Move WFP manipulation to strict route

docs/changelog.md

@@ -3,6 +3,7 @@
 * Split bind_address into ipv4 and ipv6
 * Fix WireGuard outbound panic when close
 * Fix macOS Ventura process name match
+* Move WFP manipulation to strict route
 
 #### 1.1-beta12
 

docs/configuration/inbound/tun.md

@@ -93,16 +93,23 @@ Set the default route to the Tun.
 
 #### strict_route
 
-*In Linux*:
-
 Enforce strict routing rules when `auto_route` is enabled:
 
+*In Linux*:
+
 * Let unsupported network unreachable
 * Route all connections to tun
 
 It prevents address leaks and makes DNS hijacking work on Android and Linux with systemd-resolved, but your device will
 not be accessible by others.
 
+*In Windows*:
+
+* Add firewall rules to prevent DNS leak caused by
+  Windows' [ordinary multihomed DNS resolution behavior](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552%28v%3Dws.10%29)
+
+It may prevent some applications (such as VirtualBox) from working properly in certain situations.
+
 #### inet4_route_address
 
 Use custom routes instead of default when `auto_route` is enabled.

docs/configuration/inbound/tun.zh.md

@@ -8,7 +8,6 @@
 {
   "type": "tun",
   "tag": "tun-in",
-
   "interface_name": "tun0",
   "inet4_address": "172.19.0.1/30",
   "inet6_address": "fdfe:dcba:9876::1/126",
@@ -47,8 +46,8 @@
   "exclude_package": [
     "com.android.captiveportallogin"
   ],
-
-  ... // 监听字段
+  ...
+  // 监听字段
 }
 ```
 
@@ -94,15 +93,23 @@ tun 接口的 IPv6 前缀。
 
 #### strict_route
 
-*在 Linux 中*:
-
 启用 `auto_route` 时执行严格的路由规则。
 
+*在 Linux 中*:
+
 * 让不支持的网络无法到达
 * 将所有连接路由到 tun
 
 它可以防止地址泄漏，并使 DNS 劫持在 Android 和使用 systemd-resolved 的 Linux 上工作，但你的设备将无法其他设备被访问。
 
+*在 Windows 中*:
+
+* 添加防火墙规则以阻止 Windows
+  的 [普通多宿主 DNS 解析行为](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552%28v%3Dws.10%29)
+  造成的 DNS 泄露
+
+它可能会使某些应用程序（如 VirtualBox）在某些情况下无法正常工作。
+
 #### inet4_route_address
 
 启用 `auto_route` 时使用自定义路由而不是默认路由。

go.mod

@@ -26,7 +26,7 @@ require (
 	github.com/sagernet/sing v0.0.0-20221008120626-60a9910eefe4
 	github.com/sagernet/sing-dns v0.0.0-20221031055845-7de76401d403
 	github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6
-	github.com/sagernet/sing-tun v0.0.0-20221028015259-ea5c35f62f07
+	github.com/sagernet/sing-tun v0.0.0-20221104121441-66c48a57776f
 	github.com/sagernet/sing-vmess v0.0.0-20220925083655-063bc85ea685
 	github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195
 	github.com/sagernet/websocket v0.0.0-20220913015213-615516348b4e

go.sum

@@ -138,8 +138,8 @@ github.com/sagernet/sing-dns v0.0.0-20221031055845-7de76401d403 h1:kKDO97rx+JVJ4
 github.com/sagernet/sing-dns v0.0.0-20221031055845-7de76401d403/go.mod h1:cyL9DHbBZ0Xlt/8VD0i6yeiDayH0KzWGNQb8MYhhz7g=
 github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6 h1:JJfDeYYhWunvtxsU/mOVNTmFQmnzGx9dY034qG6G3g4=
 github.com/sagernet/sing-shadowsocks v0.0.0-20220819002358-7461bb09a8f6/go.mod h1:EX3RbZvrwAkPI2nuGa78T2iQXmrkT+/VQtskjou42xM=
-github.com/sagernet/sing-tun v0.0.0-20221028015259-ea5c35f62f07 h1:zupkkVVFWv0QsLPjxEzlzXlLfDk1hUujK8ctJSIKFCI=
-github.com/sagernet/sing-tun v0.0.0-20221028015259-ea5c35f62f07/go.mod h1:1u3pjXA9HmH7kRiBJqM3C/zPxrxnCLd3svmqtub/RFU=
+github.com/sagernet/sing-tun v0.0.0-20221104121441-66c48a57776f h1:CXF+nErOb9f7qiHingSgTa2/lJAgmEFtAQ47oVwdRGU=
+github.com/sagernet/sing-tun v0.0.0-20221104121441-66c48a57776f/go.mod h1:1u3pjXA9HmH7kRiBJqM3C/zPxrxnCLd3svmqtub/RFU=
 github.com/sagernet/sing-vmess v0.0.0-20220925083655-063bc85ea685 h1:AZzFNRR/ZwMTceUQ1b/mxx6oyKqmFymdMn/yleJmoVM=
 github.com/sagernet/sing-vmess v0.0.0-20220925083655-063bc85ea685/go.mod h1:bwhAdSNET1X+j9DOXGj9NIQR39xgcWIk1rOQ9lLD+gM=
 github.com/sagernet/smux v0.0.0-20220831015742-e0f1988e3195 h1:5VBIbVw9q7aKbrFdT83mjkyvQ+VaRsQ6yflTepfln38=