diff --git a/.github/genReleaseNote.sh b/.github/genReleaseNote.sh index 0425061d..ab617fd0 100755 --- a/.github/genReleaseNote.sh +++ b/.github/genReleaseNote.sh @@ -18,15 +18,15 @@ if [ -z "$version_range" ]; then fi echo "## What's Changed" > release.md -git log --pretty=format:"* %s by @%an" --grep="^feat" -i $version_range | sort -f | uniq >> release.md +git log --pretty=format:"* %h %s by @%an" --grep="^feat" -i $version_range | sort -f | uniq >> release.md echo "" >> release.md echo "## BUG & Fix" >> release.md -git log --pretty=format:"* %s by @%an" --grep="^fix" -i $version_range | sort -f | uniq >> release.md +git log --pretty=format:"* %h %s by @%an" --grep="^fix" -i $version_range | sort -f | uniq >> release.md echo "" >> release.md echo "## Maintenance" >> release.md -git log --pretty=format:"* %s by @%an" --grep="^chore\|^docs\|^refactor" -i $version_range | sort -f | uniq >> release.md +git log --pretty=format:"* %h %s by @%an" --grep="^chore\|^docs\|^refactor" -i $version_range | sort -f | uniq >> release.md echo "" >> release.md -echo "**Full Changelog**: https://github.com/MetaCubeX/Clash.Meta/compare/$version_range" >> release.md +echo "**Full Changelog**: https://github.com/MetaCubeX/mihomo/compare/$version_range" >> release.md diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index bad84cd1..f9bbbba9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -141,6 +141,12 @@ jobs: run: | go test ./... + - name: Update UA + run: | + sudo apt-get install ca-certificates + sudo update-ca-certificates + cp -f /etc/ssl/certs/ca-certificates.crt component/ca/ca-certificates.crt + - name: Build core env: GOOS: ${{matrix.jobs.goos}} diff --git a/component/ca/ca-certificates.crt b/component/ca/ca-certificates.crt new file mode 100644 index 00000000..e69de29b diff --git a/component/ca/config.go b/component/ca/config.go index 03fb007c..53cb98ab 100644 --- a/component/ca/config.go +++ b/component/ca/config.go 
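Review bot: With `%h` now leading each entry in the three `git log` formats, `sort -f | uniq` orders the release notes by abbreviated hash instead of by subject. `uniq` can also no longer collapse a change that landed twice, because the hashes differ. Putting the hash behind the subject, `--pretty=format:"* %s (%h) by @%an"`, restores the subject ordering. `$version_range` is expanded unquoted on each of these lines; if it is always a single `A..B` range, `"$version_range"` is the safer form.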
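Review bot: The `Update UA` step makes the root store embedded in every built binary equal to whatever `/etc/ssl/certs/ca-certificates.crt` the CI runner holds at build time, with no pinning and no record of what was shipped. Because `component/ca/ca-certificates.crt` is added with no content in this commit, a build outside this workflow, or a job that skips the step, embeds an empty bundle and nothing flags it. I would add `test -s component/ca/ca-certificates.crt` and `sha256sum component/ca/ca-certificates.crt` after the `cp`, so an empty bundle fails the job and the digest of the shipped trust anchors lands in the build log. The step name presumably means "Update CA", and `apt-get install` should carry `-y`, preceded by `apt-get update` so a stale package index does not break the step.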
@@ -5,10 +5,12 @@ import ( "crypto/sha256" "crypto/tls" "crypto/x509" + _ "embed" "encoding/hex" "errors" "fmt" "os" + "strconv" "strings" "sync" ) @@ -18,6 +20,11 @@ var globalCertPool *x509.CertPool var mutex sync.RWMutex var errNotMatch = errors.New("certificate fingerprints do not match") +//go:embed ca-certificates.crt +var _CaCertificates []byte +var DisableEmbedCa, _ = strconv.ParseBool(os.Getenv("DISABLE_EMBED_CA")) +var DisableSystemCa, _ = strconv.ParseBool(os.Getenv("DISABLE_SYSTEM_CA")) + func AddCertificate(certificate string) error { mutex.Lock() defer mutex.Unlock() @@ -34,13 +41,20 @@ func AddCertificate(certificate string) error { func initializeCertPool() { var err error - globalCertPool, err = x509.SystemCertPool() - if err != nil { + if DisableSystemCa { globalCertPool = x509.NewCertPool() + } else { + globalCertPool, err = x509.SystemCertPool() + if err != nil { + globalCertPool = x509.NewCertPool() + } } for _, cert := range trustCerts { globalCertPool.AddCert(cert) } + if !DisableEmbedCa { + globalCertPool.AppendCertsFromPEM(_CaCertificates) + } } func ResetCertificate() { diff --git a/component/iface/iface.go b/component/iface/iface.go index dd932b46..1d0219df 100644 --- a/component/iface/iface.go +++ b/component/iface/iface.go 
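Review bot: Both `strconv.ParseBool` errors on the new `DisableEmbedCa` / `DisableSystemCa` lines are discarded, so a value such as `DISABLE_SYSTEM_CA=yes` or `DISABLE_EMBED_CA=on` fails to parse and leaves the flag false. The operator then believes a trust source is switched off while it is still loaded. For a setting that narrows the trust store, an unparsable non-empty value should be reported rather than read as "not disabled", for example through a small helper that checks `err != nil` and names the offending variable. Both flags are also exported mutable variables without doc comments; if they are only meant to come from the environment, unexported names (and `caCertificates` rather than `_CaCertificates`) would keep other packages from changing them after the pool is built.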
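Review bot: In `initializeCertPool` the boolean returned by `globalCertPool.AppendCertsFromPEM(_CaCertificates)` is ignored, so an empty or unparsable embedded bundle goes unnoticed. With `DISABLE_SYSTEM_CA` set, the pool then holds only `trustCerts` and every verification against it fails with no hint at the cause. Checking the result, `if !globalCertPool.AppendCertsFromPEM(_CaCertificates) { /* report: embedded CA bundle empty or invalid */ }`, makes that visible. The embedded roots are also appended on top of the system pool by default, so a CA the host administrator has removed locally can become trusted again through the bundle unless `DISABLE_EMBED_CA` is set; that default deserves a comment here and a line in the user documentation. The callers of this function are outside the hunk.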
@@ -40,16 +40,23 @@ func ResolveInterface(name string) (*Interface, error) { ipNets := make([]netip.Prefix, 0, len(addrs)) for _, addr := range addrs { - ipNet := addr.(*net.IPNet) - ip, _ := netip.AddrFromSlice(ipNet.IP) - - ones, bits := ipNet.Mask.Size() - if bits == 32 { + var pf netip.Prefix + switch ipNet := addr.(type) { + case *net.IPNet: + ip, _ := netip.AddrFromSlice(ipNet.IP) + ones, bits := ipNet.Mask.Size() + if bits == 32 { + ip = ip.Unmap() + } + pf = netip.PrefixFrom(ip, ones) + case *net.IPAddr: + ip, _ := netip.AddrFromSlice(ipNet.IP) ip = ip.Unmap() + pf = netip.PrefixFrom(ip, ip.BitLen()) + } + if pf.IsValid() { + ipNets = append(ipNets, pf) } - - pf := netip.PrefixFrom(ip, ones) - ipNets = append(ipNets, pf) } r[iface.Name] = &Interface{ diff --git a/config/config.go b/config/config.go index ca866491..ca179ed0 100644 --- a/config/config.go +++ b/config/config.go @@ -265,6 +265,7 @@ type RawTun struct { EndpointIndependentNat bool `yaml:"endpoint-independent-nat" json:"endpoint_independent_nat,omitempty"` UDPTimeout int64 `yaml:"udp-timeout" json:"udp_timeout,omitempty"` FileDescriptor int `yaml:"file-descriptor" json:"file-descriptor"` + TableIndex int `yaml:"table-index" json:"table-index"` } type RawTuicServer struct { @@ -1448,6 +1449,7 @@ func parseTun(rawTun RawTun, general *General) error { EndpointIndependentNat: rawTun.EndpointIndependentNat, UDPTimeout: rawTun.UDPTimeout, FileDescriptor: rawTun.FileDescriptor, + TableIndex: rawTun.TableIndex, } return nil diff --git a/hub/route/configs.go b/hub/route/configs.go index ec0b464c..653e4351 100644 --- a/hub/route/configs.go +++ b/hub/route/configs.go 
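Review bot: The type switch in `ResolveInterface` binds `ipNet` in both cases, so inside `case *net.IPAddr` a variable named `ipNet` holds an address without a mask; `switch a := addr.(type)` would read more accurately. Address types other than the two listed, and IPs that `netip.AddrFromSlice` cannot convert, are now dropped silently by the `pf.IsValid()` check. A comment such as `// other net.Addr implementations and unparsable IPs are skipped` would record that this is intended. In the `*net.IPNet` case a non-canonical mask makes `Mask.Size()` return 0, 0, which yields a valid /0 prefix instead of being dropped; this is probably unreachable for kernel-reported addresses, but `if bits == 0 { continue }` would close it. The enclosing function starts and ends outside the hunk.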
@@ -91,6 +91,7 @@ type tunSchema struct { EndpointIndependentNat *bool `yaml:"endpoint-independent-nat" json:"endpoint-independent-nat,omitempty"` UDPTimeout *int64 `yaml:"udp-timeout" json:"udp-timeout,omitempty"` FileDescriptor *int `yaml:"file-descriptor" json:"file-descriptor"` + TableIndex *int `yaml:"table-index" json:"table-index"` } type tuicServerSchema struct { @@ -209,6 +210,9 @@ func pointerOrDefaultTun(p *tunSchema, def LC.Tun) LC.Tun { if p.FileDescriptor != nil { def.FileDescriptor = *p.FileDescriptor } + if p.TableIndex != nil { + def.TableIndex = *p.TableIndex + } } return def } diff --git a/listener/config/tun.go b/listener/config/tun.go index 1772c6f5..7467e4a6 100644 --- a/listener/config/tun.go +++ b/listener/config/tun.go @@ -49,4 +49,5 @@ type Tun struct { EndpointIndependentNat bool `yaml:"endpoint-independent-nat" json:"endpoint-independent-nat,omitempty"` UDPTimeout int64 `yaml:"udp-timeout" json:"udp-timeout,omitempty"` FileDescriptor int `yaml:"file-descriptor" json:"file-descriptor"` + TableIndex int `yaml:"table-index" json:"table-index"` } diff --git a/listener/inbound/tun.go b/listener/inbound/tun.go index a1fdebfa..51747c46 100644 --- a/listener/inbound/tun.go +++ b/listener/inbound/tun.go @@ -40,6 +40,7 @@ type TunOption struct { EndpointIndependentNat bool `inbound:"endpoint_independent_nat,omitempty"` UDPTimeout int64 `inbound:"udp_timeout,omitempty"` FileDescriptor int `inbound:"file-descriptor,omitempty"` + TableIndex int `inbound:"table-index,omitempty"` } func (o TunOption) Equal(config C.InboundConfig) bool { @@ -118,6 +119,7 @@ func NewTun(options *TunOption) (*Tun, error) { EndpointIndependentNat: options.EndpointIndependentNat, UDPTimeout: options.UDPTimeout, FileDescriptor: options.FileDescriptor, + TableIndex: options.TableIndex, }, }, nil } diff --git a/listener/listener.go b/listener/listener.go index ac602971..e3506188 100644 --- a/listener/listener.go +++ b/listener/listener.go 
@@ -823,7 +823,8 @@ func hasTunConfigChange(tunConf *LC.Tun) bool { LastTunConf.StrictRoute != tunConf.StrictRoute || LastTunConf.EndpointIndependentNat != tunConf.EndpointIndependentNat || LastTunConf.UDPTimeout != tunConf.UDPTimeout || - LastTunConf.FileDescriptor != tunConf.FileDescriptor { + LastTunConf.FileDescriptor != tunConf.FileDescriptor || + LastTunConf.TableIndex != tunConf.TableIndex { return true } diff --git a/listener/sing_tun/server.go b/listener/sing_tun/server.go index cc26d37d..96ec1573 100644 --- a/listener/sing_tun/server.go +++ b/listener/sing_tun/server.go @@ -112,6 +112,10 @@ func New(options LC.Tun, tunnel C.Tunnel, additions ...inbound.Addition) (l *Lis } else { udpTimeout = int64(sing.UDPTimeout.Seconds()) } + tableIndex := options.TableIndex + if tableIndex == 0 { + tableIndex = 2022 + } includeUID := uidToRange(options.IncludeUID) if len(options.IncludeUIDRange) > 0 { var err error @@ -225,7 +229,7 @@ func New(options LC.Tun, tunnel C.Tunnel, additions ...inbound.Addition) (l *Lis ExcludePackage: options.ExcludePackage, FileDescriptor: options.FileDescriptor, InterfaceMonitor: defaultInterfaceMonitor, - TableIndex: 2022, + TableIndex: tableIndex, } err = l.buildAndroidRules(&tunOptions) diff --git a/transport/vmess/http.go b/transport/vmess/http.go index 6da9759e..b023fee4 100644 --- a/transport/vmess/http.go +++ b/transport/vmess/http.go @@ -3,6 +3,7 @@ package vmess import ( "bufio" "bytes" + "errors" "fmt" "net" "net/http" @@ -54,6 +55,10 @@ func (hc *httpConn) Write(b []byte) (int, error) { return hc.Conn.Write(b) } + if len(hc.cfg.Path) == 0 { + return -1, errors.New("path is empty") + } + path := hc.cfg.Path[fastrand.Intn(len(hc.cfg.Path))] host := hc.cfg.Host if header := hc.cfg.Headers["Host"]; len(header) != 0 {
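Review bot: In `New` in `listener/sing_tun/server.go`, `tableIndex` is taken from `options.TableIndex` with only the zero value replaced by 2022, so a negative number or an index that collides with a routing table the host already uses is passed straight into `tunOptions`. The value arrives unvalidated from `parseTun` and, through `pointerOrDefaultTun` in `hub/route/configs.go`, presumably from the runtime config endpoint as well. I would reject out-of-range values before `tunOptions` is built, e.g. `if tableIndex < 0 { return nil, fmt.Errorf("invalid table-index %d", tableIndex) }` (assuming `fmt` is imported in this file). A comment should state that 0 means "use the default 2022". `New` continues outside both hunks.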
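Review bot: The new empty-path guard in `httpConn.Write` returns `-1` as the byte count, which breaks the `io.Writer` contract (`0 <= n <= len(b)`); callers that add `n` to an offset or compare it with `len(b)` can misbehave on a negative count. Return `0, errors.New("path is empty")` instead. The check itself is sound, since it keeps `fastrand.Intn(len(hc.cfg.Path))` from being called with 0. An empty `Path` is a configuration error, though, and would be better rejected once where the config is built than on the first write; that code is outside this hunk.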