shellcheck linting and formatting shell scripts

2025-04-30 10:53:02 +03:00 · 2024-09-17 16:18:29 +03:00 · 2024-09-17 16:18:29 +03:00 · a13e4e064f
commit a13e4e064f
parent c1db09b19e
58 changed files with 2759 additions and 3296 deletions
--- a/blockcheck.sh
+++ b/blockcheck.sh
--- a/common/base.sh
+++ b/common/base.sh
@ -1,5 +1,4 @@
-which()
+which() {
 {
 	# on some systems 'which' command is considered deprecated and not installed by default
 	# 'command -v' replacement does not work exactly the same way. it outputs shell aliases if present
 	# $1 - executable name
@ -12,31 +11,26 @@ which()
 	done
 	return 1
 }
-exists()
+exists() {
 {
 	which "$1" >/dev/null 2>/dev/null
 }
-existf()
+existf() {
 {
 	type "$1" >/dev/null 2>/dev/null
 }
-whichq()
+whichq() {
-{
+	which "$1" 2>/dev/null
 	which $1 2>/dev/null
 }
-exist_all()
+exist_all() {
 {
 	while [ -n "$1" ]; do
 		exists "$1" || return 1
 		shift
 	done
 	return 0
 }
-on_off_function()
+on_off_function() {
-{
+	# $1: function name on
-	# $1 : function name on
+	# $2: function name off
-	# $2 : function name off
+	# $3: 0 - off, 1 - on
 	# $3 : 0 - off, 1 - on
 	local F="$1"
 	[ "$3" = "1" ] || F="$2"
 	shift
@ -44,15 +38,13 @@ on_off_function()
 	shift
 	"$F" "$@"
 }
-contains()
+contains() {
 {
 	# check if substring $2 contains in $1
 	[ "${1#*$2}" != "$1" ]
 }
-starts_with()
+starts_with() {
-{
+	# $1: what
-	# $1 : what
+	# $2: starts with
 	# $2 : starts with
 	case "$1" in
 	"$2"*)
 		return 0
@ -60,8 +52,7 @@ starts_with()
 	esac
 	return 1
 }
-find_str_in_list()
+find_str_in_list() {
 {
 	[ -n "$1" ] && {
 		for v in $2; do
 			[ "$v" = "$1" ] && return 0
@ -69,14 +60,12 @@ find_str_in_list()
 	}
 	return 1
 }
-end_with_newline()
+end_with_newline() {
 {
 	local c="$(tail -c 1)"
 	[ "$c" = "" ]
 }
-append_separator_list()
+append_separator_list() {
 {
 	# $1 - var name to receive result
 	# $2 - separator
 	# $3 - quoter
@ -84,113 +73,102 @@ append_separator_list()
 	local _var="$1" sep="$2" quo="$3" i
 	eval i="\$$_var"
-	shift; shift; shift
+	shift
 	shift
 	shift
 	while [ -n "$1" ]; do
-		if [ -n "$i" ] ; then
+		if [ -n "$i" ]; then
 			i="$i$sep$quo$1$quo"
 		else
 			i="$quo$1$quo"
 		fi
 		shift
 	done
-	eval $_var="\$i"
+	eval "$_var"="\$i"
 }
-make_separator_list()
+make_separator_list() {
-{
+	eval "$1"=''
 	eval $1=''
 	append_separator_list "$@"
 }
-make_comma_list()
+make_comma_list() {
 {
 	# $1 - var name to receive result
 	# $2,$3,... - elements
 	local var="$1"
 	shift
-	make_separator_list $var , '' "$@"
+	make_separator_list "$var" , '' "$@"
 }
-make_quoted_comma_list()
+make_quoted_comma_list() {
 {
 	# $1 - var name to receive result
 	# $2,$3,... - elements
 	local var="$1"
 	shift
-	make_separator_list $var , '"' "$@"
+	make_separator_list "$var" , '"' "$@"
 }
-unique()
+unique() {
 {
 	local i
-	for i in "$@"; do echo $i; done | sort -u | xargs
+	for i in "$@"; do echo "$i"; done | sort -u | xargs
 }
-is_linked_to_busybox()
+is_linked_to_busybox() {
 {
 	local IFS F P
 	IFS=:
 	for path in $PATH; do
 		F=$path/$1
-		P="$(readlink $F)"
+		P="$(readlink "$F")"
-		if [ -z "$P" ] && [ -x $F ] && [ ! -L $F ]; then return 1; fi
+		if [ -z "$P" ] && [ -x "$F" ] && [ ! -L "$F" ]; then return 1; fi
 		[ "${P%busybox*}" != "$P" ] && return
 	done
 }
-get_dir_inode()
+get_dir_inode() {
 {
 	local dir="$1"
 	[ -L "$dir" ] && dir=$(readlink "$dir")
 	ls -id "$dir" | awk '{print $1}'
 }
-linux_min_version()
+linux_min_version() {
 {
 	# $1 - major ver
 	# $2 - minor ver
 	local V1=$(sed -nre 's/^Linux version ([0-9]+)\.[0-9]+.*$/\1/p' /proc/version)
 	local V2=$(sed -nre 's/^Linux version [0-9]+\.([0-9]+).*$/\1/p' /proc/version)
 	[ -n "$V1" -a -n "$V2" ] && [ "$V1" -gt "$1" -o "$V1" -eq "$1" -a "$V2" -ge "$2" ]
 }
-linux_get_subsys()
+linux_get_subsys() {
 {
 	local INIT="$(sed 's/\x0/\n/g' /proc/1/cmdline | head -n 1)"
 	[ -L "$INIT" ] && INIT=$(readlink "$INIT")
 	INIT="$(basename "$INIT")"
-	if [ -f "/etc/openwrt_release" ] && [ "$INIT" = "procd" ] ; then
+	if [ -f "/etc/openwrt_release" ] && [ "$INIT" = "procd" ]; then
 		SUBSYS=openwrt
-	elif [ -x "/bin/ndm" ] ; then
+	elif [ -x "/bin/ndm" ]; then
 		SUBSYS=keenetic
 	else
 		# generic linux
 		SUBSYS=
 	fi
 }
-openwrt_fw3()
+openwrt_fw3() {
 {
 	[ ! -x /sbin/fw4 -a -x /sbin/fw3 ]
 }
-openwrt_fw4()
+openwrt_fw4() {
 {
 	[ -x /sbin/fw4 ]
 }
-openwrt_fw3_integration()
+openwrt_fw3_integration() {
 {
 	[ "$FWTYPE" = iptables ] && openwrt_fw3
 }
-create_dev_stdin()
+create_dev_stdin() {
 {
 	[ -e /dev/stdin ] || ln -s /proc/self/fd/0 /dev/stdin
 }
-call_for_multiple_items()
+call_for_multiple_items() {
 {
 	# $1 - function to get an item
 	# $2 - variable name to put result into
 	# $3 - space separated parameters to function $1
 	local i item items
 	for i in $3; do
-		$1 item $i
+		$1 item "$i"
 		[ -n "$item" ] && {
 			if [ -n "$items" ]; then
 				items="$items $item"
@ -199,25 +177,22 @@ call_for_multiple_items()
 			fi
 		}
 	done
-	eval $2=\"$items\"
+	eval "$2"=\""$items"\"
 }
-fix_sbin_path()
+fix_sbin_path() {
 {
 	local IFS=':'
-	printf "%s\n" $PATH | grep -Fxq '/usr/sbin' || PATH="/usr/sbin:$PATH"
+	printf "%s\n" "$PATH" | grep -Fxq '/usr/sbin' || PATH="/usr/sbin:$PATH"
-	printf "%s\n" $PATH | grep -Fxq '/sbin' || PATH="/sbin:$PATH"
+	printf "%s\n" "$PATH" | grep -Fxq '/sbin' || PATH="/sbin:$PATH"
 	export PATH
 }
 # it can calculate floating point expr
-calc()
+calc() {
-{
+	awk "BEGIN { print $*}"
 	awk "BEGIN { print $*}";
 }
-fsleep_setup()
+fsleep_setup() {
 {
 	[ -n "$FSLEEP" ] || {
 		if sleep 0.001 2>/dev/null; then
 			FSLEEP=1
@ -227,11 +202,11 @@ fsleep_setup()
 			local errtext="$(read -t 0.001 2>&1)"
 			if [ -z "$errtext" ]; then
 				FSLEEP=3
-		# newer openwrt has ucode with system function that supports timeout in ms
+			# newer OpenWrt has ucode with system function that supports timeout in ms
 			elif ucode -e "system(['sleep','1'], 1)" 2>/dev/null; then
 				FSLEEP=4
-		# older openwrt may have lua and nixio lua module
+			# older OpenWrt may have lua and nixio lua module
-		elif lua -e 'require "nixio".nanosleep(0,1)' 2>/dev/null ; then
+			elif lua -e 'require "nixio".nanosleep(0,1)' 2>/dev/null; then
 				FSLEEP=5
 			else
 				FSLEEP=0
@ -239,51 +214,48 @@ fsleep_setup()
 		fi
 	}
 }
-msleep()
+msleep() {
 {
 	# $1 - milliseconds
 	case "$FSLEEP" in
 	1)
-		sleep $(calc $1/1000)
+		sleep $(calc "$1"/1000)
 		;;
 	2)
-		busybox usleep $(calc $1*1000)
+		busybox usleep $(calc "$1"*1000)
 		;;
 	3)
-		read -t $(calc $1/1000)
+		read -t $(calc "$1"/1000)
 		;;
 	4)
 		ucode -e "system(['sleep','2147483647'], $1)"
 		;;
 	5)
-		lua -e "require 'nixio'.nanosleep($(($1/1000)),$(calc $1%1000*1000000))"
+		lua -e "require 'nixio'.nanosleep($(($1 / 1000)),$(calc "$1"%1000*1000000))"
 		;;
 	*)
-		sleep $((($1+999)/1000))
+		sleep $((($1 + 999) / 1000))
 		;;
 	esac
 }
-minsleep()
+minsleep() {
 {
 	msleep 100
 }
-replace_char()
+replace_char() {
 {
 	local a=$1
 	local b=$2
-	shift; shift
+	shift
-	echo "$@" | tr $a $b
+	shift
 	echo "$@" | tr "$a" "$b"
 }
-setup_md5()
+setup_md5() {
 {
 	[ -n "$MD5" ] && return
 	MD5=md5sum
 	exists $MD5 || MD5=md5
 }
-random()
+random() {
 {
 	# $1 - min, $2 - max
 	local r rs
 	setup_md5
@ -293,12 +265,11 @@ random()
 		rs="$RANDOM$RANDOM$(date)"
 	fi
 	# shells use signed int64
-	r=1$(echo $rs | $MD5 | sed 's/[^0-9]//g' | cut -c 1-17)
+	r=1$(echo "$rs" | $MD5 | sed 's/[^0-9]//g' | cut -c 1-17)
-	echo $(( ($r % ($2-$1+1)) + $1 ))
+	echo $((($r % ($2 - $1 + 1)) + $1))
 }
-shell_name()
+shell_name() {
 {
 	[ -n "$SHELL_NAME" ] || {
 		[ -n "$UNAME" ] || UNAME="$(uname)"
@ -313,12 +284,11 @@ shell_name()
 	}
 }
-std_ports()
+std_ports() {
 {
 	HTTP_PORTS=${HTTP_PORTS:-80}
 	HTTPS_PORTS=${HTTPS_PORTS:-443}
 	QUIC_PORTS=${QUIC_PORTS:-443}
-        HTTP_PORTS_IPT=$(replace_char - : $HTTP_PORTS)
+	HTTP_PORTS_IPT=$(replace_char - : "$HTTP_PORTS")
-        HTTPS_PORTS_IPT=$(replace_char - : $HTTPS_PORTS)
+	HTTPS_PORTS_IPT=$(replace_char - : "$HTTPS_PORTS")
-        QUIC_PORTS_IPT=$(replace_char - : $QUIC_PORTS)
+	QUIC_PORTS_IPT=$(replace_char - : "$QUIC_PORTS")
 }
--- a/common/dialog.sh
+++ b/common/dialog.sh
@ -1,36 +1,32 @@
-read_yes_no()
+read_yes_no() {
 {
 	# $1 - default (Y/N)
 	local A
 	read A
 	[ -z "$A" ] || ([ "$A" != "Y" ] && [ "$A" != "y" ] && [ "$A" != "N" ] && [ "$A" != "n" ]) && A=$1
 	[ "$A" = "Y" ] || [ "$A" = "y" ] || [ "$A" = "1" ]
 }
-ask_yes_no()
+ask_yes_no() {
 {
 	# $1 - default (Y/N or 0/1)
 	# $2 - text
 	local DEFAULT=$1
 	[ "$1" = "1" ] && DEFAULT=Y
 	[ "$1" = "0" ] && DEFAULT=N
 	[ -z "$DEFAULT" ] && DEFAULT=N
-	printf "$2 (default : $DEFAULT) (Y/N) ? "
+	printf "$2 (default: $DEFAULT) (Y/N)?"
-	read_yes_no $DEFAULT
+	read_yes_no "$DEFAULT"
 }
-ask_yes_no_var()
+ask_yes_no_var() {
-{
+	# $1 - variable name for answer: 0/1
 	# $1 - variable name for answer : 0/1
 	# $2 - text
 	local DEFAULT
 	eval DEFAULT="\$$1"
 	if ask_yes_no "$DEFAULT" "$2"; then
-		eval $1=1
+		eval "$1"=1
 	else
-		eval $1=0
+		eval "$1"=0
 	fi
 }
-ask_list()
+ask_list() {
 {
 	# $1 - mode var
 	# $2 - space separated value list
 	# $3 - (optional) default value
@ -40,19 +36,19 @@ ask_list()
 	local M=""
 	local m
-	[ -n "$3" ] && { find_str_in_list "$M_DEFAULT" "$2" || M_DEFAULT="$3" ;}
+	[ -n "$3" ] && { find_str_in_list "$M_DEFAULT" "$2" || M_DEFAULT="$3"; }
 	n=1
 	for m in $2; do
-		echo $n : $m
+		echo $n: "$m"
-		n=$(($n+1))
+		n=$(($n + 1))
 	done
 	printf "your choice (default : $M_DEFAULT) : "
 	read m
-	[ -n "$m" ] && M=$(echo $2 | cut -d ' ' -f$m 2>/dev/null)
+	[ -n "$m" ] && M=$(echo "$2" | cut -d ' ' -f"$m" 2>/dev/null)
 	[ -z "$M" ] && M="$M_DEFAULT"
-	echo selected : $M
+	echo selected: "$M"
-	eval $1="\"$M\""
+	eval "$1"="\"$M\""
 	[ "$M" != "$M_OLD" ]
 }
--- a/common/elevate.sh
+++ b/common/elevate.sh
@ -1,5 +1,4 @@
-require_root()
+require_root() {
 {
 	local exe
 	echo \* checking privileges
 	[ $(id -u) -ne "0" ] && {
--- a/common/fwtype.sh
+++ b/common/fwtype.sh
@ -1,25 +1,21 @@
-linux_ipt_avail()
+linux_ipt_avail() {
 {
 	exists iptables && exists ip6tables
 }
-linux_maybe_iptables_fwtype()
+linux_maybe_iptables_fwtype() {
 {
 	linux_ipt_avail && FWTYPE=iptables
 }
-linux_nft_avail()
+linux_nft_avail() {
 {
 	exists nft
 }
-linux_fwtype()
+linux_fwtype() {
 {
 	[ -n "$FWTYPE" ] && return
 	FWTYPE=unsupported
 	linux_get_subsys
-	if [ "$SUBSYS" = openwrt ] ; then
+	if [ "$SUBSYS" = openwrt ]; then
-		# linux kernel is new enough if fw4 is there
+		# Linux kernel is new enough if fw4 is there
-		if [ -x /sbin/fw4 ] && linux_nft_avail ; then
+		if [ -x /sbin/fw4 ] && linux_nft_avail; then
 			FWTYPE=nftables
 		else
 			linux_maybe_iptables_fwtype
@ -38,8 +34,7 @@ linux_fwtype()
 	export FWTYPE
 }
-get_fwtype()
+get_fwtype() {
 {
 	[ -n "$FWTYPE" ] && return
 	local UNAME="$(uname)"
@ -49,7 +44,7 @@ get_fwtype()
 		linux_fwtype
 		;;
 	FreeBSD)
-			if exists ipfw ; then
+		if exists ipfw; then
 			FWTYPE=ipfw
 		else
 			FWTYPE=unsupported
--- a/common/installer.sh
+++ b/common/installer.sh
@ -6,36 +6,31 @@ SYSTEMD_DIR=/lib/systemd
 INIT_SCRIPT=/etc/init.d/zapret
-
+exitp() {
 exitp()
 {
 	echo
 	echo press enter to continue
 	read A
-	exit $1
+	exit "$1"
 }
-parse_var_checked()
+parse_var_checked() {
 {
 	# $1 - file name
 	# $2 - var name
 	local sed="sed -nre s/^[[:space:]]*$2=[\\\"|\']?([^\\\"|\']*)[\\\"|\']?/\1/p"
 	local v="$($sed <"$1" | tail -n 1)"
-	eval $2=\"$v\"
+	eval "$2"=\""$v"\"
 }
-parse_vars_checked()
+parse_vars_checked() {
 {
 	# $1 - file name
 	# $2,$3,... - var names
 	local f="$1"
 	shift
 	while [ -n "$1" ]; do
-		parse_var_checked "$f" $1
+		parse_var_checked "$f" "$1"
 		shift
 	done
 }
-edit_file()
+edit_file() {
 {
 	# $1 - file name
 	local ed="$EDITOR"
 	[ -n "$ed" ] || {
@ -48,8 +43,7 @@ edit_file()
 	}
 	[ -n "$ed" ] && "$ed" "$1"
 }
-edit_vars()
+edit_vars() {
 {
 	# $1,$2,... - var names
 	local n=1 var v tmp="/tmp/zvars"
 	rm -f "$tmp"
@ -57,21 +51,19 @@ edit_vars()
 		eval var="\$$n"
 		[ -n "$var" ] || break
 		eval v="\$$var"
-		echo $var=\"$v\" >>"$tmp"
+		echo "$var"=\""$v"\" >>"$tmp"
-		n=$(($n+1))
+		n=$(($n + 1))
 	done
 	edit_file "$tmp" && parse_vars_checked "$tmp" "$@"
 	rm -f "$tmp"
 }
-openrc_test()
+openrc_test() {
 {
 	exists rc-update || return 1
 	# some systems do not usse openrc-init but launch openrc from inittab
 	[ "$INIT" = "openrc-init" ] || grep -qE "sysinit.*openrc" /etc/inittab 2>/dev/null
 }
-check_system()
+check_system() {
 {
 	# $1 - nonempty = do not fail on unknown rc system
 	echo \* checking system
@ -93,10 +85,10 @@ check_system()
 		# some distros include systemctl without systemd
 		if [ -d "$SYSTEMD_DIR" ] && [ -x "$SYSTEMCTL" ] && [ "$INIT" = "systemd" ]; then
 			SYSTEM=systemd
-		elif [ -f "/etc/openwrt_release" ] && exists opkg && exists uci && [ "$INIT" = "procd" ] ; then
+		elif [ -f "/etc/openwrt_release" ] && exists opkg && exists uci && [ "$INIT" = "procd" ]; then
 			{
 				SYSTEM=openwrt
-			if openwrt_fw3 ; then
+				if openwrt_fw3; then
 					OPENWRT_FW3=1
 					info="openwrt firewall uses fw3"
 					if is_ipt_flow_offload_avail; then
@ -128,25 +120,21 @@ check_system()
 		exitp 5
 	fi
 	echo system is based on $SYSTEM
-	[ -n "$info" ] && echo $info
+	[ -n "$info" ] && echo "$info"
 }
-get_free_space_mb()
+get_free_space_mb() {
-{
+	df -m "$PWD" | awk '/[0-9]%/{print $(NF-2)}'
    df -m $PWD | awk '/[0-9]%/{print $(NF-2)}'
 }
-get_ram_kb()
+get_ram_kb() {
 {
 	grep MemTotal /proc/meminfo | awk '{print $2}'
 }
-get_ram_mb()
+get_ram_mb() {
 {
 	local R=$(get_ram_kb)
-    echo $(($R/1024))
+	echo $(($R / 1024))
 }
-crontab_del()
+crontab_del() {
 {
 	exists crontab || return
 	echo \* removing crontab entry
@ -162,8 +150,7 @@ crontab_del()
 	fi
 	rm -f $CRONTMP
 }
-crontab_del_quiet()
+crontab_del_quiet() {
 {
 	exists crontab || return
 	CRONTMP=/tmp/cron.tmp
@ -175,8 +162,7 @@ crontab_del_quiet()
 	fi
 	rm -f $CRONTMP
 }
-crontab_add()
+crontab_add() {
 {
 	# $1 - hour min
 	# $2 - hour max
 	[ -x "$GET_LIST" ] && {
@ -190,7 +176,7 @@ crontab_add()
 				grep "$GET_LIST_PREFIX" $CRONTMP
 			else
 				end_with_newline <"$CRONTMP" || echo >>"$CRONTMP"
-				echo "$(random 0 59) $(random $1 $2) */2 * * $GET_LIST" >>$CRONTMP
+				echo "$(random 0 59) $(random "$1" "$2") */2 * * $GET_LIST" >>$CRONTMP
 				crontab $CRONTMP
 			fi
 			rm -f $CRONTMP
@ -199,18 +185,15 @@ crontab_add()
 		fi
 	}
 }
-cron_ensure_running()
+cron_ensure_running() {
-{
+	# if no crontabs present in /etc/cron OpenWrt init script does not launch crond. this is default
 	# if no crontabs present in /etc/cron openwrt init script does not launch crond. this is default
 	[ "$SYSTEM" = "openwrt" ] && {
 		/etc/init.d/cron enable
 		/etc/init.d/cron start
 	}
 }
-
+service_start_systemd() {
 service_start_systemd()
 {
 	echo \* starting zapret service
 	"$SYSTEMCTL" start zapret || {
@ -218,23 +201,20 @@ service_start_systemd()
 		exitp 30
 	}
 }
-service_stop_systemd()
+service_stop_systemd() {
 {
 	echo \* stopping zapret service
 	"$SYSTEMCTL" daemon-reload
 	"$SYSTEMCTL" disable zapret
 	"$SYSTEMCTL" stop zapret
 }
-service_remove_systemd()
+service_remove_systemd() {
 {
 	echo \* removing zapret service
 	rm -f "$SYSTEMD_SYSTEM_DIR/zapret.service"
 	"$SYSTEMCTL" daemon-reload
 }
-timer_remove_systemd()
+timer_remove_systemd() {
 {
 	echo \* removing zapret-list-update timer
 	"$SYSTEMCTL" daemon-reload
@ -244,8 +224,7 @@ timer_remove_systemd()
 	"$SYSTEMCTL" daemon-reload
 }
-install_sysv_init()
+install_sysv_init() {
 {
 	# $1 - "0"=disable
 	echo \* installing init script
@ -256,8 +235,7 @@ install_sysv_init()
 	ln -fs "$INIT_SCRIPT_SRC" "$INIT_SCRIPT"
 	[ "$1" != "0" ] && "$INIT_SCRIPT" enable
 }
-install_openrc_init()
+install_openrc_init() {
 {
 	# $1 - "0"=disable
 	echo \* installing init script
@ -268,8 +246,7 @@ install_openrc_init()
 	ln -fs "$INIT_SCRIPT_SRC" "$INIT_SCRIPT"
 	[ "$1" != "0" ] && rc-update add zapret
 }
-service_remove_openrc()
+service_remove_openrc() {
 {
 	echo \* removing zapret service
 	[ -x "$INIT_SCRIPT" ] && {
@ -278,8 +255,7 @@ service_remove_openrc()
 	}
 	rm -f "$INIT_SCRIPT"
 }
-service_start_sysv()
+service_start_sysv() {
 {
 	[ -x "$INIT_SCRIPT" ] && {
 		echo \* starting zapret service
 		"$INIT_SCRIPT" start || {
@ -288,15 +264,13 @@ service_start_sysv()
 		}
 	}
 }
-service_stop_sysv()
+service_stop_sysv() {
 {
 	[ -x "$INIT_SCRIPT" ] && {
 		echo \* stopping zapret service
 		"$INIT_SCRIPT" stop
 	}
 }
-service_remove_sysv()
+service_remove_sysv() {
 {
 	echo \* removing zapret service
 	[ -x "$INIT_SCRIPT" ] && {
@ -306,104 +280,91 @@ service_remove_sysv()
 	rm -f "$INIT_SCRIPT"
 }
-check_kmod()
+check_kmod() {
 {
 	[ -f "/lib/modules/$(uname -r)/$1.ko" ]
 }
-check_package_exists_openwrt()
+check_package_exists_openwrt() {
-{
+	[ -n "$(opkg list "$1")" ]
 	[ -n "$(opkg list $1)" ]
 }
-check_package_openwrt()
+check_package_openwrt() {
-{
+	[ -n "$(opkg list-installed "$1")" ] && return 0
-	[ -n "$(opkg list-installed $1)" ] && return 0
+	local what="$(opkg whatprovides "$1" | tail -n +2 | head -n 1)"
 	local what="$(opkg whatprovides $1 | tail -n +2 | head -n 1)"
 	[ -n "$what" ] || return 1
-	[ -n "$(opkg list-installed $what)" ]
+	[ -n "$(opkg list-installed "$what")" ]
 }
-check_packages_openwrt()
+check_packages_openwrt() {
 {
 	for pkg in $@; do
-		check_package_openwrt $pkg || return
+		check_package_openwrt "$pkg" || return
 	done
 }
-install_openwrt_iface_hook()
+install_openwrt_iface_hook() {
 {
 	echo \* installing ifup hook
 	ln -fs "$OPENWRT_IFACE_HOOK" /etc/hotplug.d/iface
 }
-remove_openwrt_iface_hook()
+remove_openwrt_iface_hook() {
 {
 	echo \* removing ifup hook
 	rm -f /etc/hotplug.d/iface/??-zapret
 }
-openwrt_fw_section_find()
+openwrt_fw_section_find() {
 {
 	# $1 - fw include postfix
 	# echoes section number
 	i=0
-	while true
+	while true; do
 	do
 		path=$(uci -q get firewall.@include[$i].path)
 		[ -n "$path" ] || break
 		[ "$path" = "$OPENWRT_FW_INCLUDE$1" ] && {
 			echo $i
 			return 0
 		}
-		i=$(($i+1))
+		i=$(($i + 1))
 	done
 	return 1
 }
-openwrt_fw_section_del()
+openwrt_fw_section_del() {
 {
 	# $1 - fw include postfix
-	local id="$(openwrt_fw_section_find $1)"
+	local id="$(openwrt_fw_section_find "$1")"
 	[ -n "$id" ] && {
-		uci delete firewall.@include[$id] && uci commit firewall
+		uci delete firewall.@include["$id"] && uci commit firewall
 		rm -f "$OPENWRT_FW_INCLUDE$1"
 	}
 }
-openwrt_fw_section_add()
+openwrt_fw_section_add() {
 {
 	openwrt_fw_section_find ||
 		{
 			uci add firewall include >/dev/null || return
 			echo -1
 		}
 }
-openwrt_fw_section_configure()
+openwrt_fw_section_configure() {
-{
+	local id="$(openwrt_fw_section_add "$1")"
 	local id="$(openwrt_fw_section_add $1)"
 	[ -z "$id" ] ||
-	 ! uci set firewall.@include[$id].path="$OPENWRT_FW_INCLUDE" ||
+		! uci set firewall.@include["$id"].path="$OPENWRT_FW_INCLUDE" ||
-	 ! uci set firewall.@include[$id].reload="1" ||
+		! uci set firewall.@include["$id"].reload="1" ||
 		! uci commit firewall &&
 		{
 			echo could not add firewall include
 			exitp 50
 		}
 }
-install_openwrt_firewall()
+install_openwrt_firewall() {
-{
+	echo \* installing firewall script "$1"
 	echo \* installing firewall script $1
 	[ -n "MODE" ] || {
-		echo should specify MODE in $ZAPRET_CONFIG
+		echo should specify MODE in "$ZAPRET_CONFIG"
 		exitp 7
 	}
-	echo "linking : $FW_SCRIPT_SRC => $OPENWRT_FW_INCLUDE"
+	echo "linking: $FW_SCRIPT_SRC => $OPENWRT_FW_INCLUDE"
 	ln -fs "$FW_SCRIPT_SRC" "$OPENWRT_FW_INCLUDE"
-	openwrt_fw_section_configure $1
+	openwrt_fw_section_configure "$1"
 }
-restart_openwrt_firewall()
+restart_openwrt_firewall() {
 {
 	echo \* restarting firewall
 	local FW=fw4
@ -413,8 +374,7 @@ restart_openwrt_firewall()
 		exitp 30
 	}
 }
-remove_openwrt_firewall()
+remove_openwrt_firewall() {
 {
 	echo \* removing firewall script
 	openwrt_fw_section_del
@ -422,43 +382,36 @@ remove_openwrt_firewall()
 	openwrt_fw_section_del 6
 }
-clear_ipset()
+clear_ipset() {
 {
 	echo "* clearing ipset(s)"
 	# free some RAM
 	"$IPSET_DIR/create_ipset.sh" clear
 }
-
+service_install_macos() {
 service_install_macos()
 {
 	echo \* installing zapret service
 	ln -fs "$ZAPRET_BASE/init.d/macos/zapret.plist" /Library/LaunchDaemons
 }
-service_start_macos()
+service_start_macos() {
 {
 	echo \* starting zapret service
 	"$INIT_SCRIPT_SRC" start
 }
-service_stop_macos()
+service_stop_macos() {
 {
 	echo \* stopping zapret service
 	"$INIT_SCRIPT_SRC" stop
 }
-service_remove_macos()
+service_remove_macos() {
 {
 	echo \* removing zapret service
 	rm -f /Library/LaunchDaemons/zapret.plist
 	zapret_stop_daemons
 }
-remove_macos_firewall()
+remove_macos_firewall() {
 {
 	echo \* removing zapret PF hooks
 	pf_anchors_clear
@ -467,9 +420,8 @@ remove_macos_firewall()
 	pf_anchor_root_reload
 }
-sedi()
+sedi() {
-{
+	# macOS doesnt support -i without parameter. busybox doesnt support -i with parameter.
