major config re-think and re-write

2025-05-24 22:32:58 +03:00 · 2024-10-25 14:29:47 +03:00
parent d86aa42f48
commit 906e67af55
39 changed files with 963 additions and 1340 deletions
--- a/common/base.sh
+++ b/common/base.sh
@@ -62,6 +62,10 @@ starts_with()
 }
 find_str_in_list()
 {
+	# $1 - string
+	# $2 - space separated values
+
+	local v
 	[ -n "$1" ] && {
 		for v in $2; do
 			[ "$v" = "$1" ] && return 0
@@ -74,6 +78,19 @@ end_with_newline()
 	local c="$(tail -c 1)"
 	[ "$c" = "" ]
 }
+trim()
+{
+	awk '{gsub(/^ +| +$/,"")}1'
+}
+
+dir_is_not_empty()
+{
+	# $1 - directory
+	local n
+	[ -d "$1" ] || return 1
+	n=$(ls "$1" | wc -c | xargs)
+	[ "$n" != 0 ]
+}

 append_separator_list()
 {
@@ -275,6 +292,14 @@ replace_char()
 	echo "$@" | tr $a $b
 }

+replace_str()
+{
+	local a=$(echo "$1" | sed 's/\//\\\//g')
+	local b=$(echo "$2" | sed 's/\//\\\//g')
+	shift; shift
+	echo "$@" | sed "s/$a/$b/g"
+}
+
 setup_md5()
 {
 	[ -n "$MD5" ] && return
@@ -350,10 +375,41 @@ alloc_num()

 std_ports()
 {
-        HTTP_PORTS=${HTTP_PORTS:-80}
-	HTTPS_PORTS=${HTTPS_PORTS:-443}
-	QUIC_PORTS=${QUIC_PORTS:-443}
-        HTTP_PORTS_IPT=$(replace_char - : $HTTP_PORTS)
-        HTTPS_PORTS_IPT=$(replace_char - : $HTTPS_PORTS)
-        QUIC_PORTS_IPT=$(replace_char - : $QUIC_PORTS)
+	TPWS_PORTS_IPT=$(replace_char - : $TPWS_PORTS)
+	NFQWS_PORTS_TCP_IPT=$(replace_char - : $NFQWS_PORTS_TCP)
+	NFQWS_PORTS_TCP_KEEPALIVE_IPT=$(replace_char - : $NFQWS_PORTS_TCP_KEEPALIVE)
+	NFQWS_PORTS_UDP_IPT=$(replace_char - : $NFQWS_PORTS_UDP)
+	NFQWS_PORTS_UDP_KEEPALIVE_IPT=$(replace_char - : $NFQWS_PORTS_UDP_KEEPALIVE)
+}
+
+has_bad_ws_options()
+{
+	# $1 - nfqws/tpws opts
+	# <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
+	# <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
+	# <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> custom script.
+	# custom script - <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
+	# <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> IPSET <20> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> nfqws <20> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
+	# --ipset <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20> LINUX <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> ipset (<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, Android).
+	# <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> LINUX <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
+	contains "$1" "--ipset"
+}
+check_bad_ws_options()
+{
+	# $1 - 0 = stop, 1 = start
+	# $2 - nfqws/tpws options
+	if [ "$1" = 1 ] && has_bad_ws_options "$2"; then
+		echo "!!! REFUSING TO USE BAD OPTIONS : $2"
+		return 1
+	else
+		return 0
+	fi
+}
+help_bad_ws_options()
+{
+	echo "WARNING ! you have specified --ipset option"
+	echo "WARNING ! it would work but on $UNAME it's not the best option"
+	echo "WARNING ! you should use kernel mode sets. they are much more efficient."
+	echo "WARNING ! to use ipsets you have to write your own custom script"
+	echo "WARNING ! installer will stop here to prevent distribution of easy to use but bad copy-paste solutions"
 }
--- a/common/custom.sh
+++ b/common/custom.sh
@@ -7,14 +7,8 @@ custom_runner()

 	shift

-	[ -f "$CUSTOM_DIR/custom" ] && {
-		unset -f $FUNC
-		. "$CUSTOM_DIR/custom"
-		existf $FUNC && $FUNC "$@"
-	}
 	[ -d "$CUSTOM_DIR/custom.d" ] && {
-		n=$(ls "$CUSTOM_DIR/custom.d" | wc -c | xargs)
-		[ "$n" = 0 ] || {
+		dir_is_not_empty "$CUSTOM_DIR/custom.d" && {
 			for script in "$CUSTOM_DIR/custom.d/"*; do
 				[ -f "$script" ] || continue
 				unset -f $FUNC
--- a/common/installer.sh
+++ b/common/installer.sh
@@ -1,4 +1,4 @@
-GET_LIST_PREFIX=/ipset/get_
+readonly GET_LIST_PREFIX=/ipset/get_

 SYSTEMD_DIR=/lib/systemd
 [ -d "$SYSTEMD_DIR" ] || SYSTEMD_DIR=/usr/lib/systemd
@@ -15,13 +15,99 @@ exitp()
 	exit $1
 }

