shellcheck linting and formatting shell scripts

2025-04-30 10:53:02 +03:00 · 2024-09-17 16:18:29 +03:00 · 2024-09-17 16:18:29 +03:00 · a13e4e064f
commit a13e4e064f
parent c1db09b19e
58 changed files with 2759 additions and 3296 deletions
--- a/blockcheck.sh
+++ b/blockcheck.sh
--- a/common/base.sh
+++ b/common/base.sh
@ -1,42 +1,36 @@
-which()
+which() {
 {
 	# on some systems 'which' command is considered deprecated and not installed by default
 	# 'command -v' replacement does not work exactly the same way. it outputs shell aliases if present
 	# $1 - executable name
 	local IFS=:
 	for p in $PATH; do
-	    [ -x "$p/$1" ] && {
+		[ -x "$p/$1" ] && {
-		echo "$p/$1"
+			echo "$p/$1"
-		return 0
+			return 0
-	    }
+		}
 	done
 	return 1
 }
-exists()
+exists() {
 {
 	which "$1" >/dev/null 2>/dev/null
 }
-existf()
+existf() {
 {
 	type "$1" >/dev/null 2>/dev/null
 }
-whichq()
+whichq() {
-{
+	which "$1" 2>/dev/null
 	which $1 2>/dev/null
 }
-exist_all()
+exist_all() {
 {
 	while [ -n "$1" ]; do
 		exists "$1" || return 1
 		shift
 	done
 	return 0
 }
-on_off_function()
+on_off_function() {
-{
+	# $1: function name on
-	# $1 : function name on
+	# $2: function name off
-	# $2 : function name off
+	# $3: 0 - off, 1 - on
 	# $3 : 0 - off, 1 - on
 	local F="$1"
 	[ "$3" = "1" ] || F="$2"
 	shift
@ -44,24 +38,21 @@ on_off_function()
 	shift
 	"$F" "$@"
 }
-contains()
+contains() {
 {
 	# check if substring $2 contains in $1
 	[ "${1#*$2}" != "$1" ]
 }
-starts_with()
+starts_with() {
-{
+	# $1: what
-	# $1 : what
+	# $2: starts with
 	# $2 : starts with
 	case "$1" in
-		"$2"*)
+	"$2"*)
-			return 0
+		return 0
-			;;
+		;;
 	esac
 	return 1
 }
-find_str_in_list()
+find_str_in_list() {
 {
 	[ -n "$1" ] && {
 		for v in $2; do
 			[ "$v" = "$1" ] && return 0
@ -69,14 +60,12 @@ find_str_in_list()
 	}
 	return 1
 }
-end_with_newline()
+end_with_newline() {
 {
 	local c="$(tail -c 1)"
 	[ "$c" = "" ]
 }
-append_separator_list()
+append_separator_list() {
 {
 	# $1 - var name to receive result
 	# $2 - separator
 	# $3 - quoter
@ -84,113 +73,102 @@ append_separator_list()
 	local _var="$1" sep="$2" quo="$3" i
 	eval i="\$$_var"
-	shift; shift; shift
+	shift
 	shift
 	shift
 	while [ -n "$1" ]; do
-		if [ -n "$i" ] ; then
+		if [ -n "$i" ]; then
 			i="$i$sep$quo$1$quo"
 		else
 			i="$quo$1$quo"
 		fi
 		shift
 	done
-	eval $_var="\$i"
+	eval "$_var"="\$i"
 }
-make_separator_list()
+make_separator_list() {
-{
+	eval "$1"=''
 	eval $1=''
 	append_separator_list "$@"
 }
-make_comma_list()
+make_comma_list() {
 {
 	# $1 - var name to receive result
 	# $2,$3,... - elements
 	local var="$1"
 	shift
-	make_separator_list $var , '' "$@"
+	make_separator_list "$var" , '' "$@"
 }
-make_quoted_comma_list()
+make_quoted_comma_list() {
 {
 	# $1 - var name to receive result
 	# $2,$3,... - elements
 	local var="$1"
 	shift
-	make_separator_list $var , '"' "$@"
+	make_separator_list "$var" , '"' "$@"
 }
-unique()
+unique() {
 {
 	local i
-	for i in "$@"; do echo $i; done | sort -u | xargs
+	for i in "$@"; do echo "$i"; done | sort -u | xargs
 }
-is_linked_to_busybox()
+is_linked_to_busybox() {
 {
 	local IFS F P
 	IFS=:
 	for path in $PATH; do
 		F=$path/$1
-		P="$(readlink $F)"
+		P="$(readlink "$F")"
-		if [ -z "$P" ] && [ -x $F ] && [ ! -L $F ]; then return 1; fi
+		if [ -z "$P" ] && [ -x "$F" ] && [ ! -L "$F" ]; then return 1; fi
 		[ "${P%busybox*}" != "$P" ] && return
 	done
 }
-get_dir_inode()
+get_dir_inode() {
 {
 	local dir="$1"
 	[ -L "$dir" ] && dir=$(readlink "$dir")
 	ls -id "$dir" | awk '{print $1}'
 }
-linux_min_version()
+linux_min_version() {
 {
 	# $1 - major ver
 	# $2 - minor ver
 	local V1=$(sed -nre 's/^Linux version ([0-9]+)\.[0-9]+.*$/\1/p' /proc/version)
 	local V2=$(sed -nre 's/^Linux version [0-9]+\.([0-9]+).*$/\1/p' /proc/version)
 	[ -n "$V1" -a -n "$V2" ] && [ "$V1" -gt "$1" -o "$V1" -eq "$1" -a "$V2" -ge "$2" ]
 }
-linux_get_subsys()
+linux_get_subsys() {
 {
 	local INIT="$(sed 's/\x0/\n/g' /proc/1/cmdline | head -n 1)"
 	[ -L "$INIT" ] && INIT=$(readlink "$INIT")
 	INIT="$(basename "$INIT")"
-	if [ -f "/etc/openwrt_release" ] && [ "$INIT" = "procd" ] ; then
+	if [ -f "/etc/openwrt_release" ] && [ "$INIT" = "procd" ]; then
 		SUBSYS=openwrt
-	elif [ -x "/bin/ndm" ] ; then
+	elif [ -x "/bin/ndm" ]; then
 		SUBSYS=keenetic
 	else
 		# generic linux
 		SUBSYS=
 	fi
 }
-openwrt_fw3()
+openwrt_fw3() {
 {
 	[ ! -x /sbin/fw4 -a -x /sbin/fw3 ]
 }
-openwrt_fw4()
+openwrt_fw4() {
 {
 	[ -x /sbin/fw4 ]
 }
-openwrt_fw3_integration()
+openwrt_fw3_integration() {
 {
 	[ "$FWTYPE" = iptables ] && openwrt_fw3
 }
-create_dev_stdin()
+create_dev_stdin() {
 {
 	[ -e /dev/stdin ] || ln -s /proc/self/fd/0 /dev/stdin
 }
-call_for_multiple_items()
+call_for_multiple_items() {
 {
 	# $1 - function to get an item
 	# $2 - variable name to put result into
 	# $3 - space separated parameters to function $1
 	local i item items
 	for i in $3; do
-		$1 item $i
+		$1 item "$i"
 		[ -n "$item" ] && {
 			if [ -n "$items" ]; then
 				items="$items $item"
@ -199,91 +177,85 @@ call_for_multiple_items()
 			fi
 		}
 	done
-	eval $2=\"$items\"
+	eval "$2"=\""$items"\"
 }
-fix_sbin_path()
+fix_sbin_path() {
 {
 	local IFS=':'
-	printf "%s\n" $PATH | grep -Fxq '/usr/sbin' || PATH="/usr/sbin:$PATH"
+	printf "%s\n" "$PATH" | grep -Fxq '/usr/sbin' || PATH="/usr/sbin:$PATH"
-	printf "%s\n" $PATH | grep -Fxq '/sbin' || PATH="/sbin:$PATH"
+	printf "%s\n" "$PATH" | grep -Fxq '/sbin' || PATH="/sbin:$PATH"
 	export PATH
 }
 # it can calculate floating point expr
-calc()
+calc() {
-{
+	awk "BEGIN { print $*}"
 	awk "BEGIN { print $*}";
 }
-fsleep_setup()
+fsleep_setup() {
-{
+	[ -n "$FSLEEP" ] || {
-    [ -n "$FSLEEP" ] || {
+		if sleep 0.001 2>/dev/null; then
-	if sleep 0.001 2>/dev/null; then
+			FSLEEP=1
-		FSLEEP=1
+		elif busybox usleep 1 2>/dev/null; then
-	elif busybox usleep 1 2>/dev/null; then
+			FSLEEP=2
 		FSLEEP=2
 	else
 		local errtext="$(read -t 0.001 2>&1)"
 		if [ -z "$errtext" ]; then
 			FSLEEP=3
 		# newer openwrt has ucode with system function that supports timeout in ms
 		elif ucode -e "system(['sleep','1'], 1)" 2>/dev/null; then
 			FSLEEP=4
 		# older openwrt may have lua and nixio lua module
 		elif lua -e 'require "nixio".nanosleep(0,1)' 2>/dev/null ; then
 			FSLEEP=5
 		else
-			FSLEEP=0
+			local errtext="$(read -t 0.001 2>&1)"
 			if [ -z "$errtext" ]; then
 				FSLEEP=3
 			# newer OpenWrt has ucode with system function that supports timeout in ms
 			elif ucode -e "system(['sleep','1'], 1)" 2>/dev/null; then
 				FSLEEP=4
 			# older OpenWrt may have lua and nixio lua module
 			elif lua -e 'require "nixio".nanosleep(0,1)' 2>/dev/null; then
 				FSLEEP=5
 			else
 				FSLEEP=0
 			fi
 		fi
-	fi
+	}
    }
 }
-msleep()
+msleep() {
-{
+	# $1 - milliseconds
-    # $1 - milliseconds
+	case "$FSLEEP" in
    case "$FSLEEP" in
 	1)
-		sleep $(calc $1/1000)
+		sleep $(calc "$1"/1000)
 		;;
 	2)
-		busybox usleep $(calc $1*1000)
+		busybox usleep $(calc "$1"*1000)
 		;;
 	3)
-		read -t $(calc $1/1000)
+		read -t $(calc "$1"/1000)
 		;;
 	4)
 		ucode -e "system(['sleep','2147483647'], $1)"
 		;;
 	5)
-		lua -e "require 'nixio'.nanosleep($(($1/1000)),$(calc $1%1000*1000000))"
+		lua -e "require 'nixio'.nanosleep($(($1 / 1000)),$(calc "$1"%1000*1000000))"
 		;;
-    	*)
+	*)
-		sleep $((($1+999)/1000))
+		sleep $((($1 + 999) / 1000))
-    esac
+		;;
 	esac
 }
-minsleep()
+minsleep() {
 {
 	msleep 100
 }
-replace_char()
+replace_char() {
 {
 	local a=$1
 	local b=$2
-	shift; shift
+	shift
-	echo "$@" | tr $a $b
+	shift
 	echo "$@" | tr "$a" "$b"
 }
-setup_md5()
+setup_md5() {
 {
 	[ -n "$MD5" ] && return
 	MD5=md5sum
 	exists $MD5 || MD5=md5
 }
-random()
+random() {
 {
 	# $1 - min, $2 - max
 	local r rs
 	setup_md5
@ -293,12 +265,11 @@ random()
 		rs="$RANDOM$RANDOM$(date)"
 	fi
 	# shells use signed int64
-	r=1$(echo $rs | $MD5 | sed 's/[^0-9]//g' | cut -c 1-17)
+	r=1$(echo "$rs" | $MD5 | sed 's/[^0-9]//g' | cut -c 1-17)
-	echo $(( ($r % ($2-$1+1)) + $1 ))
+	echo $((($r % ($2 - $1 + 1)) + $1))
 }
-shell_name()
+shell_name() {
 {
 	[ -n "$SHELL_NAME" ] || {
 		[ -n "$UNAME" ] || UNAME="$(uname)"
@ -313,12 +284,11 @@ shell_name()
 	}
 }
-std_ports()
+std_ports() {
-{
+	HTTP_PORTS=${HTTP_PORTS:-80}
        HTTP_PORTS=${HTTP_PORTS:-80}
 	HTTPS_PORTS=${HTTPS_PORTS:-443}
 	QUIC_PORTS=${QUIC_PORTS:-443}
-        HTTP_PORTS_IPT=$(replace_char - : $HTTP_PORTS)
+	HTTP_PORTS_IPT=$(replace_char - : "$HTTP_PORTS")
-        HTTPS_PORTS_IPT=$(replace_char - : $HTTPS_PORTS)
+	HTTPS_PORTS_IPT=$(replace_char - : "$HTTPS_PORTS")
-        QUIC_PORTS_IPT=$(replace_char - : $QUIC_PORTS)
+	QUIC_PORTS_IPT=$(replace_char - : "$QUIC_PORTS")
 }
--- a/common/dialog.sh
+++ b/common/dialog.sh
@ -1,36 +1,32 @@
-read_yes_no()
+read_yes_no() {
 {
 	# $1 - default (Y/N)
 	local A
 	read A
 	[ -z "$A" ] || ([ "$A" != "Y" ] && [ "$A" != "y" ] && [ "$A" != "N" ] && [ "$A" != "n" ]) && A=$1
 	[ "$A" = "Y" ] || [ "$A" = "y" ] || [ "$A" = "1" ]
 }
-ask_yes_no()
+ask_yes_no() {
 {
 	# $1 - default (Y/N or 0/1)
 	# $2 - text
 	local DEFAULT=$1
 	[ "$1" = "1" ] && DEFAULT=Y
 	[ "$1" = "0" ] && DEFAULT=N
 	[ -z "$DEFAULT" ] && DEFAULT=N
-	printf "$2 (default : $DEFAULT) (Y/N) ? "
+	printf "$2 (default: $DEFAULT) (Y/N)?"