 	# MacOS doesnt support -i without parameter. busybox doesnt support -i with parameter.
 	# its not possible to put "sed -i ''" to a variable and then use it
 	if [ "$SYSTEM" = "macos" ]; then
 		sed -i '' "$@"
@ -478,8 +430,7 @@ sedi()
 	fi
 }
-write_config_var()
+write_config_var() {
 {
 	# $1 - mode var
 	local M
 	eval M="\$$1"
@ -487,7 +438,7 @@ write_config_var()
 	if grep -q "^$1=\|^#$1=" "$ZAPRET_CONFIG"; then
 		# replace / => \/
 		#M=${M//\//\\\/}
-		M=$(echo $M | sed 's/\//\\\//g')
+		M=$(echo "$M" | sed 's/\//\\\//g')
 		if [ -n "$M" ]; then
 			if contains "$M" " "; then
 				sedi -Ee "s/^#?$1=.*$/$1=\"$M\"/" "$ZAPRET_CONFIG"
@ -508,8 +459,7 @@ write_config_var()
 	fi
 }
-check_prerequisites_linux()
+check_prerequisites_linux() {
 {
 	echo \* checking prerequisites
 	local s cmd PKGS UTILS req="curl curl"
@ -522,23 +472,23 @@ check_prerequisites_linux()
 		;;
 	esac
-	PKGS=$(for s in $req; do echo $s; done |
+	PKGS=$(for s in $req; do echo "$s"; done |
 		while read cmd; do
 			read pkg
-			exists $cmd || echo $pkg
+			exists "$cmd" || echo "$pkg"
 		done | sort -u | xargs)
-	UTILS=$(for s in $req; do echo $s; done |
+	UTILS=$(for s in $req; do echo "$s"; done |
 		while read cmd; do
 			read pkg
-			echo $cmd
+			echo "$cmd"
 		done | sort -u | xargs)
-	if [ -z "$PKGS" ] ; then
+	if [ -z "$PKGS" ]; then
-		echo required utilities exist : $UTILS
+		echo required utilities exist: "$UTILS"
 	else
 		echo \* installing prerequisites
-		echo packages required : $PKGS
+		echo packages required: "$PKGS"
 		APTGET=$(whichq apt-get)
 		YUM=$(whichq yum)
@ -546,51 +496,50 @@ check_prerequisites_linux()
 		ZYPPER=$(whichq zypper)
 		EOPKG=$(whichq eopkg)
 		APK=$(whichq apk)
-		if [ -x "$APTGET" ] ; then
+		if [ -x "$APTGET" ]; then
 			"$APTGET" update
-			"$APTGET" install -y --no-install-recommends $PKGS dnsutils || {
+			"$APTGET" install -y --no-install-recommends "$PKGS" dnsutils || {
 				echo could not install prerequisites
 				exitp 6
 			}
-		elif [ -x "$YUM" ] ; then
+		elif [ -x "$YUM" ]; then
-			"$YUM" -y install $PKGS || {
+			"$YUM" -y install "$PKGS" || {
 				echo could not install prerequisites
 				exitp 6
 			}
-		elif [ -x "$PACMAN" ] ; then
+		elif [ -x "$PACMAN" ]; then
 			"$PACMAN" -Syy
-			"$PACMAN" --noconfirm -S $PKGS || {
+			"$PACMAN" --noconfirm -S "$PKGS" || {
 				echo could not install prerequisites
 				exitp 6
 			}
-		elif [ -x "$ZYPPER" ] ; then
+		elif [ -x "$ZYPPER" ]; then
-			"$ZYPPER" --non-interactive install $PKGS || {
+			"$ZYPPER" --non-interactive install "$PKGS" || {
 				echo could not install prerequisites
 				exitp 6
 			}
-		elif [ -x "$EOPKG" ] ; then
+		elif [ -x "$EOPKG" ]; then
-			"$EOPKG" -y install $PKGS || {
+			"$EOPKG" -y install "$PKGS" || {
 				echo could not install prerequisites
 				exitp 6
 			}
-		elif [ -x "$APK" ] ; then
+		elif [ -x "$APK" ]; then
 			"$APK" update
 			# for alpine
 			[ "$FWTYPE" = iptables ] && [ -n "$($APK list ip6tables)" ] && PKGS="$PKGS ip6tables"
-			"$APK" add $PKGS || {
+			"$APK" add "$PKGS" || {
 				echo could not install prerequisites
 				exitp 6
 			}
 		else
 			echo supported package manager not found
-			echo you must manually install : $UTILS
+			echo you must manually install: "$UTILS"
 			exitp 5
 		fi
 	fi
 }
-check_prerequisites_openwrt()
+check_prerequisites_openwrt() {
 {
 	echo \* checking prerequisites
 	local PKGS="curl" UPD=0
@ -605,14 +554,14 @@ check_prerequisites_openwrt()
 		;;
 	esac
-	if check_packages_openwrt $PKGS ; then
+	if check_packages_openwrt "$PKGS"; then
 		echo everything is present
 	else
 		echo \* installing prerequisites
 		opkg update
 		UPD=1
-		opkg install $PKGS || {
+		opkg install "$PKGS" || {
 			echo could not install prerequisites
 			exitp 6
 		}
@ -659,10 +608,7 @@ check_prerequisites_openwrt()
 	}
 }
-
+select_ipv6() {
 select_ipv6()
 {
 	local T=N
 	[ "$DISABLE_IPV6" != '1' ] && T=Y
@ -675,8 +621,7 @@ select_ipv6()
 	fi
 	[ "$old6" != "$DISABLE_IPV6" ] && write_config_var DISABLE_IPV6
 }
-select_fwtype()
+select_fwtype() {
 {
 	echo
 	[ $(get_ram_mb) -le 400 ] && {
 		echo WARNING ! you are running a low RAM system
--- a/common/ipt.sh
+++ b/common/ipt.sh
@ -1,55 +1,43 @@
 std_ports
 readonly ipt_connbytes="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes"
-ipt()
+ipt() {
 {
 	iptables -C "$@" >/dev/null 2>/dev/null || iptables -I "$@"
 }
-ipta()
+ipta() {
 {
 	iptables -C "$@" >/dev/null 2>/dev/null || iptables -A "$@"
 }
-ipt_del()
+ipt_del() {
 {
 	iptables -C "$@" >/dev/null 2>/dev/null && iptables -D "$@"
 }
-ipt_add_del()
+ipt_add_del() {
 {
 	on_off_function ipt ipt_del "$@"
 }
-ipta_add_del()
+ipta_add_del() {
 {
 	on_off_function ipta ipt_del "$@"
 }
-ipt6()
+ipt6() {
 {
 	ip6tables -C "$@" >/dev/null 2>/dev/null || ip6tables -I "$@"
 }
-ipt6a()
+ipt6a() {
 {
 	ip6tables -C "$@" >/dev/null 2>/dev/null || ip6tables -A "$@"
 }
-ipt6_del()
+ipt6_del() {
 {
 	ip6tables -C "$@" >/dev/null 2>/dev/null && ip6tables -D "$@"
 }
-ipt6_add_del()
+ipt6_add_del() {
 {
 	on_off_function ipt6 ipt6_del "$@"
 }
-ipt6a_add_del()
+ipt6a_add_del() {
 {
 	on_off_function ipt6 ipt6a_del "$@"
 }
-is_ipt_flow_offload_avail()
+is_ipt_flow_offload_avail() {
-{
+	# $1 = '' for IPv4, '6' for IPv6
-	# $1 = '' for ipv4, '6' for ipv6
+	grep -q FLOWOFFLOAD /proc/net/ip"$1"_tables_targets 2>/dev/null
 	grep -q FLOWOFFLOAD 2>/dev/null /proc/net/ip$1_tables_targets
 }
-filter_apply_port_target()
+filter_apply_port_target() {
 {
 	# $1 - var name of iptables filter
 	local f
 	if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
@ -61,62 +49,54 @@ filter_apply_port_target()
 	else
 		echo WARNING !!! HTTP and HTTPS are both disabled
 	fi
-	eval $1="\"\$$1 $f\""
+	eval "$1"="\"\$$1 $f\""
 }
-filter_apply_port_target_quic()
+filter_apply_port_target_quic() {
 {
 	# $1 - var name of nftables filter
 	local f
 	f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
-	eval $1="\"\$$1 $f\""
+	eval "$1"="\"\$$1 $f\""
 }
-filter_apply_ipset_target4()
+filter_apply_ipset_target4() {
 {
 	# $1 - var name of ipv4 iptables filter
 	if [ "$MODE_FILTER" = "ipset" ]; then
-		eval $1="\"\$$1 -m set --match-set zapret dst\""
+		eval "$1"="\"\$$1 -m set --match-set zapret dst\""
 	fi
 }
-filter_apply_ipset_target6()
+filter_apply_ipset_target6() {
 {
 	# $1 - var name of ipv6 iptables filter
 	if [ "$MODE_FILTER" = "ipset" ]; then
-		eval $1="\"\$$1 -m set --match-set zapret6 dst\""
+		eval "$1"="\"\$$1 -m set --match-set zapret6 dst\""
 	fi
 }
-filter_apply_ipset_target()
+filter_apply_ipset_target() {
 {
 	# $1 - var name of ipv4 iptables filter
 	# $2 - var name of ipv6 iptables filter
-	filter_apply_ipset_target4 $1
+	filter_apply_ipset_target4 "$1"
-	filter_apply_ipset_target6 $2
+	filter_apply_ipset_target6 "$2"
 }
-reverse_nfqws_rule_stream()
+reverse_nfqws_rule_stream() {
 {
 	sed -e 's/-o /-i /g' -e 's/--dport /--sport /g' -e 's/--dports /--sports /g' -e 's/ dst$/ src/' -e 's/ dst / src /g' -e 's/--connbytes-dir=original/--connbytes-dir=reply/g' -e "s/-m mark ! --mark $DESYNC_MARK\/$DESYNC_MARK//g"
 }
-reverse_nfqws_rule()
+reverse_nfqws_rule() {
 {
 	echo "$@" | reverse_nfqws_rule_stream
 }
-prepare_tpws_fw4()
+prepare_tpws_fw4() {
-{
+	# otherwise Linux kernel will treat 127.0.0.0/8 as "martian" ip and refuse routing to it
-	# otherwise linux kernel will treat 127.0.0.0/8 as "martian" ip and refuse routing to it
+	# NOTE: kernels <3.6 do not have this feature. consider upgrading or change DNAT to REDIRECT and do not bind to 127.0.0.0/8
 	# NOTE : kernels <3.6 do not have this feature. consider upgrading or change DNAT to REDIRECT and do not bind to 127.0.0.0/8
 	[ "$DISABLE_IPV4" = "1" ] || {
 		iptables -N input_rule_zapret 2>/dev/null
-		ipt input_rule_zapret -d $TPWS_LOCALHOST4 -j RETURN
+		ipt input_rule_zapret -d "$TPWS_LOCALHOST4" -j RETURN
 		ipta input_rule_zapret -d 127.0.0.0/8 -j DROP
 		ipt INPUT ! -i lo -j input_rule_zapret
 		prepare_route_localnet
 	}
 }
-unprepare_tpws_fw4()
+unprepare_tpws_fw4() {
 {
 	[ "$DISABLE_IPV4" = "1" ] || {
 		unprepare_route_localnet
@ -125,14 +105,11 @@ unprepare_tpws_fw4()
 		iptables -X input_rule_zapret 2>/dev/null
 	}
 }
-unprepare_tpws_fw()
+unprepare_tpws_fw() {
 {
 	unprepare_tpws_fw4
 }
-
+ipt_print_op() {
 ipt_print_op()
 {
 	if [ "$1" = "1" ]; then
 		echo "Adding ip$4tables rule for $3 : $2"
 	else
@ -140,8 +117,7 @@ ipt_print_op()
 	fi
 }
-_fw_tpws4()
+_fw_tpws4() {
 {
 	# $1 - 1 - add, 0 - del
 	# $2 - iptable filter for ipv4
 	# $3 - tpws port
@ -152,25 +128,24 @@ _fw_tpws4()
 		[ "$1" = 1 ] && prepare_tpws_fw4
-		ipt_print_op $1 "$2" "tpws (port $3)"
+		ipt_print_op "$1" "$2" "tpws (port $3)"
 		rule="$2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3"
-		for i in $4 ; do
+		for i in $4; do
-			ipt_add_del $1 PREROUTING -t nat -i $i $rule
+			ipt_add_del "$1" PREROUTING -t nat -i "$i" "$rule"
 		done
 		rule="-m owner ! --uid-owner $WS_USER $rule"
 		if [ -n "$5" ]; then
 			for i in $5; do
-				ipt_add_del $1 OUTPUT -t nat -o $i $rule
+				ipt_add_del "$1" OUTPUT -t nat -o "$i" "$rule"
 			done
 		else
-			ipt_add_del $1 OUTPUT -t nat $rule
+			ipt_add_del "$1" OUTPUT -t nat "$rule"
 		fi
 	}
 }
-_fw_tpws6()
+_fw_tpws6() {
 {
 	# $1 - 1 - add, 0 - del
 	# $2 - iptable filter for ipv6
 	# $3 - tpws port
@ -180,37 +155,34 @@ _fw_tpws6()
 	[ "$DISABLE_IPV6" = "1" -o -z "$2" ] || {
 		local i rule DNAT6
-		ipt_print_op $1 "$2" "tpws (port $3)" 6
+		ipt_print_op "$1" "$2" "tpws (port $3)" 6
 		rule="$2 $IPSET_EXCLUDE6 dst"
-		for i in $4 ; do
+		for i in $4; do
-			_dnat6_target $i DNAT6
+			_dnat6_target "$i" DNAT6
-			[ -n "$DNAT6" -a "$DNAT6" != "-" ] && ipt6_add_del $1 PREROUTING -t nat -i $i $rule -j DNAT --to [$DNAT6]:$3
+			[ -n "$DNAT6" -a "$DNAT6" != "-" ] && ipt6_add_del "$1" PREROUTING -t nat -i "$i" "$rule" -j DNAT --to ["$DNAT6"]:"$3"
 		done
 		rule="-m owner ! --uid-owner $WS_USER $rule -j DNAT --to [::1]:$3"
 		if [ -n "$5" ]; then
 			for i in $5; do
-				ipt6_add_del $1 OUTPUT -t nat -o $i $rule
+				ipt6_add_del "$1" OUTPUT -t nat -o "$i" "$rule"
 			done
 		else
-			ipt6_add_del $1 OUTPUT -t nat $rule
+			ipt6_add_del "$1" OUTPUT -t nat "$rule"
 		fi
 	}
 }
-fw_tpws()
+fw_tpws() {
 {
 	# $1 - 1 - add, 0 - del
 	# $2 - iptable filter for ipv4
 	# $3 - iptable filter for ipv6
 	# $4 - tpws port
-	fw_tpws4 $1 "$2" $4
+	fw_tpws4 "$1" "$2" "$4"
-	fw_tpws6 $1 "$3" $4
+	fw_tpws6 "$1" "$3" "$4"
 }
-
+_fw_nfqws_post4() {
 _fw_nfqws_post4()
 {
 	# $1 - 1 - add, 0 - del
 	# $2 - iptable filter for ipv4
 	# $3 - queue number
@ -218,20 +190,19 @@ _fw_nfqws_post4()
 	[ "$DISABLE_IPV4" = "1" -o -z "$2" ] || {
 		local i
-		ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)"
+		ipt_print_op "$1" "$2" "nfqws postrouting (qnum $3)"
 		rule="$2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass"
-		if [ -n "$4" ] ; then
+		if [ -n "$4" ]; then
 			for i in $4; do
-				ipt_add_del $1 POSTROUTING -t mangle -o $i $rule
+				ipt_add_del "$1" POSTROUTING -t mangle -o "$i" "$rule"
 			done
 		else
-			ipt_add_del $1 POSTROUTING -t mangle $rule
+			ipt_add_del "$1" POSTROUTING -t mangle "$rule"
 		fi
 	}
 }
-_fw_nfqws_post6()
+_fw_nfqws_post6() {
 {
 	# $1 - 1 - add, 0 - del
 	# $2 - iptable filter for ipv6
 	# $3 - queue number
@ -239,30 +210,28 @@ _fw_nfqws_post6()
 	[ "$DISABLE_IPV6" = "1" -o -z "$2" ] || {
 		local i
-		ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)" 6
+		ipt_print_op "$1" "$2" "nfqws postrouting (qnum $3)" 6
 		rule="$2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass"
-		if [ -n "$4" ] ; then
+		if [ -n "$4" ]; then
 			for i in $4; do
-				ipt6_add_del $1 POSTROUTING -t mangle -o $i $rule
+				ipt6_add_del "$1" POSTROUTING -t mangle -o "$i" "$rule"
 			done
 		else
-			ipt6_add_del $1 POSTROUTING -t mangle $rule
+			ipt6_add_del "$1" POSTROUTING -t mangle "$rule"
 		fi
 	}
 }
-fw_nfqws_post()
+fw_nfqws_post() {
 {
 	# $1 - 1 - add, 0 - del
 	# $2 - iptable filter for ipv4
 	# $3 - iptable filter for ipv6
 	# $4 - queue number
-	fw_nfqws_post4 $1 "$2" $4
+	fw_nfqws_post4 "$1" "$2" "$4"
-	fw_nfqws_post6 $1 "$3" $4
+	fw_nfqws_post6 "$1" "$3" "$4"
 }
-_fw_nfqws_pre4()
+_fw_nfqws_pre4() {
 {
 	# $1 - 1 - add, 0 - del
 	# $2 - iptable filter for ipv4
 	# $3 - queue number
@ -270,23 +239,22 @@ _fw_nfqws_pre4()
 	[ "$DISABLE_IPV4" = "1" -o -z "$2" ] || {
 		local i
-		ipt_print_op $1 "$2" "nfqws input+forward (qnum $3)"
+		ipt_print_op "$1" "$2" "nfqws input+forward (qnum $3)"
 		rule="$2 $IPSET_EXCLUDE src -j NFQUEUE --queue-num $3 --queue-bypass"
-		if [ -n "$4" ] ; then
+		if [ -n "$4" ]; then
 			for i in $4; do
 				# iptables PREROUTING chain is before NAT. not possible to have DNATed ip's there
-				ipt_add_del $1 INPUT -t mangle -i $i $rule
+				ipt_add_del "$1" INPUT -t mangle -i "$i" "$rule"
-				ipt_add_del $1 FORWARD -t mangle -i $i $rule
+				ipt_add_del "$1" FORWARD -t mangle -i "$i" "$rule"
 			done
 		else
-			ipt_add_del $1 INPUT -t mangle $rule
+			ipt_add_del "$1" INPUT -t mangle "$rule"
-			ipt_add_del $1 FORWARD -t mangle $rule
+			ipt_add_del "$1" FORWARD -t mangle "$rule"
 		fi
 	}
 }
-_fw_nfqws_pre6()
+_fw_nfqws_pre6() {
 {
 	# $1 - 1 - add, 0 - del
 	# $2 - iptable filter for ipv6
 	# $3 - queue number
@ -294,34 +262,31 @@ _fw_nfqws_pre6()
 	[ "$DISABLE_IPV6" = "1" -o -z "$2" ] || {
 		local i
-		ipt_print_op $1 "$2" "nfqws input+forward (qnum $3)" 6
+		ipt_print_op "$1" "$2" "nfqws input+forward (qnum $3)" 6
 		rule="$2 $IPSET_EXCLUDE6 src -j NFQUEUE --queue-num $3 --queue-bypass"
-		if [ -n "$4" ] ; then
+		if [ -n "$4" ]; then
 			for i in $4; do
 				# iptables PREROUTING chain is before NAT. not possible to have DNATed ip's there
-				ipt6_add_del $1 INPUT -t mangle -i $i $rule
+				ipt6_add_del "$1" INPUT -t mangle -i "$i" "$rule"
-				ipt6_add_del $1 FORWARD -t mangle -i $i $rule
+				ipt6_add_del "$1" FORWARD -t mangle -i "$i" "$rule"
 			done
 		else
-			ipt6_add_del $1 INPUT -t mangle $rule
+			ipt6_add_del "$1" INPUT -t mangle "$rule"
-			ipt6_add_del $1 FORWARD -t mangle $rule
+			ipt6_add_del "$1" FORWARD -t mangle "$rule"
 		fi
 	}
 }
-fw_nfqws_pre()
+fw_nfqws_pre() {
 {
 	# $1 - 1 - add, 0 - del
 	# $2 - iptable filter for ipv4
 	# $3 - iptable filter for ipv6
 	# $4 - queue number
-	fw_nfqws_pre4 $1 "$2" $4
+	fw_nfqws_pre4 "$1" "$2" "$4"
-	fw_nfqws_pre6 $1 "$3" $4
+	fw_nfqws_pre6 "$1" "$3" "$4"
 }
-
+produce_reverse_nfqws_rule() {
 produce_reverse_nfqws_rule()
 {
 	local rule="$1"
 	if contains "$rule" "$ipt_connbytes"; then
 		# autohostlist - need several incoming packets
@ -334,28 +299,23 @@ produce_reverse_nfqws_rule()
 	fi
 	echo "$rule" | reverse_nfqws_rule_stream
 }
-fw_reverse_nfqws_rule4()
+fw_reverse_nfqws_rule4() {
-{
+	fw_nfqws_pre4 "$1" "$(produce_reverse_nfqws_rule "$2")" "$3"
 	fw_nfqws_pre4 $1 "$(produce_reverse_nfqws_rule "$2")" $3
 }
-fw_reverse_nfqws_rule6()
+fw_reverse_nfqws_rule6() {
-{
+	fw_nfqws_pre6 "$1" "$(produce_reverse_nfqws_rule "$2")" "$3"
 	fw_nfqws_pre6 $1 "$(produce_reverse_nfqws_rule "$2")" $3
 }
-fw_reverse_nfqws_rule()
+fw_reverse_nfqws_rule() {
 {
 	# ensure that modes relying on incoming traffic work
 	# $1 - 1 - add, 0 - del
 	# $2 - rule4
 	# $3 - rule6
 	# $4 - queue number
-	fw_reverse_nfqws_rule4 $1 "$2" $4
+	fw_reverse_nfqws_rule4 "$1" "$2" "$4"
-	fw_reverse_nfqws_rule6 $1 "$3" $4
+	fw_reverse_nfqws_rule6 "$1" "$3" "$4"
 }
-
+zapret_do_firewall_rules_ipt() {
 zapret_do_firewall_rules_ipt()
 {
 	local mode="${MODE_OVERRIDE:-$MODE}"
 	local first_packet_only="$ipt_connbytes 1:$(first_packets_for_mode)"
@ -365,12 +325,12 @@ zapret_do_firewall_rules_ipt()
 	case "$mode" in
 	tpws)
 		if [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ]; then
-				echo both http and https are disabled. not applying redirection.
+			echo both HTTP and HTTPS are disabled. not applying redirection.
 		else
 			filter_apply_port_target f4
 			f6=$f4
 			filter_apply_ipset_target f4 f6
-				fw_tpws $1 "$f4" "$f6" $TPPORT
+			fw_tpws "$1" "$f4" "$f6" "$TPPORT"
 		fi
 		;;
@ -381,42 +341,42 @@ zapret_do_firewall_rules_ipt()
 			filter_apply_port_target f4
 			f4="$f4 $first_packet_only"
 			filter_apply_ipset_target4 f4
-				fw_nfqws_post4 $1 "$f4 $desync" $qn
+			fw_nfqws_post4 "$1" "$f4 $desync" "$qn"
-				fw_reverse_nfqws_rule4 $1 "$f4" $qn
+			fw_reverse_nfqws_rule4 "$1" "$f4" "$qn"
 		else
 			if [ -n "$qn" ]; then
 				f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
 				[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
 				filter_apply_ipset_target4 f4
-					fw_nfqws_post4 $1 "$f4 $desync" $qn
+				fw_nfqws_post4 "$1" "$f4 $desync" "$qn"
-					fw_reverse_nfqws_rule4 $1 "$f4" $qn
+				fw_reverse_nfqws_rule4 "$1" "$f4" "$qn"
 			fi
 			if [ -n "$qns" ]; then
 				f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
 				filter_apply_ipset_target4 f4
-					fw_nfqws_post4 $1 "$f4 $desync" $qns
+				fw_nfqws_post4 "$1" "$f4 $desync" "$qns"
-					fw_reverse_nfqws_rule4 $1 "$f4" $qns
+				fw_reverse_nfqws_rule4 "$1" "$f4" "$qns"
 			fi
 		fi
 		if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn6" ] && [ "$qn6" = "$qns6" ]; then
 			filter_apply_port_target f6
 			f6="$f6 $first_packet_only"
 			filter_apply_ipset_target6 f6
-				fw_nfqws_post6 $1 "$f6 $desync" $qn6
+			fw_nfqws_post6 "$1" "$f6 $desync" "$qn6"
-				fw_reverse_nfqws_rule6 $1 "$f6" $qn6
+			fw_reverse_nfqws_rule6 "$1" "$f6" "$qn6"
 		else
 			if [ -n "$qn6" ]; then
 				f6="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
 				[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only"
 				filter_apply_ipset_target6 f6
-					fw_nfqws_post6 $1 "$f6 $desync" $qn6
+				fw_nfqws_post6 "$1" "$f6 $desync" "$qn6"
-					fw_reverse_nfqws_rule6 $1 "$f6" $qn6
+				fw_reverse_nfqws_rule6 "$1" "$f6" "$qn6"
 			fi
 			if [ -n "$qns6" ]; then
 				f6="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
 				filter_apply_ipset_target6 f6
-					fw_nfqws_post6 $1 "$f6 $desync" $qns6
+				fw_nfqws_post6 "$1" "$f6 $desync" "$qns6"
-					fw_reverse_nfqws_rule6 $1 "$f6" $qns6
+				fw_reverse_nfqws_rule6 "$1" "$f6" "$qns6"
 			fi
 		fi
@ -426,24 +386,23 @@ zapret_do_firewall_rules_ipt()
 			filter_apply_port_target_quic f4
 			f4="$f4 $first_packet_only"
 			filter_apply_ipset_target4 f4
-				fw_nfqws_post4 $1 "$f4 $desync" $qn
+			fw_nfqws_post4 "$1" "$f4 $desync" "$qn"
 		fi
 		if [ -n "$qn6" ]; then
 			f6=
 			filter_apply_port_target_quic f6
 			f6="$f6 $first_packet_only"
 			filter_apply_ipset_target6 f6
-				fw_nfqws_post6 $1 "$f6 $desync" $qn6
+			fw_nfqws_post6 "$1" "$f6 $desync" "$qn6"
 		fi
 		;;
 	custom)
-	    		existf zapret_custom_firewall && zapret_custom_firewall $1
+		existf zapret_custom_firewall && zapret_custom_firewall "$1"
 		;;
 	esac
 }
-zapret_do_firewall_ipt()
+zapret_do_firewall_ipt() {
 {
 	# $1 - 1 - add, 0 - del
 	if [ "$1" = 1 ]; then
@ -461,7 +420,7 @@ zapret_do_firewall_ipt()
 	zapret_do_firewall_rules_ipt "$@"
-	if [ "$1" = 1 ] ; then
+	if [ "$1" = 1 ]; then
 		existf flow_offloading_exempt && flow_offloading_exempt
 	else
 		existf flow_offloading_unexempt && flow_offloading_unexempt
--- a/common/linux_fw.sh
+++ b/common/linux_fw.sh
@ -1,9 +1,7 @@
-set_conntrack_liberal_mode()
+set_conntrack_liberal_mode() {
-{
+	[ -n "$SKIP_CONNTRACK_LIBERAL_MODE" ] || sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal="$1"
 	[ -n "$SKIP_CONNTRACK_LIBERAL_MODE" ] || sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal=$1
 }
-zapret_do_firewall()
+zapret_do_firewall() {
 {
 	linux_fwtype
 	[ "$1" = 1 -a -n "$INIT_FW_PRE_UP_HOOK" ] && $INIT_FW_PRE_UP_HOOK
@ -23,29 +21,26 @@ zapret_do_firewall()
 	# switch on liberal mode on zapret firewall start and switch off on zapret firewall stop
 	# this is only required for processing incoming bad RSTs. incoming rules are only applied in autohostlist mode
 	# calling this after firewall because conntrack module can be not loaded before applying conntrack firewall rules
-	[ "$MODE_FILTER" = "autohostlist" -a "$MODE" != tpws -a "$MODE" != tpws-socks ] && set_conntrack_liberal_mode $1
+	[ "$MODE_FILTER" = "autohostlist" -a "$MODE" != tpws -a "$MODE" != tpws-socks ] && set_conntrack_liberal_mode "$1"
 	[ "$1" = 1 -a -n "$INIT_FW_POST_UP_HOOK" ] && $INIT_FW_POST_UP_HOOK
 	[ "$1" = 0 -a -n "$INIT_FW_POST_DOWN_HOOK" ] && $INIT_FW_POST_DOWN_HOOK
 	return 0
 }
-zapret_apply_firewall()
+zapret_apply_firewall() {
 {
 	zapret_do_firewall 1 "$@"
 }
-zapret_unapply_firewall()
+zapret_unapply_firewall() {
 {
 	zapret_do_firewall 0 "$@"
 }
-first_packets_for_mode()
+first_packets_for_mode() {
 {
 	# autohostlist and autottl modes requires incoming traffic sample
 	# always use conntrack packet limiter or nfqws will deal with gigabytes
 	local n
 	if [ "$MODE_FILTER" = "autohostlist" ]; then
-		n=$((6+${AUTOHOSTLIST_RETRANS_THRESHOLD:-3}))
+		n=$((6 + ${AUTOHOSTLIST_RETRANS_THRESHOLD:-3}))
 	else
 		n=6
 	fi
--- a/common/linux_iphelper.sh
+++ b/common/linux_iphelper.sh
@ -4,54 +4,48 @@
 # PREROUTING - can't DNAT to ::1. can DNAT to link local of -i interface or to any global addr
 # not a good idea to expose tpws to the world (bind to ::)
-
+get_ipv6_linklocal() {
 get_ipv6_linklocal()
 {
 	# $1 - interface name. if empty - any interface
- if exists ip ; then
+	if exists ip; then
 		local dev
 		[ -n "$1" ] && dev="dev $1"
-    ip addr show $dev | sed -e 's/^.*inet6 \([^ ]*\)\/[0-9]* scope link.*$/\1/;t;d' | head -n 1
+		ip addr show "$dev" | sed -e 's/^.*inet6 \([^ ]*\)\/[0-9]* scope link.*$/\1/;t;d' | head -n 1
 	else
-    ifconfig $1 | sed -re 's/^.*inet6 addr: ([^ ]*)\/[0-9]* Scope:Link.*$/\1/;t;d' | head -n 1
+		ifconfig "$1" | sed -re 's/^.*inet6 addr: ([^ ]*)\/[0-9]* Scope:Link.*$/\1/;t;d' | head -n 1
 	fi
 }
-get_ipv6_global()
+get_ipv6_global() {
 {
 	# $1 - interface name. if empty - any interface
- if exists ip ; then
+	if exists ip; then
 		local dev
 		[ -n "$1" ] && dev="dev $1"
-    ip addr show $dev | sed -e 's/^.*inet6 \([^ ]*\)\/[0-9]* scope global.*$/\1/;t;d' | head -n 1
+		ip addr show "$dev" | sed -e 's/^.*inet6 \([^ ]*\)\/[0-9]* scope global.*$/\1/;t;d' | head -n 1
 	else
-    ifconfig $1 | sed -re 's/^.*inet6 addr: ([^ ]*)\/[0-9]* Scope:Global.*$/\1/;t;d' | head -n 1
+		ifconfig "$1" | sed -re 's/^.*inet6 addr: ([^ ]*)\/[0-9]* Scope:Global.*$/\1/;t;d' | head -n 1
 	fi
 }
-iface_is_up()
+iface_is_up() {
 {	
 	# $1 - interface name
-	[ -f /sys/class/net/$1/operstate ] || return
+	[ -f /sys/class/net/"$1"/operstate ] || return
 	local state
-	read state </sys/class/net/$1/operstate
+	read state </sys/class/net/"$1"/operstate
 	[ "$state" != "down" ]
 }
-wait_ifup()
+wait_ifup() {
 {
 	# $1 - interface name
 	local ct=0
 	while
-		iface_is_up $1 && return
+		iface_is_up "$1" && return
 		[ "$ct" -ge "$IFUP_WAIT_SEC" ] && break
-		echo waiting for ifup of $1 for another $(($IFUP_WAIT_SEC - $ct)) seconds ...
+		echo waiting for ifup of "$1" for another $(($IFUP_WAIT_SEC - $ct)) seconds ...