+extract_var_def()
+{
+	# $1 - var name
+	# this sed script parses single or multi line shell var assignments with optional ' or " enclosure
+	sed -n \
+"/^$1=\"/ {
+:s1
+/\".*\"/ {
+ p
+ b
+}
+N
+t c1
+b s1
+:c1
+}
+/^$1='/ {
+:s2
+/'.*'/ {
+ p
+ b
+}
+N
+t c2
+b s2
+:c2
+}
+/^$1=/p
+"
+}
+replace_var_def()
+{
+	# $1 - var name
+	# $2 - new val
+	# $3 - conf file
+	# this sed script replaces single or multi line shell var assignments with optional ' or " enclosure
+	local repl
+	if [ -z "$2" ]; then
+		repl="#$1="
+	elif contains "$2" " "; then
+		repl="$1=\"$2\""
+	else
+		repl="$1=$2"
+	fi
+	local script=\
+"/^#*[[:space:]]*$1=\"/ {
+:s1
+/\".*\"/ {
+ c\\
+$repl
+ b
+}
+N
+t c1
+b s1
+:c1
+}
+/^#*[[:space:]]*$1='/ {
+:s2
+/'.*'/ {
+ c\\
+$repl
+ b
+}
+N
+t c2
+b s2
+:c2
+}
+/^#*[[:space:]]*$1=/c\\
+$repl"
+	# there's incompatibility with -i option on MacOS/BSD and busybox/GNU
+	if [ "$UNAME" = "Linux" ]; then
+		sed -i -e "$script" "$3"
+	else
+		sed -i '' -e "$script" "$3"
+	fi
+}
+
 parse_var_checked()
 {
 	# $1 - file name
 	# $2 - var name
-	local sed="sed -nre s/^[[:space:]]*$2=[\\\"|\']?([^\\\"|\']*)[\\\"|\']?/\1/p"
-	local v="$($sed <"$1" | tail -n 1)"
-	eval $2=\"$v\"
+
+	local tmp="/tmp/zvar-pid-$$.sh"
+	local v
+	cat "$1" | extract_var_def "$2" >"$tmp"
+	. "$tmp"
+	rm -f "$tmp"
+	eval v="\$$2"
+	# trim
+	v="$(echo "$v" | trim)"
+	eval $2=\""$v"\"
 }
 parse_vars_checked()
 {
@@ -48,22 +134,44 @@ edit_file()
 	}
 	[ -n "$ed" ] && "$ed" "$1"
 }
+echo_var()
+{
+	local v
+	eval v="\$$1"
+	if find_str_in_list $1 "$EDITVAR_NEWLINE_VARS"; then
+		echo "$1=\""
+		echo "$v\"" | sed "s/$EDITVAR_NEWLINE_DELIMETER /$EDITVAR_NEWLINE_DELIMETER\n/g"
+	else
+		if contains "$v" " "; then
+			echo $1=\"$v\"
+		else
+			echo $1=$v
+		fi
+	fi
+}
 edit_vars()
 {
 	# $1,$2,... - var names
-	local n=1 var v tmp="/tmp/zvars"
+	local n=1 var tmp="/tmp/zvars-pid-$$.txt"
 	rm -f "$tmp"
-	while [ 1=1 ]; do
+	while : ; do
 		eval var="\${$n}"
 		[ -n "$var" ] || break
-		eval v="\$$var"
-		echo $var=\"$v\" >>"$tmp"
+		echo_var $var >> "$tmp"
 		n=$(($n+1))
 	done
 	edit_file "$tmp" && parse_vars_checked "$tmp" "$@"
 	rm -f "$tmp"
 }

+list_vars()
+{
+	while [ -n "$1" ] ; do
+		echo_var $1
+		shift
+	done
+}
+
 openrc_test()
 {
 	exists rc-update || return 1
@@ -483,30 +591,14 @@ write_config_var()
 	# $1 - mode var
 	local M
 	eval M="\$$1"
-
-	if grep -q "^$1=\|^#$1=" "$ZAPRET_CONFIG"; then
-		# replace / => \/
-		#M=${M//\//\\\/}
-		M=$(echo $M | sed 's/\//\\\//g')
-		if [ -n "$M" ]; then
-			if contains "$M" " "; then
-				sedi -Ee "s/^#?$1=.*$/$1=\"$M\"/" "$ZAPRET_CONFIG"
-			else
-				sedi -Ee "s/^#?$1=.*$/$1=$M/" "$ZAPRET_CONFIG"
-			fi
-		else
-			# write with comment at the beginning
-			sedi -Ee "s/^#?$1=.*$/#$1=/" "$ZAPRET_CONFIG"
-		fi
-	else
+	# replace / => \/
+	#M=${M//\//\\\/}
+	M=$(echo $M | sed 's/\//\\\//g' | trim)
+	grep -q "^[[:space:]]*$1=\|^#*[[:space:]]*$1=" "$ZAPRET_CONFIG" || {
 		# var does not exist in config. add it
-		contains "$M" " " && M="\"$M\""
-		if [ -n "$M" ]; then
-			echo "$1=$M" >>"$ZAPRET_CONFIG"
-		else
-			echo "#$1=$M" >>"$ZAPRET_CONFIG"
-		fi
-	fi
+		echo $1= >>"$ZAPRET_CONFIG"
+	}
+	replace_var_def $1 "$M" "$ZAPRET_CONFIG"
 }

 check_prerequisites_linux()
--- a/common/ipt.sh
+++ b/common/ipt.sh
@@ -48,28 +48,6 @@ is_ipt_flow_offload_avail()
 	grep -q FLOWOFFLOAD 2>/dev/null /proc/net/ip$1_tables_targets
 }

