-	common.Must(err)
-
-	b.ResetTimer()
-
-	for i := 0; i < b.N; i++ {
-		_ = matcher.Match(net.ParseAddress("2001:4860:4860::8888").IP())
-	}
-}
--- a/app/router/condition_serialize_test.go
+++ b/app/router/condition_serialize_test.go
@@ -1,167 +0,0 @@
-package router_test
-
-import (
-	"bytes"
-	"os"
-	"path/filepath"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-	"github.com/xtls/xray-core/app/router"
-	"github.com/xtls/xray-core/common/platform/filesystem"
-)
-
-func TestDomainMatcherSerialization(t *testing.T) {
-
-	domains := []*router.Domain{
-		{Type: router.Domain_Domain, Value: "google.com"},
-		{Type: router.Domain_Domain, Value: "v2ray.com"},
-		{Type: router.Domain_Full, Value: "full.example.com"},
-	}
-
-	var buf bytes.Buffer
-	if err := router.SerializeDomainMatcher(domains, &buf); err != nil {
-		t.Fatalf("Serialize failed: %v", err)
-	}
-
-	matcher, err := router.NewDomainMatcherFromBuffer(buf.Bytes())
-	if err != nil {
-		t.Fatalf("Deserialize failed: %v", err)
-	}
-
-	dMatcher := &router.DomainMatcher{
-		Matchers: matcher,
-	}
-	testCases := []struct {
-		Input string
-		Match bool
-	}{
-		{"google.com", true},
-		{"maps.google.com", true},
-		{"v2ray.com", true},
-		{"full.example.com", true},
-
-		{"example.com", false},
-	}
-
-	for _, tc := range testCases {
-		if res := dMatcher.ApplyDomain(tc.Input); res != tc.Match {
-			t.Errorf("Match(%s) = %v, want %v", tc.Input, res, tc.Match)
-		}
-	}
-}
-
-func TestGeoSiteSerialization(t *testing.T) {
-	sites := []*router.GeoSite{
-		{
-			CountryCode: "CN",
-			Domain: []*router.Domain{
-				{Type: router.Domain_Domain, Value: "baidu.cn"},
-				{Type: router.Domain_Domain, Value: "qq.com"},
-			},
-		},
-		{
-			CountryCode: "US",
-			Domain: []*router.Domain{
-				{Type: router.Domain_Domain, Value: "google.com"},
-				{Type: router.Domain_Domain, Value: "facebook.com"},
-			},
-		},
-	}
-
-	var buf bytes.Buffer
-	if err := router.SerializeGeoSiteList(sites, nil, nil, &buf); err != nil {
-		t.Fatalf("SerializeGeoSiteList failed: %v", err)
-	}
-
-	tmp := t.TempDir()
-	path := filepath.Join(tmp, "matcher.cache")
-
-	f, err := os.Create(path)
-	require.NoError(t, err)
-	_, err = f.Write(buf.Bytes())
-	require.NoError(t, err)
-	f.Close()
-
-	f, err = os.Open(path)
-	require.NoError(t, err)
-	defer f.Close()
-
-	require.NoError(t, err)
-	data, _ := filesystem.ReadFile(path)
-
-	// cn
-	gp, err := router.LoadGeoSiteMatcher(bytes.NewReader(data), "CN")
-	if err != nil {
-		t.Fatalf("LoadGeoSiteMatcher(CN) failed: %v", err)
-	}
-
-	cnMatcher := &router.DomainMatcher{
-		Matchers: gp,
-	}
-
-	if !cnMatcher.ApplyDomain("baidu.cn") {
-		t.Error("CN matcher should match baidu.cn")
-	}
-	if cnMatcher.ApplyDomain("google.com") {
-		t.Error("CN matcher should NOT match google.com")
-	}
-
-	// us
-	gp, err = router.LoadGeoSiteMatcher(bytes.NewReader(data), "US")
-	if err != nil {
-		t.Fatalf("LoadGeoSiteMatcher(US) failed: %v", err)
-	}
-
-	usMatcher := &router.DomainMatcher{
-		Matchers: gp,
-	}
-	if !usMatcher.ApplyDomain("google.com") {
-		t.Error("US matcher should match google.com")
-	}
-	if usMatcher.ApplyDomain("baidu.cn") {
-		t.Error("US matcher should NOT match baidu.cn")
-	}
-
-	// unknown
-	_, err = router.LoadGeoSiteMatcher(bytes.NewReader(data), "unknown")
-	if err == nil {
-		t.Error("LoadGeoSiteMatcher(unknown) should fail")
-	}
-}
-func TestGeoSiteSerializationWithDeps(t *testing.T) {
-	sites := []*router.GeoSite{
-		{
-			CountryCode: "geosite:cn",
-			Domain: []*router.Domain{
-				{Type: router.Domain_Domain, Value: "baidu.cn"},
-			},
-		},
-		{
-			CountryCode: "geosite:google@cn",
-			Domain: []*router.Domain{
-				{Type: router.Domain_Domain, Value: "google.cn"},
-			},
-		},
-		{
-			CountryCode: "rule-1",
-			Domain: []*router.Domain{
-				{Type: router.Domain_Domain, Value: "google.com"},
-			},
-		},
-	}
-	deps := map[string][]string{
-		"rule-1": {"geosite:cn", "geosite:google@cn"},
-	}
-
-	var buf bytes.Buffer
-	err := router.SerializeGeoSiteList(sites, deps, nil, &buf)
-	require.NoError(t, err)
-
-	matcher, err := router.LoadGeoSiteMatcher(bytes.NewReader(buf.Bytes()), "rule-1")
-	require.NoError(t, err)
-
-	require.True(t, matcher.Match("google.com") != nil)
-	require.True(t, matcher.Match("baidu.cn") != nil)
-	require.True(t, matcher.Match("google.cn") != nil)
-}
--- a/app/router/condition_test.go
+++ b/app/router/condition_test.go
@@ -1,20 +1,19 @@
 package router_test

 import (
+	"path/filepath"
 	"strconv"
 	"testing"

 	. "github.com/xtls/xray-core/app/router"
 	"github.com/xtls/xray-core/common"
-	"github.com/xtls/xray-core/common/errors"
+	"github.com/xtls/xray-core/common/geodata"
 	"github.com/xtls/xray-core/common/net"
-	"github.com/xtls/xray-core/common/platform/filesystem"
 	"github.com/xtls/xray-core/common/protocol"
 	"github.com/xtls/xray-core/common/protocol/http"
 	"github.com/xtls/xray-core/common/session"
 	"github.com/xtls/xray-core/features/routing"
 	routing_session "github.com/xtls/xray-core/features/routing/session"
-	"google.golang.org/protobuf/proto"
 )

 func withBackground() routing.Context {
@@ -45,18 +44,15 @@ func TestRoutingRule(t *testing.T) {
 	}{
 		{
 			rule: &RoutingRule{
-				Domain: []*Domain{
+				Domain: []*geodata.DomainRule{
 					{
-						Value: "example.com",
-						Type:  Domain_Plain,
+						Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Substr, Value: "example.com"}},
 					},
 					{
-						Value: "google.com",
-						Type:  Domain_Domain,
+						Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Domain, Value: "google.com"}},
 					},
 					{
-						Value: "^facebook\\.com$",
-						Type:  Domain_Regex,
+						Value: &geodata.DomainRule_Custom{Custom: &geodata.Domain{Type: geodata.Domain_Regex, Value: "^facebook\\.com$"}},
 					},
 				},
 			},
@@ -93,20 +89,25 @@ func TestRoutingRule(t *testing.T) {
 		},
 		{
 			rule: &RoutingRule{
-				Geoip: []*GeoIP{
+				Ip: []*geodata.IPRule{
 					{
-						Cidr: []*CIDR{
-							{
-								Ip:     []byte{8, 8, 8, 8},
-								Prefix: 32,
+						Value: &geodata.IPRule_Custom{
+							Custom: &geodata.CIDRRule{
+								Cidr: &geodata.CIDR{Ip: []byte{8, 8, 8, 8}, Prefix: 32},
 							},
-							{
-								Ip:     []byte{8, 8, 8, 8},
-								Prefix: 32,
+						},
+					},
+					{
+						Value: &geodata.IPRule_Custom{
+							Custom: &geodata.CIDRRule{
+								Cidr: &geodata.CIDR{Ip: []byte{8, 8, 8, 8}, Prefix: 32},
 							},
-							{
-								Ip:     net.ParseAddress("2001:0db8:85a3:0000:0000:8a2e:0370:7334").IP(),
-								Prefix: 128,
+						},
+					},
+					{
+						Value: &geodata.IPRule_Custom{
+							Custom: &geodata.CIDRRule{
+								Cidr: &geodata.CIDR{Ip: net.ParseAddress("2001:0db8:85a3:0000:0000:8a2e:0370:7334").IP(), Prefix: 128},
 							},
 						},
 					},
@@ -133,12 +134,11 @@ func TestRoutingRule(t *testing.T) {
 		},
 		{
 			rule: &RoutingRule{
-				SourceGeoip: []*GeoIP{
+				SourceIp: []*geodata.IPRule{
 					{
-						Cidr: []*CIDR{
-							{
-								Ip:     []byte{192, 168, 0, 0},
-								Prefix: 16,
+						Value: &geodata.IPRule_Custom{
+							Custom: &geodata.CIDRRule{
+								Cidr: &geodata.CIDR{Ip: []byte{192, 168, 0, 0}, Prefix: 16},
 							},
 						},
 					},
@@ -300,35 +300,12 @@ func TestRoutingRule(t *testing.T) {
 	}
 }

-func loadGeoSite(country string) ([]*Domain, error) {
-	path, err := getAssetPath("geosite.dat")
-	if err != nil {
-		return nil, err
-	}
-	geositeBytes, err := filesystem.ReadFile(path)
-	if err != nil {
-		return nil, err
-	}
-
-	var geositeList GeoSiteList
-	if err := proto.Unmarshal(geositeBytes, &geositeList); err != nil {
-		return nil, err
-	}
-
-	for _, site := range geositeList.Entry {
-		if site.CountryCode == country {
-			return site.Domain, nil
-		}
-	}
-
-	return nil, errors.New("country not found: " + country)
-}
-
 func TestChinaSites(t *testing.T) {
-	domains, err := loadGeoSite("CN")
+	t.Setenv("xray.location.asset", filepath.Join("..", "..", "resources"))
+	rules, err := geodata.ParseDomainRules([]string{"geosite:cn"}, geodata.Domain_Substr)
 	common.Must(err)

-	acMatcher, err := NewMphMatcherGroup(domains)
+	matcher, err := NewDomainMatcher(rules)
 	common.Must(err)

 	type TestCase struct {
@@ -359,18 +336,19 @@ func TestChinaSites(t *testing.T) {
 	}

 	for _, testCase := range testCases {
-		r := acMatcher.ApplyDomain(testCase.Domain)
+		r := matcher.ApplyDomain(testCase.Domain)
 		if r != testCase.Output {
-			t.Error("ACDomainMatcher expected output ", testCase.Output, " for domain ", testCase.Domain, " but got ", r)
+			t.Error("DomainMatcher expected output ", testCase.Output, " for domain ", testCase.Domain, " but got ", r)
 		}
 	}
 }

 func BenchmarkMphDomainMatcher(b *testing.B) {
-	domains, err := loadGeoSite("CN")
+	b.Setenv("xray.location.asset", filepath.Join("..", "..", "resources"))
+	rules, err := geodata.ParseDomainRules([]string{"geosite:cn"}, geodata.Domain_Substr)
 	common.Must(err)

-	matcher, err := NewMphMatcherGroup(domains)
+	matcher, err := NewDomainMatcher(rules)
 	common.Must(err)

 	type TestCase struct {
@@ -409,45 +387,11 @@ func BenchmarkMphDomainMatcher(b *testing.B) {
 }

 func BenchmarkMultiGeoIPMatcher(b *testing.B) {
-	var geoips []*GeoIP
+	b.Setenv("xray.location.asset", filepath.Join("..", "..", "resources"))
+	rules, err := geodata.ParseIPRules([]string{"geoip:cn", "geoip:jp", "geoip:ca", "geoip:us"})
+	common.Must(err)

-	{
-		ips, err := loadGeoIP("CN")
-		common.Must(err)
-		geoips = append(geoips, &GeoIP{
-			CountryCode: "CN",
-			Cidr:        ips,
-		})
-	}
-
-	{
-		ips, err := loadGeoIP("JP")
-		common.Must(err)
-		geoips = append(geoips, &GeoIP{
-			CountryCode: "JP",
-			Cidr:        ips,
-		})
-	}
-
-	{
-		ips, err := loadGeoIP("CA")
-		common.Must(err)
-		geoips = append(geoips, &GeoIP{
-			CountryCode: "CA",
-			Cidr:        ips,
-		})
-	}
-
-	{
-		ips, err := loadGeoIP("US")
-		common.Must(err)
-		geoips = append(geoips, &GeoIP{
-			CountryCode: "US",
-			Cidr:        ips,
-		})
-	}
-
-	matcher, err := NewIPMatcher(geoips, MatcherAsType_Target)
+	matcher, err := NewIPMatcher(rules, MatcherAsType_Target)
 	common.Must(err)

 	ctx := withOutbound(&session.Outbound{Target: net.TCPDestination(net.ParseAddress("8.8.8.8"), 80)})
--- a/app/router/config.go
+++ b/app/router/config.go
@@ -3,12 +3,9 @@ package router
 import (
 	"context"
 	"regexp"
-	"runtime"
 	"strings"

 	"github.com/xtls/xray-core/common/errors"
-	"github.com/xtls/xray-core/common/platform"
-	"github.com/xtls/xray-core/common/platform/filesystem"
 	"github.com/xtls/xray-core/features/outbound"
 	"github.com/xtls/xray-core/features/routing"
 )
@@ -18,6 +15,7 @@ type Rule struct {
 	RuleTag   string
 	Balancer  *Balancer
 	Condition Condition
+	Webhook   *WebhookNotifier
 }

 func (r *Rule) GetTag() (string, error) {
@@ -75,60 +73,37 @@ func (rr *RoutingRule) BuildCondition() (Condition, error) {
 		conds.Add(&AttributeMatcher{configuredKeys})
 	}

-	if len(rr.Geoip) > 0 {
-		cond, err := NewIPMatcher(rr.Geoip, MatcherAsType_Target)
+	if len(rr.Ip) > 0 {
+		cond, err := NewIPMatcher(rr.Ip, MatcherAsType_Target)
 		if err != nil {
 			return nil, err
 		}
 		conds.Add(cond)
-		rr.Geoip = nil
-		runtime.GC()
 	}

-	if len(rr.SourceGeoip) > 0 {
-		cond, err := NewIPMatcher(rr.SourceGeoip, MatcherAsType_Source)
+	if len(rr.SourceIp) > 0 {
+		cond, err := NewIPMatcher(rr.SourceIp, MatcherAsType_Source)
 		if err != nil {
 			return nil, err
 		}
 		conds.Add(cond)
-		rr.SourceGeoip = nil
-		runtime.GC()
 	}

-	if len(rr.LocalGeoip) > 0 {
-		cond, err := NewIPMatcher(rr.LocalGeoip, MatcherAsType_Local)
+	if len(rr.LocalIp) > 0 {
+		cond, err := NewIPMatcher(rr.LocalIp, MatcherAsType_Local)
 		if err != nil {
 			return nil, err
 		}
 		conds.Add(cond)
 		errors.LogWarning(context.Background(), "Due to some limitations, in UDP connections, localIP is always equal to listen interface IP, so \"localIP\" rule condition does not work properly on UDP inbound connections that listen on all interfaces")
-		rr.LocalGeoip = nil
-		runtime.GC()
 	}

 	if len(rr.Domain) > 0 {
-		var matcher *DomainMatcher
-		var err error
-		// Check if domain matcher cache is provided via environment
-		domainMatcherPath := platform.NewEnvFlag(platform.MphCachePath).GetValue(func() string { return "" })
-
-		if domainMatcherPath != "" {
-			matcher, err = GetDomainMatcherWithRuleTag(domainMatcherPath, rr.RuleTag)
-			if err != nil {
-				return nil, errors.New("failed to build domain condition from cached MphDomainMatcher").Base(err)
-			}
-			errors.LogDebug(context.Background(), "MphDomainMatcher loaded from cache for ", rr.RuleTag, " rule tag)")
-
-		} else {
-			matcher, err = NewMphMatcherGroup(rr.Domain)
-			if err != nil {
-				return nil, errors.New("failed to build domain condition with MphDomainMatcher").Base(err)
-			}
-			errors.LogDebug(context.Background(), "MphDomainMatcher is enabled for ", len(rr.Domain), " domain rule(s)")
+		cond, err := NewDomainMatcher(rr.Domain)
+		if err != nil {
+			return nil, err
 		}
-		conds.Add(matcher)
-		rr.Domain = nil
-		runtime.GC()
+		conds.Add(cond)
 	}

 	if len(rr.Process) > 0 {
@@ -188,20 +163,3 @@ func (br *BalancingRule) Build(ohm outbound.Manager, dispatcher routing.Dispatch
 		return nil, errors.New("unrecognized balancer type")
 	}
 }
-
-func GetDomainMatcherWithRuleTag(domainMatcherPath string, ruleTag string) (*DomainMatcher, error) {
-	f, err := filesystem.NewFileReader(domainMatcherPath)
-	if err != nil {
-		return nil, errors.New("failed to load file: ", domainMatcherPath).Base(err)
-	}
-	defer f.Close()
-
-	g, err := LoadGeoSiteMatcher(f, ruleTag)
-	if err != nil {
-		return nil, errors.New("failed to load file:", domainMatcherPath).Base(err)
-	}
-	return &DomainMatcher{
-		Matchers: g,
-	}, nil
-
-}
--- a/app/router/config.pb.go
+++ b/app/router/config.pb.go
--- a/app/router/config.proto
+++ b/app/router/config.proto
@@ -9,67 +9,7 @@ option java_multiple_files = true;
 import "common/serial/typed_message.proto";
 import "common/net/port.proto";
 import "common/net/network.proto";
-
-// Domain for routing decision.
-message Domain {
-  // Type of domain value.
-  enum Type {
-    // The value is used as is.
-    Plain = 0;
-    // The value is used as a regular expression.
-    Regex = 1;
-    // The value is a root domain.
-    Domain = 2;
-    // The value is a domain.
-    Full = 3;
-  }
-
-  // Domain matching type.
-  Type type = 1;
-
-  // Domain value.
-  string value = 2;
-
-  message Attribute {
-    string key = 1;
-
-    oneof typed_value {
-      bool bool_value = 2;
-      int64 int_value = 3;
-    }
-  }
-
-  // Attributes of this domain. May be used for filtering.
-  repeated Attribute attribute = 3;
-}
-
-// IP for routing decision, in CIDR form.
-message CIDR {
-  // IP address, should be either 4 or 16 bytes.
-  bytes ip = 1;
-
-  // Number of leading ones in the network mask.
-  uint32 prefix = 2;
-}
-
-message GeoIP {
-  string country_code = 1;
-  repeated CIDR cidr = 2;
-  bool reverse_match = 3;
-}
-
-message GeoIPList {
-  repeated GeoIP entry = 1;
-}
-
-message GeoSite {
-  string country_code = 1;
-  repeated Domain domain = 2;
-}
-
-message GeoSiteList {
-  repeated GeoSite entry = 1;
-}
+import "common/geodata/geodat.proto";

 message RoutingRule {
  oneof target_tag {
@@ -79,26 +19,23 @@ message RoutingRule {
    // Tag of routing balancer.
    string balancing_tag = 12;
  }
-    string rule_tag = 19;
+
+  string rule_tag = 19;

  // List of domains for target domain matching.
-  repeated Domain domain = 2;
+  repeated xray.common.geodata.DomainRule domain = 2;

-  // List of GeoIPs for target IP address matching. If this entry exists, the
-  // cidr above will have no effect. GeoIP fields with the same country code are
-  // supposed to contain exactly same content. They will be merged during
-  // runtime. For customized GeoIPs, please leave country code empty.
-  repeated GeoIP geoip = 10;
+  // List of IPs for target IP address matching.
+  repeated xray.common.geodata.IPRule ip = 10;

-  // List of ports.
+  // List of ports for target port matching.
  xray.common.net.PortList port_list = 14;

  // List of networks for matching.
  repeated xray.common.net.Network networks = 13;

-  // List of GeoIPs for source IP address matching. If this entry exists, the
-  // source_cidr above will have no effect.
-  repeated GeoIP source_geoip = 11;
+  // List of IPs for source IP address matching.
+  repeated xray.common.geodata.IPRule source_ip = 11;

  // List of ports for source port matching.
  xray.common.net.PortList source_port_list = 16;
@@ -109,11 +46,22 @@ message RoutingRule {

  map<string, string> attributes = 15;

-  repeated GeoIP local_geoip = 17;
+  // List of IPs for local IP address matching.
+  repeated xray.common.geodata.IPRule local_ip = 17;
+
+  // List of ports for local port matching.
  xray.common.net.PortList local_port_list = 18;

  xray.common.net.PortList vless_route_list = 20;
+
  repeated string process = 21;
+  WebhookConfig webhook = 22;
+}
+
+message WebhookConfig {
+  string url = 1;
+  uint32 deduplication = 2;
+  map<string, string> headers = 3;
 }

 message BalancingRule {
@@ -148,8 +96,7 @@ message Config {
    // Use domain as is.
    AsIs = 0;

-    // [Deprecated] Always resolve IP for domains.
-    // UseIp = 1;
+    reserved 1;

    // Resolve to IP if the domain doesn't match any rules.
    IpIfNonMatch = 2;
--- a/app/router/geosite_compact.go
+++ b/app/router/geosite_compact.go
@@ -1,100 +0,0 @@
-package router
-
-import (
-	"encoding/gob"
-	"errors"
-	"io"
-	"runtime"
-
-	"github.com/xtls/xray-core/common/strmatcher"
-)
-
-type geoSiteListGob struct {
-	Sites map[string][]byte
-	Deps  map[string][]string
-	Hosts map[string][]string
-}
-
-func SerializeGeoSiteList(sites []*GeoSite, deps map[string][]string, hosts map[string][]string, w io.Writer) error {
-	data := geoSiteListGob{
-		Sites: make(map[string][]byte),
-		Deps:  deps,
-		Hosts: hosts,
-	}
-
-	for _, site := range sites {
-		if site == nil {
-			continue
-		}
-		var buf bytesWriter
-		if err := SerializeDomainMatcher(site.Domain, &buf); err != nil {
-			return err
-		}
-		data.Sites[site.CountryCode] = buf.Bytes()
-	}
-
-	return gob.NewEncoder(w).Encode(data)
-}
-
-type bytesWriter struct {
-	data []byte
-}
-
-func (w *bytesWriter) Write(p []byte) (n int, err error) {
-	w.data = append(w.data, p...)
-	return len(p), nil
-}
-
-func (w *bytesWriter) Bytes() []byte {
-	return w.data
-}
-
-func LoadGeoSiteMatcher(r io.Reader, countryCode string) (strmatcher.IndexMatcher, error) {
-	var data geoSiteListGob
-	if err := gob.NewDecoder(r).Decode(&data); err != nil {
-		return nil, err
-	}
-
-	return loadWithDeps(&data, countryCode, make(map[string]bool))
-}
-
-func loadWithDeps(data *geoSiteListGob, code string, visited map[string]bool) (strmatcher.IndexMatcher, error) {
-	if visited[code] {
-		return nil, errors.New("cyclic dependency")
-	}
-	visited[code] = true
-
-	var matchers []strmatcher.IndexMatcher
-
-	if siteData, ok := data.Sites[code]; ok {
-		m, err := NewDomainMatcherFromBuffer(siteData)
-		if err == nil {
-			matchers = append(matchers, m)
-		}
-	}
-
-	if deps, ok := data.Deps[code]; ok {
-		for _, dep := range deps {
-			m, err := loadWithDeps(data, dep, visited)
-			if err == nil {
-				matchers = append(matchers, m)
-			}
-		}
-	}
-
-	if len(matchers) == 0 {
-		return nil, errors.New("matcher not found for: " + code)
-	}
-	if len(matchers) == 1 {
-		return matchers[0], nil
-	}
-	runtime.GC()
-	return &strmatcher.IndexMatcherGroup{Matchers: matchers}, nil
-}
-func LoadGeoSiteHosts(r io.Reader) (map[string][]string, error) {
-	var data geoSiteListGob
-	if err := gob.NewDecoder(r).Decode(&data); err != nil {
-		return nil, err
-	}
-	return data.Hosts, nil
-}
--- a/app/router/router.go
+++ b/app/router/router.go
@@ -57,6 +57,7 @@ func (r *Router) Init(ctx context.Context, config *Config, d dns.Client, ohm out
 	for _, rule := range config.Rule {
 		cond, err := rule.BuildCondition()
 		if err != nil {
+			r.closeWebhooks()
 			return err
 		}
 		rr := &Rule{
@@ -64,10 +65,22 @@ func (r *Router) Init(ctx context.Context, config *Config, d dns.Client, ohm out
 			Tag:       rule.GetTag(),
 			RuleTag:   rule.GetRuleTag(),
 		}
+		if wh := rule.GetWebhook(); wh != nil {
+			notifier, err := NewWebhookNotifier(wh)
+			if err != nil {
+				r.closeWebhooks()
+				return err
+			}
+			rr.Webhook = notifier
+		}
 		btag := rule.GetBalancingTag()
 		if len(btag) > 0 {
 			brule, found := r.balancers[btag]
 			if !found {
+				if rr.Webhook != nil {
+					rr.Webhook.Close()
+				}
+				r.closeWebhooks()
 				return errors.New("balancer ", btag, " not found")
 			}
 			rr.Balancer = brule
@@ -80,6 +93,7 @@ func (r *Router) Init(ctx context.Context, config *Config, d dns.Client, ohm out

 // PickRoute implements routing.Router.
 func (r *Router) PickRoute(ctx routing.Context) (routing.Route, error) {
+	originalCtx := ctx
 	rule, ctx, err := r.pickRouteInternal(ctx)
 	if err != nil {
 		return nil, err
@@ -88,6 +102,9 @@ func (r *Router) PickRoute(ctx routing.Context) (routing.Route, error) {
 	if err != nil {
 		return nil, err
 	}
+	if rule.Webhook != nil {
+		rule.Webhook.Fire(originalCtx, tag)
+	}
 	return &Route{Context: ctx, outboundTag: tag, ruleTag: rule.RuleTag}, nil
 }

@@ -109,6 +126,11 @@ func (r *Router) ReloadRules(config *Config, shouldAppend bool) error {
 	defer r.mu.Unlock()

 	if !shouldAppend {
+		for _, rule := range r.rules {
+			if rule.Webhook != nil {
+				rule.Webhook.Close()
+			}
+		}
 		r.balancers = make(map[string]*Balancer, len(config.BalancingRule))
 		r.rules = make([]*Rule, 0, len(config.Rule))
 	}
@@ -125,12 +147,24 @@ func (r *Router) ReloadRules(config *Config, shouldAppend bool) error {
 		r.balancers[rule.Tag] = balancer
 	}

+	startIdx := len(r.rules)
+	closeNewWebhooks := func() {
+		for i := startIdx; i < len(r.rules); i++ {
+			if r.rules[i].Webhook != nil {
+				r.rules[i].Webhook.Close()
+			}
+		}
+		r.rules = r.rules[:startIdx]
+	}
+
 	for _, rule := range config.Rule {
 		if r.RuleExists(rule.GetRuleTag()) {
+			closeNewWebhooks()
 			return errors.New("duplicate ruleTag ", rule.GetRuleTag())
 		}
 		cond, err := rule.BuildCondition()
 		if err != nil {
+			closeNewWebhooks()
 			return err
 		}
 		rr := &Rule{
@@ -138,10 +172,22 @@ func (r *Router) ReloadRules(config *Config, shouldAppend bool) error {
 			Tag:       rule.GetTag(),
 			RuleTag:   rule.GetRuleTag(),
 		}
+		if wh := rule.GetWebhook(); wh != nil {
+			notifier, err := NewWebhookNotifier(wh)
+			if err != nil {
+				closeNewWebhooks()
+				return err
+			}
+			rr.Webhook = notifier
+		}
 		btag := rule.GetBalancingTag()
 		if len(btag) > 0 {
 			brule, found := r.balancers[btag]
 			if !found {
+				if rr.Webhook != nil {
+					rr.Webhook.Close()
+				}
+				closeNewWebhooks()
 				return errors.New("balancer ", btag, " not found")
 			}
 			rr.Balancer = brule
@@ -173,6 +219,8 @@ func (r *Router) RemoveRule(tag string) error {
 		for _, rule := range r.rules {
 			if rule.RuleTag != tag {
 				newRules = append(newRules, rule)
+			} else if rule.Webhook != nil {
+				rule.Webhook.Close()
 			}
 		}
 		r.rules = newRules
@@ -233,8 +281,20 @@ func (r *Router) Start() error {
 	return nil
 }

+// closeWebhooks closes all webhook notifiers in the current rule set.
+func (r *Router) closeWebhooks() {
+	for _, rule := range r.rules {
+		if rule.Webhook != nil {
+			rule.Webhook.Close()
+		}
+	}
+}
+
 // Close implements common.Closable.
 func (r *Router) Close() error {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	r.closeWebhooks()
 	return nil
 }

--- a/app/router/router_test.go
+++ b/app/router/router_test.go
@@ -7,6 +7,7 @@ import (
 	"github.com/golang/mock/gomock"
 	. "github.com/xtls/xray-core/app/router"
 	"github.com/xtls/xray-core/common"
+	"github.com/xtls/xray-core/common/geodata"
 	"github.com/xtls/xray-core/common/net"
 	"github.com/xtls/xray-core/common/session"
 	"github.com/xtls/xray-core/features/dns"
@@ -155,12 +156,11 @@ func TestIPOnDemand(t *testing.T) {
 				TargetTag: &RoutingRule_Tag{
 					Tag: "test",
 				},
-				Geoip: []*GeoIP{
+				Ip: []*geodata.IPRule{
 					{
-						Cidr: []*CIDR{
-							{
-								Ip:     []byte{192, 168, 0, 0},
-								Prefix: 16,
+						Value: &geodata.IPRule_Custom{
+							Custom: &geodata.CIDRRule{
+								Cidr: &geodata.CIDR{Ip: []byte{192, 168, 0, 0}, Prefix: 16},
 							},
 						},
 					},
@@ -200,12 +200,11 @@ func TestIPIfNonMatchDomain(t *testing.T) {
 				TargetTag: &RoutingRule_Tag{
 					Tag: "test",
 				},
-				Geoip: []*GeoIP{
+				Ip: []*geodata.IPRule{
 					{
-						Cidr: []*CIDR{
-							{
-								Ip:     []byte{192, 168, 0, 0},
-								Prefix: 16,
+						Value: &geodata.IPRule_Custom{
+							Custom: &geodata.CIDRRule{
+								Cidr: &geodata.CIDR{Ip: []byte{192, 168, 0, 0}, Prefix: 16},
 							},
 						},
 					},
@@ -245,12 +244,11 @@ func TestIPIfNonMatchIP(t *testing.T) {
 				TargetTag: &RoutingRule_Tag{
 					Tag: "test",
 				},
-				Geoip: []*GeoIP{
+				Ip: []*geodata.IPRule{
 					{
-						Cidr: []*CIDR{
-							{
-								Ip:     []byte{127, 0, 0, 0},
-								Prefix: 8,
+						Value: &geodata.IPRule_Custom{
+							Custom: &geodata.CIDRRule{
+								Cidr: &geodata.CIDR{Ip: []byte{127, 0, 0, 0}, Prefix: 8},
 							},
 						},
 					},
--- a/app/router/webhook.go
+++ b/app/router/webhook.go
@@ -0,0 +1,287 @@
+package router
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"io"
+	"net"
+	"net/http"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"sync"
+	"syscall"
+	"time"
+
+	"github.com/xtls/xray-core/common/errors"
+	"github.com/xtls/xray-core/features/routing"
+	routing_session "github.com/xtls/xray-core/features/routing/session"
+)
+
+// parseURL splits a webhook URL into an HTTP URL and an optional Unix socket
+// path. For regular http/https URLs the input is returned unchanged with an
+// empty socketPath. For Unix sockets the format is:
+//
+//	/path/to/socket.sock:/http/path
+//	@abstract:/http/path
+//	@@padded:/http/path
+//
+// The :/ separator after the socket path delimits the HTTP request path.
+// If omitted, "/" is used.
+func parseURL(raw string) (httpURL, socketPath string) {
+	if len(raw) == 0 || (!filepath.IsAbs(raw) && raw[0] != '@') {
+		return raw, ""
+	}
+	if idx := strings.Index(raw, ":/"); idx >= 0 {
+		return "http://localhost" + raw[idx+1:], raw[:idx]
+	}
+	return "http://localhost/", raw
+}
+
+// resolveSocketPath applies platform-specific transformations to a Unix
+// socket path, matching the behaviour of the listen side in
+// transport/internet/system_listener.go.
+//
+// For abstract sockets (prefix @) on Linux/Android:
+//   - single @ — used as-is (lock-free abstract socket)
+//   - double @@ — stripped to single @ and padded to
+//     syscall.RawSockaddrUnix{}.Path length (HAProxy compat)
+func resolveSocketPath(path string) string {
+	if len(path) == 0 || path[0] != '@' {
+		return path
+	}
+	if runtime.GOOS != "linux" && runtime.GOOS != "android" {
+		return path
+	}
+	if len(path) > 1 && path[1] == '@' {
+		fullAddr := make([]byte, len(syscall.RawSockaddrUnix{}.Path))
+		copy(fullAddr, path[1:])
+		return string(fullAddr)
+	}
+	return path
+}
+
+func ptr[T any](v T) *T { return &v }
+
+type event struct {
+	Email          *string `json:"email"`
+	Level          *uint32 `json:"level"`
+	Protocol       *string `json:"protocol"`
+	Network        *string `json:"network"`
+	Source         *string `json:"source"`
+	Destination    *string `json:"destination"`
+	OriginalTarget *string `json:"originalTarget"`
+	RouteTarget    *string `json:"routeTarget"`
+	InboundTag     *string `json:"inboundTag"`
+	InboundName    *string `json:"inboundName"`
+	InboundLocal   *string `json:"inboundLocal"`
+	OutboundTag    *string `json:"outboundTag"`
+	Timestamp      int64   `json:"ts"`
+}
+
+type WebhookNotifier struct {
+	url           string
+	headers       map[string]string
+	deduplication uint32
+	client        *http.Client
+	seen          sync.Map
+	done          chan struct{}
+	wg            sync.WaitGroup
+	closeOnce     sync.Once
+}
+
+func NewWebhookNotifier(cfg *WebhookConfig) (*WebhookNotifier, error) {
+	if cfg == nil || cfg.Url == "" {
+		return nil, nil
+	}
+
+	httpURL, socketPath := parseURL(cfg.Url)
+	h := &WebhookNotifier{
+		url:           httpURL,
+		deduplication: cfg.Deduplication,
+		client: &http.Client{
+			Timeout: 5 * time.Second,
+		},
+		done: make(chan struct{}),
+	}
+
+	if socketPath != "" {
+		dialAddr := resolveSocketPath(socketPath)
+		h.client.Transport = &http.Transport{
+			DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
+				var d net.Dialer
+				return d.DialContext(ctx, "unix", dialAddr)
+			},
+		}
+	}
+
+	if len(cfg.Headers) > 0 {
+		h.headers = make(map[string]string, len(cfg.Headers))
+		for k, v := range cfg.Headers {
+			h.headers[k] = v
+		}
+	}
+
+	if h.deduplication > 0 {
+		h.wg.Add(1)
+		go h.cleanupLoop()
+	}
+
+	return h, nil
+}
+
+func (h *WebhookNotifier) Fire(ctx routing.Context, outboundTag string) {
+	ev := buildEvent(ctx, outboundTag)
+
+	email := ""
+	if ev.Email != nil {
+		email = *ev.Email
+	}
+	if h.isDuplicate(email) {
+		return
+	}
+
+	h.wg.Add(1)
+	select {
+	case <-h.done:
+		h.wg.Done()
+		return
+	default:
+	}
+	go func() {
+		defer h.wg.Done()
+		h.post(ev)
+	}()
+}
+
+func buildEvent(ctx routing.Context, outboundTag string) *event {
+	ev := &event{
+		Timestamp:   time.Now().Unix(),
+		OutboundTag: ptr(outboundTag),
+		InboundTag:  ptr(ctx.GetInboundTag()),
+		Protocol:    ptr(ctx.GetProtocol()),
+		Network:     ptr(ctx.GetNetwork().SystemString()),
+	}
+
+	if user := ctx.GetUser(); user != "" {
+		ev.Email = ptr(user)
+	}
+
+	if srcIPs := ctx.GetSourceIPs(); len(srcIPs) > 0 {
+		srcPort := ctx.GetSourcePort()
+		ev.Source = ptr(net.JoinHostPort(srcIPs[0].String(), srcPort.String()))
+	}
+
+	targetPort := ctx.GetTargetPort()
+	if domain := ctx.GetTargetDomain(); domain != "" {
+		ev.Destination = ptr(net.JoinHostPort(domain, targetPort.String()))
+	} else if targetIPs := ctx.GetTargetIPs(); len(targetIPs) > 0 {
+		ev.Destination = ptr(net.JoinHostPort(targetIPs[0].String(), targetPort.String()))
+	}
+
+	if localIPs := ctx.GetLocalIPs(); len(localIPs) > 0 {
+		localPort := ctx.GetLocalPort()
+		ev.InboundLocal = ptr(net.JoinHostPort(localIPs[0].String(), localPort.String()))
+	}
+
+	if sctx, ok := ctx.(*routing_session.Context); ok {
+		enrichFromSession(ev, sctx)
+	}
+
+	return ev
+}
+
+func enrichFromSession(ev *event, sctx *routing_session.Context) {
+	if sctx.Inbound != nil {
+		ev.InboundName = ptr(sctx.Inbound.Name)
+		if sctx.Inbound.User != nil {
+			ev.Level = ptr(sctx.Inbound.User.Level)
+		}
+	}
+	if sctx.Outbound != nil {
+		if sctx.Outbound.OriginalTarget.Address != nil {
+			ev.OriginalTarget = ptr(sctx.Outbound.OriginalTarget.String())
+		}
+		if sctx.Outbound.RouteTarget.Address != nil {
+			ev.RouteTarget = ptr(sctx.Outbound.RouteTarget.String())
+		}
+	}
+}
+
+func (h *WebhookNotifier) post(ev *event) {
+	body, err := json.Marshal(ev)
+	if err != nil {
+		errors.LogWarning(context.Background(), "webhook: marshal failed: ", err)
+		return
+	}
+
+	req, err := http.NewRequestWithContext(context.Background(), http.MethodPost, h.url, bytes.NewReader(body))
+	if err != nil {
+		errors.LogWarning(context.Background(), "webhook: request build failed: ", err)
+		return
+	}
+	req.Header.Set("Content-Type", "application/json")
+
+	for k, v := range h.headers {
+		req.Header.Set(k, v)
+	}
+
+	resp, err := h.client.Do(req)
+	if err != nil {
+		errors.LogInfo(context.Background(), "webhook: POST failed: ", err)
+		return
+	}
+	defer func() {
+		io.Copy(io.Discard, resp.Body)
+		resp.Body.Close()
+	}()
+	if resp.StatusCode >= 400 {
+		errors.LogWarning(context.Background(), "webhook: POST returned status ", resp.StatusCode)
+	}
+}
+
+func (h *WebhookNotifier) isDuplicate(email string) bool {
+	if h.deduplication == 0 || email == "" {
+		return false
+	}
+	ttl := time.Duration(h.deduplication) * time.Second
+	now := time.Now()
+	if v, loaded := h.seen.LoadOrStore(email, now); loaded {
+		if now.Sub(v.(time.Time)) < ttl {
+			return true
+		}
+		h.seen.Store(email, now)
+	}
+	return false
+}
+
+func (h *WebhookNotifier) cleanupLoop() {
+	defer h.wg.Done()
+	ttl := time.Duration(h.deduplication) * time.Second
+	ticker := time.NewTicker(ttl)
+	defer ticker.Stop()
+	for {
+		select {
+		case <-h.done:
+			return
+		case <-ticker.C:
+			now := time.Now()
+			h.seen.Range(func(key, value any) bool {
+				if now.Sub(value.(time.Time)) >= ttl {
+					h.seen.Delete(key)
+				}
+				return true
+			})
+		}
+	}
+}
+
+func (h *WebhookNotifier) Close() error {
+	h.closeOnce.Do(func() {
+		close(h.done)
+	})
+	h.wg.Wait()
+	h.client.CloseIdleConnections()
+	return nil
+}
--- a/app/stats/command/command.go
+++ b/app/stats/command/command.go
@@ -3,12 +3,10 @@ package command
 import (
 	"context"
 	"runtime"
+	"strings"
 	"time"