-		ct=$(($ct+1))
+		ct=$(($ct + 1))
 		sleep 1
 	do :; done
 	false
 }
-_dnat6_target()
+_dnat6_target() {
 {
 	# $1 - interface name
 	# $2 - var to store target ip6
 	# get target ip address for DNAT. prefer link locals
@ -60,57 +54,53 @@ _dnat6_target()
 	# DNAT6_TARGET=- means attempt was made but address was not found (to avoid multiple re-attempts)
 	local DNAT6_TARGET DVAR=DNAT6_TARGET_$1
-	DVAR=$(echo $DVAR | sed 's/[^a-zA-Z0-9_]/_/g')
+	DVAR=$(echo "$DVAR" | sed 's/[^a-zA-Z0-9_]/_/g')
 	eval DNAT6_TARGET="\$$DVAR"
-	[ -n "$2" ] && eval $2=''
+	[ -n "$2" ] && eval "$2"=''
 	[ -n "$DNAT6_TARGET" ] || {
 		local ct=0
 		while
-			DNAT6_TARGET=$(get_ipv6_linklocal $1)
+			DNAT6_TARGET=$(get_ipv6_linklocal "$1")
 			[ -n "$DNAT6_TARGET" ] && break
 			[ "$ct" -ge "$LINKLOCAL_WAIT_SEC" ] && break
-			echo $1: waiting for the link local for another $(($LINKLOCAL_WAIT_SEC - $ct)) seconds ...
+			echo "$1": waiting for the link local for another $(($LINKLOCAL_WAIT_SEC - $ct)) seconds ...
-			ct=$(($ct+1))
+			ct=$(($ct + 1))
 			sleep 1
 		do :; done
 		[ -n "$DNAT6_TARGET" ] || {
-		    	echo $1: no link local. getting global
+			echo "$1": no link local. getting global
-			DNAT6_TARGET=$(get_ipv6_global $1)
+			DNAT6_TARGET=$(get_ipv6_global "$1")
 			[ -n "$DNAT6_TARGET" ] || {
-				echo $1: could not get any address
+				echo "$1": could not get any address
 				DNAT6_TARGET=-
 			}
 		}
-		eval $DVAR="$DNAT6_TARGET"
+		eval "$DVAR"="$DNAT6_TARGET"
 	}
-	[ -n "$2" ] && eval $2="$DNAT6_TARGET"
+	[ -n "$2" ] && eval "$2"="$DNAT6_TARGET"
 }
-_set_route_localnet()
+_set_route_localnet() {
 {
 	# $1 - 1 = enable, 0 = disable
 	# $2,$3,... - interface names
 	[ "$DISABLE_IPV4" = "1" ] || {
 		local enable="$1"
 		shift
 		while [ -n "$1" ]; do
-			sysctl -q -w net.ipv4.conf.$1.route_localnet="$enable"
+			sysctl -q -w net.ipv4.conf."$1".route_localnet="$enable"
 			shift
 		done
 	}
 }
-prepare_route_localnet()
+prepare_route_localnet() {
 {
 	set_route_localnet 1 "$@"
 }
-unprepare_route_localnet()
+unprepare_route_localnet() {
 {
 	set_route_localnet 0 "$@"
 }
-resolve_lower_devices()
+resolve_lower_devices() {
 {
 	# $1 - bridge interface name
 	[ -d "/sys/class/net/$1" ] && {
 		find "/sys/class/net/$1" -follow -maxdepth 1 -name "lower_*" |
--- a/common/list.sh
+++ b/common/list.sh
@ -1,5 +1,4 @@
-find_hostlists()
+find_hostlists() {
 {
 	[ -n "$HOSTLIST_BASE" ] || HOSTLIST_BASE="$ZAPRET_BASE/ipset"
 	HOSTLIST="$HOSTLIST_BASE/zapret-hosts.txt.gz"
@ -18,8 +17,7 @@ find_hostlists()
 	HOSTLIST_AUTO_DEBUGLOG="$HOSTLIST_BASE/zapret-hosts-auto-debug.log"
 }
-filter_apply_autohostlist_target()
+filter_apply_autohostlist_target() {
 {
 	# $1 - var name of tpws or nfqws params
 	local parm1="${AUTOHOSTLIST_FAIL_THRESHOLD:+--hostlist-auto-fail-threshold=$AUTOHOSTLIST_FAIL_THRESHOLD}"
@ -27,11 +25,10 @@ filter_apply_autohostlist_target()
 	local parm3 parm4
 	[ "$MODE" = "tpws" -o "$MODE" = "tpws-socks" ] || parm3="${AUTOHOSTLIST_RETRANS_THRESHOLD:+--hostlist-auto-retrans-threshold=$AUTOHOSTLIST_RETRANS_THRESHOLD}"
 	[ "$AUTOHOSTLIST_DEBUGLOG" = 1 ] && parm4="--hostlist-auto-debug=$HOSTLIST_AUTO_DEBUGLOG"
-	eval $1="\"\$$1 --hostlist-auto=$HOSTLIST_AUTO $parm1 $parm2 $parm3 $parm4\""
+	eval "$1"="\"\$$1 --hostlist-auto=$HOSTLIST_AUTO $parm1 $parm2 $parm3 $parm4\""
 }
-filter_apply_hostlist_target()
+filter_apply_hostlist_target() {
 {
 	# $1 - var name of tpws or nfqws params
 	[ "$MODE_FILTER" = "hostlist" -o "$MODE_FILTER" = "autohostlist" ] || return
@ -40,8 +37,8 @@ filter_apply_hostlist_target()
 	find_hostlists
-	[ -n "$HOSTLIST" ] && eval $1="\"\$$1 --hostlist=$HOSTLIST\""
+	[ -n "$HOSTLIST" ] && eval "$1"="\"\$$1 --hostlist=$HOSTLIST\""
-	[ -n "$HOSTLIST_USER" ] && eval $1="\"\$$1 --hostlist=$HOSTLIST_USER\""
+	[ -n "$HOSTLIST_USER" ] && eval "$1"="\"\$$1 --hostlist=$HOSTLIST_USER\""
-	[ -n "$HOSTLIST_EXCLUDE" ] && eval $1="\"\$$1 --hostlist-exclude=$HOSTLIST_EXCLUDE\""
+	[ -n "$HOSTLIST_EXCLUDE" ] && eval "$1"="\"\$$1 --hostlist-exclude=$HOSTLIST_EXCLUDE\""
-	[ "$MODE_FILTER" = "autohostlist" ] && filter_apply_autohostlist_target $1
+	[ "$MODE_FILTER" = "autohostlist" ] && filter_apply_autohostlist_target "$1"
 }
--- a/common/nft.sh
+++ b/common/nft.sh
@ -5,48 +5,39 @@ readonly nft_connbytes="ct original packets"
 create_dev_stdin
 std_ports
-nft_create_table()
+nft_create_table() {
-{
+	nft add table inet "$ZAPRET_NFT_TABLE"
 	nft add table inet $ZAPRET_NFT_TABLE
 }
-nft_del_table()
+nft_del_table() {
-{
+	nft delete table inet "$ZAPRET_NFT_TABLE" 2>/dev/null
 	nft delete table inet $ZAPRET_NFT_TABLE 2>/dev/null
 }
-nft_list_table()
+nft_list_table() {
-{
+	nft -t list table inet "$ZAPRET_NFT_TABLE"
 	nft -t list table inet $ZAPRET_NFT_TABLE
 }
-nft_create_set()
+nft_create_set() {
 {
 	# $1 - set name
 	# $2 - params
-	nft create set inet $ZAPRET_NFT_TABLE $1 "{ $2 }" 2>/dev/null
+	nft create set inet "$ZAPRET_NFT_TABLE" "$1" "{ $2 }" 2>/dev/null
 }
-nft_del_set()
+nft_del_set() {
 {
 	# $1 - set name
-	nft delete set inet $ZAPRET_NFT_TABLE $1
+	nft delete set inet "$ZAPRET_NFT_TABLE" "$1"
 }
-nft_flush_set()
+nft_flush_set() {
 {
 	# $1 - set name
-	nft flush set inet $ZAPRET_NFT_TABLE $1
+	nft flush set inet "$ZAPRET_NFT_TABLE" "$1"
 }
-nft_set_exists()
+nft_set_exists() {
 {
 	# $1 - set name
-	nft -t list set inet $ZAPRET_NFT_TABLE $1 2>/dev/null >/dev/null
+	nft -t list set inet "$ZAPRET_NFT_TABLE" "$1" 2>/dev/null >/dev/null
 }
-nft_flush_chain()
+nft_flush_chain() {
 {
 	# $1 - chain name
-	nft flush chain inet $ZAPRET_NFT_TABLE $1
+	nft flush chain inet "$ZAPRET_NFT_TABLE" "$1"
 }
-nft_del_all_chains_from_table()
+nft_del_all_chains_from_table() {
 {
 	# $1 - table_name with or without family
 	# delete all chains with possible references to each other
@ -54,12 +45,12 @@ nft_del_all_chains_from_table()
 	# avoid infinite loops
 	local chains deleted=1 error=1
 	while [ -n "$deleted" -a -n "$error" ]; do
-		chains=$(nft -t list table $1 2>/dev/null | sed -nre "s/^[ 	]*chain ([^ ]+) \{/\1/p" | xargs)
+		chains=$(nft -t list table "$1" 2>/dev/null | sed -nre "s/^[ 	]*chain ([^ ]+) \{/\1/p" | xargs)
 		[ -n "$chains" ] || break
 		deleted=
 		error=
 		for chain in $chains; do
-			if nft delete chain $1 $chain 2>/dev/null; then
+			if nft delete chain "$1" "$chain" 2>/dev/null; then
 				deleted=1
 			else
 				error=1
@ -68,9 +59,8 @@ nft_del_all_chains_from_table()
 	done
 }
-nft_create_chains()
+nft_create_chains() {
-{
+	cat <<EOF | nft -f -
 cat << EOF | nft -f -
 	add chain inet $ZAPRET_NFT_TABLE dnat_output { type nat hook output priority -101; }
 	flush chain inet $ZAPRET_NFT_TABLE dnat_output
 	add chain inet $ZAPRET_NFT_TABLE dnat_pre { type nat hook prerouting priority -101; }
@ -113,12 +103,11 @@ EOF
 		nft_add_rule predefrag_nfqws notrack comment \"do not track nfqws generated packets to avoid nat tampering and defragmentation\"
 	}
 }
-nft_del_chains()
+nft_del_chains() {
 {
 	# do not delete all chains because of additional user hooks
 	# they must be inside zapret table to use nfsets
-cat << EOF | nft -f - 2>/dev/null
+	cat <<EOF | nft -f - 2>/dev/null
 	delete chain inet $ZAPRET_NFT_TABLE dnat_output
 	delete chain inet $ZAPRET_NFT_TABLE dnat_pre
 	delete chain inet $ZAPRET_NFT_TABLE forward
@ -132,15 +121,13 @@ cat << EOF | nft -f - 2>/dev/null
 	delete chain inet $ZAPRET_NFT_TABLE flow_offload
 	delete chain inet $ZAPRET_NFT_TABLE localnet_protect
 EOF
-# unfortunately this approach breaks udp desync of the connection initiating packet (new, first one)
+	# unfortunately this approach breaks udp desync of the connection initiating packet (new, first one)
-#	delete chain inet $ZAPRET_NFT_TABLE predefrag
+	#	delete chain inet $ZAPRET_NFT_TABLE predefrag
 }
-nft_del_flowtable()
+nft_del_flowtable() {
-{
+	nft delete flowtable inet "$ZAPRET_NFT_TABLE" ft 2>/dev/null
 	nft delete flowtable inet $ZAPRET_NFT_TABLE ft 2>/dev/null
 }
-nft_create_or_update_flowtable()
+nft_create_or_update_flowtable() {
 {
 	# $1 = flags ('offload' for hw offload)
 	# $2,$3,$4,... - interfaces
 	# can be called multiple times to add interfaces. interfaces can only be added , not removed
@ -153,117 +140,102 @@ nft_create_or_update_flowtable()
 	for makelist in make_quoted_comma_list make_comma_list; do
 		$makelist devices "$@"
 		[ -n "$devices" ] && devices="devices={$devices};"
-		nft add flowtable inet $ZAPRET_NFT_TABLE ft "{ hook ingress priority -1; $flags $devices }" && break
+		nft add flowtable inet "$ZAPRET_NFT_TABLE" ft "{ hook ingress priority -1; $flags $devices }" && break
 	done
 }
-nft_flush_ifsets()
+nft_flush_ifsets() {
-{
+	cat <<EOF | nft -f - 2>/dev/null
 cat << EOF | nft -f -  2>/dev/null
 	flush set inet $ZAPRET_NFT_TABLE lanif
 	flush set inet $ZAPRET_NFT_TABLE wanif
 	flush set inet $ZAPRET_NFT_TABLE wanif6
 	flush map inet $ZAPRET_NFT_TABLE link_local
 EOF
 }
-nft_flush_link_local()
+nft_flush_link_local() {
-{
+	nft flush map inet "$ZAPRET_NFT_TABLE" link_local 2>/dev/null
 	nft flush map inet $ZAPRET_NFT_TABLE link_local 2>/dev/null
 }
-nft_list_ifsets()
+nft_list_ifsets() {
-{
+	nft list set inet "$ZAPRET_NFT_TABLE" lanif
-	nft list set inet $ZAPRET_NFT_TABLE lanif
+	nft list set inet "$ZAPRET_NFT_TABLE" wanif
-	nft list set inet $ZAPRET_NFT_TABLE wanif
+	nft list set inet "$ZAPRET_NFT_TABLE" wanif6
-	nft list set inet $ZAPRET_NFT_TABLE wanif6
+	nft list map inet "$ZAPRET_NFT_TABLE" link_local
-	nft list map inet $ZAPRET_NFT_TABLE link_local
+	nft list flowtable inet "$ZAPRET_NFT_TABLE" ft 2>/dev/null
 	nft list flowtable inet $ZAPRET_NFT_TABLE ft 2>/dev/null
 }
-nft_create_firewall()
+nft_create_firewall() {
 {
 	nft_create_table
 	nft_del_flowtable
 	nft_flush_link_local
 	nft_create_chains
 }
-nft_del_firewall()
+nft_del_firewall() {
 {
 	nft_del_chains
 	nft_del_flowtable
 	nft_flush_link_local
 	# leave ifsets and ipsets because they may be used by custom rules
 }
-nft_add_rule()
+nft_add_rule() {
 {
 	# $1 - chain
 	# $2,$3,... - rule(s)
 	local chain="$1"
 	shift
-	nft add rule inet $ZAPRET_NFT_TABLE $chain "$@"
+	nft add rule inet "$ZAPRET_NFT_TABLE" "$chain" "$@"
 }
-nft_add_set_element()
+nft_add_set_element() {
 {
 	# $1 - set or map name
 	# $2 - element
-	[ -z "$2" ] || nft add element inet $ZAPRET_NFT_TABLE $1 "{ $2 }"
+	[ -z "$2" ] || nft add element inet "$ZAPRET_NFT_TABLE" "$1" "{ $2 }"
 }
-nft_add_set_elements()
+nft_add_set_elements() {
 {
 	# $1 - set or map name
 	# $2,$3,... - element(s)
 	local set="$1" elements
 	shift
 	make_comma_list elements "$@"
-	nft_add_set_element $set "$elements"
+	nft_add_set_element "$set" "$elements"
 }
-nft_reverse_nfqws_rule()
+nft_reverse_nfqws_rule() {
 {
 	echo "$@" | sed -e 's/oifname /iifname /g' -e 's/dport /sport /g' -e 's/daddr /saddr /g' -e 's/ct original /ct reply /g' -e "s/mark and $DESYNC_MARK == 0//g"
 }
-nft_clean_nfqws_rule()
+nft_clean_nfqws_rule() {
 {
 	echo "$@" | sed -e "s/mark and $DESYNC_MARK == 0//g" -e "s/oifname @wanif6//g" -e "s/oifname @wanif//g"
 }
-nft_add_nfqws_flow_exempt_rule()
+nft_add_nfqws_flow_exempt_rule() {
 {
 	# $1 - rule (must be all filters in one var)
-	nft_add_rule flow_offload $(nft_clean_nfqws_rule $1) return comment \"direct flow offloading exemption\"
+	nft_add_rule flow_offload $(nft_clean_nfqws_rule "$1") return comment \"direct flow offloading exemption\"
 	# do not need this because of oifname @wanif/@wanif6 filter in forward chain
 	#nft_add_rule flow_offload $(nft_reverse_nfqws_rule $1) return comment \"reverse flow offloading exemption\"
 }
-nft_add_flow_offload_exemption()
+nft_add_flow_offload_exemption() {
 {
 	# "$1" - rule for ipv4
 	# "$2" - rule for ipv6
 	# "$3" - comment
-	[ "$DISABLE_IPV4" = "1" -o -z "$1" ] || nft_add_rule flow_offload oifname @wanif $1 ip daddr != @nozapret return comment \"$3\"
+	[ "$DISABLE_IPV4" = "1" -o -z "$1" ] || nft_add_rule flow_offload oifname @wanif "$1" ip daddr != @nozapret return comment \""$3"\"
-	[ "$DISABLE_IPV6" = "1" -o -z "$2" ] || nft_add_rule flow_offload oifname @wanif6 $2 ip6 daddr != @nozapret6 return comment \"$3\"
+	[ "$DISABLE_IPV6" = "1" -o -z "$2" ] || nft_add_rule flow_offload oifname @wanif6 "$2" ip6 daddr != @nozapret6 return comment \""$3"\"
 }
-nft_hw_offload_supported()
+nft_hw_offload_supported() {
 {
 	# $1,$2,... - interface names
 	local devices res=1
 	make_quoted_comma_list devices "$@"
 	[ -n "$devices" ] && devices="devices={$devices};"
-	nft add table ${ZAPRET_NFT_TABLE}_test && nft add flowtable ${ZAPRET_NFT_TABLE}_test ft "{ flags offload; $devices }" 2>/dev/null && res=0
+	nft add table "${ZAPRET_NFT_TABLE}"_test && nft add flowtable "${ZAPRET_NFT_TABLE}"_test ft "{ flags offload; $devices }" 2>/dev/null && res=0
-	nft delete table ${ZAPRET_NFT_TABLE}_test 2>/dev/null
+	nft delete table "${ZAPRET_NFT_TABLE}"_test 2>/dev/null
 	return $res
 }
-nft_hw_offload_find_supported()
+nft_hw_offload_find_supported() {
 {
 	# $1,$2,... - interface names
 	local supported_list
 	while [ -n "$1" ]; do
 		nft_hw_offload_supported "$1" && append_separator_list supported_list ' ' '' "$1"
 		shift
 	done
-	echo $supported_list
+	echo "$supported_list"
 }
-nft_apply_flow_offloading()
+nft_apply_flow_offloading() {
 {
 	# ft can be absent
 	nft_add_rule flow_offload meta l4proto "{ tcp, udp }" flow add @ft 2>/dev/null && {
 		nft_add_rule flow_offload meta l4proto "{ tcp, udp }" counter comment \"if offload works here must not be too much traffic\"
@ -273,10 +245,7 @@ nft_apply_flow_offloading()
 	}
 }
-
+nft_filter_apply_port_target() {
 nft_filter_apply_port_target()
 {
 	# $1 - var name of nftables filter
 	local f
 	if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
@ -288,58 +257,51 @@ nft_filter_apply_port_target()
 	else
 		echo WARNING !!! HTTP and HTTPS are both disabled
 	fi
-	eval $1="\"\$$1 $f\""
+	eval "$1"="\"\$$1 $f\""
 }
-nft_filter_apply_port_target_quic()
+nft_filter_apply_port_target_quic() {
 {
 	# $1 - var name of nftables filter
 	local f
 	f="udp dport {$QUIC_PORTS}"
-	eval $1="\"\$$1 $f\""
+	eval "$1"="\"\$$1 $f\""
 }
-nft_filter_apply_ipset_target4()
+nft_filter_apply_ipset_target4() {
 {
 	# $1 - var name of ipv4 nftables filter
 	if [ "$MODE_FILTER" = "ipset" ]; then
-		eval $1="\"\$$1 ip daddr @zapret\""
+		eval "$1"="\"\$$1 ip daddr @zapret\""
 	fi
 }
-nft_filter_apply_ipset_target6()
+nft_filter_apply_ipset_target6() {
 {
 	# $1 - var name of ipv6 nftables filter
 	if [ "$MODE_FILTER" = "ipset" ]; then
-		eval $1="\"\$$1 ip6 daddr @zapret6\""
+		eval "$1"="\"\$$1 ip6 daddr @zapret6\""
 	fi
 }
-nft_filter_apply_ipset_target()
+nft_filter_apply_ipset_target() {
 {
 	# $1 - var name of ipv4 nftables filter
 	# $2 - var name of ipv6 nftables filter
-	nft_filter_apply_ipset_target4 $1
+	nft_filter_apply_ipset_target4 "$1"
-	nft_filter_apply_ipset_target6 $2
+	nft_filter_apply_ipset_target6 "$2"
 }
-
+nft_script_add_ifset_element() {
 nft_script_add_ifset_element()
 {
 	# $1 - set name
 	# $2 - space separated elements
 	local elements
 	[ -n "$2" ] && {
-		make_quoted_comma_list elements $2
+		make_quoted_comma_list elements "$2"
 		script="${script}
 add element inet $ZAPRET_NFT_TABLE $1 { $elements }"
 	}
 }
-nft_fill_ifsets()
+nft_fill_ifsets() {
-{
+	# $1 - space separated LAN interface names
-	# $1 - space separated lan interface names
+	# $2 - space separated WAN interface names
-	# $2 - space separated wan interface names
+	# $3 - space separated WAN6 interface names
-	# $3 - space separated wan6 interface names
+	# 4,5,6 is needed for PPPoE+OpenWrt case. looks like it's not easily possible to resolve Ethernet device behind a PPPoE interface
-	# 4,5,6 is needed for pppoe+openwrt case. looks like it's not easily possible to resolve ethernet device behind a pppoe interface
+	# $4 - space separated LAN physical interface names (optional)
-	# $4 - space separated lan physical interface names (optional)
+	# $5 - space separated WAN physical interface names (optional)
-	# $5 - space separated wan physical interface names (optional)
+	# $6 - space separated WAN6 physical interface names (optional)
 	# $6 - space separated wan6 physical interface names (optional)
 	local script i j ALLDEVS devs
@ -359,25 +321,25 @@ flush set inet $ZAPRET_NFT_TABLE lanif"
 	case "$FLOWOFFLOAD" in
 	software)
-			ALLDEVS=$(unique $1 $2 $3)
+		ALLDEVS=$(unique "$1" "$2" "$3")
 		# unbound flowtable may cause error in older nft version
-			nft_create_or_update_flowtable '' $ALLDEVS 2>/dev/null
+		nft_create_or_update_flowtable '' "$ALLDEVS" 2>/dev/null
 		;;
 	hardware)
-			ALLDEVS=$(unique $1 $2 $3 $4 $5 $6)
+		ALLDEVS=$(unique "$1" "$2" "$3" "$4" "$5" "$6")
 		# first create unbound flowtable. may cause error in older nft version
 		nft_create_or_update_flowtable 'offload' 2>/dev/null
 		# then add elements. some of them can cause error because unsupported
 		for i in $ALLDEVS; do
-				if nft_hw_offload_supported $i; then
+			if nft_hw_offload_supported "$i"; then
-					nft_create_or_update_flowtable 'offload' $i
+				nft_create_or_update_flowtable 'offload' "$i"
 			else
 				# bridge members must be added instead of the bridge itself
-					# some members may not support hw offload. example : lan1 lan2 lan3 support, wlan0 wlan1 - not
+				# some members may not support hw offload. example: lan1 lan2 lan3 support, wlan0 wlan1 - not
-					devs=$(resolve_lower_devices $i)
+				devs=$(resolve_lower_devices "$i")
 				for j in $devs; do
 					# do not display error if addition failed
-						nft_create_or_update_flowtable 'offload' $j 2>/dev/null
+					nft_create_or_update_flowtable 'offload' "$j" 2>/dev/null
 				done
 			fi
 		done
@ -385,8 +347,7 @@ flush set inet $ZAPRET_NFT_TABLE lanif"
 	esac
 }
-nft_only()
+nft_only() {
 {
 	linux_fwtype
 	case "$FWTYPE" in
@ -396,13 +357,10 @@ nft_only()
 	esac
 }
-
+nft_print_op() {
-nft_print_op()
+	echo "Adding nftables IPv$3 rule for $2: $1"
 {
 	echo "Adding nftables ipv$3 rule for $2 : $1"
 }
-_nft_fw_tpws4()
+_nft_fw_tpws4() {
 {
 	# $1 - filter ipv4
 	# $2 - tpws port
 	# $3 - not-empty if wan interface filtering required
@ -410,13 +368,12 @@ _nft_fw_tpws4()
 	[ "$DISABLE_IPV4" = "1" -o -z "$1" ] || {
 		local filter="$1" port="$2"
 		nft_print_op "$filter" "tpws (port $2)" 4
-		nft_add_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }$filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
+		nft_add_rule dnat_output skuid != "$WS_USER" ${3:+oifname @wanif }"$filter" ip daddr != @nozapret dnat ip to "$TPWS_LOCALHOST4":"$port"
-		nft_add_rule dnat_pre iifname @lanif $filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
+		nft_add_rule dnat_pre iifname @lanif "$filter" ip daddr != @nozapret dnat ip to "$TPWS_LOCALHOST4":"$port"
 		prepare_route_localnet
 	}
 }
-_nft_fw_tpws6()
+_nft_fw_tpws6() {
 {
 	# $1 - filter ipv6
 	# $2 - tpws port
 	# $3 - lan interface names space separated
@ -425,48 +382,43 @@ _nft_fw_tpws6()
 	[ "$DISABLE_IPV6" = "1" -o -z "$1" ] || {
 		local filter="$1" port="$2" DNAT6 i
 		nft_print_op "$filter" "tpws (port $port)" 6
-		nft_add_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }$filter ip6 daddr != @nozapret6 dnat ip6 to [::1]:$port
+		nft_add_rule dnat_output skuid != "$WS_USER" ${4:+oifname @wanif6 }"$filter" ip6 daddr != @nozapret6 dnat ip6 to [::1]:"$port"
 		[ -n "$3" ] && {
-			nft_add_rule dnat_pre $filter ip6 daddr != @nozapret6 dnat ip6 to iifname map @link_local:$port
+			nft_add_rule dnat_pre "$filter" ip6 daddr != @nozapret6 dnat ip6 to iifname map @link_local:"$port"
 			for i in $3; do
-				_dnat6_target $i DNAT6
+				_dnat6_target "$i" DNAT6
 				# can be multiple tpws processes on different ports
 				[ -n "$DNAT6" -a "$DNAT6" != '-' ] && nft_add_set_element link_local "$i : $DNAT6"
 			done
 		}
 	}
 }
-nft_fw_tpws()
+nft_fw_tpws() {
 {
 	# $1 - filter ipv4
 	# $2 - filter ipv6
 	# $3 - tpws port
-	nft_fw_tpws4 "$1" $3
+	nft_fw_tpws4 "$1" "$3"
-	nft_fw_tpws6 "$2" $3
+	nft_fw_tpws6 "$2" "$3"
 }
-is_postnat()
+is_postnat() {
 {
 	[ "$POSTNAT" != 0 -o "$POSTNAT_ALL" = 1 ]
 }
-get_postchain()
+get_postchain() {
-{
+	if is_postnat; then
 	if is_postnat ; then
 		echo -n postnat
 	else
 		echo -n postrouting
 	fi
 }
-get_prechain()
+get_prechain() {
-{
+	if is_postnat; then
 	if is_postnat ; then
 		echo -n prenat
 	else
 		echo -n prerouting
 	fi
 }
-_nft_fw_nfqws_post4()
+_nft_fw_nfqws_post4() {
 {
 	# $1 - filter ipv4
 	# $2 - queue number
 	# $3 - not-empty if wan interface filtering required
@ -476,12 +428,11 @@ _nft_fw_nfqws_post4()
 		nft_print_op "$filter" "nfqws postrouting (qnum $port)" 4
 		rule="${3:+oifname @wanif }$filter ip daddr != @nozapret"
 		is_postnat && setmark="meta mark set meta mark or $DESYNC_MARK_POSTNAT"
-		nft_add_rule $chain $rule $setmark queue num $port bypass
+		nft_add_rule "$chain" "$rule" "$setmark" queue num "$port" bypass
 		nft_add_nfqws_flow_exempt_rule "$rule"
 	}
 }
-_nft_fw_nfqws_post6()
+_nft_fw_nfqws_post6() {
 {
 	# $1 - filter ipv6
 	# $2 - queue number
 	# $3 - not-empty if wan interface filtering required
@ -491,22 +442,20 @@ _nft_fw_nfqws_post6()
 		nft_print_op "$filter" "nfqws postrouting (qnum $port)" 6
 		rule="${3:+oifname @wanif6 }$filter ip6 daddr != @nozapret6"
 		is_postnat && setmark="meta mark set meta mark or $DESYNC_MARK_POSTNAT"
-		nft_add_rule $chain $rule $setmark queue num $port bypass
+		nft_add_rule "$chain" "$rule" "$setmark" queue num "$port" bypass
 		nft_add_nfqws_flow_exempt_rule "$rule"
 	}
 }
-nft_fw_nfqws_post()
+nft_fw_nfqws_post() {
-{
+	# $1 - filter IPv4
 	# $1 - filter ipv4
 	# $2 - filter ipv6
 	# $3 - queue number
-	nft_fw_nfqws_post4 "$1" $3
+	nft_fw_nfqws_post4 "$1" "$3"
-	nft_fw_nfqws_post6 "$2" $3
+	nft_fw_nfqws_post6 "$2" "$3"
 }
-_nft_fw_nfqws_pre4()
+_nft_fw_nfqws_pre4() {
 {
 	# $1 - filter ipv4
 	# $2 - queue number
 	# $3 - not-empty if wan interface filtering required
@ -515,11 +464,10 @@ _nft_fw_nfqws_pre4()
 		local filter="$1" port="$2" rule
 		nft_print_op "$filter" "nfqws prerouting (qnum $port)" 4
 		rule="${3:+iifname @wanif }$filter ip saddr != @nozapret"
-		nft_add_rule $(get_prechain) $rule queue num $port bypass
+		nft_add_rule $(get_prechain) "$rule" queue num "$port" bypass
 	}
 }
-_nft_fw_nfqws_pre6()
+_nft_fw_nfqws_pre6() {
 {
 	# $1 - filter ipv6
 	# $2 - queue number
 	# $3 - not-empty if wan interface filtering required
@ -528,35 +476,31 @@ _nft_fw_nfqws_pre6()
 		local filter="$1" port="$2" rule
 		nft_print_op "$filter" "nfqws prerouting (qnum $port)" 6
 		rule="${3:+iifname @wanif6 }$filter ip6 saddr != @nozapret6"
-		nft_add_rule $(get_prechain) $rule queue num $port bypass
+		nft_add_rule $(get_prechain) "$rule" queue num "$port" bypass
 	}
 }
-nft_fw_nfqws_pre()
+nft_fw_nfqws_pre() {
 {
 	# $1 - filter ipv4
 	# $2 - filter ipv6
 	# $3 - queue number
-	nft_fw_nfqws_pre4 "$1" $3
+	nft_fw_nfqws_pre4 "$1" "$3"
-	nft_fw_nfqws_pre6 "$2" $3
+	nft_fw_nfqws_pre6 "$2" "$3"
 }
-nft_fw_nfqws_both4()
+nft_fw_nfqws_both4() {
 {
 	# $1 - filter ipv4
 	# $2 - queue number
 	nft_fw_nfqws_post4 "$@"
-	nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule $1)" $2
+	nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule "$1")" "$2"
 }
-nft_fw_nfqws_both6()
+nft_fw_nfqws_both6() {
 {
 	# $1 - filter ipv6
 	# $2 - queue number
 	nft_fw_nfqws_post6 "$@"
-	nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule $1)" $2
+	nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule "$1")" "$2"
 }
-nft_fw_nfqws_both()
+nft_fw_nfqws_both() {
 {
 	# $1 - filter ipv4
 	# $2 - filter ipv6
 	# $3 - queue number
@ -564,26 +508,21 @@ nft_fw_nfqws_both()
 	nft_fw_nfqws_both6 "$2" "$3"
 }
-zapret_reload_ifsets()
+zapret_reload_ifsets() {
-{
+	nft_only nft_create_table
-	nft_only nft_create_table ; nft_fill_ifsets_overload
+	nft_fill_ifsets_overload
 	return 0
 }
-zapret_list_ifsets()
+zapret_list_ifsets() {
 {
 	nft_only nft_list_ifsets
 	return 0
 }
-zapret_list_table()
+zapret_list_table() {
 {
 	nft_only nft_list_table
 	return 0
 }
-
+nft_produce_reverse_nfqws_rule() {
 nft_produce_reverse_nfqws_rule()
 {
 	local rule="$1"
 	if contains "$rule" "$nft_connbytes "; then
 		# autohostlist - need several incoming packets
@ -596,28 +535,24 @@ nft_produce_reverse_nfqws_rule()
 		[ "$range" = 1 ] || range="1-$range"
 		rule="$nft_connbytes $range $rule"
 	fi
-	nft_reverse_nfqws_rule $rule
+	nft_reverse_nfqws_rule "$rule"
 }
-nft_fw_reverse_nfqws_rule4()
+nft_fw_reverse_nfqws_rule4() {
-{
+	nft_fw_nfqws_pre4 "$(nft_produce_reverse_nfqws_rule "$1")" "$2"
 	nft_fw_nfqws_pre4 "$(nft_produce_reverse_nfqws_rule "$1")" $2
 }
-nft_fw_reverse_nfqws_rule6()
+nft_fw_reverse_nfqws_rule6() {
-{
+	nft_fw_nfqws_pre6 "$(nft_produce_reverse_nfqws_rule "$1")" "$2"
 	nft_fw_nfqws_pre6 "$(nft_produce_reverse_nfqws_rule "$1")" $2
 }
-nft_fw_reverse_nfqws_rule()
+nft_fw_reverse_nfqws_rule() {
 {
 	# ensure that modes relying on incoming traffic work
 	# $1 - rule4
 	# $2 - rule6
 	# $3 - queue number
-	nft_fw_reverse_nfqws_rule4 "$1" $3
+	nft_fw_reverse_nfqws_rule4 "$1" "$3"
-	nft_fw_reverse_nfqws_rule6 "$2" $3
+	nft_fw_reverse_nfqws_rule6 "$2" "$3"
 }
-zapret_apply_firewall_rules_nft()
+zapret_apply_firewall_rules_nft() {
 {
 	local mode="${MODE_OVERRIDE:-$MODE}"
 	local first_packets_only
@ -629,12 +564,12 @@ zapret_apply_firewall_rules_nft()
 	case "$mode" in
 	tpws)
 		if [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ]; then
-				echo both http and https are disabled. not applying redirection.