-filter_apply_port_target()
-{
-	# $1 - var name of iptables filter
-	local f
-	if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
-		f="-p tcp -m multiport --dports $HTTP_PORTS_IPT,$HTTPS_PORTS_IPT"
-	elif [ "$MODE_HTTPS" = "1" ]; then
-		f="-p tcp -m multiport --dports $HTTPS_PORTS_IPT"
-	elif [ "$MODE_HTTP" = "1" ]; then
-		f="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
-	else
-		echo WARNING !!! HTTP and HTTPS are both disabled
-	fi
-	eval $1="\"\$$1 $f\""
-}
-filter_apply_port_target_quic()
-{
-	# $1 - var name of nftables filter
-	local f
-	f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
-	eval $1="\"\$$1 $f\""
-}
 filter_apply_ipset_target4()
 {
 	# $1 - var name of ipv4 iptables filter
@@ -220,7 +198,7 @@ _fw_nfqws_post4()

 		ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)"

-		rule="$2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass"
+		rule="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK $2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass"
 		if [ -n "$4" ] ; then
 			for i in $4; do
 				ipt_add_del $1 POSTROUTING -t mangle -o $i $rule
@@ -241,7 +219,7 @@ _fw_nfqws_post6()

 		ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)" 6

-		rule="$2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass"
+		rule="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK $2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass"
 		if [ -n "$4" ] ; then
 			for i in $4; do
 				ipt6_add_del $1 POSTROUTING -t mangle -o $i $rule
@@ -320,27 +298,13 @@ fw_nfqws_pre()
 }


-produce_reverse_nfqws_rule()
-{
-	local rule="$1"
-	if contains "$rule" "$ipt_connbytes"; then
-		# autohostlist - need several incoming packets
-		# autottl - need only one incoming packet
-		[ "$MODE_FILTER" = autohostlist ] || rule=$(echo "$rule" | sed -re "s/$ipt_connbytes [0-9]+:[0-9]+/$ipt_connbytes 1:1/")
-	else
-		local n=1
-		[ "$MODE_FILTER" = autohostlist ] && n=$(first_packets_for_mode)
-		rule="$ipt_connbytes 1:$n $rule"
-	fi
-	echo "$rule" | reverse_nfqws_rule_stream
-}
 fw_reverse_nfqws_rule4()
 {
-	fw_nfqws_pre4 $1 "$(produce_reverse_nfqws_rule "$2")" $3
+	fw_nfqws_pre4 $1 "$(reverse_nfqws_rule "$2")" $3
 }
 fw_reverse_nfqws_rule6()
 {
-	fw_nfqws_pre6 $1 "$(produce_reverse_nfqws_rule "$2")" $3
+	fw_nfqws_pre6 $1 "$(reverse_nfqws_rule "$2")" $3
 }
 fw_reverse_nfqws_rule()
 {
@@ -353,93 +317,66 @@ fw_reverse_nfqws_rule()
 	fw_reverse_nfqws_rule6 $1 "$3" $4
 }

+ipt_first_packets()
+{
+	# $1 - packet count
+	[ -n "$1" -a "$1" != keepalive ] && [ "$1" -ge 1 ] && echo "$ipt_connbytes 1:$1"
+}
+ipt_do_nfqws_in_out()
+{
+	# $1 - 1 - add, 0 - del
+	# $2 - tcp,udp
+	# $3 - ports
+	# $4 - PKT_OUT. special value : 'keepalive'
+	# $5 - PKT_IN
+	local f4 f6 first_packets_only
+	[ -n "$3" ] || return
+	[ -n "$4" -a "$4" != 0 ] &&
+	{
+		first_packets_only="$(ipt_first_packets $4)"
+		f4="-p $2 -m multiport --dports $3 $first_packets_only"
+		f6=$f4
+		filter_apply_ipset_target f4 f6
+		fw_nfqws_post $1 "$f4" "$f6" $QNUM
+	}
+	[ -n "$5" -a "$5" != 0 ] &&
+	{
+		first_packets_only="$(ipt_first_packets $5)"
+		f4="-p $2 -m multiport --dports $3  $first_packets_only"
+		f6=$f4
+		filter_apply_ipset_target f4 f6
+		fw_reverse_nfqws_rule $1 "$f4" "$f6" $QNUM
+	}
+}
+
+zapret_do_firewall_standard_rules_ipt()
+{
+	# $1 - 1 - add, 0 - del
+
+	local f4 f6
+
+	[ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] &&
+	{
+		f4="-p tcp -m multiport --dports $TPWS_PORTS_IPT"
+		f6=$f4
+		filter_apply_ipset_target f4 f6
+		fw_tpws $1 "$f4" "$f6" $TPPORT
+	}
+	[ "$NFQWS_ENABLE" = 1 ] &&
+	{
+		ipt_do_nfqws_in_out $1 tcp "$NFQWS_PORTS_TCP_IPT" "$NFQWS_TCP_PKT_OUT" "$NFQWS_TCP_PKT_IN"
+		ipt_do_nfqws_in_out $1 tcp "$NFQWS_PORTS_TCP_KEEPALIVE_IPT" keepalive "$NFQWS_TCP_PKT_IN"
+		ipt_do_nfqws_in_out $1 udp "$NFQWS_PORTS_UDP_IPT" "$NFQWS_UDP_PKT_OUT" "$NFQWS_UDP_PKT_IN"
+		ipt_do_nfqws_in_out $1 udp "$NFQWS_PORTS_UDP_KEEPALIVE_IPT" keepalive "$NFQWS_UDP_PKT_IN"
+	}
+}

 zapret_do_firewall_rules_ipt()
 {
-	local mode="${MODE_OVERRIDE:-$MODE}"
+	# $1 - 1 - add, 0 - del