-	"github.com/xtls/xray-core/app/stats"
 	"github.com/xtls/xray-core/common"
-	"github.com/xtls/xray-core/common/errors"
-	"github.com/xtls/xray-core/common/strmatcher"
 	"github.com/xtls/xray-core/core"
 	feature_stats "github.com/xtls/xray-core/features/stats"
 	grpc "google.golang.org/grpc"
@@ -70,9 +68,10 @@ func (s *statsServer) GetStatsOnlineIpList(ctx context.Context, request *GetStat
 	}

 	ips := make(map[string]int64)
-	for ip, t := range c.IpTimeMap() {
-		ips[ip] = t.Unix()
-	}
+	c.ForEach(func(ip string, lastSeen int64) bool {
+		ips[ip] = lastSeen
+		return true
+	})

 	return &GetStatsOnlineIpListResponse{
 		Name: request.Name,
@@ -86,21 +85,87 @@ func (s *statsServer) GetAllOnlineUsers(ctx context.Context, request *GetAllOnli
 	}, nil
 }

-func (s *statsServer) QueryStats(ctx context.Context, request *QueryStatsRequest) (*QueryStatsResponse, error) {
-	matcher, err := strmatcher.Substr.New(request.Pattern)
-	if err != nil {
-		return nil, err
+func (s *statsServer) GetUsersStats(ctx context.Context, request *GetUsersStatsRequest) (*GetUsersStatsResponse, error) {
+	userMap := make(map[string]*UserStat)
+
+	s.stats.VisitOnlineMaps(func(name string, om feature_stats.OnlineMap) bool {
+		if om.Count() == 0 {
+			return true
+		}
+
+		_, rest, _ := strings.Cut(name, ">>>")
+		email, _, _ := strings.Cut(rest, ">>>")
+
+		user := &UserStat{Email: email}
+		om.ForEach(func(ip string, lastSeen int64) bool {
+			user.Ips = append(user.Ips, &OnlineIPEntry{
+				Ip:       ip,
+				LastSeen: lastSeen,
+			})
+			return true
+		})
+		if len(user.Ips) > 0 {
+			userMap[email] = user
+		}
+		return true
+	})
+
+	if request.IncludeTraffic {
+		for _, u := range userMap {
+			u.Traffic = &TrafficUserStat{}
+		}
+		const (
+			prefixUser     = "user>>>"
+			suffixUplink   = ">>>traffic>>>uplink"
+			suffixDownlink = ">>>traffic>>>downlink"
+		)
+		s.stats.VisitCounters(func(name string, c feature_stats.Counter) bool {
+			var email string
+			var isUplink bool
+
+			if strings.HasSuffix(name, suffixUplink) {
+				email = name[len(prefixUser) : len(name)-len(suffixUplink)]
+				isUplink = true
+			} else if strings.HasSuffix(name, suffixDownlink) {
+				email = name[len(prefixUser) : len(name)-len(suffixDownlink)]
+			} else {
+				return true
+			}
+
+			u, ok := userMap[email]
+			if !ok {
+				return true
+			}
+
+			var value int64
+			if request.Reset_ {
+				value = c.Set(0)
+			} else {
+				value = c.Value()
+			}
+
+			if isUplink {
+				u.Traffic.Uplink = value
+			} else {
+				u.Traffic.Downlink = value
+			}
+			return true
+		})
 	}

+	resp := &GetUsersStatsResponse{}
+	for _, u := range userMap {
+		resp.Users = append(resp.Users, u)
+	}
+
+	return resp, nil
+}
+
+func (s *statsServer) QueryStats(ctx context.Context, request *QueryStatsRequest) (*QueryStatsResponse, error) {
 	response := &QueryStatsResponse{}

-	manager, ok := s.stats.(*stats.Manager)
-	if !ok {
-		return nil, errors.New("QueryStats only works its own stats.Manager.")
-	}
-
-	manager.VisitCounters(func(name string, c feature_stats.Counter) bool {
-		if matcher.Match(name) {
+	s.stats.VisitCounters(func(name string, c feature_stats.Counter) bool {
+		if strings.Contains(name, request.Pattern) {
 			var value int64
 			if request.Reset_ {
 				value = c.Set(0)
--- a/app/stats/command/command.pb.go
+++ b/app/stats/command/command.pb.go
@@ -551,6 +551,266 @@ func (x *GetAllOnlineUsersResponse) GetUsers() []string {
 	return nil
 }

+type OnlineIPEntry struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Ip            string                 `protobuf:"bytes,1,opt,name=ip,proto3" json:"ip,omitempty"`
+	LastSeen      int64                  `protobuf:"varint,2,opt,name=last_seen,json=lastSeen,proto3" json:"last_seen,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *OnlineIPEntry) Reset() {
+	*x = OnlineIPEntry{}
+	mi := &file_app_stats_command_command_proto_msgTypes[10]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *OnlineIPEntry) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*OnlineIPEntry) ProtoMessage() {}
+
+func (x *OnlineIPEntry) ProtoReflect() protoreflect.Message {
+	mi := &file_app_stats_command_command_proto_msgTypes[10]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use OnlineIPEntry.ProtoReflect.Descriptor instead.
+func (*OnlineIPEntry) Descriptor() ([]byte, []int) {
+	return file_app_stats_command_command_proto_rawDescGZIP(), []int{10}
+}
+
+func (x *OnlineIPEntry) GetIp() string {
+	if x != nil {
+		return x.Ip
+	}
+	return ""
+}
+
+func (x *OnlineIPEntry) GetLastSeen() int64 {
+	if x != nil {
+		return x.LastSeen
+	}
+	return 0
+}
+
+type TrafficUserStat struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Uplink        int64                  `protobuf:"varint,1,opt,name=uplink,proto3" json:"uplink,omitempty"`
+	Downlink      int64                  `protobuf:"varint,2,opt,name=downlink,proto3" json:"downlink,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *TrafficUserStat) Reset() {
+	*x = TrafficUserStat{}
+	mi := &file_app_stats_command_command_proto_msgTypes[11]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *TrafficUserStat) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*TrafficUserStat) ProtoMessage() {}
+
+func (x *TrafficUserStat) ProtoReflect() protoreflect.Message {
+	mi := &file_app_stats_command_command_proto_msgTypes[11]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use TrafficUserStat.ProtoReflect.Descriptor instead.
+func (*TrafficUserStat) Descriptor() ([]byte, []int) {
+	return file_app_stats_command_command_proto_rawDescGZIP(), []int{11}
+}
+
+func (x *TrafficUserStat) GetUplink() int64 {
+	if x != nil {
+		return x.Uplink
+	}
+	return 0
+}
+
+func (x *TrafficUserStat) GetDownlink() int64 {
+	if x != nil {
+		return x.Downlink
+	}
+	return 0
+}
+
+type UserStat struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Email         string                 `protobuf:"bytes,1,opt,name=email,proto3" json:"email,omitempty"`
+	Ips           []*OnlineIPEntry       `protobuf:"bytes,2,rep,name=ips,proto3" json:"ips,omitempty"`
+	Traffic       *TrafficUserStat       `protobuf:"bytes,3,opt,name=traffic,proto3" json:"traffic,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *UserStat) Reset() {
+	*x = UserStat{}
+	mi := &file_app_stats_command_command_proto_msgTypes[12]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *UserStat) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*UserStat) ProtoMessage() {}
+
+func (x *UserStat) ProtoReflect() protoreflect.Message {
+	mi := &file_app_stats_command_command_proto_msgTypes[12]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use UserStat.ProtoReflect.Descriptor instead.
+func (*UserStat) Descriptor() ([]byte, []int) {
+	return file_app_stats_command_command_proto_rawDescGZIP(), []int{12}
+}
+
+func (x *UserStat) GetEmail() string {
+	if x != nil {
+		return x.Email
+	}
+	return ""
+}
+
+func (x *UserStat) GetIps() []*OnlineIPEntry {
+	if x != nil {
+		return x.Ips
+	}
+	return nil
+}
+
+func (x *UserStat) GetTraffic() *TrafficUserStat {
+	if x != nil {
+		return x.Traffic
+	}
+	return nil
+}
+
+type GetUsersStatsRequest struct {
+	state          protoimpl.MessageState `protogen:"open.v1"`
+	IncludeTraffic bool                   `protobuf:"varint,1,opt,name=include_traffic,json=includeTraffic,proto3" json:"include_traffic,omitempty"`
+	Reset_         bool                   `protobuf:"varint,2,opt,name=reset,proto3" json:"reset,omitempty"`
+	unknownFields  protoimpl.UnknownFields
+	sizeCache      protoimpl.SizeCache
+}
+
+func (x *GetUsersStatsRequest) Reset() {
+	*x = GetUsersStatsRequest{}
+	mi := &file_app_stats_command_command_proto_msgTypes[13]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *GetUsersStatsRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetUsersStatsRequest) ProtoMessage() {}
+
+func (x *GetUsersStatsRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_app_stats_command_command_proto_msgTypes[13]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetUsersStatsRequest.ProtoReflect.Descriptor instead.
+func (*GetUsersStatsRequest) Descriptor() ([]byte, []int) {
+	return file_app_stats_command_command_proto_rawDescGZIP(), []int{13}
+}
+
+func (x *GetUsersStatsRequest) GetIncludeTraffic() bool {
+	if x != nil {
+		return x.IncludeTraffic
+	}
+	return false
+}
+
+func (x *GetUsersStatsRequest) GetReset_() bool {
+	if x != nil {
+		return x.Reset_
+	}
+	return false
+}
+
+type GetUsersStatsResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Users         []*UserStat            `protobuf:"bytes,1,rep,name=users,proto3" json:"users,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *GetUsersStatsResponse) Reset() {
+	*x = GetUsersStatsResponse{}
+	mi := &file_app_stats_command_command_proto_msgTypes[14]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *GetUsersStatsResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetUsersStatsResponse) ProtoMessage() {}
+
+func (x *GetUsersStatsResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_app_stats_command_command_proto_msgTypes[14]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetUsersStatsResponse.ProtoReflect.Descriptor instead.
+func (*GetUsersStatsResponse) Descriptor() ([]byte, []int) {
+	return file_app_stats_command_command_proto_rawDescGZIP(), []int{14}
+}
+
+func (x *GetUsersStatsResponse) GetUsers() []*UserStat {
+	if x != nil {
+		return x.Users
+	}
+	return nil
+}
+
 type Config struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	unknownFields protoimpl.UnknownFields
@@ -559,7 +819,7 @@ type Config struct {

 func (x *Config) Reset() {
 	*x = Config{}
-	mi := &file_app_stats_command_command_proto_msgTypes[10]
+	mi := &file_app_stats_command_command_proto_msgTypes[15]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -571,7 +831,7 @@ func (x *Config) String() string {
 func (*Config) ProtoMessage() {}

 func (x *Config) ProtoReflect() protoreflect.Message {
-	mi := &file_app_stats_command_command_proto_msgTypes[10]
+	mi := &file_app_stats_command_command_proto_msgTypes[15]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -584,7 +844,7 @@ func (x *Config) ProtoReflect() protoreflect.Message {

 // Deprecated: Use Config.ProtoReflect.Descriptor instead.
 func (*Config) Descriptor() ([]byte, []int) {
-	return file_app_stats_command_command_proto_rawDescGZIP(), []int{10}
+	return file_app_stats_command_command_proto_rawDescGZIP(), []int{15}
 }

 var File_app_stats_command_command_proto protoreflect.FileDescriptor
@@ -628,8 +888,23 @@ const file_app_stats_command_command_proto_rawDesc = "" +
 	"\x05value\x18\x02 \x01(\x03R\x05value:\x028\x01\"\x1a\n" +
 	"\x18GetAllOnlineUsersRequest\"1\n" +
 	"\x19GetAllOnlineUsersResponse\x12\x14\n" +
-	"\x05users\x18\x01 \x03(\tR\x05users\"\b\n" +
-	"\x06Config2\x96\x05\n" +
+	"\x05users\x18\x01 \x03(\tR\x05users\"<\n" +
+	"\rOnlineIPEntry\x12\x0e\n" +
+	"\x02ip\x18\x01 \x01(\tR\x02ip\x12\x1b\n" +
+	"\tlast_seen\x18\x02 \x01(\x03R\blastSeen\"E\n" +
+	"\x0fTrafficUserStat\x12\x16\n" +
+	"\x06uplink\x18\x01 \x01(\x03R\x06uplink\x12\x1a\n" +
+	"\bdownlink\x18\x02 \x01(\x03R\bdownlink\"\x9c\x01\n" +
+	"\bUserStat\x12\x14\n" +
+	"\x05email\x18\x01 \x01(\tR\x05email\x127\n" +
+	"\x03ips\x18\x02 \x03(\v2%.xray.app.stats.command.OnlineIPEntryR\x03ips\x12A\n" +
+	"\atraffic\x18\x03 \x01(\v2'.xray.app.stats.command.TrafficUserStatR\atraffic\"U\n" +
+	"\x14GetUsersStatsRequest\x12'\n" +
+	"\x0finclude_traffic\x18\x01 \x01(\bR\x0eincludeTraffic\x12\x14\n" +
+	"\x05reset\x18\x02 \x01(\bR\x05reset\"O\n" +
+	"\x15GetUsersStatsResponse\x126\n" +
+	"\x05users\x18\x01 \x03(\v2 .xray.app.stats.command.UserStatR\x05users\"\b\n" +
+	"\x06Config2\x86\x06\n" +
 	"\fStatsService\x12_\n" +
 	"\bGetStats\x12'.xray.app.stats.command.GetStatsRequest\x1a(.xray.app.stats.command.GetStatsResponse\"\x00\x12e\n" +
 	"\x0eGetStatsOnline\x12'.xray.app.stats.command.GetStatsRequest\x1a(.xray.app.stats.command.GetStatsResponse\"\x00\x12e\n" +
@@ -637,7 +912,8 @@ const file_app_stats_command_command_proto_rawDesc = "" +
 	"QueryStats\x12).xray.app.stats.command.QueryStatsRequest\x1a*.xray.app.stats.command.QueryStatsResponse\"\x00\x12b\n" +
 	"\vGetSysStats\x12'.xray.app.stats.command.SysStatsRequest\x1a(.xray.app.stats.command.SysStatsResponse\"\x00\x12w\n" +
 	"\x14GetStatsOnlineIpList\x12'.xray.app.stats.command.GetStatsRequest\x1a4.xray.app.stats.command.GetStatsOnlineIpListResponse\"\x00\x12z\n" +
-	"\x11GetAllOnlineUsers\x120.xray.app.stats.command.GetAllOnlineUsersRequest\x1a1.xray.app.stats.command.GetAllOnlineUsersResponse\"\x00Bd\n" +
+	"\x11GetAllOnlineUsers\x120.xray.app.stats.command.GetAllOnlineUsersRequest\x1a1.xray.app.stats.command.GetAllOnlineUsersResponse\"\x00\x12n\n" +
+	"\rGetUsersStats\x12,.xray.app.stats.command.GetUsersStatsRequest\x1a-.xray.app.stats.command.GetUsersStatsResponse\"\x00Bd\n" +
 	"\x1acom.xray.app.stats.commandP\x01Z+github.com/xtls/xray-core/app/stats/command\xaa\x02\x16Xray.App.Stats.Commandb\x06proto3"

 var (
@@ -652,7 +928,7 @@ func file_app_stats_command_command_proto_rawDescGZIP() []byte {
 	return file_app_stats_command_command_proto_rawDescData
 }

-var file_app_stats_command_command_proto_msgTypes = make([]protoimpl.MessageInfo, 12)
+var file_app_stats_command_command_proto_msgTypes = make([]protoimpl.MessageInfo, 17)
 var file_app_stats_command_command_proto_goTypes = []any{
 	(*GetStatsRequest)(nil),              // 0: xray.app.stats.command.GetStatsRequest
 	(*Stat)(nil),                         // 1: xray.app.stats.command.Stat
@@ -664,30 +940,40 @@ var file_app_stats_command_command_proto_goTypes = []any{
 	(*GetStatsOnlineIpListResponse)(nil), // 7: xray.app.stats.command.GetStatsOnlineIpListResponse
 	(*GetAllOnlineUsersRequest)(nil),     // 8: xray.app.stats.command.GetAllOnlineUsersRequest
 	(*GetAllOnlineUsersResponse)(nil),    // 9: xray.app.stats.command.GetAllOnlineUsersResponse
-	(*Config)(nil),                       // 10: xray.app.stats.command.Config
-	nil,                                  // 11: xray.app.stats.command.GetStatsOnlineIpListResponse.IpsEntry
+	(*OnlineIPEntry)(nil),                // 10: xray.app.stats.command.OnlineIPEntry
+	(*TrafficUserStat)(nil),              // 11: xray.app.stats.command.TrafficUserStat
+	(*UserStat)(nil),                     // 12: xray.app.stats.command.UserStat
+	(*GetUsersStatsRequest)(nil),         // 13: xray.app.stats.command.GetUsersStatsRequest
+	(*GetUsersStatsResponse)(nil),        // 14: xray.app.stats.command.GetUsersStatsResponse
+	(*Config)(nil),                       // 15: xray.app.stats.command.Config
+	nil,                                  // 16: xray.app.stats.command.GetStatsOnlineIpListResponse.IpsEntry
 }
 var file_app_stats_command_command_proto_depIdxs = []int32{
 	1,  // 0: xray.app.stats.command.GetStatsResponse.stat:type_name -> xray.app.stats.command.Stat
 	1,  // 1: xray.app.stats.command.QueryStatsResponse.stat:type_name -> xray.app.stats.command.Stat
-	11, // 2: xray.app.stats.command.GetStatsOnlineIpListResponse.ips:type_name -> xray.app.stats.command.GetStatsOnlineIpListResponse.IpsEntry
-	0,  // 3: xray.app.stats.command.StatsService.GetStats:input_type -> xray.app.stats.command.GetStatsRequest
-	0,  // 4: xray.app.stats.command.StatsService.GetStatsOnline:input_type -> xray.app.stats.command.GetStatsRequest
-	3,  // 5: xray.app.stats.command.StatsService.QueryStats:input_type -> xray.app.stats.command.QueryStatsRequest
-	5,  // 6: xray.app.stats.command.StatsService.GetSysStats:input_type -> xray.app.stats.command.SysStatsRequest
-	0,  // 7: xray.app.stats.command.StatsService.GetStatsOnlineIpList:input_type -> xray.app.stats.command.GetStatsRequest
-	8,  // 8: xray.app.stats.command.StatsService.GetAllOnlineUsers:input_type -> xray.app.stats.command.GetAllOnlineUsersRequest
-	2,  // 9: xray.app.stats.command.StatsService.GetStats:output_type -> xray.app.stats.command.GetStatsResponse
-	2,  // 10: xray.app.stats.command.StatsService.GetStatsOnline:output_type -> xray.app.stats.command.GetStatsResponse
-	4,  // 11: xray.app.stats.command.StatsService.QueryStats:output_type -> xray.app.stats.command.QueryStatsResponse
-	6,  // 12: xray.app.stats.command.StatsService.GetSysStats:output_type -> xray.app.stats.command.SysStatsResponse
-	7,  // 13: xray.app.stats.command.StatsService.GetStatsOnlineIpList:output_type -> xray.app.stats.command.GetStatsOnlineIpListResponse
-	9,  // 14: xray.app.stats.command.StatsService.GetAllOnlineUsers:output_type -> xray.app.stats.command.GetAllOnlineUsersResponse
-	9,  // [9:15] is the sub-list for method output_type
-	3,  // [3:9] is the sub-list for method input_type
-	3,  // [3:3] is the sub-list for extension type_name
-	3,  // [3:3] is the sub-list for extension extendee
-	0,  // [0:3] is the sub-list for field type_name
+	16, // 2: xray.app.stats.command.GetStatsOnlineIpListResponse.ips:type_name -> xray.app.stats.command.GetStatsOnlineIpListResponse.IpsEntry
+	10, // 3: xray.app.stats.command.UserStat.ips:type_name -> xray.app.stats.command.OnlineIPEntry
+	11, // 4: xray.app.stats.command.UserStat.traffic:type_name -> xray.app.stats.command.TrafficUserStat
+	12, // 5: xray.app.stats.command.GetUsersStatsResponse.users:type_name -> xray.app.stats.command.UserStat
+	0,  // 6: xray.app.stats.command.StatsService.GetStats:input_type -> xray.app.stats.command.GetStatsRequest
+	0,  // 7: xray.app.stats.command.StatsService.GetStatsOnline:input_type -> xray.app.stats.command.GetStatsRequest
+	3,  // 8: xray.app.stats.command.StatsService.QueryStats:input_type -> xray.app.stats.command.QueryStatsRequest
+	5,  // 9: xray.app.stats.command.StatsService.GetSysStats:input_type -> xray.app.stats.command.SysStatsRequest
+	0,  // 10: xray.app.stats.command.StatsService.GetStatsOnlineIpList:input_type -> xray.app.stats.command.GetStatsRequest
+	8,  // 11: xray.app.stats.command.StatsService.GetAllOnlineUsers:input_type -> xray.app.stats.command.GetAllOnlineUsersRequest
+	13, // 12: xray.app.stats.command.StatsService.GetUsersStats:input_type -> xray.app.stats.command.GetUsersStatsRequest
+	2,  // 13: xray.app.stats.command.StatsService.GetStats:output_type -> xray.app.stats.command.GetStatsResponse
+	2,  // 14: xray.app.stats.command.StatsService.GetStatsOnline:output_type -> xray.app.stats.command.GetStatsResponse
+	4,  // 15: xray.app.stats.command.StatsService.QueryStats:output_type -> xray.app.stats.command.QueryStatsResponse
+	6,  // 16: xray.app.stats.command.StatsService.GetSysStats:output_type -> xray.app.stats.command.SysStatsResponse
+	7,  // 17: xray.app.stats.command.StatsService.GetStatsOnlineIpList:output_type -> xray.app.stats.command.GetStatsOnlineIpListResponse
+	9,  // 18: xray.app.stats.command.StatsService.GetAllOnlineUsers:output_type -> xray.app.stats.command.GetAllOnlineUsersResponse
+	14, // 19: xray.app.stats.command.StatsService.GetUsersStats:output_type -> xray.app.stats.command.GetUsersStatsResponse
+	13, // [13:20] is the sub-list for method output_type
+	6,  // [6:13] is the sub-list for method input_type
+	6,  // [6:6] is the sub-list for extension type_name
+	6,  // [6:6] is the sub-list for extension extendee
+	0,  // [0:6] is the sub-list for field type_name
 }

 func init() { file_app_stats_command_command_proto_init() }
@@ -701,7 +987,7 @@ func file_app_stats_command_command_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_app_stats_command_command_proto_rawDesc), len(file_app_stats_command_command_proto_rawDesc)),
 			NumEnums:      0,
-			NumMessages:   12,
+			NumMessages:   17,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
--- a/app/stats/command/command.proto
+++ b/app/stats/command/command.proto
@@ -57,6 +57,31 @@ message GetAllOnlineUsersResponse {
  repeated string users = 1;
 }

+message OnlineIPEntry {
+  string ip = 1;
+  int64 last_seen = 2;
+}
+
+message TrafficUserStat {
+  int64 uplink = 1;
+  int64 downlink = 2;
+}
+
+message UserStat {
+  string email = 1;
+  repeated OnlineIPEntry ips = 2;
+  TrafficUserStat traffic = 3;
+}
+
+message GetUsersStatsRequest {
+  bool include_traffic = 1;
+  bool reset = 2;
+}
+
+message GetUsersStatsResponse {
+  repeated UserStat users = 1;
+}
+
 service StatsService {
  rpc GetStats(GetStatsRequest) returns (GetStatsResponse) {}
  rpc GetStatsOnline(GetStatsRequest) returns (GetStatsResponse) {}
@@ -64,6 +89,7 @@ service StatsService {
  rpc GetSysStats(SysStatsRequest) returns (SysStatsResponse) {}
  rpc GetStatsOnlineIpList(GetStatsRequest) returns (GetStatsOnlineIpListResponse) {}
  rpc GetAllOnlineUsers(GetAllOnlineUsersRequest) returns (GetAllOnlineUsersResponse) {}
+  rpc GetUsersStats(GetUsersStatsRequest) returns (GetUsersStatsResponse) {}
 }

 message Config {}
--- a/app/stats/command/command_grpc.pb.go
+++ b/app/stats/command/command_grpc.pb.go
@@ -25,6 +25,7 @@ const (
 	StatsService_GetSysStats_FullMethodName          = "/xray.app.stats.command.StatsService/GetSysStats"
 	StatsService_GetStatsOnlineIpList_FullMethodName = "/xray.app.stats.command.StatsService/GetStatsOnlineIpList"
 	StatsService_GetAllOnlineUsers_FullMethodName    = "/xray.app.stats.command.StatsService/GetAllOnlineUsers"
+	StatsService_GetUsersStats_FullMethodName        = "/xray.app.stats.command.StatsService/GetUsersStats"
 )

 // StatsServiceClient is the client API for StatsService service.
@@ -37,6 +38,7 @@ type StatsServiceClient interface {
 	GetSysStats(ctx context.Context, in *SysStatsRequest, opts ...grpc.CallOption) (*SysStatsResponse, error)
 	GetStatsOnlineIpList(ctx context.Context, in *GetStatsRequest, opts ...grpc.CallOption) (*GetStatsOnlineIpListResponse, error)
 	GetAllOnlineUsers(ctx context.Context, in *GetAllOnlineUsersRequest, opts ...grpc.CallOption) (*GetAllOnlineUsersResponse, error)
+	GetUsersStats(ctx context.Context, in *GetUsersStatsRequest, opts ...grpc.CallOption) (*GetUsersStatsResponse, error)
 }

 type statsServiceClient struct {
@@ -107,6 +109,16 @@ func (c *statsServiceClient) GetAllOnlineUsers(ctx context.Context, in *GetAllOn
 	return out, nil
 }

+func (c *statsServiceClient) GetUsersStats(ctx context.Context, in *GetUsersStatsRequest, opts ...grpc.CallOption) (*GetUsersStatsResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(GetUsersStatsResponse)
+	err := c.cc.Invoke(ctx, StatsService_GetUsersStats_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // StatsServiceServer is the server API for StatsService service.
 // All implementations must embed UnimplementedStatsServiceServer
 // for forward compatibility.
@@ -117,6 +129,7 @@ type StatsServiceServer interface {
 	GetSysStats(context.Context, *SysStatsRequest) (*SysStatsResponse, error)
 	GetStatsOnlineIpList(context.Context, *GetStatsRequest) (*GetStatsOnlineIpListResponse, error)
 	GetAllOnlineUsers(context.Context, *GetAllOnlineUsersRequest) (*GetAllOnlineUsersResponse, error)
+	GetUsersStats(context.Context, *GetUsersStatsRequest) (*GetUsersStatsResponse, error)
 	mustEmbedUnimplementedStatsServiceServer()
 }

@@ -145,6 +158,9 @@ func (UnimplementedStatsServiceServer) GetStatsOnlineIpList(context.Context, *Ge
 func (UnimplementedStatsServiceServer) GetAllOnlineUsers(context.Context, *GetAllOnlineUsersRequest) (*GetAllOnlineUsersResponse, error) {
 	return nil, status.Error(codes.Unimplemented, "method GetAllOnlineUsers not implemented")
 }
+func (UnimplementedStatsServiceServer) GetUsersStats(context.Context, *GetUsersStatsRequest) (*GetUsersStatsResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method GetUsersStats not implemented")
+}
 func (UnimplementedStatsServiceServer) mustEmbedUnimplementedStatsServiceServer() {}
 func (UnimplementedStatsServiceServer) testEmbeddedByValue()                      {}

@@ -274,6 +290,24 @@ func _StatsService_GetAllOnlineUsers_Handler(srv interface{}, ctx context.Contex
 	return interceptor(ctx, in, info, handler)
 }

+func _StatsService_GetUsersStats_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetUsersStatsRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(StatsServiceServer).GetUsersStats(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: StatsService_GetUsersStats_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(StatsServiceServer).GetUsersStats(ctx, req.(*GetUsersStatsRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 // StatsService_ServiceDesc is the grpc.ServiceDesc for StatsService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -305,6 +339,10 @@ var StatsService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "GetAllOnlineUsers",
 			Handler:    _StatsService_GetAllOnlineUsers_Handler,
 		},
+		{
+			MethodName: "GetUsersStats",
+			Handler:    _StatsService_GetUsersStats_Handler,
+		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "app/stats/command/command.proto",
--- a/app/stats/online_map.go
+++ b/app/stats/online_map.go
@@ -2,84 +2,86 @@ package stats

 import (
 	"sync"
+	"sync/atomic"
 	"time"
 )

-// OnlineMap is an implementation of stats.OnlineMap.
-type OnlineMap struct {
-	ipList        map[string]time.Time
-	access        sync.RWMutex
-	lastCleanup   time.Time
-	cleanupPeriod time.Duration
+const (
+	localhostIPv4 = "127.0.0.1"
+	localhostIPv6 = "[::1]"
+)
+
+type ipEntry struct {
+	refCount int
+	lastSeen int64
 }

-// NewOnlineMap creates a new instance of OnlineMap.
+// OnlineMap is a refcount-based implementation of stats.OnlineMap.
+// IPs are tracked by reference counting: AddIP increments, RemoveIP decrements.
+// An IP is removed from the map when its reference count reaches zero.
+type OnlineMap struct {
+	entries map[string]ipEntry
+	access  sync.Mutex
+	count   atomic.Int64
+}
+
+// NewOnlineMap creates a new OnlineMap instance.
 func NewOnlineMap() *OnlineMap {
 	return &OnlineMap{
-		ipList:        make(map[string]time.Time),
-		lastCleanup:   time.Now(),
-		cleanupPeriod: 10 * time.Second,
+		entries: make(map[string]ipEntry),
+	}
+}
+
+// AddIP implements stats.OnlineMap.
+func (om *OnlineMap) AddIP(ip string) {
+	if ip == localhostIPv4 || ip == localhostIPv6 {
+		return
+	}
+	now := time.Now().Unix()
+	om.access.Lock()
+	defer om.access.Unlock()
+	if e, ok := om.entries[ip]; ok {
+		e.refCount++
+		e.lastSeen = now
+		om.entries[ip] = e
+	} else {
+		om.entries[ip] = ipEntry{
+			refCount: 1,
+			lastSeen: now,
+		}
+		om.count.Add(1)
+	}
+}
+
+// RemoveIP implements stats.OnlineMap.
+func (om *OnlineMap) RemoveIP(ip string) {
+	om.access.Lock()
+	defer om.access.Unlock()
+	e, ok := om.entries[ip]
+	if !ok {
+		return
+	}
+	e.refCount--
+	if e.refCount <= 0 {
+		delete(om.entries, ip)
+		om.count.Add(-1)
+	} else {
+		om.entries[ip] = e
 	}
 }

 // Count implements stats.OnlineMap.
-func (c *OnlineMap) Count() int {
-	c.access.RLock()
-	defer c.access.RUnlock()
-
-	return len(c.ipList)
+func (om *OnlineMap) Count() int {
+	return int(om.count.Load())
 }