+			echo both HTTP and HTTPS are disabled. not applying redirection.
 		else
 			nft_filter_apply_port_target f4
 			f6=$f4
 			nft_filter_apply_ipset_target f4 f6
-				nft_fw_tpws "$f4" "$f6" $TPPORT
+			nft_fw_tpws "$f4" "$f6" "$TPPORT"
 		fi
 		;;
 	nfqws)
@ -647,42 +582,42 @@ zapret_apply_firewall_rules_nft()
 			nft_filter_apply_port_target f4
 			f4="$f4 $first_packets_only"
 			nft_filter_apply_ipset_target4 f4
-				nft_fw_nfqws_post4 "$f4 $desync" $qn
+			nft_fw_nfqws_post4 "$f4 $desync" "$qn"
-				nft_fw_reverse_nfqws_rule4 "$f4" $qn
+			nft_fw_reverse_nfqws_rule4 "$f4" "$qn"
 		else
 			if [ -n "$qn" ]; then
 				f4="tcp dport {$HTTP_PORTS}"
 				[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packets_only"
 				nft_filter_apply_ipset_target4 f4
-					nft_fw_nfqws_post4 "$f4 $desync" $qn
+				nft_fw_nfqws_post4 "$f4 $desync" "$qn"
-					nft_fw_reverse_nfqws_rule4 "$f4" $qn
+				nft_fw_reverse_nfqws_rule4 "$f4" "$qn"
 			fi
 			if [ -n "$qns" ]; then
 				f4="tcp dport {$HTTPS_PORTS} $first_packets_only"
 				nft_filter_apply_ipset_target4 f4
-					nft_fw_nfqws_post4 "$f4 $desync" $qns
+				nft_fw_nfqws_post4 "$f4 $desync" "$qns"
-					nft_fw_reverse_nfqws_rule4 "$f4" $qns
+				nft_fw_reverse_nfqws_rule4 "$f4" "$qns"
 			fi
 		fi
 		if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn6" ] && [ "$qn6" = "$qns6" ]; then
 			nft_filter_apply_port_target f6
 			f6="$f6 $first_packets_only"
 			nft_filter_apply_ipset_target6 f6
-				nft_fw_nfqws_post6 "$f6 $desync" $qn6
+			nft_fw_nfqws_post6 "$f6 $desync" "$qn6"
-				nft_fw_reverse_nfqws_rule6 "$f6" $qn6
+			nft_fw_reverse_nfqws_rule6 "$f6" "$qn6"
 		else
 			if [ -n "$qn6" ]; then
 				f6="tcp dport {$HTTP_PORTS}"
 				[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packets_only"
 				nft_filter_apply_ipset_target6 f6
-					nft_fw_nfqws_post6 "$f6 $desync" $qn6
+				nft_fw_nfqws_post6 "$f6 $desync" "$qn6"
-					nft_fw_reverse_nfqws_rule6 "$f6" $qn6
+				nft_fw_reverse_nfqws_rule6 "$f6" "$qn6"
 			fi
 			if [ -n "$qns6" ]; then
 				f6="tcp dport {$HTTPS_PORTS} $first_packets_only"
 				nft_filter_apply_ipset_target6 f6
-					nft_fw_nfqws_post6 "$f6 $desync" $qns6
+				nft_fw_nfqws_post6 "$f6 $desync" "$qns6"
-					nft_fw_reverse_nfqws_rule6 "$f6" $qns6
+				nft_fw_reverse_nfqws_rule6 "$f6" "$qns6"
 			fi
 		fi
@ -692,14 +627,14 @@ zapret_apply_firewall_rules_nft()
 			nft_filter_apply_port_target_quic f4
 			f4="$f4 $first_packets_only"
 			nft_filter_apply_ipset_target4 f4
-				nft_fw_nfqws_post4 "$f4 $desync" $qn
+			nft_fw_nfqws_post4 "$f4 $desync" "$qn"
 		fi
 		if [ -n "$qn6" ]; then
 			f6=
 			nft_filter_apply_port_target_quic f6
 			f6="$f6 $first_packets_only"
 			nft_filter_apply_ipset_target6 f6
-				nft_fw_nfqws_post6 "$f6 $desync" $qn6
+			nft_fw_nfqws_post6 "$f6 $desync" "$qn6"
 		fi
 		POSTNAT=$POSTNAT_SAVE
@ -710,8 +645,7 @@ zapret_apply_firewall_rules_nft()
 	esac
 }
-zapret_apply_firewall_nft()
+zapret_apply_firewall_nft() {
 {
 	echo Applying nftables
 	local mode="${MODE_OVERRIDE:-$MODE}"
@ -728,19 +662,17 @@ zapret_apply_firewall_nft()
 	return 0
 }
-zapret_unapply_firewall_nft()
+zapret_unapply_firewall_nft() {
 {
 	echo Clearing nftables
 	unprepare_route_localnet
 	nft_del_firewall
 	return 0
 }
-zapret_do_firewall_nft()
+zapret_do_firewall_nft() {
 {
 	# $1 - 1 - add, 0 - del
-	if [ "$1" = 0 ] ; then
+	if [ "$1" = 0 ]; then
 		zapret_unapply_firewall_nft
 	else
 		zapret_apply_firewall_nft
--- a/common/pf.sh
+++ b/common/pf.sh
@ -6,14 +6,12 @@ PF_ANCHOR_ZAPRET_V6="$PF_ANCHOR_DIR/zapret-v6"
 std_ports
-pf_anchor_root_reload()
+pf_anchor_root_reload() {
 {
 	echo reloading PF root anchor
 	pfctl -qf "$PF_MAIN"
 }
-pf_anchor_root()
+pf_anchor_root() {
 {
 	local patch
 	[ -f "$PF_MAIN" ] && {
 		grep -q '^rdr-anchor "zapret"$' "$PF_MAIN" || {
@ -57,13 +55,11 @@ set limit table-entries 5000000
 	echo ----------------------------------
 	return 1
 }
-pf_anchor_root_del()
+pf_anchor_root_del() {
 {
 	sed -i '' -e '/^anchor "zapret"$/d' -e '/^rdr-anchor "zapret"$/d' -e '/^set limit table-entries/d' "$PF_MAIN"
 }
-pf_anchor_zapret()
+pf_anchor_zapret() {
 {
 	[ "$DISABLE_IPV4" = "1" ] || {
 		if [ -f "$ZIPLIST_EXCLUDE" ]; then
 			echo "table <nozapret> persist file \"$ZIPLIST_EXCLUDE\""
@ -83,8 +79,7 @@ pf_anchor_zapret()
 	[ "$DISABLE_IPV4" = "1" ] || echo "anchor \"/zapret-v4\" inet to !<nozapret>"
 	[ "$DISABLE_IPV6" = "1" ] || echo "anchor \"/zapret-v6\" inet6 to !<nozapret6>"
 }
-pf_anchor_zapret_tables()
+pf_anchor_zapret_tables() {
 {
 	# $1 - variable to receive applied table names
 	# $2/$3 $4/$5 ...  table_name/table_file
 	local tblv=$1
@ -93,7 +88,7 @@ pf_anchor_zapret_tables()
 	shift
 	[ "$MODE_FILTER" = "ipset" ] &&
 		{
-		while [ -n "$1" ] && [ -n "$2" ] ; do
+			while [ -n "$1" ] && [ -n "$2" ]; do
 				[ -f "$2" ] && {
 					echo "table <$1> file \"$2\""
 					_tbl="$_tbl<$1> "
@ -104,10 +99,9 @@ pf_anchor_zapret_tables()
 		}
 	[ -n "$_tbl" ] || _tbl="any"
-	eval $tblv="\"\$_tbl\""
+	eval "$tblv"="\"\$_tbl\""
 }
-pf_anchor_port_target()
+pf_anchor_port_target() {
 {
 	if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
 		echo "{$HTTP_PORTS_IPT,$HTTPS_PORTS_IPT}"
 	elif [ "$MODE_HTTPS" = "1" ]; then
@ -117,8 +111,7 @@ pf_anchor_port_target()
 	fi
 }
-pf_anchor_zapret_v4_tpws()
+pf_anchor_zapret_v4_tpws() {
 {
 	# $1 - port
 	local rule port=$(pf_anchor_port_target)
@ -130,7 +123,7 @@ pf_anchor_zapret_v4_tpws()
 	echo "rdr on lo0 inet proto tcp from !127.0.0.0/8 to any port $port -> 127.0.0.1 port $1"
 	for t in $tbl; do
 		rule="route-to (lo0 127.0.0.1) inet proto tcp from !127.0.0.0/8 to $t port $port user { >root }"
-		if [ -n "$IFACE_WAN" ] ; then
+		if [ -n "$IFACE_WAN" ]; then
 			for wan in $IFACE_WAN; do
 				echo "pass out on $wan $rule"
 			done
@ -140,15 +133,14 @@ pf_anchor_zapret_v4_tpws()
 	done
 }
-pf_anchor_zapret_v4()
+pf_anchor_zapret_v4() {
 {
 	local tbl port
 	[ "$DISABLE_IPV4" = "1" ] || {
 		case $MODE in
 		tpws)
 			[ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return
 			pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST"
-				pf_anchor_zapret_v4_tpws $TPPORT
+			pf_anchor_zapret_v4_tpws "$TPPORT"
 			;;
 		custom)
 			pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST"
@ -157,14 +149,13 @@ pf_anchor_zapret_v4()
 		esac
 	}
 }
-pf_anchor_zapret_v6_tpws()
+pf_anchor_zapret_v6_tpws() {
 {
 	# $1 - port
 	local LL_LAN rule port=$(pf_anchor_port_target)
 	# LAN link local is only for router
 	for lan in $IFACE_LAN; do
-		LL_LAN=$(get_ipv6_linklocal $lan)
+		LL_LAN=$(get_ipv6_linklocal "$lan")
 		[ -n "$LL_LAN" ] && {
 			for t in $tbl; do
 				echo "rdr on $lan inet6 proto tcp from any to $t port $port -> $LL_LAN port $1"
@ -174,7 +165,7 @@ pf_anchor_zapret_v6_tpws()
 	echo "rdr on lo0 inet6 proto tcp from !::1 to any port $port -> fe80::1 port $1"
 	for t in $tbl; do
 		rule="route-to (lo0 fe80::1) inet6 proto tcp from !::1 to $t port $port user { >root }"
-		if [ -n "${IFACE_WAN6:-$IFACE_WAN}" ] ; then
+		if [ -n "${IFACE_WAN6:-$IFACE_WAN}" ]; then
 			for wan in ${IFACE_WAN6:-$IFACE_WAN}; do
 				echo "pass out on $wan $rule"
 			done
@ -183,8 +174,7 @@ pf_anchor_zapret_v6_tpws()
 		fi
 	done
 }
-pf_anchor_zapret_v6()
+pf_anchor_zapret_v6() {
 {
 	local tbl port
 	[ "$DISABLE_IPV6" = "1" ] || {
@ -192,7 +182,7 @@ pf_anchor_zapret_v6()
 		tpws)
 			[ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return
 			pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6"
-				pf_anchor_zapret_v6_tpws $TPPORT
+			pf_anchor_zapret_v6_tpws "$TPPORT"
 			;;
 		custom)
 			pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6"
@ -202,19 +192,16 @@ pf_anchor_zapret_v6()
 	}
 }
-pf_anchors_create()
+pf_anchors_create() {
 {
 	wait_lan_ll
 	pf_anchor_zapret >"$PF_ANCHOR_ZAPRET"
 	pf_anchor_zapret_v4 >"$PF_ANCHOR_ZAPRET_V4"
 	pf_anchor_zapret_v6 >"$PF_ANCHOR_ZAPRET_V6"
 }
-pf_anchors_del()
+pf_anchors_del() {
 {
 	rm -f "$PF_ANCHOR_ZAPRET" "$PF_ANCHOR_ZAPRET_V4" "$PF_ANCHOR_ZAPRET_V6"
 }
-pf_anchors_load()
+pf_anchors_load() {
 {
 	echo loading zapret anchor from "$PF_ANCHOR_ZAPRET"
 	pfctl -qa zapret -f "$PF_ANCHOR_ZAPRET" || {
 		echo error loading zapret anchor
@ -243,20 +230,17 @@ pf_anchors_load()
 	echo successfully loaded PF anchors
 	return 0
 }
-pf_anchors_clear()
+pf_anchors_clear() {
 {
 	echo clearing zapret anchors
 	pfctl -qa zapret-v4 -F all 2>/dev/null
 	pfctl -qa zapret-v6 -F all 2>/dev/null
 	pfctl -qa zapret -F all 2>/dev/null
 }
-pf_enable()
+pf_enable() {
 {
 	echo enabling PF
 	pfctl -qe
 }
-pf_table_reload()
+pf_table_reload() {
 {
 	echo reloading zapret tables
 	[ "$DISABLE_IPV4" = "1" ] || pfctl -qTl -a zapret-v4 -f "$PF_ANCHOR_ZAPRET_V4"
 	[ "$DISABLE_IPV6" = "1" ] || pfctl -qTl -a zapret-v6 -f "$PF_ANCHOR_ZAPRET_V6"
--- a/common/queue.sh
+++ b/common/queue.sh
@ -1,5 +1,4 @@
-apply_unspecified_desync_modes()
+apply_unspecified_desync_modes() {
 {
 	NFQWS_OPT_DESYNC_HTTP="${NFQWS_OPT_DESYNC_HTTP:-$NFQWS_OPT_DESYNC}"
 	NFQWS_OPT_DESYNC_HTTPS="${NFQWS_OPT_DESYNC_HTTPS:-$NFQWS_OPT_DESYNC}"
 	NFQWS_OPT_DESYNC_HTTP6="${NFQWS_OPT_DESYNC_HTTP6:-$NFQWS_OPT_DESYNC_HTTP}"
@ -7,8 +6,7 @@ apply_unspecified_desync_modes()
 	NFQWS_OPT_DESYNC_QUIC6="${NFQWS_OPT_DESYNC_QUIC6:-$NFQWS_OPT_DESYNC_QUIC}"
 }
-get_nfqws_qnums()
+get_nfqws_qnums() {
 {
 	# $1 - var name for ipv4 http
 	# $2 - var name for ipv4 https
 	# $3 - var name for ipv6 http
@ -18,63 +16,62 @@ get_nfqws_qnums()
 	[ "$DISABLE_IPV4" = "1" ] || {
 		_qn=$QNUM
 		_qns=$_qn
-		[ "$NFQWS_OPT_DESYNC_HTTP" = "$NFQWS_OPT_DESYNC_HTTPS" ] || _qns=$(($QNUM+1))
+		[ "$NFQWS_OPT_DESYNC_HTTP" = "$NFQWS_OPT_DESYNC_HTTPS" ] || _qns=$(($QNUM + 1))
 	}
 	[ "$DISABLE_IPV6" = "1" ] || {
-		_qn6=$(($QNUM+2))
+		_qn6=$(($QNUM + 2))
-		_qns6=$(($QNUM+3))
+		_qns6=$(($QNUM + 3))
 		[ "$DISABLE_IPV4" = "1" ] || {
 			if [ "$NFQWS_OPT_DESYNC_HTTP6" = "$NFQWS_OPT_DESYNC_HTTP" ]; then
-				_qn6=$_qn;
+				_qn6=$_qn
 			elif [ "$NFQWS_OPT_DESYNC_HTTP6" = "$NFQWS_OPT_DESYNC_HTTPS" ]; then
-				_qn6=$_qns;
+				_qn6=$_qns
 			fi
 			if [ "$NFQWS_OPT_DESYNC_HTTPS6" = "$NFQWS_OPT_DESYNC_HTTP" ]; then
-				_qns6=$_qn;
+				_qns6=$_qn
 			elif [ "$NFQWS_OPT_DESYNC_HTTPS6" = "$NFQWS_OPT_DESYNC_HTTPS" ]; then
-				_qns6=$_qns;
+				_qns6=$_qns
 			fi
 		}
-		[ "$NFQWS_OPT_DESYNC_HTTPS6" = "$NFQWS_OPT_DESYNC_HTTP6" ] && _qns6=$_qn6;
+		[ "$NFQWS_OPT_DESYNC_HTTPS6" = "$NFQWS_OPT_DESYNC_HTTP6" ] && _qns6=$_qn6
 	}
 	if [ "$MODE_HTTP" = 1 ]; then
-		eval $1=$_qn
+		eval "$1"="$_qn"
-		eval $3=$_qn6
+		eval "$3"="$_qn6"
 	else
-		eval $1=
+		eval "$1"=
-		eval $3=
+		eval "$3"=
 	fi
 	if [ "$MODE_HTTPS" = 1 ]; then
-		eval $2=$_qns
+		eval "$2"="$_qns"
-		eval $4=$_qns6
+		eval "$4"="$_qns6"
 	else
-		eval $2=
+		eval "$2"=
-		eval $4=
+		eval "$4"=
 	fi
 }
-get_nfqws_qnums_quic()
+get_nfqws_qnums_quic() {
 {
 	# $1 - var name for ipv4 quic
 	# $2 - var name for ipv6 quic
 	local _qn _qn6
 	[ "$DISABLE_IPV4" = "1" ] || {
-		_qn=$(($QNUM+10))
+		_qn=$(($QNUM + 10))
 	}
 	[ "$DISABLE_IPV6" = "1" ] || {
-		_qn6=$(($QNUM+11))
+		_qn6=$(($QNUM + 11))
 		[ "$DISABLE_IPV4" = "1" ] || {
 			if [ "$NFQWS_OPT_DESYNC_QUIC" = "$NFQWS_OPT_DESYNC_QUIC6" ]; then
-				_qn6=$_qn;
+				_qn6=$_qn
 			fi
 		}
 	}
 	if [ "$MODE_QUIC" = 1 ]; then
-		eval $1=$_qn
+		eval "$1"=$_qn
-		eval $2=$_qn6
+		eval "$2"=$_qn6
 	else
-		eval $1=
+		eval "$1"=
-		eval $2=
+		eval "$2"=
 	fi
 }
--- a/common/virt.sh
+++ b/common/virt.sh
@ -1,5 +1,4 @@
-get_virt()
+get_virt() {
 {
 	local vm s v UNAME
 	UNAME=$(uname)
 	case "$UNAME" in
@ -21,8 +20,7 @@ get_virt()
 	esac
 	echo "$vm" | awk '{print tolower($0)}'
 }
-check_virt()
+check_virt() {
 {
 	echo \* checking virtualization
 	local vm="$(get_virt)"
 	if [ -n "$vm" ]; then
--- a/init.d/macos/custom-tpws
+++ b/init.d/macos/custom-tpws
@ -2,24 +2,21 @@
 TPPORT_MY=987
-zapret_custom_daemons()
+zapret_custom_daemons() {
 {
 	# $1 - 1 - run, 0 - stop
 	local opt="--user=root --port=$TPPORT_MY"
 	filter_apply_hostlist_target opt
 	tpws_apply_binds opt
 	opt="$opt $TPWS_OPT"
-	do_daemon $1 1 "$TPWS" "$opt"
+	do_daemon "$1" 1 "$TPWS" "$opt"
 }
 # custom firewall functions echo rules for zapret-v4 and zapret-v6 anchors
 # they come after automated table definitions. so you can use <zapret> <zapret6> <zapret-user> ...
-zapret_custom_firewall_v4()
+zapret_custom_firewall_v4() {
 {
 	pf_anchor_zapret_v4_tpws $TPPORT_MY
 }
-zapret_custom_firewall_v6()
+zapret_custom_firewall_v6() {
 {
 	pf_anchor_zapret_v6_tpws $TPPORT_MY
 }
--- a/init.d/macos/custom.default
+++ b/init.d/macos/custom.default
@ -2,8 +2,7 @@
 # use helpers from "functions" file
 # in case of upgrade keep this file only, do not modify others
-zapret_custom_daemons()
+zapret_custom_daemons() {
 {
 	# $1 - 1 - run, 0 - stop
 	:
 }
@ -11,11 +10,9 @@ zapret_custom_daemons()
 # custom firewall functions echo rules for zapret-v4 and zapret-v6 anchors
 # they come after automated table definitions. so you can use <zapret> <zapret6> <zapret-user> ...
-zapret_custom_firewall_v4()
+zapret_custom_firewall_v4() {
 {
 	:
 }
-zapret_custom_firewall_v6()
+zapret_custom_firewall_v6() {
 {
 	:
 }
--- a/init.d/macos/functions
+++ b/init.d/macos/functions
@ -21,8 +21,7 @@ TPWS_WAIT_SOCKS6="$TPWS_WAIT --bind-wait-ip-linklocal=30"
 CUSTOM_SCRIPT="$ZAPRET_BASE/init.d/macos/custom"
 [ -f "$CUSTOM_SCRIPT" ] && . "$CUSTOM_SCRIPT"
-run_daemon()
+run_daemon() {
 {
 	# $1 - daemon number : 1,2,3,...
 	# $2 - daemon
 	# $3 - daemon args
@ -31,14 +30,13 @@ run_daemon()
 	local PIDFILE="$PIDDIR/$DAEMONBASE$1.pid"
 	local ARGS="--daemon --pidfile=$PIDFILE $3"
 	[ -f "$PIDFILE" ] && pgrep -qF "$PIDFILE" && {
-		echo Already running $1: $2
+		echo Already running "$1": "$2"
 		return 0
 	}
 	echo "Starting daemon $1: $2 $ARGS"
-	"$2" $ARGS
+	"$2" "$ARGS"
 }
-stop_daemon()
+stop_daemon() {
 {
 	# $1 - daemon number : 1,2,3,...
 	# $2 - daemon
 	# use $PIDDIR/$DAEMONBASE$1.pid as pidfile
@ -49,19 +47,17 @@ stop_daemon()
 	[ -f "$PIDFILE" ] && read PID <"$PIDFILE"
 	[ -n "$PID" ] && {
 		echo "Stopping daemon $1: $2 (PID=$PID)"
-		kill $PID
+		kill "$PID"
 		rm -f "$PIDFILE"
 	}
 	return 0
 }
-do_daemon()
+do_daemon() {
 {
 	# $1 - 1 - run, 0 - stop
 	on_off_function run_daemon stop_daemon "$@"
 }
-tpws_apply_binds()
+tpws_apply_binds() {
 {
 	local o
 	[ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1"
 	[ "$DISABLE_IPV6" = "1" ] || {
@ -69,10 +65,9 @@ tpws_apply_binds()
 			o="$o --bind-iface6=$i --bind-linklocal=force $TPWS_WAIT"
 		done
 	}
-	eval $1="\"\$$1 $o\""
+	eval "$1"="\"\$$1 $o\""
 }
-tpws_apply_socks_binds()
+tpws_apply_socks_binds() {
 {
 	local o
 	[ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1"
@ -82,19 +77,17 @@ tpws_apply_socks_binds()
 		[ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$lan $TPWS_WAIT"
 		[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$lan --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
 	done
-	eval $1="\"\$$1 $o\""
+	eval "$1"="\"\$$1 $o\""
 }
-wait_interface_ll()
+wait_interface_ll() {
-{
+	echo waiting for an IPv6 link local address on "$1" ...
-	echo waiting for an ipv6 link local address on $1 ...
+	"$TPWS" --bind-wait-only --bind-iface6="$1" --bind-linklocal=force "$TPWS_WAIT"
 	"$TPWS" --bind-wait-only --bind-iface6=$1 --bind-linklocal=force $TPWS_WAIT
 }
-wait_lan_ll()
+wait_lan_ll() {
 {
 	[ "$DISABLE_IPV6" != "1" ] && {
 		for lan in $IFACE_LAN; do
-			wait_interface_ll $lan >&2 || {
+			wait_interface_ll "$lan" >&2 || {
 				echo "wait interface failed on $lan"
 				return 1
 			}
@ -102,22 +95,19 @@ wait_lan_ll()
 	}
 	return 0
 }
-get_ipv6_linklocal()
+get_ipv6_linklocal() {
-{
+	ifconfig "$1" | sed -nEe 's/^.*inet6 (fe80:[a-f0-9:]+).*/\1/p'
 	ifconfig $1 | sed -nEe 's/^.*inet6 (fe80:[a-f0-9:]+).*/\1/p'
 }
-
+zapret_do_firewall() {
 zapret_do_firewall()
 {
 	# $1 - 1 - add, 0 - del
 	[ "$1" = 1 -a -n "$INIT_FW_PRE_UP_HOOK" ] && $INIT_FW_PRE_UP_HOOK
 	[ "$1" = 0 -a -n "$INIT_FW_PRE_DOWN_HOOK" ] && $INIT_FW_PRE_DOWN_HOOK
 	case "${MODE_OVERRIDE:-$MODE}" in
-		tpws|filter|custom)
+	tpws | filter | custom)
-			if [ "$1" = "1" ] ; then
+		if [ "$1" = "1" ]; then
 			pf_anchor_root || return 1
 			pf_anchors_create
 			pf_anchors_load || return 1
@ -133,24 +123,18 @@ zapret_do_firewall()
 	return 0
 }
-zapret_apply_firewall()
+zapret_apply_firewall() {
 {
 	zapret_do_firewall 1 "$@"
 }
-zapret_unapply_firewall()
+zapret_unapply_firewall() {
 {
 	zapret_do_firewall 0 "$@"
 }
-zapret_restart_firewall()
+zapret_restart_firewall() {
 {
 	zapret_unapply_firewall "$@"
 	zapret_apply_firewall "$@"
 }
-
+zapret_do_daemons() {
 zapret_do_daemons()
 {
 	# $1 - 1 - run, 0 - stop
 	local opt
@ -158,31 +142,30 @@ zapret_do_daemons()
 	case "${MODE_OVERRIDE:-$MODE}" in
 	tpws)
 		[ "$1" = "1" ] && [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && {
-				echo "both ipv4 and ipv6 are disabled. nothing to do"
+			echo "both IPv4 and IPv6 are disabled. nothing to do"
 			return 0
 		}
-			# MacOS requires root. kernel hardcoded requirement for /dev/pf ioctls
+		# macOS requires root. kernel hardcoded requirement for /dev/pf ioctls
 		opt="--user=root --port=$TPPORT"
 		filter_apply_hostlist_target opt
 		tpws_apply_binds opt
 		opt="$opt $TPWS_OPT"
-			do_daemon $1 1 "$TPWS" "$opt"
+		do_daemon "$1" 1 "$TPWS" "$opt"
 		;;
 	tpws-socks)
 		[ "$1" = "1" ] && [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && {
-				echo "both ipv4 and ipv6 are disabled. nothing to do"
+			echo "both IPv4 and IPv6 are disabled. nothing to do"
 			return 0
 		}
 		opt="--socks --user=$WS_USER --port=$TPPORT"
 		tpws_apply_socks_binds opt
 		filter_apply_hostlist_target opt
 		opt="$opt $TPWS_OPT"
-			do_daemon $1 1 "$TPWS" "$opt"
+		do_daemon "$1" 1 "$TPWS" "$opt"
 			;;
 		filter)
 		;;
 	filter) ;;
 	custom)
-			existf zapret_custom_daemons && zapret_custom_daemons $1
+		existf zapret_custom_daemons && zapret_custom_daemons "$1"
 		;;
 	*)
 		echo "unsupported MODE=$MODE"
@ -192,16 +175,13 @@ zapret_do_daemons()
 	return 0
 }
-zapret_run_daemons()
+zapret_run_daemons() {
 {
 	zapret_do_daemons 1 "$@"
 }
-zapret_stop_daemons()
+zapret_stop_daemons() {
 {
 	zapret_do_daemons 0 "$@"
 }
-zapret_restart_daemons()
+zapret_restart_daemons() {
 {
 	zapret_stop_daemons "$@"
 	zapret_run_daemons "$@"
 }
--- a/init.d/macos/zapret
+++ b/init.d/macos/zapret
@ -2,48 +2,51 @@
 EXEDIR="$(dirname "$0")"
 ZAPRET_BASE="$EXEDIR/../.."