-	local first_packet_only="$ipt_connbytes 1:$(first_packets_for_mode)"
-	local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
-	local n f4 f6 qn qns qn6 qns6
-
-	case "$mode" in
-		tpws)
-			if [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ]; then
-				echo both http and https are disabled. not applying redirection.
-			else
-				filter_apply_port_target f4
-				f6=$f4
-				filter_apply_ipset_target f4 f6
-				fw_tpws $1 "$f4" "$f6" $TPPORT
-			fi
-			;;
-	
-		nfqws)
-			# quite complex but we need to minimize nfqws processes to save RAM
-			get_nfqws_qnums qn qns qn6 qns6
-			if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn" ] && [ "$qn" = "$qns" ]; then
-				filter_apply_port_target f4
-				f4="$f4 $first_packet_only"
-				filter_apply_ipset_target4 f4
-				fw_nfqws_post4 $1 "$f4 $desync" $qn
-				fw_reverse_nfqws_rule4 $1 "$f4" $qn
-			else
-				if [ -n "$qn" ]; then
-					f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
-					[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
-					filter_apply_ipset_target4 f4
-					fw_nfqws_post4 $1 "$f4 $desync" $qn
-					fw_reverse_nfqws_rule4 $1 "$f4" $qn
-				fi
-				if [ -n "$qns" ]; then
-					f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
-					filter_apply_ipset_target4 f4
-					fw_nfqws_post4 $1 "$f4 $desync" $qns
-					fw_reverse_nfqws_rule4 $1 "$f4" $qns
-				fi
-			fi
-			if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn6" ] && [ "$qn6" = "$qns6" ]; then
-				filter_apply_port_target f6
-				f6="$f6 $first_packet_only"
-				filter_apply_ipset_target6 f6
-				fw_nfqws_post6 $1 "$f6 $desync" $qn6
-				fw_reverse_nfqws_rule6 $1 "$f6" $qn6
-			else
-				if [ -n "$qn6" ]; then
-					f6="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
-					[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only"
-					filter_apply_ipset_target6 f6
-					fw_nfqws_post6 $1 "$f6 $desync" $qn6
-					fw_reverse_nfqws_rule6 $1 "$f6" $qn6
-				fi
-				if [ -n "$qns6" ]; then
-					f6="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
-					filter_apply_ipset_target6 f6
-					fw_nfqws_post6 $1 "$f6 $desync" $qns6
-					fw_reverse_nfqws_rule6 $1 "$f6" $qns6
-				fi
-			fi
-
-			get_nfqws_qnums_quic qn qn6
-			if [ -n "$qn" ]; then
-				f4=
-				filter_apply_port_target_quic f4
-				f4="$f4 $first_packet_only"
-				filter_apply_ipset_target4 f4
-				fw_nfqws_post4 $1 "$f4 $desync" $qn
-			fi
-			if [ -n "$qn6" ]; then
-				f6=
-				filter_apply_port_target_quic f6
-				f6="$f6 $first_packet_only"
-				filter_apply_ipset_target6 f6
-				fw_nfqws_post6 $1 "$f6 $desync" $qn6
-			fi
-			;;
-		custom)
-			custom_runner zapret_custom_firewall $1
-			;;
-	esac
+	zapret_do_firewall_standard_rules_ipt $1
+	custom_runner zapret_custom_firewall $1
 }

 zapret_do_firewall_ipt()
@@ -452,10 +389,6 @@ zapret_do_firewall_ipt()
 		echo Clearing iptables
 	fi

-	local mode="${MODE_OVERRIDE:-$MODE}"
-
-	[ "$mode" = "tpws-socks" ] && return 0
-
 	# always create ipsets. ip_exclude ipset is required
 	[ "$1" = 1 ] && create_ipset no-update

--- a/common/linux_fw.sh
+++ b/common/linux_fw.sh
@@ -23,7 +23,7 @@ zapret_do_firewall()
 	# switch on liberal mode on zapret firewall start and switch off on zapret firewall stop
 	# this is only required for processing incoming bad RSTs. incoming rules are only applied in autohostlist mode
 	# calling this after firewall because conntrack module can be not loaded before applying conntrack firewall rules
-	[ "$MODE_FILTER" = "autohostlist" -a "$MODE" != tpws -a "$MODE" != tpws-socks ] && set_conntrack_liberal_mode $1
+	[ "$MODE_FILTER" = "autohostlist" ] && set_conntrack_liberal_mode $1
 	