-	read_yes_no $DEFAULT
+	read_yes_no "$DEFAULT"
 }
-ask_yes_no_var()
+ask_yes_no_var() {
-{
+	# $1 - variable name for answer: 0/1
 	# $1 - variable name for answer : 0/1
 	# $2 - text
 	local DEFAULT
 	eval DEFAULT="\$$1"
 	if ask_yes_no "$DEFAULT" "$2"; then
-		eval $1=1
+		eval "$1"=1
 	else
-		eval $1=0
+		eval "$1"=0
 	fi
 }
-ask_list()
+ask_list() {
 {
 	# $1 - mode var
 	# $2 - space separated value list
 	# $3 - (optional) default value
@ -40,19 +36,19 @@ ask_list()
 	local M=""
 	local m
-	[ -n "$3" ] && { find_str_in_list "$M_DEFAULT" "$2" || M_DEFAULT="$3" ;}
+	[ -n "$3" ] && { find_str_in_list "$M_DEFAULT" "$2" || M_DEFAULT="$3"; }
 	n=1
 	for m in $2; do
-		echo $n : $m
+		echo $n: "$m"
-		n=$(($n+1))
+		n=$(($n + 1))
 	done
 	printf "your choice (default : $M_DEFAULT) : "
 	read m
-	[ -n "$m" ] && M=$(echo $2 | cut -d ' ' -f$m 2>/dev/null)
+	[ -n "$m" ] && M=$(echo "$2" | cut -d ' ' -f"$m" 2>/dev/null)
 	[ -z "$M" ] && M="$M_DEFAULT"
-	echo selected : $M
+	echo selected: "$M"
-	eval $1="\"$M\""
+	eval "$1"="\"$M\""
 	[ "$M" != "$M_OLD" ]
 }
--- a/common/elevate.sh
+++ b/common/elevate.sh
@ -1,5 +1,4 @@
-require_root()
+require_root() {
 {
 	local exe
 	echo \* checking privileges
 	[ $(id -u) -ne "0" ] && {
--- a/common/fwtype.sh
+++ b/common/fwtype.sh
@ -1,25 +1,21 @@
-linux_ipt_avail()
+linux_ipt_avail() {
 {
 	exists iptables && exists ip6tables
 }
-linux_maybe_iptables_fwtype()
+linux_maybe_iptables_fwtype() {
 {
 	linux_ipt_avail && FWTYPE=iptables
 }
-linux_nft_avail()
+linux_nft_avail() {
 {
 	exists nft
 }
-linux_fwtype()
+linux_fwtype() {
 {
 	[ -n "$FWTYPE" ] && return
 	FWTYPE=unsupported
 	linux_get_subsys
-	if [ "$SUBSYS" = openwrt ] ; then
+	if [ "$SUBSYS" = openwrt ]; then
-		# linux kernel is new enough if fw4 is there
+		# Linux kernel is new enough if fw4 is there
-		if [ -x /sbin/fw4 ] && linux_nft_avail ; then
+		if [ -x /sbin/fw4 ] && linux_nft_avail; then
 			FWTYPE=nftables
 		else
 			linux_maybe_iptables_fwtype
@ -38,26 +34,25 @@ linux_fwtype()
 	export FWTYPE
 }
-get_fwtype()
+get_fwtype() {
 {
 	[ -n "$FWTYPE" ] && return
 	local UNAME="$(uname)"
 	case "$UNAME" in
-		Linux)
+	Linux)
-			linux_fwtype
+		linux_fwtype
-			;;
+		;;
-		FreeBSD)
+	FreeBSD)
-			if exists ipfw ; then
+		if exists ipfw; then
-				FWTYPE=ipfw
+			FWTYPE=ipfw
-			else
+		else
 				FWTYPE=unsupported
 			fi
 			;;
 		*)
 			FWTYPE=unsupported
-			;;
+		fi
 		;;
 	*)
 		FWTYPE=unsupported
 		;;
 	esac
 	export FWTYPE
--- a/common/installer.sh
+++ b/common/installer.sh
@ -6,36 +6,31 @@ SYSTEMD_DIR=/lib/systemd
 INIT_SCRIPT=/etc/init.d/zapret
-
+exitp() {
 exitp()
 {
 	echo
 	echo press enter to continue
 	read A
-	exit $1
+	exit "$1"
 }
-parse_var_checked()
+parse_var_checked() {
 {
 	# $1 - file name
 	# $2 - var name
 	local sed="sed -nre s/^[[:space:]]*$2=[\\\"|\']?([^\\\"|\']*)[\\\"|\']?/\1/p"
 	local v="$($sed <"$1" | tail -n 1)"
-	eval $2=\"$v\"
+	eval "$2"=\""$v"\"
 }
-parse_vars_checked()
+parse_vars_checked() {
 {
 	# $1 - file name
 	# $2,$3,... - var names
 	local f="$1"
 	shift
 	while [ -n "$1" ]; do
-		parse_var_checked "$f" $1
+		parse_var_checked "$f" "$1"
 		shift
 	done
 }
-edit_file()
+edit_file() {
 {
 	# $1 - file name
 	local ed="$EDITOR"
 	[ -n "$ed" ] || {
@ -48,8 +43,7 @@ edit_file()
 	}
 	[ -n "$ed" ] && "$ed" "$1"
 }
-edit_vars()
+edit_vars() {
 {
 	# $1,$2,... - var names
 	local n=1 var v tmp="/tmp/zvars"
 	rm -f "$tmp"
@ -57,21 +51,19 @@ edit_vars()
 		eval var="\$$n"
 		[ -n "$var" ] || break
 		eval v="\$$var"
-		echo $var=\"$v\" >>"$tmp"
+		echo "$var"=\""$v"\" >>"$tmp"
-		n=$(($n+1))
+		n=$(($n + 1))
 	done
 	edit_file "$tmp" && parse_vars_checked "$tmp" "$@"
 	rm -f "$tmp"
 }
-openrc_test()
+openrc_test() {
 {
 	exists rc-update || return 1
 	# some systems do not usse openrc-init but launch openrc from inittab
 	[ "$INIT" = "openrc-init" ] || grep -qE "sysinit.*openrc" /etc/inittab 2>/dev/null
 }
-check_system()
+check_system() {
 {
 	# $1 - nonempty = do not fail on unknown rc system
 	echo \* checking system
@ -93,21 +85,21 @@ check_system()
 		# some distros include systemctl without systemd
 		if [ -d "$SYSTEMD_DIR" ] && [ -x "$SYSTEMCTL" ] && [ "$INIT" = "systemd" ]; then
 			SYSTEM=systemd
-		elif [ -f "/etc/openwrt_release" ] && exists opkg && exists uci && [ "$INIT" = "procd" ] ; then
+		elif [ -f "/etc/openwrt_release" ] && exists opkg && exists uci && [ "$INIT" = "procd" ]; then
-		{
+			{
-			SYSTEM=openwrt
+				SYSTEM=openwrt
-			if openwrt_fw3 ; then
+				if openwrt_fw3; then
-				OPENWRT_FW3=1
+					OPENWRT_FW3=1
-				info="openwrt firewall uses fw3"
+					info="openwrt firewall uses fw3"
-				if is_ipt_flow_offload_avail; then
+					if is_ipt_flow_offload_avail; then
-					info="$info. hardware flow offloading requires iptables."
+						info="$info. hardware flow offloading requires iptables."
-				else
+					else
-					info="$info. flow offloading unavailable."
+						info="$info. flow offloading unavailable."
 					fi
 				elif openwrt_fw4; then
 					info="openwrt firewall uses fw4. flow offloading requires nftables."
 				fi
-			elif openwrt_fw4; then
+			}
 				info="openwrt firewall uses fw4. flow offloading requires nftables."
 			fi
 		}
 		elif openrc_test; then
 			SYSTEM=openrc
 		else
@ -115,9 +107,9 @@ check_system()
 			echo easy installer can set up config settings but can\'t configure auto start
 			echo you have to do it manually. check readme.txt for manual setup info.
 			if [ -n "$1" ] || ask_yes_no N "do you want to continue"; then
-			    SYSTEM=linux
+				SYSTEM=linux
 			else
-			    exitp 5
+				exitp 5
 			fi
 		fi
 		linux_get_subsys
@ -128,25 +120,21 @@ check_system()
 		exitp 5
 	fi
 	echo system is based on $SYSTEM
-	[ -n "$info" ] && echo $info
+	[ -n "$info" ] && echo "$info"
 }
-get_free_space_mb()
+get_free_space_mb() {
-{
+	df -m "$PWD" | awk '/[0-9]%/{print $(NF-2)}'
    df -m $PWD | awk '/[0-9]%/{print $(NF-2)}'
 }
-get_ram_kb()
+get_ram_kb() {
-{
+	grep MemTotal /proc/meminfo | awk '{print $2}'
    grep MemTotal /proc/meminfo | awk '{print $2}'
 }
-get_ram_mb()
+get_ram_mb() {
-{
+	local R=$(get_ram_kb)
-    local R=$(get_ram_kb)
+	echo $(($R / 1024))
    echo $(($R/1024))
 }
-crontab_del()
+crontab_del() {
 {
 	exists crontab || return
 	echo \* removing crontab entry
@ -162,8 +150,7 @@ crontab_del()
 	fi
 	rm -f $CRONTMP
 }
-crontab_del_quiet()
+crontab_del_quiet() {
 {
 	exists crontab || return
 	CRONTMP=/tmp/cron.tmp
@ -175,11 +162,10 @@ crontab_del_quiet()
 	fi
 	rm -f $CRONTMP
 }
-crontab_add()
+crontab_add() {
 {
 	# $1 - hour min
 	# $2 - hour max
-	[ -x "$GET_LIST" ] &&	{
+	[ -x "$GET_LIST" ] && {
 		echo \* adding crontab entry
 		if exists crontab; then
@ -190,7 +176,7 @@ crontab_add()
 				grep "$GET_LIST_PREFIX" $CRONTMP
 			else
 				end_with_newline <"$CRONTMP" || echo >>"$CRONTMP"
-				echo "$(random 0 59) $(random $1 $2) */2 * * $GET_LIST" >>$CRONTMP
+				echo "$(random 0 59) $(random "$1" "$2") */2 * * $GET_LIST" >>$CRONTMP
 				crontab $CRONTMP
 			fi
 			rm -f $CRONTMP
@ -199,18 +185,15 @@ crontab_add()
 		fi
 	}
 }
-cron_ensure_running()
+cron_ensure_running() {
-{
+	# if no crontabs present in /etc/cron OpenWrt init script does not launch crond. this is default
 	# if no crontabs present in /etc/cron openwrt init script does not launch crond. this is default
 	[ "$SYSTEM" = "openwrt" ] && {
 		/etc/init.d/cron enable
 		/etc/init.d/cron start
 	}
 }
-
+service_start_systemd() {
 service_start_systemd()
 {
 	echo \* starting zapret service
 	"$SYSTEMCTL" start zapret || {
@ -218,23 +201,20 @@ service_start_systemd()
 		exitp 30
 	}
 }
-service_stop_systemd()
+service_stop_systemd() {
 {
 	echo \* stopping zapret service
 	"$SYSTEMCTL" daemon-reload
 	"$SYSTEMCTL" disable zapret
 	"$SYSTEMCTL" stop zapret
 }
-service_remove_systemd()
+service_remove_systemd() {
 {
 	echo \* removing zapret service
 	rm -f "$SYSTEMD_SYSTEM_DIR/zapret.service"
 	"$SYSTEMCTL" daemon-reload
 }
-timer_remove_systemd()
+timer_remove_systemd() {
 {
 	echo \* removing zapret-list-update timer
 	"$SYSTEMCTL" daemon-reload
@ -244,8 +224,7 @@ timer_remove_systemd()
 	"$SYSTEMCTL" daemon-reload
 }
-install_sysv_init()
+install_sysv_init() {
 {
 	# $1 - "0"=disable
 	echo \* installing init script
@ -256,8 +235,7 @@ install_sysv_init()
 	ln -fs "$INIT_SCRIPT_SRC" "$INIT_SCRIPT"
 	[ "$1" != "0" ] && "$INIT_SCRIPT" enable
 }
-install_openrc_init()
+install_openrc_init() {
 {
 	# $1 - "0"=disable
 	echo \* installing init script
@ -268,8 +246,7 @@ install_openrc_init()
 	ln -fs "$INIT_SCRIPT_SRC" "$INIT_SCRIPT"
 	[ "$1" != "0" ] && rc-update add zapret
 }
-service_remove_openrc()
+service_remove_openrc() {
 {
 	echo \* removing zapret service
 	[ -x "$INIT_SCRIPT" ] && {
@ -278,8 +255,7 @@ service_remove_openrc()
 	}
 	rm -f "$INIT_SCRIPT"
 }
-service_start_sysv()
+service_start_sysv() {
 {
 	[ -x "$INIT_SCRIPT" ] && {
 		echo \* starting zapret service
 		"$INIT_SCRIPT" start || {
@ -288,15 +264,13 @@ service_start_sysv()
 		}
 	}
 }
-service_stop_sysv()
+service_stop_sysv() {
 {
 	[ -x "$INIT_SCRIPT" ] && {
 		echo \* stopping zapret service
 		"$INIT_SCRIPT" stop
 	}
 }
-service_remove_sysv()
+service_remove_sysv() {
 {
 	echo \* removing zapret service
 	[ -x "$INIT_SCRIPT" ] && {
@ -306,104 +280,91 @@ service_remove_sysv()
 	rm -f "$INIT_SCRIPT"
 }
-check_kmod()
+check_kmod() {
 {
 	[ -f "/lib/modules/$(uname -r)/$1.ko" ]
 }
-check_package_exists_openwrt()
+check_package_exists_openwrt() {
-{
+	[ -n "$(opkg list "$1")" ]
 	[ -n "$(opkg list $1)" ]
 }
-check_package_openwrt()
+check_package_openwrt() {
-{
+	[ -n "$(opkg list-installed "$1")" ] && return 0
-	[ -n "$(opkg list-installed $1)" ] && return 0
+	local what="$(opkg whatprovides "$1" | tail -n +2 | head -n 1)"
 	local what="$(opkg whatprovides $1 | tail -n +2 | head -n 1)"
 	[ -n "$what" ] || return 1
-	[ -n "$(opkg list-installed $what)" ]
+	[ -n "$(opkg list-installed "$what")" ]
 }
-check_packages_openwrt()
+check_packages_openwrt() {
 {
 	for pkg in $@; do
-		check_package_openwrt $pkg || return
+		check_package_openwrt "$pkg" || return
 	done
 }
-install_openwrt_iface_hook()
+install_openwrt_iface_hook() {
 {
 	echo \* installing ifup hook
 	ln -fs "$OPENWRT_IFACE_HOOK" /etc/hotplug.d/iface
 }
-remove_openwrt_iface_hook()
+remove_openwrt_iface_hook() {
 {
 	echo \* removing ifup hook
 	rm -f /etc/hotplug.d/iface/??-zapret
 }
-openwrt_fw_section_find()
+openwrt_fw_section_find() {
 {
 	# $1 - fw include postfix
 	# echoes section number
 	i=0
-	while true
+	while true; do
 	do
 		path=$(uci -q get firewall.@include[$i].path)
 		[ -n "$path" ] || break
 		[ "$path" = "$OPENWRT_FW_INCLUDE$1" ] && {
-	 		echo $i
+			echo $i
-	 		return 0
+			return 0
 		}
-		i=$(($i+1))
+		i=$(($i + 1))
 	done
 	return 1
 }
-openwrt_fw_section_del()
+openwrt_fw_section_del() {
 {
 	# $1 - fw include postfix
-	local id="$(openwrt_fw_section_find $1)"
+	local id="$(openwrt_fw_section_find "$1")"
 	[ -n "$id" ] && {
-		uci delete firewall.@include[$id] && uci commit firewall
+		uci delete firewall.@include["$id"] && uci commit firewall
 		rm -f "$OPENWRT_FW_INCLUDE$1"
 	}
 }
-openwrt_fw_section_add()
+openwrt_fw_section_add() {
 {
 	openwrt_fw_section_find ||
-	{
+		{
-		uci add firewall include >/dev/null || return
+			uci add firewall include >/dev/null || return
-		echo -1
+			echo -1
-	}
+		}
 }
-openwrt_fw_section_configure()
+openwrt_fw_section_configure() {
-{
+	local id="$(openwrt_fw_section_add "$1")"
 	local id="$(openwrt_fw_section_add $1)"
 	[ -z "$id" ] ||
-	 ! uci set firewall.@include[$id].path="$OPENWRT_FW_INCLUDE" ||
+		! uci set firewall.@include["$id"].path="$OPENWRT_FW_INCLUDE" ||
-	 ! uci set firewall.@include[$id].reload="1" ||
+		! uci set firewall.@include["$id"].reload="1" ||
-	 ! uci commit firewall &&
+		! uci commit firewall &&
-	{
+		{
-		echo could not add firewall include
+			echo could not add firewall include
-		exitp 50
+			exitp 50
-	}
+		}
 }
-install_openwrt_firewall()
+install_openwrt_firewall() {
-{
+	echo \* installing firewall script "$1"
 	echo \* installing firewall script $1
 	[ -n "MODE" ] || {
-		echo should specify MODE in $ZAPRET_CONFIG
+		echo should specify MODE in "$ZAPRET_CONFIG"
 		exitp 7
 	}
-	echo "linking : $FW_SCRIPT_SRC => $OPENWRT_FW_INCLUDE"
+	echo "linking: $FW_SCRIPT_SRC => $OPENWRT_FW_INCLUDE"
 	ln -fs "$FW_SCRIPT_SRC" "$OPENWRT_FW_INCLUDE"
-	openwrt_fw_section_configure $1
+	openwrt_fw_section_configure "$1"
 }
-restart_openwrt_firewall()
+restart_openwrt_firewall() {
 {
 	echo \* restarting firewall
 	local FW=fw4
@ -413,8 +374,7 @@ restart_openwrt_firewall()
 		exitp 30
 	}
 }
-remove_openwrt_firewall()
+remove_openwrt_firewall() {
 {
 	echo \* removing firewall script
 	openwrt_fw_section_del
@ -422,43 +382,36 @@ remove_openwrt_firewall()
 	openwrt_fw_section_del 6
 }
-clear_ipset()
+clear_ipset() {
 {
 	echo "* clearing ipset(s)"
 	# free some RAM
 	"$IPSET_DIR/create_ipset.sh" clear
 }
-
+service_install_macos() {
 service_install_macos()
 {
 	echo \* installing zapret service
 	ln -fs "$ZAPRET_BASE/init.d/macos/zapret.plist" /Library/LaunchDaemons
 }
-service_start_macos()
+service_start_macos() {
 {
 	echo \* starting zapret service
 	"$INIT_SCRIPT_SRC" start
 }
-service_stop_macos()
+service_stop_macos() {
 {
 	echo \* stopping zapret service
 	"$INIT_SCRIPT_SRC" stop
 }
-service_remove_macos()
+service_remove_macos() {
 {
 	echo \* removing zapret service
 	rm -f /Library/LaunchDaemons/zapret.plist
 	zapret_stop_daemons
 }
-remove_macos_firewall()
+remove_macos_firewall() {
 {
 	echo \* removing zapret PF hooks
 	pf_anchors_clear
@ -467,9 +420,8 @@ remove_macos_firewall()
 	pf_anchor_root_reload
 }
-sedi()
+sedi() {
-{
+	# macOS doesnt support -i without parameter. busybox doesnt support -i with parameter.