-ZAPRET_BASE="$(cd "$ZAPRET_BASE"; pwd)"
+ZAPRET_BASE="$(
 	cd "$ZAPRET_BASE"
 	pwd
 )"
 . "$EXEDIR/functions"
 case "$1" in
-	start)
+start)
 	zapret_run_daemons
 	[ "$INIT_APPLY_FW" != "1" ] || zapret_apply_firewall
 	;;
-	stop)
+stop)
 	[ "$INIT_APPLY_FW" != "1" ] || zapret_unapply_firewall
 	zapret_stop_daemons
 	;;
-	restart)
+restart)
 	"$0" stop
 	"$0" start
 	;;
-	start-fw|start_fw)
+start-fw | start_fw)
 	zapret_apply_firewall
 	;;
-	stop-fw|stop_fw)
+stop-fw | stop_fw)
 	zapret_unapply_firewall
 	;;
-	restart-fw|stop_fw)
+restart-fw | stop_fw)
 	zapret_restart_firewall
 	;;
-	reload-fw-tables|reload_fw_tables)
+reload-fw-tables | reload_fw_tables)
 	pf_table_reload
 	;;
-	start-daemons|start_daemons)
+start-daemons | start_daemons)
 	zapret_run_daemons
 	;;
-	stop-daemons|stop_daemons)
+stop-daemons | stop_daemons)
 	zapret_stop_daemons
 	;;
-	restart-daemons|restart_daemons)
+restart-daemons | restart_daemons)
 	zapret_restart_daemons
 	;;
-  *)
+*)
 	N="$SCRIPT/$NAME"
 	echo "Usage: $N {start|stop|start-fw|stop-fw|restart-fw|reload-fw-tables|start-daemons|stop-daemons|restart-daemons}" >&2
 	exit 1
--- a/init.d/openrc/zapret
+++ b/init.d/openrc/zapret
@ -4,7 +4,10 @@
 # on some systems (alpine) for unknown reason non-openrc-run scripts are not started from /etc/init.d
 EXEDIR=$(dirname "$RC_SERVICE")
-EXEDIR="$(cd "$EXEDIR"; pwd)"
+EXEDIR="$(
 	cd "$EXEDIR"
 	pwd
 )"
 ZAPRET_BASE="$EXEDIR/../.."
 ZAPRET_INIT="$ZAPRET_BASE/init.d/sysv/zapret"
@ -23,47 +26,36 @@ description_restart_daemons="Restart zapret firewall only"
 depend() {
 	rc-service -e networking && need networking
 }
-start()
+start() {
 {
 	"$ZAPRET_INIT" start
 }
-stop()
+stop() {
 {
 	"$ZAPRET_INIT" stop
 }
-start_fw()
+start_fw() {
 {
 	"$ZAPRET_INIT" start_fw
 }
-stop_fw()
+stop_fw() {
 {
 	"$ZAPRET_INIT" stop_fw
 }
-restart_fw()
+restart_fw() {
 {
 	"$ZAPRET_INIT" restart_fw
 }
-start_daemons()
+start_daemons() {
 {
 	"$ZAPRET_INIT" start_daemons
 }
-stop_daemons()
+stop_daemons() {
 {
 	"$ZAPRET_INIT" stop_daemons
 }
-restart_daemons()
+restart_daemons() {
 {
 	"$ZAPRET_INIT" restart_daemons
 }
-reload_ifsets()
+reload_ifsets() {
 {
 	"$ZAPRET_INIT" reload_ifsets
 }
-list_ifsets()
+list_ifsets() {
 {
 	"$ZAPRET_INIT" list_ifsets
 }
-list_table()
+list_table() {
 {
 	"$ZAPRET_INIT" list_table
 }
--- a/init.d/openwrt/90-zapret
+++ b/init.d/openwrt/90-zapret
@ -2,8 +2,7 @@
 ZAPRET=/etc/init.d/zapret
-check_lan()
+check_lan() {
 {
 	IS_LAN=
 	[ -n "$OPENWRT_LAN" ] || OPENWRT_LAN=lan
 	for lan in $OPENWRT_LAN; do
@ -13,8 +12,7 @@ check_lan()
 		}
 	done
 }
-check_need_to_reload_tpws6()
+check_need_to_reload_tpws6() {
 {
 	# tpws6 dnat target nft map can only be reloaded within firewall apply procedure
 	# interface ifsets (wanif, wanif6, lanif) can be reloaded independently
 	check_lan
@ -22,7 +20,6 @@ check_need_to_reload_tpws6()
 	[ "$ACTION" = "ifup" -a "$DISABLE_IPV6" != 1 -a -n "$IS_LAN" ] && [ "$MODE" = "tpws" -o "$MODE" = "custom" ] && RELOAD_TPWS6=1
 }
 [ -n "$INTERFACE" ] && [ "$ACTION" = ifup -o "$ACTION" = ifdown ] && [ -x "$ZAPRET" ] && "$ZAPRET" enabled && {
 	SCRIPT=$(readlink "$ZAPRET")
 	if [ -n "$SCRIPT" ]; then
@ -37,7 +34,7 @@ check_need_to_reload_tpws6()
 	check_need_to_reload_tpws6
 	[ -n "$RELOAD_TPWS6" ] && {
-		logger -t zapret restarting daemons due to $ACTION of $INTERFACE to update tpws6 dnat target
+		logger -t zapret restarting daemons due to "$ACTION" of "$INTERFACE" to update tpws6 dnat target
 		"$ZAPRET" restart_daemons
 	}
 	. "$ZAPRET_BASE/common/base.sh"
@ -45,17 +42,17 @@ check_need_to_reload_tpws6()
 	linux_fwtype
 	case "$FWTYPE" in
 	nftables)
-			if [ -n "$RELOAD_TPWS6" ] ; then
+		if [ -n "$RELOAD_TPWS6" ]; then
-				logger -t zapret reloading nftables due to $ACTION of $INTERFACE to update tpws6 dnat target
+			logger -t zapret reloading nftables due to "$ACTION" of "$INTERFACE" to update tpws6 dnat target
 			"$ZAPRET" restart_fw
 		else
-				logger -t zapret reloading nftables ifsets due to $ACTION of $INTERFACE
+			logger -t zapret reloading nftables ifsets due to "$ACTION" of "$INTERFACE"
 			"$ZAPRET" reload_ifsets
 		fi
 		;;
 	iptables)
 		openwrt_fw3 || {
-				logger -t zapret reloading iptables due to $ACTION of $INTERFACE
+			logger -t zapret reloading iptables due to "$ACTION" of "$INTERFACE"
 			"$ZAPRET" restart_fw
 		}
 		;;
--- a/init.d/openwrt/custom-nfqws-dht4all
+++ b/init.d/openwrt/custom-nfqws-dht4all
@ -1,10 +1,9 @@
 # this custom script in addition to MODE=nfqws runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
 # need to add to config : NFQWS_OPT_DESYNC_DHT="--dpi-desync=fake --dpi-desync-ttl=5"
-QNUM2=$(($QNUM+20))
+QNUM2=$(($QNUM + 20))
-zapret_custom_daemons()
+zapret_custom_daemons() {
 {
        # stop logic is managed by procd
        local MODE_OVERRIDE=nfqws
@ -13,10 +12,9 @@ zapret_custom_daemons()
        start_daemons_procd
        opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
-        run_daemon 100 $NFQWS "$opt"
+        run_daemon 100 "$NFQWS" "$opt"
 }
-zapret_custom_firewall()
+zapret_custom_firewall() {
 {
        # $1 - 1 - run, 0 - stop
        local MODE_OVERRIDE=nfqws
@ -24,15 +22,14 @@ zapret_custom_firewall()
        local first_packet_only="$ipt_connbytes 1:1"
        local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
-        zapret_do_firewall_rules_ipt $1
+        zapret_do_firewall_rules_ipt "$1"
        f='-p udp -m length --length 109:407 -m u32 --u32'
        uf4='0>>22&0x3C@8>>16=0x6431'
        uf6='48>>16=0x6431'
-        fw_nfqws_post $1 "$f $uf4 $desync $first_packet_only"  "$f $uf6 $desync $first_packet_only" $QNUM2
+        fw_nfqws_post "$1" "$f $uf4 $desync $first_packet_only" "$f $uf6 $desync $first_packet_only" $QNUM2
 }
-zapret_custom_firewall_nft()
+zapret_custom_firewall_nft() {
 {
        # stop logic is not required
        local MODE_OVERRIDE=nfqws
--- a/init.d/openwrt/custom-nfqws-quic4all
+++ b/init.d/openwrt/custom-nfqws-quic4all
@ -2,10 +2,9 @@
 # need to add to config : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake"
 # NOTE : do not use TTL fooling. chromium QUIC engine breaks sessions if TTL expired in transit received
-QNUM2=$(($QNUM+10))
+QNUM2=$(($QNUM + 10))
-zapret_custom_daemons()
+zapret_custom_daemons() {
 {
 	# stop logic is managed by procd
 	local MODE_OVERRIDE=nfqws
@ -14,10 +13,9 @@ zapret_custom_daemons()
 	start_daemons_procd
 	opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
-	run_daemon 100 $NFQWS "$opt"
+	run_daemon 100 "$NFQWS" "$opt"
 }
-zapret_custom_firewall()
+zapret_custom_firewall() {
 {
 	# $1 - 1 - run, 0 - stop
 	local MODE_OVERRIDE=nfqws
@ -25,14 +23,13 @@ zapret_custom_firewall()
 	local first_packets_only="$ipt_connbytes 1:3"
 	local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
-	zapret_do_firewall_rules_ipt $1
+	zapret_do_firewall_rules_ipt "$1"
 	f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
-	fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
+	fw_nfqws_post "$1" "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
 }
-zapret_custom_firewall_nft()
+zapret_custom_firewall_nft() {
 {
 	# stop logic is not required
 	local MODE_OVERRIDE=nfqws
--- a/init.d/openwrt/custom-reuse-builtin-mode
+++ b/init.d/openwrt/custom-reuse-builtin-mode
@ -4,8 +4,7 @@ MY_TPPORT=$(($TPPORT + 1))
 MY_TPWS_OPT="--methodeol --hostcase"
 MY_DPORT=81
-zapret_custom_daemons()
+zapret_custom_daemons() {
 {
 	# stop logic is managed by procd
 	local MODE_OVERRIDE=tpws
@ -17,22 +16,20 @@ zapret_custom_daemons()
 	filter_apply_hostlist_target opt
 	run_tpws 100 "$opt"
 }
-zapret_custom_firewall()
+zapret_custom_firewall() {
 {
 	# $1 - 1 - run, 0 - stop
 	local MODE_OVERRIDE=tpws
 	local f4 f6
-	zapret_do_firewall_rules_ipt $1
+	zapret_do_firewall_rules_ipt "$1"
 	f4="-p tcp --dport $MY_DPORT"
 	f6=$f4
 	filter_apply_ipset_target f4 f6
-	fw_tpws $1 "$f4" "$f6" $MY_TPPORT
+	fw_tpws "$1" "$f4" "$f6" $MY_TPPORT
 }
-zapret_custom_firewall_nft()
+zapret_custom_firewall_nft() {
 {
 	# stop logic is not required
 	local MODE_OVERRIDE=tpws
--- a/init.d/openwrt/custom-tpws4http-nfqws4https
+++ b/init.d/openwrt/custom-tpws4http-nfqws4https
@ -1,8 +1,7 @@
 # this custom script demonstrates how to apply tpws to http and nfqws to https
 # it preserves config settings : MODE_HTTP, MODE_HTTPS, MODE_FILTER, TPWS_OPT, NFQWS_OPT_DESYNC, NFQWS_OPT_DESYNC_HTTPS
-zapret_custom_daemons()
+zapret_custom_daemons() {
 {
 	# stop logic is managed by procd
 	local opt
@ -16,11 +15,10 @@ zapret_custom_daemons()
 	[ "$MODE_HTTPS" = "1" ] && {
 		opt="--qnum=$QNUM $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTPS"
 		filter_apply_hostlist_target opt
-		run_daemon 2 $NFQWS "$opt"
+		run_daemon 2 "$NFQWS" "$opt"
 	}
 }
-zapret_custom_firewall()
+zapret_custom_firewall() {
 {
 	# $1 - 1 - run, 0 - stop
 	local f4 f6
@ -31,18 +29,17 @@ zapret_custom_firewall()
 		f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
 		f6=$f4
 		filter_apply_ipset_target f4 f6
-		fw_tpws $1 "$f4" "$f6" $TPPORT
+		fw_tpws "$1" "$f4" "$f6" "$TPPORT"
 	}
 	[ "$MODE_HTTPS" = "1" ] && {
 		f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
 		f6=$f4
 		filter_apply_ipset_target f4 f6
-		fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
+		fw_nfqws_post "$1" "$f4 $desync" "$f6 $desync" "$QNUM"
 	}
 }
-zapret_custom_firewall_nft()
+zapret_custom_firewall_nft() {
 {
 	# stop logic is not required
 	local f4 f6
@ -53,15 +50,15 @@ zapret_custom_firewall_nft()
 		f4="tcp dport {$HTTP_PORTS}"
 		f6=$f4
 		nft_filter_apply_ipset_target f4 f6
-		nft_fw_tpws "$f4" "$f6" $TPPORT
+		nft_fw_tpws "$f4" "$f6" "$TPPORT"
 	}
 	[ "$MODE_HTTPS" = "1" ] && {
 		f4="tcp dport {$HTTPS_PORTS} $first_packet_only"
 		f6=$f4
 		nft_filter_apply_ipset_target f4 f6
-		nft_fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM
+		nft_fw_nfqws_post "$f4 $desync" "$f6 $desync" "$QNUM"
 		# for modes that require incoming traffic
-		nft_fw_reverse_nfqws_rule "$f4" "$f6" $QNUM
+		nft_fw_reverse_nfqws_rule "$f4" "$f6" "$QNUM"
 	}
 }
--- a/init.d/openwrt/custom.default
+++ b/init.d/openwrt/custom.default
@ -2,8 +2,7 @@
 # use helpers from "functions" file and "zapret" init script
 # in case of upgrade keep this file only, do not modify others
-zapret_custom_daemons()
+zapret_custom_daemons() {
 {
 	# stop logic is managed by procd
 	# PLACEHOLDER
@ -13,8 +12,7 @@ zapret_custom_daemons()
 	run_daemon 1 /bin/sleep 20
 }
-zapret_custom_firewall()
+zapret_custom_firewall() {
 {
 	# $1 - 1 - run, 0 - stop
 	# PLACEHOLDER
@ -22,8 +20,7 @@ zapret_custom_firewall()
 	echo Configure iptables for required actions
 	echo Study how other sections work
 }
-zapret_custom_firewall_nft()
+zapret_custom_firewall_nft() {
 {
 	# stop logic is not required
 	# PLACEHOLDER
--- a/init.d/openwrt/functions
+++ b/init.d/openwrt/functions
@ -35,75 +35,65 @@ IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
 apply_unspecified_desync_modes
-
+# can be multiple IPv6 outgoing interfaces
-# can be multiple ipv6 outgoing interfaces
+# uplink from ISP, tunnelbroker, VPN, ...
 # uplink from isp, tunnelbroker, vpn, ...
 # want them all. who knows what's the real one that blocks sites
 # dont want any manual configuration - want to do it automatically
 # standard network_find_wan[6] return only the first
 # we use low level function from network.sh to avoid this limitation
 # it can change theoretically and stop working
-network_find_wan4_all()
+network_find_wan4_all() {
 {
 	if [ -n "$OPENWRT_WAN4" ]; then
-		eval $1="\$OPENWRT_WAN4"
+		eval "$1"="\$OPENWRT_WAN4"
 	else
 		__network_ifstatus "$1" "" "[@.route[@.target='0.0.0.0' && !@.table]].interface" "" 10 2>/dev/null && return
-		network_find_wan $1
+		network_find_wan "$1"
 	fi
 }
-network_find_wan_all()
+network_find_wan_all() {
 {
 	network_find_wan4_all "$@"
 }
-network_find_wan6_all()
+network_find_wan6_all() {
 {
 	if [ -n "$OPENWRT_WAN6" ]; then
-		eval $1="\$OPENWRT_WAN6"
+		eval "$1"="\$OPENWRT_WAN6"
 	else
 		__network_ifstatus "$1" "" "[@.route[@.target='::' && !@.table]].interface" "" 10 2>/dev/null && return
-		network_find_wan6 $1
+		network_find_wan6 "$1"
 	fi
 }
-network_find_wanX_devices()
+network_find_wanX_devices() {
 {
 	# $1 - ip version: 4 or 6
 	# $2 - variable to put result to
 	local ifaces
-	network_find_wan${1}_all ifaces
+	network_find_wan"${1}"_all ifaces
-	call_for_multiple_items network_get_device $2 "$ifaces"
+	call_for_multiple_items network_get_device "$2" "$ifaces"
 }
-
+dnat6_target() {
-dnat6_target()
+	# $1 - LAN network name
 {
 	# $1 - lan network name
 	# $2 - var to store target ip6
-	network_is_up $1 || {
+	network_is_up "$1" || {
-		[ -n "$2" ] && eval $2=''
+		[ -n "$2" ] && eval "$2"=''
 		return
 	}
 	local DEVICE
-	network_get_device DEVICE $1
+	network_get_device DEVICE "$1"
-	_dnat6_target $DEVICE $2
+	_dnat6_target "$DEVICE" "$2"
 }
-set_route_localnet()
+set_route_localnet() {
 {
 	# $1 - 1 = enable, 0 = disable
 	local DLAN
 	call_for_multiple_items network_get_device DLAN "$OPENWRT_LAN"
-	_set_route_localnet $1 $DLAN
+	_set_route_localnet "$1" "$DLAN"
 }
-
+fw_nfqws_prepost_x() {
 fw_nfqws_prepost_x()
 {
 	# $1 - 1 - add, 0 - del
 	# $2 - filter
 	# $3 - queue number
@ -111,29 +101,24 @@ fw_nfqws_prepost_x()
 	# $5 - post/pre
 	local ifaces DWAN
-	network_find_wan${4}_all ifaces
+	network_find_wan"${4}"_all ifaces
 	call_for_multiple_items network_get_device DWAN "$ifaces"
-	[ -n "$DWAN" ] && _fw_nfqws_${5}${4} $1 "$2" $3 "$(unique $DWAN)"
+	[ -n "$DWAN" ] && _fw_nfqws_"${5}"${4} "$1" "$2" "$3" "$(unique "$DWAN")"
 }
-fw_nfqws_post4()
+fw_nfqws_post4() {
-{
+	fw_nfqws_prepost_x "$1" "$2" "$3" 4 post
 	fw_nfqws_prepost_x  $1 "$2" $3 4 post
 }
-fw_nfqws_post6()
+fw_nfqws_post6() {
-{
+	fw_nfqws_prepost_x "$1" "$2" "$3" 6 post
 	fw_nfqws_prepost_x  $1 "$2" $3 6 post
 }
-fw_nfqws_pre4()
+fw_nfqws_pre4() {
-{
+	fw_nfqws_prepost_x "$1" "$2" "$3" 4 pre
 	fw_nfqws_prepost_x  $1 "$2" $3 4 pre
 }
-fw_nfqws_pre6()
+fw_nfqws_pre6() {
-{
+	fw_nfqws_prepost_x "$1" "$2" "$3" 6 pre
 	fw_nfqws_prepost_x  $1 "$2" $3 6 pre
 }
-fw_tpws_x()
+fw_tpws_x() {
 {
 	# $1 - 1 - add, 0 - del
 	# $2 - filter
 	# $3 - tpws port
@ -143,102 +128,88 @@ fw_tpws_x()
 	call_for_multiple_items network_get_device DLAN "$OPENWRT_LAN"
-	network_find_wan${4}_all ifaces
+	network_find_wan"${4}"_all ifaces
 	call_for_multiple_items network_get_device DWAN "$ifaces"
-	[ -n "$DWAN" ] && _fw_tpws${4} $1 "$2" $3 "$DLAN" "$(unique $DWAN)"
+	[ -n "$DWAN" ] && _fw_tpws"${4}" "$1" "$2" "$3" "$DLAN" "$(unique "$DWAN")"
 }
-fw_tpws4()
+fw_tpws4() {
-{
+	fw_tpws_x "$1" "$2" "$3" 4
 	fw_tpws_x $1 "$2" $3 4
 }
-fw_tpws6()
+fw_tpws6() {
-{
+	fw_tpws_x "$1" "$2" "$3" 6
 	fw_tpws_x $1 "$2" $3 6
 }
-
+create_ipset() {
 create_ipset()
 {
 	echo "Creating ip list table (firewall type $FWTYPE)"
 	"$IPSET_CR" "$@"
 }
-list_nfqws_rules()
+list_nfqws_rules() {
-{
+	# $1 = '' for IPv4, '6' for IPv6
-	# $1 = '' for ipv4, '6' for ipv6
+	ip"$1"tables -S POSTROUTING -t mangle |
-	ip$1tables -S POSTROUTING -t mangle | \
+		grep -E "NFQUEUE --queue-num $QNUM --queue-bypass|NFQUEUE --queue-num $(($QNUM + 1)) --queue-bypass|NFQUEUE --queue-num $(($QNUM + 2)) --queue-bypass|NFQUEUE --queue-num $(($QNUM + 3)) --queue-bypass|NFQUEUE --queue-num $(($QNUM + 10)) --queue-bypass|NFQUEUE --queue-num $(($QNUM + 11)) --queue-bypass" |
 		grep -E "NFQUEUE --queue-num $QNUM --queue-bypass|NFQUEUE --queue-num $(($QNUM+1)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+2)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+3)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+10)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+11)) --queue-bypass" | \
 		sed -re 's/^-A POSTROUTING (.*) -j NFQUEUE.*$/\1/' -e "s/-m mark ! --mark $DESYNC_MARK\/$DESYNC_MARK//"
 }
-apply_flow_offloading_enable_rule()
+apply_flow_offloading_enable_rule() {
-{
+	# $1 = '' for IPv4, '6' for IPv6
 	# $1 = '' for ipv4, '6' for ipv6
 	local i off='-j FLOWOFFLOAD'
 	[ "$FLOWOFFLOAD" = "hardware" ] && off="$off --hw"
 	i="forwarding_rule_zapret -m comment --comment zapret_traffic_offloading_enable -m conntrack --ctstate RELATED,ESTABLISHED $off"
-	echo enabling ipv${1:-4} flow offloading : $i
+	echo enabling ipv"${1:-4}" flow offloading : "$i"
-	ip$1tables -A $i
+	ip"$1"tables -A "$i"
 }
-apply_flow_offloading_exempt_rule()
+apply_flow_offloading_exempt_rule() {
-{
+	# $1 = '' for IPv4, '6' for IPv6
 	# $1 = '' for ipv4, '6' for ipv6
 	local i v
 	v=$1
 	shift
 	i="forwarding_rule_zapret $@ -m comment --comment zapret_traffic_offloading_exemption -j RETURN"
-	echo applying ipv${v:-4} flow offloading exemption : $i
+	echo applying ipv"${v:-4}" flow offloading exemption : "$i"
-	ip${v}tables -A $i
+	ip"${v}"tables -A "$i"
 }
-flow_offloading_unexempt_v()
+flow_offloading_unexempt_v() {
-{
+	# $1 = '' for IPv4, '6' for IPv6
 	# $1 = '' for ipv4, '6' for ipv6
 	local DWAN
-	network_find_wanX_devices ${1:-4} DWAN
+	network_find_wanX_devices "${1:-4}" DWAN
-	for i in $DWAN; do ipt$1_del FORWARD -o $i -j forwarding_rule_zapret ; done
+	for i in $DWAN; do ipt"$1"_del FORWARD -o "$i" -j forwarding_rule_zapret; done
-	ip$1tables -F forwarding_rule_zapret 2>/dev/null
+	ip"$1"tables -F forwarding_rule_zapret 2>/dev/null
-	ip$1tables -X forwarding_rule_zapret 2>/dev/null
+	ip"$1"tables -X forwarding_rule_zapret 2>/dev/null
 }
-flow_offloading_exempt_v()
+flow_offloading_exempt_v() {
-{
+	# $1 = '' for IPv4, '6' for IPv6
-	# $1 = '' for ipv4, '6' for ipv6
+	is_ipt_flow_offload_avail "$1" || return 0
 	is_ipt_flow_offload_avail $1 || return 0
-	flow_offloading_unexempt_v $1
+	flow_offloading_unexempt_v "$1"
 	[ "$FLOWOFFLOAD" = 'software' -o "$FLOWOFFLOAD" = 'hardware' ] && {
-		ip$1tables -N forwarding_rule_zapret
+		ip"$1"tables -N forwarding_rule_zapret
 		# remove outgoing interface
-		list_nfqws_rules $1 | sed -re 's/-o +[^ ]+//g' |
+		list_nfqws_rules "$1" | sed -re 's/-o +[^ ]+//g' |
 			while read rule; do
-			apply_flow_offloading_exempt_rule "$1" $rule
+				apply_flow_offloading_exempt_rule "$1" "$rule"
 			done
-		apply_flow_offloading_enable_rule $1
+		apply_flow_offloading_enable_rule "$1"
 		# only outgoing to WAN packets trigger flow offloading
 		local DWAN
-		network_find_wanX_devices ${1:-4} DWAN
+		network_find_wanX_devices "${1:-4}" DWAN
-		for i in $DWAN; do ipt$1 FORWARD -o $i -j forwarding_rule_zapret; done
+		for i in $DWAN; do ipt"$1" FORWARD -o "$i" -j forwarding_rule_zapret; done
 	}
 	return 0
 }
-flow_offloading_exempt()
+flow_offloading_exempt() {
 {
 	[ "$DISABLE_IPV4" = "1" ] || flow_offloading_exempt_v
 	[ "$DISABLE_IPV6" = "1" ] || flow_offloading_exempt_v 6
 }
-flow_offloading_unexempt()
+flow_offloading_unexempt() {
 {
 	[ "$DISABLE_IPV4" = "1" ] || flow_offloading_unexempt_v
 	[ "$DISABLE_IPV6" = "1" ] || flow_offloading_unexempt_v 6
 }
-
+nft_fill_ifsets_overload() {
 nft_fill_ifsets_overload()
 {
 	local ifaces DLAN DWAN DWAN6 PDLAN PDWAN PDWAN6
 	call_for_multiple_items network_get_device DLAN "$OPENWRT_LAN"
@ -255,29 +226,23 @@ nft_fill_ifsets_overload()
 	nft_fill_ifsets "$DLAN" "$DWAN" "$DWAN6" "$PDLAN" "$PDWAN" "$PDWAN6"
 }
-nft_fw_tpws4()
+nft_fw_tpws4() {
-{
+	_nft_fw_tpws4 "$1" "$2" always_apply_wan_filter
 	_nft_fw_tpws4 "$1" $2 always_apply_wan_filter
 }
-nft_fw_tpws6()
+nft_fw_tpws6() {
 {
 	local DLAN
 	call_for_multiple_items network_get_device DLAN "$OPENWRT_LAN"
-	_nft_fw_tpws6 "$1" $2 "$DLAN" always_apply_wan_filter
+	_nft_fw_tpws6 "$1" "$2" "$DLAN" always_apply_wan_filter
 }
-nft_fw_nfqws_post4()
+nft_fw_nfqws_post4() {
-{
+	_nft_fw_nfqws_post4 "$1" "$2" always_apply_wan_filter
 	_nft_fw_nfqws_post4 "$1" $2 always_apply_wan_filter
 }
-nft_fw_nfqws_post6()
+nft_fw_nfqws_post6() {
-{
+	_nft_fw_nfqws_post6 "$1" "$2" always_apply_wan_filter
 	_nft_fw_nfqws_post6 "$1" $2 always_apply_wan_filter
 }
-nft_fw_nfqws_pre4()
+nft_fw_nfqws_pre4() {
-{
+	_nft_fw_nfqws_pre4 "$1" "$2" always_apply_wan_filter
 	_nft_fw_nfqws_pre4 "$1" $2 always_apply_wan_filter
 }
-nft_fw_nfqws_pre6()
+nft_fw_nfqws_pre6() {
-{
+	_nft_fw_nfqws_pre6 "$1" "$2" always_apply_wan_filter
 	_nft_fw_nfqws_pre6 "$1" $2 always_apply_wan_filter
 }
--- a/init.d/openwrt/zapret
+++ b/init.d/openwrt/zapret
@ -33,9 +33,8 @@ fi
 . "$ZAPRET_BASE/init.d/openwrt/functions"
-
+# !!!!! in old OpenWrt 21.x- with iptables firewall rules are configured separately
-# !!!!! in old openwrt 21.x- with iptables firewall rules are configured separately
+# !!!!! in new OpenWrt >21.x with nftables firewall is configured here
 # !!!!! in new openwrt >21.x with nftables firewall is configured here
 PIDDIR=/var/run
@ -50,8 +49,7 @@ TPWS_WAIT="--bind-wait-ifup=30 --bind-wait-ip=30"
 TPWS_WAIT_SOCKS6="$TPWS_WAIT --bind-wait-ip-linklocal=30"
 TPWS_OPT_BASE6_PRE="--bind-linklocal=prefer $TPWS_WAIT --bind-wait-ip-linklocal=3"
-run_daemon()