 	[ "$1" = 1 -a -n "$INIT_FW_POST_UP_HOOK" ] && $INIT_FW_POST_UP_HOOK
 	[ "$1" = 0 -a -n "$INIT_FW_POST_DOWN_HOOK" ] && $INIT_FW_POST_DOWN_HOOK
@@ -38,16 +38,3 @@ zapret_unapply_firewall()
 {
 	zapret_do_firewall 0 "$@"
 }
-
-first_packets_for_mode()
-{
-	# autohostlist and autottl modes requires incoming traffic sample
-	# always use conntrack packet limiter or nfqws will deal with gigabytes
-	local n
-	if [ "$MODE_FILTER" = "autohostlist" ]; then
-		n=$((6+${AUTOHOSTLIST_RETRANS_THRESHOLD:-3}))
-	else
-		n=6
-	fi
-	echo $n
-}
--- a/common/list.sh
+++ b/common/list.sh
@@ -1,3 +1,5 @@
+readonly HOSTLIST_MARKER="<HOSTLIST>"
+
 find_hostlists()
 {
 	[ -n "$HOSTLIST_BASE" ] || HOSTLIST_BASE="$ZAPRET_BASE/ipset"
@@ -18,38 +20,33 @@ find_hostlists()
 	HOSTLIST_AUTO_DEBUGLOG="$HOSTLIST_BASE/zapret-hosts-auto-debug.log"
 }

-filter_apply_autohostlist_target()
-{
-	# $1 - var name of tpws or nfqws params
-	
-	local parm1="${AUTOHOSTLIST_FAIL_THRESHOLD:+--hostlist-auto-fail-threshold=$AUTOHOSTLIST_FAIL_THRESHOLD}"
-	local parm2="${AUTOHOSTLIST_FAIL_TIME:+--hostlist-auto-fail-time=$AUTOHOSTLIST_FAIL_TIME}"
-	local parm3 parm4
-	[ "$MODE" = "tpws" -o "$MODE" = "tpws-socks" ] || parm3="${AUTOHOSTLIST_RETRANS_THRESHOLD:+--hostlist-auto-retrans-threshold=$AUTOHOSTLIST_RETRANS_THRESHOLD}"
-	[ "$AUTOHOSTLIST_DEBUGLOG" = 1 ] && parm4="--hostlist-auto-debug=$HOSTLIST_AUTO_DEBUGLOG"
-	eval $1="\"\$$1 --hostlist-auto=$HOSTLIST_AUTO $parm1 $parm2 $parm3 $parm4\""
-}
-
 filter_apply_hostlist_target()
 {
 	# $1 - var name of tpws or nfqws params

-	[ "$MODE_FILTER" = "hostlist" -o "$MODE_FILTER" = "autohostlist" ] || return
-
-	local HOSTLIST_BASE HOSTLIST HOSTLIST_USER HOSTLIST_EXCLUDE
-
-	find_hostlists
-
-	[ -n "$HOSTLIST" ] && eval $1="\"\$$1 --hostlist=$HOSTLIST\""
-	[ -n "$HOSTLIST_USER" ] && eval $1="\"\$$1 --hostlist=$HOSTLIST_USER\""
-	[ -n "$HOSTLIST_EXCLUDE" ] && eval $1="\"\$$1 --hostlist-exclude=$HOSTLIST_EXCLUDE\""
-	[ "$MODE_FILTER" = "autohostlist" ] && filter_apply_autohostlist_target $1
-}
-
-filter_apply_suffix()
-{
-	# $1 - var name of tpws or nfqws params
-	# $2 - suffix value
-	local v="${2:+ --new $2}"
-	eval $1="\"\$$1$v\""
+	local v parm parm1 parm2 parm3 parm4 parm5 parm6 parm7
+	eval v="\$$1"
+	contains "$v" "$HOSTLIST_MARKER" &&
+	{
+		[ "$MODE_FILTER" = hostlist -o "$MODE_FILTER" = autohostlist ] &&
+		{
+			find_hostlists
+			parm1="${HOSTLIST_USER:+--hostlist=$HOSTLIST_USER}"
+			parm2="${HOSTLIST:+--hostlist=$HOSTLIST}"
+			parm3="${HOSTLIST_EXCLUDE:+--hostlist-exclude=$HOSTLIST_EXCLUDE}"
+			[ "$MODE_FILTER" = autohostlist ] &&
+			{
+				parm4="--hostlist-auto=$HOSTLIST_AUTO"
+				parm5="${AUTOHOSTLIST_FAIL_THRESHOLD:+--hostlist-auto-fail-threshold=$AUTOHOSTLIST_FAIL_THRESHOLD}"
+				parm6="${AUTOHOSTLIST_FAIL_TIME:+--hostlist-auto-fail-time=$AUTOHOSTLIST_FAIL_TIME}"
+				parm7="${AUTOHOSTLIST_RETRANS_THRESHOLD:+--hostlist-auto-retrans-threshold=$AUTOHOSTLIST_RETRANS_THRESHOLD}"
+			}
+			parm="$parm1${parm2:+ $parm2}${parm3:+ $parm3}${parm4:+ $parm4}${parm5:+ $parm5}${parm6:+ $parm6}${parm7:+ $parm7}"
+		}
+		v="$(replace_str $HOSTLIST_MARKER "$parm" "$v")"
+		[ "$MODE_FILTER" = autohostlist -a "$AUTOHOSTLIST_DEBUGLOG" = 1 ] && {
+			v="$v --hostlist-auto-debug=$HOSTLIST_AUTO_DEBUGLOG"
+		}
+		eval $1=\""$v"\"
+	}
 }
--- a/common/nft.sh
+++ b/common/nft.sh
@@ -86,10 +86,16 @@ cat << EOF | nft -f -
 	add rule inet  $ZAPRET_NFT_TABLE localnet_protect ip daddr $TPWS_LOCALHOST4 return comment "route_localnet allow access to tpws"
 	add rule inet  $ZAPRET_NFT_TABLE localnet_protect ip daddr 127.0.0.0/8 drop comment "route_localnet remote access protection"
 	add rule inet  $ZAPRET_NFT_TABLE input iif != lo jump localnet_protect
-	add chain inet $ZAPRET_NFT_TABLE postrouting { type filter hook postrouting priority 99; }
+	add chain inet $ZAPRET_NFT_TABLE postrouting
 	flush chain inet $ZAPRET_NFT_TABLE postrouting
-	add chain inet $ZAPRET_NFT_TABLE postnat { type filter hook postrouting priority 101; }
+	add chain inet $ZAPRET_NFT_TABLE postrouting_hook { type filter hook postrouting priority 99; }
+	flush chain inet $ZAPRET_NFT_TABLE postrouting_hook
+	add rule inet  $ZAPRET_NFT_TABLE postrouting_hook mark and $DESYNC_MARK == 0 jump postrouting
+	add chain inet $ZAPRET_NFT_TABLE postnat
 	flush chain inet $ZAPRET_NFT_TABLE postnat
+	add chain inet $ZAPRET_NFT_TABLE postnat_hook { type filter hook postrouting priority 101; }
+	flush chain inet $ZAPRET_NFT_TABLE postnat_hook
+	add rule inet  $ZAPRET_NFT_TABLE postnat_hook mark and $DESYNC_MARK == 0 jump postnat
 	add chain inet $ZAPRET_NFT_TABLE prerouting { type filter hook prerouting priority -99; }
 	flush chain inet $ZAPRET_NFT_TABLE prerouting
 	add chain inet $ZAPRET_NFT_TABLE prenat { type filter hook prerouting priority -101; }
@@ -107,6 +113,7 @@ cat << EOF | nft -f -
 	add set inet $ZAPRET_NFT_TABLE wanif { type ifname; }
 	add set inet $ZAPRET_NFT_TABLE wanif6 { type ifname; }
 	add map inet $ZAPRET_NFT_TABLE link_local { type ifname : ipv6_addr; }
+
 EOF
 	[ -n "$POSTNAT_ALL" ] && {
 		nft_flush_chain predefrag_nfqws
@@ -118,6 +125,12 @@ nft_del_chains()
 	# do not delete all chains because of additional user hooks
 	# they must be inside zapret table to use nfsets