 	# MacOS doesnt support -i without parameter. busybox doesnt support -i with parameter.
 	# its not possible to put "sed -i ''" to a variable and then use it
 	if [ "$SYSTEM" = "macos" ]; then
 		sed -i '' "$@"
@ -478,8 +430,7 @@ sedi()
 	fi
 }
-write_config_var()
+write_config_var() {
 {
 	# $1 - mode var
 	local M
 	eval M="\$$1"
@ -487,7 +438,7 @@ write_config_var()
 	if grep -q "^$1=\|^#$1=" "$ZAPRET_CONFIG"; then
 		# replace / => \/
 		#M=${M//\//\\\/}
-		M=$(echo $M | sed 's/\//\\\//g')
+		M=$(echo "$M" | sed 's/\//\\\//g')
 		if [ -n "$M" ]; then
 			if contains "$M" " "; then
 				sedi -Ee "s/^#?$1=.*$/$1=\"$M\"/" "$ZAPRET_CONFIG"
@ -508,37 +459,36 @@ write_config_var()
 	fi
 }
-check_prerequisites_linux()
+check_prerequisites_linux() {
 {
 	echo \* checking prerequisites
 	local s cmd PKGS UTILS req="curl curl"
 	case "$FWTYPE" in
-		iptables)
+	iptables)
-			req="$req iptables iptables ip6tables iptables ipset ipset"
+		req="$req iptables iptables ip6tables iptables ipset ipset"
-			;;
+		;;
-		nftables)
+	nftables)
-			req="$req nft nftables"
+		req="$req nft nftables"
-			;;
+		;;
 	esac
-	PKGS=$(for s in $req; do echo $s; done |
+	PKGS=$(for s in $req; do echo "$s"; done |
 		while read cmd; do
 			read pkg
-			exists $cmd || echo $pkg
+			exists "$cmd" || echo "$pkg"
 		done | sort -u | xargs)
-	UTILS=$(for s in $req; do echo $s; done |
+	UTILS=$(for s in $req; do echo "$s"; done |
 		while read cmd; do
 			read pkg
-			echo $cmd
+			echo "$cmd"
 		done | sort -u | xargs)
-	if [ -z "$PKGS" ] ; then
+	if [ -z "$PKGS" ]; then
-		echo required utilities exist : $UTILS
+		echo required utilities exist: "$UTILS"
 	else
 		echo \* installing prerequisites
-		echo packages required : $PKGS
+		echo packages required: "$PKGS"
 		APTGET=$(whichq apt-get)
 		YUM=$(whichq yum)
@ -546,73 +496,72 @@ check_prerequisites_linux()
 		ZYPPER=$(whichq zypper)
 		EOPKG=$(whichq eopkg)
 		APK=$(whichq apk)
-		if [ -x "$APTGET" ] ; then
+		if [ -x "$APTGET" ]; then
 			"$APTGET" update
-			"$APTGET" install -y --no-install-recommends $PKGS dnsutils || {
+			"$APTGET" install -y --no-install-recommends "$PKGS" dnsutils || {
 				echo could not install prerequisites
 				exitp 6
 			}
-		elif [ -x "$YUM" ] ; then
+		elif [ -x "$YUM" ]; then
-			"$YUM" -y install $PKGS || {
+			"$YUM" -y install "$PKGS" || {
 				echo could not install prerequisites
 				exitp 6
 			}
-		elif [ -x "$PACMAN" ] ; then
+		elif [ -x "$PACMAN" ]; then
 			"$PACMAN" -Syy
-			"$PACMAN" --noconfirm -S $PKGS || {
+			"$PACMAN" --noconfirm -S "$PKGS" || {
 				echo could not install prerequisites
 				exitp 6
 			}
-		elif [ -x "$ZYPPER" ] ; then
+		elif [ -x "$ZYPPER" ]; then
-			"$ZYPPER" --non-interactive install $PKGS || {
+			"$ZYPPER" --non-interactive install "$PKGS" || {
 				echo could not install prerequisites
 				exitp 6
 			}
-		elif [ -x "$EOPKG" ] ; then
+		elif [ -x "$EOPKG" ]; then
-			"$EOPKG" -y install $PKGS || {
+			"$EOPKG" -y install "$PKGS" || {
 				echo could not install prerequisites
 				exitp 6
 			}
-		elif [ -x "$APK" ] ; then
+		elif [ -x "$APK" ]; then
 			"$APK" update
 			# for alpine
 			[ "$FWTYPE" = iptables ] && [ -n "$($APK list ip6tables)" ] && PKGS="$PKGS ip6tables"
-			"$APK" add $PKGS || {
+			"$APK" add "$PKGS" || {
 				echo could not install prerequisites
 				exitp 6
 			}
 		else
 			echo supported package manager not found
-			echo you must manually install : $UTILS
+			echo you must manually install: "$UTILS"
 			exitp 5
 		fi
 	fi
 }
-check_prerequisites_openwrt()
+check_prerequisites_openwrt() {
 {
 	echo \* checking prerequisites
 	local PKGS="curl" UPD=0
 	case "$FWTYPE" in
-		iptables)
+	iptables)
-			PKGS="$PKGS ipset iptables iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptables-mod-ipopt iptables-mod-conntrack-extra"
+		PKGS="$PKGS ipset iptables iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptables-mod-ipopt iptables-mod-conntrack-extra"
-			[ "$DISABLE_IPV6" != "1" ] && PKGS="$PKGS ip6tables ip6tables-mod-nat ip6tables-extra"
+		[ "$DISABLE_IPV6" != "1" ] && PKGS="$PKGS ip6tables ip6tables-mod-nat ip6tables-extra"
-			;;
+		;;
-		nftables)
+	nftables)
-			PKGS="$PKGS nftables kmod-nft-nat kmod-nft-offload kmod-nft-queue"
+		PKGS="$PKGS nftables kmod-nft-nat kmod-nft-offload kmod-nft-queue"
-			;;
+		;;
 	esac
-	if check_packages_openwrt $PKGS ; then
+	if check_packages_openwrt "$PKGS"; then
 		echo everything is present
 	else
 		echo \* installing prerequisites
 		opkg update
 		UPD=1
-		opkg install $PKGS || {
+		opkg install "$PKGS" || {
 			echo could not install prerequisites
 			exitp 6
 		}
@ -659,10 +608,7 @@ check_prerequisites_openwrt()
 	}
 }
-
+select_ipv6() {
 select_ipv6()
 {
 	local T=N
 	[ "$DISABLE_IPV6" != '1' ] && T=Y
@ -675,8 +621,7 @@ select_ipv6()
 	fi
 	[ "$old6" != "$DISABLE_IPV6" ] && write_config_var DISABLE_IPV6
 }
-select_fwtype()
+select_fwtype() {
 {
 	echo
 	[ $(get_ram_mb) -le 400 ] && {
 		echo WARNING ! you are running a low RAM system
--- a/common/ipt.sh
+++ b/common/ipt.sh
@ -1,55 +1,43 @@
 std_ports
 readonly ipt_connbytes="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes"
-ipt()
+ipt() {
 {
 	iptables -C "$@" >/dev/null 2>/dev/null || iptables -I "$@"
 }
-ipta()
+ipta() {
 {
 	iptables -C "$@" >/dev/null 2>/dev/null || iptables -A "$@"
 }
-ipt_del()
+ipt_del() {
 {
 	iptables -C "$@" >/dev/null 2>/dev/null && iptables -D "$@"
 }
-ipt_add_del()
+ipt_add_del() {
 {
 	on_off_function ipt ipt_del "$@"
 }
-ipta_add_del()
+ipta_add_del() {
 {
 	on_off_function ipta ipt_del "$@"
 }
-ipt6()
+ipt6() {
 {
 	ip6tables -C "$@" >/dev/null 2>/dev/null || ip6tables -I "$@"
 }
-ipt6a()
+ipt6a() {
 {
 	ip6tables -C "$@" >/dev/null 2>/dev/null || ip6tables -A "$@"
 }
-ipt6_del()
+ipt6_del() {
 {
 	ip6tables -C "$@" >/dev/null 2>/dev/null && ip6tables -D "$@"
 }
-ipt6_add_del()
+ipt6_add_del() {
 {
 	on_off_function ipt6 ipt6_del "$@"
 }
-ipt6a_add_del()
+ipt6a_add_del() {
 {
 	on_off_function ipt6 ipt6a_del "$@"
 }
-is_ipt_flow_offload_avail()
+is_ipt_flow_offload_avail() {
-{
+	# $1 = '' for IPv4, '6' for IPv6
-	# $1 = '' for ipv4, '6' for ipv6
+	grep -q FLOWOFFLOAD /proc/net/ip"$1"_tables_targets 2>/dev/null
 	grep -q FLOWOFFLOAD 2>/dev/null /proc/net/ip$1_tables_targets
 }
-filter_apply_port_target()
+filter_apply_port_target() {
 {
 	# $1 - var name of iptables filter
 	local f
 	if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
@ -61,62 +49,54 @@ filter_apply_port_target()
 	else
 		echo WARNING !!! HTTP and HTTPS are both disabled
 	fi
-	eval $1="\"\$$1 $f\""
+	eval "$1"="\"\$$1 $f\""
 }
-filter_apply_port_target_quic()
+filter_apply_port_target_quic() {
 {
 	# $1 - var name of nftables filter
 	local f
 	f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
-	eval $1="\"\$$1 $f\""
+	eval "$1"="\"\$$1 $f\""
 }
-filter_apply_ipset_target4()
+filter_apply_ipset_target4() {
 {
 	# $1 - var name of ipv4 iptables filter
 	if [ "$MODE_FILTER" = "ipset" ]; then
-		eval $1="\"\$$1 -m set --match-set zapret dst\""
+		eval "$1"="\"\$$1 -m set --match-set zapret dst\""
 	fi
 }
-filter_apply_ipset_target6()
+filter_apply_ipset_target6() {
 {
 	# $1 - var name of ipv6 iptables filter
 	if [ "$MODE_FILTER" = "ipset" ]; then
-		eval $1="\"\$$1 -m set --match-set zapret6 dst\""
+		eval "$1"="\"\$$1 -m set --match-set zapret6 dst\""
 	fi
 }
-filter_apply_ipset_target()
+filter_apply_ipset_target() {
 {
 	# $1 - var name of ipv4 iptables filter
 	# $2 - var name of ipv6 iptables filter
-	filter_apply_ipset_target4 $1
+	filter_apply_ipset_target4 "$1"
-	filter_apply_ipset_target6 $2
+	filter_apply_ipset_target6 "$2"
 }
-reverse_nfqws_rule_stream()
+reverse_nfqws_rule_stream() {
 {
 	sed -e 's/-o /-i /g' -e 's/--dport /--sport /g' -e 's/--dports /--sports /g' -e 's/ dst$/ src/' -e 's/ dst / src /g' -e 's/--connbytes-dir=original/--connbytes-dir=reply/g' -e "s/-m mark ! --mark $DESYNC_MARK\/$DESYNC_MARK//g"
 }
-reverse_nfqws_rule()
+reverse_nfqws_rule() {
 {
 	echo "$@" | reverse_nfqws_rule_stream
 }
-prepare_tpws_fw4()
+prepare_tpws_fw4() {
-{
+	# otherwise Linux kernel will treat 127.0.0.0/8 as "martian" ip and refuse routing to it
-	# otherwise linux kernel will treat 127.0.0.0/8 as "martian" ip and refuse routing to it
+	# NOTE: kernels <3.6 do not have this feature. consider upgrading or change DNAT to REDIRECT and do not bind to 127.0.0.0/8