-// List implements stats.OnlineMap.
-func (c *OnlineMap) List() []string {
-	return c.GetKeys()
-}
-
-// AddIP implements stats.OnlineMap.
-func (c *OnlineMap) AddIP(ip string) {
-	if ip == "127.0.0.1" {
-		return
-	}
-
-	c.access.Lock()
-	c.ipList[ip] = time.Now()
-	c.access.Unlock()
-
-	if time.Since(c.lastCleanup) > c.cleanupPeriod {
-		c.RemoveExpiredIPs()
-		c.lastCleanup = time.Now()
-	}
-}
-
-func (c *OnlineMap) GetKeys() []string {
-	c.access.RLock()
-	defer c.access.RUnlock()
-
-	keys := []string{}
-	for k := range c.ipList {
-		keys = append(keys, k)
-	}
-	return keys
-}
-
-func (c *OnlineMap) RemoveExpiredIPs() {
-	c.access.Lock()
-	defer c.access.Unlock()
-
-	now := time.Now()
-	for k, t := range c.ipList {
-		diff := now.Sub(t)
-		if diff.Seconds() > 20 {
-			delete(c.ipList, k)
+// ForEach calls fn for each online IP. If fn returns false, iteration stops.
+func (om *OnlineMap) ForEach(fn func(string, int64) bool) {
+	om.access.Lock()
+	defer om.access.Unlock()
+	for ip, e := range om.entries {
+		if !fn(ip, e.lastSeen) {
+			break
 		}
 	}
 }
-
-func (c *OnlineMap) IpTimeMap() map[string]time.Time {
-	if time.Since(c.lastCleanup) > c.cleanupPeriod {
-		c.RemoveExpiredIPs()
-		c.lastCleanup = time.Now()
-	}
-
-	return c.ipList
-}
--- a/app/stats/stats.go
+++ b/app/stats/stats.go
@@ -11,19 +11,19 @@ import (

 // Manager is an implementation of stats.Manager.
 type Manager struct {
-	access    sync.RWMutex
-	counters  map[string]*Counter
-	onlineMap map[string]*OnlineMap
-	channels  map[string]*Channel
-	running   bool
+	access     sync.RWMutex
+	counters   map[string]*Counter
+	onlineMaps map[string]*OnlineMap
+	channels   map[string]*Channel
+	running    bool
 }

 // NewManager creates an instance of Statistics Manager.
 func NewManager(ctx context.Context, config *Config) (*Manager, error) {
 	m := &Manager{
-		counters:  make(map[string]*Counter),
-		onlineMap: make(map[string]*OnlineMap),
-		channels:  make(map[string]*Channel),
+		counters:   make(map[string]*Counter),
+		onlineMaps: make(map[string]*OnlineMap),
+		channels:   make(map[string]*Channel),
 	}

 	return m, nil
@@ -88,12 +88,12 @@ func (m *Manager) RegisterOnlineMap(name string) (stats.OnlineMap, error) {
 	m.access.Lock()
 	defer m.access.Unlock()

-	if _, found := m.onlineMap[name]; found {
-		return nil, errors.New("onlineMap ", name, " already registered.")
+	if _, found := m.onlineMaps[name]; found {
+		return nil, errors.New("OnlineMap ", name, " already registered.")
 	}
-	errors.LogDebug(context.Background(), "create new onlineMap ", name)
+	errors.LogDebug(context.Background(), "create new OnlineMap ", name)
 	om := NewOnlineMap()
-	m.onlineMap[name] = om
+	m.onlineMaps[name] = om
 	return om, nil
 }

@@ -102,9 +102,9 @@ func (m *Manager) UnregisterOnlineMap(name string) error {
 	m.access.Lock()
 	defer m.access.Unlock()

-	if _, found := m.onlineMap[name]; found {
-		errors.LogDebug(context.Background(), "remove onlineMap ", name)
-		delete(m.onlineMap, name)
+	if _, found := m.onlineMaps[name]; found {
+		errors.LogDebug(context.Background(), "remove OnlineMap ", name)
+		delete(m.onlineMaps, name)
 	}
 	return nil
 }
@@ -114,12 +114,24 @@ func (m *Manager) GetOnlineMap(name string) stats.OnlineMap {
 	m.access.RLock()
 	defer m.access.RUnlock()

-	if om, found := m.onlineMap[name]; found {
+	if om, found := m.onlineMaps[name]; found {
 		return om
 	}
 	return nil
 }

+// VisitOnlineMaps calls visitor function on all managed online maps.
+// The visitor runs under a read lock; it must not call RegisterOnlineMap or UnregisterOnlineMap (would deadlock).
+func (m *Manager) VisitOnlineMaps(visitor func(string, stats.OnlineMap) bool) {
+	m.access.RLock()
+	defer m.access.RUnlock()
+	for name, om := range m.onlineMaps {
+		if !visitor(name, om) {
+			break
+		}
+	}
+}
+
 // RegisterChannel implements stats.Manager.
 func (m *Manager) RegisterChannel(name string) (stats.Channel, error) {
 	m.access.Lock()
@@ -163,12 +175,12 @@ func (m *Manager) GetChannel(name string) stats.Channel {

 // GetAllOnlineUsers implements stats.Manager.
 func (m *Manager) GetAllOnlineUsers() []string {
-	m.access.Lock()
-	defer m.access.Unlock()
+	m.access.RLock()
+	defer m.access.RUnlock()

-	usersOnline := make([]string, 0, len(m.onlineMap))
-	for user, onlineMap := range m.onlineMap {
-		if len(onlineMap.IpTimeMap()) > 0 {
+	usersOnline := make([]string, 0, len(m.onlineMaps))
+	for user, om := range m.onlineMaps {
+		if om.Count() > 0 {
 			usersOnline = append(usersOnline, user)
 		}
 	}
@@ -198,6 +210,10 @@ func (m *Manager) Close() error {
 	m.access.Lock()
 	defer m.access.Unlock()
 	m.running = false
+	for name := range m.onlineMaps {
+		errors.LogDebug(context.Background(), "remove OnlineMap ", name)
+		delete(m.onlineMaps, name)
+	}
 	errs := []error{}
 	for name, channel := range m.channels {
 		errors.LogDebug(context.Background(), "remove channel ", name)
--- a/common/buf/readv_posix.go
+++ b/common/buf/readv_posix.go
@@ -1,5 +1,5 @@
-//go:build !windows && !wasm && !illumos
-// +build !windows,!wasm,!illumos
+//go:build !windows && !wasm && !illumos && !openbsd
+// +build !windows,!wasm,!illumos,!openbsd

 package buf

--- a/common/buf/readv_reader.go
+++ b/common/buf/readv_reader.go
@@ -1,5 +1,5 @@
-//go:build !wasm
-// +build !wasm
+//go:build !wasm && !openbsd
+// +build !wasm,!openbsd

 package buf

--- a/common/buf/readv_reader_stub.go
+++ b/common/buf/readv_reader_stub.go
@@ -0,0 +1,17 @@
+//go:build wasm || openbsd
+// +build wasm openbsd
+
+package buf
+
+import (
+	"io"
+	"syscall"
+
+	"github.com/xtls/xray-core/features/stats"
+)
+
+const useReadv = false
+
+func NewReadVReader(reader io.Reader, rawConn syscall.RawConn, counter stats.Counter) Reader {
+	panic("not implemented")
+}
--- a/common/buf/readv_reader_wasm.go
+++ b/common/buf/readv_reader_wasm.go
@@ -1,15 +0,0 @@
-//go:build wasm
-// +build wasm
-
-package buf
-
-import (
-	"io"
-	"syscall"
-)
-
-const useReadv = false
-
-func NewReadVReader(reader io.Reader, rawConn syscall.RawConn) Reader {
-	panic("not implemented")
-}
--- a/common/buf/readv_test.go
+++ b/common/buf/readv_test.go
@@ -1,5 +1,5 @@
-//go:build !wasm
-// +build !wasm
+//go:build !wasm && !openbsd
+// +build !wasm,!openbsd

 package buf_test

--- a/common/crypto/crypto.go
+++ b/common/crypto/crypto.go
@@ -4,8 +4,11 @@ package crypto // import "github.com/xtls/xray-core/common/crypto"
 import (
 	"crypto/rand"
 	"math/big"
+
+	"github.com/xtls/xray-core/common"
 )

+// [,)
 func RandBetween(from int64, to int64) int64 {
 	if from == to {
 		return from
@@ -16,3 +19,20 @@ func RandBetween(from int64, to int64) int64 {
 	bigInt, _ := rand.Int(rand.Reader, big.NewInt(to-from))
 	return from + bigInt.Int64()
 }
+
+// [,]
+func RandBytesBetween(b []byte, from, to byte) {
+	common.Must2(rand.Read(b))
+
+	if from > to {
+		from, to = to, from
+	}
+
+	if to-from == 255 {
+		return
+	}
+
+	for i := range b {
+		b[i] = from + b[i]%(to-from+1)
+	}
+}
--- a/common/geodata/domain_matcher.go
+++ b/common/geodata/domain_matcher.go
@@ -0,0 +1,237 @@
+package geodata
+
+import (
+	"context"
+	"runtime"
+	"strings"
+	"sync"
+
+	"github.com/xtls/xray-core/common/errors"
+	"github.com/xtls/xray-core/common/geodata/strmatcher"
+)
+
+type DomainMatcher interface {
+	// Match returns the indices of all rules that match the input domain.
+	// The returned slice is owned by the caller and may be safely modified.
+	// Note: the slice may contain duplicates and the order is unspecified.
+	Match(input string) []uint32
+
+	MatchAny(input string) bool
+}
+
+type DomainMatcherFactory interface {
+	BuildMatcher(rules []*DomainRule) (DomainMatcher, error)
+}
+
+type MphDomainMatcherFactory struct {
+	sync.Mutex
+	shared map[string]strmatcher.MatcherGroup // TODO: cleanup
+}
+
+func buildDomainRulesKey(rules []*DomainRule) string {
+	var sb strings.Builder
+	cache := false
+	for _, r := range rules {
+		switch v := r.Value.(type) {
+		case *DomainRule_Custom:
+			sb.WriteString(v.Custom.Type.String())
+			sb.WriteString(":")
+			sb.WriteString(v.Custom.Value)
+			sb.WriteString(",")
+		case *DomainRule_Geosite:
+			cache = true
+			sb.WriteString(v.Geosite.File)
+			sb.WriteString(":")
+			sb.WriteString(v.Geosite.Code)
+			sb.WriteString("@")
+			sb.WriteString(v.Geosite.Attrs)
+			sb.WriteString(",")
+		default:
+			panic("unknown domain rule type")
+		}
+	}
+	if !cache {
+		return ""
+	}
+	return sb.String()
+}
+
+// BuildMatcher implements DomainMatcherFactory.
+func (f *MphDomainMatcherFactory) BuildMatcher(rules []*DomainRule) (DomainMatcher, error) {
+	if len(rules) == 0 {
+		return nil, errors.New("empty domain rule list")
+	}
+	key := buildDomainRulesKey(rules)
+	if key != "" {
+		f.Lock()
+		defer f.Unlock()
+		if g := f.shared[key]; g != nil {
+			errors.LogDebug(context.Background(), "geodata mph domain matcher cache HIT for ", len(rules), " rules")
+			return g, nil
+		}
+		errors.LogDebug(context.Background(), "geodata mph domain matcher cache MISS for ", len(rules), " rules")
+	}
+	g := strmatcher.NewMphValueMatcher()
+	for i, r := range rules {
+		switch v := r.Value.(type) {
+		case *DomainRule_Custom:
+			m, err := parseDomain(v.Custom)
+			if err != nil {
+				return nil, err
+			}
+			g.Add(m, uint32(i))
+		case *DomainRule_Geosite:
+			domains, err := loadSiteWithAttrs(v.Geosite.File, v.Geosite.Code, v.Geosite.Attrs)
+			if err != nil {
+				return nil, err
+			}
+			for j, d := range domains {
+				domains[j] = nil // peak mem
+				m, err := parseDomain(d)
+				if err != nil {
+					errors.LogError(context.Background(), "ignore invalid geosite entry in ", v.Geosite.File, ":", v.Geosite.Code, " at index ", j, ", ", err)
+					continue
+				}
+				g.Add(m, uint32(i))
+			}
+		default:
+			panic("unknown domain rule type")
+		}
+	}
+	if err := g.Build(); err != nil {
+		return nil, err
+	}
+	if key != "" {
+		f.shared[key] = g
+	}
+	return g, nil
+}
+
+type CompactDomainMatcherFactory struct {
+	sync.Mutex
+	shared map[string]strmatcher.MatcherSet // TODO: cleanup
+}
+
+func (f *CompactDomainMatcherFactory) getOrCreateFrom(rule *GeoSiteRule) (strmatcher.MatcherSet, error) {
+	key := rule.File + ":" + rule.Code + "@" + rule.Attrs
+
+	f.Lock()
+	defer f.Unlock()
+
+	if s := f.shared[key]; s != nil {
+		errors.LogDebug(context.Background(), "geodata geosite matcher cache HIT ", key)
+		return s, nil
+	}
+	errors.LogDebug(context.Background(), "geodata geosite matcher cache MISS ", key)
+
+	s := strmatcher.NewLinearAnyMatcher()
+	domains, err := loadSiteWithAttrs(rule.File, rule.Code, rule.Attrs)
+	if err != nil {
+		return nil, err
+	}
+	for i, d := range domains {
+		domains[i] = nil // peak mem
+		m, err := parseDomain(d)
+		if err != nil {
+			errors.LogError(context.Background(), "ignore invalid geosite entry in ", rule.File, ":", rule.Code, " at index ", i, ", ", err)
+			continue
+		}
+		s.Add(m)
+	}
+	f.shared[key] = s
+	return s, err
+}
+
+// BuildMatcher implements DomainMatcherFactory.
+func (f *CompactDomainMatcherFactory) BuildMatcher(rules []*DomainRule) (DomainMatcher, error) {
+	if len(rules) == 0 {
+		return nil, errors.New("empty domain rule list")
+	}
+	compact := &CompactDomainMatcher{
+		matchers: make([]strmatcher.MatcherSet, 0, len(rules)),
+		values:   make([]uint32, 0, len(rules)),
+	}
+	for i, r := range rules {
+		switch v := r.Value.(type) {
+		case *DomainRule_Custom:
+			m, err := parseDomain(v.Custom)
+			if err != nil {
+				return nil, err
+			}
+			if compact.custom == nil {
+				compact.custom = strmatcher.NewLinearValueMatcher()
+			}
+			compact.custom.Add(m, uint32(i))
+		case *DomainRule_Geosite:
+			m, err := f.getOrCreateFrom(v.Geosite)
+			if err != nil {
+				return nil, err
+			}
+			compact.matchers = append(compact.matchers, m)
+			compact.values = append(compact.values, uint32(i))
+		default:
+			panic("unknown domain rule type")
+		}
+	}
+	return compact, nil
+}
+
+type CompactDomainMatcher struct {
+	custom   strmatcher.ValueMatcher
+	matchers []strmatcher.MatcherSet
+	values   []uint32
+}
+
+// Match implements DomainMatcher.
+func (c *CompactDomainMatcher) Match(input string) []uint32 {
+	var result []uint32
+	if c.custom != nil {
+		result = append(result, c.custom.Match(input)...)
+	}
+	for i, m := range c.matchers {
+		if m.MatchAny(input) {
+			result = append(result, c.values[i])
+		}
+	}
+	return result
+}
+
+// MatchAny implements DomainMatcher.
+func (c *CompactDomainMatcher) MatchAny(input string) bool {
+	if c.custom != nil && c.custom.MatchAny(input) {
+		return true
+	}
+	for _, m := range c.matchers {
+		if m.MatchAny(input) {
+			return true
+		}
+	}
+	return false
+}
+
+func parseDomain(d *Domain) (strmatcher.Matcher, error) {
+	if d == nil {
+		return nil, errors.New("domain must not be nil")
+	}
+	switch d.Type {
+	case Domain_Substr:
+		return strmatcher.Substr.New(strings.ToLower(d.Value))
+	case Domain_Regex:
+		return strmatcher.Regex.New(d.Value)
+	case Domain_Domain:
+		return strmatcher.Domain.New(d.Value)
+	case Domain_Full:
+		return strmatcher.Full.New(strings.ToLower(d.Value))
+	default:
+		return nil, errors.New("unknown domain type: ", d.Type)
+	}
+}
+
+func newDomainMatcherFactory() DomainMatcherFactory {
+	switch runtime.GOOS {
+	case "ios", "android":
+		return &CompactDomainMatcherFactory{shared: make(map[string]strmatcher.MatcherSet)}
+	default:
+		return &MphDomainMatcherFactory{shared: make(map[string]strmatcher.MatcherGroup)}
+	}
+}
--- a/common/geodata/domain_matcher_test.go
+++ b/common/geodata/domain_matcher_test.go
@@ -0,0 +1,72 @@
+package geodata
+
+import (
+	"path/filepath"
+	"reflect"
+	"slices"
+	"testing"
+
+	"github.com/xtls/xray-core/common/geodata/strmatcher"
+)
+
+func TestCompactDomainMatcher_PreservesCustomRuleIndices(t *testing.T) {
+	factory := &CompactDomainMatcherFactory{shared: make(map[string]strmatcher.MatcherSet)}
+	matcher, err := factory.BuildMatcher([]*DomainRule{
+		{Value: &DomainRule_Custom{Custom: &Domain{Type: Domain_Full, Value: "example.com"}}},
+		{Value: &DomainRule_Custom{Custom: &Domain{Type: Domain_Domain, Value: "example.com"}}},
+	})
+	if err != nil {
+		t.Fatalf("BuildMatcher() failed: %v", err)
+	}
+
+	got := matcher.Match("example.com")
+	slices.Sort(got)
+
+	want := []uint32{0, 1}
+	if !reflect.DeepEqual(got, want) {
+		t.Fatalf("Match() = %v, want %v", got, want)
+	}
+}
+
+func TestCompactDomainMatcher_PreservesMixedRuleIndices(t *testing.T) {
+	t.Setenv("xray.location.asset", filepath.Join("..", "..", "resources"))
+
+	factory := &CompactDomainMatcherFactory{shared: make(map[string]strmatcher.MatcherSet)}
+	matcher, err := factory.BuildMatcher([]*DomainRule{
+		{Value: &DomainRule_Geosite{Geosite: &GeoSiteRule{File: DefaultGeoSiteDat, Code: "CN"}}},
+		{Value: &DomainRule_Custom{Custom: &Domain{Type: Domain_Full, Value: "163.com"}}},
+	})
+	if err != nil {
+		t.Fatalf("BuildMatcher() failed: %v", err)
+	}
+
+	got := matcher.Match("163.com")
+	slices.Sort(got)
+
+	want := []uint32{0, 1}
+	if !reflect.DeepEqual(got, want) {
+		t.Fatalf("Match() = %v, want %v", got, want)
+	}
+}
+
+func TestMphDomainMatcher_MatchReturnsDetachedSlice(t *testing.T) {
+	matcher, err := (&MphDomainMatcherFactory{shared: make(map[string]strmatcher.MatcherGroup)}).BuildMatcher([]*DomainRule{
+		{Value: &DomainRule_Custom{Custom: &Domain{Type: Domain_Full, Value: "example.com"}}},
+		{Value: &DomainRule_Custom{Custom: &Domain{Type: Domain_Domain, Value: "example.com"}}},
+	})
+	if err != nil {
+		t.Fatalf("BuildMatcher() failed: %v", err)
+	}
+
+	got := matcher.Match("example.com")
+	if !reflect.DeepEqual(got, []uint32{0, 1}) {
+		t.Fatalf("Match() = %v, want %v", got, []uint32{0, 1})
+	}
+
+	got[0] = 1
+
+	gotAgain := matcher.Match("example.com")
+	if !reflect.DeepEqual(gotAgain, []uint32{0, 1}) {
+		t.Fatalf("Match() after caller mutation = %v, want %v", gotAgain, []uint32{0, 1})
+	}
+}
--- a/common/geodata/domain_registry.go
+++ b/common/geodata/domain_registry.go
@@ -0,0 +1,94 @@
+package geodata
+
+import (
+	"context"
+	"sync"
+	"sync/atomic"
+
+	"github.com/xtls/xray-core/common/errors"
+)
+
+type DomainRegistry struct {
+	mu       sync.Mutex
+	factory  DomainMatcherFactory
+	matchers []*DynamicDomainMatcher
+}
+
+func (r *DomainRegistry) BuildDomainMatcher(rules []*DomainRule) (DomainMatcher, error) {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	m, err := r.factory.BuildMatcher(rules)
+	if err != nil {
+		return nil, err
+	}
+
+	d := NewDynamicDomainMatcher(rules, m)
+	r.matchers = append(r.matchers, d)
+	return d, nil
+}
+
+func (r *DomainRegistry) Reload() error {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	errors.LogInfo(context.Background(), "reloading GeoSite data for ", len(r.matchers), " domain matcher(s)")
+
+	factory := newDomainMatcherFactory()
+	type reloadEntry struct {
+		dynamic *DynamicDomainMatcher
+		matcher DomainMatcher
+	}
+	reloaded := make([]reloadEntry, len(r.matchers))
+	for i, d := range r.matchers {
+		m, err := factory.BuildMatcher(d.rules)
+		if err != nil {
+			errors.LogErrorInner(context.Background(), err, "failed to reload GeoSite data for domain matcher ", i)
+			return err
+		}
+		reloaded[i] = reloadEntry{dynamic: d, matcher: m}
+	}
+	for _, entry := range reloaded {
+		entry.dynamic.Reload(entry.matcher)
+	}
+	r.factory = factory
+	errors.LogInfo(context.Background(), "reloaded GeoSite data for ", len(r.matchers), " domain matcher(s)")
+	return nil
+}
+
+func newDomainRegistry() *DomainRegistry {
+	return &DomainRegistry{
+		factory: newDomainMatcherFactory(),
+	}
+}
+
+var DomainReg = newDomainRegistry()
+
+type domainMatcherState struct {
+	matcher DomainMatcher
+}
+
+type DynamicDomainMatcher struct {
+	rules []*DomainRule
+	state atomic.Pointer[domainMatcherState]
+}
+
+// Match implements DomainMatcher.
+func (d *DynamicDomainMatcher) Match(input string) []uint32 {
+	return d.state.Load().matcher.Match(input)
+}
+
+// MatchAny implements DomainMatcher.
+func (d *DynamicDomainMatcher) MatchAny(input string) bool {
+	return d.state.Load().matcher.MatchAny(input)
+}
+
+func (d *DynamicDomainMatcher) Reload(newMatcher DomainMatcher) {
+	d.state.Store(&domainMatcherState{matcher: newMatcher})
+}
+
+func NewDynamicDomainMatcher(rules []*DomainRule, matcher DomainMatcher) *DynamicDomainMatcher {
+	d := &DynamicDomainMatcher{rules: rules}
+	d.Reload(matcher)
+	return d
+}
--- a/common/geodata/geodat.pb.go
+++ b/common/geodata/geodat.pb.go
@@ -0,0 +1,965 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.36.11
+// 	protoc        v6.33.5
+// source: common/geodata/geodat.proto
+
+package geodata
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+	unsafe "unsafe"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// Type of domain value.
+type Domain_Type int32
+
+const (
+	// The value is used as a sub string.
+	Domain_Substr Domain_Type = 0
+	// The value is used as a regular expression.
+	Domain_Regex Domain_Type = 1
+	// The value is a domain.
+	Domain_Domain Domain_Type = 2
+	// The value is a full domain.
+	Domain_Full Domain_Type = 3
+)
+
+// Enum value maps for Domain_Type.
+var (
+	Domain_Type_name = map[int32]string{
+		0: "Substr",
+		1: "Regex",
+		2: "Domain",
+		3: "Full",
+	}
+	Domain_Type_value = map[string]int32{
+		"Substr": 0,
+		"Regex":  1,
+		"Domain": 2,
+		"Full":   3,
+	}
+)
+
+func (x Domain_Type) Enum() *Domain_Type {
+	p := new(Domain_Type)
+	*p = x
+	return p
+}
+
+func (x Domain_Type) String() string {
+	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (Domain_Type) Descriptor() protoreflect.EnumDescriptor {
+	return file_common_geodata_geodat_proto_enumTypes[0].Descriptor()
+}
+
+func (Domain_Type) Type() protoreflect.EnumType {
+	return &file_common_geodata_geodat_proto_enumTypes[0]
+}
+
+func (x Domain_Type) Number() protoreflect.EnumNumber {
+	return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use Domain_Type.Descriptor instead.
+func (Domain_Type) EnumDescriptor() ([]byte, []int) {
+	return file_common_geodata_geodat_proto_rawDescGZIP(), []int{0, 0}
+}
+
+type Domain struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Domain matching type.
+	Type Domain_Type `protobuf:"varint,1,opt,name=type,proto3,enum=xray.common.geodata.Domain_Type" json:"type,omitempty"`
+	// Domain value.
+	Value string `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"`
+	// Attributes of this domain. May be used for filtering.
+	Attribute     []*Domain_Attribute `protobuf:"bytes,3,rep,name=attribute,proto3" json:"attribute,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *Domain) Reset() {
+	*x = Domain{}
+	mi := &file_common_geodata_geodat_proto_msgTypes[0]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *Domain) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Domain) ProtoMessage() {}
+
+func (x *Domain) ProtoReflect() protoreflect.Message {
+	mi := &file_common_geodata_geodat_proto_msgTypes[0]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Domain.ProtoReflect.Descriptor instead.
+func (*Domain) Descriptor() ([]byte, []int) {
+	return file_common_geodata_geodat_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *Domain) GetType() Domain_Type {
+	if x != nil {
+		return x.Type
+	}
+	return Domain_Substr
+}
+
+func (x *Domain) GetValue() string {
+	if x != nil {
+		return x.Value
+	}
+	return ""
+}
+
+func (x *Domain) GetAttribute() []*Domain_Attribute {
+	if x != nil {
+		return x.Attribute
+	}
+	return nil
+}
+
+type GeoSite struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Code          string                 `protobuf:"bytes,1,opt,name=code,proto3" json:"code,omitempty"`
+	Domain        []*Domain              `protobuf:"bytes,2,rep,name=domain,proto3" json:"domain,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *GeoSite) Reset() {
+	*x = GeoSite{}
+	mi := &file_common_geodata_geodat_proto_msgTypes[1]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *GeoSite) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GeoSite) ProtoMessage() {}
+
+func (x *GeoSite) ProtoReflect() protoreflect.Message {
+	mi := &file_common_geodata_geodat_proto_msgTypes[1]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GeoSite.ProtoReflect.Descriptor instead.
+func (*GeoSite) Descriptor() ([]byte, []int) {
+	return file_common_geodata_geodat_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *GeoSite) GetCode() string {
+	if x != nil {
+		return x.Code
+	}
+	return ""
+}
+
+func (x *GeoSite) GetDomain() []*Domain {
+	if x != nil {
+		return x.Domain
+	}
+	return nil
+}
+
+type GeoSiteList struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Entry         []*GeoSite             `protobuf:"bytes,1,rep,name=entry,proto3" json:"entry,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *GeoSiteList) Reset() {
+	*x = GeoSiteList{}
+	mi := &file_common_geodata_geodat_proto_msgTypes[2]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *GeoSiteList) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GeoSiteList) ProtoMessage() {}
+
+func (x *GeoSiteList) ProtoReflect() protoreflect.Message {
+	mi := &file_common_geodata_geodat_proto_msgTypes[2]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GeoSiteList.ProtoReflect.Descriptor instead.
+func (*GeoSiteList) Descriptor() ([]byte, []int) {
+	return file_common_geodata_geodat_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *GeoSiteList) GetEntry() []*GeoSite {
+	if x != nil {
+		return x.Entry
+	}
+	return nil
+}
+
+type GeoSiteRule struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	File          string                 `protobuf:"bytes,1,opt,name=file,proto3" json:"file,omitempty"`
+	Code          string                 `protobuf:"bytes,2,opt,name=code,proto3" json:"code,omitempty"`
+	Attrs         string                 `protobuf:"bytes,3,opt,name=attrs,proto3" json:"attrs,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *GeoSiteRule) Reset() {
+	*x = GeoSiteRule{}
+	mi := &file_common_geodata_geodat_proto_msgTypes[3]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *GeoSiteRule) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GeoSiteRule) ProtoMessage() {}
+
+func (x *GeoSiteRule) ProtoReflect() protoreflect.Message {
+	mi := &file_common_geodata_geodat_proto_msgTypes[3]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GeoSiteRule.ProtoReflect.Descriptor instead.
+func (*GeoSiteRule) Descriptor() ([]byte, []int) {
+	return file_common_geodata_geodat_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *GeoSiteRule) GetFile() string {
+	if x != nil {
+		return x.File
+	}
+	return ""
+}
+
+func (x *GeoSiteRule) GetCode() string {
+	if x != nil {
+		return x.Code
+	}
+	return ""
+}
+
+func (x *GeoSiteRule) GetAttrs() string {
+	if x != nil {
+		return x.Attrs
+	}
+	return ""
+}
+
+type DomainRule struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Types that are valid to be assigned to Value:
+	//
+	//	*DomainRule_Geosite
+	//	*DomainRule_Custom
+	Value         isDomainRule_Value `protobuf_oneof:"value"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *DomainRule) Reset() {
+	*x = DomainRule{}
+	mi := &file_common_geodata_geodat_proto_msgTypes[4]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *DomainRule) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DomainRule) ProtoMessage() {}
+
+func (x *DomainRule) ProtoReflect() protoreflect.Message {
+	mi := &file_common_geodata_geodat_proto_msgTypes[4]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use DomainRule.ProtoReflect.Descriptor instead.
+func (*DomainRule) Descriptor() ([]byte, []int) {
+	return file_common_geodata_geodat_proto_rawDescGZIP(), []int{4}
+}
+
+func (x *DomainRule) GetValue() isDomainRule_Value {
+	if x != nil {
+		return x.Value
+	}
+	return nil
+}
+
+func (x *DomainRule) GetGeosite() *GeoSiteRule {
+	if x != nil {
+		if x, ok := x.Value.(*DomainRule_Geosite); ok {
+			return x.Geosite
+		}
+	}
+	return nil
+}
+
+func (x *DomainRule) GetCustom() *Domain {
+	if x != nil {
+		if x, ok := x.Value.(*DomainRule_Custom); ok {
+			return x.Custom
+		}
+	}
+	return nil
+}
+
+type isDomainRule_Value interface {
+	isDomainRule_Value()
+}
+
+type DomainRule_Geosite struct {
+	Geosite *GeoSiteRule `protobuf:"bytes,1,opt,name=geosite,proto3,oneof"`
+}
+
+type DomainRule_Custom struct {
+	Custom *Domain `protobuf:"bytes,2,opt,name=custom,proto3,oneof"`
+}
+
+func (*DomainRule_Geosite) isDomainRule_Value() {}
+
+func (*DomainRule_Custom) isDomainRule_Value() {}
+
+type CIDR struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// IP address, should be either 4 or 16 bytes.
+	Ip []byte `protobuf:"bytes,1,opt,name=ip,proto3" json:"ip,omitempty"`
+	// Number of leading ones in the network mask.
+	Prefix        uint32 `protobuf:"varint,2,opt,name=prefix,proto3" json:"prefix,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *CIDR) Reset() {
+	*x = CIDR{}
+	mi := &file_common_geodata_geodat_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *CIDR) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*CIDR) ProtoMessage() {}
+
+func (x *CIDR) ProtoReflect() protoreflect.Message {
+	mi := &file_common_geodata_geodat_proto_msgTypes[5]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use CIDR.ProtoReflect.Descriptor instead.
+func (*CIDR) Descriptor() ([]byte, []int) {
+	return file_common_geodata_geodat_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *CIDR) GetIp() []byte {
+	if x != nil {
+		return x.Ip
+	}
+	return nil
+}
+
+func (x *CIDR) GetPrefix() uint32 {
+	if x != nil {
+		return x.Prefix
+	}
+	return 0
+}
+
+type CIDRRule struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Cidr          *CIDR                  `protobuf:"bytes,1,opt,name=cidr,proto3" json:"cidr,omitempty"`
+	ReverseMatch  bool                   `protobuf:"varint,2,opt,name=reverse_match,json=reverseMatch,proto3" json:"reverse_match,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *CIDRRule) Reset() {
+	*x = CIDRRule{}
+	mi := &file_common_geodata_geodat_proto_msgTypes[6]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *CIDRRule) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*CIDRRule) ProtoMessage() {}
+
+func (x *CIDRRule) ProtoReflect() protoreflect.Message {
+	mi := &file_common_geodata_geodat_proto_msgTypes[6]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use CIDRRule.ProtoReflect.Descriptor instead.
+func (*CIDRRule) Descriptor() ([]byte, []int) {
+	return file_common_geodata_geodat_proto_rawDescGZIP(), []int{6}
+}
+
+func (x *CIDRRule) GetCidr() *CIDR {
+	if x != nil {
+		return x.Cidr
+	}
+	return nil
+}
+
+func (x *CIDRRule) GetReverseMatch() bool {
+	if x != nil {
+		return x.ReverseMatch
+	}
+	return false
+}
+
+type GeoIP struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Code          string                 `protobuf:"bytes,1,opt,name=code,proto3" json:"code,omitempty"`
+	Cidr          []*CIDR                `protobuf:"bytes,2,rep,name=cidr,proto3" json:"cidr,omitempty"`
+	ReverseMatch  bool                   `protobuf:"varint,3,opt,name=reverse_match,json=reverseMatch,proto3" json:"reverse_match,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *GeoIP) Reset() {
+	*x = GeoIP{}
+	mi := &file_common_geodata_geodat_proto_msgTypes[7]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *GeoIP) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GeoIP) ProtoMessage() {}
+
+func (x *GeoIP) ProtoReflect() protoreflect.Message {
+	mi := &file_common_geodata_geodat_proto_msgTypes[7]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GeoIP.ProtoReflect.Descriptor instead.
+func (*GeoIP) Descriptor() ([]byte, []int) {
+	return file_common_geodata_geodat_proto_rawDescGZIP(), []int{7}
+}
+
+func (x *GeoIP) GetCode() string {
+	if x != nil {
+		return x.Code
+	}
+	return ""
+}
+
+func (x *GeoIP) GetCidr() []*CIDR {
+	if x != nil {
+		return x.Cidr
+	}
+	return nil
+}
+
+func (x *GeoIP) GetReverseMatch() bool {
+	if x != nil {
+		return x.ReverseMatch
+	}
+	return false
+}
+
+type GeoIPList struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Entry         []*GeoIP               `protobuf:"bytes,1,rep,name=entry,proto3" json:"entry,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *GeoIPList) Reset() {
+	*x = GeoIPList{}
+	mi := &file_common_geodata_geodat_proto_msgTypes[8]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *GeoIPList) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GeoIPList) ProtoMessage() {}
+
+func (x *GeoIPList) ProtoReflect() protoreflect.Message {
+	mi := &file_common_geodata_geodat_proto_msgTypes[8]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GeoIPList.ProtoReflect.Descriptor instead.
+func (*GeoIPList) Descriptor() ([]byte, []int) {
+	return file_common_geodata_geodat_proto_rawDescGZIP(), []int{8}
+}
+
+func (x *GeoIPList) GetEntry() []*GeoIP {
+	if x != nil {
+		return x.Entry
+	}
+	return nil
+}
+
+type GeoIPRule struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	File          string                 `protobuf:"bytes,1,opt,name=file,proto3" json:"file,omitempty"`
+	Code          string                 `protobuf:"bytes,2,opt,name=code,proto3" json:"code,omitempty"`
+	ReverseMatch  bool                   `protobuf:"varint,3,opt,name=reverse_match,json=reverseMatch,proto3" json:"reverse_match,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *GeoIPRule) Reset() {
+	*x = GeoIPRule{}
+	mi := &file_common_geodata_geodat_proto_msgTypes[9]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *GeoIPRule) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GeoIPRule) ProtoMessage() {}
+
+func (x *GeoIPRule) ProtoReflect() protoreflect.Message {
+	mi := &file_common_geodata_geodat_proto_msgTypes[9]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GeoIPRule.ProtoReflect.Descriptor instead.
+func (*GeoIPRule) Descriptor() ([]byte, []int) {
+	return file_common_geodata_geodat_proto_rawDescGZIP(), []int{9}
+}
+
+func (x *GeoIPRule) GetFile() string {
+	if x != nil {
+		return x.File
+	}
+	return ""
+}
+
+func (x *GeoIPRule) GetCode() string {
+	if x != nil {
+		return x.Code
+	}
+	return ""
+}
+
+func (x *GeoIPRule) GetReverseMatch() bool {
+	if x != nil {
+		return x.ReverseMatch
+	}
+	return false
+}
+
+type IPRule struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Types that are valid to be assigned to Value:
+	//
+	//	*IPRule_Geoip
+	//	*IPRule_Custom
+	Value         isIPRule_Value `protobuf_oneof:"value"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *IPRule) Reset() {
+	*x = IPRule{}
+	mi := &file_common_geodata_geodat_proto_msgTypes[10]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *IPRule) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*IPRule) ProtoMessage() {}
+
+func (x *IPRule) ProtoReflect() protoreflect.Message {
+	mi := &file_common_geodata_geodat_proto_msgTypes[10]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use IPRule.ProtoReflect.Descriptor instead.
+func (*IPRule) Descriptor() ([]byte, []int) {
+	return file_common_geodata_geodat_proto_rawDescGZIP(), []int{10}
+}
+
+func (x *IPRule) GetValue() isIPRule_Value {
+	if x != nil {
+		return x.Value
+	}
+	return nil
+}
+
+func (x *IPRule) GetGeoip() *GeoIPRule {
+	if x != nil {
+		if x, ok := x.Value.(*IPRule_Geoip); ok {
+			return x.Geoip
+		}
+	}
+	return nil
+}
+
+func (x *IPRule) GetCustom() *CIDRRule {
+	if x != nil {
+		if x, ok := x.Value.(*IPRule_Custom); ok {
+			return x.Custom
+		}
+	}
+	return nil
+}
+
+type isIPRule_Value interface {
+	isIPRule_Value()
+}
+
+type IPRule_Geoip struct {
+	Geoip *GeoIPRule `protobuf:"bytes,1,opt,name=geoip,proto3,oneof"`
+}
+
+type IPRule_Custom struct {
+	Custom *CIDRRule `protobuf:"bytes,2,opt,name=custom,proto3,oneof"`
+}
+
+func (*IPRule_Geoip) isIPRule_Value() {}
+
+func (*IPRule_Custom) isIPRule_Value() {}
+
+type Domain_Attribute struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	Key   string                 `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
+	// Types that are valid to be assigned to TypedValue:
+	//
+	//	*Domain_Attribute_BoolValue
+	//	*Domain_Attribute_IntValue
+	TypedValue    isDomain_Attribute_TypedValue `protobuf_oneof:"typed_value"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *Domain_Attribute) Reset() {
+	*x = Domain_Attribute{}
+	mi := &file_common_geodata_geodat_proto_msgTypes[11]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *Domain_Attribute) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Domain_Attribute) ProtoMessage() {}
+
+func (x *Domain_Attribute) ProtoReflect() protoreflect.Message {
+	mi := &file_common_geodata_geodat_proto_msgTypes[11]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Domain_Attribute.ProtoReflect.Descriptor instead.
+func (*Domain_Attribute) Descriptor() ([]byte, []int) {
+	return file_common_geodata_geodat_proto_rawDescGZIP(), []int{0, 0}
+}
+
+func (x *Domain_Attribute) GetKey() string {
+	if x != nil {
+		return x.Key
+	}
+	return ""
+}
+
+func (x *Domain_Attribute) GetTypedValue() isDomain_Attribute_TypedValue {
+	if x != nil {
+		return x.TypedValue
+	}
+	return nil
+}
+
+func (x *Domain_Attribute) GetBoolValue() bool {
+	if x != nil {
+		if x, ok := x.TypedValue.(*Domain_Attribute_BoolValue); ok {
+			return x.BoolValue
+		}
+	}
+	return false
+}
+
+func (x *Domain_Attribute) GetIntValue() int64 {
+	if x != nil {
+		if x, ok := x.TypedValue.(*Domain_Attribute_IntValue); ok {
+			return x.IntValue
+		}
+	}
+	return 0
+}
+
+type isDomain_Attribute_TypedValue interface {
+	isDomain_Attribute_TypedValue()
+}
+
+type Domain_Attribute_BoolValue struct {
+	BoolValue bool `protobuf:"varint,2,opt,name=bool_value,json=boolValue,proto3,oneof"`
+}
+
+type Domain_Attribute_IntValue struct {
+	IntValue int64 `protobuf:"varint,3,opt,name=int_value,json=intValue,proto3,oneof"`
+}
+
+func (*Domain_Attribute_BoolValue) isDomain_Attribute_TypedValue() {}
+
+func (*Domain_Attribute_IntValue) isDomain_Attribute_TypedValue() {}
+
+var File_common_geodata_geodat_proto protoreflect.FileDescriptor
+
+const file_common_geodata_geodat_proto_rawDesc = "" +
+	"\n" +
+	"\x1bcommon/geodata/geodat.proto\x12\x13xray.common.geodata\"\xbc\x02\n" +
+	"\x06Domain\x124\n" +
+	"\x04type\x18\x01 \x01(\x0e2 .xray.common.geodata.Domain.TypeR\x04type\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value\x12C\n" +
+	"\tattribute\x18\x03 \x03(\v2%.xray.common.geodata.Domain.AttributeR\tattribute\x1al\n" +
+	"\tAttribute\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x1f\n" +
+	"\n" +
+	"bool_value\x18\x02 \x01(\bH\x00R\tboolValue\x12\x1d\n" +
+	"\tint_value\x18\x03 \x01(\x03H\x00R\bintValueB\r\n" +
+	"\vtyped_value\"3\n" +
+	"\x04Type\x12\n" +
+	"\n" +
+	"\x06Substr\x10\x00\x12\t\n" +
+	"\x05Regex\x10\x01\x12\n" +
+	"\n" +
+	"\x06Domain\x10\x02\x12\b\n" +
+	"\x04Full\x10\x03\"R\n" +
+	"\aGeoSite\x12\x12\n" +
+	"\x04code\x18\x01 \x01(\tR\x04code\x123\n" +
+	"\x06domain\x18\x02 \x03(\v2\x1b.xray.common.geodata.DomainR\x06domain\"A\n" +
+	"\vGeoSiteList\x122\n" +
+	"\x05entry\x18\x01 \x03(\v2\x1c.xray.common.geodata.GeoSiteR\x05entry\"K\n" +
+	"\vGeoSiteRule\x12\x12\n" +
+	"\x04file\x18\x01 \x01(\tR\x04file\x12\x12\n" +
+	"\x04code\x18\x02 \x01(\tR\x04code\x12\x14\n" +
+	"\x05attrs\x18\x03 \x01(\tR\x05attrs\"\x8a\x01\n" +
+	"\n" +
+	"DomainRule\x12<\n" +
+	"\ageosite\x18\x01 \x01(\v2 .xray.common.geodata.GeoSiteRuleH\x00R\ageosite\x125\n" +
+	"\x06custom\x18\x02 \x01(\v2\x1b.xray.common.geodata.DomainH\x00R\x06customB\a\n" +
+	"\x05value\".\n" +
+	"\x04CIDR\x12\x0e\n" +
+	"\x02ip\x18\x01 \x01(\fR\x02ip\x12\x16\n" +
+	"\x06prefix\x18\x02 \x01(\rR\x06prefix\"^\n" +
+	"\bCIDRRule\x12-\n" +
+	"\x04cidr\x18\x01 \x01(\v2\x19.xray.common.geodata.CIDRR\x04cidr\x12#\n" +
+	"\rreverse_match\x18\x02 \x01(\bR\freverseMatch\"o\n" +
+	"\x05GeoIP\x12\x12\n" +
+	"\x04code\x18\x01 \x01(\tR\x04code\x12-\n" +
+	"\x04cidr\x18\x02 \x03(\v2\x19.xray.common.geodata.CIDRR\x04cidr\x12#\n" +
+	"\rreverse_match\x18\x03 \x01(\bR\freverseMatch\"=\n" +
+	"\tGeoIPList\x120\n" +
+	"\x05entry\x18\x01 \x03(\v2\x1a.xray.common.geodata.GeoIPR\x05entry\"X\n" +
+	"\tGeoIPRule\x12\x12\n" +
+	"\x04file\x18\x01 \x01(\tR\x04file\x12\x12\n" +
+	"\x04code\x18\x02 \x01(\tR\x04code\x12#\n" +
+	"\rreverse_match\x18\x03 \x01(\bR\freverseMatch\"\x82\x01\n" +
+	"\x06IPRule\x126\n" +
+	"\x05geoip\x18\x01 \x01(\v2\x1e.xray.common.geodata.GeoIPRuleH\x00R\x05geoip\x127\n" +
+	"\x06custom\x18\x02 \x01(\v2\x1d.xray.common.geodata.CIDRRuleH\x00R\x06customB\a\n" +
+	"\x05valueB[\n" +
+	"\x17com.xray.common.geodataP\x01Z(github.com/xtls/xray-core/common/geodata\xaa\x02\x13Xray.Common.Geodatab\x06proto3"
+
+var (
+	file_common_geodata_geodat_proto_rawDescOnce sync.Once
+	file_common_geodata_geodat_proto_rawDescData []byte
+)
+
+func file_common_geodata_geodat_proto_rawDescGZIP() []byte {
+	file_common_geodata_geodat_proto_rawDescOnce.Do(func() {
+		file_common_geodata_geodat_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_common_geodata_geodat_proto_rawDesc), len(file_common_geodata_geodat_proto_rawDesc)))
+	})
+	return file_common_geodata_geodat_proto_rawDescData
+}
+
+var file_common_geodata_geodat_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
+var file_common_geodata_geodat_proto_msgTypes = make([]protoimpl.MessageInfo, 12)
+var file_common_geodata_geodat_proto_goTypes = []any{
+	(Domain_Type)(0),         // 0: xray.common.geodata.Domain.Type
+	(*Domain)(nil),           // 1: xray.common.geodata.Domain
+	(*GeoSite)(nil),          // 2: xray.common.geodata.GeoSite
+	(*GeoSiteList)(nil),      // 3: xray.common.geodata.GeoSiteList
+	(*GeoSiteRule)(nil),      // 4: xray.common.geodata.GeoSiteRule
+	(*DomainRule)(nil),       // 5: xray.common.geodata.DomainRule
+	(*CIDR)(nil),             // 6: xray.common.geodata.CIDR
+	(*CIDRRule)(nil),         // 7: xray.common.geodata.CIDRRule
+	(*GeoIP)(nil),            // 8: xray.common.geodata.GeoIP
+	(*GeoIPList)(nil),        // 9: xray.common.geodata.GeoIPList
+	(*GeoIPRule)(nil),        // 10: xray.common.geodata.GeoIPRule
+	(*IPRule)(nil),           // 11: xray.common.geodata.IPRule
+	(*Domain_Attribute)(nil), // 12: xray.common.geodata.Domain.Attribute
+}
+var file_common_geodata_geodat_proto_depIdxs = []int32{
+	0,  // 0: xray.common.geodata.Domain.type:type_name -> xray.common.geodata.Domain.Type
+	12, // 1: xray.common.geodata.Domain.attribute:type_name -> xray.common.geodata.Domain.Attribute
+	1,  // 2: xray.common.geodata.GeoSite.domain:type_name -> xray.common.geodata.Domain
+	2,  // 3: xray.common.geodata.GeoSiteList.entry:type_name -> xray.common.geodata.GeoSite
+	4,  // 4: xray.common.geodata.DomainRule.geosite:type_name -> xray.common.geodata.GeoSiteRule
+	1,  // 5: xray.common.geodata.DomainRule.custom:type_name -> xray.common.geodata.Domain
+	6,  // 6: xray.common.geodata.CIDRRule.cidr:type_name -> xray.common.geodata.CIDR
+	6,  // 7: xray.common.geodata.GeoIP.cidr:type_name -> xray.common.geodata.CIDR
+	8,  // 8: xray.common.geodata.GeoIPList.entry:type_name -> xray.common.geodata.GeoIP
+	10, // 9: xray.common.geodata.IPRule.geoip:type_name -> xray.common.geodata.GeoIPRule
+	7,  // 10: xray.common.geodata.IPRule.custom:type_name -> xray.common.geodata.CIDRRule
+	11, // [11:11] is the sub-list for method output_type
+	11, // [11:11] is the sub-list for method input_type
+	11, // [11:11] is the sub-list for extension type_name
+	11, // [11:11] is the sub-list for extension extendee
+	0,  // [0:11] is the sub-list for field type_name
+}
+
+func init() { file_common_geodata_geodat_proto_init() }
+func file_common_geodata_geodat_proto_init() {
+	if File_common_geodata_geodat_proto != nil {
+		return
+	}
+	file_common_geodata_geodat_proto_msgTypes[4].OneofWrappers = []any{
+		(*DomainRule_Geosite)(nil),
+		(*DomainRule_Custom)(nil),
+	}
+	file_common_geodata_geodat_proto_msgTypes[10].OneofWrappers = []any{
+		(*IPRule_Geoip)(nil),
+		(*IPRule_Custom)(nil),
+	}
+	file_common_geodata_geodat_proto_msgTypes[11].OneofWrappers = []any{
+		(*Domain_Attribute_BoolValue)(nil),
+		(*Domain_Attribute_IntValue)(nil),
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_common_geodata_geodat_proto_rawDesc), len(file_common_geodata_geodat_proto_rawDesc)),
+			NumEnums:      1,
+			NumMessages:   12,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_common_geodata_geodat_proto_goTypes,
+		DependencyIndexes: file_common_geodata_geodat_proto_depIdxs,
+		EnumInfos:         file_common_geodata_geodat_proto_enumTypes,
+		MessageInfos:      file_common_geodata_geodat_proto_msgTypes,
+	}.Build()
+	File_common_geodata_geodat_proto = out.File
+	file_common_geodata_geodat_proto_goTypes = nil
+	file_common_geodata_geodat_proto_depIdxs = nil
+}
--- a/common/geodata/geodat.proto
+++ b/common/geodata/geodat.proto
@@ -0,0 +1,95 @@
+syntax = "proto3";
+
+package xray.common.geodata;
+option csharp_namespace = "Xray.Common.Geodata";
+option go_package = "github.com/xtls/xray-core/common/geodata";
+option java_package = "com.xray.common.geodata";
+option java_multiple_files = true;
+
+message Domain {
+  // Type of domain value.
+  enum Type {
+    // The value is used as a sub string.
+    Substr = 0;
+    // The value is used as a regular expression.
+    Regex = 1;
+    // The value is a domain.
+    Domain = 2;
+    // The value is a full domain.
+    Full = 3;
+  }
+  // Domain matching type.
+  Type type = 1;
+
+  // Domain value.
+  string value = 2;
+
+  message Attribute {
+    string key = 1;
+
+    oneof typed_value {
+      bool bool_value = 2;
+      int64 int_value = 3;
+    }
+  }
+  // Attributes of this domain. May be used for filtering.
+  repeated Attribute attribute = 3;
+}
+
+message GeoSite {
+  string code = 1;
+  repeated Domain domain = 2;
+}
+
+message GeoSiteList {
+  repeated GeoSite entry = 1;
+}
+
+message GeoSiteRule {
+  string file = 1;
+  string code = 2;
+  string attrs = 3;
+}
+
+message DomainRule {
+  oneof value {
+    GeoSiteRule geosite = 1;
+    Domain custom = 2;
+  }
+}
+
+message CIDR {
+  // IP address, should be either 4 or 16 bytes.
+  bytes ip = 1;
+
+  // Number of leading ones in the network mask.
+  uint32 prefix = 2;
+}
+
+message CIDRRule {
+  CIDR cidr = 1;
+  bool reverse_match = 2;
+}
+
+message GeoIP {
+  string code = 1;
+  repeated CIDR cidr = 2;
+  bool reverse_match = 3;
+}
+
+message GeoIPList {
+  repeated GeoIP entry = 1;
+}
+
+message GeoIPRule {
+  string file = 1;
+  string code = 2;
+  bool reverse_match = 3;
+}
+
+message IPRule {
+  oneof value {
+    GeoIPRule geoip = 1;
+    CIDRRule custom = 2;
+  }
+}
--- a/common/geodata/geodat_loader.go
+++ b/common/geodata/geodat_loader.go
@@ -0,0 +1,207 @@
+package geodata
+
+import (
+	"bufio"
+	"bytes"
+	"io"
+	"runtime"
+	"strings"
+
+	"github.com/xtls/xray-core/common/errors"
+	"github.com/xtls/xray-core/common/platform/filesystem"
+
+	"google.golang.org/protobuf/proto"
+)
+
+func checkFile(file, code string) error {
+	r, err := filesystem.OpenAsset(file)
+	if err != nil {
+		return errors.New("failed to open ", file).Base(err)
+	}
+	defer r.Close()
+	if _, err := find(r, []byte(code), false); err != nil {
+		return errors.New("failed to check code ", code, " from ", file).Base(err)
+	}
+	return nil
+}
+
+func loadFile(file, code string) ([]byte, error) {
+	runtime.GC() // peak mem
+	r, err := filesystem.OpenAsset(file)
+	if err != nil {
+		return nil, errors.New("failed to open ", file).Base(err)
+	}
+	defer r.Close()
+	bs, err := find(r, []byte(code), true)
+	if err != nil {
+		return nil, errors.New("failed to load code ", code, " from ", file).Base(err)
+	}
+	return bs, nil
+}
+
+func loadIP(file, code string) ([]*CIDR, error) {
+	bs, err := loadFile(file, code)
+	if err != nil {
+		return nil, err
+	}
+	defer runtime.GC() // peak mem
+	var geoip GeoIP
+	if err := proto.Unmarshal(bs, &geoip); err != nil {
+		return nil, errors.New("error unmarshal IP in ", file, ":", code).Base(err)
+	}
+	return geoip.Cidr, nil
+}
+
+func loadSite(file, code string) ([]*Domain, error) {
+	bs, err := loadFile(file, code)
+	if err != nil {
+		return nil, err
+	}
+	defer runtime.GC() // peak mem
+	var geosite GeoSite
+	if err := proto.Unmarshal(bs, &geosite); err != nil {
+		return nil, errors.New("error unmarshal Site in ", file, ":", code).Base(err)
+	}
+	return geosite.Domain, nil
+}
+
+func decodeVarint(br *bufio.Reader) (uint64, error) {
+	var x uint64
+	for shift := uint(0); shift < 64; shift += 7 {
+		b, err := br.ReadByte()
+		if err != nil {
+			return 0, err
+		}
+		x |= (uint64(b) & 0x7F) << shift
+		if (b & 0x80) == 0 {
+			return x, nil
+		}
+	}
+	// The number is too large to represent in a 64-bit value.
+	return 0, errors.New("varint overflow")
+}
+
+func find(r io.Reader, code []byte, readBody bool) ([]byte, error) {
+	codeL := len(code)
+	if codeL == 0 {
+		return nil, errors.New("empty code")
+	}
+
+	br := bufio.NewReaderSize(r, 64*1024)
+	need := 2 + codeL // TODO: if code too long
+	prefixBuf := make([]byte, need)
+
+	for {
+		if _, err := br.ReadByte(); err != nil {
+			return nil, err
+		}
+
+		x, err := decodeVarint(br)
+		if err != nil {
+			return nil, err
+		}
+		bodyL := int(x)
+		if bodyL <= 0 {
+			return nil, errors.New("invalid body length: ", bodyL)
+		}
+
+		prefixL := bodyL
+		if prefixL > need {
+			prefixL = need
+		}
+		prefix := prefixBuf[:prefixL]
+		if _, err := io.ReadFull(br, prefix); err != nil {
+			return nil, err
+		}
+
+		match := false
+		if bodyL >= need {
+			if int(prefix[1]) == codeL && bytes.Equal(prefix[2:need], code) {
+				if !readBody {
+					return nil, nil
+				}
+				match = true
+			}
+		}
+
+		remain := bodyL - prefixL
+		if match {
+			out := make([]byte, bodyL)
+			copy(out, prefix)
+			if remain > 0 {
+				if _, err := io.ReadFull(br, out[prefixL:]); err != nil {
+					return nil, err
+				}
+			}
+			return out, nil
+		}
+
+		if remain > 0 {
+			if _, err := br.Discard(remain); err != nil {
+				return nil, err
+			}
+		}
+	}
+}
+
+type AttributeMatcher interface {
+	Match(*Domain) bool
+}
+
+type HasAttrMatcher string
+
+// Match reports whether this matcher matches any attribute on the domain.
+func (m HasAttrMatcher) Match(domain *Domain) bool {
+	for _, attr := range domain.Attribute {
+		if attr.Key == string(m) {
+			return true
+		}
+	}
+	return false
+}
+
+type AllAttrsMatcher struct {
+	matchers []AttributeMatcher
+}
+
+// Match reports whether the domain matches every matcher in the list.
+func (m *AllAttrsMatcher) Match(domain *Domain) bool {
+	for _, matcher := range m.matchers {
+		if !matcher.Match(domain) {
+			return false
+		}
+	}
+	return true
+}
+
+func NewAllAttrsMatcher(attrs string) AttributeMatcher {
+	if attrs == "" {
+		return nil
+	}
+	m := new(AllAttrsMatcher)
+	for _, attr := range strings.Split(attrs, "@") {
+		m.matchers = append(m.matchers, HasAttrMatcher(attr))
+	}
+	return m
+}
+
+func loadSiteWithAttrs(file, code, attrs string) ([]*Domain, error) {
+	domains, err := loadSite(file, code)
+	if err != nil {
+		return nil, err
+	}
+
+	matcher := NewAllAttrsMatcher(attrs)
+	if matcher == nil {
+		return domains, nil
+	}
+
+	filtered := make([]*Domain, 0, len(domains))
+	for _, d := range domains {
+		if matcher.Match(d) {
+			filtered = append(filtered, d)
+		}
+	}
+
+	return filtered, nil
+}
--- a/app/router/condition_geoip.go
+++ b/app/router/condition_geoip.go
@@ -1,8 +1,10 @@
-package router
+package geodata