+	# these chains are newer. do not fail all because chains are not present
+cat << EOF | nft -f - 2>/dev/null
+	delete chain inet $ZAPRET_NFT_TABLE postrouting_hook
+	delete chain inet $ZAPRET_NFT_TABLE postnat_hook
+EOF
+
 cat << EOF | nft -f - 2>/dev/null
 	delete chain inet $ZAPRET_NFT_TABLE dnat_output
 	delete chain inet $ZAPRET_NFT_TABLE dnat_pre
@@ -285,28 +298,6 @@ nft_apply_flow_offloading()



-nft_filter_apply_port_target()
-{
-	# $1 - var name of nftables filter
-	local f
-	if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
-		f="tcp dport {$HTTP_PORTS,$HTTPS_PORTS}"
-	elif [ "$MODE_HTTPS" = "1" ]; then
-		f="tcp dport {$HTTPS_PORTS}"
-	elif [ "$MODE_HTTP" = "1" ]; then
-		f="tcp dport {$HTTP_PORTS}"
-	else
-		echo WARNING !!! HTTP and HTTPS are both disabled
-	fi
-	eval $1="\"\$$1 $f\""
-}
-nft_filter_apply_port_target_quic()
-{
-	# $1 - var name of nftables filter
-	local f
-	f="udp dport {$QUIC_PORTS}"
-	eval $1="\"\$$1 $f\""
-}
 nft_filter_apply_ipset_target4()
 {
 	# $1 - var name of ipv4 nftables filter
@@ -592,29 +583,13 @@ zapret_list_table()



-nft_produce_reverse_nfqws_rule()
-{
-	local rule="$1"
-	if contains "$rule" "$nft_connbytes "; then
-		# autohostlist - need several incoming packets
-		# autottl - need only one incoming packet
-		[ "$MODE_FILTER" = autohostlist ] || rule=$(echo "$rule" | sed -re "s/$nft_connbytes [0-9]+-[0-9]+/$nft_connbytes 1/")
-	else
-		# old nft does not swallow 1-1
-		local range=1
-		[ "$MODE_FILTER" = autohostlist ] && range=$(first_packets_for_mode)
-		[ "$range" = 1 ] || range="1-$range"
-		rule="$nft_connbytes $range $rule"
-	fi
-	nft_reverse_nfqws_rule $rule
-}
 nft_fw_reverse_nfqws_rule4()
 {
-	nft_fw_nfqws_pre4 "$(nft_produce_reverse_nfqws_rule "$1")" $2
+	nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule "$1")" $2
 }
 nft_fw_reverse_nfqws_rule6()
 {
-	nft_fw_nfqws_pre6 "$(nft_produce_reverse_nfqws_rule "$1")" $2
+	nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule "$1")" $2
 }
 nft_fw_reverse_nfqws_rule()
 {
@@ -626,108 +601,75 @@ nft_fw_reverse_nfqws_rule()
 	nft_fw_reverse_nfqws_rule6 "$2" $3
 }