 	# NOTE : kernels <3.6 do not have this feature. consider upgrading or change DNAT to REDIRECT and do not bind to 127.0.0.0/8
 	[ "$DISABLE_IPV4" = "1" ] || {
 		iptables -N input_rule_zapret 2>/dev/null
-		ipt input_rule_zapret -d $TPWS_LOCALHOST4 -j RETURN
+		ipt input_rule_zapret -d "$TPWS_LOCALHOST4" -j RETURN
 		ipta input_rule_zapret -d 127.0.0.0/8 -j DROP
 		ipt INPUT ! -i lo -j input_rule_zapret
 		prepare_route_localnet
 	}
 }
-unprepare_tpws_fw4()
+unprepare_tpws_fw4() {
 {
 	[ "$DISABLE_IPV4" = "1" ] || {
 		unprepare_route_localnet
@ -125,14 +105,11 @@ unprepare_tpws_fw4()
 		iptables -X input_rule_zapret 2>/dev/null
 	}
 }
-unprepare_tpws_fw()
+unprepare_tpws_fw() {
 {
 	unprepare_tpws_fw4
 }
-
+ipt_print_op() {
 ipt_print_op()
 {
 	if [ "$1" = "1" ]; then
 		echo "Adding ip$4tables rule for $3 : $2"
 	else
@ -140,8 +117,7 @@ ipt_print_op()
 	fi
 }
-_fw_tpws4()
+_fw_tpws4() {
 {
 	# $1 - 1 - add, 0 - del
 	# $2 - iptable filter for ipv4
 	# $3 - tpws port
@ -152,25 +128,24 @@ _fw_tpws4()
 		[ "$1" = 1 ] && prepare_tpws_fw4
-		ipt_print_op $1 "$2" "tpws (port $3)"
+		ipt_print_op "$1" "$2" "tpws (port $3)"
 		rule="$2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3"
-		for i in $4 ; do
+		for i in $4; do
-			ipt_add_del $1 PREROUTING -t nat -i $i $rule
+			ipt_add_del "$1" PREROUTING -t nat -i "$i" "$rule"
-	 	done
+		done
 		rule="-m owner ! --uid-owner $WS_USER $rule"
 		if [ -n "$5" ]; then
 			for i in $5; do
-				ipt_add_del $1 OUTPUT -t nat -o $i $rule
+				ipt_add_del "$1" OUTPUT -t nat -o "$i" "$rule"
 			done
 		else
-			ipt_add_del $1 OUTPUT -t nat $rule
+			ipt_add_del "$1" OUTPUT -t nat "$rule"
 		fi
 	}
 }
-_fw_tpws6()
+_fw_tpws6() {
 {
 	# $1 - 1 - add, 0 - del
 	# $2 - iptable filter for ipv6
 	# $3 - tpws port
@ -180,37 +155,34 @@ _fw_tpws6()
 	[ "$DISABLE_IPV6" = "1" -o -z "$2" ] || {
 		local i rule DNAT6
-		ipt_print_op $1 "$2" "tpws (port $3)" 6
+		ipt_print_op "$1" "$2" "tpws (port $3)" 6
 		rule="$2 $IPSET_EXCLUDE6 dst"
-		for i in $4 ; do
+		for i in $4; do
-			_dnat6_target $i DNAT6
+			_dnat6_target "$i" DNAT6
-			[ -n "$DNAT6" -a "$DNAT6" != "-" ] && ipt6_add_del $1 PREROUTING -t nat -i $i $rule -j DNAT --to [$DNAT6]:$3
+			[ -n "$DNAT6" -a "$DNAT6" != "-" ] && ipt6_add_del "$1" PREROUTING -t nat -i "$i" "$rule" -j DNAT --to ["$DNAT6"]:"$3"
-	 	done
+		done
 		rule="-m owner ! --uid-owner $WS_USER $rule -j DNAT --to [::1]:$3"
 		if [ -n "$5" ]; then
 			for i in $5; do
-				ipt6_add_del $1 OUTPUT -t nat -o $i $rule
+				ipt6_add_del "$1" OUTPUT -t nat -o "$i" "$rule"
 			done
 		else
-			ipt6_add_del $1 OUTPUT -t nat $rule
+			ipt6_add_del "$1" OUTPUT -t nat "$rule"
 		fi
 	}
 }
-fw_tpws()
+fw_tpws() {
 {
 	# $1 - 1 - add, 0 - del
 	# $2 - iptable filter for ipv4
 	# $3 - iptable filter for ipv6
 	# $4 - tpws port
-	fw_tpws4 $1 "$2" $4
+	fw_tpws4 "$1" "$2" "$4"
-	fw_tpws6 $1 "$3" $4
+	fw_tpws6 "$1" "$3" "$4"
 }
-
+_fw_nfqws_post4() {
 _fw_nfqws_post4()
 {
 	# $1 - 1 - add, 0 - del
 	# $2 - iptable filter for ipv4
 	# $3 - queue number
@ -218,20 +190,19 @@ _fw_nfqws_post4()
 	[ "$DISABLE_IPV4" = "1" -o -z "$2" ] || {
 		local i
-		ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)"
+		ipt_print_op "$1" "$2" "nfqws postrouting (qnum $3)"
 		rule="$2 $IPSET_EXCLUDE dst -j NFQUEUE --queue-num $3 --queue-bypass"
-		if [ -n "$4" ] ; then
+		if [ -n "$4" ]; then
 			for i in $4; do
-				ipt_add_del $1 POSTROUTING -t mangle -o $i $rule
+				ipt_add_del "$1" POSTROUTING -t mangle -o "$i" "$rule"
 			done
 		else
-			ipt_add_del $1 POSTROUTING -t mangle $rule
+			ipt_add_del "$1" POSTROUTING -t mangle "$rule"
 		fi
 	}
 }
-_fw_nfqws_post6()
+_fw_nfqws_post6() {
 {
 	# $1 - 1 - add, 0 - del
 	# $2 - iptable filter for ipv6
 	# $3 - queue number
@ -239,30 +210,28 @@ _fw_nfqws_post6()
 	[ "$DISABLE_IPV6" = "1" -o -z "$2" ] || {
 		local i
-		ipt_print_op $1 "$2" "nfqws postrouting (qnum $3)" 6
+		ipt_print_op "$1" "$2" "nfqws postrouting (qnum $3)" 6
 		rule="$2 $IPSET_EXCLUDE6 dst -j NFQUEUE --queue-num $3 --queue-bypass"
-		if [ -n "$4" ] ; then
+		if [ -n "$4" ]; then
 			for i in $4; do
-				ipt6_add_del $1 POSTROUTING -t mangle -o $i $rule
+				ipt6_add_del "$1" POSTROUTING -t mangle -o "$i" "$rule"
 			done
 		else
-			ipt6_add_del $1 POSTROUTING -t mangle $rule
+			ipt6_add_del "$1" POSTROUTING -t mangle "$rule"
 		fi
 	}
 }
-fw_nfqws_post()
+fw_nfqws_post() {
 {
 	# $1 - 1 - add, 0 - del
 	# $2 - iptable filter for ipv4
 	# $3 - iptable filter for ipv6
 	# $4 - queue number
-	fw_nfqws_post4 $1 "$2" $4
+	fw_nfqws_post4 "$1" "$2" "$4"
-	fw_nfqws_post6 $1 "$3" $4
+	fw_nfqws_post6 "$1" "$3" "$4"
 }
-_fw_nfqws_pre4()
+_fw_nfqws_pre4() {
 {
 	# $1 - 1 - add, 0 - del
 	# $2 - iptable filter for ipv4
 	# $3 - queue number
@ -270,23 +239,22 @@ _fw_nfqws_pre4()
 	[ "$DISABLE_IPV4" = "1" -o -z "$2" ] || {
 		local i
-		ipt_print_op $1 "$2" "nfqws input+forward (qnum $3)"
+		ipt_print_op "$1" "$2" "nfqws input+forward (qnum $3)"
 		rule="$2 $IPSET_EXCLUDE src -j NFQUEUE --queue-num $3 --queue-bypass"
-		if [ -n "$4" ] ; then
+		if [ -n "$4" ]; then
 			for i in $4; do
 				# iptables PREROUTING chain is before NAT. not possible to have DNATed ip's there
-				ipt_add_del $1 INPUT -t mangle -i $i $rule
+				ipt_add_del "$1" INPUT -t mangle -i "$i" "$rule"
-				ipt_add_del $1 FORWARD -t mangle -i $i $rule
+				ipt_add_del "$1" FORWARD -t mangle -i "$i" "$rule"
 			done
 		else
-			ipt_add_del $1 INPUT -t mangle $rule
+			ipt_add_del "$1" INPUT -t mangle "$rule"
-			ipt_add_del $1 FORWARD -t mangle $rule
+			ipt_add_del "$1" FORWARD -t mangle "$rule"
 		fi
 	}
 }
-_fw_nfqws_pre6()
+_fw_nfqws_pre6() {
 {
 	# $1 - 1 - add, 0 - del
 	# $2 - iptable filter for ipv6
 	# $3 - queue number
@ -294,34 +262,31 @@ _fw_nfqws_pre6()
 	[ "$DISABLE_IPV6" = "1" -o -z "$2" ] || {
 		local i
-		ipt_print_op $1 "$2" "nfqws input+forward (qnum $3)" 6
+		ipt_print_op "$1" "$2" "nfqws input+forward (qnum $3)" 6
 		rule="$2 $IPSET_EXCLUDE6 src -j NFQUEUE --queue-num $3 --queue-bypass"
-		if [ -n "$4" ] ; then
+		if [ -n "$4" ]; then
 			for i in $4; do
 				# iptables PREROUTING chain is before NAT. not possible to have DNATed ip's there
-				ipt6_add_del $1 INPUT -t mangle -i $i $rule
+				ipt6_add_del "$1" INPUT -t mangle -i "$i" "$rule"
-				ipt6_add_del $1 FORWARD -t mangle -i $i $rule
+				ipt6_add_del "$1" FORWARD -t mangle -i "$i" "$rule"
 			done
 		else
-			ipt6_add_del $1 INPUT -t mangle $rule
+			ipt6_add_del "$1" INPUT -t mangle "$rule"
-			ipt6_add_del $1 FORWARD -t mangle $rule
+			ipt6_add_del "$1" FORWARD -t mangle "$rule"
 		fi
 	}
 }
-fw_nfqws_pre()
+fw_nfqws_pre() {
 {
 	# $1 - 1 - add, 0 - del
 	# $2 - iptable filter for ipv4
 	# $3 - iptable filter for ipv6
 	# $4 - queue number
-	fw_nfqws_pre4 $1 "$2" $4
+	fw_nfqws_pre4 "$1" "$2" "$4"
-	fw_nfqws_pre6 $1 "$3" $4
+	fw_nfqws_pre6 "$1" "$3" "$4"
 }
-
+produce_reverse_nfqws_rule() {
 produce_reverse_nfqws_rule()
 {
 	local rule="$1"
 	if contains "$rule" "$ipt_connbytes"; then
 		# autohostlist - need several incoming packets
@ -334,28 +299,23 @@ produce_reverse_nfqws_rule()
 	fi
 	echo "$rule" | reverse_nfqws_rule_stream
 }
-fw_reverse_nfqws_rule4()
+fw_reverse_nfqws_rule4() {
-{
+	fw_nfqws_pre4 "$1" "$(produce_reverse_nfqws_rule "$2")" "$3"
 	fw_nfqws_pre4 $1 "$(produce_reverse_nfqws_rule "$2")" $3
 }
-fw_reverse_nfqws_rule6()
+fw_reverse_nfqws_rule6() {
-{
+	fw_nfqws_pre6 "$1" "$(produce_reverse_nfqws_rule "$2")" "$3"
 	fw_nfqws_pre6 $1 "$(produce_reverse_nfqws_rule "$2")" $3
 }
-fw_reverse_nfqws_rule()
+fw_reverse_nfqws_rule() {
 {
 	# ensure that modes relying on incoming traffic work
 	# $1 - 1 - add, 0 - del
 	# $2 - rule4
 	# $3 - rule6
 	# $4 - queue number
-	fw_reverse_nfqws_rule4 $1 "$2" $4
+	fw_reverse_nfqws_rule4 "$1" "$2" "$4"
-	fw_reverse_nfqws_rule6 $1 "$3" $4
+	fw_reverse_nfqws_rule6 "$1" "$3" "$4"
 }
-
+zapret_do_firewall_rules_ipt() {
 zapret_do_firewall_rules_ipt()
 {
 	local mode="${MODE_OVERRIDE:-$MODE}"
 	local first_packet_only="$ipt_connbytes 1:$(first_packets_for_mode)"
@ -363,87 +323,86 @@ zapret_do_firewall_rules_ipt()
 	local n f4 f6 qn qns qn6 qns6
 	case "$mode" in
-		tpws)
+	tpws)
-			if [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ]; then
+		if [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ]; then
-				echo both http and https are disabled. not applying redirection.
+			echo both HTTP and HTTPS are disabled. not applying redirection.