 import (
 	"context"
 	"net/netip"
+	"runtime"
+	"slices"
 	"sort"
 	"strings"
 	"sync"
@@ -13,7 +15,7 @@ import (
 	"go4.org/netipx"
 )

-type GeoIPMatcher interface {
+type IPMatcher interface {
 	// TODO: (PERF) all net.IP -> netipx.Addr

 	// Invalid IP always return false.
@@ -33,13 +35,13 @@ type GeoIPMatcher interface {
 	SetReverse(reverse bool)
 }

-type GeoIPSet struct {
+type IPSet struct {
 	ipv4, ipv6 *netipx.IPSet
 	max4, max6 uint8
 }

-type HeuristicGeoIPMatcher struct {
-	ipset   *GeoIPSet
+type HeuristicIPMatcher struct {
+	ipset   *IPSet
 	reverse bool
 }

@@ -48,8 +50,8 @@ type ipBucket struct {
 	ips []net.IP
 }

-// Match implements GeoIPMatcher.
-func (m *HeuristicGeoIPMatcher) Match(ip net.IP) bool {
+// Match implements IPMatcher.
+func (m *HeuristicIPMatcher) Match(ip net.IP) bool {
 	ipx, ok := netipx.FromStdIP(ip)
 	if !ok {
 		return false
@@ -57,18 +59,24 @@ func (m *HeuristicGeoIPMatcher) Match(ip net.IP) bool {
 	return m.matchAddr(ipx)
 }

-func (m *HeuristicGeoIPMatcher) matchAddr(ipx netip.Addr) bool {
+func (m *HeuristicIPMatcher) matchAddr(ipx netip.Addr) bool {
 	if ipx.Is4() {
+		if m.ipset.max4 == 0xff {
+			return false
+		}
 		return m.ipset.ipv4.Contains(ipx) != m.reverse
 	}
 	if ipx.Is6() {
+		if m.ipset.max6 == 0xff {
+			return false
+		}
 		return m.ipset.ipv6.Contains(ipx) != m.reverse
 	}
 	return false
 }

-// AnyMatch implements GeoIPMatcher.
-func (m *HeuristicGeoIPMatcher) AnyMatch(ips []net.IP) bool {
+// AnyMatch implements IPMatcher.
+func (m *HeuristicIPMatcher) AnyMatch(ips []net.IP) bool {
 	n := len(ips)
 	if n == 0 {
 		return false
@@ -117,8 +125,8 @@ func (m *HeuristicGeoIPMatcher) AnyMatch(ips []net.IP) bool {
 	return false
 }

-// Matches implements GeoIPMatcher.
-func (m *HeuristicGeoIPMatcher) Matches(ips []net.IP) bool {
+// Matches implements IPMatcher.
+func (m *HeuristicIPMatcher) Matches(ips []net.IP) bool {
 	n := len(ips)
 	if n == 0 {
 		return false
@@ -205,8 +213,8 @@ func prefixKeyFromIP(ip net.IP) (key [9]byte, ok bool) {
 	return key, false // illegal
 }

-// FilterIPs implements GeoIPMatcher.
-func (m *HeuristicGeoIPMatcher) FilterIPs(ips []net.IP) (matched []net.IP, unmatched []net.IP) {
+// FilterIPs implements IPMatcher.
+func (m *HeuristicIPMatcher) FilterIPs(ips []net.IP) (matched []net.IP, unmatched []net.IP) {
 	n := len(ips)
 	if n == 0 {
 		return []net.IP{}, []net.IP{}
@@ -295,22 +303,22 @@ func (m *HeuristicGeoIPMatcher) FilterIPs(ips []net.IP) (matched []net.IP, unmat
 	return
 }

-// ToggleReverse implements GeoIPMatcher.
-func (m *HeuristicGeoIPMatcher) ToggleReverse() {
+// ToggleReverse implements IPMatcher.
+func (m *HeuristicIPMatcher) ToggleReverse() {
 	m.reverse = !m.reverse
 }

-// SetReverse implements GeoIPMatcher.
-func (m *HeuristicGeoIPMatcher) SetReverse(reverse bool) {
+// SetReverse implements IPMatcher.
+func (m *HeuristicIPMatcher) SetReverse(reverse bool) {
 	m.reverse = reverse
 }

-type GeneralMultiGeoIPMatcher struct {
-	matchers []GeoIPMatcher
+type GeneralMultiIPMatcher struct {
+	matchers []IPMatcher
 }

-// Match implements GeoIPMatcher.
-func (mm *GeneralMultiGeoIPMatcher) Match(ip net.IP) bool {
+// Match implements IPMatcher.
+func (mm *GeneralMultiIPMatcher) Match(ip net.IP) bool {
 	for _, m := range mm.matchers {
 		if m.Match(ip) {
 			return true
@@ -319,8 +327,8 @@ func (mm *GeneralMultiGeoIPMatcher) Match(ip net.IP) bool {
 	return false
 }

-// AnyMatch implements GeoIPMatcher.
-func (mm *GeneralMultiGeoIPMatcher) AnyMatch(ips []net.IP) bool {
+// AnyMatch implements IPMatcher.
+func (mm *GeneralMultiIPMatcher) AnyMatch(ips []net.IP) bool {
 	for _, m := range mm.matchers {
 		if m.AnyMatch(ips) {
 			return true
@@ -329,8 +337,8 @@ func (mm *GeneralMultiGeoIPMatcher) AnyMatch(ips []net.IP) bool {
 	return false
 }

-// Matches implements GeoIPMatcher.
-func (mm *GeneralMultiGeoIPMatcher) Matches(ips []net.IP) bool {
+// Matches implements IPMatcher.
+func (mm *GeneralMultiIPMatcher) Matches(ips []net.IP) bool {
 	for _, m := range mm.matchers {
 		if m.Matches(ips) {
 			return true
@@ -339,8 +347,8 @@ func (mm *GeneralMultiGeoIPMatcher) Matches(ips []net.IP) bool {
 	return false
 }

-// FilterIPs implements GeoIPMatcher.
-func (mm *GeneralMultiGeoIPMatcher) FilterIPs(ips []net.IP) (matched []net.IP, unmatched []net.IP) {
+// FilterIPs implements IPMatcher.
+func (mm *GeneralMultiIPMatcher) FilterIPs(ips []net.IP) (matched []net.IP, unmatched []net.IP) {
 	matched = make([]net.IP, 0, len(ips))
 	unmatched = ips
 	for _, m := range mm.matchers {
@@ -356,26 +364,26 @@ func (mm *GeneralMultiGeoIPMatcher) FilterIPs(ips []net.IP) (matched []net.IP, u
 	return
 }

-// ToggleReverse implements GeoIPMatcher.
-func (mm *GeneralMultiGeoIPMatcher) ToggleReverse() {
+// ToggleReverse implements IPMatcher.
+func (mm *GeneralMultiIPMatcher) ToggleReverse() {
 	for _, m := range mm.matchers {
 		m.ToggleReverse()
 	}
 }

-// SetReverse implements GeoIPMatcher.
-func (mm *GeneralMultiGeoIPMatcher) SetReverse(reverse bool) {
+// SetReverse implements IPMatcher.
+func (mm *GeneralMultiIPMatcher) SetReverse(reverse bool) {
 	for _, m := range mm.matchers {
 		m.SetReverse(reverse)
 	}
 }

-type HeuristicMultiGeoIPMatcher struct {
-	matchers []*HeuristicGeoIPMatcher
+type HeuristicMultiIPMatcher struct {
+	matchers []*HeuristicIPMatcher
 }

-// Match implements GeoIPMatcher.
-func (mm *HeuristicMultiGeoIPMatcher) Match(ip net.IP) bool {
+// Match implements IPMatcher.
+func (mm *HeuristicMultiIPMatcher) Match(ip net.IP) bool {
 	ipx, ok := netipx.FromStdIP(ip)
 	if !ok {
 		return false
@@ -389,8 +397,8 @@ func (mm *HeuristicMultiGeoIPMatcher) Match(ip net.IP) bool {
 	return false
 }

-// AnyMatch implements GeoIPMatcher.
-func (mm *HeuristicMultiGeoIPMatcher) AnyMatch(ips []net.IP) bool {
+// AnyMatch implements IPMatcher.
+func (mm *HeuristicMultiIPMatcher) AnyMatch(ips []net.IP) bool {
 	n := len(ips)
 	if n == 0 {
 		return false
@@ -439,8 +447,8 @@ func (mm *HeuristicMultiGeoIPMatcher) AnyMatch(ips []net.IP) bool {
 	return false
 }

-// Matches implements GeoIPMatcher.
-func (mm *HeuristicMultiGeoIPMatcher) Matches(ips []net.IP) bool {
+// Matches implements IPMatcher.
+func (mm *HeuristicMultiIPMatcher) Matches(ips []net.IP) bool {
 	n := len(ips)
 	if n == 0 {
 		return false
@@ -503,7 +511,7 @@ type ipViews struct {
 	precise4, precise6 []netip.Addr
 }

-func (v *ipViews) ensureForMatcher(m *HeuristicGeoIPMatcher, ips []net.IP) bool {
+func (v *ipViews) ensureForMatcher(m *HeuristicIPMatcher, ips []net.IP) bool {
 	needHeur4 := m.ipset.max4 <= 24 && v.buckets4 == nil
 	needHeur6 := m.ipset.max6 <= 64 && v.buckets6 == nil
 	needPrec4 := m.ipset.max4 > 24 && v.precise4 == nil
@@ -581,8 +589,8 @@ func (v *ipViews) ensureForMatcher(m *HeuristicGeoIPMatcher, ips []net.IP) bool
 	return true
 }

-// FilterIPs implements GeoIPMatcher.
-func (mm *HeuristicMultiGeoIPMatcher) FilterIPs(ips []net.IP) (matched []net.IP, unmatched []net.IP) {
+// FilterIPs implements IPMatcher.
+func (mm *HeuristicMultiIPMatcher) FilterIPs(ips []net.IP) (matched []net.IP, unmatched []net.IP) {
 	n := len(ips)
 	if n == 0 {
 		return []net.IP{}, []net.IP{}
@@ -694,7 +702,7 @@ type ipBucketViews struct {
 	precise4, precise6 map[netip.Addr]net.IP
 }

-func (v *ipBucketViews) ensureForMatcher(m *HeuristicGeoIPMatcher, ips []net.IP) {
+func (v *ipBucketViews) ensureForMatcher(m *HeuristicIPMatcher, ips []net.IP) {
 	needHeur4 := m.ipset.max4 <= 24 && v.buckets4 == nil
 	needHeur6 := m.ipset.max6 <= 64 && v.buckets6 == nil
 	needPrec4 := m.ipset.max4 > 24 && v.precise4 == nil
@@ -782,70 +790,123 @@ func (v *ipBucketViews) ensureForMatcher(m *HeuristicGeoIPMatcher, ips []net.IP)
 	}
 }

-// ToggleReverse implements GeoIPMatcher.
-func (mm *HeuristicMultiGeoIPMatcher) ToggleReverse() {
+// ToggleReverse implements IPMatcher.
+func (mm *HeuristicMultiIPMatcher) ToggleReverse() {
 	for _, m := range mm.matchers {
 		m.ToggleReverse()
 	}
 }

-// SetReverse implements GeoIPMatcher.
-func (mm *HeuristicMultiGeoIPMatcher) SetReverse(reverse bool) {
+// SetReverse implements IPMatcher.
+func (mm *HeuristicMultiIPMatcher) SetReverse(reverse bool) {
 	for _, m := range mm.matchers {
 		m.SetReverse(reverse)
 	}
 }

-type GeoIPSetFactory struct {
+type IPSetFactory struct {
 	sync.Mutex
-	shared map[string]*GeoIPSet // TODO: cleanup
+	shared map[string]*IPSet // TODO: cleanup
 }

-var ipsetFactory = GeoIPSetFactory{shared: make(map[string]*GeoIPSet)}
+func (f *IPSetFactory) GetOrCreateFromGeoIPRules(rules []*GeoIPRule) (*IPSet, error) {
+	key := buildGeoIPRulesKey(rules)

-func (f *GeoIPSetFactory) GetOrCreate(key string, cidrGroups [][]*CIDR) (*GeoIPSet, error) {
 	f.Lock()
 	defer f.Unlock()

 	if ipset := f.shared[key]; ipset != nil {
+		errors.LogDebug(context.Background(), "geodata geoip matcher cache HIT ", key)
 		return ipset, nil
 	}
+	errors.LogDebug(context.Background(), "geodata geoip matcher cache MISS ", key)

-	ipset, err := f.Create(cidrGroups...)
+	ipset, err := f.createFrom(func(add func(*CIDR)) error {
+		for _, r := range rules {
+			cidrs, err := loadIP(r.File, r.Code)
+			if err != nil {
+				return err
+			}
+			for i, c := range cidrs {
+				add(c)
+				cidrs[i] = nil // peak mem
+			}
+		}
+		return nil
+	})
 	if err == nil {
 		f.shared[key] = ipset
 	}
 	return ipset, err
 }

-func (f *GeoIPSetFactory) Create(cidrGroups ...[]*CIDR) (*GeoIPSet, error) {
-	var ipv4Builder, ipv6Builder netipx.IPSetBuilder
+func buildGeoIPRulesKey(rules []*GeoIPRule) string {
+	rules = slices.Clone(rules)

-	for _, cidrGroup := range cidrGroups {
-		for i, cidrEntry := range cidrGroup {
-			cidrGroup[i] = nil
-			ipBytes := cidrEntry.GetIp()
-			prefixLen := int(cidrEntry.GetPrefix())
+	sort.Slice(rules, func(i, j int) bool {
+		ri, rj := rules[i], rules[j]
+		if ri.File != rj.File {
+			return ri.File < rj.File
+		}
+		return ri.Code < rj.Code
+	})