+nft_first_packets()
+{
+	# $1 - packet count
+	[ -n "$1" -a "$1" != keepalive ] && [ "$1" -ge 1 ] &&
+	{
+		if [ "$1" = 1 ] ; then
+			echo "$nft_connbytes 1"
+		else
+			echo "$nft_connbytes 1-$1"
+		fi
+	}
+}
+
+nft_apply_nfqws_in_out()
+{
+	# $1 - tcp,udp
+	# $2 - ports
+	# $3 - PKT_OUT. special value : 'keepalive'
+	# $4 - PKT_IN
+	local f4 f6 first_packets_only
+	[ -n "$2" ] || return
+	[ -n "$3" -a "$3" != 0 ] &&
+	{
+		first_packets_only="$(nft_first_packets $3)"
+		f4="$1 dport {$2} $first_packets_only"
+		f6=$f4
+		nft_filter_apply_ipset_target f4 f6
+		nft_fw_nfqws_post "$f4" "$f6" $QNUM
+	}
+	[ -n "$4" -a "$4" != 0 ] &&
+	{
+		first_packets_only="$(nft_first_packets $4)"
+		f4="$1 dport {$2} $first_packets_only"
+		f6=$f4
+		nft_filter_apply_ipset_target f4 f6
+		nft_fw_reverse_nfqws_rule "$f4" "$f6" $QNUM
+	}
+}
+
+zapret_apply_firewall_standard_rules_nft()
+{
+	local f4 f6
+
+	[ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] &&
+	{
+		f4="tcp dport {$TPWS_PORTS}"
+		f6=$f4
+		nft_filter_apply_ipset_target f4 f6
+		nft_fw_tpws "$f4" "$f6" $TPPORT
+	}
+	[ "$NFQWS_ENABLE" = 1 ] &&
+	{
+		nft_apply_nfqws_in_out tcp "$NFQWS_PORTS_TCP" "$NFQWS_TCP_PKT_OUT" "$NFQWS_TCP_PKT_IN"
+		nft_apply_nfqws_in_out tcp "$NFQWS_PORTS_TCP_KEEPALIVE" keepalive "$NFQWS_TCP_PKT_IN"
+		nft_apply_nfqws_in_out udp "$NFQWS_PORTS_UDP" "$NFQWS_UDP_PKT_OUT" "$NFQWS_UDP_PKT_IN"
+		nft_apply_nfqws_in_out udp "$NFQWS_PORTS_UDP_KEEPALIVE" keepalive "$NFQWS_UDP_PKT_IN"
+	}
+}
+
 zapret_apply_firewall_rules_nft()
 {
-	local mode="${MODE_OVERRIDE:-$MODE}"
-
-	local first_packets_only
-	local desync="mark and $DESYNC_MARK == 0"
-	local f4 f6 qn qns qn6 qns6
-	
-	first_packets_only="$nft_connbytes 1-$(first_packets_for_mode)"
-
-	case "$mode" in
-		tpws)
-			if [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ]; then
-				echo both http and https are disabled. not applying redirection.
-			else
-				nft_filter_apply_port_target f4
-				f6=$f4
-				nft_filter_apply_ipset_target f4 f6
-				nft_fw_tpws "$f4" "$f6" $TPPORT
-			fi
-			;;
-		nfqws)
-			local POSTNAT_SAVE=$POSTNAT
-
-			POSTNAT=1
-			# quite complex but we need to minimize nfqws processes to save RAM
-			get_nfqws_qnums qn qns qn6 qns6
-			if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn" ] && [ "$qn" = "$qns" ]; then
-				nft_filter_apply_port_target f4
-				f4="$f4 $first_packets_only"
-				nft_filter_apply_ipset_target4 f4
-				nft_fw_nfqws_post4 "$f4 $desync" $qn
-				nft_fw_reverse_nfqws_rule4 "$f4" $qn
-			else
-				if [ -n "$qn" ]; then
-					f4="tcp dport {$HTTP_PORTS}"
-					[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packets_only"
-					nft_filter_apply_ipset_target4 f4
-					nft_fw_nfqws_post4 "$f4 $desync" $qn
-					nft_fw_reverse_nfqws_rule4 "$f4" $qn
-				fi
-				if [ -n "$qns" ]; then
-					f4="tcp dport {$HTTPS_PORTS} $first_packets_only"
-					nft_filter_apply_ipset_target4 f4
-					nft_fw_nfqws_post4 "$f4 $desync" $qns
-					nft_fw_reverse_nfqws_rule4 "$f4" $qns
-				fi
-			fi
-			if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn6" ] && [ "$qn6" = "$qns6" ]; then
-				nft_filter_apply_port_target f6
-				f6="$f6 $first_packets_only"
-				nft_filter_apply_ipset_target6 f6
-				nft_fw_nfqws_post6 "$f6 $desync" $qn6
-				nft_fw_reverse_nfqws_rule6 "$f6" $qn6
-			else
-				if [ -n "$qn6" ]; then
-					f6="tcp dport {$HTTP_PORTS}"
-					[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packets_only"
-					nft_filter_apply_ipset_target6 f6
-					nft_fw_nfqws_post6 "$f6 $desync" $qn6
-					nft_fw_reverse_nfqws_rule6 "$f6" $qn6
-				fi
-				if [ -n "$qns6" ]; then
-					f6="tcp dport {$HTTPS_PORTS} $first_packets_only"
-					nft_filter_apply_ipset_target6 f6
-					nft_fw_nfqws_post6 "$f6 $desync" $qns6
-					nft_fw_reverse_nfqws_rule6 "$f6" $qns6
-				fi
-			fi
-
-			get_nfqws_qnums_quic qn qn6
-			if [ -n "$qn" ]; then
-				f4=
-				nft_filter_apply_port_target_quic f4
-				f4="$f4 $first_packets_only"
-				nft_filter_apply_ipset_target4 f4
-				nft_fw_nfqws_post4 "$f4 $desync" $qn
-			fi
-			if [ -n "$qn6" ]; then
-				f6=
-				nft_filter_apply_port_target_quic f6
-				f6="$f6 $first_packets_only"
-				nft_filter_apply_ipset_target6 f6
-				nft_fw_nfqws_post6 "$f6 $desync" $qn6
-			fi
-
-			POSTNAT=$POSTNAT_SAVE
-			;;
-		custom)
-			custom_runner zapret_custom_firewall_nft
-			;;
-	esac
+	zapret_apply_firewall_standard_rules_nft
+	custom_runner zapret_custom_firewall_nft
 }