+run_daemon() {
 {
 	# $1 - daemon string id or number. can use 1,2,3,...
 	# $2 - daemon
 	# $3 - daemon args
@ -59,13 +57,12 @@ run_daemon()
 	local DAEMONBASE="$(basename "$2")"
 	echo "Starting daemon $1: $2 $3"
 	procd_open_instance
-	procd_set_param command $2 $3
+	procd_set_param command "$2" "$3"
-	procd_set_param pidfile $PIDDIR/$DAEMONBASE$1.pid
+	procd_set_param pidfile $PIDDIR/"$DAEMONBASE"$1.pid
 	procd_close_instance
 }
-run_tpws()
+run_tpws() {
 {
 	[ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && return 0
 	local OPT="$TPWS_OPT_BASE"
@ -75,47 +72,41 @@ run_tpws()
 	[ "$DISABLE_IPV6" = "1" ] || {
 		OPT="$OPT $TPWS_OPT_BASE6"
 		for lan in $OPENWRT_LAN; do
-		    network_get_device DEVICE $lan
+			network_get_device DEVICE "$lan"
 			[ -n "$DEVICE" ] && OPT="$OPT --bind-iface6=$DEVICE $TPWS_OPT_BASE6_PRE"
 		done
 	}
-	run_daemon $1 "$TPWS" "$OPT $2"
+	run_daemon "$1" "$TPWS" "$OPT $2"
 }
-run_tpws_socks()
+run_tpws_socks() {
 {
 	[ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && return 0
 	local opt="$TPWS_OPT_BASE --socks"
 	tpws_apply_socks_binds opt
-	run_daemon $1 "$TPWS" "$opt $2"
+	run_daemon "$1" "$TPWS" "$opt $2"
 }
-stop_tpws()
+stop_tpws() {
-{
+	stop_daemon "$1" "$TPWS"
 	stop_daemon $1 "$TPWS"
 }
-
+tpws_apply_socks_binds() {
 tpws_apply_socks_binds()
 {
 	local o
 	[ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1"
 	[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-addr=::1"
 	for lan in $OPENWRT_LAN; do
-	    network_get_device DEVICE $lan
+		network_get_device DEVICE "$lan"
 		[ -n "$DEVICE" ] || continue
 		[ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$DEVICE $TPWS_WAIT"
 		[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$DEVICE --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
 	done
-	eval $1="\"\$$1 $o\""
+	eval "$1"="\"\$$1 $o\""
 }
-
+start_daemons_procd() {
 start_daemons_procd()
 {
 	local opt qn qns qn6 qns6
 	case "${MODE_OVERRIDE:-$MODE}" in
@ -165,54 +156,44 @@ start_daemons_procd()
 		}
 		;;
 	custom)
-	    		existf zapret_custom_daemons && zapret_custom_daemons $1
+		existf zapret_custom_daemons && zapret_custom_daemons "$1"
 		;;
 	esac
 	return 0
 }
-start_daemons()
+start_daemons() {
 {
 	rc_procd start_daemons_procd "$@"
 }
-stop_daemons()
+stop_daemons() {
-{
+	procd_kill "$(basename "${basescript:-$initscript}")" "$1"
 	procd_kill "$(basename ${basescript:-$initscript})" "$1"
 }
-restart_daemons()
+restart_daemons() {
 {
 	stop_daemons
 	start_daemons
 }
-start_fw()
+start_fw() {
 {
 	zapret_apply_firewall
 }
-stop_fw()
+stop_fw() {
 {
 	zapret_unapply_firewall
 }
-restart_fw()
+restart_fw() {
 {
 	stop_fw
 	start_fw
 }
-reload_ifsets()
+reload_ifsets() {
 {
 	zapret_reload_ifsets
 }
-list_ifsets()
+list_ifsets() {
 {
 	zapret_list_ifsets
 }
-list_table()
+list_table() {
 {
 	zapret_list_table
 }
-start_service()
+start_service() {
 {
 	start_daemons_procd
 	[ "$INIT_APPLY_FW" != "1" ] || {
 		linux_fwtype
@ -220,8 +201,7 @@ start_service()
 	}
 }
-stop_service()
+stop_service() {
 {
 	# this procedure is called from stop()
 	# stop() already stop daemons
 	[ "$INIT_APPLY_FW" != "1" ] || {
--- a/init.d/pfsense/zapret.sh
+++ b/init.d/pfsense/zapret.sh
@ -14,7 +14,8 @@ sysctl net.inet6.ip6.pfil.outbound=ipfw,pf
 sysctl net.inet6.ip6.pfil.inbound=ipfw,pf
 # required for newer pfsense versions (2.6.0 tested) to return ipfw to functional state
-pfctl -d ; pfctl -e
+pfctl -d
 pfctl -e
 # add ipfw rules and start daemon
--- a/init.d/sysv/custom-nfqws-dht4all
+++ b/init.d/sysv/custom-nfqws-dht4all
@ -1,22 +1,20 @@
 # this custom script in addition to MODE=nfqws runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
 # need to add to config : NFQWS_OPT_DESYNC_DHT="--dpi-desync=fake --dpi-desync-ttl=5"
-QNUM2=$(($QNUM+20))
+QNUM2=$(($QNUM + 20))
-zapret_custom_daemons()
+zapret_custom_daemons() {
 {
        # stop logic is managed by procd
        local MODE_OVERRIDE=nfqws
        local opt
-        zapret_do_daemons $1
+        zapret_do_daemons "$1"
        opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
-	do_nfqws $1 100 "$opt"
+        do_nfqws "$1" 100 "$opt"
 }
-zapret_custom_firewall()
+zapret_custom_firewall() {
 {
        # $1 - 1 - run, 0 - stop
        local MODE_OVERRIDE=nfqws
@ -24,16 +22,15 @@ zapret_custom_firewall()
        local first_packet_only="$ipt_connbytes 1:1"
        local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
-        zapret_do_firewall_rules_ipt $1
+        zapret_do_firewall_rules_ipt "$1"
        f='-p udp -m length --length 109:407 -m u32 --u32'
        uf4='0>>22&0x3C@8>>16=0x6431'
        uf6='48>>16=0x6431'
-        fw_nfqws_post $1 "$f $uf4 $desync $first_packet_only"  "$f $uf6 $desync $first_packet_only" $QNUM2
+        fw_nfqws_post "$1" "$f $uf4 $desync $first_packet_only" "$f $uf6 $desync $first_packet_only" $QNUM2
 }
-zapret_custom_firewall_nft()
+zapret_custom_firewall_nft() {
 {
        # stop logic is not required
        local MODE_OVERRIDE=nfqws
@ -46,4 +43,3 @@ zapret_custom_firewall_nft()
        f="meta length 109-407 meta l4proto udp @th,64,16 0x6431"
        nft_fw_nfqws_post "$f $desync $first_packet_only" "$f $desync $first_packet_only" $QNUM2
 }
--- a/init.d/sysv/custom-nfqws-quic4all
+++ b/init.d/sysv/custom-nfqws-quic4all
@ -2,22 +2,20 @@
 # need to add to config : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake"
 # NOTE : do not use TTL fooling. chromium QUIC engine breaks sessions if TTL expired in transit received
-QNUM2=$(($QNUM+10))
+QNUM2=$(($QNUM + 10))
-zapret_custom_daemons()
+zapret_custom_daemons() {
 {
 	# $1 - 1 - run, 0 - stop
 	local MODE_OVERRIDE=nfqws
 	local opt
-	zapret_do_daemons $1
+	zapret_do_daemons "$1"
 	opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
-	do_nfqws $1 100 "$opt"
+	do_nfqws "$1" 100 "$opt"
 }
-zapret_custom_firewall()
+zapret_custom_firewall() {
 {
 	# $1 - 1 - run, 0 - stop
 	local MODE_OVERRIDE=nfqws
@ -25,14 +23,13 @@ zapret_custom_firewall()
 	local first_packets_only="$ipt_connbytes 1:3"
 	local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
-	zapret_do_firewall_rules_ipt $1
+	zapret_do_firewall_rules_ipt "$1"
 	f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
-	fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
+	fw_nfqws_post "$1" "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
 }
-zapret_custom_firewall_nft()
+zapret_custom_firewall_nft() {
 {
 	# stop logic is not required
 	local MODE_OVERRIDE=nfqws
--- a/init.d/sysv/custom-reuse-builtin-mode
+++ b/init.d/sysv/custom-reuse-builtin-mode
@ -4,35 +4,32 @@ MY_TPPORT=$(($TPPORT + 1))
 MY_TPWS_OPT="--methodeol --hostcase"
 MY_DPORT=81
-zapret_custom_daemons()
+zapret_custom_daemons() {
 {
 	# $1 - 1 - run, 0 - stop
 	local MODE_OVERRIDE=tpws
 	local opt
-	zapret_do_daemons $1
+	zapret_do_daemons "$1"
 	opt="--port=$MY_TPPORT $MY_TPWS_OPT"
 	filter_apply_hostlist_target opt
-	do_tpws $1 100 "$opt"
+	do_tpws "$1" 100 "$opt"
 }
-zapret_custom_firewall()
+zapret_custom_firewall() {
 {
 	# $1 - 1 - run, 0 - stop
 	local MODE_OVERRIDE=tpws
 	local f4 f6
-	zapret_do_firewall_rules_ipt $1
+	zapret_do_firewall_rules_ipt "$1"
 	f4="-p tcp --dport $MY_DPORT"
 	f6=$f4
 	filter_apply_ipset_target f4 f6
-	fw_tpws $1 "$f4" "$f6" $MY_TPPORT
+	fw_tpws "$1" "$f4" "$f6" $MY_TPPORT
 }
-zapret_custom_firewall_nft()
+zapret_custom_firewall_nft() {
 {
 	# stop logic is not required
 	local MODE_OVERRIDE=tpws
--- a/init.d/sysv/custom-tpws4http-nfqws4https
+++ b/init.d/sysv/custom-tpws4http-nfqws4https
@ -1,8 +1,7 @@
 # this custom script demonstrates how to apply tpws to http and nfqws to https
 # it preserves config settings : MODE_HTTP, MODE_HTTPS, MODE_FILTER, TPWS_OPT, NFQWS_OPT_DESYNC, NFQWS_OPT_DESYNC_HTTPS
-zapret_custom_daemons()
+zapret_custom_daemons() {
 {
 	# $1 - 1 - run, 0 - stop
 	local opt
@ -10,17 +9,16 @@ zapret_custom_daemons()
 	[ "$MODE_HTTP" = "1" ] && {
 		opt="--port=$TPPORT $TPWS_OPT"
 		filter_apply_hostlist_target opt
-		do_tpws $1 1 "$opt"
+		do_tpws "$1" 1 "$opt"
 	}
 	[ "$MODE_HTTPS" = "1" ] && {
 		opt="--qnum=$QNUM $NFQWS_OPT_DESYNC_HTTPS"
 		filter_apply_hostlist_target opt
-		do_nfqws $1 2 "$opt"
+		do_nfqws "$1" 2 "$opt"
 	}
 }
-zapret_custom_firewall()
+zapret_custom_firewall() {
 {
 	# $1 - 1 - run, 0 - stop
 	local f4 f6
@ -31,20 +29,19 @@ zapret_custom_firewall()
 		f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
 		f6=$f4
 		filter_apply_ipset_target f4 f6
-		fw_tpws $1 "$f4" "$f6" $TPPORT
+		fw_tpws "$1" "$f4" "$f6" "$TPPORT"
 	}
 	[ "$MODE_HTTPS" = "1" ] && {
 		f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
 		f6=$f4
 		filter_apply_ipset_target f4 f6
-		fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
+		fw_nfqws_post "$1" "$f4 $desync" "$f6 $desync" "$QNUM"
 		# for modes that require incoming traffic
-		fw_reverse_nfqws_rule $1 "$f4" "$f6" $QNUM
+		fw_reverse_nfqws_rule "$1" "$f4" "$f6" "$QNUM"
 	}
 }
-zapret_custom_firewall_nft()
+zapret_custom_firewall_nft() {
 {
 	# stop logic is not required
 	local f4 f6
@ -55,15 +52,15 @@ zapret_custom_firewall_nft()
 		f4="tcp dport {$HTTP_PORTS}"
 		f6=$f4
 		nft_filter_apply_ipset_target f4 f6
-		nft_fw_tpws "$f4" "$f6" $TPPORT
+		nft_fw_tpws "$f4" "$f6" "$TPPORT"
 	}
 	[ "$MODE_HTTPS" = "1" ] && {
 		f4="tcp dport {$HTTPS_PORTS} $first_packet_only"
 		f6=$f4
 		nft_filter_apply_ipset_target f4 f6
-		nft_fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM
+		nft_fw_nfqws_post "$f4 $desync" "$f6 $desync" "$QNUM"
 		# for modes that require incoming traffic
-		nft_fw_reverse_nfqws_rule "$f4" "$f6" $QNUM
+		nft_fw_reverse_nfqws_rule "$f4" "$f6" "$QNUM"
 	}
 }
--- a/init.d/sysv/custom.default
+++ b/init.d/sysv/custom.default
@ -2,8 +2,7 @@
 # use helpers from "functions" file
 # in case of upgrade keep this file only, do not modify others
-zapret_custom_daemons()
+zapret_custom_daemons() {
 {
 	# $1 - 1 - run, 0 - stop
 	# PLACEHOLDER
@ -11,10 +10,9 @@ zapret_custom_daemons()
 	echo Start daemon\(s\)
 	echo Study how other sections work
-	do_daemon $1 1 /bin/sleep 20
+	do_daemon "$1" 1 /bin/sleep 20
 }
-zapret_custom_firewall()
+zapret_custom_firewall() {
 {
 	# $1 - 1 - run, 0 - stop
 	# PLACEHOLDER
@ -23,8 +21,7 @@ zapret_custom_firewall()
 	echo Study how other sections work
 }
-zapret_custom_firewall_nft()
+zapret_custom_firewall_nft() {
 {
 	# stop logic is not required
 	# PLACEHOLDER
--- a/init.d/sysv/functions
+++ b/init.d/sysv/functions
@ -13,38 +13,34 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
 . "$ZAPRET_BASE/common/linux_fw.sh"
 . "$ZAPRET_BASE/common/list.sh"
-
+user_exists() {
-user_exists()
+	id -u "$1" >/dev/null 2>/dev/null
 {
 	id -u $1 >/dev/null 2>/dev/null
 }
-useradd_compat()
+useradd_compat() {
 {
 	# $1 - username
 	# skip for readonly systems
 	[ -w "/etc" ] && {
-		if exists useradd ; then
+		if exists useradd; then
-			useradd --no-create-home --system --shell /bin/false $1
+			useradd --no-create-home --system --shell /bin/false "$1"
-		elif is_linked_to_busybox adduser ; then
+		elif is_linked_to_busybox adduser; then
 			# some systems may miss nogroup group in /etc/group
 			# adduser fails if it's absent and no group is specified
 			addgroup nogroup 2>/dev/null
 			# busybox has special adduser syntax
-			adduser -S -H -D $1
+			adduser -S -H -D "$1"
 		elif exists adduser; then
-			adduser --no-create-home --system --disabled-login $1
+			adduser --no-create-home --system --disabled-login "$1"
 		fi
 	}
-	user_exists $1
+	user_exists "$1"
 }
-prepare_user()
+prepare_user() {
 {
 	# $WS_USER is required to prevent redirection of the traffic originating from TPWS itself
 	# otherwise infinite loop will occur
 	# also its good idea not to run tpws as root
-	user_exists $WS_USER || {
+	user_exists "$WS_USER" || {
 		# fallback to daemon if we cant add WS_USER
-		useradd_compat $WS_USER || {
+		useradd_compat "$WS_USER" || {
 			for user in daemon nobody; do
 				user_exists $user && {
 					WS_USER=$user
@ -97,72 +93,54 @@ CUSTOM_SCRIPT="$ZAPRET_BASE/init.d/sysv/custom"
 IPSET_EXCLUDE="-m set ! --match-set nozapret"
 IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
-
+dnat6_target() {
 dnat6_target()
 {
 	_dnat6_target "$@"
 }
-set_route_localnet()
+set_route_localnet() {
-{
+	_set_route_localnet "$1" "$IFACE_LAN"
 	_set_route_localnet $1 "$IFACE_LAN"
 }
-fw_nfqws_post4()
+fw_nfqws_post4() {
-{
+	_fw_nfqws_post4 "$1" "$2" "$3" "$IFACE_WAN"
 	_fw_nfqws_post4  $1 "$2" $3 "$IFACE_WAN"
 }
-fw_nfqws_post6()
+fw_nfqws_post6() {
-{
+	_fw_nfqws_post6 "$1" "$2" "$3" "${IFACE_WAN6:-$IFACE_WAN}"
 	_fw_nfqws_post6  $1 "$2" $3 "${IFACE_WAN6:-$IFACE_WAN}"
 }
-fw_nfqws_pre4()
+fw_nfqws_pre4() {
-{
+	_fw_nfqws_pre4 "$1" "$2" "$3" "$IFACE_WAN"
 	_fw_nfqws_pre4  $1 "$2" $3 "$IFACE_WAN"
 }
-fw_nfqws_pre6()
+fw_nfqws_pre6() {
-{
+	_fw_nfqws_pre6 "$1" "$2" "$3" "${IFACE_WAN6:-$IFACE_WAN}"
 	_fw_nfqws_pre6  $1 "$2" $3 "${IFACE_WAN6:-$IFACE_WAN}"
 }
-fw_tpws4()
+fw_tpws4() {
-{
+	_fw_tpws4 "$1" "$2" "$3" "$IFACE_LAN" "$IFACE_WAN"
 	_fw_tpws4 $1 "$2" $3 "$IFACE_LAN" "$IFACE_WAN"
 }
-fw_tpws6()
+fw_tpws6() {
-{
+	_fw_tpws6 "$1" "$2" "$3" "$IFACE_LAN" "${IFACE_WAN6:-$IFACE_WAN}"
 	_fw_tpws6 $1 "$2" $3 "$IFACE_LAN" "${IFACE_WAN6:-$IFACE_WAN}"
 }
-nft_fw_tpws4()
+nft_fw_tpws4() {
-{
+	_nft_fw_tpws4 "$1" "$2" "$IFACE_WAN"
 	_nft_fw_tpws4 "$1" $2 "$IFACE_WAN"
 }
-nft_fw_tpws6()
+nft_fw_tpws6() {
-{
+	_nft_fw_tpws6 "$1" "$2" "$IFACE_LAN" "${IFACE_WAN6:-$IFACE_WAN}"
 	_nft_fw_tpws6 "$1" $2 "$IFACE_LAN" "${IFACE_WAN6:-$IFACE_WAN}"
 }
-nft_fw_nfqws_post4()
+nft_fw_nfqws_post4() {
-{
+	_nft_fw_nfqws_post4 "$1" "$2" "$IFACE_WAN"
 	_nft_fw_nfqws_post4 "$1" $2 "$IFACE_WAN"
 }
-nft_fw_nfqws_post6()
+nft_fw_nfqws_post6() {
-{
+	_nft_fw_nfqws_post6 "$1" "$2" "${IFACE_WAN6:-$IFACE_WAN}"
 	_nft_fw_nfqws_post6 "$1" $2 "${IFACE_WAN6:-$IFACE_WAN}"
 }
-nft_fw_nfqws_pre4()
+nft_fw_nfqws_pre4() {
-{
+	_nft_fw_nfqws_pre4 "$1" "$2" "$IFACE_WAN"
 	_nft_fw_nfqws_pre4 "$1" $2 "$IFACE_WAN"
 }
-nft_fw_nfqws_pre6()
+nft_fw_nfqws_pre6() {
-{
+	_nft_fw_nfqws_pre6 "$1" "$2" "${IFACE_WAN6:-$IFACE_WAN}"
 	_nft_fw_nfqws_pre6 "$1" $2 "${IFACE_WAN6:-$IFACE_WAN}"
 }
-nft_fill_ifsets_overload()
+nft_fill_ifsets_overload() {
 {
 	nft_fill_ifsets "$IFACE_LAN" "$IFACE_WAN" "${IFACE_WAN6:-$IFACE_WAN}"
 }
-
+run_daemon() {
 run_daemon()
 {
 	# $1 - daemon number : 1,2,3,...
 	# $2 - daemon
 	# $3 - daemon args
@ -171,52 +149,48 @@ run_daemon()
 	local DAEMONBASE="$(basename "$2")"
 	local PIDFILE=$PIDDIR/$DAEMONBASE$1.pid
 	echo "Starting daemon $1: $2 $3"
-	if exists start-stop-daemon ; then
+	if exists start-stop-daemon; then
-		start-stop-daemon -S -p "$PIDFILE" -m -b -x "$2" -- $3
+		start-stop-daemon -S -p "$PIDFILE" -m -b -x "$2" -- "$3"
 	else
 		if [ -f "$PIDFILE" ] && pgrep -F "$PIDFILE" "$DAEMONBASE" >/dev/null; then
 			echo already running
 		else
-			"$2" $3 >/dev/null 2>/dev/null &
+			"$2" "$3" >/dev/null 2>/dev/null &
 			PID=$!
 			if [ -n "$PID" ]; then
-				echo $PID >$PIDFILE
+				echo $PID >"$PIDFILE"
 			else
-				echo could not start daemon $1 : $2 $3
+				echo could not start daemon "$1" : "$2" "$3"
 				false
 			fi
 		fi
 	fi
 }
-stop_daemon()
+stop_daemon() {
 {
 	# $1 - daemon number : 1,2,3,...
 	# $2 - daemon
 	# use $PIDDIR/$DAEMONBASE$1.pid as pidfile
 	local DAEMONBASE="$(basename "$2")"
 	local PIDFILE=$PIDDIR/$DAEMONBASE$1.pid
 	echo "Stopping daemon $1: $2"
-	if exists start-stop-daemon ; then
+	if exists start-stop-daemon; then
 		start-stop-daemon -K -p "$PIDFILE" -x "$2"
 	else
 		if [ -f "$PIDFILE" ]; then
 			read PID <"$PIDFILE"
-			kill $PID
+			kill "$PID"
 			rm -f "$PIDFILE"
 		else
-			echo no pidfile : $PIDFILE
+			echo no pidfile : "$PIDFILE"
 		fi
 	fi
 }
-do_daemon()
+do_daemon() {
 {
 	# $1 - 1 - run, 0 - stop
 	on_off_function run_daemon stop_daemon "$@"
 }
-
+do_tpws() {
 do_tpws()
 {
 	# $1 : 1 - run, 0 - stop
 	# $2 : daemon number
 	# $3 : daemon args
@ -233,10 +207,9 @@ do_tpws()
 		done
 	}
-	do_daemon $1 $2 "$TPWS" "$OPT $3"
+	do_daemon "$1" "$2" "$TPWS" "$OPT $3"
 }
-do_tpws_socks()
+do_tpws_socks() {
 {
 	# $1 : 1 - run, 0 - stop
 	# $2 : daemon number
 	# $3 : daemon args
@ -247,20 +220,18 @@ do_tpws_socks()
 	tpws_apply_socks_binds opt
-	do_daemon $1 $2 "$TPWS" "$opt $3"
+	do_daemon "$1" "$2" "$TPWS" "$opt $3"
 }
-do_nfqws()
+do_nfqws() {
 {
 	# $1 : 1 - run, 0 - stop
 	# $2 : daemon number
 	# $3 : daemon args
-	do_daemon $1 $2 "$NFQWS" "$NFQWS_OPT_BASE $3"
+	do_daemon "$1" "$2" "$NFQWS" "$NFQWS_OPT_BASE $3"
 }
-tpws_apply_socks_binds()
+tpws_apply_socks_binds() {
 {
 	local o
 	[ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1"
@ -270,19 +241,15 @@ tpws_apply_socks_binds()
 		[ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$lan $TPWS_WAIT"
 		[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$lan --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
 	done
-	eval $1="\"\$$1 $o\""
+	eval "$1"="\"\$$1 $o\""
 }
-
+create_ipset() {
 create_ipset()
 {
 	echo "Creating ip list table (firewall type $FWTYPE)"
 	"$IPSET_CR" "$@"
 }
-
+zapret_do_daemons() {
 zapret_do_daemons()
 {
 	# $1 - 1 - run, 0 - stop
 	local opt qn qns qn6 qns6
@ -291,60 +258,57 @@ zapret_do_daemons()
 	tpws)
 		opt="--port=$TPPORT $TPWS_OPT"
 		filter_apply_hostlist_target opt
-			do_tpws $1 1 "$opt"
+		do_tpws "$1" 1 "$opt"
 		;;
 	tpws-socks)
 		opt="--port=$TPPORT $TPWS_OPT"
 		filter_apply_hostlist_target opt
-			do_tpws_socks $1 1 "$opt"
+		do_tpws_socks "$1" 1 "$opt"
 		;;
 	nfqws)
 		get_nfqws_qnums qn qns qn6 qns6
 		[ -z "$qn" ] || {
 			opt="--qnum=$qn $NFQWS_OPT_DESYNC_HTTP"
 			filter_apply_hostlist_target opt
-				do_nfqws $1 1 "$opt"
+			do_nfqws "$1" 1 "$opt"
 		}
 		[ -z "$qns" ] || [ "$qns" = "$qn" ] || {
 			opt="--qnum=$qns $NFQWS_OPT_DESYNC_HTTPS"
 			filter_apply_hostlist_target opt
-				do_nfqws $1 2 "$opt"
+			do_nfqws "$1" 2 "$opt"
 		}
 		[ -z "$qn6" ] || [ "$qn6" = "$qn" ] || [ "$qn6" = "$qns" ] || {
 			opt="--qnum=$qn6 $NFQWS_OPT_DESYNC_HTTP6"
 			filter_apply_hostlist_target opt
-				do_nfqws $1 3 "$opt"
+			do_nfqws "$1" 3 "$opt"
 		}
 		[ -z "$qns6" ] || [ "$qns6" = "$qn" ] || [ "$qns6" = "$qns" ] || [ "$qns6" = "$qn6" ] || {
 			opt="--qnum=$qns6 $NFQWS_OPT_DESYNC_HTTPS6"
 			filter_apply_hostlist_target opt
-				do_nfqws $1 4 "$opt"
+			do_nfqws "$1" 4 "$opt"
 		}
 		get_nfqws_qnums_quic qn qn6
 		[ -z "$qn" ] || {
 			opt="--qnum=$qn $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
 			filter_apply_hostlist_target opt
-				do_nfqws $1 10 "$opt"
+			do_nfqws "$1" 10 "$opt"
 		}
 		[ -z "$qn6" ] || [ "$qn6" = "$qn" ] || {
 			opt="--qnum=$qn6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC6"
 			filter_apply_hostlist_target opt
-				do_nfqws $1 11 "$opt"
+			do_nfqws "$1" 11 "$opt"
 		}
 		;;
 	custom)
-	    		existf zapret_custom_daemons && zapret_custom_daemons $1
+		existf zapret_custom_daemons && zapret_custom_daemons "$1"
 		;;
 	esac
 	return 0
 }
-zapret_run_daemons()
+zapret_run_daemons() {
 {
 	zapret_do_daemons 1 "$@"
 }
-zapret_stop_daemons()
+zapret_stop_daemons() {
 {
 	zapret_do_daemons 0 "$@"
 }
--- a/init.d/sysv/zapret
+++ b/init.d/sysv/zapret
@ -15,65 +15,63 @@ ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
 NAME=zapret
 DESC=anti-zapret
-do_start()
+do_start() {
 {
 	zapret_run_daemons
 	[ "$INIT_APPLY_FW" != "1" ] || { zapret_apply_firewall; }
 }
-do_stop()
+do_stop() {
 {
 	zapret_stop_daemons
 	[ "$INIT_APPLY_FW" != "1" ] || zapret_unapply_firewall
 }
 case "$1" in
-	start)
+start)
 	do_start
 	;;
-	stop)
+stop)
 	do_stop
 	;;
-	restart)
+restart)
 	do_stop
 	do_start
 	;;
-	start-fw|start_fw)
+start-fw | start_fw)
 	zapret_apply_firewall
 	;;
-	stop-fw|stop_fw)
+stop-fw | stop_fw)
 	zapret_unapply_firewall
 	;;
-	restart-fw|restart_fw)
+restart-fw | restart_fw)
 	zapret_unapply_firewall
 	zapret_apply_firewall
 	;;
-	start-daemons|start_daemons)
+start-daemons | start_daemons)
 	zapret_run_daemons
 	;;
-	stop-daemons|stop_daemons)
+stop-daemons | stop_daemons)
 	zapret_stop_daemons
 	;;
-	restart-daemons|restart_daemons)
+restart-daemons | restart_daemons)
 	zapret_stop_daemons
 	zapret_run_daemons
 	;;
-	reload-ifsets|reload_ifsets)	
+reload-ifsets | reload_ifsets)
 	zapret_reload_ifsets
 	;;
-	list-ifsets|list_ifsets)	
+list-ifsets | list_ifsets)
 	zapret_list_ifsets
 	;;
-	list-table|list_table)	
+list-table | list_table)
 	zapret_list_table
 	;;
-  *)
+*)
 	N=/etc/init.d/$NAME
 	echo "Usage: $N {start|stop|restart|start-fw|stop-fw|restart-fw|start-daemons|stop-daemons|restart-daemons|reload-ifsets|list-ifsets|list-table}" >&2
 	exit 1
--- a/install_bin.sh
+++ b/install_bin.sh
@ -1,15 +1,17 @@
 #!/bin/sh
 EXEDIR="$(dirname "$0")"
-EXEDIR="$(cd "$EXEDIR"; pwd)"
+EXEDIR="$(
 	cd "$EXEDIR"
 	pwd
 )"
 BINS=binaries
 BINDIR="$EXEDIR/$BINS"
 ZAPRET_BASE=${ZAPRET_BASE:-"$EXEDIR"}
 . "$ZAPRET_BASE/common/base.sh"
-check_dir()
+check_dir() {
 {
 	local dir="$BINDIR/$1"
 	local exe="$dir/ip2net"
 	local out
@ -39,8 +41,7 @@ check_dir()
 }
 # link or copy executables. uncomment either ln or cp, comment other
-ccp()
+ccp() {
 {
 	local F="$(basename "$1")"
 	[ -d "$ZAPRET_BASE/$2" ] || mkdir "$ZAPRET_BASE/$2"
 	[ -f "$ZAPRET_BASE/$2/$F" ] && rm -f "$ZAPRET_BASE/$2/$F"
@ -51,49 +52,48 @@ ccp()
 UNAME=$(uname)
 unset PKTWS
 case $UNAME in
-	Linux)
+Linux)
 	ARCHLIST="my x86_64 x86 aarch64 arm mips64r2-msb mips32r1-lsb mips32r1-msb ppc"
 	PKTWS=nfqws
 	;;
-	Darwin)
+Darwin)
 	ARCHLIST="my mac64"
 	;;
-	FreeBSD)
+FreeBSD)
 	ARCHLIST="my freebsd-x64"
 	PKTWS=dvtws
 	;;
-	CYGWIN*)
+CYGWIN*)
 	UNAME=CYGWIN
 	ARCHLIST="win64"
 	PKTWS=winws
 	;;
-	*)
+*)
 	ARCHLIST="my"
 	;;
 esac
 if [ "$1" = "getarch" ]; then
-	for arch in $ARCHLIST
+	for arch in $ARCHLIST; do
 	do
 		[ -d "$BINDIR/$arch" ] || continue
-		if check_dir $arch; then
+		if check_dir "$arch"; then
-	 		echo $arch
+			echo "$arch"
 			exit 0
 		fi
 	done
 else
-	for arch in $ARCHLIST
+	for arch in $ARCHLIST; do
 	do
 		[ -d "$BINDIR/$arch" ] || continue
-		if check_dir $arch; then
+		if check_dir "$arch"; then
-			echo $arch is OK
+			echo "$arch" is OK
 			echo installing binaries ...
-			ccp $arch/ip2net ip2net
+			ccp "$arch"/ip2net ip2net
-			ccp $arch/mdig mdig
+			ccp "$arch"/mdig mdig
-			[ -n "$PKTWS" ] && ccp $arch/$PKTWS nfq
+			[ -n "$PKTWS" ] && ccp "$arch"/$PKTWS nfq
-			[ "$UNAME" = CYGWIN ] || ccp $arch/tpws tpws
+			[ "$UNAME" = CYGWIN ] || ccp "$arch"/tpws tpws
 			exit 0
 		else
-			echo $arch is NOT OK
+			echo "$arch" is NOT OK
 		fi
 	done
 	echo no compatible binaries found
--- a/install_easy.sh
+++ b/install_easy.sh
@ -3,7 +3,10 @@
 # automated script for easy installing zapret
 EXEDIR="$(dirname "$0")"
-EXEDIR="$(cd "$EXEDIR"; pwd)"
+EXEDIR="$(
 	cd "$EXEDIR"
 	pwd
 )"
 ZAPRET_BASE=${ZAPRET_BASE:-"$EXEDIR"}
 ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
 ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
@ -31,8 +34,7 @@ GET_LIST="$IPSET_DIR/get_config.sh"
 [ -n "$TPPORT" ] || TPPORT=988
-check_readonly_system()
+check_readonly_system() {
 {
 	local RO
 	echo \* checking readonly system
 	case $SYSTEM in
@ -51,8 +53,7 @@ check_readonly_system()
 	}
 }
-check_bins()
+check_bins() {
 {
 	echo \* checking executables
 	fix_perms_bin_test "$EXEDIR"
@ -66,7 +67,7 @@ check_bins()
 			arch=""
 		fi
 	}
-	if [ -n "$arch" ] ; then
+	if [ -n "$arch" ]; then
 		echo found architecture "\"$arch\""
 	elif [ -f "$EXEDIR/Makefile" ] && exists make; then
 		echo trying to compile
@ -83,17 +84,14 @@ check_bins()
 	fi
 }
-call_install_bin()
+call_install_bin() {
-{
+	sh "$EXEDIR/install_bin.sh" "$1"
 	sh "$EXEDIR/install_bin.sh" $1
 }
-get_bin_arch()
+get_bin_arch() {
 {
 	call_install_bin getarch
 }
-install_binaries()
+install_binaries() {
 {
 	echo \* installing binaries
 	call_install_bin || {
@ -102,8 +100,7 @@ install_binaries()
 	}
 }
-select_mode_mode()
+select_mode_mode() {
 {
 	local edited v vars MODES="tpws tpws-socks nfqws filter custom"
 	[ "$SYSTEM" = "macos" ] && MODES="tpws tpws-socks filter custom"
 	echo
@ -120,35 +117,33 @@ select_mode_mode()
 	esac
 	[ -n "$vars" ] && {
 		echo
-		while [ 1=1 ]; do
+		while true; do
 			for var in $vars; do
 				eval v="\$$var"
-				echo $var=\"$v\"
+				echo "$var"=\""$v"\"
 			done
 			ask_yes_no N "do you want to edit the options" || {
 				[ -n "$edited" ] && {
 					for var in $vars; do
-						write_config_var $var
+						write_config_var "$var"
 					done
 				}
 				break
 			}
-			edit_vars $vars
+			edit_vars "$vars"
 			edited=1
 			echo ..edited..
 		done
 	}
 }
-select_mode_http()
+select_mode_http() {
 {
 	[ "$MODE" != "filter" ] && [ "$MODE" != "tpws-socks" ] && {
 		echo
 		ask_yes_no_var MODE_HTTP "enable http support"
 		write_config_var MODE_HTTP
 	}
 }
-select_mode_keepalive()
+select_mode_keepalive() {
 {
 	[ "$MODE" = "nfqws" ] && [ "$MODE_HTTP" = "1" ] && {
 		echo
 		echo enable keep alive support only if DPI checks every outgoing packet for http signature
@ -157,16 +152,14 @@ select_mode_keepalive()
 		write_config_var MODE_HTTP_KEEPALIVE
 	}
 }
-select_mode_https()
+select_mode_https() {
 {
 	[ "$MODE" != "filter" ] && [ "$MODE" != "tpws-socks" ] && {
 		echo
 		ask_yes_no_var MODE_HTTPS "enable https support"
 		write_config_var MODE_HTTPS
 	}
 }
-select_mode_quic()
+select_mode_quic() {
 {
 	[ "$SUBSYS" = "keenetic" ] && {
 		echo
 		echo "WARNING ! Keenetic is not officially supported by zapret."
