diff --git a/README.md b/README.md index ed43f2c7..cd58ec55 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,7 @@ Documentations are now moved to [GitHub Wiki](https://github.com/Dreamacro/clash ## Advanced usage for this fork branch ### TUN configuration -Support macOS Linux and Windows. +Support macOS,Linux and Windows. For Windows, you should download the [Wintun](https://www.wintun.net) driver and copy `wintun.dll` into the System32 directory. ```yaml @@ -45,19 +45,19 @@ tun: auto-route: true # auto set global route ``` ### Rules configuration -- Support rule `GEOSITE` -- Support `multiport` condition for rule `SRC-PORT` and `DST-PORT` -- Support not match condition for rule `GEOIP` -- Support `network` condition for all rules +- Support rule `GEOSITE`. +- Support `multiport` condition for rule `SRC-PORT` and `DST-PORT`. +- Support not match condition for rule `GEOIP`. +- Support `network` condition for all rules. -The `GEOSITE` and `GEOIP` databases via https://github.com/Loyalsoldier/v2ray-rules-dat +The `GEOSITE` and `GEOIP` databases via https://github.com/Loyalsoldier/v2ray-rules-dat. ```yaml rules: # network condition for rules - DOMAIN-SUFFIX,bilibili.com,DIRECT,tcp - DOMAIN-SUFFIX,bilibili.com,REJECT,udp - # multiport condition for rule SRC-PORT and DST-PORT + # multiport condition for rules SRC-PORT and DST-PORT - DST-PORT,123/136/137-139,DIRECT,udp # rule GEOSITE 
@@ -84,21 +84,34 @@ rules: ``` ### Proxies configuration -Support outbound transport protocol `VLESS` +Support outbound transport protocol `VLESS`. + +The XTLS only support TCP transport by the XRAY-CORE. ```yaml proxies: - - name: "vless" + - name: "vless-tcp" type: vless server: server port: 443 uuid: uuid + network: tcp + servername: example.com # AKA SNI # udp: true + # flow: xtls-rprx-direct # xtls-rprx-origin # enable XTLS # skip-cert-verify: true - # servername: example.com # priority over wss host - # network: ws # not support xtls - # ws-path: /path - # ws-headers: - # Host: v2ray.com + + - name: "vless-ws" + type: vless + server: server + port: 443 + uuid: uuid + udp: true + network: ws + servername: example.com # priority over wss host + # skip-cert-verify: true + ws-path: /path + ws-headers: + Host: example.com - name: "vless-h2" type: vless @@ -106,7 +119,8 @@ proxies: port: 443 uuid: uuid network: h2 - # flow: xtls-rprx-direct # xtls-rprx-origin xtls-rprx-direct # enable xtls + servername: example.com + # skip-cert-verify: true h2-opts: host: - http.example.com @@ -119,16 +133,17 @@ proxies: port: 443 uuid: uuid # udp: true - # network: http - # flow: xtls-rprx-direct # xtls-rprx-origin xtls-rprx-direct # enable xtls - # http-opts: - # # method: "GET" - # # path: - # # - '/' - # # - '/video' - # # headers: - # # Connection: - # # - keep-alive + network: http + servername: example.com + # skip-cert-verify: true + http-opts: + method: "GET" + path: + - '/' + - '/video' + headers: + Connection: + - keep-alive - name: vless-grpc server: server @@ -136,7 +151,6 @@ proxies: type: vless uuid: uuid network: grpc - # flow: xtls-rprx-direct # xtls-rprx-origin xtls-rprx-direct # enable xtls servername: example.com # skip-cert-verify: true grpc-opts: @@ -154,7 +168,7 @@ tproxy-port: 9898 tun: enable: false ``` -Create user given name `clash` +Create user given name `clash`. Run Clash by user `clash` as a daemon. 
@@ -186,9 +200,9 @@ $ systemctl start clash ``` ### Display Process name -Add field `Process` to `Metadata` and prepare to get process name for Restful API `GET /connections` +Add field `Process` to `Metadata` and prepare to get process name for Restful API `GET /connections`. -To display process name in GUI please use https://yaling888.github.io/yacd/ +To display process name in GUI please use https://yaling888.github.io/yacd/. ## Premium Release [Release](https://github.com/Dreamacro/clash/releases/tag/premium) diff --git a/adapter/outbound/vless.go b/adapter/outbound/vless.go index 9e44740c..187ccf74 100644 --- a/adapter/outbound/vless.go +++ b/adapter/outbound/vless.go @@ -35,7 +35,7 @@ type VlessOption struct { Port int `proxy:"port"` UUID string `proxy:"uuid"` Flow string `proxy:"flow,omitempty"` - FlowShow bool `proxy:"flow_show,omitempty"` + FlowShow bool `proxy:"flow-show,omitempty"` TLS bool `proxy:"tls,omitempty"` UDP bool `proxy:"udp,omitempty"` Network string `proxy:"network,omitempty"` diff --git a/hub/executor/executor.go b/hub/executor/executor.go index e26a1bdf..d5c90572 100644 --- a/hub/executor/executor.go +++ b/hub/executor/executor.go @@ -304,6 +304,8 @@ func updateIPTables(dns *config.DNS, general *config.General) { return } + tproxy.CleanUpTProxyLinuxIPTables() + err = tproxy.SetTProxyLinuxIPTables(general.Interface, general.TProxyPort, dnsPort) if err != nil { diff --git a/listener/tproxy/tproxy_linux_iptables.go b/listener/tproxy/tproxy_linux_iptables.go index 68b86fb2..2ca5a216 100644 --- a/listener/tproxy/tproxy_linux_iptables.go +++ b/listener/tproxy/tproxy_linux_iptables.go 
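Review bot: Changing the tag on `FlowShow` from `flow_show` to `flow-show` renames the configuration key, so an existing config that still uses `flow_show` will presumably stop setting the field without any error. How the decoder treats unknown keys is not visible in this hunk. The README edits in the same commit do not mention the key, so a commented line in the VLESS example such as `# flow-show: true` and a short note about the rename would help users.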
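Review bot: The added `tproxy.CleanUpTProxyLinuxIPTables()` call in updateIPTables discards any result and removes the existing rules before `SetTProxyLinuxIPTables` is known to succeed. If the Set call then fails, the host presumably has no redirect rules at all and traffic bypasses the proxy until the next reload. The `if err != nil {` body lies outside the hunk, so what the failure path does cannot be seen here; it should at least report that the old rules are already gone. If the cleanup function returns an error, check it, and confirm it tolerates a first run where no rules exist yet. A why-comment would also help, e.g. `// Drop rules left by the previous configuration so a reload does not stack duplicate entries.`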
@@ -29,17 +29,13 @@ func SetTProxyLinuxIPTables(ifname string, tport int, dport int) error { return fmt.Errorf("current operations system [%s] are not support iptables or command iptables does not exist", runtime.GOOS) } - //if _, err = execCmd("modprobe xt_TPROXY"); err != nil { - // return errors.New("xt_TPROXY module does not exist, please install it") - //} - user, err := U.Lookup(USERNAME) if err != nil { return fmt.Errorf("the user \" %s\" does not exist, please create it", USERNAME) } if ifname == "" { - return errors.New("interface name can not be empty") + return errors.New("the 'interface-name' can not be empty") } ownerUid := user.Uid diff --git a/rule/port.go b/rule/port.go index e6118fc6..7a3610ff 100644 --- a/rule/port.go +++ b/rule/port.go @@ -68,6 +68,7 @@ func (p *Port) matchPortReal(portRef string) bool { } func NewPort(port string, adapter string, isSource bool, network C.NetWork) (*Port, error) { + //the port format should be like this: "123/136/137-139" or "[123]/[136-139]" ports := strings.Split(port, "/") if len(ports) > 28 { return nil, fmt.Errorf("%s, too many ports to use, maximum support 28 ports", errPayload.Error()) 
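Review bot: The `ifname == ""` test in SetTProxyLinuxIPTables is still the only validation of the interface name; this hunk changes only its message. The rest of the function is outside the hunk, but the removed comment shows `execCmd` taking a whole command string, so the name presumably ends up inside iptables command lines. Because the value comes from the configuration file, it is safer to confirm it names a real interface before any command is built, e.g. `if _, err := net.InterfaceByName(ifname); err != nil { return fmt.Errorf("interface %q not found: %w", ifname, err) }`. That also gives the user a clearer error than a failed iptables call.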
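Review bot: The comment added at the top of NewPort's body, `//the port format should be like this: ...`, has no space after `//` and describes the function's input contract, so it belongs above the signature. NewPort is exported and the visible lines show no doc comment for it. Something like `// NewPort parses a "/"-separated list of ports and ranges such as "123/136/137-139" or "[123]/[136-139]"; at most 28 entries are accepted.` would cover both the format and the limit enforced just below. NewPort's body continues outside this hunk.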
@@ -79,22 +80,22 @@ func NewPort(port string, adapter string, isSource bool, network C.NetWork) (*Po continue } - subPort := strings.Split(strings.Trim(p, "[ ]"), "-") - subPortLen := len(subPort) - if subPortLen > 2 { + subPorts := strings.Split(p, "-") + subPortsLen := len(subPorts) + if subPortsLen > 2 { return nil, errPayload } - portStart, err := strconv.Atoi(subPort[0]) + portStart, err := strconv.Atoi(strings.Trim(subPorts[0], "[ ]")) if err != nil || portStart < 0 || portStart > 65535 { return nil, errPayload } - if subPortLen == 1 { + if subPortsLen == 1 { portList = append(portList, portReal{portStart, -1}) - } else if subPortLen == 2 { - portEnd, err1 := strconv.Atoi(subPort[1]) + } else if subPortsLen == 2 { + portEnd, err1 := strconv.Atoi(strings.Trim(subPorts[1], "[ ]")) if err1 != nil || portEnd < 0 || portEnd > 65535 { return nil, errPayload }
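Review bot: The new per-half `strings.Trim(subPorts[0], "[ ]")` treats its second argument as a set of characters, so any mix of brackets and spaces at either end of each half is silently stripped. Constructed inputs such as `123]` or `]137-139[` therefore parse as valid, and `[137]-[139]` is accepted alongside `[137-139]`. If the brackets are meant as syntax, strip exactly one matched pair from the whole item before splitting, e.g. `s := strings.TrimSpace(p)` followed by `s = strings.TrimSuffix(strings.TrimPrefix(s, "["), "]")`, and let `strconv.Atoi` reject the rest. The visible lines also show no check that `portEnd` is not below `portStart`; NewPort continues past the hunk, so that may be handled later. The `else if subPortsLen == 2` could be a plain `else`, since lengths above 2 have already returned.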