 zapret_apply_firewall_nft()
 {
 	echo Applying nftables

-	local mode="${MODE_OVERRIDE:-$MODE}"
-
-	[ "$mode" = "tpws-socks" ] && return 0
-
 	create_ipset no-update
 	nft_create_firewall
 	nft_fill_ifsets_overload
@@ -744,7 +686,7 @@ zapret_unapply_firewall_nft()

 	unprepare_route_localnet
 	nft_del_firewall
-	[ "$MODE" = custom ] &&	custom_runner zapret_custom_firewall_nft_flush
+	custom_runner zapret_custom_firewall_nft_flush
 	return 0
 }
 zapret_do_firewall_nft()
--- a/common/pf.sh
+++ b/common/pf.sh
@@ -1,5 +1,5 @@
 PF_MAIN="/etc/pf.conf"
-PF_ANCHOR_DIR=/etc/pf.anchors
+PF_ANCHOR_DIR="/etc/pf.anchors"
 PF_ANCHOR_ZAPRET="$PF_ANCHOR_DIR/zapret"
 PF_ANCHOR_ZAPRET_V4="$PF_ANCHOR_DIR/zapret-v4"
 PF_ANCHOR_ZAPRET_V6="$PF_ANCHOR_DIR/zapret-v6"
@@ -112,30 +112,13 @@ pf_nat_reorder_rules()
        # use only first word as a key and preserve order within a single key
 	sort -srfk 1,1
 }
-pf_anchor_port_target()
-{
-	if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
-		echo "{$HTTP_PORTS_IPT,$HTTPS_PORTS_IPT}"
-	elif [ "$MODE_HTTPS" = "1" ]; then
-		echo "{$HTTPS_PORTS_IPT}"
-	elif [ "$MODE_HTTP" = "1" ]; then
-		echo "{$HTTP_PORTS_IPT}"
-	fi
-}

 pf_anchor_zapret_v4_tpws()
 {
 	# $1 - tpws listen port
-	# $2 - rdr ports. defaults are used if empty
-
-	local rule port
-
-	if [ -n "$2" ]; then
-		port="{$2}"
-	else
-		port=$(pf_anchor_port_target)
-	fi
+	# $2 - rdr ports

+	local rule port="{$2}"
 	for lan in $IFACE_LAN; do
 		for t in $tbl; do
 			 echo "rdr on $lan inet proto tcp from any to $t port $port -> 127.0.0.1 port $1"
@@ -158,31 +141,19 @@ pf_anchor_zapret_v4()
 {
 	local tbl port
 	[ "$DISABLE_IPV4" = "1" ] || {
-		case "${MODE_OVERRIDE:-$MODE}" in
-			tpws)
-				[ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return
-				pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST"
-				pf_anchor_zapret_v4_tpws $TPPORT
-				;;
-			custom)
-				pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST"
-				custom_runner zapret_custom_firewall_v4 | pf_nat_reorder_rules
-				;;
-		esac
+		{
+			pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST"
+			custom_runner zapret_custom_firewall_v4
+			[ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] && pf_anchor_zapret_v4_tpws $TPPORT "$TPWS_PORTS_IPT"
+		} | pf_nat_reorder_rules
 	}
 }
 pf_anchor_zapret_v6_tpws()
 {
 	# $1 - tpws listen port
-	# $2 - rdr ports. defaults are used if empty
+	# $2 - rdr ports

-	local rule LL_LAN port
-
-	if [ -n "$2" ]; then
-		port="{$2}"
-	else
-		port=$(pf_anchor_port_target)
-	fi
+	local rule LL_LAN port="{$2}"

 	# LAN link local is only for router
 	for lan in $IFACE_LAN; do
@@ -208,19 +179,12 @@ pf_anchor_zapret_v6_tpws()
 pf_anchor_zapret_v6()
 {
 	local tbl port
-
 	[ "$DISABLE_IPV6" = "1" ] || {
-		case "${MODE_OVERRIDE:-$MODE}" in
-			tpws)
-				[ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return
-				pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6"
-				pf_anchor_zapret_v6_tpws $TPPORT
-				;;
-			custom)
-				pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6"
-				custom_runner zapret_custom_firewall_v6 | pf_nat_reorder_rules
-				;;
-		esac
+		{
+			pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST"
+			custom_runner zapret_custom_firewall_v6
+			[ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS_IPT" ] && pf_anchor_zapret_v6_tpws $TPPORT "$TPWS_PORTS_IPT"
+		} | pf_nat_reorder_rules
 	}
 }