@ -183,16 +176,14 @@ select_mode_quic()
 		write_config_var MODE_QUIC
 	}
 }
-select_mode_filter()
+select_mode_filter() {
 {
 	local filter="none ipset hostlist autohostlist"
 	[ "$MODE" = "tpws-socks" ] && filter="none hostlist autohostlist"
 	echo
 	echo select filtering :
 	ask_list MODE_FILTER "$filter" none && write_config_var MODE_FILTER
 }
-select_mode()
+select_mode() {
 {
 	select_mode_mode
 	select_mode_iface
 	select_mode_http
@ -202,14 +193,13 @@ select_mode()
 	select_mode_filter
 }
-select_getlist()
+select_getlist() {
 {
 	if [ "$MODE_FILTER" = "ipset" -o "$MODE_FILTER" = "hostlist" ]; then
 		local D=N
 		[ -n "$GETLIST" ] && D=Y
 		echo
 		if ask_yes_no $D "do you want to auto download ip/host list"; then
-			if [ "$MODE_FILTER" = "hostlist" ] ; then
+			if [ "$MODE_FILTER" = "hostlist" ]; then
 				GETLISTS="get_antizapret_domains.sh get_reestr_resolvable_domains.sh get_reestr_hostlist.sh"
 				GETLIST_DEF="get_antizapret_domains.sh"
 			else
@ -224,14 +214,12 @@ select_getlist()
 	write_config_var GETLIST
 }
-ask_config()
+ask_config() {
 {
 	select_mode
 	select_getlist
 }
-ask_config_offload()
+ask_config_offload() {
 {
 	[ "$FWTYPE" = nftables ] || is_ipt_flow_offload_avail && {
 		echo
 		echo flow offloading can greatly increase speed on slow devices and high speed links \(usually 150+ mbits\)
@ -257,15 +245,14 @@ ask_config_offload()
 	}
 }
-ask_config_tmpdir()
+ask_config_tmpdir() {
 {
 	# ask tmpdir change for low ram systems with enough free disk space
 	[ -n "$GETLIST" ] && [ $(get_free_space_mb "$EXEDIR/tmp") -ge 128 ] && [ $(get_ram_mb) -le 400 ] && {
 		echo
 		echo /tmp in openwrt is tmpfs. on low RAM systems there may be not enough RAM to store downloaded files
 		echo default tmpfs has size of 50% RAM
-		echo "RAM  : $(get_ram_mb) Mb"
+		echo "RAM: $(get_ram_mb) Mb"
-		echo "DISK : $(get_free_space_mb) Mb"
+		echo "DISK: $(get_free_space_mb) Mb"
 		echo select temp file location
 		[ -z "$TMPDIR" ] && TMPDIR=/tmp
 		ask_list TMPDIR "/tmp $EXEDIR/tmp" && {
@ -275,13 +262,11 @@ ask_config_tmpdir()
 	}
 }
-nft_flow_offload()
+nft_flow_offload() {
 {
 	[ "$UNAME" = Linux -a "$FWTYPE" = nftables -a "$MODE" != "tpws-socks" ] && [ "$FLOWOFFLOAD" = software -o "$FLOWOFFLOAD" = hardware ]
 }
-ask_iface()
+ask_iface() {
 {
 	# $1 - var to ask
 	# $2 - additional name for empty string synonim
@ -297,31 +282,28 @@ ask_iface()
 		ifs="$(ls /sys/class/net)"
 		;;
 	esac
-	[ -z "$def" ] && eval $1="$2"
+	[ -z "$def" ] && eval "$1"="$2"
-	ask_list $1 "$i0$ifs" && {
+	ask_list "$1" "$i0$ifs" && {
 		eval new="\$$1"
-		[ "$new" = "$2" ] && eval $1=""
+		[ "$new" = "$2" ] && eval "$1"=""
-		write_config_var $1
+		write_config_var "$1"
 	}
 }
-ask_iface_lan()
+ask_iface_lan() {
 {
 	echo LAN interface :
 	local opt
 	nft_flow_offload || opt=NONE
 	ask_iface IFACE_LAN $opt
 }
-ask_iface_wan()
+ask_iface_wan() {
 {
 	echo WAN interface :
 	local opt
 	nft_flow_offload || opt=ANY
 	ask_iface IFACE_WAN $opt
 }
-select_mode_iface()
+select_mode_iface() {
-{
+	# OpenWrt has its own interface management scheme
 	# openwrt has its own interface management scheme
 	# filter just creates ip tables, no daemons involved
 	# nfqws sits in POSTROUTING chain and unable to filter by incoming interface
 	# tpws redirection works in PREROUTING chain
@ -333,8 +315,8 @@ select_mode_iface()
 	case "$MODE" in
 	tpws-socks)
-			echo "select LAN interface to allow socks access from your LAN. select NONE for localhost only."
+		echo "select LAN interface to allow SOCKS access from your LAN. select NONE for localhost only."
-			echo "expect socks on tcp port $TPPORT"
+		echo "expect SOCKS on tcp port $TPPORT"
 		ask_iface_lan
 		;;
 	tpws)
@ -382,13 +364,12 @@ select_mode_iface()
 	esac
 }
-default_files()
+default_files() {
 {
 	# $1 - ro location
 	# $2 - rw location (can be equal to $1)
 	[ -d "$2/ipset" ] || mkdir -p "$2/ipset"
 	[ -f "$2/ipset/zapret-hosts-user-exclude.txt" ] || cp "$1/ipset/zapret-hosts-user-exclude.txt.default" "$2/ipset/zapret-hosts-user-exclude.txt"
-	[ -f "$2/ipset/zapret-hosts-user.txt" ] || echo nonexistent.domain >> "$2/ipset/zapret-hosts-user.txt"
+	[ -f "$2/ipset/zapret-hosts-user.txt" ] || echo nonexistent.domain >>"$2/ipset/zapret-hosts-user.txt"
 	[ -f "$2/ipset/zapret-hosts-user-ipban.txt" ] || touch "$2/ipset/zapret-hosts-user-ipban.txt"
 	for dir in openwrt sysv macos; do
 		[ -d "$1/init.d/$dir" ] && {
@ -397,15 +378,13 @@ default_files()
 		}
 	done
 }
-copy_all()
+copy_all() {
 {
 	local dir
 	cp -R "$1" "$2"
 	[ -d "$2/tmp" ] || mkdir "$2/tmp"
 }
-copy_openwrt()
+copy_openwrt() {
 {
 	local ARCH="$(get_bin_arch)"
 	local BINDIR="$1/binaries/$ARCH"
 	local file
@ -420,13 +399,11 @@ copy_openwrt()
 	cp "$BINDIR/tpws" "$BINDIR/nfqws" "$BINDIR/ip2net" "$BINDIR/mdig" "$2/binaries/$ARCH"
 }
-fix_perms_bin_test()
+fix_perms_bin_test() {
 {
 	[ -d "$1" ] || return
 	find "$1/binaries" -name ip2net ! -perm -111 -exec chmod +x {} \;
 }
-fix_perms()
+fix_perms() {
 {
 	[ -d "$1" ] || return
 	find "$1" -type d -exec chmod 755 {} \;
 	find "$1" -type f -exec chmod 644 {} \;
@ -437,74 +414,69 @@ fix_perms()
 		;;
 	*)
 		chow=root:wheel
 		;;
 	esac
 	chown -R $chow "$1"
 	find "$1/binaries" '(' -name tpws -o -name dvtws -o -name nfqws -o -name ip2net -o -name mdig ')' -exec chmod 755 {} \;
 	for f in \
-install_bin.sh \
+		install_bin.sh \
-blockcheck.sh \
+		blockcheck.sh \
-install_easy.sh \
+		install_easy.sh \
-install_prereq.sh \
+		install_prereq.sh \
-files/huawei/E8372/zapret-ip \
+		files/huawei/E8372/zapret-ip \
-files/huawei/E8372/unzapret-ip \
+		files/huawei/E8372/unzapret-ip \
-files/huawei/E8372/run-zapret-hostlist \
+		files/huawei/E8372/run-zapret-hostlist \
-files/huawei/E8372/unzapret \
+		files/huawei/E8372/unzapret \
-files/huawei/E8372/zapret \
+		files/huawei/E8372/zapret \
-files/huawei/E8372/run-zapret-ip \
+		files/huawei/E8372/run-zapret-ip \
-ipset/get_exclude.sh \
+		ipset/get_exclude.sh \
-ipset/clear_lists.sh \
+		ipset/clear_lists.sh \
-ipset/get_antifilter_ipresolve.sh \
+		ipset/get_antifilter_ipresolve.sh \
-ipset/get_reestr_resolvable_domains.sh \
+		ipset/get_reestr_resolvable_domains.sh \
-ipset/get_config.sh \
+		ipset/get_config.sh \
-ipset/get_reestr_preresolved.sh \
+		ipset/get_reestr_preresolved.sh \
-ipset/get_user.sh \
+		ipset/get_user.sh \
-ipset/get_antifilter_allyouneed.sh \
+		ipset/get_antifilter_allyouneed.sh \
-ipset/get_reestr_resolve.sh \
+		ipset/get_reestr_resolve.sh \
-ipset/create_ipset.sh \
+		ipset/create_ipset.sh \
-ipset/get_reestr_hostlist.sh \
+		ipset/get_reestr_hostlist.sh \
-ipset/get_ipban.sh \
+		ipset/get_ipban.sh \
-ipset/get_antifilter_ipsum.sh \
+		ipset/get_antifilter_ipsum.sh \
-ipset/get_antifilter_ipsmart.sh \
+		ipset/get_antifilter_ipsmart.sh \
-ipset/get_antizapret_domains.sh \
+		ipset/get_antizapret_domains.sh \
-ipset/get_reestr_preresolved_smart.sh \
+		ipset/get_reestr_preresolved_smart.sh \
-ipset/get_antifilter_ip.sh \
+		ipset/get_antifilter_ip.sh \
-init.d/pfsense/zapret.sh \
+		init.d/pfsense/zapret.sh \
-init.d/macos/zapret \
+		init.d/macos/zapret \
-init.d/runit/zapret/run \
+		init.d/runit/zapret/run \
-init.d/runit/zapret/finish \
+		init.d/runit/zapret/finish \
-init.d/openrc/zapret \
+		init.d/openrc/zapret \
-init.d/sysv/zapret \
+		init.d/sysv/zapret \
-init.d/openwrt/zapret \
+		init.d/openwrt/zapret \
-uninstall_easy.sh \
+		uninstall_easy.sh; do chmod 755 "$1/$f" 2>/dev/null; done
 	; do chmod 755 "$1/$f" 2>/dev/null ; done
 }
-
+_backup_settings() {
 _backup_settings()
 {
 	local i=0
 	for f in "$@"; do
 		[ -f "$ZAPRET_TARGET/$f" ] && cp -f "$ZAPRET_TARGET/$f" "/tmp/zapret-bkp-$i"
-		i=$(($i+1))
+		i=$(($i + 1))
 	done
 }
-_restore_settings()
+_restore_settings() {
 {
 	local i=0
 	for f in "$@"; do
 		[ -f "/tmp/zapret-bkp-$i" ] && mv -f "/tmp/zapret-bkp-$i" "$ZAPRET_TARGET/$f" || rm -f "/tmp/zapret-bkp-$i"
-		i=$(($i+1))
+		i=$(($i + 1))
 	done
 }
-backup_restore_settings()
+backup_restore_settings() {
 {
 	# $1 - 1 - backup, 0 - restore
-	local mode=$1
+	local mode="$1"
-	on_off_function _backup_settings _restore_settings $mode "config" "init.d/sysv/custom" "init.d/openwrt/custom" "init.d/macos/custom" "ipset/zapret-hosts-user.txt" "ipset/zapret-hosts-user-exclude.txt" "ipset/zapret-hosts-user-ipban.txt" "ipset/zapret-hosts-auto.txt"
+	on_off_function _backup_settings _restore_settings "$mode" "config" "init.d/sysv/custom" "init.d/openwrt/custom" "init.d/macos/custom" "ipset/zapret-hosts-user.txt" "ipset/zapret-hosts-user-exclude.txt" "ipset/zapret-hosts-user-ipban.txt" "ipset/zapret-hosts-auto.txt"
 }
-check_location()
+check_location() {
 {
 	# $1 - copy function
 	echo \* checking location
@ -514,13 +486,13 @@ check_location()
 		default_files "$ZAPRET_TARGET" "$ZAPRET_RW"
 	else
 		echo
-		echo easy install is supported only from default location : $ZAPRET_TARGET
+		echo easy install is supported only from default location: "$ZAPRET_TARGET"
-		echo currently its run from $EXEDIR
+		echo currently its run from "$EXEDIR"
 		if ask_yes_no N "do you want the installer to copy it for you"; then
 			local keep=N
 			if [ -d "$ZAPRET_TARGET" ]; then
 				echo
-				echo installer found existing $ZAPRET_TARGET
+				echo installer found existing "$ZAPRET_TARGET"
 				echo directory needs to be replaced. config and custom scripts can be kept or replaced with clean version
 				if ask_yes_no N "do you want to delete all files there and copy this version"; then
 					echo
@ -530,7 +502,7 @@ check_location()
 					fi
 					rm -r "$ZAPRET_TARGET"
 				else
-					echo refused to overwrite $ZAPRET_TARGET. exiting
+					echo refused to overwrite "$ZAPRET_TARGET". exiting
 					exitp 3
 				fi
 			fi
@ -539,22 +511,20 @@ check_location()
 			$1 "$EXEDIR" "$ZAPRET_TARGET"
 			fix_perms "$ZAPRET_TARGET"
 			[ "$keep" = "Y" ] && backup_restore_settings 0
-			echo relaunching itself from $ZAPRET_TARGET
+			echo relaunching itself from "$ZAPRET_TARGET"
 			exec "$ZAPRET_TARGET/$(basename "$0")"
 		else
 			echo copying aborted. exiting
 			exitp 3
 		fi
 	fi
-	echo running from $EXEDIR
+	echo running from "$EXEDIR"
 }
-
+service_install_systemd() {
 service_install_systemd()
 {
 	echo \* installing zapret service
-	if [ -w "$SYSTEMD_SYSTEM_DIR" ] ; then
+	if [ -w "$SYSTEMD_SYSTEM_DIR" ]; then
 		rm -f "$INIT_SCRIPT"
 		ln -fs "$EXEDIR/init.d/systemd/zapret.service" "$SYSTEMD_SYSTEM_DIR"
 		"$SYSTEMCTL" daemon-reload
@ -567,11 +537,10 @@ service_install_systemd()
 	fi
 }
-timer_install_systemd()
+timer_install_systemd() {
 {
 	echo \* installing zapret-list-update timer
-	if [ -w "$SYSTEMD_SYSTEM_DIR" ] ; then
+	if [ -w "$SYSTEMD_SYSTEM_DIR" ]; then
 		"$SYSTEMCTL" disable zapret-list-update.timer
 		"$SYSTEMCTL" stop zapret-list-update.timer
 		ln -fs "$EXEDIR/init.d/systemd/zapret-list-update.service" "$SYSTEMD_SYSTEM_DIR"
@ -590,8 +559,7 @@ timer_install_systemd()
 	fi
 }
-download_list()
+download_list() {
 {
 	[ -x "$GET_LIST" ] && {
 		echo \* downloading blocked ip/host list
@ -601,27 +569,22 @@ download_list()
 	}
 }
-
+dnstest() {
-dnstest()
+	# $1 - DNS server. empty for system resolver
-{
+	nslookup w3.org "$1" >/dev/null 2>/dev/null
 	# $1 - dns server. empty for system resolver
 	nslookup w3.org $1 >/dev/null 2>/dev/null
 }
-check_dns()
+check_dns() {
 {
 	echo \* checking DNS
 	dnstest || {
-		echo -- DNS is not working. It's either misconfigured or blocked or you don't have inet access.
+		echo "-- DNS is not working. It's either misconfigured or blocked or you don't have inet access."
 		return 1
 	}
 	echo system DNS is working
 	return 0
 }
-
+install_systemd() {
 install_systemd()
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret"
 	check_bins
@ -646,8 +609,7 @@ install_systemd()
 	service_start_systemd
 }
-_install_sysv()
+_install_sysv() {
 {
 	# $1 - install init script
 	check_bins
@ -671,21 +633,17 @@ _install_sysv()
 	service_start_sysv
 }
-install_sysv()
+install_sysv() {
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret"
 	_install_sysv install_sysv_init
 }
-install_openrc()
+install_openrc() {
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/openrc/zapret"
 	_install_sysv install_openrc_init
 }
-
+install_linux() {
 install_linux()
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret"
 	check_bins
@ -706,14 +664,12 @@ install_linux()
 	echo
 	echo '!!! WARNING. YOUR SETUP IS INCOMPLETE !!!'
-	echo you must manually add to auto start : $INIT_SCRIPT_SRC start
+	echo you must manually add to auto start: "$INIT_SCRIPT_SRC" start
 	echo make sure it\'s executed after your custom/firewall iptables configuration
 	echo "if your system uses sysv init : ln -fs $INIT_SCRIPT_SRC /etc/init.d/zapret ; chkconfig zapret on"
 }
-
+deoffload_openwrt_firewall() {
 deoffload_openwrt_firewall()
 {
 	echo \* checking flow offloading
 	[ "$FWTYPE" = "nftables" ] || is_ipt_flow_offload_avail || {
@ -723,7 +679,7 @@ deoffload_openwrt_firewall()
 	local fo=$(uci -q get firewall.@defaults[0].flow_offloading)
-	if [ "$fo" = "1" ] ; then
+	if [ "$fo" = "1" ]; then
 		local mod=0
 		printf "system wide flow offloading detected. "
 		case $FLOWOFFLOAD in
@ -733,7 +689,7 @@ deoffload_openwrt_firewall()
 				uci set firewall.@defaults[0].flow_offloading=0
 				mod=1
 			else
-					if [ "$MODE" = "custom" ] ; then
+				if [ "$MODE" = "custom" ]; then
 					echo custom mode selected !!! only you can decide whether flow offloading is compatible
 				else
 					echo its compatible with selected options. not disabling
@ -744,6 +700,7 @@ deoffload_openwrt_firewall()
 			echo zapret will disable system wide offloading setting and add selective rules if required
 			uci set firewall.@defaults[0].flow_offloading=0
 			mod=1
 			;;
 		esac
 		[ "$mod" = "1" ] && uci commit firewall
 	else
@ -752,10 +709,7 @@ deoffload_openwrt_firewall()
 }
-
+install_openwrt() {
 install_openwrt()
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/openwrt/zapret"
 	FW_SCRIPT_SRC="$EXEDIR/init.d/openwrt/firewall.zapret"
 	OPENWRT_FW_INCLUDE=/etc/firewall.zapret
@ -768,7 +722,7 @@ install_openwrt()
 	check_dns
 	check_virt
-	local FWTYPE_OLD=$FWTYPE
+	local FWTYPE_OLD="$FWTYPE"
 	echo \* stopping current firewall rules/daemons
 	"$INIT_SCRIPT_SRC" stop_fw
@ -798,36 +752,30 @@ install_openwrt()
 	restart_openwrt_firewall
 }
-
+remove_pf_zapret_hooks() {
 remove_pf_zapret_hooks()
 {
 	echo \* removing zapret PF hooks
 	pf_anchors_clear
 }
-macos_fw_reload_trigger_clear()
+macos_fw_reload_trigger_clear() {
 {
 	case "$MODE" in
-		tpws|tpws-socks|custom)
+	tpws | tpws-socks | custom)
 		LISTS_RELOAD=
 		write_config_var LISTS_RELOAD
 		;;
 	esac
 }
-macos_fw_reload_trigger_set()
+macos_fw_reload_trigger_set() {
 {
 	case "$MODE" in
-		tpws|custom)
+	tpws | custom)
 		LISTS_RELOAD="$INIT_SCRIPT_SRC reload-fw-tables"
 		write_config_var LISTS_RELOAD
 		;;
 	esac
 }
-install_macos()
+install_macos() {
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/macos/zapret"
 	# compile before root
@ -852,7 +800,6 @@ install_macos()
 	service_start_macos
 }
 # build binaries, do not use precompiled
 [ "$1" = "make" ] && FORCE_BUILD=1
@ -864,22 +811,21 @@ check_system
 [ "$SYSTEM" = "macos" ] && . "$EXEDIR/init.d/macos/functions"
 case $SYSTEM in
-	systemd)
+systemd)
 	install_systemd
 	;;
-	openrc)
+openrc)
 	install_openrc
 	;;
-	linux)
+linux)
 	install_linux
 	;;
-	openwrt)
+openwrt)
 	install_openwrt
 	;;
-	macos)
+macos)
 	install_macos
 	;;
 esac
 exitp 0
--- a/install_prereq.sh
+++ b/install_prereq.sh
@ -3,7 +3,10 @@
 # install prerequisites
 EXEDIR="$(dirname "$0")"
-EXEDIR="$(cd "$EXEDIR"; pwd)"
+EXEDIR="$(
 	cd "$EXEDIR"
 	pwd
 )"
 ZAPRET_BASE=${ZAPRET_BASE:-"$EXEDIR"}
 ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
 ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
@ -27,14 +30,14 @@ umask 0022
 fix_sbin_path
 fsleep_setup
 check_system accept_unknown_rc
-[ $UNAME = "Linux" ] || {
+[ "$UNAME" = "Linux" ] || {
-	echo no prerequisites required for $UNAME
+	echo no prerequisites required for "$UNAME"
 	exitp 0
 }
 require_root
 case $UNAME in
-	Linux)
+Linux)
 	select_fwtype
 	case $SYSTEM in
 	openwrt)
--- a/ipset/clear_lists.sh
+++ b/ipset/clear_lists.sh
@ -1,7 +1,10 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
    cd "$IPSET_DIR"
    pwd
 )"
 . "$IPSET_DIR/def.sh"
--- a/ipset/create_ipset.sh
+++ b/ipset/create_ipset.sh
@ -5,7 +5,10 @@
 # $1=clear        - clear ipset
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
 	cd "$IPSET_DIR" || exit
 	pwd
 )"
 . "$IPSET_DIR/def.sh"
 . "$IPSET_DIR/../common/fwtype.sh"
@ -27,17 +30,14 @@ while [ -n "$1" ]; do
 	shift
 done
-
+file_extract_lines() {
 file_extract_lines()
 {
 	# $1 - filename
 	# $2 - from line (starting with 0)
 	# $3 - line count
 	# awk "{ err=1 } NR < $(($2+1)) { next } { print; err=0 } NR == $(($2+$3)) { exit err } END {exit err}" "$1"
-	$AWK "NR < $(($2+1)) { next } { print } NR == $(($2+$3)) { exit }" "$1"
+	$AWK "NR < $(($2 + 1)) { next } { print } NR == $(($2 + $3)) { exit }" "$1"
 }
-ipset_restore_chunked()
+ipset_restore_chunked() {
 {
 	# $1 - filename
 	# $2 - chunk size
 	local pos lines
@ -45,27 +45,23 @@ ipset_restore_chunked()
 	lines=$(wc -l <"$1")
 	pos=$lines
 	while [ "$pos" -gt "0" ]; do
-		pos=$((pos-$2))
+		pos=$((pos - $2))
 		[ "$pos" -lt "0" ] && pos=0
-		file_extract_lines "$1" $pos $2 | ipset -! restore
+		file_extract_lines "$1" $pos "$2" | ipset -! restore
-		sed -i "$(($pos+1)),$ d" "$1"
+		sed -i "$(($pos + 1)),$ d" "$1"
 	done
 }
-
+ipset_get_script() {
 ipset_get_script()
 {
 	# $1 - ipset name
 	sed -nEe "s/^.+$/add $1 &/p"
 }
-ipset_get_script_from_file()
+ipset_get_script_from_file() {
 {
 	# $1 - filename
 	# $2 - ipset name
-	zzcat "$1" | sort -u | ipset_get_script $2
+	zzcat "$1" | sort -u | ipset_get_script "$2"
 }
-ipset_restore()
+ipset_restore() {
 {
 	# $1 - ipset name
 	# $2 - filename
@ -78,7 +74,7 @@ ipset_restore()
 	local T="Adding to ipset $1 "
 	[ "$svram" = "1" ] && T="$T (saveram)"
 	T="$T : $f"
-	echo $T
+	echo "$T"
 	if [ "$svram" = "1" ]; then
 		ipset_get_script_from_file "$2" "$1" >"$IPSET_CMD"
@ -88,46 +84,43 @@ ipset_restore()
 		ipset_get_script_from_file "$2" "$1" | ipset -! restore
 	fi
 }
-create_ipset()
+create_ipset() {
 {
 	if [ "$1" -eq "6" ]; then
 		FAMILY=inet6
 	else
 		FAMILY=inet
 	fi
-	ipset create $2 $3 $4 family $FAMILY 2>/dev/null || {
+	ipset create "$2" "$3" "$4" family $FAMILY 2>/dev/null || {
 		[ "$NO_UPDATE" = "1" ] && return 0
 	}
-	ipset flush $2
+	ipset flush "$2"
 	[ "$DO_CLEAR" = "1" ] || {
-		for f in "$5" "$6" ; do
+		for f in "$5" "$6"; do
 			ipset_restore "$2" "$f"
 		done
-		[ -n "$IPSET_HOOK" ] && $IPSET_HOOK $2 | ipset_get_script $2 | ipset -! restore
+		[ -n "$IPSET_HOOK" ] && $IPSET_HOOK "$2" | ipset_get_script "$2" | ipset -! restore
 	}
 	return 0
 }
-nfset_get_script_multi()
+nfset_get_script_multi() {
 {
 	# $1 - set name
 	# $2,$3,... - filenames
 	# all in one shot. this allows to merge overlapping ranges
 	# good but eats lots of RAM
-	local set=$1 nonempty N=1 f
+	local set="$1" nonempty N=1 f
 	shift
 	# first we need to make sure at least one element exists or nft will fail
-	while :
+	while :; do
 	do
 		eval f=\$$N
 		[ -n "$f" ] || break
 		nonempty=$(zzexist "$f" && zzcat "$f" | head -n 1)
 		[ -n "$nonempty" ] && break
-		N=$(($N+1))
+		N=$(($N + 1))
 	done
 	[ -n "$nonempty" ] && {
@ -139,22 +132,20 @@ nfset_get_script_multi()
 		echo "}"
 	}
 }
-nfset_restore()
+nfset_restore() {
 {
 	# $1 - set name
 	# $2,$3,... - filenames
 	echo "Adding to nfset $1 : $2 $3 $4 $5"
 	local hookfile
 	[ -n "$IPSET_HOOK" ] && {
-		$IPSET_HOOK $1 >"$IPSET_HOOK_TEMP"
+		$IPSET_HOOK "$1" >"$IPSET_HOOK_TEMP"
 		[ -s "$IPSET_HOOK_TEMP" ] && hookfile=$IPSET_HOOK_TEMP
 	}
-	nfset_get_script_multi "$@" $hookfile | nft -f -
+	nfset_get_script_multi "$@" "$hookfile" | nft -f -
 	rm -f "$IPSET_HOOK_TEMP"
 }
-create_nfset()
+create_nfset() {
 {
 	# $1 - family
 	# $2 - set name
 	# $3 - maxelem
@ -162,54 +153,50 @@ create_nfset()
 	local policy
 	[ $SAVERAM = "1" ] && policy="policy memory;"
-	nft_create_set $2 "type ipv${1}_addr; size $3; flags interval; auto-merge; $policy" || {
+	nft_create_set "$2" "type ipv${1}_addr; size $3; flags interval; auto-merge; $policy" || {
 		[ "$NO_UPDATE" = "1" ] && return 0
-		nft flush set inet $ZAPRET_NFT_TABLE $2
+		nft flush set inet "$ZAPRET_NFT_TABLE" "$2"
 	}
 	[ "$DO_CLEAR" = "1" ] || {
-		nfset_restore $2 $4 $5
+		nfset_restore "$2" "$4" "$5"
 	}
 	return 0
 }
-add_ipfw_table()
+add_ipfw_table() {
 {
 	# $1 - table name
 	sed -nEe "s/^.+$/table $1 add &/p" | ipfw -q /dev/stdin
 }
-populate_ipfw_table()
+populate_ipfw_table() {
 {
 	# $1 - table name
 	# $2 - ip list file
 	zzexist "$2" || return
-	zzcat "$2" | sort -u | add_ipfw_table $1
+	zzcat "$2" | sort -u | add_ipfw_table "$1"
 }
-create_ipfw_table()
+create_ipfw_table() {
 {
 	# $1 - table name
 	# $2 - table options
 	# $3,$4, ... - ip list files. can be v4,v6 or mixed
-	local name=$1
+	local name="$1"
-	ipfw table "$name" create $2 2>/dev/null || {
+	ipfw table "$name" create "$2" 2>/dev/null || {
 		[ "$NO_UPDATE" = "1" ] && return 0
 	}
-	ipfw -q table $1 flush
+	ipfw -q table "$1" flush
 	shift
 	shift
 	[ "$DO_CLEAR" = "1" ] || {
 		while [ -n "$1" ]; do
 			echo "Adding to ipfw table $name : $1"
-			populate_ipfw_table $name "$1"
+			populate_ipfw_table "$name" "$1"
 			shift
 		done
-		[ -n "$IPSET_HOOK" ] && $IPSET_HOOK $name | add_ipfw_table $name
+		[ -n "$IPSET_HOOK" ] && $IPSET_HOOK "$name" | add_ipfw_table "$name"
 	}
 	return 0
 }
-print_reloading_backend()
+print_reloading_backend() {
 {
 	# $1 - backend name
 	local s="reloading $1 backend"
 	if [ "$NO_UPDATE" = 1 ]; then
@ -219,19 +206,18 @@ print_reloading_backend()
 	else
 		s="$s (forced-update)"
 	fi
-	echo $s
+	echo "$s"
 }
 oom_adjust_high
 get_fwtype
-if [ -n "$LISTS_RELOAD" ] ; then
+if [ -n "$LISTS_RELOAD" ]; then
-	if [ "$LISTS_RELOAD" = "-" ] ; then
+	if [ "$LISTS_RELOAD" = "-" ]; then
 		echo not reloading ip list backend
 		true
 	else
-		echo executing custom ip list reload command : $LISTS_RELOAD
+		echo executing custom ip list reload command : "$LISTS_RELOAD"
 		$LISTS_RELOAD
 		[ -n "$IPSET_HOOK" ] && $IPSET_HOOK
 	fi
@ -244,37 +230,37 @@ else
 		# only /tmp is considered tmpfs. other locations mean tmpdir was redirected to a disk
 		SAVERAM=0
 		[ "$TMPDIR" = "/tmp" ] && {