-			addr, ok := netip.AddrFromSlice(ipBytes)
-			if !ok {
-				errors.LogError(context.Background(), "ignore invalid IP byte slice: ", ipBytes)
-				continue
-			}
-
-			prefix := netip.PrefixFrom(addr, prefixLen)
-			if !prefix.IsValid() {
-				errors.LogError(context.Background(), "ignore created invalid prefix from addr ", addr, " and length ", prefixLen)
-				continue
-			}
-
-			if addr.Is4() {
-				ipv4Builder.AddPrefix(prefix)
-			} else if addr.Is6() {
-				ipv6Builder.AddPrefix(prefix)
-			}
+	var sb strings.Builder
+	sb.Grow(len(rules) * 20) // geoip.dat:xx,
+	var last *GeoIPRule
+	for i, r := range rules {
+		if i == 0 || (r.File != last.File || r.Code != last.Code) {
+			last = r
+			sb.WriteString(r.File)
+			sb.WriteString(":")
+			sb.WriteString(r.Code)
+			sb.WriteString(",")
 		}
 	}
+	return sb.String()
+}
+
+func (f *IPSetFactory) CreateFromCIDRs(cidrs []*CIDR) (*IPSet, error) {
+	return f.createFrom(func(add func(*CIDR)) error {
+		for _, c := range cidrs {
+			add(c)
+		}
+		return nil
+	})
+}
+
+func (f *IPSetFactory) createFrom(yield func(func(*CIDR)) error) (*IPSet, error) {
+	var ipv4Builder, ipv6Builder netipx.IPSetBuilder
+
+	err := yield(func(c *CIDR) {
+		ipBytes := c.GetIp()
+		prefixLen := int(c.GetPrefix())
+
+		addr, ok := netip.AddrFromSlice(ipBytes)
+		if !ok {
+			errors.LogError(context.Background(), "ignore invalid IP byte slice: ", ipBytes)
+			return
+		}
+
+		prefix := netip.PrefixFrom(addr, prefixLen)
+		if !prefix.IsValid() {
+			errors.LogError(context.Background(), "ignore created invalid prefix from addr ", addr, " and length ", prefixLen)
+			return
+		}
+
+		if addr.Is4() {
+			ipv4Builder.AddPrefix(prefix)
+		} else if addr.Is6() {
+			ipv6Builder.AddPrefix(prefix)
+		}
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	// peak mem
+	runtime.GC()
+	defer runtime.GC()

 	ipv4, err := ipv4Builder.IPSet()
 	if err != nil {
@@ -856,107 +917,106 @@ func (f *GeoIPSetFactory) Create(cidrGroups ...[]*CIDR) (*GeoIPSet, error) {
 		return nil, errors.New("failed to build IPv6 set").Base(err)
 	}

+	var has4, has6 bool
 	var max4, max6 int

 	for _, p := range ipv4.Prefixes() {
+		has4 = true
 		if b := p.Bits(); b > max4 {
 			max4 = b
 		}
 	}
 	for _, p := range ipv6.Prefixes() {
+		has6 = true
 		if b := p.Bits(); b > max6 {
 			max6 = b
 		}
 	}

-	if max4 == 0 {
+	if !has4 {
 		max4 = 0xff
+	} else if max4 == 0 {
+		max4 = 0xfe
 	}
-	if max6 == 0 {
+	if !has6 {
 		max6 = 0xff
+	} else if max6 == 0 {
+		max6 = 0xfe
 	}

-	return &GeoIPSet{ipv4: ipv4, ipv6: ipv6, max4: uint8(max4), max6: uint8(max6)}, nil
+	return &IPSet{ipv4: ipv4, ipv6: ipv6, max4: uint8(max4), max6: uint8(max6)}, nil
 }

-func BuildOptimizedGeoIPMatcher(geoips ...*GeoIP) (GeoIPMatcher, error) {
-	n := len(geoips)
-	if n == 0 {
-		return nil, errors.New("no geoip configs provided")
-	}
+func buildOptimizedIPMatcher(f *IPSetFactory, rules []*IPRule) (IPMatcher, error) {
+	n := len(rules)
+	posCustom := make([]*CIDR, 0, n)
+	negCustom := make([]*CIDR, 0, n)
+	posGeoip := make([]*GeoIPRule, 0, n)
+	negGeoip := make([]*GeoIPRule, 0, n)

-	var subs []*HeuristicGeoIPMatcher
-	pos := make([]*GeoIP, 0, n)
-	neg := make([]*GeoIP, 0, n/2)
-
-	for _, geoip := range geoips {
-		if geoip == nil {
-			return nil, errors.New("geoip entry is nil")
-		}
-		if geoip.CountryCode == "" {
-			ipset, err := ipsetFactory.Create(geoip.Cidr)
-			if err != nil {
-				return nil, err
+	for _, r := range rules {
+		switch v := r.Value.(type) {
+		case *IPRule_Custom:
+			if !v.Custom.ReverseMatch {
+				posCustom = append(posCustom, v.Custom.Cidr)
+			} else {
+				negCustom = append(negCustom, v.Custom.Cidr)
 			}
-			subs = append(subs, &HeuristicGeoIPMatcher{ipset: ipset, reverse: geoip.ReverseMatch})
-			continue
-		}
-		if !geoip.ReverseMatch {
-			pos = append(pos, geoip)
-		} else {
-			neg = append(neg, geoip)
-		}
-	}
-
-	buildIPSet := func(mergeables []*GeoIP) (*GeoIPSet, error) {
-		n := len(mergeables)
-		if n == 0 {
-			return nil, nil
-		}
-
-		sort.Slice(mergeables, func(i, j int) bool {
-			gi, gj := mergeables[i], mergeables[j]
-			return gi.CountryCode < gj.CountryCode
-		})
-
-		var sb strings.Builder
-		sb.Grow(n * 3) // xx,
-		cidrGroups := make([][]*CIDR, 0, n)
-		var last *GeoIP
-		for i, geoip := range mergeables {
-			if i == 0 || (geoip.CountryCode != last.CountryCode) {
-				last = geoip
-				sb.WriteString(geoip.CountryCode)
-				sb.WriteString(",")
-				cidrGroups = append(cidrGroups, geoip.Cidr)
+		case *IPRule_Geoip:
+			if !v.Geoip.ReverseMatch {
+				posGeoip = append(posGeoip, v.Geoip)
+			} else {
+				negGeoip = append(negGeoip, v.Geoip)
 			}
+		default:
+			panic("unknown ip rule type")
 		}
-
-		return ipsetFactory.GetOrCreate(sb.String(), cidrGroups)
 	}

-	ipset, err := buildIPSet(pos)
-	if err != nil {
-		return nil, err
-	}
-	if ipset != nil {
-		subs = append(subs, &HeuristicGeoIPMatcher{ipset: ipset, reverse: false})
+	subs := make([]*HeuristicIPMatcher, 0, 4)
+
+	if len(posCustom) > 0 {
+		ipset, err := f.CreateFromCIDRs(posCustom)
+		if err != nil {
+			return nil, err
+		}
+		subs = append(subs, &HeuristicIPMatcher{ipset: ipset, reverse: false})
 	}

-	ipset, err = buildIPSet(neg)
-	if err != nil {
-		return nil, err
+	if len(negCustom) > 0 {
+		ipset, err := f.CreateFromCIDRs(negCustom)
+		if err != nil {
+			return nil, err
+		}
+		subs = append(subs, &HeuristicIPMatcher{ipset: ipset, reverse: true})
 	}
-	if ipset != nil {
-		subs = append(subs, &HeuristicGeoIPMatcher{ipset: ipset, reverse: true})
+
+	if len(posGeoip) > 0 {
+		ipset, err := f.GetOrCreateFromGeoIPRules(posGeoip)
+		if err != nil {
+			return nil, err
+		}
+		subs = append(subs, &HeuristicIPMatcher{ipset: ipset, reverse: false})
+	}
+
+	if len(negGeoip) > 0 {
+		ipset, err := f.GetOrCreateFromGeoIPRules(negGeoip)
+		if err != nil {
+			return nil, err
+		}
+		subs = append(subs, &HeuristicIPMatcher{ipset: ipset, reverse: true})
 	}

