diff --git a/binaries/aarch64/nfqws b/binaries/aarch64/nfqws
index f2b8684..4fd9fb0 100755
Binary files a/binaries/aarch64/nfqws and b/binaries/aarch64/nfqws differ
diff --git a/binaries/aarch64/tpws b/binaries/aarch64/tpws
index c223c49..05a9062 100755
Binary files a/binaries/aarch64/tpws and b/binaries/aarch64/tpws differ
diff --git a/binaries/armhf/nfqws b/binaries/armhf/nfqws
index 9af0dca..20edc2a 100755
Binary files a/binaries/armhf/nfqws and b/binaries/armhf/nfqws differ
diff --git a/binaries/armhf/tpws b/binaries/armhf/tpws
index 2b9d800..cd2ec1b 100755
Binary files a/binaries/armhf/tpws and b/binaries/armhf/tpws differ
diff --git a/binaries/mips32r1-lsb/nfqws b/binaries/mips32r1-lsb/nfqws
index 1108cdb..f05156e 100755
Binary files a/binaries/mips32r1-lsb/nfqws and b/binaries/mips32r1-lsb/nfqws differ
diff --git a/binaries/mips32r1-lsb/tpws b/binaries/mips32r1-lsb/tpws
index feb9c25..e9bd370 100755
Binary files a/binaries/mips32r1-lsb/tpws and b/binaries/mips32r1-lsb/tpws differ
diff --git a/binaries/mips32r1-msb/nfqws b/binaries/mips32r1-msb/nfqws
index e35e039..cfd9a32 100755
Binary files a/binaries/mips32r1-msb/nfqws and b/binaries/mips32r1-msb/nfqws differ
diff --git a/binaries/mips32r1-msb/tpws b/binaries/mips32r1-msb/tpws
index ac868f9..02ac868 100755
Binary files a/binaries/mips32r1-msb/tpws and b/binaries/mips32r1-msb/tpws differ
diff --git a/binaries/mips64r2-msb/nfqws b/binaries/mips64r2-msb/nfqws
index c113d47..d8dfb8d 100755
Binary files a/binaries/mips64r2-msb/nfqws and b/binaries/mips64r2-msb/nfqws differ
diff --git a/binaries/mips64r2-msb/tpws b/binaries/mips64r2-msb/tpws
index 6fe4e63..e92791b 100755
Binary files a/binaries/mips64r2-msb/tpws and b/binaries/mips64r2-msb/tpws differ
diff --git a/binaries/ppc/nfqws b/binaries/ppc/nfqws
index 805ffcf..973eb55 100755
Binary files a/binaries/ppc/nfqws and b/binaries/ppc/nfqws differ
diff --git a/binaries/ppc/tpws b/binaries/ppc/tpws
index 910e5fc..219ac7f 100755
Binary files a/binaries/ppc/tpws and b/binaries/ppc/tpws differ
diff --git a/binaries/x86/nfqws b/binaries/x86/nfqws
index 39a5809..4334665 100755
Binary files a/binaries/x86/nfqws and b/binaries/x86/nfqws differ
diff --git a/binaries/x86/tpws b/binaries/x86/tpws
index 56aa5f0..d0878cd 100755
Binary files a/binaries/x86/tpws and b/binaries/x86/tpws differ
diff --git a/binaries/x86_64/nfqws b/binaries/x86_64/nfqws
index 81b24b9..50cda9e 100755
Binary files a/binaries/x86_64/nfqws and b/binaries/x86_64/nfqws differ
diff --git a/binaries/x86_64/tpws b/binaries/x86_64/tpws
index 17fb0ee..820f054 100755
Binary files a/binaries/x86_64/tpws and b/binaries/x86_64/tpws differ
diff --git a/nfq/nfqws.c b/nfq/nfqws.c
index 2304aee..3696978 100644
--- a/nfq/nfqws.c
+++ b/nfq/nfqws.c
@@ -365,31 +365,52 @@ static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); } -bool dropcaps() +bool setpcap(cap_value_t *caps,int ncaps) { - cap_value_t cap_values[] = {CAP_NET_ADMIN}; cap_t capabilities; + if (!(capabilities = cap_init())) - { - perror("cap_init"); return false; - } - if (cap_set_flag(capabilities, CAP_PERMITTED, sizeof(cap_values)/sizeof(*cap_values), cap_values, CAP_SET) || - cap_set_flag(capabilities, CAP_EFFECTIVE, sizeof(cap_values)/sizeof(*cap_values), cap_values, CAP_SET)) + + if (ncaps && (cap_set_flag(capabilities, CAP_PERMITTED, ncaps, caps, CAP_SET) || + cap_set_flag(capabilities, CAP_EFFECTIVE, ncaps, caps, CAP_SET))) { - perror("cap_set_flag"); cap_free(capabilities); return false; } if (cap_set_proc(capabilities)) { - perror("cap_set_proc"); cap_free(capabilities); return false; } cap_free(capabilities); return true; } +bool dropcaps() +{ + // must have CAP_SETPCAP at the end. its required to clear bounding set + cap_value_t cap_values[] = {CAP_NET_ADMIN,CAP_SETPCAP}; + int capct=sizeof(cap_values)/sizeof(*cap_values); + + if (setpcap(cap_values, capct)) + { + for(int cap=0;cap<=CAP_LAST_CAP;cap++) + { + if (cap_drop_bound(cap)) + { + perror("cap_drop_bound"); + return false; + } + } + } + // now without CAP_SETPCAP + if (!setpcap(cap_values, capct - 1)) + { + perror("setpcap"); + return false; + } + return true; +} bool droproot(uid_t uid, gid_t gid) { if (uid || gid) diff --git a/tpws/tpws.c b/tpws/tpws.c index bfccc6b..21ec600 100644 --- a/tpws/tpws.c +++ b/tpws/tpws.c @@ -24,6 +24,7 @@ #include #include #include +#include #include "tpws.h" #include "tpws_conn.h" 
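Review bot: The bounding-set loop in the new dropcaps() stops at the build-time CAP_LAST_CAP, so on a kernel newer than the headers nfqws was compiled against, every capability numbered above that value stays in the bounding set and is never dropped. cap_drop_bound() reports an unknown capability index with EINVAL, so the loop should run until that error rather than to a compile-time limit (errno.h is needed if nfqws.c does not already include it); breaking on EINVAL also keeps a kernel older than the headers from failing dropcaps() outright, and the same loop appears in the tpws.c dropcaps() hunk further down. A second, smaller point: setpcap() now returns false without any diagnostic, and dropcaps() treats a failure of the first setpcap() call as "no CAP_SETPCAP" and silently skips clearing the bounding set, so the hardening can degrade with nothing on stderr; that branch should at least be logged.
```c
bool dropcaps()
{
	// … unchanged: cap_values / capct setup …
	if (setpcap(cap_values, capct))
	{
		// CAP_LAST_CAP is the build-time value; the running kernel may know more
		// capabilities, so drop until the kernel rejects the index (EINVAL).
		for (int cap = 0; ; cap++)
		{
			if (cap_drop_bound(cap))
			{
				if (errno == EINVAL)
					break;	// past the running kernel's last capability
				perror("cap_drop_bound");
				return false;
			}
		}
	}
	else
		fprintf(stderr, "setpcap(CAP_SETPCAP) failed, bounding set not cleared\n");
	// … unchanged: second setpcap() without CAP_SETPCAP …
}
```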
@@ -102,13 +103,6 @@ size_t send_with_flush(int sockfd, const void *buf, size_t len, int flags) return wr; } -void close_tcp_conn(tproxy_conn_t *conn, struct tailhead *conn_list, - struct tailhead *close_list) { - conn->state = CONN_CLOSED; - TAILQ_REMOVE(conn_list, conn, conn_ptrs); - TAILQ_INSERT_TAIL(close_list, conn, conn_ptrs); -} - #define RD_BLOCK_SIZE 8192 // pHost points to "Host: ..." @@ -278,7 +272,8 @@ void modify_tcp_segment(char *segment,size_t *size,size_t *split_pos) } -bool handle_epollin(tproxy_conn_t *conn, ssize_t *data_transferred) { +bool handle_epollin(tproxy_conn_t *conn, ssize_t *data_transferred) +{ int numbytes; int fd_in, fd_out; bool bOutgoing; @@ -351,7 +346,8 @@ bool handle_epollin(tproxy_conn_t *conn, ssize_t *data_transferred) { return rd != -1 && wr != -1; } -void remove_closed_connections(struct tailhead *close_list) { +void remove_closed_connections(struct tailhead *close_list) +{ tproxy_conn_t *conn = NULL; while (close_list->tqh_first != NULL) { @@ -367,7 +363,15 @@ void remove_closed_connections(struct tailhead *close_list) { } } -int event_loop(int listen_fd) { +void close_tcp_conn(tproxy_conn_t *conn, struct tailhead *conn_list, struct tailhead *close_list) +{ + conn->state = CONN_CLOSED; + TAILQ_REMOVE(conn_list, conn, conn_ptrs); + TAILQ_INSERT_TAIL(close_list, conn, conn_ptrs); +} + +int event_loop(int listen_fd) +{ int retval = 0, num_events = 0; int tmp_fd = 0; //Used to temporarily hold the accepted file descriptor tproxy_conn_t *conn = NULL; @@ -483,7 +487,8 @@ int event_loop(int listen_fd) { return retval; } -int8_t block_sigpipe() { +int8_t block_sigpipe() +{ sigset_t sigset; memset(&sigset, 0, sizeof(sigset)); 
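Review bot: close_tcp_conn() is moved above event_loop() without a comment stating what callers may rely on: it only marks the connection closed and relinks it from conn_list to close_list, it does not free it, and release appears to be deferred to remove_closed_connections() draining close_list in the hunk above (inferred from the loop header, the rest of that function is not visible here). Suggest a one-line header on the moved definition, `// Mark conn closed and move it from conn_list to close_list; the entry itself is released later when close_list is drained.`. The other hunks on this line are brace-placement changes only.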
@@ -790,29 +795,61 @@ void daemonize() /* stderror */ } -bool dropcaps() +bool setpcap(cap_value_t *caps,int ncaps) { cap_t capabilities; - + if (!(capabilities = cap_init())) + return false; + + if (ncaps && (cap_set_flag(capabilities, CAP_PERMITTED, ncaps, caps, CAP_SET) || + cap_set_flag(capabilities, CAP_EFFECTIVE, ncaps, caps, CAP_SET))) { - perror("cap_init"); + cap_free(capabilities); return false; } if (cap_set_proc(capabilities)) { - perror("cap_set_proc"); cap_free(capabilities); return false; } cap_free(capabilities); return true; } +bool dropcaps() +{ + // must have CAP_SETPCAP at the end. its required to clear bounding set + cap_value_t cap_values[] = {CAP_SETPCAP}; + int capct=sizeof(cap_values)/sizeof(*cap_values); + if (setpcap(cap_values, capct)) + { + for(int cap=0;cap<=CAP_LAST_CAP;cap++) + { + if (cap_drop_bound(cap)) + { + perror("cap_drop_bound"); + return false; + } + } + } + // now without CAP_SETPCAP + if (!setpcap(cap_values, capct - 1)) + { + perror("setpcap"); + return false; + } + return true; +} bool droproot() { if (params.uid || params.gid) { + if (prctl(PR_SET_KEEPCAPS, 1L)) + { + perror("prctl(PR_SET_KEEPCAPS): "); + return false; + } if (setgid(params.gid)) { perror("setgid: ");