-				RAMSIZE=$($GREP MemTotal /proc/meminfo | $AWK '{print $2}')
+			RAMSIZE=$($GREP MemTotal /proc/meminfo | $AWK "{print $2}")
 			[ "$RAMSIZE" -lt "110000" ] && SAVERAM=1
 		}
 		print_reloading_backend ipset
 		[ "$DISABLE_IPV4" != "1" ] && {
-				create_ipset 4 $ZIPSET hash:net "$IPSET_OPT" "$ZIPLIST" "$ZIPLIST_USER"
+			create_ipset 4 "$ZIPSET" hash:net "$IPSET_OPT" "$ZIPLIST" "$ZIPLIST_USER"
-				create_ipset 4 $ZIPSET_IPBAN hash:net "$IPSET_OPT" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN"
+			create_ipset 4 "$ZIPSET_IPBAN" hash:net "$IPSET_OPT" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN"
-				create_ipset 4 $ZIPSET_EXCLUDE hash:net "$IPSET_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE"
+			create_ipset 4 "$ZIPSET_EXCLUDE" hash:net "$IPSET_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE"
 		}
 		[ "$DISABLE_IPV6" != "1" ] && {
-				create_ipset 6 $ZIPSET6 hash:net "$IPSET_OPT" "$ZIPLIST6" "$ZIPLIST_USER6"
+			create_ipset 6 "$ZIPSET6" hash:net "$IPSET_OPT" "$ZIPLIST6" "$ZIPLIST_USER6"
-				create_ipset 6 $ZIPSET_IPBAN6 hash:net "$IPSET_OPT" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6"
+			create_ipset 6 "$ZIPSET_IPBAN6" hash:net "$IPSET_OPT" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6"
-				create_ipset 6 $ZIPSET_EXCLUDE6 hash:net "$IPSET_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE6"
+			create_ipset 6 "$ZIPSET_EXCLUDE6" hash:net "$IPSET_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE6"
 		}
 		true
 		;;
 	nftables)
 		nft_create_table && {
 			SAVERAM=0
-				RAMSIZE=$($GREP MemTotal /proc/meminfo | $AWK '{print $2}')
+			RAMSIZE=$($GREP MemTotal /proc/meminfo | $AWK "{print $2}")
 			[ "$RAMSIZE" -lt "420000" ] && SAVERAM=1
 			print_reloading_backend "nftables set"
 			[ "$DISABLE_IPV4" != "1" ] && {
-					create_nfset 4 $ZIPSET $SET_MAXELEM "$ZIPLIST" "$ZIPLIST_USER"
+				create_nfset 4 "$ZIPSET" "$SET_MAXELEM" "$ZIPLIST" "$ZIPLIST_USER"
-					create_nfset 4 $ZIPSET_IPBAN $SET_MAXELEM "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN"
+				create_nfset 4 "$ZIPSET_IPBAN" "$SET_MAXELEM" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN"
-					create_nfset 4 $ZIPSET_EXCLUDE $SET_MAXELEM_EXCLUDE "$ZIPLIST_EXCLUDE"
+				create_nfset 4 "$ZIPSET_EXCLUDE" "$SET_MAXELEM_EXCLUDE" "$ZIPLIST_EXCLUDE"
 			}
 			[ "$DISABLE_IPV6" != "1" ] && {
-					create_nfset 6 $ZIPSET6 $SET_MAXELEM "$ZIPLIST6" "$ZIPLIST_USER6"
+				create_nfset 6 "$ZIPSET6" "$SET_MAXELEM" "$ZIPLIST6" "$ZIPLIST_USER6"
-					create_nfset 6 $ZIPSET_IPBAN6 $SET_MAXELEM "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6"
+				create_nfset 6 "$ZIPSET_IPBAN6" "$SET_MAXELEM" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6"
-					create_nfset 6 $ZIPSET_EXCLUDE6 $SET_MAXELEM_EXCLUDE "$ZIPLIST_EXCLUDE6"
+				create_nfset 6 "$ZIPSET_EXCLUDE6" "$SET_MAXELEM_EXCLUDE" "$ZIPLIST_EXCLUDE6"
 			}
 			true
 		}
@ -282,21 +268,21 @@ else
 	ipfw)
 		print_reloading_backend "ipfw table"
 		if [ "$DISABLE_IPV4" != "1" ] && [ "$DISABLE_IPV6" != "1" ]; then
-				create_ipfw_table $ZIPSET "$IPFW_TABLE_OPT" "$ZIPLIST" "$ZIPLIST_USER" "$ZIPLIST6" "$ZIPLIST_USER6"
+			create_ipfw_table "$ZIPSET" "$IPFW_TABLE_OPT" "$ZIPLIST" "$ZIPLIST_USER" "$ZIPLIST6" "$ZIPLIST_USER6"
-				create_ipfw_table $ZIPSET_IPBAN "$IPFW_TABLE_OPT" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6"
+			create_ipfw_table "$ZIPSET_IPBAN" "$IPFW_TABLE_OPT" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6"
-				create_ipfw_table $ZIPSET_EXCLUDE "$IPFW_TABLE_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE" "$ZIPLIST_EXCLUDE6"
+			create_ipfw_table "$ZIPSET_EXCLUDE" "$IPFW_TABLE_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE" "$ZIPLIST_EXCLUDE6"
 		elif [ "$DISABLE_IPV4" != "1" ]; then
-				create_ipfw_table $ZIPSET "$IPFW_TABLE_OPT" "$ZIPLIST" "$ZIPLIST_USER"
+			create_ipfw_table "$ZIPSET" "$IPFW_TABLE_OPT" "$ZIPLIST" "$ZIPLIST_USER"
-				create_ipfw_table $ZIPSET_IPBAN "$IPFW_TABLE_OPT" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN"
+			create_ipfw_table "$ZIPSET_IPBAN" "$IPFW_TABLE_OPT" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN"
-				create_ipfw_table $ZIPSET_EXCLUDE "$IPFW_TABLE_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE"
+			create_ipfw_table "$ZIPSET_EXCLUDE" "$IPFW_TABLE_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE"
 		elif [ "$DISABLE_IPV6" != "1" ]; then
-				create_ipfw_table $ZIPSET "$IPFW_TABLE_OPT" "$ZIPLIST6" "$ZIPLIST_USER6"
+			create_ipfw_table "$ZIPSET" "$IPFW_TABLE_OPT" "$ZIPLIST6" "$ZIPLIST_USER6"
-				create_ipfw_table $ZIPSET_IPBAN "$IPFW_TABLE_OPT" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6"
+			create_ipfw_table "$ZIPSET_IPBAN" "$IPFW_TABLE_OPT" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6"
-				create_ipfw_table $ZIPSET_EXCLUDE "$IPFW_TABLE_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE6"
+			create_ipfw_table "$ZIPSET_EXCLUDE" "$IPFW_TABLE_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE6"
 		else
-				create_ipfw_table $ZIPSET "$IPFW_TABLE_OPT"
+			create_ipfw_table "$ZIPSET" "$IPFW_TABLE_OPT"
-				create_ipfw_table $ZIPSET_IPBAN "$IPFW_TABLE_OPT"
+			create_ipfw_table "$ZIPSET_IPBAN" "$IPFW_TABLE_OPT"
-				create_ipfw_table $ZIPSET_EXCLUDE "$IPFW_TABLE_OPT_EXCLUDE"
+			create_ipfw_table "$ZIPSET_EXCLUDE" "$IPFW_TABLE_OPT_EXCLUDE"
 		fi
 		true
 		;;
--- a/ipset/def.sh
+++ b/ipset/def.sh
@ -1,6 +1,9 @@
 [ -n "$IPSET_DIR" ] || {
  IPSET_DIR="$(dirname "$0")"
- IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+  IPSET_DIR="$(
    cd "$IPSET_DIR" || exit
    pwd
  )"
 }
 . "$IPSET_DIR/../config"
@ -39,18 +42,15 @@ ZIPLIST_USER_IPBAN6="$IPSET_DIR/zapret-ip-user-ipban6.txt"
 ZUSERLIST_IPBAN="$IPSET_DIR/zapret-hosts-user-ipban.txt"
 ZUSERLIST_EXCLUDE="$IPSET_DIR/zapret-hosts-user-exclude.txt"
 [ -n "$IP2NET" ] || IP2NET="$IPSET_DIR/../ip2net/ip2net"
 [ -n "$MDIG" ] || MDIG="$IPSET_DIR/../mdig/mdig"
 [ -z "$MDIG_THREADS" ] && MDIG_THREADS=30
 # BSD grep is damn slow with -f option. prefer GNU grep (ggrep) if present
 # MacoS in cron does not include /usr/local/bin to PATH
-if [ -x /usr/local/bin/ggrep ] ; then
+if [ -x /usr/local/bin/ggrep ]; then
  GREP=/usr/local/bin/ggrep
-elif [ -x /usr/local/bin/grep ] ; then
+elif [ -x /usr/local/bin/grep ]; then
  GREP=/usr/local/bin/grep
 elif exists ggrep; then
  GREP=$(whichq ggrep)
@ -65,50 +65,43 @@ else
  AWK=awk
 fi
-grep_supports_b()
+grep_supports_b() {
 {
  # \b does not work with BSD grep
  $GREP --version 2>&1 | $GREP -qE "BusyBox|GNU"
 }
-get_ip_regex()
+get_ip_regex() {
 {
  REG_IPV4='((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[12][0-9]|3[012]))?'
  REG_IPV6='[0-9a-fA-F]{1,4}:([0-9a-fA-F]{1,4}|:)+(\/([0-9][0-9]?|1[01][0-9]|12[0-8]))?'
  # good but too slow
  # REG_IPV6='([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,7}:(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}(/[0-9]+)?|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})(/[0-9]+)?|:((:[0-9a-fA-F]{1,4}){1,7}|:)(/([0-9][0-9]?|1[01][0-9]|12[0-8]))?'
-# grep_supports_b && {
+  # grep_supports_b && {
-#  REG_IPV4="\b$REG_IPV4\b"
+  #  REG_IPV4="\b$REG_IPV4\b"
-#  REG_IPV6="\b$REG_IPV6\b"
+  #  REG_IPV6="\b$REG_IPV6\b"
-# }
+  # }
 }
-ip2net4()
+ip2net4() {
 {
  if [ -x "$IP2NET" ]; then
-  "$IP2NET" -4 $IP2NET_OPT4
+    "$IP2NET" -4 "$IP2NET_OPT4"
  else
    sort -u
  fi
 }
-ip2net6()
+ip2net6() {
 {
  if [ -x "$IP2NET" ]; then
-  "$IP2NET" -6 $IP2NET_OPT6
+    "$IP2NET" -6 "$IP2NET_OPT6"
  else
    sort -u
  fi
 }
-zzexist()
+zzexist() {
 {
  [ -f "$1.gz" ] || [ -f "$1" ]
 }
-zztest()
+zztest() {
 {
  gzip -t "$1" 2>/dev/null
 }
-zzcat()
+zzcat() {
 {
  if [ -f "$1.gz" ]; then
    gunzip -c "$1.gz"
  elif [ -f "$1" ]; then
@ -119,8 +112,7 @@ zzcat()
    fi
  fi
 }
-zz()
+zz() {
 {
  if [ "$GZIP_LISTS" = "1" ]; then
    gzip -c >"$1.gz"
    rm -f "$1"
@ -129,8 +121,7 @@ zz()
    rm -f "$1.gz"
  fi
 }
-zzsize()
+zzsize() {
 {
  local f="$1"
  [ -f "$1.gz" ] && f="$1.gz"
  if [ -f "$f" ]; then
@ -140,34 +131,31 @@ zzsize()
  fi
 }
-digger()
+digger() {
 {
  # $1 - family (4|6)
  # $2 - s=enable mdig stats
  if [ -x "$MDIG" ]; then
    local cmd
    [ "$2" = "s" ] && cmd=--stats=1000
-  "$MDIG" --family=$1 --threads=$MDIG_THREADS $cmd
+    "$MDIG" --family="$1" --threads="$MDIG_THREADS" $cmd
  else
    local A=A
    [ "$1" = "6" ] && A=AAAA
    dig $A +short +time=8 +tries=2 -f - | $GREP -E '^[^;].*[^\.]$'
  fi
 }
-filedigger()
+filedigger() {
 {
  # $1 - hostlist
  # $2 - family (4|6)
- >&2 echo digging $(wc -l <"$1" | xargs) ipv$2 domains : "$1"
+  echo ">&2 digging $(wc -l <"$1" | xargs) ipv$2 domains : $1"
- zzcat "$1" | digger $2 s
+  zzcat "$1" | digger "$2" s
 }
-flush_dns_cache()
+flush_dns_cache() {
 {
  echo clearing all known DNS caches
  if exists killall; then
    killall -HUP dnsmasq 2>/dev/null
-  # MacOS
+    # macOS
    killall -HUP mDNSResponder 2>/dev/null
  elif exists pkill; then
    pkill -HUP ^dnsmasq$
@ -184,15 +172,14 @@ flush_dns_cache()
  fi
 }
-dnstest()
+dnstest() {
-{
+  local ip
- local ip="$(echo w3.org | digger 46)"
+  ip="$(echo w3.org | digger 46)"
  [ -n "$ip" ]
 }
-dnstest_with_cache_clear()
+dnstest_with_cache_clear() {
 {
  flush_dns_cache
- if dnstest ; then
+  if dnstest; then
    echo DNS is working
    return 0
  else
@ -201,61 +188,52 @@ dnstest_with_cache_clear()
  fi
 }
-
+cut_local() {
 cut_local()
 {
  $GREP -vE '^192\.168\.|^127\.|^10\.'
 }
-cut_local6()
+cut_local6() {
 {
  $GREP -vE '^::|^fc..:|^fd..:|^fe8.:|^fe9.:|^fea.:|^feb.:|^FC..:|^FD..:|^FE8.:|^FE9.:|^FEA.:|^FEB.:'
 }
-oom_adjust_high()
+oom_adjust_high() {
 {
  [ -f /proc/$$/oom_score_adj ] && {
    echo setting high oom kill priority
    echo -n 100 >/proc/$$/oom_score_adj
  }
 }
-getexclude()
+getexclude() {
 {
  oom_adjust_high
  dnstest_with_cache_clear || return
  [ -f "$ZUSERLIST_EXCLUDE" ] && {
-  [ "$DISABLE_IPV4" != "1" ] && filedigger "$ZUSERLIST_EXCLUDE" 4 | sort -u > "$ZIPLIST_EXCLUDE"
+    [ "$DISABLE_IPV4" != "1" ] && filedigger "$ZUSERLIST_EXCLUDE" 4 | sort -u >"$ZIPLIST_EXCLUDE"
-  [ "$DISABLE_IPV6" != "1" ] && filedigger "$ZUSERLIST_EXCLUDE" 6 | sort -u > "$ZIPLIST_EXCLUDE6"
+    [ "$DISABLE_IPV6" != "1" ] && filedigger "$ZUSERLIST_EXCLUDE" 6 | sort -u >"$ZIPLIST_EXCLUDE6"
  }
  return 0
 }
-_get_ipban()
+_get_ipban() {
 {
  [ -f "$ZUSERLIST_IPBAN" ] && {
-  [ "$DISABLE_IPV4" != "1" ] && filedigger "$ZUSERLIST_IPBAN" 4 | cut_local | sort -u > "$ZIPLIST_USER_IPBAN"
+    [ "$DISABLE_IPV4" != "1" ] && filedigger "$ZUSERLIST_IPBAN" 4 | cut_local | sort -u >"$ZIPLIST_USER_IPBAN"
-  [ "$DISABLE_IPV6" != "1" ] && filedigger "$ZUSERLIST_IPBAN" 6 | cut_local6 | sort -u > "$ZIPLIST_USER_IPBAN6"
+    [ "$DISABLE_IPV6" != "1" ] && filedigger "$ZUSERLIST_IPBAN" 6 | cut_local6 | sort -u >"$ZIPLIST_USER_IPBAN6"
  }
 }
-getuser()
+getuser() {
 {
  getexclude || return
  [ -f "$ZUSERLIST" ] && {
-  [ "$DISABLE_IPV4" != "1" ] && filedigger "$ZUSERLIST" 4 | cut_local | sort -u > "$ZIPLIST_USER"
+    [ "$DISABLE_IPV4" != "1" ] && filedigger "$ZUSERLIST" 4 | cut_local | sort -u >"$ZIPLIST_USER"
-  [ "$DISABLE_IPV6" != "1" ] && filedigger "$ZUSERLIST" 6 | cut_local6 | sort -u > "$ZIPLIST_USER6"
+    [ "$DISABLE_IPV6" != "1" ] && filedigger "$ZUSERLIST" 6 | cut_local6 | sort -u >"$ZIPLIST_USER6"
  }
  _get_ipban
  return 0
 }
-getipban()
+getipban() {
 {
  getexclude || return
  _get_ipban
  return 0
 }
-hup_zapret_daemons()
+hup_zapret_daemons() {
 {
  echo forcing zapret daemons to reload their hostlist
  if exists killall; then
    killall -HUP tpws nfqws dvtws 2>/dev/null
@ -265,4 +243,3 @@ hup_zapret_daemons()
    echo no mass killer available ! cant HUP zapret daemons
  fi
 }
--- a/ipset/get_antifilter_allyouneed.sh
+++ b/ipset/get_antifilter_allyouneed.sh
@ -1,7 +1,10 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
    cd "$IPSET_DIR"
    pwd
 )"
 . "$IPSET_DIR/def.sh"
--- a/ipset/get_antifilter_ip.sh
+++ b/ipset/get_antifilter_ip.sh
@ -1,7 +1,10 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
    cd "$IPSET_DIR"
    pwd
 )"
 . "$IPSET_DIR/def.sh"
--- a/ipset/get_antifilter_ipresolve.sh
+++ b/ipset/get_antifilter_ipresolve.sh
@ -1,7 +1,10 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
    cd "$IPSET_DIR"
    pwd
 )"
 . "$IPSET_DIR/def.sh"
--- a/ipset/get_antifilter_ipsmart.sh
+++ b/ipset/get_antifilter_ipsmart.sh
@ -1,7 +1,10 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
    cd "$IPSET_DIR"
    pwd
 )"
 . "$IPSET_DIR/def.sh"
--- a/ipset/get_antifilter_ipsum.sh
+++ b/ipset/get_antifilter_ipsum.sh
@ -1,7 +1,10 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
    cd "$IPSET_DIR"
    pwd
 )"
 . "$IPSET_DIR/def.sh"
--- a/ipset/get_antizapret_domains.sh
+++ b/ipset/get_antizapret_domains.sh
@ -1,7 +1,10 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
    cd "$IPSET_DIR"
    pwd
 )"
 . "$IPSET_DIR/def.sh"
@ -14,15 +17,14 @@ getipban || FAIL=1
 ZURL=https://antizapret.prostovpn.org:8443/domains-export.txt
 ZDOM="$TMPDIR/zapret.txt"
 curl -H "Accept-Encoding: gzip" -k --fail --max-time 600 --connect-timeout 5 --retry 3 --max-filesize 251658240 "$ZURL" | gunzip - >"$ZDOM" ||
-{
+    {
        echo domain list download failed
        exit 2
-}
+    }
 dlsize=$(LANG=C wc -c "$ZDOM" | xargs | cut -f 1 -d ' ')
-if test $dlsize -lt 102400; then
+if test "$dlsize" -lt 102400; then
    echo list file is too small. can be bad.
    exit 2
 fi
--- a/ipset/get_config.sh
+++ b/ipset/get_config.sh
@ -2,7 +2,10 @@
 # run script specified in config
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
    cd "$IPSET_DIR"
    pwd
 )"
 . "$IPSET_DIR/../config"
--- a/ipset/get_exclude.sh
+++ b/ipset/get_exclude.sh
@ -2,7 +2,10 @@
 # resolve user host list
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
    cd "$IPSET_DIR"
    pwd
 )"
 . "$IPSET_DIR/def.sh"
--- a/ipset/get_ipban.sh
+++ b/ipset/get_ipban.sh
@ -2,7 +2,10 @@
 # resolve only ipban user host list
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
    cd "$IPSET_DIR"
    pwd
 )"
 . "$IPSET_DIR/def.sh"
--- a/ipset/get_reestr_hostlist.sh
+++ b/ipset/get_reestr_hostlist.sh
@ -1,7 +1,10 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
  cd "$IPSET_DIR" || exit
  pwd
 )"
 . "$IPSET_DIR/def.sh"
@ -9,37 +12,33 @@ ZREESTR="$TMPDIR/zapret.txt"
 IPB="$TMPDIR/ipb.txt"
 ZURL_REESTR=https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv
-dl_checked()
+dl_checked() {
 {
  # $1 - url
  # $2 - file
  # $3 - minsize
  # $4 - maxsize
  # $5 - maxtime
-  curl -k --fail --max-time $5 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$2" "$1" ||
+  curl -k --fail --max-time "$5" --connect-timeout 10 --retry 4 --max-filesize "$4" -o "$2" "$1" ||
    {
-   echo list download failed : $1
+      echo list download failed : "$1"
      return 2
    }
  dlsize=$(LANG=C wc -c "$2" | xargs | cut -f 1 -d ' ')
-  if test $dlsize -lt $3; then
+  if test "$dlsize" -lt "$3"; then
-   echo list is too small : $dlsize bytes. can be bad.
+    echo list is too small : "$dlsize" bytes. can be bad.
    return 2
  fi
  return 0
 }
-reestr_list()
+reestr_list() {
-{
+  LANG=C cut -s -f2 -d';' "$ZREESTR" | LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p' | $AWK "{ print tolower($0) }"
 LANG=C cut -s -f2 -d';' "$ZREESTR" | LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p' | $AWK '{ print tolower($0) }'
 }
-reestr_extract_ip()
+reestr_extract_ip() {
-{
+  LANG=C nice -n 5 "$AWK" -F ";" "($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}" "$ZREESTR" | LANG=C $AWK "{split($1, a, /\|/); for (i in a) {print a[i]}}"
 LANG=C nice -n 5 $AWK -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' "$ZREESTR" | LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}'
 }
-ipban_fin()
+ipban_fin() {
 {
  getipban
  "$IPSET_DIR/create_ipset.sh"
 }
--- a/ipset/get_reestr_preresolved.sh
+++ b/ipset/get_reestr_preresolved.sh
@ -1,7 +1,10 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
  cd "$IPSET_DIR" || exit
  pwd
 )"
 . "$IPSET_DIR/def.sh"
@ -13,20 +16,19 @@ URL6="$BASEURL/reestr_resolved6.txt"
 IPB4="$BASEURL/reestr_ipban4.txt"
 IPB6="$BASEURL/reestr_ipban6.txt"
-dl()
+dl() {
 {
  # $1 - url
  # $2 - file
  # $3 - minsize
  # $4 - maxsize
-  curl -H "Accept-Encoding: gzip" -k --fail --max-time 120 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$TMPLIST" "$1" ||
+  curl -H "Accept-Encoding: gzip" -k --fail --max-time 120 --connect-timeout 10 --retry 4 --max-filesize "$4" -o "$TMPLIST" "$1" ||
    {
-   echo list download failed : $1
+      echo list download failed : "$1"
      exit 2
    }
  dlsize=$(LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
-  if test $dlsize -lt $3; then
+  if test "$dlsize" -lt "$3"; then
-   echo list is too small : $dlsize bytes. can be bad.
+    echo list is too small : "$dlsize" bytes. can be bad.
    exit 2
  fi
  zzcat "$TMPLIST" | zz "$2"
--- a/ipset/get_reestr_preresolved_smart.sh
+++ b/ipset/get_reestr_preresolved_smart.sh
@ -1,7 +1,10 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
  cd "$IPSET_DIR" || exit
  pwd
 )"
 . "$IPSET_DIR/def.sh"
@ -13,20 +16,19 @@ URL6="$BASEURL/reestr_smart6.txt"
 IPB4="$BASEURL/reestr_ipban4.txt"
 IPB6="$BASEURL/reestr_ipban6.txt"
-dl()
+dl() {
 {
  # $1 - url
  # $2 - file
  # $3 - minsize
  # $4 - maxsize
-  curl -H "Accept-Encoding: gzip" -k --fail --max-time 120 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$TMPLIST" "$1" ||
+  curl -H "Accept-Encoding: gzip" -k --fail --max-time 120 --connect-timeout 10 --retry 4 --max-filesize "$4" -o "$TMPLIST" "$1" ||
    {
-   echo list download failed : $1
+      echo list download failed : "$1"
      exit 2
    }
  dlsize=$(LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
-  if test $dlsize -lt $3; then
+  if test "$dlsize" -lt "$3"; then
-   echo list is too small : $dlsize bytes. can be bad.
+    echo list is too small : "$dlsize" bytes. can be bad.
    exit 2
  fi
  zzcat "$TMPLIST" | zz "$2"
--- a/ipset/get_reestr_resolvable_domains.sh
+++ b/ipset/get_reestr_resolvable_domains.sh
@ -1,7 +1,10 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
  cd "$IPSET_DIR" || exit
  pwd
 )"
 . "$IPSET_DIR/def.sh"
@ -12,20 +15,19 @@ URL="$BASEURL/reestr_hostname_resolvable.txt"
 IPB4="$BASEURL/reestr_ipban4.txt"
 IPB6="$BASEURL/reestr_ipban6.txt"
-dl()
+dl() {
 {
  # $1 - url
  # $2 - file
  # $3 - minsize
  # $4 - maxsize
-  curl -H "Accept-Encoding: gzip" -k --fail --max-time 120 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$TMPLIST" "$1" ||
+  curl -H "Accept-Encoding: gzip" -k --fail --max-time 120 --connect-timeout 10 --retry 4 --max-filesize "$4" -o "$TMPLIST" "$1" ||
    {
-   echo list download failed : $1
+      echo list download failed : "$1"
      exit 2
    }
  dlsize=$(LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
-  if test $dlsize -lt $3; then
+  if test "$dlsize" -lt "$3"; then
-   echo list is too small : $dlsize bytes. can be bad.
+    echo list is too small : "$dlsize" bytes. can be bad.
    exit 2
  fi
  zzcat "$TMPLIST" | zz "$2"
--- a/ipset/get_reestr_resolve.sh
+++ b/ipset/get_reestr_resolve.sh
@ -1,7 +1,10 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
  cd "$IPSET_DIR" || exit
  pwd
 )"
 . "$IPSET_DIR/def.sh"
@ -12,33 +15,30 @@ ZIPLISTTMP="$TMPDIR/zapret-ip.txt"
 #ZURL=https://reestr.rublacklist.net/api/current
 ZURL_REESTR=https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv
-dl_checked()
+dl_checked() {
 {
  # $1 - url
  # $2 - file
  # $3 - minsize
  # $4 - maxsize
  # $5 - maxtime
-  curl -k --fail --max-time $5 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$2" "$1" ||
+  curl -k --fail --max-time "$5" --connect-timeout 10 --retry 4 --max-filesize "$4" -o "$2" "$1" ||
    {
-   echo list download failed : $1
+      echo list download failed : "$1"
      return 2
    }
  dlsize=$(LANG=C wc -c "$2" | xargs | cut -f 1 -d ' ')
-  if test $dlsize -lt $3; then
+  if test "$dlsize" -lt "$3"; then
-   echo list is too small : $dlsize bytes. can be bad.
+    echo list is too small : "$dlsize" bytes. can be bad.
    return 2
  fi
  return 0
 }
-reestr_list()
+reestr_list() {
 {
  LANG=C cut -s -f2 -d';' "$ZREESTR" | LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p'
 }
-reestr_extract_ip()
+reestr_extract_ip() {
-{
+  LANG=C nice -n 5 "$AWK" -F ';' "($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}" "$ZREESTR" | LANG=C $AWK "{split($1, a, /\|/); for (i in a) {print a[i]}}"
 LANG=C nice -n 5 $AWK -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' "$ZREESTR" | LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}'
 }
 getuser && {
--- a/ipset/get_user.sh
+++ b/ipset/get_user.sh
@ -2,7 +2,10 @@
 # resolve user host list
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
    cd "$IPSET_DIR"
    pwd
 )"
 . "$IPSET_DIR/def.sh"
--- a/uninstall_easy.sh
+++ b/uninstall_easy.sh
@ -3,7 +3,10 @@
 # automated script for easy uninstalling zapret
 EXEDIR="$(dirname "$0")"
-EXEDIR="$(cd "$EXEDIR"; pwd)"
+EXEDIR="$(
 	cd "$EXEDIR"
 	pwd
 )"
 ZAPRET_BASE=${ZAPRET_BASE:-"$EXEDIR"}
 ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
 ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
@ -26,8 +29,7 @@ IPSET_DIR="$ZAPRET_BASE/ipset"
 . "$ZAPRET_BASE/common/pf.sh"
 . "$ZAPRET_BASE/common/installer.sh"
-remove_systemd()
+remove_systemd() {
 {
 	clear_ipset
 	service_stop_systemd
 	service_remove_systemd
@ -36,16 +38,14 @@ remove_systemd()
 	crontab_del
 }
-remove_openrc()
+remove_openrc() {
 {
 	clear_ipset
 	service_remove_openrc
 	nft_del_table
 	crontab_del
 }
-remove_linux()
+remove_linux() {
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret"
 	clear_ipset
@ -61,8 +61,7 @@ remove_linux()
 	echo 'you must manually remove zapret auto start from your system'
 }
-remove_openwrt()
+remove_openwrt() {
 {
 	OPENWRT_FW_INCLUDE=/etc/firewall.zapret
 	clear_ipset
@ -74,14 +73,12 @@ remove_openwrt()
 	crontab_del
 }
-remove_macos()
+remove_macos() {
 {
 	remove_macos_firewall
 	service_remove_macos
 	crontab_del
 }
 fix_sbin_path
 check_system
 require_root
@ -89,22 +86,21 @@ require_root
 [ "$SYSTEM" = "macos" ] && . "$EXEDIR/init.d/macos/functions"
 case $SYSTEM in
-	systemd)
+systemd)
 	remove_systemd
 	;;
-	openrc)
+openrc)
 	remove_openrc
 	;;
-	linux)
+linux)
 	remove_linux
 	;;
-	openwrt)
+openwrt)
 	remove_openwrt
 	;;
-	macos)
+macos)
 	remove_macos
 	;;
 esac
 exitp 0