 	switch len(subs) {
 	case 0:
-		return nil, errors.New("no valid geoip matcher")
+		return nil, errors.New("no valid ip matcher")
 	case 1:
 		return subs[0], nil
 	default:
-		return &HeuristicMultiGeoIPMatcher{matchers: subs}, nil
+		return &HeuristicMultiIPMatcher{matchers: subs}, nil
 	}
 }
+
+func newIPSetFactory() *IPSetFactory {
+	return &IPSetFactory{shared: make(map[string]*IPSet)}
+}
--- a/common/geodata/ip_matcher_test.go
+++ b/common/geodata/ip_matcher_test.go
@@ -0,0 +1,437 @@
+package geodata
+
+import (
+	"net"
+	"path/filepath"
+	"reflect"
+	"slices"
+	"testing"
+
+	"github.com/xtls/xray-core/common"
+	xnet "github.com/xtls/xray-core/common/net"
+)
+
+func buildIPMatcher(rawRules ...string) IPMatcher {
+	rules, err := ParseIPRules(rawRules)
+	common.Must(err)
+
+	matcher, err := newIPRegistry().BuildIPMatcher(rules)
+	common.Must(err)
+
+	return matcher
+}
+
+func sortIPStrings(ips []net.IP) []string {
+	output := make([]string, 0, len(ips))
+	for _, ip := range ips {
+		output = append(output, ip.String())
+	}
+	slices.Sort(output)
+	return output
+}
+
+func TestIPMatcher(t *testing.T) {
+	matcher := buildIPMatcher(
+		"0.0.0.0/8",
+		"10.0.0.0/8",
+		"100.64.0.0/10",
+		"127.0.0.0/8",
+		"169.254.0.0/16",
+		"172.16.0.0/12",
+		"192.0.0.0/24",
+		"192.0.2.0/24",
+		"192.168.0.0/16",
+		"192.18.0.0/15",
+		"198.51.100.0/24",
+		"203.0.113.0/24",
+		"8.8.8.8/32",
+		"91.108.4.0/16",
+	)
+
+	testCases := []struct {
+		Input  string
+		Output bool
+	}{
+		{
+			Input:  "192.168.1.1",
+			Output: true,
+		},
+		{
+			Input:  "192.0.0.0",
+			Output: true,
+		},
+		{
+			Input:  "192.0.1.0",
+			Output: false,
+		},
+		{
+			Input:  "0.1.0.0",
+			Output: true,
+		},
+		{
+			Input:  "1.0.0.1",
+			Output: false,
+		},
+		{
+			Input:  "8.8.8.7",
+			Output: false,
+		},
+		{
+			Input:  "8.8.8.8",
+			Output: true,
+		},
+		{
+			Input:  "2001:cdba::3257:9652",
+			Output: false,
+		},
+		{
+			Input:  "91.108.255.254",
+			Output: true,
+		},
+	}
+
+	for _, test := range testCases {
+		if v := matcher.Match(xnet.ParseAddress(test.Input).IP()); v != test.Output {
+			t.Error("unexpected output: ", v, " for test case ", test)
+		}
+	}
+}
+
+func TestIPMatcherFullCIDR4(t *testing.T) {
+	matcher := buildIPMatcher(
+		"0.0.0.0/0",
+	)
+
+	testCases := []struct {
+		Input  string
+		Output bool
+	}{
+		{
+			Input:  "192.168.1.1",
+			Output: true,
+		},
+		{
+			Input:  "0.0.0.0",
+			Output: true,
+		},
+		{
+			Input:  "255.255.255.255",
+			Output: true,
+		},
+		{
+			Input:  "2001:cdba::3257:9652",
+			Output: false,
+		},
+		{
+			Input:  "::0",
+			Output: false,
+		},
+		{
+			Input:  "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
+			Output: false,
+		},
+	}
+
+	for _, test := range testCases {
+		if v := matcher.Match(xnet.ParseAddress(test.Input).IP()); v != test.Output {
+			t.Error("unexpected output: ", v, " for test case ", test)
+		}
+	}
+}
+
+func TestIPMatcherFullCIDR6(t *testing.T) {
+	matcher := buildIPMatcher(
+		"::0/0",
+	)
+
+	testCases := []struct {
+		Input  string
+		Output bool
+	}{
+		{
+			Input:  "192.168.1.1",
+			Output: false,
+		},
+		{
+			Input:  "0.0.0.0",
+			Output: false,
+		},
+		{
+			Input:  "255.255.255.255",
+			Output: false,
+		},
+		{
+			Input:  "2001:cdba::3257:9652",
+			Output: true,
+		},
+		{
+			Input:  "::0",
+			Output: true,
+		},
+		{
+			Input:  "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
+			Output: true,
+		},
+	}
+
+	for _, test := range testCases {
+		if v := matcher.Match(xnet.ParseAddress(test.Input).IP()); v != test.Output {
+			t.Error("unexpected output: ", v, " for test case ", test)
+		}
+	}
+}
+
+func TestIPMatcherRegression(t *testing.T) {
+	matcher := buildIPMatcher(
+		"98.108.20.0/22",
+		"98.108.20.0/23",
+	)
+
+	testCases := []struct {
+		Input  string
+		Output bool
+	}{
+		{
+			Input:  "98.108.22.11",
+			Output: true,
+		},
+		{
+			Input:  "98.108.25.0",
+			Output: false,
+		},
+	}
+
+	for _, test := range testCases {
+		if v := matcher.Match(xnet.ParseAddress(test.Input).IP()); v != test.Output {
+			t.Error("unexpected output: ", v, " for test case ", test)
+		}
+	}
+}
+
+func TestIPReverseMatcher(t *testing.T) {
+	matcher := buildIPMatcher(
+		"8.8.8.8/32",
+		"91.108.4.0/16",
+	)
+	matcher.SetReverse(true)
+
+	testCases := []struct {
+		Input  string
+		Output bool
+	}{
+		{
+			Input:  "8.8.8.8",
+			Output: false,
+		},
+		{
+			Input:  "2001:cdba::3257:9652",
+			Output: false,
+		},
+		{
+			Input:  "91.108.255.254",
+			Output: false,
+		},
+	}
+
+	for _, test := range testCases {
+		if v := matcher.Match(xnet.ParseAddress(test.Input).IP()); v != test.Output {
+			t.Error("unexpected output: ", v, " for test case ", test)
+		}
+	}
+}
+
+func TestIPReverseMatcher2(t *testing.T) {
+	matcher := buildIPMatcher(
+		"8.8.8.8/32",
+		"91.108.4.0/16",
+		"fe80::", // Keep IPv6 family non-empty so reverse matching can evaluate IPv6 input.
+	)
+	matcher.SetReverse(true)
+
+	testCases := []struct {
+		Input  string
+		Output bool
+	}{
+		{
+			Input:  "8.8.8.8",
+			Output: false,
+		},
+		{
+			Input:  "2001:cdba::3257:9652",
+			Output: true,
+		},
+		{
+			Input:  "91.108.255.254",
+			Output: false,
+		},
+	}
+
+	for _, test := range testCases {
+		if v := matcher.Match(xnet.ParseAddress(test.Input).IP()); v != test.Output {
+			t.Error("unexpected output: ", v, " for test case ", test)
+		}
+	}
+}
+
+func TestIPCustomReverseMatcher(t *testing.T) {
+	matcher := buildIPMatcher("!8.8.8.8/32")
+
+	testCases := []struct {
+		Input  string
+		Output bool
+	}{
+		{
+			Input:  "8.8.8.8",
+			Output: false,
+		},
+		{
+			Input:  "1.1.1.1",
+			Output: true,
+		},
+		{
+			Input:  "2001:cdba::3257:9652",
+			Output: false,
+		},
+	}
+
+	for _, test := range testCases {
+		if v := matcher.Match(xnet.ParseAddress(test.Input).IP()); v != test.Output {
+			t.Error("unexpected output: ", v, " for test case ", test)
+		}
+	}
+}
+
+func TestIPMatcherAnyMatchAndMatches(t *testing.T) {
+	matcher := buildIPMatcher(
+		"8.8.8.8/32",
+		"2001:4860:4860::8888/128",
+	)
+	ip := func(raw string) net.IP {
+		return xnet.ParseAddress(raw).IP()
+	}
+
+	if matcher.AnyMatch(nil) {
+		t.Fatal("expect AnyMatch(nil) to be false")
+	}
+
+	if !matcher.AnyMatch([]net.IP{
+		net.IP{},
+		ip("1.1.1.1"),
+		ip("8.8.8.8"),
+	}) {
+		t.Fatal("expect AnyMatch to ignore invalid IPs and return true when one valid IP matches")
+	}
+
+	if matcher.AnyMatch([]net.IP{
+		ip("1.1.1.1"),
+		ip("2001:db8::1"),
+	}) {
+		t.Fatal("expect AnyMatch to be false when no valid IP matches")
+	}
+
+	if !matcher.Matches([]net.IP{
+		ip("8.8.8.8"),
+		ip("2001:4860:4860::8888"),
+	}) {
+		t.Fatal("expect Matches to be true when all valid IPs match")
+	}
+
+	if matcher.Matches([]net.IP{
+		ip("8.8.8.8"),
+		ip("1.1.1.1"),
+	}) {
+		t.Fatal("expect Matches to be false when one valid IP does not match")
+	}
+
+	if matcher.Matches([]net.IP{
+		ip("8.8.8.8"),
+		net.IP{},
+	}) {
+		t.Fatal("expect Matches to be false when any IP is invalid")
+	}
+}
+
+func TestIPMatcherFilterIPs(t *testing.T) {
+	matcher := buildIPMatcher(
+		"8.8.8.8/32",
+		"91.108.4.0/16",
+		"2001:4860:4860::8888/128",
+	)
+	ip := func(raw string) net.IP {
+		return xnet.ParseAddress(raw).IP()
+	}
+
+	matched, unmatched := matcher.FilterIPs([]net.IP{
+		net.IP{},
+		ip("8.8.8.8"),
+		ip("91.108.255.254"),
+		ip("1.1.1.1"),
+		ip("2001:4860:4860::8888"),
+		ip("2001:db8::1"),
+	})
+
+	wantMatched := []string{
+		"2001:4860:4860::8888",
+		"8.8.8.8",
+		"91.108.255.254",
+	}
+	slices.Sort(wantMatched)
+	if v := sortIPStrings(matched); !reflect.DeepEqual(v, wantMatched) {
+		t.Error("unexpected output: ", v, " want ", wantMatched)
+	}
+
+	wantUnmatched := []string{
+		"1.1.1.1",
+		"2001:db8::1",
+	}
+	slices.Sort(wantUnmatched)
+	if v := sortIPStrings(unmatched); !reflect.DeepEqual(v, wantUnmatched) {
+		t.Error("unexpected output: ", v, " want ", wantUnmatched)
+	}
+}
+
+func TestIPMatcher4CN(t *testing.T) {
+	t.Setenv("xray.location.asset", filepath.Join("..", "..", "resources"))
+
+	matcher := buildIPMatcher("geoip:cn")
+
+	if matcher.Match([]byte{8, 8, 8, 8}) {
+		t.Error("expect CN geoip doesn't contain 8.8.8.8, but actually does")
+	}
+}
+
+func TestIPMatcher6US(t *testing.T) {
+	t.Setenv("xray.location.asset", filepath.Join("..", "..", "resources"))
+
+	matcher := buildIPMatcher("geoip:us")
+
+	if !matcher.Match(xnet.ParseAddress("2001:4860:4860::8888").IP()) {
+		t.Error("expect US geoip contain 2001:4860:4860::8888, but actually not")
+	}
+}
+
+func BenchmarkIPMatcher4CN(b *testing.B) {
+	b.Setenv("xray.location.asset", filepath.Join("..", "..", "resources"))
+
+	matcher := buildIPMatcher("geoip:cn")
+	ip := net.IP{8, 8, 8, 8}
+
+	b.ResetTimer()
+
+	for i := 0; i < b.N; i++ {
+		_ = matcher.Match(ip)
+	}
+}
+
+func BenchmarkIPMatcher6US(b *testing.B) {
+	b.Setenv("xray.location.asset", filepath.Join("..", "..", "resources"))
+
+	matcher := buildIPMatcher("geoip:us")
+	ip := xnet.ParseAddress("2001:4860:4860::8888").IP()
+
+	b.ResetTimer()
+
+	for i := 0; i < b.N; i++ {
+		_ = matcher.Match(ip)
+	}
+}
--- a/common/geodata/ip_registry.go
+++ b/common/geodata/ip_registry.go
@@ -0,0 +1,135 @@
+package geodata
+
+import (
+	"context"
+	"sync"
+	"sync/atomic"
+
+	"github.com/xtls/xray-core/common/errors"
+	"github.com/xtls/xray-core/common/net"
+)
+
+type IPRegistry struct {
+	mu           sync.Mutex
+	ipsetFactory *IPSetFactory
+	matchers     []*DynamicIPMatcher
+}
+
+func (r *IPRegistry) BuildIPMatcher(rules []*IPRule) (IPMatcher, error) {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	m, err := buildOptimizedIPMatcher(r.ipsetFactory, rules)
+	if err != nil {
+		return nil, err
+	}
+
+	d := NewDynamicIPMatcher(rules, m)
+	r.matchers = append(r.matchers, d)
+	return d, nil
+}
+
+func (r *IPRegistry) Reload() error {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	errors.LogInfo(context.Background(), "reloading GeoIP data for ", len(r.matchers), " IP matcher(s)")
+
+	factory := newIPSetFactory()
+	type reloadEntry struct {
+		dynamic *DynamicIPMatcher
+		matcher IPMatcher
+	}
+	reloaded := make([]reloadEntry, len(r.matchers))
+	for i, d := range r.matchers {
+		m, err := buildOptimizedIPMatcher(factory, d.rules)
+		if err != nil {
+			errors.LogErrorInner(context.Background(), err, "failed to reload GeoIP data for IP matcher ", i)
+			return err
+		}
+		reloaded[i] = reloadEntry{dynamic: d, matcher: m}
+	}
+	for _, entry := range reloaded {
+		entry.dynamic.Reload(entry.matcher)
+	}
+	r.ipsetFactory = factory
+	errors.LogInfo(context.Background(), "reloaded GeoIP data for ", len(r.matchers), " IP matcher(s)")
+	return nil
+}
+
+func newIPRegistry() *IPRegistry {
+	return &IPRegistry{
+		ipsetFactory: newIPSetFactory(),
+	}
+}
+
+var IPReg = newIPRegistry()
+
+type ipMatcherState struct {
+	matcher IPMatcher
+}
+
+type DynamicIPMatcher struct {
+	rules      []*IPRule
+	state      atomic.Pointer[ipMatcherState]
+	mu         sync.Mutex
+	reverse    bool
+	reverseSet bool
+}
+
+// Match implements IPMatcher.
+func (d *DynamicIPMatcher) Match(ip net.IP) bool {
+	return d.state.Load().matcher.Match(ip)
+}
+
+// AnyMatch implements IPMatcher.
+func (d *DynamicIPMatcher) AnyMatch(ips []net.IP) bool {
+	return d.state.Load().matcher.AnyMatch(ips)
+}
+
+// Matches implements IPMatcher.
+func (d *DynamicIPMatcher) Matches(ips []net.IP) bool {
+	return d.state.Load().matcher.Matches(ips)
+}
+
+// FilterIPs implements IPMatcher.
+func (d *DynamicIPMatcher) FilterIPs(ips []net.IP) (matched []net.IP, unmatched []net.IP) {
+	return d.state.Load().matcher.FilterIPs(ips)
+}
+
+// ToggleReverse implements IPMatcher.
+func (d *DynamicIPMatcher) ToggleReverse() {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+
+	d.reverse = !d.reverse
+	d.state.Load().matcher.ToggleReverse()
+}
+
+// SetReverse implements IPMatcher.
+func (d *DynamicIPMatcher) SetReverse(reverse bool) {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+
+	d.reverse = reverse
+	d.reverseSet = true
+	d.state.Load().matcher.SetReverse(reverse)
+}
+
+func (d *DynamicIPMatcher) Reload(newMatcher IPMatcher) {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+
+	if d.reverseSet {
+		newMatcher.SetReverse(d.reverse)
+	} else if d.reverse {
+		newMatcher.ToggleReverse()
+	}
+	d.state.Store(&ipMatcherState{matcher: newMatcher})
+}
+
+func NewDynamicIPMatcher(rules []*IPRule, matcher IPMatcher) *DynamicIPMatcher {
+	d := &DynamicIPMatcher{rules: rules}
+	d.Reload(matcher)
+	return d
+}
--- a/common/geodata/rule_parser.go
+++ b/common/geodata/rule_parser.go
@@ -0,0 +1,265 @@
+package geodata
+
+import (
+	"strconv"
+	"strings"
+
+	"github.com/xtls/xray-core/common/errors"
+	"github.com/xtls/xray-core/common/net"
+)
+
+const (
+	DefaultGeoIPDat   = "geoip.dat"
+	DefaultGeoSiteDat = "geosite.dat"
+)
+
+func ParseIPRules(rules []string) ([]*IPRule, error) {
+	var ipRules []*IPRule
+
+	for i, r := range rules {
+		r, reverse := cutReversePrefix(r)
+
+		if strings.HasPrefix(r, "geoip:") {
+			r = "ext:" + DefaultGeoIPDat + ":" + r[len("geoip:"):]
+		}
+
+		prefix := 0
+		for _, ext := range [...]string{"ext:", "ext-ip:"} {
+			if strings.HasPrefix(r, ext) {
+				prefix = len(ext)
+				break
+			}
+		}
+
+		var rule isIPRule_Value
+		var err error
+		if prefix > 0 {
+			rule, err = parseGeoIPRule(r[prefix:], reverse)
+		} else {
+			rule, err = parseCustomIPRule(r, reverse)
+		}
+		if err != nil {
+			return nil, errors.New("illegal ip rule: ", rules[i]).Base(err)
+		}
+		ipRules = append(ipRules, &IPRule{Value: rule})
+	}
+
+	return ipRules, nil
+}
+
+func cutReversePrefix(s string) (string, bool) {
+	reverse := false
+	for strings.HasPrefix(s, "!") {
+		s = s[1:]
+		reverse = !reverse
+	}
+	return s, reverse
+}
+
+func parseGeoIPRule(rule string, reverse bool) (*IPRule_Geoip, error) {
+	file, code, ok := strings.Cut(rule, ":")
+	if !ok {
+		return nil, errors.New("syntax error")
+	}
+
+	if file == "" {
+		return nil, errors.New("empty file")
+	}
+
+	code, codeReverse := cutReversePrefix(code)
+	reverse = reverse != codeReverse
+	if code == "" {
+		return nil, errors.New("empty code")
+	}
+	code = strings.ToUpper(code)
+
+	if err := checkFile(file, code); err != nil {
+		return nil, err
+	}
+
+	return &IPRule_Geoip{
+		Geoip: &GeoIPRule{
+			File:         file,
+			Code:         code,
+			ReverseMatch: reverse,
+		},
+	}, nil
+}
+
+func parseCustomIPRule(rule string, reverse bool) (*IPRule_Custom, error) {
+	cidr, err := parseCIDR(rule)
+	if err != nil {
+		return nil, err
+	}
+	return &IPRule_Custom{
+		Custom: &CIDRRule{
+			Cidr:         cidr,
+			ReverseMatch: reverse,
+		},
+	}, nil
+}
+
+func parseCIDR(s string) (*CIDR, error) {
+	ipStr, prefixStr, _ := strings.Cut(s, "/")
+
+	ipAddr := net.ParseAddress(ipStr)
+
+	var maxPrefix uint32
+	switch ipAddr.Family() {
+	case net.AddressFamilyIPv4:
+		maxPrefix = 32
+	case net.AddressFamilyIPv6:
+		maxPrefix = 128
+	default:
+		return nil, errors.New("unsupported address family")
+	}
+
+	prefixBits := maxPrefix
+	if prefixStr != "" {
+		parsedPrefix, err := strconv.ParseUint(prefixStr, 10, 32)
+		if err != nil {
+			return nil, errors.New("invalid CIDR prefix length: ", prefixStr).Base(err)
+		}
+		prefixBits = uint32(parsedPrefix)
+	}
+	if prefixBits > maxPrefix {
+		return nil, errors.New("CIDR prefix length ", prefixBits, " exceeds max ", maxPrefix)
+	}
+
+	return &CIDR{
+		Ip:     []byte(ipAddr.IP()),
+		Prefix: prefixBits,
+	}, nil
+}
+
+func ParseDomainRule(r string, defaultType Domain_Type) (*DomainRule, error) {
+	if strings.HasPrefix(r, "geosite:") {
+		r = "ext:" + DefaultGeoSiteDat + ":" + r[len("geosite:"):]
+	}
+
+	prefix := 0
+	for _, ext := range [...]string{"ext:", "ext-domain:"} {
+		if strings.HasPrefix(r, ext) {
+			prefix = len(ext)
+			break
+		}
+	}
+
+	var rule isDomainRule_Value
+	var err error
+	if prefix > 0 {
+		rule, err = parseGeoSiteRule(r[prefix:])
+	} else {
+		rule, err = parseCustomDomainRule(r, defaultType)
+	}
+	if err != nil {
+		return nil, errors.New("illegal domain rule: ", r).Base(err)
+	}
+	return &DomainRule{Value: rule}, nil
+}
+
+func ParseDomainRules(rules []string, defaultType Domain_Type) ([]*DomainRule, error) {
+	var domainRules []*DomainRule
+
+	for i, r := range rules {
+		if strings.HasPrefix(r, "geosite:") {
+			r = "ext:" + DefaultGeoSiteDat + ":" + r[len("geosite:"):]
+		}
+
+		prefix := 0
+		for _, ext := range [...]string{"ext:", "ext-domain:"} {
+			if strings.HasPrefix(r, ext) {
+				prefix = len(ext)
+				break
+			}
+		}
+
+		var rule isDomainRule_Value
+		var err error
+		if prefix > 0 {
+			rule, err = parseGeoSiteRule(r[prefix:])
+		} else {
+			rule, err = parseCustomDomainRule(r, defaultType)
+		}
+		if err != nil {
+			return nil, errors.New("illegal domain rule: ", rules[i]).Base(err)
+		}
+		domainRules = append(domainRules, &DomainRule{Value: rule})
+	}
+
+	return domainRules, nil
+}
+
+func parseGeoSiteRule(rule string) (*DomainRule_Geosite, error) {
+	file, codeWithAttrs, ok := strings.Cut(rule, ":")
+	if !ok {
+		return nil, errors.New("syntax error")
+	}
+
+	if file == "" {
+		return nil, errors.New("empty file")
+	}
+
+	if strings.HasSuffix(codeWithAttrs, "@") || strings.Contains(codeWithAttrs, "@@") {
+		return nil, errors.New("empty attr")
+	}
+	code, attrs, _ := strings.Cut(codeWithAttrs, "@")
+
+	if code == "" {
+		return nil, errors.New("empty code")
+	}
+	code = strings.ToUpper(code)
+
+	if err := checkFile(file, code); err != nil {
+		return nil, err
+	}
+
+	return &DomainRule_Geosite{
+		Geosite: &GeoSiteRule{
+			File:  file,
+			Code:  code,
+			Attrs: strings.ToLower(attrs),
+		},
+	}, nil
+}
+
+func parseCustomDomainRule(rule string, defaultType Domain_Type) (*DomainRule_Custom, error) {
+	domain := new(Domain)
+
+	switch {
+	case strings.HasPrefix(rule, "regexp:"):
+		domain.Type = Domain_Regex
+		domain.Value = rule[7:]
+
+	case strings.HasPrefix(rule, "domain:"):
+		domain.Type = Domain_Domain
+		domain.Value = rule[7:]
+
+	case strings.HasPrefix(rule, "full:"):
+		domain.Type = Domain_Full
+		domain.Value = rule[5:]
+
+	case strings.HasPrefix(rule, "keyword:"):
+		domain.Type = Domain_Substr
+		domain.Value = rule[8:]
+
+	case strings.HasPrefix(rule, "dotless:"):
+		domain.Type = Domain_Regex
+		switch substr := rule[8:]; {
+		case substr == "":
+			domain.Value = "^[^.]*$"
+		case !strings.Contains(substr, "."):
+			domain.Value = "^[^.]*" + substr + "[^.]*$"
+		default:
+			return nil, errors.New("substr in dotless rule should not contain a dot")
+		}
+
+	default:
+		domain.Type = defaultType
+		domain.Value = rule
+	}
+
+	return &DomainRule_Custom{
+		Custom: domain,
+	}, nil
+}
--- a/common/geodata/rule_parser_test.go
+++ b/common/geodata/rule_parser_test.go
@@ -0,0 +1,106 @@
+package geodata_test
+
+import (
+	"path/filepath"
+	"testing"
+
+	"github.com/xtls/xray-core/common/geodata"
+)
+
+func TestParseIPRules(t *testing.T) {
+	t.Setenv("xray.location.asset", filepath.Join("..", "..", "resources"))
+
+	rules := []string{
+		"geoip:us",
+		"geoip:cn",
+		"!geoip:cn",
+		"!!geoip:cn",
+		"geoip:!cn",
+		"geoip:!!cn",
+		"!geoip:!cn",
+		"ext:geoip.dat:!cn",
+		"ext:geoip.dat:!!cn",
+		"ext:geoip.dat:ca",
+		"ext-ip:geoip.dat:!cn",
+		"ext-ip:geoip.dat:!ca",
+		"192.168.0.0/24",
+		"!192.168.0.0/24",
+		"!!192.168.0.0/24",
+		"!!!192.168.0.0/24",
+		"192.168.0.1",
+		"fe80::/64",
+		"fe80::",
+	}
+
+	_, err := geodata.ParseIPRules(rules)
+	if err != nil {
+		t.Fatalf("Failed to parse ip rules, got %s", err)
+	}
+}
+
+func TestParseIPRuleReverse(t *testing.T) {
+	t.Setenv("xray.location.asset", filepath.Join("..", "..", "resources"))
+
+	for _, tt := range []struct {
+		rule    string
+		reverse bool
+	}{
+		{rule: "!192.168.0.0/24", reverse: true},
+		{rule: "!!192.168.0.0/24", reverse: false},
+		{rule: "!!!192.168.0.0/24", reverse: true},
+		{rule: "!!!!192.168.0.0/24", reverse: false},
+		{rule: "geoip:cn", reverse: false},
+		{rule: "!geoip:cn", reverse: true},
+		{rule: "!!geoip:cn", reverse: false},
+		{rule: "geoip:!cn", reverse: true},
+		{rule: "geoip:!!cn", reverse: false},
+		{rule: "!geoip:!cn", reverse: false},
+		{rule: "!!geoip:!cn", reverse: true},
+		{rule: "!geoip:!!cn", reverse: true},
+		{rule: "ext:geoip.dat:!!!cn", reverse: true},
+	} {
+		t.Run(tt.rule, func(t *testing.T) {
+			rules, err := geodata.ParseIPRules([]string{tt.rule})
+			if err != nil {
+				t.Fatalf("Failed to parse ip rules, got %s", err)
+			}
+
+			if len(rules) != 1 {
+				t.Fatalf("Expected 1 rule, got %d", len(rules))
+			}
+
+			switch rule := rules[0]; {
+			case rule.GetGeoip() != nil:
+				if rule.GetGeoip().GetReverseMatch() != tt.reverse {
+					t.Fatalf("Expected geoip reverse match to be %t", tt.reverse)
+				}
+			case rule.GetCustom() != nil:
+				if rule.GetCustom().GetReverseMatch() != tt.reverse {
+					t.Fatalf("Expected custom reverse match to be %t", tt.reverse)
+				}
+			default:
+				t.Fatal("Expected ip rule")
+			}
+		})
+	}
+}
+
+func TestParseDomainRules(t *testing.T) {
+	t.Setenv("xray.location.asset", filepath.Join("..", "..", "resources"))
+
+	rules := []string{
+		"geosite:cn",
+		"geosite:geolocation-!cn",
+		"geosite:cn@!cn",
+		"ext:geosite.dat:geolocation-!cn",
+		"ext:geosite.dat:cn@!cn",
+		"ext-site:geosite.dat:geolocation-!cn",
+		"ext-site:geosite.dat:cn@!cn",
+		"domain:google.com",
+	}
+
+	_, err := geodata.ParseDomainRules(rules, geodata.Domain_Domain)
+	if err != nil {
+		t.Fatalf("Failed to parse domain rules, got %s", err)
+	}
+}
--- a/common/geodata/strmatcher/anymatcher_linear.go
+++ b/common/geodata/strmatcher/anymatcher_linear.go
@@ -0,0 +1,53 @@
+package strmatcher
+
+// LinearAnyMatcher is an implementation of AnyMatcher.
+type LinearAnyMatcher struct {
+	full   *FullMatcherSet
+	domain *DomainMatcherSet
+	substr *SubstrMatcherSet
+	regex  *SimpleMatcherSet
+}
+
+func NewLinearAnyMatcher() *LinearAnyMatcher {
+	return new(LinearAnyMatcher)
+}
+
+// Add implements AnyMatcher.Add.
+func (s *LinearAnyMatcher) Add(matcher Matcher) {
+	switch matcher := matcher.(type) {
+	case FullMatcher:
+		if s.full == nil {
+			s.full = NewFullMatcherSet()
+		}
+		s.full.AddFullMatcher(matcher)
+	case DomainMatcher:
+		if s.domain == nil {
+			s.domain = NewDomainMatcherSet()
+		}
+		s.domain.AddDomainMatcher(matcher)
+	case SubstrMatcher:
+		if s.substr == nil {
+			s.substr = new(SubstrMatcherSet)
+		}
+		s.substr.AddSubstrMatcher(matcher)
+	default:
+		if s.regex == nil {
+			s.regex = new(SimpleMatcherSet)
+		}
+		s.regex.AddMatcher(matcher)
+	}
+}
+
+// MatchAny implements AnyMatcher.MatchAny.
+func (s *LinearAnyMatcher) MatchAny(input string) bool {
+	if s.full != nil && s.full.MatchAny(input) {
+		return true
+	}
+	if s.domain != nil && s.domain.MatchAny(input) {
+		return true
+	}
+	if s.substr != nil && s.substr.MatchAny(input) {
+		return true
+	}
+	return s.regex != nil && s.regex.MatchAny(input)
+}
--- a/common/geodata/strmatcher/benchmark_indexmatcher_test.go
+++ b/common/geodata/strmatcher/benchmark_indexmatcher_test.go
@@ -0,0 +1,58 @@
+package strmatcher_test
+
+import (
+	"testing"
+
+	. "github.com/xtls/xray-core/common/geodata/strmatcher"
+)
+
+func BenchmarkLinearIndexMatcher(b *testing.B) {
+	benchmarkIndexMatcher(b, func() IndexMatcher {
+		return NewLinearIndexMatcher()
+	})
+}
+
+func BenchmarkMphIndexMatcher(b *testing.B) {
+	benchmarkIndexMatcher(b, func() IndexMatcher {
+		return NewMphIndexMatcher()
+	})
+}
+
+func benchmarkIndexMatcher(b *testing.B, ctor func() IndexMatcher) {
+	b.Run("Match", func(b *testing.B) {
+		b.Run("Domain------------", func(b *testing.B) {
+			benchmarkMatch(b, ctor(), map[Type]bool{Domain: true})
+		})
+		b.Run("Domain+Full-------", func(b *testing.B) {
+			benchmarkMatch(b, ctor(), map[Type]bool{Domain: true, Full: true})
+		})
+		b.Run("Domain+Full+Substr", func(b *testing.B) {
+			benchmarkMatch(b, ctor(), map[Type]bool{Domain: true, Full: true, Substr: true})
+		})
+		b.Run("All-Fail----------", func(b *testing.B) {
+			benchmarkMatch(b, ctor(), map[Type]bool{Domain: false, Full: false, Substr: false})
+		})
+	})
+	b.Run("Match/Dotless", func(b *testing.B) { // Dotless domain matcher automatically inserted in DNS app when "localhost" DNS is used.
+		b.Run("All-Succ", func(b *testing.B) {
+			benchmarkMatch(b, ctor(), map[Type]bool{Domain: true, Full: true, Substr: true, Regex: true})
+		})
+		b.Run("All-Fail", func(b *testing.B) {
+			benchmarkMatch(b, ctor(), map[Type]bool{Domain: false, Full: false, Substr: false, Regex: false})
+		})
+	})
+	b.Run("MatchAny", func(b *testing.B) {
+		b.Run("First-Full--", func(b *testing.B) {
+			benchmarkMatchAny(b, ctor(), map[Type]bool{Full: true, Domain: true, Substr: true})
+		})
+		b.Run("First-Domain", func(b *testing.B) {
+			benchmarkMatchAny(b, ctor(), map[Type]bool{Full: false, Domain: true, Substr: true})
+		})
+		b.Run("First-Substr", func(b *testing.B) {
+			benchmarkMatchAny(b, ctor(), map[Type]bool{Full: false, Domain: false, Substr: true})
+		})
+		b.Run("All-Fail----", func(b *testing.B) {
+			benchmarkMatchAny(b, ctor(), map[Type]bool{Full: false, Domain: false, Substr: false})
+		})
+	})
+}
--- a/common/geodata/strmatcher/benchmark_matchers_test.go
+++ b/common/geodata/strmatcher/benchmark_matchers_test.go
@@ -0,0 +1,149 @@
+package strmatcher_test
+
+import (
+	"strconv"
+	"testing"
+
+	"github.com/xtls/xray-core/common"
+	. "github.com/xtls/xray-core/common/geodata/strmatcher"
+)
+
+func BenchmarkFullMatcher(b *testing.B) {
+	b.Run("SimpleMatcherGroup------", func(b *testing.B) {
+		benchmarkMatcherType(b, Full, func() MatcherGroup {
+			return new(SimpleMatcherGroup)
+		})
+	})
+	b.Run("FullMatcherGroup--------", func(b *testing.B) {
+		benchmarkMatcherType(b, Full, func() MatcherGroup {
+			return NewFullMatcherGroup()
+		})
+	})
+	b.Run("ACAutomationMatcherGroup", func(b *testing.B) {
+		benchmarkMatcherType(b, Full, func() MatcherGroup {
+			return NewACAutomatonMatcherGroup()
+		})
+	})
+	b.Run("MphMatcherGroup---------", func(b *testing.B) {
+		benchmarkMatcherType(b, Full, func() MatcherGroup {
+			return NewMphMatcherGroup()
+		})
+	})
+}
+
+func BenchmarkDomainMatcher(b *testing.B) {
+	b.Run("SimpleMatcherGroup------", func(b *testing.B) {
+		benchmarkMatcherType(b, Domain, func() MatcherGroup {
+			return new(SimpleMatcherGroup)
+		})
+	})
+	b.Run("DomainMatcherGroup------", func(b *testing.B) {
+		benchmarkMatcherType(b, Domain, func() MatcherGroup {
+			return NewDomainMatcherGroup()
+		})
+	})
+	b.Run("ACAutomationMatcherGroup", func(b *testing.B) {
+		benchmarkMatcherType(b, Domain, func() MatcherGroup {
+			return NewACAutomatonMatcherGroup()
+		})
+	})
+	b.Run("MphMatcherGroup---------", func(b *testing.B) {
+		benchmarkMatcherType(b, Domain, func() MatcherGroup {
+			return NewMphMatcherGroup()
+		})
+	})
+}
+
+func BenchmarkSubstrMatcher(b *testing.B) {
+	b.Run("SimpleMatcherGroup------", func(b *testing.B) {
+		benchmarkMatcherType(b, Substr, func() MatcherGroup {
+			return new(SimpleMatcherGroup)
+		})
+	})
+	b.Run("SubstrMatcherGroup------", func(b *testing.B) {
+		benchmarkMatcherType(b, Substr, func() MatcherGroup {
+			return new(SubstrMatcherGroup)
+		})
+	})
+	b.Run("ACAutomationMatcherGroup", func(b *testing.B) {
+		benchmarkMatcherType(b, Substr, func() MatcherGroup {
+			return NewACAutomatonMatcherGroup()
+		})
+	})
+}
+
+// Utility functions for benchmark
+
+func benchmarkMatcherType(b *testing.B, t Type, ctor func() MatcherGroup) {
+	b.Run("Match", func(b *testing.B) {
+		b.Run("Succ", func(b *testing.B) {
+			benchmarkMatch(b, ctor(), map[Type]bool{t: true})
+		})
+		b.Run("Fail", func(b *testing.B) {
+			benchmarkMatch(b, ctor(), map[Type]bool{t: false})
+		})
+	})
+	b.Run("MatchAny", func(b *testing.B) {
+		b.Run("Succ", func(b *testing.B) {
+			benchmarkMatchAny(b, ctor(), map[Type]bool{t: true})
+		})
+		b.Run("Fail", func(b *testing.B) {
+			benchmarkMatchAny(b, ctor(), map[Type]bool{t: false})
+		})
+	})
+}
+
+func benchmarkMatch(b *testing.B, g MatcherGroup, enabledTypes map[Type]bool) {
+	prepareMatchers(g, enabledTypes)
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_ = g.Match("0.example.com")
+	}
+}
+
+func benchmarkMatchAny(b *testing.B, g MatcherGroup, enabledTypes map[Type]bool) {
+	prepareMatchers(g, enabledTypes)
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_ = g.MatchAny("0.example.com")
+	}
+}
+
+func prepareMatchers(g MatcherGroup, enabledTypes map[Type]bool) {
+	for matcherType, hasMatch := range enabledTypes {
+		switch matcherType {
+		case Domain:
+			if hasMatch {
+				AddMatcherToGroup(g, DomainMatcher("example.com"), 0)
+			}
+			for i := 1; i < 1024; i++ {
+				AddMatcherToGroup(g, DomainMatcher(strconv.Itoa(i)+".example.com"), uint32(i))
+			}
+		case Full:
+			if hasMatch {
+				AddMatcherToGroup(g, FullMatcher("0.example.com"), 0)
+			}
+			for i := 1; i < 64; i++ {
+				AddMatcherToGroup(g, FullMatcher(strconv.Itoa(i)+".example.com"), uint32(i))
+			}
+		case Substr:
+			if hasMatch {
+				AddMatcherToGroup(g, SubstrMatcher("example.com"), 0)
+			}
+			for i := 1; i < 4; i++ {
+				AddMatcherToGroup(g, SubstrMatcher(strconv.Itoa(i)+".example.com"), uint32(i))
+			}
+		case Regex:
+			matcher, err := Regex.New("^[^.]*$") // Dotless domain matcher automatically inserted in DNS app when "localhost" DNS is used.
+			common.Must(err)
+			AddMatcherToGroup(g, matcher, 0)
+		}
+	}
+	if g, ok := g.(buildable); ok {
+		common.Must(g.Build())
+	}
+}
+
+type buildable interface {
+	Build() error
+}
--- a/common/geodata/strmatcher/indexmatcher_linear.go
+++ b/common/geodata/strmatcher/indexmatcher_linear.go
@@ -0,0 +1,96 @@
+package strmatcher
+
+// LinearIndexMatcher is an implementation of IndexMatcher.
+type LinearIndexMatcher struct {
+	count  uint32
+	full   *FullMatcherGroup
+	domain *DomainMatcherGroup
+	substr *SubstrMatcherGroup
+	regex  *SimpleMatcherGroup
+}
+
+func NewLinearIndexMatcher() *LinearIndexMatcher {
+	return new(LinearIndexMatcher)
+}
+
+// Add implements IndexMatcher.Add.
+func (g *LinearIndexMatcher) Add(matcher Matcher) uint32 {
+	g.count++
+	index := g.count
+
+	switch matcher := matcher.(type) {
+	case FullMatcher:
+		if g.full == nil {
+			g.full = NewFullMatcherGroup()
+		}
+		g.full.AddFullMatcher(matcher, index)
+	case DomainMatcher:
+		if g.domain == nil {
+			g.domain = NewDomainMatcherGroup()
+		}
+		g.domain.AddDomainMatcher(matcher, index)
+	case SubstrMatcher:
+		if g.substr == nil {
+			g.substr = new(SubstrMatcherGroup)
+		}
+		g.substr.AddSubstrMatcher(matcher, index)
+	default:
+		if g.regex == nil {
+			g.regex = new(SimpleMatcherGroup)
+		}
+		g.regex.AddMatcher(matcher, index)
+	}
+
+	return index
+}
+
+// Build implements IndexMatcher.Build.
+func (*LinearIndexMatcher) Build() error {
+	return nil
+}
+
+// Match implements IndexMatcher.Match.
+func (g *LinearIndexMatcher) Match(input string) []uint32 {
+	// Allocate capacity to prevent matches escaping to heap
+	result := make([][]uint32, 0, 5)
+	if g.full != nil {
+		if matches := g.full.Match(input); len(matches) > 0 {
+			result = append(result, matches)
+		}
+	}
+	if g.domain != nil {
+		if matches := g.domain.Match(input); len(matches) > 0 {
+			result = append(result, matches)
+		}
+	}
+	if g.substr != nil {
+		if matches := g.substr.Match(input); len(matches) > 0 {
+			result = append(result, matches)
+		}
+	}
+	if g.regex != nil {
+		if matches := g.regex.Match(input); len(matches) > 0 {
+			result = append(result, matches)
+		}
+	}
+	return CompositeMatches(result)
+}
+
+// MatchAny implements IndexMatcher.MatchAny.
+func (g *LinearIndexMatcher) MatchAny(input string) bool {
+	if g.full != nil && g.full.MatchAny(input) {
+		return true
+	}
+	if g.domain != nil && g.domain.MatchAny(input) {
+		return true
+	}
+	if g.substr != nil && g.substr.MatchAny(input) {
+		return true
+	}
+	return g.regex != nil && g.regex.MatchAny(input)
+}
+
+// Size implements IndexMatcher.Size.
+func (g *LinearIndexMatcher) Size() uint32 {
+	return g.count
+}
--- a/common/geodata/strmatcher/indexmatcher_linear_test.go
+++ b/common/geodata/strmatcher/indexmatcher_linear_test.go
@@ -0,0 +1,95 @@
+package strmatcher_test
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/xtls/xray-core/common"
+	. "github.com/xtls/xray-core/common/geodata/strmatcher"
+)
+
+// See https://github.com/v2fly/v2ray-core/issues/92#issuecomment-673238489
+func TestLinearIndexMatcher(t *testing.T) {
+	rules := []struct {
+		Type   Type
+		Domain string
+	}{
+		{
+			Type:   Regex,
+			Domain: "apis\\.us$",
+		},
+		{
+			Type:   Substr,
+			Domain: "apis",
+		},
+		{
+			Type:   Domain,
+			Domain: "googleapis.com",
+		},
+		{
+			Type:   Domain,
+			Domain: "com",
+		},
+		{
+			Type:   Full,
+			Domain: "www.baidu.com",
+		},
+		{
+			Type:   Substr,
+			Domain: "apis",
+		},
+		{
+			Type:   Domain,
+			Domain: "googleapis.com",
+		},
+		{
+			Type:   Full,
+			Domain: "fonts.googleapis.com",
+		},
+		{
+			Type:   Full,
+			Domain: "www.baidu.com",
+		},
+		{
+			Type:   Domain,
+			Domain: "example.com",
+		},
+	}
+	cases := []struct {
+		Input  string
+		Output []uint32
+	}{
+		{
+			Input:  "www.baidu.com",
+			Output: []uint32{5, 9, 4},
+		},
+		{
+			Input:  "fonts.googleapis.com",
+			Output: []uint32{8, 3, 7, 4, 2, 6},
+		},
+		{
+			Input:  "example.googleapis.com",
+			Output: []uint32{3, 7, 4, 2, 6},
+		},
+		{
+			Input:  "testapis.us",
+			Output: []uint32{2, 6, 1},
+		},
+		{
+			Input:  "example.com",
+			Output: []uint32{10, 4},
+		},
+	}
+	matcherGroup := NewLinearIndexMatcher()
+	for _, rule := range rules {
+		matcher, err := rule.Type.New(rule.Domain)
+		common.Must(err)
+		matcherGroup.Add(matcher)
+	}
+	matcherGroup.Build()
+	for _, test := range cases {
+		if m := matcherGroup.Match(test.Input); !reflect.DeepEqual(m, test.Output) {
+			t.Error("unexpected output: ", m, " for test case ", test)
+		}
+	}
+}
--- a/common/geodata/strmatcher/indexmatcher_mph.go
+++ b/common/geodata/strmatcher/indexmatcher_mph.go
@@ -0,0 +1,100 @@
+package strmatcher
+
+import "runtime"
+
+// A MphIndexMatcher is divided into three parts:
+// 1. `full` and `domain` patterns are matched by Rabin-Karp algorithm and minimal perfect hash table;
+// 2. `substr` patterns are matched by ac automaton;
+// 3. `regex` patterns are matched with the regex library.
+type MphIndexMatcher struct {
+	count uint32
+	mph   *MphMatcherGroup
+	ac    *ACAutomatonMatcherGroup
+	regex *SimpleMatcherGroup
+}
+
+func NewMphIndexMatcher() *MphIndexMatcher {
+	return new(MphIndexMatcher)
+}
+
+// Add implements IndexMatcher.Add.
+func (g *MphIndexMatcher) Add(matcher Matcher) uint32 {
+	g.count++
+	index := g.count
+
+	switch matcher := matcher.(type) {
+	case FullMatcher:
+		if g.mph == nil {
+			g.mph = NewMphMatcherGroup()
+		}
+		g.mph.AddFullMatcher(matcher, index)
+	case DomainMatcher:
+		if g.mph == nil {
+			g.mph = NewMphMatcherGroup()
+		}
+		g.mph.AddDomainMatcher(matcher, index)
+	case SubstrMatcher:
+		if g.ac == nil {
+			g.ac = NewACAutomatonMatcherGroup()
+		}
+		g.ac.AddSubstrMatcher(matcher, index)
+	case *RegexMatcher:
+		if g.regex == nil {
+			g.regex = &SimpleMatcherGroup{}
+		}
+		g.regex.AddMatcher(matcher, index)
+	}
+
+	return index
+}
+
+// Build implements IndexMatcher.Build.
+func (g *MphIndexMatcher) Build() error {
+	if g.mph != nil {
+		runtime.GC() // peak mem
+		g.mph.Build()
+	}
+	runtime.GC() // peak mem
+	if g.ac != nil {
+		g.ac.Build()
+		runtime.GC() // peak mem
+	}
+	return nil
+}
+
+// Match implements IndexMatcher.Match.
+func (g *MphIndexMatcher) Match(input string) []uint32 {
+	result := make([][]uint32, 0, 5)
+	if g.mph != nil {
+		if matches := g.mph.Match(input); len(matches) > 0 {
+			result = append(result, matches)
+		}
+	}
+	if g.ac != nil {
+		if matches := g.ac.Match(input); len(matches) > 0 {
+			result = append(result, matches)
+		}
+	}
+	if g.regex != nil {
+		if matches := g.regex.Match(input); len(matches) > 0 {
+			result = append(result, matches)
+		}
+	}
+	return CompositeMatches(result)
+}
+
+// MatchAny implements IndexMatcher.MatchAny.
+func (g *MphIndexMatcher) MatchAny(input string) bool {
+	if g.mph != nil && g.mph.MatchAny(input) {
+		return true
+	}
+	if g.ac != nil && g.ac.MatchAny(input) {
+		return true
+	}
+	return g.regex != nil && g.regex.MatchAny(input)
+}
+
+// Size implements IndexMatcher.Size.
+func (g *MphIndexMatcher) Size() uint32 {
+	return g.count
+}
--- a/common/geodata/strmatcher/indexmatcher_mph_test.go
+++ b/common/geodata/strmatcher/indexmatcher_mph_test.go
@@ -0,0 +1,94 @@
+package strmatcher_test
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/xtls/xray-core/common"
+	. "github.com/xtls/xray-core/common/geodata/strmatcher"
+)
+
+func TestMphIndexMatcher(t *testing.T) {
+	rules := []struct {
+		Type   Type
+		Domain string
+	}{
+		{
+			Type:   Regex,
+			Domain: "apis\\.us$",
+		},
+		{
+			Type:   Substr,
+			Domain: "apis",
+		},
+		{
+			Type:   Domain,
+			Domain: "googleapis.com",
+		},
+		{
+			Type:   Domain,
+			Domain: "com",
+		},
+		{
+			Type:   Full,
+			Domain: "www.baidu.com",
+		},
+		{
+			Type:   Substr,
+			Domain: "apis",
+		},
+		{
+			Type:   Domain,
+			Domain: "googleapis.com",
+		},
+		{
+			Type:   Full,
+			Domain: "fonts.googleapis.com",
+		},
+		{
+			Type:   Full,
+			Domain: "www.baidu.com",
+		},
+		{
+			Type:   Domain,
+			Domain: "example.com",
+		},
+	}
+	cases := []struct {
+		Input  string
+		Output []uint32
+	}{
+		{
+			Input:  "www.baidu.com",
+			Output: []uint32{5, 9, 4},
+		},
+		{
+			Input:  "fonts.googleapis.com",
+			Output: []uint32{8, 3, 7, 4, 2, 6},
+		},
+		{
+			Input:  "example.googleapis.com",
+			Output: []uint32{3, 7, 4, 2, 6},
+		},
+		{
+			Input:  "testapis.us",
+			Output: []uint32{2, 6, 1},
+		},
+		{
+			Input:  "example.com",
+			Output: []uint32{10, 4},
+		},
+	}
+	matcherGroup := NewMphIndexMatcher()
+	for _, rule := range rules {
+		matcher, err := rule.Type.New(rule.Domain)
+		common.Must(err)
+		matcherGroup.Add(matcher)
+	}
+	matcherGroup.Build()
+	for _, test := range cases {
+		if m := matcherGroup.Match(test.Input); !reflect.DeepEqual(m, test.Output) {
+			t.Error("unexpected output: ", m, " for test case ", test)
+		}
+	}
+}
--- a/common/geodata/strmatcher/matchergroup_ac_automation.go
+++ b/common/geodata/strmatcher/matchergroup_ac_automation.go
@@ -0,0 +1,282 @@
+package strmatcher
+
+import (
+	"container/list"
+)
+
+const (
+	acValidCharCount = 39 // aA-zZ (26), 0-9 (10), - (1), . (1), invalid(1)
+	acMatchTypeCount = 3  // Full, Domain and Substr
+)
+
+type acEdge byte
+
+const (
+	acTrieEdge acEdge = 1
+	acFailEdge acEdge = 0
+)
+
+type acNode struct {
+	next  [acValidCharCount]uint32 // EdgeIdx -> Next NodeIdx (Next trie node or fail node)
+	edge  [acValidCharCount]acEdge // EdgeIdx -> Trie Edge / Fail Edge
+	fail  uint32                   // NodeIdx of *next matched* Substr Pattern on its fail path
+	match uint32                   // MatchIdx of matchers registered on this node, 0 indicates no match
+} // Sizeof acNode: (4+1)*acValidCharCount + <padding> + 4 + 4
+
+type acValue [acMatchTypeCount][]uint32 // MatcherType -> Registered Matcher Values
+
+// ACAutoMationMatcherGroup is an implementation of MatcherGroup.
+// It uses an AC Automata to provide support for Full, Domain and Substr matcher. Trie node is char based.
+//
+// NOTICE: ACAutomatonMatcherGroup currently uses a restricted charset (LDH Subset),
+// upstream should manually in a way to ensure all patterns and inputs passed to it to be in this charset.
+type ACAutomatonMatcherGroup struct {
+	nodes  []acNode  // NodeIdx -> acNode
+	values []acValue // MatchIdx -> acValue
+}
+
+func NewACAutomatonMatcherGroup() *ACAutomatonMatcherGroup {
+	ac := new(ACAutomatonMatcherGroup)
+	ac.addNode()       // Create root node (NodeIdx 0)
+	ac.addMatchEntry() // Create sentinel match entry (MatchIdx 0)
+	return ac
+}
+
+// AddFullMatcher implements MatcherGroupForFull.AddFullMatcher.
+func (ac *ACAutomatonMatcherGroup) AddFullMatcher(matcher FullMatcher, value uint32) {
+	ac.addPattern(0, matcher.Pattern(), matcher.Type(), value)
+}
+
+// AddDomainMatcher implements MatcherGroupForDomain.AddDomainMatcher.
+func (ac *ACAutomatonMatcherGroup) AddDomainMatcher(matcher DomainMatcher, value uint32) {
+	node := ac.addPattern(0, matcher.Pattern(), matcher.Type(), value) // For full domain match
+	ac.addPattern(node, ".", matcher.Type(), value)                    // For partial domain match
+}
+
+// AddSubstrMatcher implements MatcherGroupForSubstr.AddSubstrMatcher.
+func (ac *ACAutomatonMatcherGroup) AddSubstrMatcher(matcher SubstrMatcher, value uint32) {
+	ac.addPattern(0, matcher.Pattern(), matcher.Type(), value)
+}
+
+func (ac *ACAutomatonMatcherGroup) addPattern(nodeIdx uint32, pattern string, matcherType Type, value uint32) uint32 {
+	node := &ac.nodes[nodeIdx]
+	for i := len(pattern) - 1; i >= 0; i-- {
+		edgeIdx := acCharset[pattern[i]]
+		nextIdx := node.next[edgeIdx]
+		if nextIdx == 0 { // Add new Trie Edge
+			nextIdx = ac.addNode()
+			ac.nodes[nodeIdx].next[edgeIdx] = nextIdx
+			ac.nodes[nodeIdx].edge[edgeIdx] = acTrieEdge
+		}
+		nodeIdx = nextIdx
+		node = &ac.nodes[nodeIdx]
+	}
+	if node.match == 0 { // Add new match entry
+		node.match = ac.addMatchEntry()
+	}
+	ac.values[node.match][matcherType] = append(ac.values[node.match][matcherType], value)
+	return nodeIdx
+}
+
+func (ac *ACAutomatonMatcherGroup) addNode() uint32 {
+	ac.nodes = append(ac.nodes, acNode{})
+	return uint32(len(ac.nodes) - 1)
+}
+
+func (ac *ACAutomatonMatcherGroup) addMatchEntry() uint32 {
+	ac.values = append(ac.values, acValue{})
+	return uint32(len(ac.values) - 1)
+}
+
+func (ac *ACAutomatonMatcherGroup) Build() error {
+	fail := make([]uint32, len(ac.nodes))
+	queue := list.New()
+	for edgeIdx := 0; edgeIdx < acValidCharCount; edgeIdx++ {
+		if nextIdx := ac.nodes[0].next[edgeIdx]; nextIdx != 0 {
+			queue.PushBack(nextIdx)
+		}
+	}
+	for {
+		front := queue.Front()
+		if front == nil {
+			break
+		}
+		queue.Remove(front)
+		nodeIdx := front.Value.(uint32)
+		node := &ac.nodes[nodeIdx]           // Current node
+		failNode := &ac.nodes[fail[nodeIdx]] // Fail node of currrent node
+		for edgeIdx := 0; edgeIdx < acValidCharCount; edgeIdx++ {
+			nodeIdx := node.next[edgeIdx]     // Next node through trie edge
+			failIdx := failNode.next[edgeIdx] // Next node through fail edge
+			if nodeIdx != 0 {
+				queue.PushBack(nodeIdx)
+				fail[nodeIdx] = failIdx
+				if match := ac.nodes[failIdx].match; match != 0 && len(ac.values[match][Substr]) > 0 { // Fail node is a Substr match node
+					ac.nodes[nodeIdx].fail = failIdx
+				} else { // Use path compression to reduce fail path to only contain match nodes
+					ac.nodes[nodeIdx].fail = ac.nodes[failIdx].fail
+				}
+			} else { // Add new fail edge
+				node.next[edgeIdx] = failIdx
+				node.edge[edgeIdx] = acFailEdge
+			}
+		}
+	}
+	return nil
+}
+
+// Match implements MatcherGroup.Match.
+func (ac *ACAutomatonMatcherGroup) Match(input string) []uint32 {
+	suffixMatches := make([][]uint32, 0, 5)
+	substrMatches := make([][]uint32, 0, 5)
+	fullMatch := true    // fullMatch indicates no fail edge traversed so far.
+	node := &ac.nodes[0] // start from root node.
+	// 1. the match string is all through trie edge. FULL MATCH or DOMAIN
+	// 2. the match string is through a fail edge. NOT FULL MATCH
+	// 2.1 Through a fail edge, but there exists a valid node. SUBSTR
+	for i := len(input) - 1; i >= 0; i-- {
+		edge := acCharset[input[i]]
+		fullMatch = fullMatch && (node.edge[edge] == acTrieEdge)
+		node = &ac.nodes[node.next[edge]] // Advance to next node
+		// When entering a new node, traverse the fail path to find all possible Substr patterns:
+		//   1. The fail path is compressed to only contains match nodes and root node (for terminate condition).
+		//   2. node.fail != 0 is added here for better performance (as shown by benchmark), possibly it helps branch prediction.
+		if node.fail != 0 {
+			for failIdx, failNode := node.fail, &ac.nodes[node.fail]; failIdx != 0; failIdx, failNode = failNode.fail, &ac.nodes[failIdx] {
+				substrMatches = append(substrMatches, ac.values[failNode.match][Substr])
+			}
+		}
+		// When entering a new node, check whether this node is a match.
+		// For Substr matchers:
+		//   1. Matched in any situation, whether a failNode edge is traversed or not.
+		// For Domain matchers:
+		//   1. Should not traverse any fail edge (fullMatch).
+		//   2. Only check on dot separator (input[i] == '.').
+		if node.match != 0 {
+			values := ac.values[node.match]
+			if len(values[Substr]) > 0 {
+				substrMatches = append(substrMatches, values[Substr])
+			}
+			if fullMatch && input[i] == '.' && len(values[Domain]) > 0 {
+				suffixMatches = append(suffixMatches, values[Domain])
+			}
+		}
+	}
+	// At the end of input, check if the whole string matches a pattern.
+	// For Domain matchers:
+	//   1. Exact match on Domain Matcher works like Full Match. e.g. foo.com is a full match for domain:foo.com.
+	// For Full matchers:
+	//   1. Only when no fail edge is traversed (fullMatch).
+	//   2. Takes the highest priority (added at last).
+	if fullMatch && node.match != 0 {
+		values := ac.values[node.match]
+		if len(values[Domain]) > 0 {
+			suffixMatches = append(suffixMatches, values[Domain])
+		}
+		if len(values[Full]) > 0 {
+			suffixMatches = append(suffixMatches, values[Full])
+		}
+	}
+	if len(substrMatches) == 0 {
+		return CompositeMatchesReverse(suffixMatches)
+	}
+	return CompositeMatchesReverse(append(substrMatches, suffixMatches...))
+}
+
+// MatchAny implements MatcherGroup.MatchAny.
+func (ac *ACAutomatonMatcherGroup) MatchAny(input string) bool {
+	fullMatch := true
+	node := &ac.nodes[0]
+	for i := len(input) - 1; i >= 0; i-- {
+		edge := acCharset[input[i]]
+		fullMatch = fullMatch && (node.edge[edge] == acTrieEdge)
+		node = &ac.nodes[node.next[edge]]
+		if node.fail != 0 { // There is a match on this node's fail path
+			return true
+		}
+		if node.match != 0 { // There is a match on this node
+			values := ac.values[node.match]
+			if len(values[Substr]) > 0 { // Substr match succeeds unconditionally
+				return true
+			}
+			if fullMatch && input[i] == '.' && len(values[Domain]) > 0 { // Domain match only succeeds with dot separator on trie path
+				return true
+			}
+		}
+	}
+	return fullMatch && node.match != 0 // At the end of input, Domain and Full match will succeed if no fail edge is traversed
+}
+
+// Letter-Digit-Hyphen (LDH) subset (https://tools.ietf.org/html/rfc952):
+//   - Letters A to Z (no distinction is made between uppercase and lowercase)
+//   - Digits 0 to 9
+//   - Hyphens(-) and Periods(.)
+//
+// If for future the strmatcher are used for other scenarios than domain,
+// we could add a new Charset interface to represent variable charsets.
+var acCharset = [256]int{
+	'A': 1,
+	'a': 1,
+	'B': 2,
+	'b': 2,
+	'C': 3,
+	'c': 3,
+	'D': 4,
+	'd': 4,
+	'E': 5,
+	'e': 5,
+	'F': 6,
+	'f': 6,
+	'G': 7,
+	'g': 7,
+	'H': 8,
+	'h': 8,
+	'I': 9,
+	'i': 9,
+	'J': 10,
+	'j': 10,
+	'K': 11,
+	'k': 11,
+	'L': 12,
+	'l': 12,
+	'M': 13,
+	'm': 13,
+	'N': 14,
+	'n': 14,
+	'O': 15,
+	'o': 15,
+	'P': 16,
+	'p': 16,
+	'Q': 17,
+	'q': 17,
+	'R': 18,
+	'r': 18,
+	'S': 19,
+	's': 19,
+	'T': 20,
+	't': 20,
+	'U': 21,
+	'u': 21,
+	'V': 22,
+	'v': 22,
+	'W': 23,
+	'w': 23,
+	'X': 24,
+	'x': 24,
+	'Y': 25,
+	'y': 25,
+	'Z': 26,
+	'z': 26,
+	'-': 27,
+	'.': 28,
+	'0': 29,
+	'1': 30,
+	'2': 31,
+	'3': 32,
+	'4': 33,
+	'5': 34,
+	'6': 35,
+	'7': 36,
+	'8': 37,
+	'9': 38,
+}
--- a/common/geodata/strmatcher/matchergroup_ac_automation_test.go
+++ b/common/geodata/strmatcher/matchergroup_ac_automation_test.go
@@ -0,0 +1,365 @@
+package strmatcher_test
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/xtls/xray-core/common"
+	. "github.com/xtls/xray-core/common/geodata/strmatcher"
+)
+
+func TestACAutomatonMatcherGroup(t *testing.T) {
+	cases1 := []struct {
+		pattern string
+		mType   Type
+		input   string
+		output  bool
+	}{
+		{
+			pattern: "example.com",
+			mType:   Domain,
+			input:   "www.example.com",
+			output:  true,
+		},
+		{
+			pattern: "example.com",
+			mType:   Domain,
+			input:   "example.com",
+			output:  true,
+		},
+		{
+			pattern: "example.com",
+			mType:   Domain,
+			input:   "www.e3ample.com",
+			output:  false,
+		},
+		{
+			pattern: "example.com",
+			mType:   Domain,
+			input:   "xample.com",
+			output:  false,
+		},
+		{
+			pattern: "example.com",
+			mType:   Domain,
+			input:   "xexample.com",
+			output:  false,
+		},
+		{
+			pattern: "example.com",
+			mType:   Full,
+			input:   "example.com",
+			output:  true,
+		},
+		{
+			pattern: "example.com",
+			mType:   Full,
+			input:   "xexample.com",
+			output:  false,
+		},
+	}
+	for _, test := range cases1 {
+		ac := NewACAutomatonMatcherGroup()
+		matcher, err := test.mType.New(test.pattern)
+		common.Must(err)
+		common.Must(AddMatcherToGroup(ac, matcher, 0))
+		ac.Build()
+		if m := ac.MatchAny(test.input); m != test.output {
+			t.Error("unexpected output: ", m, " for test case ", test)
+		}
+	}
+	{
+		cases2Input := []struct {
+			pattern string
+			mType   Type
+		}{
+			{
+				pattern: "163.com",
+				mType:   Domain,
+			},
+			{
+				pattern: "m.126.com",
+				mType:   Full,
+			},
+			{
+				pattern: "3.com",
+				mType:   Full,
+			},
+			{
+				pattern: "google.com",
+				mType:   Substr,
+			},
+			{
+				pattern: "vgoogle.com",
+				mType:   Substr,
+			},
+		}
+		ac := NewACAutomatonMatcherGroup()
+		for _, test := range cases2Input {
+			matcher, err := test.mType.New(test.pattern)
+			common.Must(err)
+			common.Must(AddMatcherToGroup(ac, matcher, 0))
+		}
+		ac.Build()
+		cases2Output := []struct {
+			pattern string
+			res     bool
+		}{
+			{
+				pattern: "126.com",
+				res:     false,
+			},
+			{
+				pattern: "m.163.com",
+				res:     true,
+			},
+			{
+				pattern: "mm163.com",
+				res:     false,
+			},
+			{
+				pattern: "m.126.com",
+				res:     true,
+			},
+			{
+				pattern: "163.com",
+				res:     true,
+			},
+			{
+				pattern: "63.com",
+				res:     false,
+			},
+			{
+				pattern: "oogle.com",
+				res:     false,
+			},
+			{
+				pattern: "vvgoogle.com",
+				res:     true,
+			},
+		}
+		for _, test := range cases2Output {
+			if m := ac.MatchAny(test.pattern); m != test.res {
+				t.Error("unexpected output: ", m, " for test case ", test)
+			}
+		}
+	}
+
+	{
+		cases3Input := []struct {
+			pattern string
+			mType   Type
+		}{
+			{
+				pattern: "video.google.com",
+				mType:   Domain,
+			},
+			{
+				pattern: "gle.com",
+				mType:   Domain,
+			},
+		}
+		ac := NewACAutomatonMatcherGroup()
+		for _, test := range cases3Input {
+			matcher, err := test.mType.New(test.pattern)
+			common.Must(err)
+			common.Must(AddMatcherToGroup(ac, matcher, 0))
+		}
+		ac.Build()
+		cases3Output := []struct {
+			pattern string
+			res     bool
+		}{
+			{
+				pattern: "google.com",
+				res:     false,
+			},
+		}
+		for _, test := range cases3Output {
+			if m := ac.MatchAny(test.pattern); m != test.res {
+				t.Error("unexpected output: ", m, " for test case ", test)
+			}
+		}
+	}
+
+	{
+		cases4Input := []struct {
+			pattern string
+			mType   Type
+		}{
+			{
+				pattern: "apis",
+				mType:   Substr,
+			},
+			{
+				pattern: "googleapis.com",
+				mType:   Domain,
+			},
+		}
+		ac := NewACAutomatonMatcherGroup()
+		for _, test := range cases4Input {
+			matcher, err := test.mType.New(test.pattern)
+			common.Must(err)
+			common.Must(AddMatcherToGroup(ac, matcher, 0))
+		}
+		ac.Build()
+		cases4Output := []struct {
+			pattern string
+			res     bool
+		}{
+			{
+				pattern: "gapis.com",
+				res:     true,
+			},
+		}
+		for _, test := range cases4Output {
+			if m := ac.MatchAny(test.pattern); m != test.res {
+				t.Error("unexpected output: ", m, " for test case ", test)
+			}
+		}
+	}
+}
+
+func TestACAutomatonMatcherGroupSubstr(t *testing.T) {
+	patterns := []struct {
+		pattern string
+		mType   Type
+	}{
+		{
+			pattern: "apis",
+			mType:   Substr,
+		},
+		{
+			pattern: "google",
+			mType:   Substr,
+		},
+		{
+			pattern: "apis",
+			mType:   Substr,
+		},
+	}
+	cases := []struct {
+		input  string
+		output []uint32
+	}{
+		{
+			input:  "google.com",
+			output: []uint32{1},
+		},
+		{
+			input:  "apis.com",
+			output: []uint32{0, 2},
+		},
+		{
+			input:  "googleapis.com",
+			output: []uint32{1, 0, 2},
+		},
+		{
+			input:  "fonts.googleapis.com",
+			output: []uint32{1, 0, 2},
+		},
+		{
+			input:  "apis.googleapis.com",
+			output: []uint32{0, 2, 1, 0, 2},
+		},
+	}
+	matcherGroup := NewACAutomatonMatcherGroup()
+	for id, entry := range patterns {
+		matcher, err := entry.mType.New(entry.pattern)
+		common.Must(err)
+		common.Must(AddMatcherToGroup(matcherGroup, matcher, uint32(id)))
+	}
+	matcherGroup.Build()
+	for _, test := range cases {
+		if r := matcherGroup.Match(test.input); !reflect.DeepEqual(r, test.output) {
+			t.Error("unexpected output: ", r, " for test case ", test)
+		}
+	}
+}
+
+// See https://github.com/v2fly/v2ray-core/issues/92#issuecomment-673238489
+func TestACAutomatonMatcherGroupAsIndexMatcher(t *testing.T) {
+	rules := []struct {
+		Type   Type
+		Domain string
+	}{
+		// Regex not supported by ACAutomationMatcherGroup
+		// {
+		// 	Type:   Regex,
+		// 	Domain: "apis\\.us$",
+		// },
+		{
+			Type:   Substr,
+			Domain: "apis",
+		},
+		{
+			Type:   Domain,
+			Domain: "googleapis.com",
+		},
+		{
+			Type:   Domain,
+			Domain: "com",
+		},
+		{
+			Type:   Full,
+			Domain: "www.baidu.com",
+		},
+		{
+			Type:   Substr,
+			Domain: "apis",
+		},
+		{
+			Type:   Domain,
+			Domain: "googleapis.com",
+		},
+		{
+			Type:   Full,
+			Domain: "fonts.googleapis.com",
+		},
+		{
+			Type:   Full,
+			Domain: "www.baidu.com",
+		},
+		{
+			Type:   Domain,
+			Domain: "example.com",
+		},
+	}
+	cases := []struct {
+		Input  string
+		Output []uint32
+	}{
+		{
+			Input:  "www.baidu.com",
+			Output: []uint32{5, 9, 4},
+		},
+		{
+			Input:  "fonts.googleapis.com",
+			Output: []uint32{8, 3, 7, 4, 2, 6},
+		},
+		{
+			Input:  "example.googleapis.com",
+			Output: []uint32{3, 7, 4, 2, 6},
+		},
+		{
+			Input:  "testapis.us",
+			Output: []uint32{2, 6 /*, 1*/},
+		},
+		{
+			Input:  "example.com",
+			Output: []uint32{10, 4},
+		},
+	}
+	matcherGroup := NewACAutomatonMatcherGroup()
+	for i, rule := range rules {
+		matcher, err := rule.Type.New(rule.Domain)
+		common.Must(err)
+		common.Must(AddMatcherToGroup(matcherGroup, matcher, uint32(i+2)))
+	}
+	matcherGroup.Build()
+	for _, test := range cases {
+		if m := matcherGroup.Match(test.Input); !reflect.DeepEqual(m, test.Output) {
+			t.Error("unexpected output: ", m, " for test case ", test)
+		}
+	}
+}
--- a/common/geodata/strmatcher/matchergroup_domain.go
+++ b/common/geodata/strmatcher/matchergroup_domain.go
@@ -0,0 +1,109 @@
+package strmatcher
+
+type trieNode struct {
+	values   []uint32
+	children map[string]*trieNode
+}
+
+// DomainMatcherGroup is an implementation of MatcherGroup.
+// It uses trie to optimize both memory consumption and lookup speed. Trie node is domain label based.
+type DomainMatcherGroup struct {
+	root *trieNode
+}
+
+func NewDomainMatcherGroup() *DomainMatcherGroup {
+	return &DomainMatcherGroup{
+		root: new(trieNode),
+	}
+}
+
+// AddDomainMatcher implements MatcherGroupForDomain.AddDomainMatcher.
+func (g *DomainMatcherGroup) AddDomainMatcher(matcher DomainMatcher, value uint32) {
+	node := g.root
+	pattern := matcher.Pattern()
+	for i := len(pattern); i > 0; {
+		var part string
+		for j := i - 1; ; j-- {
+			if pattern[j] == '.' {
+				part = pattern[j+1 : i]
+				i = j
+				break
+			}
+			if j == 0 {
+				part = pattern[j:i]
+				i = j
+				break
+			}
+		}
+		if node.children == nil {
+			node.children = make(map[string]*trieNode)
+		}
+		next := node.children[part]
+		if next == nil {
+			next = new(trieNode)
+			node.children[part] = next
+		}
+		node = next
+	}
+
+	node.values = append(node.values, value)
+}
+
+// Match implements MatcherGroup.Match.
+func (g *DomainMatcherGroup) Match(input string) []uint32 {
+	matches := make([][]uint32, 0, 5)
+	node := g.root
+	for i := len(input); i > 0; {
+		for j := i - 1; ; j-- {
+			if input[j] == '.' { // Domain label found
+				node = node.children[input[j+1:i]]
+				i = j
+				break
+			}
+			if j == 0 { // The last part of domain label
+				node = node.children[input[j:i]]
+				i = j
+				break
+			}
+		}
+		if node == nil { // No more match if no trie edge transition
+			break
+		}
+		if len(node.values) > 0 { // Found matched matchers
+			matches = append(matches, node.values)
+		}
+		if node.children == nil { // No more match if leaf node reached
+			break
+		}
+	}
+	return CompositeMatchesReverse(matches)
+}
+
+// MatchAny implements MatcherGroup.MatchAny.
+func (g *DomainMatcherGroup) MatchAny(input string) bool {
+	node := g.root
+	for i := len(input); i > 0; {
+		for j := i - 1; ; j-- {
+			if input[j] == '.' {
+				node = node.children[input[j+1:i]]
+				i = j
+				break
+			}
+			if j == 0 {
+				node = node.children[input[j:i]]
+				i = j
+				break
+			}
+		}
+		if node == nil {
+			return false
+		}
+		if len(node.values) > 0 {
+			return true
+		}
+		if node.children == nil {
+			return false
+		}
+	}
+	return false
+}
--- a/common/geodata/strmatcher/matchergroup_domain_test.go
+++ b/common/geodata/strmatcher/matchergroup_domain_test.go
@@ -4,19 +4,43 @@ import (
 	"reflect"
 	"testing"