-			else
+		else
-				filter_apply_port_target f4
+			filter_apply_port_target f4
-				f6=$f4
+			f6=$f4
-				filter_apply_ipset_target f4 f6
+			filter_apply_ipset_target f4 f6
-				fw_tpws $1 "$f4" "$f6" $TPPORT
+			fw_tpws "$1" "$f4" "$f6" "$TPPORT"
-			fi
+		fi
-			;;
+		;;
-		nfqws)
+	nfqws)
-			# quite complex but we need to minimize nfqws processes to save RAM
+		# quite complex but we need to minimize nfqws processes to save RAM
-			get_nfqws_qnums qn qns qn6 qns6
+		get_nfqws_qnums qn qns qn6 qns6
-			if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn" ] && [ "$qn" = "$qns" ]; then
+		if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn" ] && [ "$qn" = "$qns" ]; then
-				filter_apply_port_target f4
+			filter_apply_port_target f4
-				f4="$f4 $first_packet_only"
+			f4="$f4 $first_packet_only"
-				filter_apply_ipset_target4 f4
+			filter_apply_ipset_target4 f4
-				fw_nfqws_post4 $1 "$f4 $desync" $qn
+			fw_nfqws_post4 "$1" "$f4 $desync" "$qn"
-				fw_reverse_nfqws_rule4 $1 "$f4" $qn
+			fw_reverse_nfqws_rule4 "$1" "$f4" "$qn"
-			else
+		else
 				if [ -n "$qn" ]; then
 					f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
 					[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
 					filter_apply_ipset_target4 f4
 					fw_nfqws_post4 $1 "$f4 $desync" $qn
 					fw_reverse_nfqws_rule4 $1 "$f4" $qn
 				fi
 				if [ -n "$qns" ]; then
 					f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
 					filter_apply_ipset_target4 f4
 					fw_nfqws_post4 $1 "$f4 $desync" $qns
 					fw_reverse_nfqws_rule4 $1 "$f4" $qns
 				fi
 			fi
 			if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn6" ] && [ "$qn6" = "$qns6" ]; then
 				filter_apply_port_target f6
 				f6="$f6 $first_packet_only"
 				filter_apply_ipset_target6 f6
 				fw_nfqws_post6 $1 "$f6 $desync" $qn6
 				fw_reverse_nfqws_rule6 $1 "$f6" $qn6
 			else
 				if [ -n "$qn6" ]; then
 					f6="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
 					[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only"
 					filter_apply_ipset_target6 f6
 					fw_nfqws_post6 $1 "$f6 $desync" $qn6
 					fw_reverse_nfqws_rule6 $1 "$f6" $qn6
 				fi
 				if [ -n "$qns6" ]; then
 					f6="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
 					filter_apply_ipset_target6 f6
 					fw_nfqws_post6 $1 "$f6 $desync" $qns6
 					fw_reverse_nfqws_rule6 $1 "$f6" $qns6
 				fi
 			fi
 			get_nfqws_qnums_quic qn qn6
 			if [ -n "$qn" ]; then
-				f4=
+				f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
-				filter_apply_port_target_quic f4
+				[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packet_only"
 				f4="$f4 $first_packet_only"
 				filter_apply_ipset_target4 f4
-				fw_nfqws_post4 $1 "$f4 $desync" $qn
+				fw_nfqws_post4 "$1" "$f4 $desync" "$qn"
 				fw_reverse_nfqws_rule4 "$1" "$f4" "$qn"
 			fi
 			if [ -n "$qns" ]; then
 				f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
 				filter_apply_ipset_target4 f4
 				fw_nfqws_post4 "$1" "$f4 $desync" "$qns"
 				fw_reverse_nfqws_rule4 "$1" "$f4" "$qns"
 			fi
 		fi
 		if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn6" ] && [ "$qn6" = "$qns6" ]; then
 			filter_apply_port_target f6
 			f6="$f6 $first_packet_only"
 			filter_apply_ipset_target6 f6
 			fw_nfqws_post6 "$1" "$f6 $desync" "$qn6"
 			fw_reverse_nfqws_rule6 "$1" "$f6" "$qn6"
 		else
 			if [ -n "$qn6" ]; then
-				f6=
+				f6="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
-				filter_apply_port_target_quic f6
+				[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packet_only"
 				f6="$f6 $first_packet_only"
 				filter_apply_ipset_target6 f6
-				fw_nfqws_post6 $1 "$f6 $desync" $qn6
+				fw_nfqws_post6 "$1" "$f6 $desync" "$qn6"
 				fw_reverse_nfqws_rule6 "$1" "$f6" "$qn6"
 			fi
-			;;
+			if [ -n "$qns6" ]; then
-		custom)
+				f6="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
-	    		existf zapret_custom_firewall && zapret_custom_firewall $1
+				filter_apply_ipset_target6 f6
-			;;
+				fw_nfqws_post6 "$1" "$f6 $desync" "$qns6"
 				fw_reverse_nfqws_rule6 "$1" "$f6" "$qns6"
 			fi
 		fi
 		get_nfqws_qnums_quic qn qn6
 		if [ -n "$qn" ]; then
 			f4=
 			filter_apply_port_target_quic f4
 			f4="$f4 $first_packet_only"
 			filter_apply_ipset_target4 f4
 			fw_nfqws_post4 "$1" "$f4 $desync" "$qn"
 		fi
 		if [ -n "$qn6" ]; then
 			f6=
 			filter_apply_port_target_quic f6
 			f6="$f6 $first_packet_only"
 			filter_apply_ipset_target6 f6
 			fw_nfqws_post6 "$1" "$f6 $desync" "$qn6"
 		fi
 		;;
 	custom)
 		existf zapret_custom_firewall && zapret_custom_firewall "$1"
 		;;
 	esac
 }
-zapret_do_firewall_ipt()
+zapret_do_firewall_ipt() {
 {
 	# $1 - 1 - add, 0 - del
 	if [ "$1" = 1 ]; then
@ -461,7 +420,7 @@ zapret_do_firewall_ipt()
 	zapret_do_firewall_rules_ipt "$@"
-	if [ "$1" = 1 ] ; then
+	if [ "$1" = 1 ]; then
 		existf flow_offloading_exempt && flow_offloading_exempt
 	else
 		existf flow_offloading_unexempt && flow_offloading_unexempt
--- a/common/linux_fw.sh
+++ b/common/linux_fw.sh
@ -1,21 +1,19 @@
-set_conntrack_liberal_mode()
+set_conntrack_liberal_mode() {
-{
+	[ -n "$SKIP_CONNTRACK_LIBERAL_MODE" ] || sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal="$1"
 	[ -n "$SKIP_CONNTRACK_LIBERAL_MODE" ] || sysctl -w net.netfilter.nf_conntrack_tcp_be_liberal=$1
 }
-zapret_do_firewall()
+zapret_do_firewall() {
 {
 	linux_fwtype
 	[ "$1" = 1 -a -n "$INIT_FW_PRE_UP_HOOK" ] && $INIT_FW_PRE_UP_HOOK
 	[ "$1" = 0 -a -n "$INIT_FW_PRE_DOWN_HOOK" ] && $INIT_FW_PRE_DOWN_HOOK
 	case "$FWTYPE" in
-		iptables)
+	iptables)
-			zapret_do_firewall_ipt "$@"
+		zapret_do_firewall_ipt "$@"
-			;;
+		;;
-		nftables)
+	nftables)
-			zapret_do_firewall_nft "$@"
+		zapret_do_firewall_nft "$@"
-			;;
+		;;
 	esac
 	# russian DPI sends RST,ACK with wrong ACK.
@ -23,29 +21,26 @@ zapret_do_firewall()
 	# switch on liberal mode on zapret firewall start and switch off on zapret firewall stop
 	# this is only required for processing incoming bad RSTs. incoming rules are only applied in autohostlist mode
 	# calling this after firewall because conntrack module can be not loaded before applying conntrack firewall rules
-	[ "$MODE_FILTER" = "autohostlist" -a "$MODE" != tpws -a "$MODE" != tpws-socks ] && set_conntrack_liberal_mode $1
+	[ "$MODE_FILTER" = "autohostlist" -a "$MODE" != tpws -a "$MODE" != tpws-socks ] && set_conntrack_liberal_mode "$1"
 	[ "$1" = 1 -a -n "$INIT_FW_POST_UP_HOOK" ] && $INIT_FW_POST_UP_HOOK
 	[ "$1" = 0 -a -n "$INIT_FW_POST_DOWN_HOOK" ] && $INIT_FW_POST_DOWN_HOOK
 	return 0
 }
-zapret_apply_firewall()
+zapret_apply_firewall() {
 {
 	zapret_do_firewall 1 "$@"
 }
-zapret_unapply_firewall()
+zapret_unapply_firewall() {
 {
 	zapret_do_firewall 0 "$@"
 }
-first_packets_for_mode()
+first_packets_for_mode() {
 {
 	# autohostlist and autottl modes requires incoming traffic sample
 	# always use conntrack packet limiter or nfqws will deal with gigabytes
 	local n
 	if [ "$MODE_FILTER" = "autohostlist" ]; then
-		n=$((6+${AUTOHOSTLIST_RETRANS_THRESHOLD:-3}))
+		n=$((6 + ${AUTOHOSTLIST_RETRANS_THRESHOLD:-3}))
 	else
 		n=6
 	fi
--- a/common/linux_iphelper.sh
+++ b/common/linux_iphelper.sh
@ -4,54 +4,48 @@
 # PREROUTING - can't DNAT to ::1. can DNAT to link local of -i interface or to any global addr
 # not a good idea to expose tpws to the world (bind to ::)
-
+get_ipv6_linklocal() {
-get_ipv6_linklocal()
+	# $1 - interface name. if empty - any interface
-{
+	if exists ip; then
- # $1 - interface name. if empty - any interface
+		local dev
- if exists ip ; then
+		[ -n "$1" ] && dev="dev $1"
-    local dev
+		ip addr show "$dev" | sed -e 's/^.*inet6 \([^ ]*\)\/[0-9]* scope link.*$/\1/;t;d' | head -n 1
-    [ -n "$1" ] && dev="dev $1"
+	else
-    ip addr show $dev | sed -e 's/^.*inet6 \([^ ]*\)\/[0-9]* scope link.*$/\1/;t;d' | head -n 1
+		ifconfig "$1" | sed -re 's/^.*inet6 addr: ([^ ]*)\/[0-9]* Scope:Link.*$/\1/;t;d' | head -n 1
- else
+	fi
    ifconfig $1 | sed -re 's/^.*inet6 addr: ([^ ]*)\/[0-9]* Scope:Link.*$/\1/;t;d' | head -n 1
 fi
 }
-get_ipv6_global()
+get_ipv6_global() {
-{
+	# $1 - interface name. if empty - any interface
- # $1 - interface name. if empty - any interface
+	if exists ip; then
- if exists ip ; then
+		local dev
-    local dev
+		[ -n "$1" ] && dev="dev $1"
-    [ -n "$1" ] && dev="dev $1"
+		ip addr show "$dev" | sed -e 's/^.*inet6 \([^ ]*\)\/[0-9]* scope global.*$/\1/;t;d' | head -n 1
-    ip addr show $dev | sed -e 's/^.*inet6 \([^ ]*\)\/[0-9]* scope global.*$/\1/;t;d' | head -n 1
+	else
- else
+		ifconfig "$1" | sed -re 's/^.*inet6 addr: ([^ ]*)\/[0-9]* Scope:Global.*$/\1/;t;d' | head -n 1
-    ifconfig $1 | sed -re 's/^.*inet6 addr: ([^ ]*)\/[0-9]* Scope:Global.*$/\1/;t;d' | head -n 1
+	fi
 fi
 }
-iface_is_up()
+iface_is_up() {
 {	
 	# $1 - interface name
-	[ -f /sys/class/net/$1/operstate ] || return
+	[ -f /sys/class/net/"$1"/operstate ] || return
 	local state
-	read state </sys/class/net/$1/operstate
+	read state </sys/class/net/"$1"/operstate
 	[ "$state" != "down" ]
 }
-wait_ifup()
+wait_ifup() {
 {
 	# $1 - interface name
 	local ct=0
 	while
-		iface_is_up $1 && return
+		iface_is_up "$1" && return
 		[ "$ct" -ge "$IFUP_WAIT_SEC" ] && break
-		echo waiting for ifup of $1 for another $(($IFUP_WAIT_SEC - $ct)) seconds ...
+		echo waiting for ifup of "$1" for another $(($IFUP_WAIT_SEC - $ct)) seconds ...
-		ct=$(($ct+1))
+		ct=$(($ct + 1))
 		sleep 1
 	do :; done
 	false
 }
-_dnat6_target()
+_dnat6_target() {
 {
 	# $1 - interface name
 	# $2 - var to store target ip6
 	# get target ip address for DNAT. prefer link locals
@ -60,68 +54,64 @@ _dnat6_target()
 	# DNAT6_TARGET=- means attempt was made but address was not found (to avoid multiple re-attempts)
 	local DNAT6_TARGET DVAR=DNAT6_TARGET_$1
-	DVAR=$(echo $DVAR | sed 's/[^a-zA-Z0-9_]/_/g')
+	DVAR=$(echo "$DVAR" | sed 's/[^a-zA-Z0-9_]/_/g')
 	eval DNAT6_TARGET="\$$DVAR"
-	[ -n "$2" ] && eval $2=''
+	[ -n "$2" ] && eval "$2"=''
 	[ -n "$DNAT6_TARGET" ] || {
 		local ct=0
 		while
-			DNAT6_TARGET=$(get_ipv6_linklocal $1)
+			DNAT6_TARGET=$(get_ipv6_linklocal "$1")
 			[ -n "$DNAT6_TARGET" ] && break
 			[ "$ct" -ge "$LINKLOCAL_WAIT_SEC" ] && break
-			echo $1: waiting for the link local for another $(($LINKLOCAL_WAIT_SEC - $ct)) seconds ...
+			echo "$1": waiting for the link local for another $(($LINKLOCAL_WAIT_SEC - $ct)) seconds ...
