diff --git a/package/lienol/luci-app-passwall/Makefile b/package/lienol/luci-app-passwall/Makefile
index ec21bb418f..aaaf97f432 100644
--- a/package/lienol/luci-app-passwall/Makefile
+++ b/package/lienol/luci-app-passwall/Makefile
@@ -7,8 +7,8 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=luci-app-passwall
PKG_VERSION:=3.9
-PKG_RELEASE:=22
-PKG_DATE:=20200724
+PKG_RELEASE:=23
+PKG_DATE:=20200727
PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
diff --git a/package/lienol/luci-app-passwall/luasrc/controller/passwall.lua b/package/lienol/luci-app-passwall/luasrc/controller/passwall.lua
index 9d180b2f12..997ec88a7b 100644
--- a/package/lienol/luci-app-passwall/luasrc/controller/passwall.lua
+++ b/package/lienol/luci-app-passwall/luasrc/controller/passwall.lua
@@ -9,58 +9,61 @@ local v2ray = require "luci.model.cbi.passwall.api.v2ray"
local trojan_go = require "luci.model.cbi.passwall.api.trojan_go"
function index()
+ appname = "passwall"
+ entry({"admin", "services", appname}).dependent = true
+ entry({"admin", "services", appname, "reset_config"}, call("reset_config")).leaf = true
+ entry({"admin", "services", appname, "show"}, call("show_menu")).leaf = true
+ entry({"admin", "services", appname, "hide"}, call("hide_menu")).leaf = true
if not nixio.fs.access("/etc/config/passwall") then return end
- entry({"admin", "services", "passwall", "reset_config"}, call("reset_config")).leaf = true
- entry({"admin", "services", "passwall", "show"}, call("show_menu")).leaf = true
- entry({"admin", "services", "passwall", "hide"}, call("hide_menu")).leaf = true
if nixio.fs.access("/etc/config/passwall_show") then
- entry({"admin", "services", "passwall"}, alias("admin", "services", "passwall", "settings"), _("Pass Wall"), 1).dependent = true
+ entry({"admin", "services", appname}, alias("admin", "services", appname, "settings"), _("Pass Wall"), 1).dependent = true
end
- entry({"admin", "services", "passwall", "settings"}, cbi("passwall/global"), _("Basic Settings"), 1).dependent = true
- entry({"admin", "services", "passwall", "node_list"}, cbi("passwall/node_list"), _("Node List"), 2).dependent = true
- entry({"admin", "services", "passwall", "auto_switch"}, cbi("passwall/auto_switch"), _("Auto Switch"), 3).leaf = true
- entry({"admin", "services", "passwall", "other"}, cbi("passwall/other", {autoapply = true}), _("Other Settings"), 93).leaf = true
+ entry({"admin", "services", appname, "settings"}, cbi("passwall/global"), _("Basic Settings"), 1).dependent = true
+ entry({"admin", "services", appname, "node_list"}, cbi("passwall/node_list"), _("Node List"), 2).dependent = true
+ entry({"admin", "services", appname, "auto_switch"}, cbi("passwall/auto_switch"), _("Auto Switch"), 3).leaf = true
+ entry({"admin", "services", appname, "other"}, cbi("passwall/other", {autoapply = true}), _("Other Settings"), 93).leaf = true
if nixio.fs.access("/usr/sbin/haproxy") then
- entry({"admin", "services", "passwall", "haproxy"}, cbi("passwall/haproxy"), _("Load Balancing"), 94).leaf = true
+ entry({"admin", "services", appname, "haproxy"}, cbi("passwall/haproxy"), _("Load Balancing"), 94).leaf = true
end
- entry({"admin", "services", "passwall", "node_subscribe"}, cbi("passwall/node_subscribe"), _("Node Subscribe"), 95).dependent = true
- entry({"admin", "services", "passwall", "rule"}, cbi("passwall/rule"), _("Rule Update"), 96).leaf = true
- entry({"admin", "services", "passwall", "node_config"}, cbi("passwall/node_config")).leaf = true
- entry({"admin", "services", "passwall", "shunt_rules"}, cbi("passwall/shunt_rules")).leaf = true
- entry({"admin", "services", "passwall", "acl"}, cbi("passwall/acl"), _("Access control"), 97).leaf = true
- entry({"admin", "services", "passwall", "log"}, form("passwall/log"), _("Watch Logs"), 999).leaf = true
- entry({"admin", "services", "passwall", "server"}, cbi("passwall/server/index"), _("Server-Side"), 99).leaf = true
- entry({"admin", "services", "passwall", "server_user"}, cbi("passwall/server/user")).leaf = true
+ entry({"admin", "services", appname, "node_subscribe"}, cbi("passwall/node_subscribe"), _("Node Subscribe"), 95).dependent = true
+ entry({"admin", "services", appname, "rule"}, cbi("passwall/rule"), _("Rule"), 96).leaf = true
+ entry({"admin", "services", appname, "app_update"}, cbi("passwall/app_update"), _("App Update"), 97).leaf = true
+ entry({"admin", "services", appname, "node_config"}, cbi("passwall/node_config")).leaf = true
+ entry({"admin", "services", appname, "shunt_rules"}, cbi("passwall/shunt_rules")).leaf = true
+ entry({"admin", "services", appname, "acl"}, cbi("passwall/acl"), _("Access control"), 98).leaf = true
+ entry({"admin", "services", appname, "log"}, form("passwall/log"), _("Watch Logs"), 999).leaf = true
+ entry({"admin", "services", appname, "server"}, cbi("passwall/server/index"), _("Server-Side"), 99).leaf = true
+ entry({"admin", "services", appname, "server_user"}, cbi("passwall/server/user")).leaf = true
- entry({"admin", "services", "passwall", "server_user_status"}, call("server_user_status")).leaf = true
- entry({"admin", "services", "passwall", "server_get_log"}, call("server_get_log")).leaf = true
- entry({"admin", "services", "passwall", "server_clear_log"}, call("server_clear_log")).leaf = true
- entry({"admin", "services", "passwall", "link_append_temp"}, call("link_append_temp")).leaf = true
- entry({"admin", "services", "passwall", "link_load_temp"}, call("link_load_temp")).leaf = true
- entry({"admin", "services", "passwall", "link_clear_temp"}, call("link_clear_temp")).leaf = true
- entry({"admin", "services", "passwall", "link_add_node"}, call("link_add_node")).leaf = true
- entry({"admin", "services", "passwall", "get_log"}, call("get_log")).leaf = true
- entry({"admin", "services", "passwall", "clear_log"}, call("clear_log")).leaf = true
- entry({"admin", "services", "passwall", "status"}, call("status")).leaf = true
- entry({"admin", "services", "passwall", "socks_status"}, call("socks_status")).leaf = true
- entry({"admin", "services", "passwall", "connect_status"}, call("connect_status")).leaf = true
- entry({"admin", "services", "passwall", "check_port"}, call("check_port")).leaf = true
- entry({"admin", "services", "passwall", "ping_node"}, call("ping_node")).leaf = true
- entry({"admin", "services", "passwall", "set_node"}, call("set_node")).leaf = true
- entry({"admin", "services", "passwall", "copy_node"}, call("copy_node")).leaf = true
- entry({"admin", "services", "passwall", "clear_all_nodes"}, call("clear_all_nodes")).leaf = true
- entry({"admin", "services", "passwall", "delete_select_nodes"}, call("delete_select_nodes")).leaf = true
- entry({"admin", "services", "passwall", "update_rules"}, call("update_rules")).leaf = true
- entry({"admin", "services", "passwall", "luci_check"}, call("luci_check")).leaf = true
- entry({"admin", "services", "passwall", "luci_update"}, call("luci_update")).leaf = true
- entry({"admin", "services", "passwall", "kcptun_check"}, call("kcptun_check")).leaf = true
- entry({"admin", "services", "passwall", "kcptun_update"}, call("kcptun_update")).leaf = true
- entry({"admin", "services", "passwall", "brook_check"}, call("brook_check")).leaf = true
- entry({"admin", "services", "passwall", "brook_update"}, call("brook_update")).leaf = true
- entry({"admin", "services", "passwall", "v2ray_check"}, call("v2ray_check")).leaf = true
- entry({"admin", "services", "passwall", "v2ray_update"}, call("v2ray_update")).leaf = true
- entry({"admin", "services", "passwall", "trojan_go_check"}, call("trojan_go_check")).leaf = true
- entry({"admin", "services", "passwall", "trojan_go_update"}, call("trojan_go_update")).leaf = true
+ entry({"admin", "services", appname, "server_user_status"}, call("server_user_status")).leaf = true
+ entry({"admin", "services", appname, "server_get_log"}, call("server_get_log")).leaf = true
+ entry({"admin", "services", appname, "server_clear_log"}, call("server_clear_log")).leaf = true
+ entry({"admin", "services", appname, "link_append_temp"}, call("link_append_temp")).leaf = true
+ entry({"admin", "services", appname, "link_load_temp"}, call("link_load_temp")).leaf = true
+ entry({"admin", "services", appname, "link_clear_temp"}, call("link_clear_temp")).leaf = true
+ entry({"admin", "services", appname, "link_add_node"}, call("link_add_node")).leaf = true
+ entry({"admin", "services", appname, "get_log"}, call("get_log")).leaf = true
+ entry({"admin", "services", appname, "clear_log"}, call("clear_log")).leaf = true
+ entry({"admin", "services", appname, "status"}, call("status")).leaf = true
+ entry({"admin", "services", appname, "socks_status"}, call("socks_status")).leaf = true
+ entry({"admin", "services", appname, "connect_status"}, call("connect_status")).leaf = true
+ entry({"admin", "services", appname, "check_port"}, call("check_port")).leaf = true
+ entry({"admin", "services", appname, "ping_node"}, call("ping_node")).leaf = true
+ entry({"admin", "services", appname, "set_node"}, call("set_node")).leaf = true
+ entry({"admin", "services", appname, "copy_node"}, call("copy_node")).leaf = true
+ entry({"admin", "services", appname, "clear_all_nodes"}, call("clear_all_nodes")).leaf = true
+ entry({"admin", "services", appname, "delete_select_nodes"}, call("delete_select_nodes")).leaf = true
+ entry({"admin", "services", appname, "update_rules"}, call("update_rules")).leaf = true
+ entry({"admin", "services", appname, "luci_check"}, call("luci_check")).leaf = true
+ entry({"admin", "services", appname, "luci_update"}, call("luci_update")).leaf = true
+ entry({"admin", "services", appname, "kcptun_check"}, call("kcptun_check")).leaf = true
+ entry({"admin", "services", appname, "kcptun_update"}, call("kcptun_update")).leaf = true
+ entry({"admin", "services", appname, "brook_check"}, call("brook_check")).leaf = true
+ entry({"admin", "services", appname, "brook_update"}, call("brook_update")).leaf = true
+ entry({"admin", "services", appname, "v2ray_check"}, call("v2ray_check")).leaf = true
+ entry({"admin", "services", appname, "v2ray_update"}, call("v2ray_update")).leaf = true
+ entry({"admin", "services", appname, "trojan_go_check"}, call("trojan_go_check")).leaf = true
+ entry({"admin", "services", appname, "trojan_go_update"}, call("trojan_go_update")).leaf = true
end
local function http_write_json(content)
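Review bot: `reset_config`, `show` and `hide` are now registered before the `/etc/config/passwall` check, and like the other state-changing routes in this hunk (`clear_all_nodes`, `delete_select_nodes`, the `*_update` handlers) they are plain `call(...)` targets, so a bare GET from a logged-in browser session is enough to trigger them. Where the LuCI dispatcher in this tree offers `post()`, registering them as `entry({"admin", "services", appname, "reset_config"}, post("reset_config")).leaf = true` would require a token-bearing POST; the templates that link to these URLs would have to change with it. Separately, `appname = "passwall"` at the top of `index()` creates a global; `local appname = "passwall"` keeps it scoped to the function, since the handlers further down (for example `status()`) appear to use a module-level `appname` already.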
@@ -70,12 +73,12 @@ end
function reset_config()
luci.sys.call('[ -f "/usr/share/passwall/config.default" ] && cp -f /usr/share/passwall/config.default /etc/config/passwall && /etc/init.d/passwall reload')
- luci.http.redirect(luci.dispatcher.build_url("admin", "services", "passwall"))
+ luci.http.redirect(luci.dispatcher.build_url("admin", "services", appname))
end
function show_menu()
luci.sys.call("touch /etc/config/passwall_show")
- luci.http.redirect(luci.dispatcher.build_url("admin", "services", "passwall"))
+ luci.http.redirect(luci.dispatcher.build_url("admin", "services", appname))
end
function hide_menu()
@@ -130,7 +133,7 @@ end
function status()
-- local dns_mode = ucic:get(appname, "@global[0]", "dns_mode")
local e = {}
- e.dns_mode_status = luci.sys.call("netstat -apn | grep 7913 >/dev/null") == 0
+ e.dns_mode_status = luci.sys.call("netstat -apn | grep ':7913 ' | grep 'LISTEN' >/dev/null") == 0
e.haproxy_status = luci.sys.call(string.format("ps -w | grep -v grep | grep '%s/bin/' | grep haproxy >/dev/null", appname)) == 0
local tcp_node_num = ucic:get(appname, "@global_other[0]", "tcp_node_num") or 1
for i = 1, tcp_node_num, 1 do
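Review bot: The added `grep 'LISTEN'` on the `dns_mode_status` line only matches TCP sockets, because netstat prints no state for UDP listeners; if the resolver on port 7913 binds UDP only (this depends on the configured DNS mode, which is not visible here), the status would always read false. Restricting netstat to listening sockets and matching the local address alone covers both protocols, e.g. `luci.sys.call("netstat -lntup | grep ':7913 ' >/dev/null") == 0`. The body of `status()` continues outside this hunk.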
@@ -198,7 +201,7 @@ function set_node()
ucic:set(appname, "@global[0]", protocol .. "_node" .. number, section)
ucic:commit(appname)
luci.sys.call("/etc/init.d/passwall restart > /dev/null 2>&1 &")
- luci.http.redirect(luci.dispatcher.build_url("admin", "services", "passwall", "log"))
+ luci.http.redirect(luci.dispatcher.build_url("admin", "services", appname, "log"))
end
function copy_node()
@@ -245,7 +248,7 @@ function check_port()
-- retstring = retstring .. "暂时不支持UDP检测
"
retstring = retstring .. "检测端口可用性
"
- ucic:foreach("passwall", "nodes", function(s)
+ ucic:foreach(appname, "nodes", function(s)
local ret = ""
local tcp_socket
if (s.use_kcp and s.use_kcp == "1" and s.kcp_port) or
diff --git a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/api/gen_v2ray.lua b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/api/gen_v2ray.lua
index 61f5247a99..4af3ee8621 100644
--- a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/api/gen_v2ray.lua
+++ b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/api/gen_v2ray.lua
@@ -75,6 +75,7 @@ local function gen_outbound(node, tag)
congestion = (node.mkcp_congestion == "1") and true or false,
readBufferSize = tonumber(node.mkcp_readBufferSize),
writeBufferSize = tonumber(node.mkcp_writeBufferSize),
+ seed = (node.mkcp_seed and node.mkcp_seed ~= "") and node.mkcp_seed or nil,
header = {type = node.mkcp_guise}
} or nil,
wsSettings = (node.transport == "ws") and {
@@ -122,6 +123,12 @@ local function gen_outbound(node, tag)
}
}
end
+
+ if node.transport == "mkcp" or node.transport == "ds" or node.transport == "quic" then
+ result.streamSettings.security = "none"
+ result.streamSettings.tlsSettings = nil
+ end
+
return result
end
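Review bot: The block added before `return result` forces `security = "none"` and drops `tlsSettings` whenever the transport is `mkcp`, `ds` or `quic`, so a node saved with TLS enabled is silently downgraded with no log line or UI hint. If the override is intended, a comment stating why these transports must not carry TLS would help, and the node form should hide the TLS options for them so the stored settings match the generated config. The block also indexes `result.streamSettings` unconditionally; if `gen_outbound` can produce a result without `streamSettings` for some node types (its start is outside this hunk), guard it with `if result.streamSettings and (...) then`. The same override is added for `transit_node` in server/api/v2ray.lua.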
diff --git a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/app_update.lua b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/app_update.lua
new file mode 100644
index 0000000000..8a1713a769
--- /dev/null
+++ b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/app_update.lua
@@ -0,0 +1,47 @@
+local d = require "luci.dispatcher"
+local appname = "passwall"
+
+m = Map(appname)
+
+-- [[ App Settings ]]--
+s = m:section(TypedSection, "global_app", translate("App Update"),
+ "" ..
+ translate("Please confirm that your firmware supports FPU.") ..
+ "")
+s.anonymous = true
+s:append(Template(appname .. "/app_update/v2ray_version"))
+s:append(Template(appname .. "/app_update/trojan_go_version"))
+s:append(Template(appname .. "/app_update/kcptun_version"))
+s:append(Template(appname .. "/app_update/brook_version"))
+
+---- V2ray Path
+o = s:option(Value, "v2ray_file", translate("V2ray Path"), translatef("if you want to run from memory, change the path, such as %s, Then save the application and update it manually.", "/tmp/v2ray/"))
+o.default = "/usr/bin/v2ray/"
+o.rmempty = false
+
+---- Trojan-Go Path
+o = s:option(Value, "trojan_go_file", translate("Trojan-Go Path"), translatef("if you want to run from memory, change the path, such as %s, Then save the application and update it manually.", "/tmp/trojan-go"))
+o.default = "/usr/bin/trojan-go"
+o.rmempty = false
+
+o = s:option(Value, "trojan_go_latest", translate("Trojan-Go Version API"), translate("alternate API URL for version checking"))
+o.default = "https://api.github.com/repos/peter-tank/trojan-go/releases/latest"
+
+---- Kcptun client Path
+o = s:option(Value, "kcptun_client_file", translate("Kcptun Client Path"), translatef("if you want to run from memory, change the path, such as %s, Then save the application and update it manually.", "/tmp/kcptun-client"))
+o.default = "/usr/bin/kcptun-client"
+o.rmempty = false
+
+--[[
+o = s:option(Button, "_check_kcptun", translate("Manually update"), translatef("Make sure there is enough space to install %s", "kcptun"))
+o.template = appname .. "/kcptun"
+o.inputstyle = "apply"
+o.btnclick = "onBtnClick_kcptun(this);"
+o.id = "_kcptun-check_btn"]] --
+
+---- Brook Path
+o = s:option(Value, "brook_file", translate("Brook Path"), translatef("if you want to run from memory, change the path, such as %s, Then save the application and update it manually.", "/tmp/brook"))
+o.default = "/usr/bin/brook"
+o.rmempty = false
+
+return m
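Review bot: The path options (`v2ray_file`, `trojan_go_file`, `kcptun_client_file`, `brook_file`) and the `trojan_go_latest` URL are free-text `Value` fields with no validation, although app.sh expands `v2ray_file` unquoted into a command line (`ln_start_bin $(config_t_get global_app v2ray_file ...)/v2ray`) and the URL drives the version check. The code is carried over from rule.lua, but now that the form has its own page it is a good place to add a `validate` callback that accepts only absolute paths made of path-safe characters, e.g. `function o.validate(self, value) return value:match("^/[%w%._/%-]+$") and value or nil end`. For `trojan_go_latest` a similar check that the value starts with `https://` would keep the update check off plaintext or local schemes.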
diff --git a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/auto_switch.lua b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/auto_switch.lua
index a98b01d2ac..9257d8cf45 100644
--- a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/auto_switch.lua
+++ b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/auto_switch.lua
@@ -20,7 +20,7 @@ end)
m = Map(appname)
-- [[ Auto Switch Settings ]]--
-s = m:section(TypedSection, "auto_switch", translate("Auto Switch"))
+s = m:section(TypedSection, "auto_switch")
s.anonymous = true
---- Enable
diff --git a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/global.lua b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/global.lua
index b9e615e72b..22464db365 100644
--- a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/global.lua
+++ b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/global.lua
@@ -68,8 +68,7 @@ else
end
-- [[ Global Settings ]]--
-s = m:section(TypedSection, "global", translate("Main Settings"))
--- s.description = translate("If you can use it, very stable. If not, GG !!!")
+s = m:section(TypedSection, "global")
s.anonymous = true
s.addremove = false
diff --git a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/haproxy.lua b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/haproxy.lua
index 24ccde1daf..893a0ae88d 100644
--- a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/haproxy.lua
+++ b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/haproxy.lua
@@ -19,7 +19,7 @@ end)
m = Map(appname)
-- [[ Haproxy Settings ]]--
-s = m:section(TypedSection, "global_haproxy", translate("Load Balancing"))
+s = m:section(TypedSection, "global_haproxy")
s.anonymous = true
s:append(Template(appname .. "/haproxy/status"))
@@ -47,7 +47,7 @@ o.default = "1188"
o:depends("balancing_enable", 1)
-- [[ Balancing Settings ]]--
-s = m:section(TypedSection, "haproxy_config", translate("Load Balancing Setting"),
+s = m:section(TypedSection, "haproxy_config", "",
"" .. translate("Add a node, Export Of Multi WAN Only support Multi Wan. Load specific gravity range 1-256. Multiple primary servers can be load balanced, standby will only be enabled when the primary server is offline! Multiple groups can be set, Haproxy port same one for each group.").."")
s.template = "cbi/tblsection"
s.sortable = true
diff --git a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/node_config.lua b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/node_config.lua
index 8475882e29..76ed33680c 100644
--- a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/node_config.lua
+++ b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/node_config.lua
@@ -414,26 +414,35 @@ for a, t in ipairs(header_type_list) do mkcp_guise:value(t) end
mkcp_guise:depends("transport", "mkcp")
mkcp_mtu = s:option(Value, "mkcp_mtu", translate("KCP MTU"))
+mkcp_mtu.default = "1350"
mkcp_mtu:depends("transport", "mkcp")
mkcp_tti = s:option(Value, "mkcp_tti", translate("KCP TTI"))
+mkcp_tti.default = "20"
mkcp_tti:depends("transport", "mkcp")
mkcp_uplinkCapacity = s:option(Value, "mkcp_uplinkCapacity", translate("KCP uplinkCapacity"))
+mkcp_uplinkCapacity.default = "5"
mkcp_uplinkCapacity:depends("transport", "mkcp")
mkcp_downlinkCapacity = s:option(Value, "mkcp_downlinkCapacity", translate("KCP downlinkCapacity"))
+mkcp_downlinkCapacity.default = "20"
mkcp_downlinkCapacity:depends("transport", "mkcp")
mkcp_congestion = s:option(Flag, "mkcp_congestion", translate("KCP Congestion"))
mkcp_congestion:depends("transport", "mkcp")
mkcp_readBufferSize = s:option(Value, "mkcp_readBufferSize", translate("KCP readBufferSize"))
+mkcp_readBufferSize.default = "1"
mkcp_readBufferSize:depends("transport", "mkcp")
mkcp_writeBufferSize = s:option(Value, "mkcp_writeBufferSize", translate("KCP writeBufferSize"))
+mkcp_writeBufferSize.default = "1"
mkcp_writeBufferSize:depends("transport", "mkcp")
+mkcp_seed = s:option(Value, "mkcp_seed", translate("KCP Seed"))
+mkcp_seed:depends("transport", "mkcp")
+
-- [[ WebSocket部分 ]]--
ws_host = s:option(Value, "ws_host", translate("WebSocket Host"))
ws_host:depends("transport", "ws")
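Review bot: The KCP fields that gain defaults here (`mkcp_mtu`, `mkcp_tti`, the capacity and buffer-size options) are still untyped `Value` inputs, and the generators pass them through `tonumber()`, so a typo silently becomes a missing setting instead of being rejected in the form. Adding `mkcp_mtu.datatype = "uinteger"` (and likewise for the others) would catch this at save time. The new `mkcp_seed` is a value shared between client and server; consider `mkcp_seed.password = true` so it is not shown in clear on the page. The identical hunk in server/user.lua has the same gaps.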
diff --git a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/rule.lua b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/rule.lua
index e9e82b5093..4b0f68b110 100644
--- a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/rule.lua
+++ b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/rule.lua
@@ -64,45 +64,4 @@ end
o = s:option(DummyValue, "remarks", translate("Remarks"))
--- [[ App Settings ]]--
-s = m:section(TypedSection, "global_app", translate("App Update"),
- "" ..
- translate("Please confirm that your firmware supports FPU.") ..
- "")
-s.anonymous = true
-s:append(Template(appname .. "/rule/v2ray_version"))
-s:append(Template(appname .. "/rule/trojan_go_version"))
-s:append(Template(appname .. "/rule/kcptun_version"))
-s:append(Template(appname .. "/rule/brook_version"))
-
----- V2ray Path
-o = s:option(Value, "v2ray_file", translate("V2ray Path"), translatef("if you want to run from memory, change the path, such as %s, Then save the application and update it manually.", "/tmp/v2ray/"))
-o.default = "/usr/bin/v2ray/"
-o.rmempty = false
-
----- Trojan-Go Path
-o = s:option(Value, "trojan_go_file", translate("Trojan-Go Path"), translatef("if you want to run from memory, change the path, such as %s, Then save the application and update it manually.", "/tmp/trojan-go"))
-o.default = "/usr/bin/trojan-go"
-o.rmempty = false
-
-o = s:option(Value, "trojan_go_latest", translate("Trojan-Go Version API"), translate("alternate API URL for version checking"))
-o.default = "https://api.github.com/repos/peter-tank/trojan-go/releases/latest"
-
----- Kcptun client Path
-o = s:option(Value, "kcptun_client_file", translate("Kcptun Client Path"), translatef("if you want to run from memory, change the path, such as %s, Then save the application and update it manually.", "/tmp/kcptun-client"))
-o.default = "/usr/bin/kcptun-client"
-o.rmempty = false
-
---[[
-o = s:option(Button, "_check_kcptun", translate("Manually update"), translatef("Make sure there is enough space to install %s", "kcptun"))
-o.template = appname .. "/kcptun"
-o.inputstyle = "apply"
-o.btnclick = "onBtnClick_kcptun(this);"
-o.id = "_kcptun-check_btn"]] --
-
----- Brook Path
-o = s:option(Value, "brook_file", translate("Brook Path"), translatef("if you want to run from memory, change the path, such as %s, Then save the application and update it manually.", "/tmp/brook"))
-o.default = "/usr/bin/brook"
-o.rmempty = false
-
return m
diff --git a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/server/api/v2ray.lua b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/server/api/v2ray.lua
index a0d8e5250c..27dac1d5b6 100644
--- a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/server/api/v2ray.lua
+++ b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/server/api/v2ray.lua
@@ -89,8 +89,7 @@ function gen_config(user)
tlsSettings = (node.stream_security == "tls") and {
disableSessionResumption = node.sessionTicket ~= "1" and true or false,
serverName = node.tls_serverName,
- allowInsecure = (node.tls_allowInsecure == "1") and true or
- false
+ allowInsecure = (node.tls_allowInsecure == "1") and true or false
} or nil,
tcpSettings = (node.transport == "tcp") and {
header = {
@@ -107,25 +106,23 @@ function gen_config(user)
mtu = tonumber(node.mkcp_mtu),
tti = tonumber(node.mkcp_tti),
uplinkCapacity = tonumber(node.mkcp_uplinkCapacity),
- downlinkCapacity = tonumber(
- node.mkcp_downlinkCapacity),
- congestion = (node.mkcp_congestion == "1") and
- true or false,
+ downlinkCapacity = tonumber(node.mkcp_downlinkCapacity),
+ congestion = (node.mkcp_congestion == "1") and true or false,
readBufferSize = tonumber(node.mkcp_readBufferSize),
- writeBufferSize = tonumber(
- node.mkcp_writeBufferSize),
+ writeBufferSize = tonumber(node.mkcp_writeBufferSize),
+ seed = (node.mkcp_seed and node.mkcp_seed ~= "") and node.mkcp_seed or nil,
header = {type = node.mkcp_guise}
} or nil,
wsSettings = (node.transport == "ws") and {
path = node.ws_path or "",
- headers = (node.ws_host ~= nil) and
- {Host = node.ws_host} or nil
+ headers = (node.ws_host ~= nil) and {Host = node.ws_host} or nil
+ } or nil,
+ httpSettings = (node.transport == "h2") and {
+ path = node.h2_path, host = node.h2_host
+ } or nil,
+ dsSettings = (node.transport == "ds") and {
+ path = node.ds_path
} or nil,
- httpSettings = (node.transport == "h2") and
- {path = node.h2_path, host = node.h2_host} or
- nil,
- dsSettings = (node.transport == "ds") and
- {path = node.ds_path} or nil,
quicSettings = (node.transport == "quic") and {
security = node.quic_security,
key = node.quic_key,
@@ -165,6 +162,12 @@ function gen_config(user)
} or nil
}
}
+
+ if node.transport == "mkcp" or node.transport == "ds" or node.transport == "quic" then
+ transit_node.streamSettings.security = "none"
+ transit_node.streamSettings.tlsSettings = nil
+ end
+
table.insert(outbounds, 1, transit_node)
end
end
@@ -214,6 +217,7 @@ function gen_config(user)
congestion = (user.mkcp_congestion == "1") and true or false,
readBufferSize = tonumber(user.mkcp_readBufferSize),
writeBufferSize = tonumber(user.mkcp_writeBufferSize),
+ seed = (user.mkcp_seed and user.mkcp_seed ~= "") and user.mkcp_seed or nil,
header = {type = user.mkcp_guise}
} or nil,
wsSettings = (user.transport == "ws") and {
@@ -238,5 +242,11 @@ function gen_config(user)
outbounds = outbounds,
routing = routing
}
+
+ if user.transport == "mkcp" or user.transport == "ds" or user.transport == "quic" then
+ user.streamSettings.security = "none"
+ user.streamSettings.tlsSettings = nil
+ end
+
return config
end
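Review bot: The block added before `return config` writes to `user.streamSettings`, but `user` is the flat option table read throughout this function (`user.transport`, `user.mkcp_seed`), so `user.streamSettings` is most likely nil and the first assignment would raise an "attempt to index" error for every mkcp, ds or quic user, leaving that server without a generated config. Even if it did not raise, `config` has already been built at this point, so the override would not reach the output. It should target the inbound table inside `config` that carries `streamSettings`; that part of the table is outside this hunk, so something like `local ss = config.inbounds[1].streamSettings` followed by `ss.security = "none"` and `ss.tlsSettings = nil` needs checking against the actual structure.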
diff --git a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/server/user.lua b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/server/user.lua
index 27bd046fcf..eca29b7291 100644
--- a/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/server/user.lua
+++ b/package/lienol/luci-app-passwall/luasrc/model/cbi/passwall/server/user.lua
@@ -294,26 +294,35 @@ for a, t in ipairs(header_type_list) do mkcp_guise:value(t) end
mkcp_guise:depends("transport", "mkcp")
mkcp_mtu = s:option(Value, "mkcp_mtu", translate("KCP MTU"))
+mkcp_mtu.default = "1350"
mkcp_mtu:depends("transport", "mkcp")
mkcp_tti = s:option(Value, "mkcp_tti", translate("KCP TTI"))
+mkcp_tti.default = "20"
mkcp_tti:depends("transport", "mkcp")
mkcp_uplinkCapacity = s:option(Value, "mkcp_uplinkCapacity", translate("KCP uplinkCapacity"))
+mkcp_uplinkCapacity.default = "5"
mkcp_uplinkCapacity:depends("transport", "mkcp")
mkcp_downlinkCapacity = s:option(Value, "mkcp_downlinkCapacity", translate("KCP downlinkCapacity"))
+mkcp_downlinkCapacity.default = "20"
mkcp_downlinkCapacity:depends("transport", "mkcp")
mkcp_congestion = s:option(Flag, "mkcp_congestion", translate("KCP Congestion"))
mkcp_congestion:depends("transport", "mkcp")
mkcp_readBufferSize = s:option(Value, "mkcp_readBufferSize", translate("KCP readBufferSize"))
+mkcp_readBufferSize.default = "1"
mkcp_readBufferSize:depends("transport", "mkcp")
mkcp_writeBufferSize = s:option(Value, "mkcp_writeBufferSize", translate("KCP writeBufferSize"))
+mkcp_writeBufferSize.default = "1"
mkcp_writeBufferSize:depends("transport", "mkcp")
+mkcp_seed = s:option(Value, "mkcp_seed", translate("KCP Seed"))
+mkcp_seed:depends("transport", "mkcp")
+
-- [[ WebSocket部分 ]]--
ws_host = s:option(Value, "ws_host", translate("WebSocket Host"))
diff --git a/package/lienol/luci-app-passwall/luasrc/view/passwall/rule/brook_version.htm b/package/lienol/luci-app-passwall/luasrc/view/passwall/app_update/brook_version.htm
similarity index 100%
rename from package/lienol/luci-app-passwall/luasrc/view/passwall/rule/brook_version.htm
rename to package/lienol/luci-app-passwall/luasrc/view/passwall/app_update/brook_version.htm
diff --git a/package/lienol/luci-app-passwall/luasrc/view/passwall/rule/kcptun_version.htm b/package/lienol/luci-app-passwall/luasrc/view/passwall/app_update/kcptun_version.htm
similarity index 100%
rename from package/lienol/luci-app-passwall/luasrc/view/passwall/rule/kcptun_version.htm
rename to package/lienol/luci-app-passwall/luasrc/view/passwall/app_update/kcptun_version.htm
diff --git a/package/lienol/luci-app-passwall/luasrc/view/passwall/rule/trojan_go_version.htm b/package/lienol/luci-app-passwall/luasrc/view/passwall/app_update/trojan_go_version.htm
similarity index 100%
rename from package/lienol/luci-app-passwall/luasrc/view/passwall/rule/trojan_go_version.htm
rename to package/lienol/luci-app-passwall/luasrc/view/passwall/app_update/trojan_go_version.htm
diff --git a/package/lienol/luci-app-passwall/luasrc/view/passwall/rule/v2ray_version.htm b/package/lienol/luci-app-passwall/luasrc/view/passwall/app_update/v2ray_version.htm
similarity index 100%
rename from package/lienol/luci-app-passwall/luasrc/view/passwall/rule/v2ray_version.htm
rename to package/lienol/luci-app-passwall/luasrc/view/passwall/app_update/v2ray_version.htm
diff --git a/package/lienol/luci-app-passwall/po/zh-cn/passwall.po b/package/lienol/luci-app-passwall/po/zh-cn/passwall.po
index c411319c63..097283d997 100644
--- a/package/lienol/luci-app-passwall/po/zh-cn/passwall.po
+++ b/package/lienol/luci-app-passwall/po/zh-cn/passwall.po
@@ -67,8 +67,8 @@ msgstr "负载均衡"
msgid "Enter interface"
msgstr "进入界面"
-msgid "Rule Update"
-msgstr "自动更新"
+msgid "Rule"
+msgstr "规则"
msgid "Access control"
msgstr "访问控制"
@@ -586,9 +586,6 @@ msgstr "在浏览器输入路由IP加端口访问,如:192.168.1.1:1188"
msgid "Haproxy Port"
msgstr "负载均衡端口"
-msgid "Load Balancing Setting"
-msgstr "负载均衡设置"
-
msgid "Add a node, Export Of Multi WAN Only support Multi Wan. Load specific gravity range 1-256. Multiple primary servers can be load balanced, standby will only be enabled when the primary server is offline! Multiple groups can be set, Haproxy port same one for each group."
msgstr "添加节点,指定出口功能是为多WAN用户准备的。负载比重范围1-256。多个主服务器可以负载均衡,备用只有在主服务器离线时才会启用!可以设置多个组,负载均衡端口相同则为一组。"
diff --git a/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh b/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh
index 8ef83f2d6d..d10b86f09e 100755
--- a/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh
+++ b/package/lienol/luci-app-passwall/root/usr/share/passwall/app.sh
@@ -95,8 +95,8 @@ hosts_foreach() {
[ -z "${__hosts}" ] && return 0
local __ip __port
for __host in $(echo $__hosts | sed 's/[ ,]/\n/g'); do
- __ip=$(echo $__host | sed -n 's/\(^[^:#]*\).*$/\1/p')
- [ -n "${__default_port}" ] && __port=$(echo $__host | sed -n 's/^[^:#]*[:#]\([0-9]*\).*$/\1/p')
+ __port=$(echo $__host | sed -n 's/^.*[:#]\(^[0-9]*\)$/\1/p')
+ __ip="${__host%%${__port:+[:#]${__port}*}}"
eval "$__func \"${__host}\" \"\${__ip}\" \"\${__port:-${__default_port}}\" $@"
__ret=$?
[ ${__ret} -ge ${ERROR_NO_CATCH:-1} ] && return ${__ret}
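Review bot: In the new `__port` line the capture group is written `\(^[0-9]*\)`; in a basic regular expression a `^` directly after `\(` is treated as an anchor by common sed implementations, and an anchor cannot match after `[:#]`, so `__port` would stay empty and `__ip` would keep its `:port` suffix. Dropping the caret, `__port=$(echo $__host | sed -n 's/^.*[:#]\([0-9]*\)$/\1/p')`, gives the intended trailing-port match (worth confirming on the target's busybox sed). Note also that `${__host}` is expanded into the `eval` string unescaped on the context line below, so a host entry containing quotes or `$(...)` would be interpreted by the shell; writing it as `\"\${__host}\"`, like the other two arguments, avoids that. `hosts_foreach` starts and ends outside this hunk.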
@@ -278,7 +278,7 @@ run_socks() {
local port=$(config_n_get $node port)
local msg
- echolog "分析 Socks 服务 ${bind}:${local_port} 的代理服务器配置...."
+ echolog " 启用 ${bind}:${local_port}"
if [ -n "$server_host" ] && [ -n "$port" ]; then
server_host=$(echo $server_host | sed 's/^\(https:\/\/\|http:\/\/\)//g' | awk -F '/' '{print $1}')
[ -n "$(echo -n $server_host | awk '{print gensub(/[!-~]/,"","g",$0)}')" ] && msg="$remarks,非法的代理服务器地址,无法启动 !"
@@ -287,13 +287,13 @@ run_socks() {
fi
[ -n "${msg}" ] && {
- echolog ${msg}
+ echolog " ${msg}"
return 1
}
- echolog "使用代理服务器:$remarks,地址:${server_host}:${port}"
+ echolog " 节点:$remarks,${server_host}:${port}"
if [ "$type" == "socks" ]; then
- echolog "Socks节点不能使用Socks代理节点!"
+ echolog " 不能使用 Socks 类型的代理节点"
elif [ "$type" == "v2ray" ]; then
lua $API_GEN_V2RAY $node nil nil $local_port > $config_file
ln_start_bin $(config_t_get global_app v2ray_file $(find_bin v2ray))/v2ray v2ray "-config=$config_file"
@@ -314,11 +314,6 @@ run_socks() {
lua $API_GEN_SS $node $local_port > $config_file
ln_start_bin $(find_bin ${type}-local) ${type}-local "-c $config_file -b $bind -u"
fi
-
- msg="此 Sock 服务启动失败!"
- netstat -netplu | grep ":${local_port} "
- [ $? -eq 0 ] && msg="看起来这个 Socks 服务已经成功开启了。"
- echolog $msg
}
run_redir() {
@@ -488,6 +483,7 @@ start_redir() {
start_socks() {
local ids=$(uci show $CONFIG | grep "=socks" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
+ echolog "分析 Socks 服务的节点配置..."
for id in $ids; do
local enabled=$(config_n_get $id enabled 0)
[ "$enabled" == "0" ] && continue
@@ -732,6 +728,7 @@ gen_pdnsd_config() {
local perm_cache=2048
local _cache="on"
[ "$DNS_CACHE" == "0" ] && _cache="off" && perm_cache=0
+ echolog "准备 pdnsd 配置文件..."
cat > $pdnsd_dir/pdnsd.conf <<-EOF
global {
perm_cache = $perm_cache;
@@ -754,8 +751,8 @@ gen_pdnsd_config() {
EOF
append_pdnsd_updns() {
- [ -z "${2}" ] && echolog "略过错误配置的 DNS : [${1}]" && return 0
- echolog "配置 pdnsd 的上游DNS[${2}:${3}]"
+ [ -z "${2}" ] && echolog " 略过错误 : [${1}]" && return 0
+ echolog " 上游DNS[${2}:${3}]"
cat >> $pdnsd_dir/pdnsd.conf <<-EOF
server {
label = "node-${2}_${3}";
@@ -936,6 +933,7 @@ start() {
add_dnsmasq
source $APP_PATH/iptables.sh start
/etc/init.d/dnsmasq restart >/dev/null 2>&1
+ echolog "重启 dnsmasq 服务[$?]"
}
start_crontab
echolog "运行完成!\n"
@@ -953,6 +951,7 @@ stop() {
stop_crontab
del_dnsmasq
/etc/init.d/dnsmasq restart >/dev/null 2>&1
+ echolog "重启 dnsmasq 服务[$?]"
echolog "清空并关闭相关程序和缓存完成。"
}
diff --git a/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh b/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh
index d7fe10e5fe..81218b16cf 100755
--- a/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh
+++ b/package/lienol/luci-app-passwall/root/usr/share/passwall/iptables.sh
@@ -30,6 +30,19 @@ comment() {
echo "-m comment --comment '$1'"
}
+RULE_LAST_INDEX() {
+ [ $# -ge 3 ] || {
+ echolog "索引列举方式不正确(iptables),终止执行!"
+ exit 1
+ }
+ local ipt_tmp=${1}; shift
+ local chain=${1}; shift
+ local list=${1}; shift
+ local default=${1:-0}; shift
+ local _index=$($ipt_tmp -n -L $chain --line-numbers 2>/dev/null | grep "$list" | sed -n '$p' | awk '{print $1}')
+ echo "${_index:-${default}}"
+}
+
REDIRECT() {
local redirect="-j REDIRECT --to-ports $1"
[ "$2" == "TPROXY" ] && redirect="-j TPROXY --tproxy-mark 0x1/0x1 --on-port $1"
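Review bot: The `exit 1` in the argument check of `RULE_LAST_INDEX` cannot stop the script, because every call visible in this diff runs the function inside `$(...)`, where `exit` ends only the subshell and the caller gets an empty index. Printing a fallback and returning non-zero keeps callers well-defined, e.g. `echo 0; return 1`, or callers should test for an empty result before handing it to `-I`. The `grep "$list"` match also treats the set or chain name as a regular expression and matches anywhere in the listing line; `grep -F -- "$list"` would be stricter. A header comment giving the argument order (iptables command, chain, match text, optional default index) would help, since the function is called with both three and four arguments.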
@@ -136,7 +149,12 @@ load_acl() {
[ "$TCP_NODE" != "nil" ] && {
eval TCP_NODE_TYPE=$(echo $(config_n_get $TCP_NODE type) | tr 'A-Z' 'a-z')
local is_tproxy
- [ "$TCP_NODE_TYPE" == "brook" -a "$(config_n_get $TCP_NODE brook_protocol client)" == "client" ] && ipt_tmp=$ipt_m && is_tproxy="TPROXY"
+ if [ "$TCP_NODE_TYPE" == "brook" ] && [ "$(config_n_get $TCP_NODE brook_protocol client)" == "client" ]; then
+ echolog "为 brook 启用 TCP TPROXY 模式"
+ ipt_tmp=$ipt_m && is_tproxy="TPROXY"
+ else
+ echolog "使用 TCP FORWARD 模式"
+ fi
[ "$tcp_no_redir_ports" != "disable" ] && $ipt_tmp -A PSW $(comment "$remarks") $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p tcp -m multiport --dport $tcp_no_redir_ports -j RETURN
eval tcp_port=\$TCP_REDIR_PORT$tcp_node
$ipt_tmp -A PSW $(comment "$remarks") -p tcp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $tcp_redir_ports "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $tcp_port $is_tproxy)
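Review bot: The new `else` branch logs FORWARD mode but does not reset `ipt_tmp` or `is_tproxy`, and `local is_tproxy` without a value keeps whatever the variable already holds in ash-style shells. If this block runs more than once per call (the surrounding loop is outside the hunk, so this is inferred), an entry processed after a brook client entry would log FORWARD while still emitting TPROXY rules into the mangle table. Declaring it as `local is_tproxy=""` and setting the table explicitly in the `else` branch would make the log line and the rules agree. The same pattern appears in the later load_acl hunk for `TCP_NODE1`.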
@@ -149,6 +167,7 @@ load_acl() {
[ "$udp_proxy_mode" != "disable" ] && {
[ "$UDP_NODE" != "nil" ] && {
+ echolog "UDP 代理启用 TPROXY 模式"
eval udp_port=\$UDP_REDIR_PORT$udp_node
[ "$udp_no_redir_ports" != "disable" ] && $ipt_m -A PSW $(comment "$remarks") $(factor $ip "-s") $(factor $mac "-m mac --mac-source") -p udp -m multiport --dport $udp_no_redir_ports -j RETURN
$ipt_m -A PSW $(comment "$remarks") -p udp $(factor $ip "-s") $(factor $mac "-m mac --mac-source") $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $udp_port TPROXY)
@@ -165,7 +184,12 @@ load_acl() {
[ "$TCP_NODE1" != "nil" -a "$TCP_PROXY_MODE" != "disable" ] && {
local TCP_NODE1_TYPE=$(echo $(config_n_get $TCP_NODE1 type) | tr 'A-Z' 'a-z')
local is_tproxy
- [ "$TCP_NODE1_TYPE" == "brook" -a "$(config_n_get $TCP_NODE1 brook_protocol client)" == "client" ] && ipt_tmp=$ipt_m && is_tproxy="TPROXY"
+ if [ "$TCP_NODE1_TYPE" == "brook" ] && [ "$(config_n_get $TCP_NODE1 brook_protocol client)" == "client" ]; then
+ ipt_tmp=$ipt_m && is_tproxy="TPROXY"
+ echolog "为 brook TCP默认代理启用 TPROXY 模式!"
+ else
+ echolog "TCP默认代理使用 FORWARD 模式"
+ fi
[ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_tmp -A PSW $(comment "默认") -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
$ipt_tmp -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $TCP_REDIR_PORT1 $is_tproxy)
$ipt_tmp -A PSW $(comment "默认") -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $TCP_PROXY_MODE $TCP_REDIR_PORT1 $is_tproxy)
@@ -174,11 +198,12 @@ load_acl() {
echolog "TCP默认代理模式:$(get_action_chain_name $TCP_PROXY_MODE)"
# 加载UDP默认代理模式
- [ "$UDP_NODE1" != "nil" -a "$UDP_PROXY_MODE" != "disable" ] && {
+ if [ "$UDP_NODE1" != "nil" ] && [ "$UDP_PROXY_MODE" != "disable" ]; then
+ echolog "UDP默认代理使用 TPROXY 模式"
[ "$UDP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW $(comment "默认") -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
$ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT $UDP_REDIR_PORT1 TPROXY)
$ipt_m -A PSW $(comment "默认") -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $UDP_PROXY_MODE $UDP_REDIR_PORT1 TPROXY)
- }
+ fi
$ipt_m -A PSW $(comment "默认") -p udp -j RETURN
echolog "UDP默认代理模式:$(get_action_chain_name $UDP_PROXY_MODE)"
}
@@ -187,71 +212,87 @@ filter_vpsip() {
echolog "开始过滤所有节点到白名单"
uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSIPLIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
#uci show $CONFIG | grep ".address=" | cut -d "'" -f 2 | grep -E "([[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){0,7}::[a-f0-9]{0,4}(:[a-f0-9]{1,4}){0,7}])" | sed -e "/^$/d" | sed -e "s/^/add $IPSET_VPSIP6LIST &/g" | awk '{print $0} END{print "COMMIT"}' | ipset -! -R
- echolog "过滤所有节点完成"
+ echolog "过滤所有节点直接 IP 地址完成"
}
filter_node() {
+ local proxy_node=${1} stream=$(echo ${2} | tr 'A-Z' 'a-z')
+ local proxy_port=${3}
filter_rules() {
- [ -n "$1" ] && [ "$1" != "nil" ] && {
- local type=$(echo $(config_n_get $1 type) | tr 'A-Z' 'a-z')
- local i=$ipt_n
- [ "$2" == "udp" ] || [ "$type" == "brook" -a "$(config_n_get $1 brook_protocol client)" == "client" ] && i=$ipt_m
- local address=$(config_n_get $1 address)
- local port=$(config_n_get $1 port)
-
- if [ -n "$3" ] && [ "$3" == "1" ] && [ -n "$4" ]; then
- is_exist=$($i -n -L PSW_OUTPUT 2>/dev/null | grep -c "$address:$port")
- [ "$is_exist" == 0 ] && {
- if [ "$i" == "$ipt_m" ]; then
- $i -I PSW_OUTPUT 2 $(comment "$address:$port") -p $2 -d $address --dport $port $(REDIRECT 1 MARK)
- else
- $i -I PSW_OUTPUT 2 $(comment "$address:$port") -p $2 -d $address --dport $port $(REDIRECT $4)
- fi
- }
- else
- is_exist=$($i -n -L PSW_OUTPUT 2>/dev/null | grep -c "$address:$port")
- [ "$is_exist" == 0 ] && {
- local ADD_INDEX=2
- local INDEX=$($i -n -L PSW_OUTPUT --line-numbers | grep "$IPSET_VPSIPLIST" | sed -n '$p' | awk '{print $1}')
- [ -n "$INDEX" ] && ADD_INDEX=$INDEX
- $i -I PSW_OUTPUT $ADD_INDEX $(comment "$address:$port") -p $2 -d $address --dport $port -j RETURN
- }
+ local msg node=${1} stream=${2}
+ local _proxy=${3} _port=${4}
+ if [ -n "$node" ] && [ "$node" != "nil" ]; then
+ local type=$(echo $(config_n_get $node type) | tr 'A-Z' 'a-z')
+ local address=$(config_n_get $node address)
+ local port=$(config_n_get $node port)
+ local ipt_tmp=$ipt_n
+ if [ "$stream" == "udp" ] || [ "$type" == "brook" -a "$(config_n_get $node brook_protocol client)" == "client" ]; then
+ ipt_tmp=$ipt_m
+ echolog " 为 udp 或 brook 启用 TPROXY 模式"
fi
- }
+ else
+ echolog " 节点配置不正常,略过"
+ return 0
+ fi
+
+ local ADD_INDEX=$(RULE_LAST_INDEX "$ipt_tmp" PSW_OUT_PUT "$IPSET_VPSIPLIST" 2)
+ $ipt_tmp -n -L PSW_OUTPUT | grep -q "${address}:${port}"
+ if [ $? -ne 0 ]; then
+ local dst_rule=$(REDIRECT 1 MARK)
+ msg="按规则路由"
+ [ "$ipt_tmp" == "$ipt_m" ] || {
+ dst_rule=$(REDIRECT $_port)
+ msg="套娃使用"
+ }
+ [ -n "$_proxy" ] && [ "$_proxy" == "1" ] && [ -n "$_port" ] || {
+ dst_rule=" -j RETURN"
+ msg="直连代理"
+ }
+ $ipt_tmp -I PSW_OUTPUT $ADD_INDEX $(comment "${address}:${port}") -p $stream -d $address --dport $port $dst_rule
+ else
+ msg="转发条目已存在,略过"
+ fi
+ msg="${msg}[$?],节点(${type}):${address}:${port}"
+ echolog " $msg"
}
- local v2ray_protocol=$(config_n_get $1 protocol)
- if [ "$v2ray_protocol" == "_shunt" ]; then
- local default_node=$(config_n_get $1 default_node nil)
- filter_rules $default_node $2
+ local proxy_protocol=$(config_n_get $proxy_node protocol)
+ local proxy_type=$(echo $(config_n_get $proxy_node type nil) | tr 'A-Z' 'a-z')
+ [ "$proxy_type" == "nil" ] && echolog " 节点配置不正常,略过!:${proxy_node}" && return 0
+ if [ "$proxy_protocol" == "_shunt" ]; then
+ echolog " 按请求目的地址分流(${proxy_type})..."
+ local default_node=$(config_n_get $proxy_node default_node nil)
+ filter_rules $default_node $stream
local default_node_address=$(get_host_ip ipv4 $(config_n_get $default_node address) 1)
local default_node_port=$(config_n_get $default_node port)
local shunt_ids=$(uci show $CONFIG | grep "=shunt_rules" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
for shunt_id in $shunt_ids; do
- local _proxy=$(config_n_get $1 "${shunt_id}_proxy" 0)
- local _node=$(config_n_get $1 "${shunt_id}" nil)
- [ "$_proxy" == 1 ] && {
- local _node_address=$(get_host_ip ipv4 $(config_n_get $_node address) 1)
- local _node_port=$(config_n_get $_node port)
- [ "$_node_address" == "$default_node_address" ] && [ "$_node_port" == "$default_node_port" ] && {
- _proxy=0
+ local shunt_proxy=$(config_n_get $proxy_node "${shunt_id}_proxy" 0)
+ local shunt_node=$(config_n_get $proxy_node "${shunt_id}" nil)
+ [ "$shunt_proxy" == 1 ] && {
+ local shunt_node_address=$(get_host_ip ipv4 $(config_n_get $shunt_node address) 1)
+ local shunt_node_port=$(config_n_get $shunt_node port)
+ [ "$shunt_node_address" == "$default_node_address" ] && [ "$shunt_node_port" == "$default_node_port" ] && {
+ shunt_proxy=0
}
}
- filter_rules $(config_n_get $1 $shunt_id) $2 $_proxy $3
+ filter_rules "$(config_n_get $proxy_node $shunt_id)" "$stream" "$shunt_proxy" "$proxy_port"
done
- elif [ "$v2ray_protocol" == "_balancing" ]; then
- local balancing_node=$(config_n_get $1 balancing_node)
- for node_id in $balancing_node
- do
- filter_rules $node_id $2
+ elif [ "$proxy_protocol" == "_balancing" ]; then
+ echolog " 多节点负载均衡(${proxy_type})..."
+ proxy_node=$(config_n_get $proxy_node balancing_node)
+ for _node in $proxy_node; do
+ filter_rules "$_node" "$stream"
done
else
- filter_rules $1 $2
+ echolog " 普通节点(${proxy_type})..."
+ filter_rules "$proxy_node" "$stream"
fi
}
dns_hijack() {
$ipt_n -I PSW -p udp --dport 53 -j REDIRECT --to-ports 53
+ echolog "强制转发本机DNS端口 UDP/53 的请求[$?]"
}
add_firewall_rule() {
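Review bot: The `ADD_INDEX` line in `filter_rules` asks `RULE_LAST_INDEX` for chain `PSW_OUT_PUT`, while every other line in this function reads and inserts into `PSW_OUTPUT`. The listing of a non-existent chain fails silently behind `2>/dev/null`, so the index would always fall back to `2` and the new rule would not be placed relative to the `$IPSET_VPSIPLIST` entry; it should read `RULE_LAST_INDEX "$ipt_tmp" PSW_OUTPUT "$IPSET_VPSIPLIST" 2`. The existence test `grep -q "${address}:${port}"` is a regex substring match, so one node's address and port can match inside another's; `grep -qF -- "${address}:${port} "` or matching on the comment text would be tighter. The `[$?]` appended to `msg` reflects the insert only in the branch that ran it.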
@@ -272,16 +313,20 @@ add_firewall_rule() {
EOF
# 忽略特殊IP段
+ local lan_ifname lan_ip
lan_ifname=$(uci -q -p /var/state get network.lan.ifname)
[ -n "$lan_ifname" ] && {
lan_ip=$(ip address show $lan_ifname | grep -w "inet" | awk '{print $2}')
+ echolog "本机网段互访直连:${lan_ip}"
[ -n "$lan_ip" ] && ipset -! add $IPSET_LANIPLIST $lan_ip >/dev/null 2>&1 &
}
- ISP_DNS=$(cat $RESOLVFILE 2>/dev/null | grep -E -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort -u | grep -v 0.0.0.0 | grep -v 127.0.0.1)
+ local ISP_DNS=$(cat $RESOLVFILE 2>/dev/null | grep -E -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" | sort -u | grep -v 0.0.0.0 | grep -v 127.0.0.1)
[ -n "$ISP_DNS" ] && {
+ echolog "处理 ISP DNS 例外..."
for ispip in $ISP_DNS; do
ipset -! add $IPSET_WHITELIST $ispip >/dev/null 2>&1 &
+ echolog " 追加到白名单:${ispip}"
done
}
@@ -311,27 +356,6 @@ add_firewall_rule() {
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
- # 过滤Socks节点
- local ids=$(uci show $CONFIG | grep "=socks" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
- for id in $ids; do
- local enabled=$(config_n_get $id enabled 0)
- [ "$enabled" == "0" ] && continue
- local node=$(config_n_get $id node nil)
- if [ "$(echo $node | grep ^tcp)" ]; then
- local num=$(echo $node | sed "s/tcp//g")
- eval node=\$TCP_NODE$num
- fi
- [ "$node" == "nil" ] && continue
- filter_node $node tcp
- filter_node $node udp
- done
-
- for i in $(seq 1 $TCP_NODE_NUM); do
- eval node=\$TCP_NODE$i
- eval port=\$TCP_REDIR_PORT$i
- [ "$node" != "nil" ] && filter_node $node tcp $port
- done
-
# 加载路由器自身代理 TCP
if [ "$TCP_NODE1" != "nil" ]; then
local ipt_tmp=$ipt_n
@@ -340,7 +364,9 @@ add_firewall_rule() {
local blist_r=$(REDIRECT $TCP_REDIR_PORT1)
local p_r=$(get_redirect_ipt $LOCALHOST_TCP_PROXY_MODE $TCP_REDIR_PORT1)
TCP_NODE1_TYPE=$(echo $(config_n_get $TCP_NODE1 type) | tr 'A-Z' 'a-z')
+ echolog "加载路由器自身 TCP 代理..."
if [ "$TCP_NODE1_TYPE" == "brook" ] && [ "$(config_n_get $TCP_NODE1 brook_protocol client)" == "client" ]; then
+ echolog " 为 brook 启用 TCP TPROXY 模式"
ipt_tmp=$ipt_m
dns_l="PSW"
dns_r="$(REDIRECT $TCP_REDIR_PORT1 TPROXY)"
@@ -350,66 +376,122 @@ add_firewall_rule() {
_proxy_tcp_access() {
[ -n "${2}" ] || return 0
ipset test $IPSET_LANIPLIST ${2} 2>/dev/null
- [ $? == 0 ] && return 0
- $ipt_tmp -I $dns_l 2 -p tcp -d ${2} --dport ${3} $dns_r
- [ "$ipt_tmp" == "$ipt_m" ] && $ipt_tmp -I PSW_OUTPUT 2 -p tcp -d ${2} --dport ${3} $(REDIRECT 1 MARK)
+ [ $? -eq 0 ] && {
+ echolog " 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 TCP 代理转发对该服务器 TCP/${3} 端口的访问"
+ return 0
+ }
+ local ADD_INDEX=$(RULE_LAST_INDEX "$ipt_tmp" "$dns_l" "$IPSET_VPSIPLIST" 2)
+ $ipt_tmp -I $dns_l $ADD_INDEX -p tcp -d ${2} --dport ${3} $dns_r
+ [ "$ipt_tmp" == "$ipt_m" ] && $ipt_tmp -I PSW_OUTPUT $ADD_INDEX -p tcp -d ${2} --dport ${3} $(REDIRECT 1 MARK)
+ echolog " 将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 TCP 转发链${ADD_INDEX}[$?]"
}
[ "$use_tcp_node_resolve_dns" == 1 ] && hosts_foreach DNS_FORWARD _proxy_tcp_access 53
$ipt_tmp -A OUTPUT -p tcp -j PSW_OUTPUT
- [ "$TCP_NO_REDIR_PORTS" != "disable" ] && $ipt_tmp -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
+ [ "$TCP_NO_REDIR_PORTS" != "disable" ] && {
+ $ipt_tmp -A PSW_OUTPUT -p tcp -m multiport --dport $TCP_NO_REDIR_PORTS -j RETURN
+ echolog " 按要求设置全局例外 TCP 端口[$?]:$TCP_NO_REDIR_PORTS"
+ }
$ipt_tmp -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $blist_r
$ipt_tmp -A PSW_OUTPUT -p tcp $(factor $TCP_REDIR_PORTS "-m multiport --dport") $p_r
fi
-
- local PRE_INDEX=1
- ADBYBY_INDEX=$($ipt_n -L PREROUTING --line-numbers | grep "ADBYBY" | sed -n '$p' | awk '{print $1}')
- if [ -n "$ADBYBY_INDEX" ]; then
- PRE_INDEX=$(expr $ADBYBY_INDEX + 1)
+
+ local PR_INDEX=$(RULE_LAST_INDEX "$ipt_n" PREROUTING ADBYBY)
+ if [ "$PR_INDEX" == "0" ]; then
+ PR_INDEX=$(RULE_LAST_INDEX "$ipt_n" PREROUTING prerouting_rule)
else
- PR_INDEX=$($ipt_n -L PREROUTING --line-numbers | grep "prerouting_rule" | sed -n '$p' | awk '{print $1}')
- [ -n "$PR_INDEX" ] && PRE_INDEX=$(expr $PR_INDEX + 1)
+ echolog "发现 adbyby 规则链,adbyby 规则优先..."
fi
- $ipt_n -I PREROUTING $PRE_INDEX -p tcp -j PSW
+ PR_INDEX=$((PR_INDEX + 1))
+ $ipt_n -I PREROUTING $PR_INDEX -p tcp -j PSW
+ echolog "使用链表 PREROUTING 排列索引${PR_INDEX}[$?]"
if [ "$PROXY_IPV6" == "1" ]; then
+ local msg="IPv6 配置不当,无法代理"
[ -n "$lan_ifname" ] && {
lan_ipv6=$(ip address show $lan_ifname | grep -w "inet6" | awk '{print $2}') #当前LAN IPv6段
[ -n "$lan_ipv6" ] && {
$ip6t_n -N PSW
$ip6t_n -A PREROUTING -j PSW
+ msg="接管 IPv6 流量[$?]"
[ -n "$lan_ipv6" ] && {
for ip in $lan_ipv6; do
$ip6t_n -A PSW -d $ip -j RETURN
done
}
- [ "$use_ipv6" == "1" -a -n "$server_ip" ] && $ip6t_n -A PSW -d $server_ip -j RETURN
+ [ "$use_ipv6" == "1" ] && [ -n "$server_ip" ] && $ip6t_n -A PSW -d $server_ip -j RETURN
$ip6t_n -A PSW -p tcp $(REDIRECT $TCP_REDIR_PORT1)
#$ip6t_n -I OUTPUT -p tcp -j PSW
+ msg="${msg},转发 IPv6 TCP 流量到节点1[$?]"
}
}
+ echolog "$msg"
fi
-
- for i in $(seq 1 $UDP_NODE_NUM); do
- eval node=\$UDP_NODE$i
- eval port=\$UDP_REDIR_PORT$i
- [ "$node" == "tcp" ] && eval node=\$TCP_NODE$i && eval port=\$TCP_REDIR_PORT$i
- [ "$node" != "nil" ] && filter_node $node udp $port
+
+ # 过滤Socks节点
+ local ids=$(uci show $CONFIG | grep "=socks" | awk -F '.' '{print $2}' | awk -F '=' '{print $1}')
+ echolog "分析 Socks 服务所使用节点..."
+ for id in $ids; do
+ local enabled=$(config_n_get $id enabled 0)
+ [ "$enabled" == "1" ] || continue
+ local node=$(config_n_get $id node nil)
+ local port=$(config_n_get $id port 0)
+ local msg="Socks 服务 [:${port}]"
+ if [ "$node" == "nil" ] || [ "$port" == "0" ]; then
+ msg="${msg} 未配置完全,略过"
+ elif [ "$(echo $node | grep ^tcp)" ]; then
+ local num=$(echo $node | sed "s/tcp//g")
+ eval "node=\${TCP_NODE$num}"
+ msg="${msg} 使用与 TCP 代理自动切换${num} 相同的节点,延后处理"
+ else
+ filter_node $node tcp
+ filter_node $node udp
+ fi
+ echolog " $msg[$?]"
+ done
+
+ # 处理轮换节点的分流或套娃
+ local node port stream
+ for stream in TCP UDP; do
+ for switch in $(eval "seq 1 \${${stream}_NODE_NUM}"); do
+ eval "node=\${${stream}_NODE$switch}"
+ eval "port=\${${stream}_REDIR_PORT$switch}"
+ echolog "分析 $stream 代理自动切换$switch..."
+ [ "$node" == "tcp" ] && [ "$stream" == "UDP" ] && {
+ eval "node=\${TCP_NODE$switch}"
+ eval "port=\${TCP_REDIR_PORT$switch}"
+ echolog " 采用 TCP 代理的配置"
+ }
+
+ if [ "$node" != "nil" ]; then
+ filter_node $node $stream $port
+ else
+ echolog " 忽略无效的 $stream 代理自动切换$switch"
+ fi
+ done
done
# 加载路由器自身代理 UDP
if [ "$UDP_NODE1" != "nil" ]; then
+ echolog "加载路由器自身 UDP 代理..."
local UDP_NODE1_TYPE=$(echo $(config_n_get $UDP_NODE1 type) | tr 'A-Z' 'a-z')
_proxy_udp_access() {
[ -n "${2}" ] || return 0
ipset test $IPSET_LANIPLIST ${2} 2>/dev/null
- [ $? == 0 ] && return 0
- local ADD_INDEX=2
+ [ $? == 0 ] && {
+ echolog " 上游 DNS 服务器 ${2} 已在直接访问的列表中,不强制向 UDP 代理转发对该服务器 UDP/${3} 端口的访问"
+ return 0
+ }
+ local ADD_INDEX=$(RULE_LAST_INDEX "$ipt_tmp" "$dns_l" "$IPSET_VPSIPLIST" 2)
$ipt_m -I PSW $ADD_INDEX -p udp -d ${2} --dport ${3} $(REDIRECT $UDP_REDIR_PORT1 TPROXY)
$ipt_m -I PSW_OUTPUT $ADD_INDEX -p udp -d ${2} --dport ${3} $(REDIRECT 1 MARK)
+ echolog " 将上游 DNS 服务器 ${2}:${3} 加入到路由器自身代理的 UDP 转发链${ADD_INDEX}[$?]"
}
[ "$use_udp_node_resolve_dns" == 1 ] && hosts_foreach DNS_FORWARD _proxy_udp_access 53
$ipt_m -A OUTPUT -p udp -j PSW_OUTPUT
- [ "$UDP_NO_REDIR_PORTS" != "disable" ] && $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
+ [ "$UDP_NO_REDIR_PORTS" != "disable" ] && {
+ $ipt_m -A PSW_OUTPUT -p udp -m multiport --dport $UDP_NO_REDIR_PORTS -j RETURN
+ echolog " 按要求配置例外 UDP 端口[$?]:$UDP_NO_REDIR_PORTS"
+ }
$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(dst $IPSET_BLACKLIST) $(REDIRECT 1 MARK)
$ipt_m -A PSW_OUTPUT -p udp $(factor $UDP_REDIR_PORTS "-m multiport --dport") $(get_redirect_ipt $LOCALHOST_UDP_PROXY_MODE 1 MARK)
fi
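Review bot: In `_proxy_udp_access` the new `ADD_INDEX` is computed from `$ipt_tmp` and `$dns_l`, which belong to the TCP block, while the two inserts below it go into the `$ipt_m` chains `PSW` and `PSW_OUTPUT`. The index therefore comes from a different table or chain (or, it seems, from unset variables when the TCP block did not run), and an index past the end of the target chain makes `iptables -I` fail and leaves the DNS redirect out. It should be computed against the chain being modified, e.g. `local ADD_INDEX=$(RULE_LAST_INDEX "$ipt_m" PSW "$IPSET_VPSIPLIST" 2)`, and again for `PSW_OUTPUT`; `_proxy_tcp_access` reuses one index for `$dns_l` and `PSW_OUTPUT` in the same way. The `[$?]` in the TCP helper's log line reports the `[ "$ipt_tmp" == "$ipt_m" ] && ...` list rather than the first insert, so it logs 1 whenever the mangle table is not in use. add_firewall_rule starts and ends outside the hunk.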
diff --git a/package/lienol/luci-app-passwall/root/usr/share/passwall/rules/proxy_host b/package/lienol/luci-app-passwall/root/usr/share/passwall/rules/proxy_host
index f3f716ef58..a59a361d67 100644
--- a/package/lienol/luci-app-passwall/root/usr/share/passwall/rules/proxy_host
+++ b/package/lienol/luci-app-passwall/root/usr/share/passwall/rules/proxy_host
@@ -49,6 +49,8 @@ fox.com
gamer.com.tw
ggpht.com
github-production-release-asset-2e65be.s3.amazonaws.com
+githubapp.com
+githubassets.com
github.com
github.io
githubusercontent.com