-	. "github.com/xtls/xray-core/common/strmatcher"
+	. "github.com/xtls/xray-core/common/geodata/strmatcher"
 )

 func TestDomainMatcherGroup(t *testing.T) {
-	g := new(DomainMatcherGroup)
-	g.Add("example.com", 1)
-	g.Add("google.com", 2)
-	g.Add("x.a.com", 3)
-	g.Add("a.b.com", 4)
-	g.Add("c.a.b.com", 5)
-	g.Add("x.y.com", 4)
-	g.Add("x.y.com", 6)
-
+	patterns := []struct {
+		Pattern string
+		Value   uint32
+	}{
+		{
+			Pattern: "example.com",
+			Value:   1,
+		},
+		{
+			Pattern: "google.com",
+			Value:   2,
+		},
+		{
+			Pattern: "x.a.com",
+			Value:   3,
+		},
+		{
+			Pattern: "a.b.com",
+			Value:   4,
+		},
+		{
+			Pattern: "c.a.b.com",
+			Value:   5,
+		},
+		{
+			Pattern: "x.y.com",
+			Value:   4,
+		},
+		{
+			Pattern: "x.y.com",
+			Value:   6,
+		},
+	}
 	testCases := []struct {
 		Domain string
 		Result []uint32
@@ -58,7 +82,10 @@ func TestDomainMatcherGroup(t *testing.T) {
 			Result: []uint32{4, 6},
 		},
 	}
-
+	g := NewDomainMatcherGroup()
+	for _, pattern := range patterns {
+		AddMatcherToGroup(g, DomainMatcher(pattern.Pattern), pattern.Value)
+	}
 	for _, testCase := range testCases {
 		r := g.Match(testCase.Domain)
 		if !reflect.DeepEqual(r, testCase.Result) {
@@ -68,7 +95,7 @@ func TestDomainMatcherGroup(t *testing.T) {
 }

 func TestEmptyDomainMatcherGroup(t *testing.T) {
-	g := new(DomainMatcherGroup)
+	g := NewDomainMatcherGroup()
 	r := g.Match("example.com")
 	if len(r) != 0 {
 		t.Error("Expect [], but ", r)
--- a/common/geodata/strmatcher/matchergroup_full.go
+++ b/common/geodata/strmatcher/matchergroup_full.go
@@ -0,0 +1,30 @@
+package strmatcher
+
+// FullMatcherGroup is an implementation of MatcherGroup.
+// It uses a hash table to facilitate exact match lookup.
+type FullMatcherGroup struct {
+	matchers map[string][]uint32
+}
+
+func NewFullMatcherGroup() *FullMatcherGroup {
+	return &FullMatcherGroup{
+		matchers: make(map[string][]uint32),
+	}
+}
+
+// AddFullMatcher implements MatcherGroupForFull.AddFullMatcher.
+func (g *FullMatcherGroup) AddFullMatcher(matcher FullMatcher, value uint32) {
+	domain := matcher.Pattern()
+	g.matchers[domain] = append(g.matchers[domain], value)
+}
+
+// Match implements MatcherGroup.Match.
+func (g *FullMatcherGroup) Match(input string) []uint32 {
+	return g.matchers[input]
+}
+
+// MatchAny implements MatcherGroup.Any.
+func (g *FullMatcherGroup) MatchAny(input string) bool {
+	_, found := g.matchers[input]
+	return found
+}
--- a/common/geodata/strmatcher/matchergroup_full_test.go
+++ b/common/geodata/strmatcher/matchergroup_full_test.go
@@ -4,17 +4,35 @@ import (
 	"reflect"
 	"testing"

-	. "github.com/xtls/xray-core/common/strmatcher"
+	. "github.com/xtls/xray-core/common/geodata/strmatcher"
 )

 func TestFullMatcherGroup(t *testing.T) {
-	g := new(FullMatcherGroup)
-	g.Add("example.com", 1)
-	g.Add("google.com", 2)
-	g.Add("x.a.com", 3)
-	g.Add("x.y.com", 4)
-	g.Add("x.y.com", 6)
-
+	patterns := []struct {
+		Pattern string
+		Value   uint32
+	}{
+		{
+			Pattern: "example.com",
+			Value:   1,
+		},
+		{
+			Pattern: "google.com",
+			Value:   2,
+		},
+		{
+			Pattern: "x.a.com",
+			Value:   3,
+		},
+		{
+			Pattern: "x.y.com",
+			Value:   4,
+		},
+		{
+			Pattern: "x.y.com",
+			Value:   6,
+		},
+	}
 	testCases := []struct {
 		Domain string
 		Result []uint32
@@ -32,7 +50,10 @@ func TestFullMatcherGroup(t *testing.T) {
 			Result: []uint32{4, 6},
 		},
 	}
-
+	g := NewFullMatcherGroup()
+	for _, pattern := range patterns {
+		AddMatcherToGroup(g, FullMatcher(pattern.Pattern), pattern.Value)
+	}
 	for _, testCase := range testCases {
 		r := g.Match(testCase.Domain)
 		if !reflect.DeepEqual(r, testCase.Result) {
@@ -42,7 +63,7 @@ func TestFullMatcherGroup(t *testing.T) {
 }

 func TestEmptyFullMatcherGroup(t *testing.T) {
-	g := new(FullMatcherGroup)
+	g := NewFullMatcherGroup()
 	r := g.Match("example.com")
 	if len(r) != 0 {
 		t.Error("Expect [], but ", r)
--- a/common/geodata/strmatcher/matchergroup_mph.go
+++ b/common/geodata/strmatcher/matchergroup_mph.go
@@ -0,0 +1,198 @@
+package strmatcher
+
+import (
+	"math/bits"
+	"runtime"
+	"sort"
+	"strings"
+	"unsafe"
+)
+
+// PrimeRK is the prime base used in Rabin-Karp algorithm.
+const PrimeRK = 16777619
+
+// RollingHash calculates the rolling murmurHash of given string based on a provided suffix hash.
+func RollingHash(hash uint32, input string) uint32 {
+	for i := len(input) - 1; i >= 0; i-- {
+		hash = hash*PrimeRK + uint32(input[i])
+	}
+	return hash
+}
+
+// MemHash is the hash function used by go map, it utilizes available hardware instructions(behaves
+// as aeshash if aes instruction is available).
+// With different seed, each MemHash<seed> performs as distinct hash functions.
+func MemHash(seed uint32, input string) uint32 {
+	return uint32(strhash(unsafe.Pointer(&input), uintptr(seed))) // nosemgrep
+}
+
+const (
+	mphMatchTypeCount = 2 // Full and Domain
+)
+
+type mphRuleInfo struct {
+	rollingHash uint32
+	matchers    [mphMatchTypeCount][]uint32
+}
+
+// MphMatcherGroup is an implementation of MatcherGroup.
+// It implements Rabin-Karp algorithm and minimal perfect hash table for Full and Domain matcher.
+type MphMatcherGroup struct {
+	rules      []string   // RuleIdx -> pattern string, index 0 reserved for failed lookup
+	values     [][]uint32 // RuleIdx -> registered matcher values for the pattern (Full Matcher takes precedence)
+	level0     []uint32   // RollingHash & Mask -> seed for Memhash
+	level0Mask uint32     // Mask restricting RollingHash to 0 ~ len(level0)
+	level1     []uint32   // Memhash<seed> & Mask -> stored index for rules
+	level1Mask uint32     // Mask for restricting Memhash<seed> to 0 ~ len(level1)
+	ruleInfos  *map[string]mphRuleInfo
+}
+
+func NewMphMatcherGroup() *MphMatcherGroup {
+	return &MphMatcherGroup{
+		rules:      []string{""},
+		values:     [][]uint32{nil},
+		level0:     nil,
+		level0Mask: 0,
+		level1:     nil,
+		level1Mask: 0,
+		ruleInfos:  &map[string]mphRuleInfo{}, // Only used for building, destroyed after build complete
+	}
+}
+
+// AddFullMatcher implements MatcherGroupForFull.
+func (g *MphMatcherGroup) AddFullMatcher(matcher FullMatcher, value uint32) {
+	pattern := strings.ToLower(matcher.Pattern())
+	g.addPattern(0, "", pattern, matcher.Type(), value)
+}
+
+// AddDomainMatcher implements MatcherGroupForDomain.
+func (g *MphMatcherGroup) AddDomainMatcher(matcher DomainMatcher, value uint32) {
+	pattern := strings.ToLower(matcher.Pattern())
+	hash := g.addPattern(0, "", pattern, matcher.Type(), value) // For full domain match
+	g.addPattern(hash, pattern, ".", matcher.Type(), value)     // For partial domain match
+}
+
+func (g *MphMatcherGroup) addPattern(suffixHash uint32, suffixPattern string, pattern string, matcherType Type, value uint32) uint32 {
+	fullPattern := pattern + suffixPattern
+	info, found := (*g.ruleInfos)[fullPattern]
+	if !found {
+		info = mphRuleInfo{rollingHash: RollingHash(suffixHash, pattern)}
+		g.rules = append(g.rules, fullPattern)
+		g.values = append(g.values, nil)
+	}
+	info.matchers[matcherType] = append(info.matchers[matcherType], value)
+	(*g.ruleInfos)[fullPattern] = info
+	return info.rollingHash
+}
+
+// Build builds a minimal perfect hash table for insert rules.
+// Algorithm used: Hash, displace, and compress. See http://cmph.sourceforge.net/papers/esa09.pdf
+func (g *MphMatcherGroup) Build() error {
+	ruleCount := len(*g.ruleInfos)
+	g.level0 = make([]uint32, nextPow2(ruleCount/4))
+	g.level0Mask = uint32(len(g.level0) - 1)
+	g.level1 = make([]uint32, nextPow2(ruleCount))
+	g.level1Mask = uint32(len(g.level1) - 1)
+
+	// Create buckets based on all rule's rolling hash
+	buckets := make([][]uint32, len(g.level0))
+	for ruleIdx := 1; ruleIdx < len(g.rules); ruleIdx++ { // Traverse rules starting from index 1 (0 reserved for failed lookup)
+		ruleInfo := (*g.ruleInfos)[g.rules[ruleIdx]]
+		bucketIdx := ruleInfo.rollingHash & g.level0Mask
+		buckets[bucketIdx] = append(buckets[bucketIdx], uint32(ruleIdx))
+		g.values[ruleIdx] = append(ruleInfo.matchers[Full], ruleInfo.matchers[Domain]...) // nolint:gocritic
+	}
+	g.ruleInfos = nil // Set ruleInfos nil to release memory
+	runtime.GC()      // peak mem
+
+	// Sort buckets in descending order with respect to each bucket's size
+	bucketIdxs := make([]int, len(buckets))
+	for bucketIdx := range buckets {
+		bucketIdxs[bucketIdx] = bucketIdx
+	}
+	sort.Slice(bucketIdxs, func(i, j int) bool { return len(buckets[bucketIdxs[i]]) > len(buckets[bucketIdxs[j]]) })
+
+	// Exercise Hash, Displace, and Compress algorithm to construct minimal perfect hash table
+	occupied := make([]bool, len(g.level1)) // Whether a second-level hash has been already used
+	hashedBucket := make([]uint32, 0, 4)    // Second-level hashes for each rule in a specific bucket
+	for _, bucketIdx := range bucketIdxs {
+		bucket := buckets[bucketIdx]
+		hashedBucket = hashedBucket[:0]
+		seed := uint32(0)
+		for len(hashedBucket) != len(bucket) {
+			for _, ruleIdx := range bucket {
+				memHash := MemHash(seed, g.rules[ruleIdx]) & g.level1Mask
+				if occupied[memHash] { // Collision occurred with this seed
+					for _, hash := range hashedBucket { // Revert all values in this hashed bucket
+						occupied[hash] = false
+						g.level1[hash] = 0
+					}
+					hashedBucket = hashedBucket[:0]
+					seed++ // Try next seed
+					break
+				}
+				occupied[memHash] = true
+				g.level1[memHash] = ruleIdx // The final value in the hash table
+				hashedBucket = append(hashedBucket, memHash)
+			}
+		}
+		g.level0[bucketIdx] = seed // Displacement value for this bucket
+	}
+	return nil
+}
+
+// Lookup searches for input in minimal perfect hash table and returns its index. 0 indicates not found.
+func (g *MphMatcherGroup) Lookup(rollingHash uint32, input string) uint32 {
+	i0 := rollingHash & g.level0Mask
+	seed := g.level0[i0]
+	i1 := MemHash(seed, input) & g.level1Mask
+	if n := g.level1[i1]; g.rules[n] == input {
+		return n
+	}
+	return 0
+}
+
+// Match implements MatcherGroup.Match.
+func (g *MphMatcherGroup) Match(input string) []uint32 {
+	matches := make([][]uint32, 0, 5)
+	hash := uint32(0)
+	for i := len(input) - 1; i >= 0; i-- {
+		hash = hash*PrimeRK + uint32(input[i])
+		if input[i] == '.' {
+			if mphIdx := g.Lookup(hash, input[i:]); mphIdx != 0 {
+				matches = append(matches, g.values[mphIdx])
+			}
+		}
+	}
+	if mphIdx := g.Lookup(hash, input); mphIdx != 0 {
+		matches = append(matches, g.values[mphIdx])
+	}
+	return CompositeMatchesReverse(matches)
+}
+
+// MatchAny implements MatcherGroup.MatchAny.
+func (g *MphMatcherGroup) MatchAny(input string) bool {
+	hash := uint32(0)
+	for i := len(input) - 1; i >= 0; i-- {
+		hash = hash*PrimeRK + uint32(input[i])
+		if input[i] == '.' {
+			if g.Lookup(hash, input[i:]) != 0 {
+				return true
+			}
+		}
+	}
+	return g.Lookup(hash, input) != 0
+}
+
+func nextPow2(v int) int {
+	if v <= 1 {
+		return 1
+	}
+	const MaxUInt = ^uint(0)
+	n := (MaxUInt >> bits.LeadingZeros(uint(v))) + 1
+	return int(n)
+}
+
+//go:noescape
+//go:linkname strhash runtime.strhash
+func strhash(p unsafe.Pointer, h uintptr) uintptr
--- a/common/geodata/strmatcher/matchergroup_mph_test.go
+++ b/common/geodata/strmatcher/matchergroup_mph_test.go
@@ -5,94 +5,10 @@ import (
 	"testing"

 	"github.com/xtls/xray-core/common"
-	. "github.com/xtls/xray-core/common/strmatcher"
+	. "github.com/xtls/xray-core/common/geodata/strmatcher"
 )