-			ct=$(($ct+1))
+			ct=$(($ct + 1))
 			sleep 1
 		do :; done
 		[ -n "$DNAT6_TARGET" ] || {
-		    	echo $1: no link local. getting global
+			echo "$1": no link local. getting global
-			DNAT6_TARGET=$(get_ipv6_global $1)
+			DNAT6_TARGET=$(get_ipv6_global "$1")
 			[ -n "$DNAT6_TARGET" ] || {
-				echo $1: could not get any address
+				echo "$1": could not get any address
 				DNAT6_TARGET=-
 			}
 		}
-		eval $DVAR="$DNAT6_TARGET"
+		eval "$DVAR"="$DNAT6_TARGET"
 	}
-	[ -n "$2" ] && eval $2="$DNAT6_TARGET"
+	[ -n "$2" ] && eval "$2"="$DNAT6_TARGET"
 }
-_set_route_localnet()
+_set_route_localnet() {
 {
 	# $1 - 1 = enable, 0 = disable
 	# $2,$3,... - interface names
 	[ "$DISABLE_IPV4" = "1" ] || {
 		local enable="$1"
 		shift
 		while [ -n "$1" ]; do
-			sysctl -q -w net.ipv4.conf.$1.route_localnet="$enable"
+			sysctl -q -w net.ipv4.conf."$1".route_localnet="$enable"
 			shift
 		done
 	}
 }
-prepare_route_localnet()
+prepare_route_localnet() {
 {
 	set_route_localnet 1 "$@"
 }
-unprepare_route_localnet()
+unprepare_route_localnet() {
 {
 	set_route_localnet 0 "$@"
 }
-resolve_lower_devices()
+resolve_lower_devices() {
 {
 	# $1 - bridge interface name
 	[ -d "/sys/class/net/$1" ] && {
 		find "/sys/class/net/$1" -follow -maxdepth 1 -name "lower_*" |
-		{
+			{
-			local l lower lowers
+				local l lower lowers
-			while read lower; do
+				while read lower; do
-				lower="$(basename "$lower")"
+					lower="$(basename "$lower")"
-				l="${lower#lower_*}"
+					l="${lower#lower_*}"
-				[  "$l" != "$lower" ] && append_separator_list lowers ' ' '' "$l"
+					[ "$l" != "$lower" ] && append_separator_list lowers ' ' '' "$l"
-			done
+				done
-			printf "$lowers"
+				printf "$lowers"
-		}
+			}
 	}
 }
--- a/common/list.sh
+++ b/common/list.sh
@ -1,5 +1,4 @@
-find_hostlists()
+find_hostlists() {
 {
 	[ -n "$HOSTLIST_BASE" ] || HOSTLIST_BASE="$ZAPRET_BASE/ipset"
 	HOSTLIST="$HOSTLIST_BASE/zapret-hosts.txt.gz"
@ -18,8 +17,7 @@ find_hostlists()
 	HOSTLIST_AUTO_DEBUGLOG="$HOSTLIST_BASE/zapret-hosts-auto-debug.log"
 }
-filter_apply_autohostlist_target()
+filter_apply_autohostlist_target() {
 {
 	# $1 - var name of tpws or nfqws params
 	local parm1="${AUTOHOSTLIST_FAIL_THRESHOLD:+--hostlist-auto-fail-threshold=$AUTOHOSTLIST_FAIL_THRESHOLD}"
@ -27,11 +25,10 @@ filter_apply_autohostlist_target()
 	local parm3 parm4
 	[ "$MODE" = "tpws" -o "$MODE" = "tpws-socks" ] || parm3="${AUTOHOSTLIST_RETRANS_THRESHOLD:+--hostlist-auto-retrans-threshold=$AUTOHOSTLIST_RETRANS_THRESHOLD}"
 	[ "$AUTOHOSTLIST_DEBUGLOG" = 1 ] && parm4="--hostlist-auto-debug=$HOSTLIST_AUTO_DEBUGLOG"
-	eval $1="\"\$$1 --hostlist-auto=$HOSTLIST_AUTO $parm1 $parm2 $parm3 $parm4\""
+	eval "$1"="\"\$$1 --hostlist-auto=$HOSTLIST_AUTO $parm1 $parm2 $parm3 $parm4\""
 }
-filter_apply_hostlist_target()
+filter_apply_hostlist_target() {
 {
 	# $1 - var name of tpws or nfqws params
 	[ "$MODE_FILTER" = "hostlist" -o "$MODE_FILTER" = "autohostlist" ] || return
@ -40,8 +37,8 @@ filter_apply_hostlist_target()
 	find_hostlists
-	[ -n "$HOSTLIST" ] && eval $1="\"\$$1 --hostlist=$HOSTLIST\""
+	[ -n "$HOSTLIST" ] && eval "$1"="\"\$$1 --hostlist=$HOSTLIST\""
-	[ -n "$HOSTLIST_USER" ] && eval $1="\"\$$1 --hostlist=$HOSTLIST_USER\""
+	[ -n "$HOSTLIST_USER" ] && eval "$1"="\"\$$1 --hostlist=$HOSTLIST_USER\""
-	[ -n "$HOSTLIST_EXCLUDE" ] && eval $1="\"\$$1 --hostlist-exclude=$HOSTLIST_EXCLUDE\""
+	[ -n "$HOSTLIST_EXCLUDE" ] && eval "$1"="\"\$$1 --hostlist-exclude=$HOSTLIST_EXCLUDE\""
-	[ "$MODE_FILTER" = "autohostlist" ] && filter_apply_autohostlist_target $1
+	[ "$MODE_FILTER" = "autohostlist" ] && filter_apply_autohostlist_target "$1"
 }
--- a/common/nft.sh
+++ b/common/nft.sh
@ -5,48 +5,39 @@ readonly nft_connbytes="ct original packets"
 create_dev_stdin
 std_ports
-nft_create_table()
+nft_create_table() {
-{
+	nft add table inet "$ZAPRET_NFT_TABLE"
 	nft add table inet $ZAPRET_NFT_TABLE
 }
-nft_del_table()
+nft_del_table() {
-{
+	nft delete table inet "$ZAPRET_NFT_TABLE" 2>/dev/null
 	nft delete table inet $ZAPRET_NFT_TABLE 2>/dev/null
 }
-nft_list_table()
+nft_list_table() {
-{
+	nft -t list table inet "$ZAPRET_NFT_TABLE"
 	nft -t list table inet $ZAPRET_NFT_TABLE
 }
-nft_create_set()
+nft_create_set() {
 {
 	# $1 - set name
 	# $2 - params
-	nft create set inet $ZAPRET_NFT_TABLE $1 "{ $2 }" 2>/dev/null
+	nft create set inet "$ZAPRET_NFT_TABLE" "$1" "{ $2 }" 2>/dev/null
 }
-nft_del_set()
+nft_del_set() {
 {
 	# $1 - set name
-	nft delete set inet $ZAPRET_NFT_TABLE $1
+	nft delete set inet "$ZAPRET_NFT_TABLE" "$1"
 }
-nft_flush_set()
+nft_flush_set() {
 {
 	# $1 - set name
-	nft flush set inet $ZAPRET_NFT_TABLE $1
+	nft flush set inet "$ZAPRET_NFT_TABLE" "$1"
 }
-nft_set_exists()
+nft_set_exists() {
 {
 	# $1 - set name
-	nft -t list set inet $ZAPRET_NFT_TABLE $1 2>/dev/null >/dev/null
+	nft -t list set inet "$ZAPRET_NFT_TABLE" "$1" 2>/dev/null >/dev/null
 }
-nft_flush_chain()
+nft_flush_chain() {
 {
 	# $1 - chain name
-	nft flush chain inet $ZAPRET_NFT_TABLE $1
+	nft flush chain inet "$ZAPRET_NFT_TABLE" "$1"
 }
-nft_del_all_chains_from_table()
+nft_del_all_chains_from_table() {
 {
 	# $1 - table_name with or without family
 	# delete all chains with possible references to each other
@ -54,12 +45,12 @@ nft_del_all_chains_from_table()
 	# avoid infinite loops
 	local chains deleted=1 error=1
 	while [ -n "$deleted" -a -n "$error" ]; do
-		chains=$(nft -t list table $1 2>/dev/null | sed -nre "s/^[ 	]*chain ([^ ]+) \{/\1/p" | xargs)
+		chains=$(nft -t list table "$1" 2>/dev/null | sed -nre "s/^[ 	]*chain ([^ ]+) \{/\1/p" | xargs)
 		[ -n "$chains" ] || break
 		deleted=
 		error=
 		for chain in $chains; do
-			if nft delete chain $1 $chain 2>/dev/null; then
+			if nft delete chain "$1" "$chain" 2>/dev/null; then
 				deleted=1
 			else
 				error=1
@ -68,9 +59,8 @@ nft_del_all_chains_from_table()
 	done
 }
-nft_create_chains()
+nft_create_chains() {
-{
+	cat <<EOF | nft -f -
 cat << EOF | nft -f -
 	add chain inet $ZAPRET_NFT_TABLE dnat_output { type nat hook output priority -101; }
 	flush chain inet $ZAPRET_NFT_TABLE dnat_output
 	add chain inet $ZAPRET_NFT_TABLE dnat_pre { type nat hook prerouting priority -101; }
@ -113,12 +103,11 @@ EOF
 		nft_add_rule predefrag_nfqws notrack comment \"do not track nfqws generated packets to avoid nat tampering and defragmentation\"
 	}
 }
-nft_del_chains()
+nft_del_chains() {
 {
 	# do not delete all chains because of additional user hooks
 	# they must be inside zapret table to use nfsets
-cat << EOF | nft -f - 2>/dev/null
+	cat <<EOF | nft -f - 2>/dev/null
 	delete chain inet $ZAPRET_NFT_TABLE dnat_output
 	delete chain inet $ZAPRET_NFT_TABLE dnat_pre
 	delete chain inet $ZAPRET_NFT_TABLE forward
@ -132,15 +121,13 @@ cat << EOF | nft -f - 2>/dev/null
 	delete chain inet $ZAPRET_NFT_TABLE flow_offload
 	delete chain inet $ZAPRET_NFT_TABLE localnet_protect
 EOF
-# unfortunately this approach breaks udp desync of the connection initiating packet (new, first one)
+	# unfortunately this approach breaks udp desync of the connection initiating packet (new, first one)
-#	delete chain inet $ZAPRET_NFT_TABLE predefrag
+	#	delete chain inet $ZAPRET_NFT_TABLE predefrag
 }
-nft_del_flowtable()
+nft_del_flowtable() {
-{
+	nft delete flowtable inet "$ZAPRET_NFT_TABLE" ft 2>/dev/null
 	nft delete flowtable inet $ZAPRET_NFT_TABLE ft 2>/dev/null
 }
-nft_create_or_update_flowtable()
+nft_create_or_update_flowtable() {
 {
 	# $1 = flags ('offload' for hw offload)
 	# $2,$3,$4,... - interfaces
 	# can be called multiple times to add interfaces. interfaces can only be added , not removed
@ -153,117 +140,102 @@ nft_create_or_update_flowtable()
 	for makelist in make_quoted_comma_list make_comma_list; do
 		$makelist devices "$@"
 		[ -n "$devices" ] && devices="devices={$devices};"
-		nft add flowtable inet $ZAPRET_NFT_TABLE ft "{ hook ingress priority -1; $flags $devices }" && break
+		nft add flowtable inet "$ZAPRET_NFT_TABLE" ft "{ hook ingress priority -1; $flags $devices }" && break
 	done
 }
-nft_flush_ifsets()
+nft_flush_ifsets() {
-{
+	cat <<EOF | nft -f - 2>/dev/null
 cat << EOF | nft -f -  2>/dev/null
 	flush set inet $ZAPRET_NFT_TABLE lanif
 	flush set inet $ZAPRET_NFT_TABLE wanif
 	flush set inet $ZAPRET_NFT_TABLE wanif6
 	flush map inet $ZAPRET_NFT_TABLE link_local
 EOF
 }
-nft_flush_link_local()
+nft_flush_link_local() {
-{
+	nft flush map inet "$ZAPRET_NFT_TABLE" link_local 2>/dev/null
 	nft flush map inet $ZAPRET_NFT_TABLE link_local 2>/dev/null
 }
-nft_list_ifsets()
+nft_list_ifsets() {
-{
+	nft list set inet "$ZAPRET_NFT_TABLE" lanif
-	nft list set inet $ZAPRET_NFT_TABLE lanif
+	nft list set inet "$ZAPRET_NFT_TABLE" wanif
-	nft list set inet $ZAPRET_NFT_TABLE wanif
+	nft list set inet "$ZAPRET_NFT_TABLE" wanif6
-	nft list set inet $ZAPRET_NFT_TABLE wanif6
+	nft list map inet "$ZAPRET_NFT_TABLE" link_local
-	nft list map inet $ZAPRET_NFT_TABLE link_local
+	nft list flowtable inet "$ZAPRET_NFT_TABLE" ft 2>/dev/null
 	nft list flowtable inet $ZAPRET_NFT_TABLE ft 2>/dev/null
 }
-nft_create_firewall()
+nft_create_firewall() {
 {
 	nft_create_table
 	nft_del_flowtable
 	nft_flush_link_local
 	nft_create_chains
 }
-nft_del_firewall()
+nft_del_firewall() {
 {
 	nft_del_chains
 	nft_del_flowtable
 	nft_flush_link_local
 	# leave ifsets and ipsets because they may be used by custom rules
 }
-nft_add_rule()
+nft_add_rule() {
 {
 	# $1 - chain
 	# $2,$3,... - rule(s)
 	local chain="$1"
 	shift
-	nft add rule inet $ZAPRET_NFT_TABLE $chain "$@"
+	nft add rule inet "$ZAPRET_NFT_TABLE" "$chain" "$@"
 }
-nft_add_set_element()
+nft_add_set_element() {
 {
 	# $1 - set or map name
 	# $2 - element
-	[ -z "$2" ] || nft add element inet $ZAPRET_NFT_TABLE $1 "{ $2 }"
+	[ -z "$2" ] || nft add element inet "$ZAPRET_NFT_TABLE" "$1" "{ $2 }"
 }
-nft_add_set_elements()
+nft_add_set_elements() {
 {
 	# $1 - set or map name
 	# $2,$3,... - element(s)
 	local set="$1" elements
 	shift
 	make_comma_list elements "$@"
-	nft_add_set_element $set "$elements"
+	nft_add_set_element "$set" "$elements"
 }
-nft_reverse_nfqws_rule()
+nft_reverse_nfqws_rule() {
 {
 	echo "$@" | sed -e 's/oifname /iifname /g' -e 's/dport /sport /g' -e 's/daddr /saddr /g' -e 's/ct original /ct reply /g' -e "s/mark and $DESYNC_MARK == 0//g"
 }
-nft_clean_nfqws_rule()
+nft_clean_nfqws_rule() {
 {
 	echo "$@" | sed -e "s/mark and $DESYNC_MARK == 0//g" -e "s/oifname @wanif6//g" -e "s/oifname @wanif//g"
 }
-nft_add_nfqws_flow_exempt_rule()
+nft_add_nfqws_flow_exempt_rule() {
 {
 	# $1 - rule (must be all filters in one var)
-	nft_add_rule flow_offload $(nft_clean_nfqws_rule $1) return comment \"direct flow offloading exemption\"
+	nft_add_rule flow_offload $(nft_clean_nfqws_rule "$1") return comment \"direct flow offloading exemption\"
 	# do not need this because of oifname @wanif/@wanif6 filter in forward chain
