documentation: TLS fragment

docs/configuration/route/rule_action.md

@@ -2,6 +2,11 @@
 icon: material/new-box
 ---
 
+!!! quote "Changes in sing-box 1.12.0"
+
+    :material-plus: [tls_fragment](#tls_fragment)  
+    :material-plus: [tls_fragment_fallback_delay](#tls_fragment_fallback_delay)
+
 ## Final actions
 
 ### route
@@ -81,7 +86,9 @@ Not available when `method` is set to drop.
   "fallback_delay": "",
   "udp_disable_domain_unmapping": false,
   "udp_connect": false,
-  "udp_timeout": ""
+  "udp_timeout": "",
+  "tls_fragment": false,
+  "tls_fragment_fallback_delay": ""
 }
 ```
 
@@ -148,6 +155,28 @@ If no protocol is sniffed, the following ports will be recognized as protocols b
 | 443  | `quic`   |
 | 3478 | `stun`   |
 
+#### tls_fragment
+
+!!! question "Since sing-box 1.12.0"
+
+Fragment TLS handshakes to bypass firewalls.
+
+This feature is intended to circumvent simple firewalls based on **plaintext packet matching**, and should not be used to circumvent real censorship.
+
+Since it is not designed for performance, it should not be applied to all connections, but only to server names that are known to be blocked.
+
+On Linux, Apple platforms, (administrator privileges required) Windows, the wait time can be automatically detected, otherwise it will fall back to waiting for a fixed time specified by `tls_fragment_fallback_delay`.
+
+In addition, if the actual wait time is less than 20ms, it will also fall back to waiting for a fixed time, because the target is considered to be local or behind a transparent proxy.
+
+#### tls_fragment_fallback_delay
+
+!!! question "Since sing-box 1.12.0"
+
+The fallback value used when TLS segmentation cannot automatically determine the wait time.
+
+`500ms` is used by default.
+
 ### sniff
 
 ```json