-func TestMatcherGroup(t *testing.T) {
-	rules := []struct {
-		Type   Type
-		Domain string
-	}{
-		{
-			Type:   Regex,
-			Domain: "apis\\.us$",
-		},
-		{
-			Type:   Substr,
-			Domain: "apis",
-		},
-		{
-			Type:   Domain,
-			Domain: "googleapis.com",
-		},
-		{
-			Type:   Domain,
-			Domain: "com",
-		},
-		{
-			Type:   Full,
-			Domain: "www.baidu.com",
-		},
-		{
-			Type:   Substr,
-			Domain: "apis",
-		},
-		{
-			Type:   Domain,
-			Domain: "googleapis.com",
-		},
-		{
-			Type:   Full,
-			Domain: "fonts.googleapis.com",
-		},
-		{
-			Type:   Full,
-			Domain: "www.baidu.com",
-		},
-		{
-			Type:   Domain,
-			Domain: "example.com",
-		},
-	}
-	cases := []struct {
-		Input  string
-		Output []uint32
-	}{
-		{
-			Input:  "www.baidu.com",
-			Output: []uint32{5, 9, 4},
-		},
-		{
-			Input:  "fonts.googleapis.com",
-			Output: []uint32{8, 3, 7, 4, 2, 6},
-		},
-		{
-			Input:  "example.googleapis.com",
-			Output: []uint32{3, 7, 4, 2, 6},
-		},
-		{
-			Input:  "testapis.us",
-			Output: []uint32{1, 2, 6},
-		},
-		{
-			Input:  "example.com",
-			Output: []uint32{10, 4},
-		},
-	}
-	matcherGroup := &MatcherGroup{}
-	for _, rule := range rules {
-		matcher, err := rule.Type.New(rule.Domain)
-		common.Must(err)
-		matcherGroup.Add(matcher)
-	}
-	for _, test := range cases {
-		if m := matcherGroup.Match(test.Input); !reflect.DeepEqual(m, test.Output) {
-			t.Error("unexpected output: ", m, " for test case ", test)
-		}
-	}
-}
-
-func TestACAutomaton(t *testing.T) {
+func TestMphMatcherGroup(t *testing.T) {
 	cases1 := []struct {
 		pattern string
 		mType   Type
@@ -100,53 +16,55 @@ func TestACAutomaton(t *testing.T) {
 		output  bool
 	}{
 		{
-			pattern: "xtls.github.io",
+			pattern: "example.com",
 			mType:   Domain,
-			input:   "www.xtls.github.io",
+			input:   "www.example.com",
 			output:  true,
 		},
 		{
-			pattern: "xtls.github.io",
+			pattern: "example.com",
 			mType:   Domain,
-			input:   "xtls.github.io",
+			input:   "example.com",
 			output:  true,
 		},
 		{
-			pattern: "xtls.github.io",
+			pattern: "example.com",
 			mType:   Domain,
-			input:   "www.xtis.github.io",
+			input:   "www.e3ample.com",
 			output:  false,
 		},
 		{
-			pattern: "xtls.github.io",
+			pattern: "example.com",
 			mType:   Domain,
-			input:   "tls.github.io",
+			input:   "xample.com",
 			output:  false,
 		},
 		{
-			pattern: "xtls.github.io",
+			pattern: "example.com",
 			mType:   Domain,
-			input:   "xxtls.github.io",
+			input:   "xexample.com",
 			output:  false,
 		},
 		{
-			pattern: "xtls.github.io",
+			pattern: "example.com",
 			mType:   Full,
-			input:   "xtls.github.io",
+			input:   "example.com",
 			output:  true,
 		},
 		{
-			pattern: "xtls.github.io",
+			pattern: "example.com",
 			mType:   Full,
-			input:   "xxtls.github.io",
+			input:   "xexample.com",
 			output:  false,
 		},
 	}
 	for _, test := range cases1 {
-		ac := NewACAutomaton()
-		ac.Add(test.pattern, test.mType)
-		ac.Build()
-		if m := ac.Match(test.input); m != test.output {
+		mph := NewMphMatcherGroup()
+		matcher, err := test.mType.New(test.pattern)
+		common.Must(err)
+		common.Must(AddMatcherToGroup(mph, matcher, 0))
+		mph.Build()
+		if m := mph.MatchAny(test.input); m != test.output {
 			t.Error("unexpected output: ", m, " for test case ", test)
 		}
 	}
@@ -167,20 +85,14 @@ func TestACAutomaton(t *testing.T) {
 				pattern: "3.com",
 				mType:   Full,
 			},
-			{
-				pattern: "google.com",
-				mType:   Substr,
-			},
-			{
-				pattern: "vgoogle.com",
-				mType:   Substr,
-			},
 		}
-		ac := NewACAutomaton()
+		mph := NewMphMatcherGroup()
 		for _, test := range cases2Input {
-			ac.Add(test.pattern, test.mType)
+			matcher, err := test.mType.New(test.pattern)
+			common.Must(err)
+			common.Must(AddMatcherToGroup(mph, matcher, 0))
 		}
-		ac.Build()
+		mph.Build()
 		cases2Output := []struct {
 			pattern string
 			res     bool
@@ -215,15 +127,11 @@ func TestACAutomaton(t *testing.T) {
 			},
 			{
 				pattern: "vvgoogle.com",
-				res:     true,
-			},
-			{
-				pattern: "½",
 				res:     false,
 			},
 		}
 		for _, test := range cases2Output {
-			if m := ac.Match(test.pattern); m != test.res {
+			if m := mph.MatchAny(test.pattern); m != test.res {
 				t.Error("unexpected output: ", m, " for test case ", test)
 			}
 		}
@@ -242,11 +150,13 @@ func TestACAutomaton(t *testing.T) {
 				mType:   Domain,
 			},
 		}
-		ac := NewACAutomaton()
+		mph := NewMphMatcherGroup()
 		for _, test := range cases3Input {
-			ac.Add(test.pattern, test.mType)
+			matcher, err := test.mType.New(test.pattern)
+			common.Must(err)
+			common.Must(AddMatcherToGroup(mph, matcher, 0))
 		}
-		ac.Build()
+		mph.Build()
 		cases3Output := []struct {
 			pattern string
 			res     bool
@@ -257,9 +167,112 @@ func TestACAutomaton(t *testing.T) {
 			},
 		}
 		for _, test := range cases3Output {
-			if m := ac.Match(test.pattern); m != test.res {
+			if m := mph.MatchAny(test.pattern); m != test.res {
 				t.Error("unexpected output: ", m, " for test case ", test)
 			}
 		}
 	}
 }
+
+// See https://github.com/v2fly/v2ray-core/issues/92#issuecomment-673238489
+func TestMphMatcherGroupAsIndexMatcher(t *testing.T) {
+	rules := []struct {
+		Type   Type
+		Domain string
+	}{
+		// Regex not supported by MphMatcherGroup
+		// {
+		// 	Type:   Regex,
+		// 	Domain: "apis\\.us$",
+		// },
+		// Substr not supported by MphMatcherGroup
+		// {
+		// 	Type:   Substr,
+		// 	Domain: "apis",
+		// },
+		{
+			Type:   Domain,
+			Domain: "googleapis.com",
+		},
+		{
+			Type:   Domain,
+			Domain: "com",
+		},
+		{
+			Type:   Full,
+			Domain: "www.baidu.com",
+		},
+		// Substr not supported by MphMatcherGroup, We add another matcher to preserve index
+		{
+			Type:   Domain,        // Substr,
+			Domain: "example.com", // "apis",
+		},
+		{
+			Type:   Domain,
+			Domain: "googleapis.com",
+		},
+		{
+			Type:   Full,
+			Domain: "fonts.googleapis.com",
+		},
+		{
+			Type:   Full,
+			Domain: "www.baidu.com",
+		},
+		{ // This matcher (index 10) is swapped with matcher (index 6) to test that full matcher takes high priority.
+			Type:   Full,
+			Domain: "example.com",
+		},
+		{
+			Type:   Domain,
+			Domain: "example.com",
+		},
+	}
+	cases := []struct {
+		Input  string
+		Output []uint32
+	}{
+		{
+			Input:  "www.baidu.com",
+			Output: []uint32{5, 9, 4},
+		},
+		{
+			Input:  "fonts.googleapis.com",
+			Output: []uint32{8, 3, 7, 4 /*2, 6*/},
+		},
+		{
+			Input:  "example.googleapis.com",
+			Output: []uint32{3, 7, 4 /*2, 6*/},
+		},
+		{
+			Input: "testapis.us",
+			// Output: []uint32{ /*2, 6*/ /*1,*/ },
+			Output: nil,
+		},
+		{
+			Input:  "example.com",
+			Output: []uint32{10, 6, 11, 4},
+		},
+	}
+	matcherGroup := NewMphMatcherGroup()
+	for i, rule := range rules {
+		matcher, err := rule.Type.New(rule.Domain)
+		common.Must(err)
+		common.Must(AddMatcherToGroup(matcherGroup, matcher, uint32(i+3)))
+	}
+	matcherGroup.Build()
+	for _, test := range cases {
+		if m := matcherGroup.Match(test.Input); !reflect.DeepEqual(m, test.Output) {
+			t.Error("unexpected output: ", m, " for test case ", test)
+		}
+	}
+}
+
+func TestEmptyMphMatcherGroup(t *testing.T) {
+	g := NewMphMatcherGroup()
+	g.Build()
+	r := g.Match("example.com")
+	if len(r) != 0 {
+		t.Error("Expect [], but ", r)
+	}
+}
--- a/common/geodata/strmatcher/matchergroup_simple.go
+++ b/common/geodata/strmatcher/matchergroup_simple.go
@@ -0,0 +1,41 @@
+package strmatcher
+
+type matcherEntry struct {
+	matcher Matcher
+	value   uint32
+}
+
+// SimpleMatcherGroup is an implementation of MatcherGroup.
+// It simply stores all matchers in an array and sequentially matches them.
+type SimpleMatcherGroup struct {
+	matchers []matcherEntry
+}
+
+// AddMatcher implements MatcherGroupForAll.AddMatcher.
+func (g *SimpleMatcherGroup) AddMatcher(matcher Matcher, value uint32) {
+	g.matchers = append(g.matchers, matcherEntry{
+		matcher: matcher,
+		value:   value,
+	})
+}
+
+// Match implements MatcherGroup.Match.
+func (g *SimpleMatcherGroup) Match(input string) []uint32 {
+	result := []uint32{}
+	for _, e := range g.matchers {
+		if e.matcher.Match(input) {
+			result = append(result, e.value)
+		}
+	}
+	return result
+}
+
+// MatchAny implements MatcherGroup.MatchAny.
+func (g *SimpleMatcherGroup) MatchAny(input string) bool {
+	for _, e := range g.matchers {
+		if e.matcher.Match(input) {
+			return true
+		}
+	}
+	return false
+}
--- a/common/geodata/strmatcher/matchergroup_simple_test.go
+++ b/common/geodata/strmatcher/matchergroup_simple_test.go
@@ -0,0 +1,69 @@
+package strmatcher_test
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/xtls/xray-core/common"
+	. "github.com/xtls/xray-core/common/geodata/strmatcher"
+)
+
+func TestSimpleMatcherGroup(t *testing.T) {
+	patterns := []struct {
+		pattern string
+		mType   Type
+	}{
+		{
+			pattern: "example.com",
+			mType:   Domain,
+		},
+		{
+			pattern: "example.com",
+			mType:   Full,
+		},
+		{
+			pattern: "example.com",
+			mType:   Regex,
+		},
+	}
+	cases := []struct {
+		input  string
+		output []uint32
+	}{
+		{
+			input:  "www.example.com",
+			output: []uint32{0, 2},
+		},
+		{
+			input:  "example.com",
+			output: []uint32{0, 1, 2},
+		},
+		{
+			input:  "www.e3ample.com",
+			output: []uint32{},
+		},
+		{
+			input:  "xample.com",
+			output: []uint32{},
+		},
+		{
+			input:  "xexample.com",
+			output: []uint32{2},
+		},
+		{
+			input:  "examplexcom",
+			output: []uint32{2},
+		},
+	}
+	matcherGroup := &SimpleMatcherGroup{}
+	for id, entry := range patterns {
+		matcher, err := entry.mType.New(entry.pattern)
+		common.Must(err)
+		common.Must(AddMatcherToGroup(matcherGroup, matcher, uint32(id)))
+	}
+	for _, test := range cases {
+		if r := matcherGroup.Match(test.input); !reflect.DeepEqual(r, test.output) {
+			t.Error("unexpected output: ", r, " for test case ", test)
+		}
+	}
+}
--- a/common/geodata/strmatcher/matchergroup_substr.go
+++ b/common/geodata/strmatcher/matchergroup_substr.go
@@ -0,0 +1,61 @@
+package strmatcher
+
+import (
+	"sort"
+	"strings"
+)
+
+// SubstrMatcherGroup is implementation of MatcherGroup,
+// It is simply implmeneted to comply with the priority specification of Substr matchers.
+type SubstrMatcherGroup struct {
+	patterns []string
+	values   []uint32
+}
+
+// AddSubstrMatcher implements MatcherGroupForSubstr.AddSubstrMatcher.
+func (g *SubstrMatcherGroup) AddSubstrMatcher(matcher SubstrMatcher, value uint32) {
+	g.patterns = append(g.patterns, matcher.Pattern())
+	g.values = append(g.values, value)
+}
+
+// Match implements MatcherGroup.Match.
+func (g *SubstrMatcherGroup) Match(input string) []uint32 {
+	var result []uint32
+	for i, pattern := range g.patterns {
+		for j := strings.LastIndex(input, pattern); j != -1; j = strings.LastIndex(input[:j], pattern) {
+			result = append(result, uint32(j)<<16|uint32(i)&0xffff) // uint32: position (higher 16 bit) | patternIdx (lower 16 bit)
+		}
+	}
+	// sort.Slice will trigger allocation no matter what input is. See https://github.com/golang/go/issues/17332
+	// We optimize the sorting by length to prevent memory allocation as possible.
+	switch len(result) {
+	case 0:
+		return nil
+	case 1:
+		// No need to sort
+	case 2:
+		// Do a simple swap if unsorted
+		if result[0] > result[1] {
+			result[0], result[1] = result[1], result[0]
+		}
+	default:
+		// Sort the match results in dictionary order, so that:
+		//   1. Pattern matched at smaller position (meaning matched further) takes precedence.
+		//   2. When patterns matched at same position, pattern with smaller index (meaning inserted early) takes precedence.
+		sort.Slice(result, func(i, j int) bool { return result[i] < result[j] })
+	}
+	for i, entry := range result {
+		result[i] = g.values[entry&0xffff] // Get pattern value from its index (the lower 16 bit)
+	}
+	return result
+}
+
+// MatchAny implements MatcherGroup.MatchAny.
+func (g *SubstrMatcherGroup) MatchAny(input string) bool {
+	for _, pattern := range g.patterns {
+		if strings.Contains(input, pattern) {
+			return true
+		}
+	}
+	return false
+}
--- a/common/geodata/strmatcher/matchergroup_substr_test.go
+++ b/common/geodata/strmatcher/matchergroup_substr_test.go
@@ -0,0 +1,65 @@
+package strmatcher_test
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/xtls/xray-core/common"
+	. "github.com/xtls/xray-core/common/geodata/strmatcher"
+)
+
+func TestSubstrMatcherGroup(t *testing.T) {
+	patterns := []struct {
+		pattern string
+		mType   Type
+	}{
+		{
+			pattern: "apis",
+			mType:   Substr,
+		},
+		{
+			pattern: "google",
+			mType:   Substr,
+		},
+		{
+			pattern: "apis",
+			mType:   Substr,
+		},
+	}
+	cases := []struct {
+		input  string
+		output []uint32
+	}{
+		{
+			input:  "google.com",
+			output: []uint32{1},
+		},
+		{
+			input:  "apis.com",
+			output: []uint32{0, 2},
+		},
+		{
+			input:  "googleapis.com",
+			output: []uint32{1, 0, 2},
+		},
+		{
+			input:  "fonts.googleapis.com",
+			output: []uint32{1, 0, 2},
+		},
+		{
+			input:  "apis.googleapis.com",
+			output: []uint32{0, 2, 1, 0, 2},
+		},
+	}
+	matcherGroup := &SubstrMatcherGroup{}
+	for id, entry := range patterns {
+		matcher, err := entry.mType.New(entry.pattern)
+		common.Must(err)
+		common.Must(AddMatcherToGroup(matcherGroup, matcher, uint32(id)))
+	}
+	for _, test := range cases {
+		if r := matcherGroup.Match(test.input); !reflect.DeepEqual(r, test.output) {
+			t.Error("unexpected output: ", r, " for test case ", test)
+		}
+	}
+}
--- a/common/geodata/strmatcher/matchers.go
+++ b/common/geodata/strmatcher/matchers.go
@@ -0,0 +1,348 @@
+package strmatcher
+
+import (
+	"errors"
+	"regexp"
+	"slices"
+	"strings"
+	"unicode/utf8"
+
+	"golang.org/x/net/idna"
+)
+
+// FullMatcher is an implementation of Matcher.
+type FullMatcher string
+
+func (FullMatcher) Type() Type {
+	return Full
+}
+
+func (m FullMatcher) Pattern() string {
+	return string(m)
+}
+
+func (m FullMatcher) String() string {
+	return "full:" + m.Pattern()
+}
+
+func (m FullMatcher) Match(s string) bool {
+	return string(m) == s
+}
+
+// DomainMatcher is an implementation of Matcher.
+type DomainMatcher string
+
+func (DomainMatcher) Type() Type {
+	return Domain
+}
+
+func (m DomainMatcher) Pattern() string {
+	return string(m)
+}
+
+func (m DomainMatcher) String() string {
+	return "domain:" + m.Pattern()
+}
+
+func (m DomainMatcher) Match(s string) bool {
+	pattern := m.Pattern()
+	if !strings.HasSuffix(s, pattern) {
+		return false
+	}
+	return len(s) == len(pattern) || s[len(s)-len(pattern)-1] == '.'
+}
+
+// SubstrMatcher is an implementation of Matcher.
+type SubstrMatcher string
+
+func (SubstrMatcher) Type() Type {
+	return Substr
+}
+
+func (m SubstrMatcher) Pattern() string {
+	return string(m)
+}
+
+func (m SubstrMatcher) String() string {
+	return "keyword:" + m.Pattern()
+}
+
+func (m SubstrMatcher) Match(s string) bool {
+	return strings.Contains(s, m.Pattern())
+}
+
+// RegexMatcher is an implementation of Matcher.
+type RegexMatcher struct {
+	pattern *regexp.Regexp
+}
+
+func (*RegexMatcher) Type() Type {
+	return Regex
+}
+
+func (m *RegexMatcher) Pattern() string {
+	return m.pattern.String()
+}
+
+func (m *RegexMatcher) String() string {
+	return "regexp:" + m.Pattern()
+}
+
+func (m *RegexMatcher) Match(s string) bool {
+	return m.pattern.MatchString(s)
+}
+
+// New creates a new Matcher based on the given pattern.
+func (t Type) New(pattern string) (Matcher, error) {
+	switch t {
+	case Full:
+		return FullMatcher(pattern), nil
+	case Substr:
+		return SubstrMatcher(pattern), nil
+	case Domain:
+		return DomainMatcher(pattern), nil
+	case Regex: // 1. regex matching is case-sensitive
+		regex, err := regexp.Compile(pattern)
+		if err != nil {
+			return nil, err
+		}
+		return &RegexMatcher{pattern: regex}, nil
+	default:
+		return nil, errors.New("unknown matcher type")
+	}
+}
+
+// NewDomainPattern creates a new Matcher based on the given domain pattern.
+// It works like `Type.New`, but will do validation and conversion to ensure it's a valid domain pattern.
+func (t Type) NewDomainPattern(pattern string) (Matcher, error) {
+	switch t {
+	case Full:
+		pattern, err := ToDomain(pattern)
+		if err != nil {
+			return nil, err
+		}
+		return FullMatcher(pattern), nil
+	case Substr:
+		pattern, err := ToDomain(pattern)
+		if err != nil {
+			return nil, err
+		}
+		return SubstrMatcher(pattern), nil
+	case Domain:
+		pattern, err := ToDomain(pattern)
+		if err != nil {
+			return nil, err
+		}
+		return DomainMatcher(pattern), nil
+	case Regex: // Regex's charset not in LDH subset
+		regex, err := regexp.Compile(pattern)
+		if err != nil {
+			return nil, err
+		}
+		return &RegexMatcher{pattern: regex}, nil
+	default:
+		return nil, errors.New("unknown matcher type")
+	}
+}
+
+// ToDomain converts input pattern to a domain string, and return error if such a conversion cannot be made.
+//  1. Conforms to Letter-Digit-Hyphen (LDH) subset (https://tools.ietf.org/html/rfc952):
+//     * Letters A to Z (no distinction between uppercase and lowercase, we convert to lowers)
+//     * Digits 0 to 9
+//     * Hyphens(-) and Periods(.)
+//  2. If any non-ASCII characters, domain are converted from Internationalized domain name to Punycode.
+func ToDomain(pattern string) (string, error) {
+	for {
+		isASCII, hasUpper := true, false
+		for i := 0; i < len(pattern); i++ {
+			c := pattern[i]
+			if c >= utf8.RuneSelf {
+				isASCII = false
+				break
+			}
+			switch {
+			case 'A' <= c && c <= 'Z':
+				hasUpper = true
+			case 'a' <= c && c <= 'z':
+			case '0' <= c && c <= '9':
+			case c == '-':
+			case c == '.':
+			default:
+				return "", errors.New("pattern string does not conform to Letter-Digit-Hyphen (LDH) subset")
+			}
+		}
+		if !isASCII {
+			var err error
+			pattern, err = idna.Punycode.ToASCII(pattern)
+			if err != nil {
+				return "", err
+			}
+			continue
+		}
+		if hasUpper {
+			pattern = strings.ToLower(pattern)
+		}
+		break
+	}
+	return pattern, nil
+}
+
+// MatcherGroupForAll is an interface indicating a MatcherGroup could accept all types of matchers.
+type MatcherGroupForAll interface {
+	AddMatcher(matcher Matcher, value uint32)
+}
+
+// MatcherGroupForFull is an interface indicating a MatcherGroup could accept FullMatchers.
+type MatcherGroupForFull interface {
+	AddFullMatcher(matcher FullMatcher, value uint32)
+}
+
+// MatcherGroupForDomain is an interface indicating a MatcherGroup could accept DomainMatchers.
+type MatcherGroupForDomain interface {
+	AddDomainMatcher(matcher DomainMatcher, value uint32)
+}
+
+// MatcherGroupForSubstr is an interface indicating a MatcherGroup could accept SubstrMatchers.
+type MatcherGroupForSubstr interface {
+	AddSubstrMatcher(matcher SubstrMatcher, value uint32)
+}
+
+// MatcherGroupForRegex is an interface indicating a MatcherGroup could accept RegexMatchers.
+type MatcherGroupForRegex interface {
+	AddRegexMatcher(matcher *RegexMatcher, value uint32)
+}
+
+// AddMatcherToGroup is a helper function to try to add a Matcher to any kind of MatcherGroup.
+// It returns error if the MatcherGroup does not accept the provided Matcher's type.
+// This function is provided to help writing code to test a MatcherGroup.
+func AddMatcherToGroup(g MatcherGroup, matcher Matcher, value uint32) error {
+	if g, ok := g.(IndexMatcher); ok {
+		g.Add(matcher)
+		return nil
+	}
+	if g, ok := g.(MatcherGroupForAll); ok {
+		g.AddMatcher(matcher, value)
+		return nil
+	}
+	switch matcher := matcher.(type) {
+	case FullMatcher:
+		if g, ok := g.(MatcherGroupForFull); ok {
+			g.AddFullMatcher(matcher, value)
+			return nil
+		}
+	case DomainMatcher:
+		if g, ok := g.(MatcherGroupForDomain); ok {
+			g.AddDomainMatcher(matcher, value)
+			return nil
+		}
+	case SubstrMatcher:
+		if g, ok := g.(MatcherGroupForSubstr); ok {
+			g.AddSubstrMatcher(matcher, value)
+			return nil
+		}
+	case *RegexMatcher:
+		if g, ok := g.(MatcherGroupForRegex); ok {
+			g.AddRegexMatcher(matcher, value)
+			return nil
+		}
+	}
+	return errors.New("cannot add matcher to matcher group")
+}
+
+// CompositeMatches flattens the matches slice to produce a single matched indices slice.
+func CompositeMatches(matches [][]uint32) []uint32 {
+	switch len(matches) {
+	case 0:
+		return nil
+	case 1:
+		return slices.Clone(matches[0])
+	default:
+		result := make([]uint32, 0, 5)
+		for i := 0; i < len(matches); i++ {
+			result = append(result, matches[i]...)
+		}
+		return result
+	}
+}
+
+// CompositeMatches flattens the matches slice to produce a single matched indices slice.
+// It is designed that:
+//  1. All matchers are concatenated in reverse order, so the matcher that matches further ranks higher.
+//  2. Indices in the same matcher keeps their original order.
+//  3. Avoid new memory allocation as possible.
+func CompositeMatchesReverse(matches [][]uint32) []uint32 {
+	switch len(matches) {
+	case 0:
+		return nil
+	case 1:
+		return matches[0]
+	default:
+		result := make([]uint32, 0, 5)
+		for i := len(matches) - 1; i >= 0; i-- {
+			result = append(result, matches[i]...)
+		}
+		return result
+	}
+}
+
+// MatcherSetForAll is an interface indicating a MatcherSet could accept all types of matchers.
+type MatcherSetForAll interface {
+	AddMatcher(matcher Matcher)
+}
+
+// MatcherSetForFull is an interface indicating a MatcherSet could accept FullMatchers.
+type MatcherSetForFull interface {
+	AddFullMatcher(matcher FullMatcher)
+}
+
+// MatcherSetForDomain is an interface indicating a MatcherSet could accept DomainMatchers.
+type MatcherSetForDomain interface {
+	AddDomainMatcher(matcher DomainMatcher)
+}
+
+// MatcherSetForSubstr is an interface indicating a MatcherSet could accept SubstrMatchers.
+type MatcherSetForSubstr interface {
+	AddSubstrMatcher(matcher SubstrMatcher)
+}
+
+// MatcherSetForRegex is an interface indicating a MatcherSet could accept RegexMatchers.
+type MatcherSetForRegex interface {
+	AddRegexMatcher(matcher *RegexMatcher)
+}
+
+// AddMatcherToSet is a helper function to try to add a Matcher to any kind of MatcherSet.
+// It returns error if the MatcherSet does not accept the provided Matcher's type.
+// This function is provided to help writing code to test a MatcherSet.
+func AddMatcherToSet(s MatcherSet, matcher Matcher) error {
+	if s, ok := s.(IndexMatcher); ok {
+		s.Add(matcher)
+		return nil
+	}
+	if s, ok := s.(MatcherSetForAll); ok {
+		s.AddMatcher(matcher)
+		return nil
+	}
+	switch matcher := matcher.(type) {
+	case FullMatcher:
+		if s, ok := s.(MatcherSetForFull); ok {
+			s.AddFullMatcher(matcher)
+			return nil
+		}
+	case DomainMatcher:
+		if s, ok := s.(MatcherSetForDomain); ok {
+			s.AddDomainMatcher(matcher)
+			return nil
+		}
+	case SubstrMatcher:
+		if s, ok := s.(MatcherSetForSubstr); ok {
+			s.AddSubstrMatcher(matcher)
+			return nil
+		}
+	case *RegexMatcher:
+		if s, ok := s.(MatcherSetForRegex); ok {
+			s.AddRegexMatcher(matcher)
+			return nil
+		}
+	}
+	return errors.New("cannot add matcher to matcher set")
+}
--- a/common/geodata/strmatcher/matchers_test.go
+++ b/common/geodata/strmatcher/matchers_test.go
@@ -0,0 +1,149 @@
+package strmatcher_test
+
+import (
+	"reflect"
+	"testing"
+	"unsafe"
+
+	"github.com/xtls/xray-core/common"
+	. "github.com/xtls/xray-core/common/geodata/strmatcher"
+)
+
+func TestMatcher(t *testing.T) {
+	cases := []struct {
+		pattern string
+		mType   Type
+		input   string
+		output  bool
+	}{
+		{
+			pattern: "example.com",
+			mType:   Domain,
+			input:   "www.example.com",
+			output:  true,
+		},
+		{
+			pattern: "example.com",
+			mType:   Domain,
+			input:   "example.com",
+			output:  true,
+		},
+		{
+			pattern: "example.com",
+			mType:   Domain,
+			input:   "www.e3ample.com",
+			output:  false,
+		},
+		{
+			pattern: "example.com",
+			mType:   Domain,
+			input:   "xample.com",
+			output:  false,
+		},
+		{
+			pattern: "example.com",
+			mType:   Domain,
+			input:   "xexample.com",
+			output:  false,
+		},
+		{
+			pattern: "example.com",
+			mType:   Full,
+			input:   "example.com",
+			output:  true,
+		},
+		{
+			pattern: "example.com",
+			mType:   Full,
+			input:   "xexample.com",
+			output:  false,
+		},
+		{
+			pattern: "example.com",
+			mType:   Regex,
+			input:   "examplexcom",
+			output:  true,
+		},
+	}
+	for _, test := range cases {
+		matcher, err := test.mType.New(test.pattern)
+		common.Must(err)
+		if m := matcher.Match(test.input); m != test.output {
+			t.Error("unexpected output: ", m, " for test case ", test)
+		}
+	}
+}
+
+func TestToDomain(t *testing.T) {
+	{ // Test normal ASCII domain, which should not trigger new string data allocation
+		input := "example.com"
+		domain, err := ToDomain(input)
+		if err != nil {
+			t.Error("unexpected error: ", err)
+		}
+		if domain != input {
+			t.Error("unexpected output: ", domain, " for test case ", input)
+		}
+		if (*reflect.StringHeader)(unsafe.Pointer(&input)).Data != (*reflect.StringHeader)(unsafe.Pointer(&domain)).Data {
+			t.Error("different string data of output: ", domain, " and test case ", input)
+		}
+	}
+	{ // Test ASCII domain containing upper case letter, which should be converted to lower case
+		input := "eXAMPLE.cOm"
+		domain, err := ToDomain(input)
+		if err != nil {
+			t.Error("unexpected error: ", err)
+		}
+		if domain != "example.com" {
+			t.Error("unexpected output: ", domain, " for test case ", input)
+		}
+	}
+	{ // Test internationalized domain, which should be translated to ASCII punycode
+		input := "example.公益"
+		domain, err := ToDomain(input)
+		if err != nil {
+			t.Error("unexpected error: ", err)
+		}
+		if domain != "example.xn--55qw42g" {
+			t.Error("unexpected output: ", domain, " for test case ", input)
+		}
+	}
+	{ // Test internationalized domain containing upper case letter
+		input := "eXAMPLE.公益"
+		domain, err := ToDomain(input)
+		if err != nil {
+			t.Error("unexpected error: ", err)
+		}
+		if domain != "example.xn--55qw42g" {
+			t.Error("unexpected output: ", domain, " for test case ", input)
+		}
+	}
+	{ // Test domain name of invalid character, which should return with error
+		input := "{"
+		_, err := ToDomain(input)
+		if err == nil {
+			t.Error("unexpected non error for test case ", input)
+		}
+	}
+	{ // Test domain name containing a space, which should return with error
+		input := "Mijia Cloud"
+		_, err := ToDomain(input)
+		if err == nil {
+			t.Error("unexpected non error for test case ", input)
+		}
+	}
+	{ // Test domain name containing an underscore, which should return with error
+		input := "Mijia_Cloud.com"
+		_, err := ToDomain(input)
+		if err == nil {
+			t.Error("unexpected non error for test case ", input)
+		}
+	}
+	{ // Test internationalized domain containing invalid character
+		input := "Mijia Cloud.公司"
+		_, err := ToDomain(input)
+		if err == nil {
+			t.Error("unexpected non error for test case ", input)
+		}
+	}
+}
--- a/common/geodata/strmatcher/matcherset_domain.go
+++ b/common/geodata/strmatcher/matcherset_domain.go
@@ -0,0 +1,79 @@
+package strmatcher
+
+type trieNode2 struct {
+	matched  bool
+	children map[string]*trieNode2
+}
+
+// DomainMatcherSet is an implementation of MatcherSet.
+// It uses trie to optimize both memory consumption and lookup speed. Trie node is domain label based.
+type DomainMatcherSet struct {
+	root *trieNode2
+}
+
+func NewDomainMatcherSet() *DomainMatcherSet {
+	return &DomainMatcherSet{
+		root: new(trieNode2),
+	}
+}
+
+// AddDomainMatcher implements MatcherSetForDomain.AddDomainMatcher.
+func (s *DomainMatcherSet) AddDomainMatcher(matcher DomainMatcher) {
+	node := s.root
+	pattern := matcher.Pattern()
+	for i := len(pattern); i > 0; {
+		var part string
+		for j := i - 1; ; j-- {
+			if pattern[j] == '.' {
+				part = pattern[j+1 : i]
+				i = j
+				break
+			}
+			if j == 0 {
+				part = pattern[j:i]
+				i = j
+				break
+			}
+		}
+		if node.children == nil {
+			node.children = make(map[string]*trieNode2)
+		}
+		next := node.children[part]
+		if next == nil {
+			next = new(trieNode2)
+			node.children[part] = next
+		}
+		node = next
+	}
+
+	node.matched = true
+}
+
+// MatchAny implements MatcherSet.MatchAny.
+func (s *DomainMatcherSet) MatchAny(input string) bool {
+	node := s.root
+	for i := len(input); i > 0; {
+		for j := i - 1; ; j-- {
+			if input[j] == '.' {
+				node = node.children[input[j+1:i]]
+				i = j
+				break
+			}
+			if j == 0 {
+				node = node.children[input[j:i]]
+				i = j
+				break
+			}
+		}
+		if node == nil {
+			return false
+		}
+		if node.matched {
+			return true
+		}
+		if node.children == nil {
+			return false
+		}
+	}
+	return false
+}
--- a/common/geodata/strmatcher/matcherset_domain_test.go
+++ b/common/geodata/strmatcher/matcherset_domain_test.go
@@ -0,0 +1,95 @@
+package strmatcher_test
+
+import (
+	"reflect"
+	"testing"
+
+	. "github.com/xtls/xray-core/common/geodata/strmatcher"
+)
+
+func TestDomainMatcherSet(t *testing.T) {
+	patterns := []struct {
+		Pattern string
+	}{
+		{
+			Pattern: "example.com",
+		},
+		{
+			Pattern: "google.com",
+		},
+		{
+			Pattern: "x.a.com",
+		},
+		{
+			Pattern: "a.b.com",
+		},
+		{
+			Pattern: "c.a.b.com",
+		},
+		{
+			Pattern: "x.y.com",
+		},
+		{
+			Pattern: "x.y.com",
+		},
+	}
+	testCases := []struct {
+		Domain string
+		Result bool
+	}{
+		{
+			Domain: "x.example.com",
+			Result: true,
+		},
+		{
+			Domain: "y.com",
+			Result: false,
+		},
+		{
+			Domain: "a.b.com",
+			Result: true,
+		},
+		{
+			Domain: "c.a.b.com",
+			Result: true,
+		},
+		{
+			Domain: "c.a..b.com",
+			Result: false,
+		},
+		{
+			Domain: ".com",
+			Result: false,
+		},
+		{
+			Domain: "com",
+			Result: false,
+		},
+		{
+			Domain: "",
+			Result: false,
+		},
+		{
+			Domain: "x.y.com",
+			Result: true,
+		},
+	}
+	s := NewDomainMatcherSet()
+	for _, pattern := range patterns {
+		AddMatcherToSet(s, DomainMatcher(pattern.Pattern))
+	}
+	for _, testCase := range testCases {
+		r := s.MatchAny(testCase.Domain)
+		if !reflect.DeepEqual(r, testCase.Result) {
+			t.Error("Failed to match domain: ", testCase.Domain, ", expect ", testCase.Result, ", but got ", r)
+		}
+	}
+}
+
+func TestEmptyDomainMatcherSet(t *testing.T) {
+	s := NewDomainMatcherSet()
+	r := s.MatchAny("example.com")
+	if r {
+		t.Error("Expect false, but ", r)
+	}
+}
--- a/common/geodata/strmatcher/matcherset_full.go
+++ b/common/geodata/strmatcher/matcherset_full.go
@@ -0,0 +1,24 @@
+package strmatcher
+
+// FullMatcherSet is an implementation of MatcherSet.
+// It uses a hash table to facilitate exact match lookup.
+type FullMatcherSet struct {
+	matchers map[string]struct{}
+}
+
+func NewFullMatcherSet() *FullMatcherSet {
+	return &FullMatcherSet{
+		matchers: make(map[string]struct{}),
+	}
+}
+
+// AddFullMatcher implements MatcherSetForFull.AddFullMatcher.
+func (s *FullMatcherSet) AddFullMatcher(matcher FullMatcher) {
+	s.matchers[matcher.Pattern()] = struct{}{}
+}
+
+// MatchAny implements MatcherSet.Any.
+func (s *FullMatcherSet) MatchAny(input string) bool {
+	_, found := s.matchers[input]
+	return found
+}
--- a/common/geodata/strmatcher/matcherset_full_test.go
+++ b/common/geodata/strmatcher/matcherset_full_test.go
@@ -0,0 +1,65 @@
+package strmatcher_test
+
+import (
+	"reflect"
+	"testing"
+
+	. "github.com/xtls/xray-core/common/geodata/strmatcher"
+)
+
+func TestFullMatcherSet(t *testing.T) {
+	patterns := []struct {
+		Pattern string
+	}{
+		{
+			Pattern: "example.com",
+		},
+		{
+			Pattern: "google.com",
+		},
+		{
+			Pattern: "x.a.com",
+		},
+		{
+			Pattern: "x.y.com",
+		},
+		{
+			Pattern: "x.y.com",
+		},
+	}
+	testCases := []struct {
+		Domain string
+		Result bool
+	}{
+		{
+			Domain: "example.com",
+			Result: true,
+		},
+		{
+			Domain: "y.com",
+			Result: false,
+		},
+		{
+			Domain: "x.y.com",
+			Result: true,
+		},
+	}
+	s := NewFullMatcherSet()
+	for _, pattern := range patterns {
+		AddMatcherToSet(s, FullMatcher(pattern.Pattern))
+	}
+	for _, testCase := range testCases {
+		r := s.MatchAny(testCase.Domain)
+		if !reflect.DeepEqual(r, testCase.Result) {
+			t.Error("Failed to match domain: ", testCase.Domain, ", expect ", testCase.Result, ", but got ", r)
+		}
+	}
+}
+
+func TestEmptyFullMatcherSet(t *testing.T) {
+	s := NewFullMatcherSet()
+	r := s.MatchAny("example.com")
+	if r {
+		t.Error("Expect false, but ", r)
+	}
+}
--- a/common/geodata/strmatcher/matcherset_simple.go
+++ b/common/geodata/strmatcher/matcherset_simple.go
@@ -0,0 +1,22 @@
+package strmatcher
+
+// SimpleMatcherSet is an implementation of MatcherSet.
+// It simply stores all matchers in an array and sequentially matches them.
+type SimpleMatcherSet struct {
+	matchers []Matcher
+}
+
+// AddMatcher implements MatcherSetForAll.AddMatcher.
+func (s *SimpleMatcherSet) AddMatcher(matcher Matcher) {
+	s.matchers = append(s.matchers, matcher)
+}
+
+// MatchAny implements MatcherSet.MatchAny.
+func (s *SimpleMatcherSet) MatchAny(input string) bool {
+	for _, m := range s.matchers {
+		if m.Match(input) {
+			return true
+		}
+	}
+	return false
+}
--- a/common/geodata/strmatcher/matcherset_simple_test.go
+++ b/common/geodata/strmatcher/matcherset_simple_test.go
@@ -0,0 +1,69 @@
+package strmatcher_test
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/xtls/xray-core/common"
+	. "github.com/xtls/xray-core/common/geodata/strmatcher"
+)
+
+func TestSimpleMatcherSet(t *testing.T) {
+	patterns := []struct {
+		pattern string
+		mType   Type
+	}{
+		{
+			pattern: "example.com",
+			mType:   Domain,
+		},
+		{
+			pattern: "example.com",
+			mType:   Full,
+		},
+		{
+			pattern: "example.com",
+			mType:   Regex,
+		},
+	}
+	cases := []struct {
+		input  string
+		output bool
+	}{
+		{
+			input:  "www.example.com",
+			output: true,
+		},
+		{
+			input:  "example.com",
+			output: true,
+		},
+		{
+			input:  "www.e3ample.com",
+			output: false,
+		},
+		{
+			input:  "xample.com",
+			output: false,
+		},
+		{
+			input:  "xexample.com",
+			output: true,
+		},
+		{
+			input:  "examplexcom",
+			output: true,
+		},
+	}
+	matcherSet := &SimpleMatcherSet{}
+	for _, entry := range patterns {
+		matcher, err := entry.mType.New(entry.pattern)
+		common.Must(err)
+		common.Must(AddMatcherToSet(matcherSet, matcher))
+	}
+	for _, test := range cases {
+		if r := matcherSet.MatchAny(test.input); !reflect.DeepEqual(r, test.output) {
+			t.Error("unexpected output: ", r, " for test case ", test)
+		}
+	}
+}
--- a/common/geodata/strmatcher/matcherset_substr.go
+++ b/common/geodata/strmatcher/matcherset_substr.go
@@ -0,0 +1,24 @@
+package strmatcher
+
+import "strings"
+
+// SubstrMatcherSet is implementation of MatcherSet,
+// It is simply implmeneted to comply with the priority specification of Substr matchers.
+type SubstrMatcherSet struct {
+	patterns []string
+}
+
+// AddSubstrMatcher implements MatcherSetForSubstr.AddSubstrMatcher.
+func (s *SubstrMatcherSet) AddSubstrMatcher(matcher SubstrMatcher) {
+	s.patterns = append(s.patterns, matcher.Pattern())
+}
+
+// MatchAny implements MatcherSet.MatchAny.
+func (s *SubstrMatcherSet) MatchAny(input string) bool {
+	for _, pattern := range s.patterns {
+		if strings.Contains(input, pattern) {
+			return true
+		}
+	}
+	return false
+}
--- a/common/geodata/strmatcher/matcherset_substr_test.go
+++ b/common/geodata/strmatcher/matcherset_substr_test.go
@@ -0,0 +1,77 @@
+package strmatcher_test
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/xtls/xray-core/common"
+	. "github.com/xtls/xray-core/common/geodata/strmatcher"
+)
+
+func TestSubstrMatcherSet(t *testing.T) {
+	patterns := []struct {
+		pattern string
+		mType   Type
+	}{
+		{
+			pattern: "apis",
+			mType:   Substr,
+		},
+		{
+			pattern: "google",
+			mType:   Substr,
+		},
+		{
+			pattern: "apis",
+			mType:   Substr,
+		},
+	}
+	cases := []struct {
+		input  string
+		output bool
+	}{
+		{
+			input:  "google.com",
+			output: true,
+		},
+		{
+			input:  "apis.com",
+			output: true,
+		},
+		{
+			input:  "googleapis.com",
+			output: true,
+		},
+		{
+			input:  "fonts.googleapis.com",
+			output: true,
+		},
+		{
+			input:  "apis.googleapis.com",
+			output: true,
+		},
+		{
+			input:  "baidu.com",
+			output: false,
+		},
+		{
+			input:  "goog",
+			output: false,
+		},
+		{
+			input:  "api",
+			output: false,
+		},
+	}
+	matcherSet := &SubstrMatcherSet{}
+	for _, entry := range patterns {
+		matcher, err := entry.mType.New(entry.pattern)
+		common.Must(err)
+		common.Must(AddMatcherToSet(matcherSet, matcher))
+	}
+	for _, test := range cases {
+		if r := matcherSet.MatchAny(test.input); !reflect.DeepEqual(r, test.output) {
+			t.Error("unexpected output: ", r, " for test case ", test)
+		}
+	}
+}
--- a/common/geodata/strmatcher/strmatcher.go
+++ b/common/geodata/strmatcher/strmatcher.go
@@ -0,0 +1,121 @@
+package strmatcher
+
+// Type is the type of the matcher.
+type Type byte
+
+const (
+	// Full is the type of matcher that the input string must exactly equal to the pattern.
+	Full Type = 0
+	// Domain is the type of matcher that the input string must be a sub-domain or itself of the pattern.
+	Domain Type = 1
+	// Substr is the type of matcher that the input string must contain the pattern as a sub-string.
+	Substr Type = 2
+	// Regex is the type of matcher that the input string must matches the regular-expression pattern.
+	Regex Type = 3
+)
+
+// Matcher is the interface to determine a string matches a pattern.
+//   - This is a basic matcher to represent a certain kind of match semantic (full, substr, domain or regex).
+type Matcher interface {
+	// Type returns the matcher's type.
+	Type() Type
+
+	// Pattern returns the matcher's raw string representation.
+	Pattern() string
+
+	// String returns a string representation of the matcher containing its type and pattern.
+	String() string
+
+	// Match returns true if the given string matches a predefined pattern.
+	//   * This method is seldom used for performance reason
+	//     and is generally taken over by their corresponding MatcherGroup.
+	Match(input string) bool
+}
+
+// MatcherGroup is an advanced type of matcher to accept a bunch of basic Matchers (of certain type, not all matcher types).
+// For example:
+//   - FullMatcherGroup accepts FullMatcher and uses a hash table to facilitate lookup.
+//   - DomainMatcherGroup accepts DomainMatcher and uses a trie to optimize both memory consumption and lookup speed.
+type MatcherGroup interface {
+	// Match returns all matched matchers with their corresponding values.
+	Match(input string) []uint32
+
+	// MatchAny returns true as soon as one matching matcher is found.
+	MatchAny(input string) bool
+}
+
+// IndexMatcher is a general type of matcher thats accepts all kinds of basic matchers.
+// It should:
+//   - Accept all Matcher types with no exception.
+//   - Optimize string matching with a combination of MatcherGroups.
+//   - Obey certain priority order specification when returning matched Matchers.
+type IndexMatcher interface {
+	// Size returns number of matchers added to IndexMatcher.
+	Size() uint32
+
+	// Add adds a new Matcher to IndexMatcher, and returns its index. The index will never be 0.
+	Add(matcher Matcher) uint32
+
+	// Build builds the IndexMatcher to be ready for matching.
+	Build() error
+
+	// Match returns the indices of all matchers that matches the input.
+	//   * Empty array is returned if no such matcher exists.
+	//   * The order of returned matchers should follow priority specification.
+	//   * The returned slice is owned by the caller and may be safely modified.
+	// Priority specification:
+	//   1. Priority between matcher types: full > domain > substr > regex.
+	//   2. Priority of same-priority matchers matching at same position: the early added takes precedence.
+	//   3. Priority of domain matchers matching at different levels: the further matched domain takes precedence.
+	//   4. Priority of substr matchers matching at different positions: the further matched substr takes precedence.
+	Match(input string) []uint32
+
+	// MatchAny returns true as soon as one matching matcher is found.
+	MatchAny(input string) bool
+}
+
+// ValueMatcher is a general type of matcher that accepts all kinds of basic matchers.
+// It should:
+//   - Accept all Matcher types with no exception.
+//   - Optimize string matching with a combination of MatcherGroups.
+//   - Obey certain priority order specification when returning matched values.
+type ValueMatcher interface {
+	// Add adds a new Matcher to ValueMatcher, binding it to the provided value.
+	Add(matcher Matcher, value uint32)
+
+	// Build builds the ValueMatcher to be ready for matching.
+	Build() error
+
+	// Match returns the values of all matchers that matches the input.
+	//   * Empty array is returned if no such matcher exists.
+	//   * The order of returned values should follow priority specification.
+	//   * Same value may appear multiple times if multiple matched matchers were added with that value.
+	//   * The returned slice is owned by the caller and may be safely modified.
+	// Priority specification:
+	//   1. Priority between matcher types: full > domain > substr > regex.
+	//   2. Priority of same-priority matchers matching at same position: the early added takes precedence.
+	//   3. Priority of domain matchers matching at different levels: the further matched domain takes precedence.
+	//   4. Priority of substr matchers matching at different positions: the further matched substr takes precedence.
+	Match(input string) []uint32
+
+	// MatchAny returns true as soon as one matching matcher is found.
+	MatchAny(input string) bool
+}
+
+// MatcherSet is an advanced type of matcher to accept a bunch of basic Matchers (of certain type, not all matcher types).
+// For example:
+//   - FullMatcherSet accepts FullMatcher and uses a hash table to facilitate lookup.
+//   - DomainMatcherSet accepts DomainMatcher and uses a trie to optimize both memory consumption and lookup speed.
+type MatcherSet interface {
+	// MatchAny returns true as soon as one matching matcher is found.
+	MatchAny(input string) bool
+}
+
+// AnyMatcher is a lightweight matcher for callers that only need existence checks.
+type AnyMatcher interface {
+	// Add adds a new Matcher to AnyMatcher.
+	Add(matcher Matcher)
+
+	// MatchAny returns true as soon as one matching matcher is found.
+	MatchAny(input string) bool
+}
--- a/Show More
+++ b/Show More