 	#nft_add_rule flow_offload $(nft_reverse_nfqws_rule $1) return comment \"reverse flow offloading exemption\"
 }
-nft_add_flow_offload_exemption()
+nft_add_flow_offload_exemption() {
 {
 	# "$1" - rule for ipv4
 	# "$2" - rule for ipv6
 	# "$3" - comment
-	[ "$DISABLE_IPV4" = "1" -o -z "$1" ] || nft_add_rule flow_offload oifname @wanif $1 ip daddr != @nozapret return comment \"$3\"
+	[ "$DISABLE_IPV4" = "1" -o -z "$1" ] || nft_add_rule flow_offload oifname @wanif "$1" ip daddr != @nozapret return comment \""$3"\"
-	[ "$DISABLE_IPV6" = "1" -o -z "$2" ] || nft_add_rule flow_offload oifname @wanif6 $2 ip6 daddr != @nozapret6 return comment \"$3\"
+	[ "$DISABLE_IPV6" = "1" -o -z "$2" ] || nft_add_rule flow_offload oifname @wanif6 "$2" ip6 daddr != @nozapret6 return comment \""$3"\"
 }
-nft_hw_offload_supported()
+nft_hw_offload_supported() {
 {
 	# $1,$2,... - interface names
 	local devices res=1
 	make_quoted_comma_list devices "$@"
 	[ -n "$devices" ] && devices="devices={$devices};"
-	nft add table ${ZAPRET_NFT_TABLE}_test && nft add flowtable ${ZAPRET_NFT_TABLE}_test ft "{ flags offload; $devices }" 2>/dev/null && res=0
+	nft add table "${ZAPRET_NFT_TABLE}"_test && nft add flowtable "${ZAPRET_NFT_TABLE}"_test ft "{ flags offload; $devices }" 2>/dev/null && res=0
-	nft delete table ${ZAPRET_NFT_TABLE}_test 2>/dev/null
+	nft delete table "${ZAPRET_NFT_TABLE}"_test 2>/dev/null
 	return $res
 }
-nft_hw_offload_find_supported()
+nft_hw_offload_find_supported() {
 {
 	# $1,$2,... - interface names
 	local supported_list
 	while [ -n "$1" ]; do
 		nft_hw_offload_supported "$1" && append_separator_list supported_list ' ' '' "$1"
 		shift
 	done
-	echo $supported_list
+	echo "$supported_list"
 }
-nft_apply_flow_offloading()
+nft_apply_flow_offloading() {
 {
 	# ft can be absent
 	nft_add_rule flow_offload meta l4proto "{ tcp, udp }" flow add @ft 2>/dev/null && {
 		nft_add_rule flow_offload meta l4proto "{ tcp, udp }" counter comment \"if offload works here must not be too much traffic\"
@ -273,10 +245,7 @@ nft_apply_flow_offloading()
 	}
 }
-
+nft_filter_apply_port_target() {
 nft_filter_apply_port_target()
 {
 	# $1 - var name of nftables filter
 	local f
 	if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
@ -288,58 +257,51 @@ nft_filter_apply_port_target()
 	else
 		echo WARNING !!! HTTP and HTTPS are both disabled
 	fi
-	eval $1="\"\$$1 $f\""
+	eval "$1"="\"\$$1 $f\""
 }
-nft_filter_apply_port_target_quic()
+nft_filter_apply_port_target_quic() {
 {
 	# $1 - var name of nftables filter
 	local f
 	f="udp dport {$QUIC_PORTS}"
-	eval $1="\"\$$1 $f\""
+	eval "$1"="\"\$$1 $f\""
 }
-nft_filter_apply_ipset_target4()
+nft_filter_apply_ipset_target4() {
 {
 	# $1 - var name of ipv4 nftables filter
 	if [ "$MODE_FILTER" = "ipset" ]; then
-		eval $1="\"\$$1 ip daddr @zapret\""
+		eval "$1"="\"\$$1 ip daddr @zapret\""
 	fi
 }
-nft_filter_apply_ipset_target6()
+nft_filter_apply_ipset_target6() {
 {
 	# $1 - var name of ipv6 nftables filter
 	if [ "$MODE_FILTER" = "ipset" ]; then
-		eval $1="\"\$$1 ip6 daddr @zapret6\""
+		eval "$1"="\"\$$1 ip6 daddr @zapret6\""
 	fi
 }
-nft_filter_apply_ipset_target()
+nft_filter_apply_ipset_target() {
 {
 	# $1 - var name of ipv4 nftables filter
 	# $2 - var name of ipv6 nftables filter
-	nft_filter_apply_ipset_target4 $1
+	nft_filter_apply_ipset_target4 "$1"
-	nft_filter_apply_ipset_target6 $2
+	nft_filter_apply_ipset_target6 "$2"
 }
-
+nft_script_add_ifset_element() {
 nft_script_add_ifset_element()
 {
 	# $1 - set name
 	# $2 - space separated elements
 	local elements
 	[ -n "$2" ] && {
-		make_quoted_comma_list elements $2
+		make_quoted_comma_list elements "$2"
 		script="${script}
 add element inet $ZAPRET_NFT_TABLE $1 { $elements }"
 	}
 }
-nft_fill_ifsets()
+nft_fill_ifsets() {
-{
+	# $1 - space separated LAN interface names
-	# $1 - space separated lan interface names
+	# $2 - space separated WAN interface names
-	# $2 - space separated wan interface names
+	# $3 - space separated WAN6 interface names
-	# $3 - space separated wan6 interface names
+	# 4,5,6 is needed for PPPoE+OpenWrt case. looks like it's not easily possible to resolve Ethernet device behind a PPPoE interface
-	# 4,5,6 is needed for pppoe+openwrt case. looks like it's not easily possible to resolve ethernet device behind a pppoe interface
+	# $4 - space separated LAN physical interface names (optional)
-	# $4 - space separated lan physical interface names (optional)
+	# $5 - space separated WAN physical interface names (optional)
-	# $5 - space separated wan physical interface names (optional)
+	# $6 - space separated WAN6 physical interface names (optional)
 	# $6 - space separated wan6 physical interface names (optional)
 	local script i j ALLDEVS devs
@ -358,51 +320,47 @@ flush set inet $ZAPRET_NFT_TABLE lanif"
 	echo "$script" | nft -f -
 	case "$FLOWOFFLOAD" in
-		software)
+	software)
-			ALLDEVS=$(unique $1 $2 $3)
+		ALLDEVS=$(unique "$1" "$2" "$3")
-			# unbound flowtable may cause error in older nft version
+		# unbound flowtable may cause error in older nft version
-			nft_create_or_update_flowtable '' $ALLDEVS 2>/dev/null
+		nft_create_or_update_flowtable '' "$ALLDEVS" 2>/dev/null
-			;;
+		;;
-		hardware)
+	hardware)
-			ALLDEVS=$(unique $1 $2 $3 $4 $5 $6)
+		ALLDEVS=$(unique "$1" "$2" "$3" "$4" "$5" "$6")
-			# first create unbound flowtable. may cause error in older nft version
+		# first create unbound flowtable. may cause error in older nft version
-			nft_create_or_update_flowtable 'offload' 2>/dev/null
+		nft_create_or_update_flowtable 'offload' 2>/dev/null
-			# then add elements. some of them can cause error because unsupported
+		# then add elements. some of them can cause error because unsupported
-			for i in $ALLDEVS; do
+		for i in $ALLDEVS; do
-				if nft_hw_offload_supported $i; then
+			if nft_hw_offload_supported "$i"; then
-					nft_create_or_update_flowtable 'offload' $i
+				nft_create_or_update_flowtable 'offload' "$i"
-				else
+			else
-					# bridge members must be added instead of the bridge itself
+				# bridge members must be added instead of the bridge itself
-					# some members may not support hw offload. example : lan1 lan2 lan3 support, wlan0 wlan1 - not
+				# some members may not support hw offload. example: lan1 lan2 lan3 support, wlan0 wlan1 - not
-					devs=$(resolve_lower_devices $i)
+				devs=$(resolve_lower_devices "$i")
-					for j in $devs; do
+				for j in $devs; do
-						# do not display error if addition failed
+					# do not display error if addition failed
-						nft_create_or_update_flowtable 'offload' $j 2>/dev/null
+					nft_create_or_update_flowtable 'offload' "$j" 2>/dev/null
-					done
+				done
-				fi
+			fi
-			done
+		done
-			;;
+		;;
 	esac
 }
-nft_only()
+nft_only() {
 {
 	linux_fwtype
 	case "$FWTYPE" in
-		nftables)
+	nftables)
-			"$@"
+		"$@"
-			;;
+		;;
 	esac
 }
-
+nft_print_op() {
-nft_print_op()
+	echo "Adding nftables IPv$3 rule for $2: $1"
 {
 	echo "Adding nftables ipv$3 rule for $2 : $1"
 }
-_nft_fw_tpws4()
+_nft_fw_tpws4() {
 {
 	# $1 - filter ipv4
 	# $2 - tpws port
 	# $3 - not-empty if wan interface filtering required
@ -410,13 +368,12 @@ _nft_fw_tpws4()
 	[ "$DISABLE_IPV4" = "1" -o -z "$1" ] || {
 		local filter="$1" port="$2"
 		nft_print_op "$filter" "tpws (port $2)" 4
-		nft_add_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }$filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
+		nft_add_rule dnat_output skuid != "$WS_USER" ${3:+oifname @wanif }"$filter" ip daddr != @nozapret dnat ip to "$TPWS_LOCALHOST4":"$port"
-		nft_add_rule dnat_pre iifname @lanif $filter ip daddr != @nozapret dnat ip to $TPWS_LOCALHOST4:$port
+		nft_add_rule dnat_pre iifname @lanif "$filter" ip daddr != @nozapret dnat ip to "$TPWS_LOCALHOST4":"$port"
 		prepare_route_localnet
 	}
 }
-_nft_fw_tpws6()
+_nft_fw_tpws6() {
 {
 	# $1 - filter ipv6
 	# $2 - tpws port
 	# $3 - lan interface names space separated
@ -425,48 +382,43 @@ _nft_fw_tpws6()
 	[ "$DISABLE_IPV6" = "1" -o -z "$1" ] || {
 		local filter="$1" port="$2" DNAT6 i
 		nft_print_op "$filter" "tpws (port $port)" 6
-		nft_add_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }$filter ip6 daddr != @nozapret6 dnat ip6 to [::1]:$port
+		nft_add_rule dnat_output skuid != "$WS_USER" ${4:+oifname @wanif6 }"$filter" ip6 daddr != @nozapret6 dnat ip6 to [::1]:"$port"
 		[ -n "$3" ] && {
-			nft_add_rule dnat_pre $filter ip6 daddr != @nozapret6 dnat ip6 to iifname map @link_local:$port
+			nft_add_rule dnat_pre "$filter" ip6 daddr != @nozapret6 dnat ip6 to iifname map @link_local:"$port"
 			for i in $3; do
-				_dnat6_target $i DNAT6
+				_dnat6_target "$i" DNAT6
 				# can be multiple tpws processes on different ports
 				[ -n "$DNAT6" -a "$DNAT6" != '-' ] && nft_add_set_element link_local "$i : $DNAT6"
 			done
 		}
 	}
 }
-nft_fw_tpws()
+nft_fw_tpws() {
 {
 	# $1 - filter ipv4
 	# $2 - filter ipv6
 	# $3 - tpws port
-	nft_fw_tpws4 "$1" $3
+	nft_fw_tpws4 "$1" "$3"
-	nft_fw_tpws6 "$2" $3
+	nft_fw_tpws6 "$2" "$3"
 }
-is_postnat()
+is_postnat() {
 {
 	[ "$POSTNAT" != 0 -o "$POSTNAT_ALL" = 1 ]
 }
-get_postchain()
+get_postchain() {
-{
+	if is_postnat; then
 	if is_postnat ; then
 		echo -n postnat
 	else
 		echo -n postrouting
 	fi
 }
-get_prechain()
+get_prechain() {
-{
+	if is_postnat; then
 	if is_postnat ; then
 		echo -n prenat
 	else
 		echo -n prerouting
 	fi
 }
-_nft_fw_nfqws_post4()
+_nft_fw_nfqws_post4() {
 {
 	# $1 - filter ipv4
 	# $2 - queue number
 	# $3 - not-empty if wan interface filtering required
@ -476,12 +428,11 @@ _nft_fw_nfqws_post4()
 		nft_print_op "$filter" "nfqws postrouting (qnum $port)" 4
 		rule="${3:+oifname @wanif }$filter ip daddr != @nozapret"
 		is_postnat && setmark="meta mark set meta mark or $DESYNC_MARK_POSTNAT"
-		nft_add_rule $chain $rule $setmark queue num $port bypass
+		nft_add_rule "$chain" "$rule" "$setmark" queue num "$port" bypass
 		nft_add_nfqws_flow_exempt_rule "$rule"
 	}
 }
-_nft_fw_nfqws_post6()
+_nft_fw_nfqws_post6() {
 {
 	# $1 - filter ipv6
 	# $2 - queue number
 	# $3 - not-empty if wan interface filtering required
@ -491,22 +442,20 @@ _nft_fw_nfqws_post6()
 		nft_print_op "$filter" "nfqws postrouting (qnum $port)" 6
 		rule="${3:+oifname @wanif6 }$filter ip6 daddr != @nozapret6"
 		is_postnat && setmark="meta mark set meta mark or $DESYNC_MARK_POSTNAT"
-		nft_add_rule $chain $rule $setmark queue num $port bypass
+		nft_add_rule "$chain" "$rule" "$setmark" queue num "$port" bypass
 		nft_add_nfqws_flow_exempt_rule "$rule"
 	}
 }
-nft_fw_nfqws_post()
+nft_fw_nfqws_post() {
-{
+	# $1 - filter IPv4
 	# $1 - filter ipv4
 	# $2 - filter ipv6
 	# $3 - queue number
-	nft_fw_nfqws_post4 "$1" $3
+	nft_fw_nfqws_post4 "$1" "$3"
-	nft_fw_nfqws_post6 "$2" $3
+	nft_fw_nfqws_post6 "$2" "$3"
 }
-_nft_fw_nfqws_pre4()
+_nft_fw_nfqws_pre4() {
 {
 	# $1 - filter ipv4
 	# $2 - queue number
 	# $3 - not-empty if wan interface filtering required
@ -515,11 +464,10 @@ _nft_fw_nfqws_pre4()
 		local filter="$1" port="$2" rule
 		nft_print_op "$filter" "nfqws prerouting (qnum $port)" 4
 		rule="${3:+iifname @wanif }$filter ip saddr != @nozapret"
-		nft_add_rule $(get_prechain) $rule queue num $port bypass
+		nft_add_rule $(get_prechain) "$rule" queue num "$port" bypass
 	}
 }
-_nft_fw_nfqws_pre6()
+_nft_fw_nfqws_pre6() {
 {
 	# $1 - filter ipv6
 	# $2 - queue number
 	# $3 - not-empty if wan interface filtering required
@ -528,35 +476,31 @@ _nft_fw_nfqws_pre6()
 		local filter="$1" port="$2" rule
 		nft_print_op "$filter" "nfqws prerouting (qnum $port)" 6
 		rule="${3:+iifname @wanif6 }$filter ip6 saddr != @nozapret6"
-		nft_add_rule $(get_prechain) $rule queue num $port bypass
+		nft_add_rule $(get_prechain) "$rule" queue num "$port" bypass
 	}
 }
-nft_fw_nfqws_pre()
+nft_fw_nfqws_pre() {
 {
 	# $1 - filter ipv4
 	# $2 - filter ipv6
 	# $3 - queue number
-	nft_fw_nfqws_pre4 "$1" $3
+	nft_fw_nfqws_pre4 "$1" "$3"
-	nft_fw_nfqws_pre6 "$2" $3
+	nft_fw_nfqws_pre6 "$2" "$3"
 }
-nft_fw_nfqws_both4()
+nft_fw_nfqws_both4() {
 {
 	# $1 - filter ipv4
 	# $2 - queue number
 	nft_fw_nfqws_post4 "$@"
-	nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule $1)" $2
+	nft_fw_nfqws_pre4 "$(nft_reverse_nfqws_rule "$1")" "$2"
 }
-nft_fw_nfqws_both6()
+nft_fw_nfqws_both6() {
 {
 	# $1 - filter ipv6
 	# $2 - queue number
 	nft_fw_nfqws_post6 "$@"
-	nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule $1)" $2
+	nft_fw_nfqws_pre6 "$(nft_reverse_nfqws_rule "$1")" "$2"
 }
-nft_fw_nfqws_both()
+nft_fw_nfqws_both() {
 {
 	# $1 - filter ipv4
 	# $2 - filter ipv6
 	# $3 - queue number
@ -564,26 +508,21 @@ nft_fw_nfqws_both()
 	nft_fw_nfqws_both6 "$2" "$3"
 }
-zapret_reload_ifsets()
+zapret_reload_ifsets() {
-{
+	nft_only nft_create_table
-	nft_only nft_create_table ; nft_fill_ifsets_overload
+	nft_fill_ifsets_overload
 	return 0
 }
-zapret_list_ifsets()
+zapret_list_ifsets() {
 {
 	nft_only nft_list_ifsets
 	return 0
 }
-zapret_list_table()
+zapret_list_table() {
 {
 	nft_only nft_list_table
 	return 0
 }
-
+nft_produce_reverse_nfqws_rule() {
 nft_produce_reverse_nfqws_rule()
 {
 	local rule="$1"
 	if contains "$rule" "$nft_connbytes "; then
 		# autohostlist - need several incoming packets
@ -596,28 +535,24 @@ nft_produce_reverse_nfqws_rule()
 		[ "$range" = 1 ] || range="1-$range"
 		rule="$nft_connbytes $range $rule"
 	fi
-	nft_reverse_nfqws_rule $rule
+	nft_reverse_nfqws_rule "$rule"
 }
-nft_fw_reverse_nfqws_rule4()
+nft_fw_reverse_nfqws_rule4() {
-{
+	nft_fw_nfqws_pre4 "$(nft_produce_reverse_nfqws_rule "$1")" "$2"
 	nft_fw_nfqws_pre4 "$(nft_produce_reverse_nfqws_rule "$1")" $2
 }
-nft_fw_reverse_nfqws_rule6()
+nft_fw_reverse_nfqws_rule6() {
-{
+	nft_fw_nfqws_pre6 "$(nft_produce_reverse_nfqws_rule "$1")" "$2"
 	nft_fw_nfqws_pre6 "$(nft_produce_reverse_nfqws_rule "$1")" $2
 }
-nft_fw_reverse_nfqws_rule()
+nft_fw_reverse_nfqws_rule() {
 {
 	# ensure that modes relying on incoming traffic work
 	# $1 - rule4
 	# $2 - rule6
 	# $3 - queue number
-	nft_fw_reverse_nfqws_rule4 "$1" $3
+	nft_fw_reverse_nfqws_rule4 "$1" "$3"
-	nft_fw_reverse_nfqws_rule6 "$2" $3
+	nft_fw_reverse_nfqws_rule6 "$2" "$3"
 }
-zapret_apply_firewall_rules_nft()
+zapret_apply_firewall_rules_nft() {
 {
 	local mode="${MODE_OVERRIDE:-$MODE}"
 	local first_packets_only
@ -627,91 +562,90 @@ zapret_apply_firewall_rules_nft()
 	first_packets_only="$nft_connbytes 1-$(first_packets_for_mode)"
 	case "$mode" in
-		tpws)
+	tpws)
-			if [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ]; then
+		if [ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ]; then
-				echo both http and https are disabled. not applying redirection.
+			echo both HTTP and HTTPS are disabled. not applying redirection.
-			else
+		else
-				nft_filter_apply_port_target f4
+			nft_filter_apply_port_target f4
-				f6=$f4
+			f6=$f4
-				nft_filter_apply_ipset_target f4 f6
+			nft_filter_apply_ipset_target f4 f6
-				nft_fw_tpws "$f4" "$f6" $TPPORT
+			nft_fw_tpws "$f4" "$f6" "$TPPORT"
-			fi
+		fi
-			;;
+		;;
-		nfqws)
+	nfqws)
-			local POSTNAT_SAVE=$POSTNAT
+		local POSTNAT_SAVE=$POSTNAT
-			POSTNAT=1
+		POSTNAT=1
-			# quite complex but we need to minimize nfqws processes to save RAM
+		# quite complex but we need to minimize nfqws processes to save RAM
-			get_nfqws_qnums qn qns qn6 qns6
+		get_nfqws_qnums qn qns qn6 qns6
-			if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn" ] && [ "$qn" = "$qns" ]; then
+		if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn" ] && [ "$qn" = "$qns" ]; then
-				nft_filter_apply_port_target f4
+			nft_filter_apply_port_target f4
-				f4="$f4 $first_packets_only"
+			f4="$f4 $first_packets_only"
-				nft_filter_apply_ipset_target4 f4
+			nft_filter_apply_ipset_target4 f4
-				nft_fw_nfqws_post4 "$f4 $desync" $qn
+			nft_fw_nfqws_post4 "$f4 $desync" "$qn"
-				nft_fw_reverse_nfqws_rule4 "$f4" $qn
+			nft_fw_reverse_nfqws_rule4 "$f4" "$qn"
-			else
+		else
 				if [ -n "$qn" ]; then
 					f4="tcp dport {$HTTP_PORTS}"
 					[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packets_only"
 					nft_filter_apply_ipset_target4 f4
 					nft_fw_nfqws_post4 "$f4 $desync" $qn
 					nft_fw_reverse_nfqws_rule4 "$f4" $qn
 				fi
 				if [ -n "$qns" ]; then
 					f4="tcp dport {$HTTPS_PORTS} $first_packets_only"
 					nft_filter_apply_ipset_target4 f4
 					nft_fw_nfqws_post4 "$f4 $desync" $qns
 					nft_fw_reverse_nfqws_rule4 "$f4" $qns
 				fi
 			fi
 			if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn6" ] && [ "$qn6" = "$qns6" ]; then
 				nft_filter_apply_port_target f6
 				f6="$f6 $first_packets_only"
 				nft_filter_apply_ipset_target6 f6
 				nft_fw_nfqws_post6 "$f6 $desync" $qn6
 				nft_fw_reverse_nfqws_rule6 "$f6" $qn6
 			else
 				if [ -n "$qn6" ]; then
 					f6="tcp dport {$HTTP_PORTS}"
 					[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packets_only"
 					nft_filter_apply_ipset_target6 f6
 					nft_fw_nfqws_post6 "$f6 $desync" $qn6
 					nft_fw_reverse_nfqws_rule6 "$f6" $qn6
 				fi
 				if [ -n "$qns6" ]; then
 					f6="tcp dport {$HTTPS_PORTS} $first_packets_only"
 					nft_filter_apply_ipset_target6 f6
 					nft_fw_nfqws_post6 "$f6 $desync" $qns6
 					nft_fw_reverse_nfqws_rule6 "$f6" $qns6
 				fi
 			fi
 			get_nfqws_qnums_quic qn qn6
 			if [ -n "$qn" ]; then
-				f4=
+				f4="tcp dport {$HTTP_PORTS}"
-				nft_filter_apply_port_target_quic f4
+				[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f4="$f4 $first_packets_only"
 				f4="$f4 $first_packets_only"
 				nft_filter_apply_ipset_target4 f4
-				nft_fw_nfqws_post4 "$f4 $desync" $qn
+				nft_fw_nfqws_post4 "$f4 $desync" "$qn"
 				nft_fw_reverse_nfqws_rule4 "$f4" "$qn"
 			fi
 			if [ -n "$qns" ]; then
 				f4="tcp dport {$HTTPS_PORTS} $first_packets_only"
 				nft_filter_apply_ipset_target4 f4
 				nft_fw_nfqws_post4 "$f4 $desync" "$qns"
 				nft_fw_reverse_nfqws_rule4 "$f4" "$qns"
 			fi
 		fi
 		if [ "$MODE_HTTP_KEEPALIVE" != "1" ] && [ -n "$qn6" ] && [ "$qn6" = "$qns6" ]; then
 			nft_filter_apply_port_target f6
 			f6="$f6 $first_packets_only"
 			nft_filter_apply_ipset_target6 f6
 			nft_fw_nfqws_post6 "$f6 $desync" "$qn6"
 			nft_fw_reverse_nfqws_rule6 "$f6" "$qn6"
 		else
 			if [ -n "$qn6" ]; then
-				f6=
+				f6="tcp dport {$HTTP_PORTS}"
-				nft_filter_apply_port_target_quic f6
+				[ "$MODE_HTTP_KEEPALIVE" = "1" ] || f6="$f6 $first_packets_only"
 				f6="$f6 $first_packets_only"
 				nft_filter_apply_ipset_target6 f6
-				nft_fw_nfqws_post6 "$f6 $desync" $qn6
+				nft_fw_nfqws_post6 "$f6 $desync" "$qn6"
 				nft_fw_reverse_nfqws_rule6 "$f6" "$qn6"
 			fi
 			if [ -n "$qns6" ]; then
 				f6="tcp dport {$HTTPS_PORTS} $first_packets_only"
 				nft_filter_apply_ipset_target6 f6
 				nft_fw_nfqws_post6 "$f6 $desync" "$qns6"
 				nft_fw_reverse_nfqws_rule6 "$f6" "$qns6"
 			fi
 		fi
-			POSTNAT=$POSTNAT_SAVE
+		get_nfqws_qnums_quic qn qn6
-			;;
+		if [ -n "$qn" ]; then
-		custom)
+			f4=
-	    		existf zapret_custom_firewall_nft && zapret_custom_firewall_nft
+			nft_filter_apply_port_target_quic f4
-			;;
+			f4="$f4 $first_packets_only"
 			nft_filter_apply_ipset_target4 f4
 			nft_fw_nfqws_post4 "$f4 $desync" "$qn"
 		fi
 		if [ -n "$qn6" ]; then
 			f6=
 			nft_filter_apply_port_target_quic f6
 			f6="$f6 $first_packets_only"
 			nft_filter_apply_ipset_target6 f6
 			nft_fw_nfqws_post6 "$f6 $desync" "$qn6"
 		fi
 		POSTNAT=$POSTNAT_SAVE
 		;;
 	custom)
 		existf zapret_custom_firewall_nft && zapret_custom_firewall_nft
 		;;
 	esac
 }
-zapret_apply_firewall_nft()
+zapret_apply_firewall_nft() {
 {
 	echo Applying nftables
 	local mode="${MODE_OVERRIDE:-$MODE}"
@ -728,19 +662,17 @@ zapret_apply_firewall_nft()
 	return 0
 }
-zapret_unapply_firewall_nft()
+zapret_unapply_firewall_nft() {
 {
 	echo Clearing nftables
 	unprepare_route_localnet
 	nft_del_firewall
 	return 0
 }
-zapret_do_firewall_nft()
+zapret_do_firewall_nft() {
 {
 	# $1 - 1 - add, 0 - del
-	if [ "$1" = 0 ] ; then
+	if [ "$1" = 0 ]; then
 		zapret_unapply_firewall_nft
 	else
 		zapret_apply_firewall_nft
--- a/common/pf.sh
+++ b/common/pf.sh
@ -6,14 +6,12 @@ PF_ANCHOR_ZAPRET_V6="$PF_ANCHOR_DIR/zapret-v6"
 std_ports
-pf_anchor_root_reload()
+pf_anchor_root_reload() {
 {
 	echo reloading PF root anchor
 	pfctl -qf "$PF_MAIN"
 }
-pf_anchor_root()
+pf_anchor_root() {
 {
 	local patch
 	[ -f "$PF_MAIN" ] && {
 		grep -q '^rdr-anchor "zapret"$' "$PF_MAIN" || {
@ -39,8 +37,8 @@ set limit table-entries 5000000
 		}
 		grep -q '^anchor "zapret"$' "$PF_MAIN" &&
-		grep -q '^rdr-anchor "zapret"$' "$PF_MAIN" &&
+			grep -q '^rdr-anchor "zapret"$' "$PF_MAIN" &&
-		grep -q '^set limit table-entries' "$PF_MAIN" && {
+			grep -q '^set limit table-entries' "$PF_MAIN" && {
 			if [ -n "$patch" ]; then
 				echo successfully patched $PF_MAIN
 				pf_anchor_root_reload
@ -57,13 +55,11 @@ set limit table-entries 5000000
 	echo ----------------------------------
 	return 1
 }
-pf_anchor_root_del()
+pf_anchor_root_del() {
 {
 	sed -i '' -e '/^anchor "zapret"$/d' -e '/^rdr-anchor "zapret"$/d' -e '/^set limit table-entries/d' "$PF_MAIN"
 }
-pf_anchor_zapret()
+pf_anchor_zapret() {
 {
 	[ "$DISABLE_IPV4" = "1" ] || {
 		if [ -f "$ZIPLIST_EXCLUDE" ]; then
 			echo "table <nozapret> persist file \"$ZIPLIST_EXCLUDE\""
@ -83,8 +79,7 @@ pf_anchor_zapret()
 	[ "$DISABLE_IPV4" = "1" ] || echo "anchor \"/zapret-v4\" inet to !<nozapret>"
 	[ "$DISABLE_IPV6" = "1" ] || echo "anchor \"/zapret-v6\" inet6 to !<nozapret6>"
 }
-pf_anchor_zapret_tables()
+pf_anchor_zapret_tables() {
 {
 	# $1 - variable to receive applied table names
 	# $2/$3 $4/$5 ...  table_name/table_file
 	local tblv=$1
@ -92,22 +87,21 @@ pf_anchor_zapret_tables()
 	shift
 	[ "$MODE_FILTER" = "ipset" ] &&
-	{
+		{
-		while [ -n "$1" ] && [ -n "$2" ] ; do
+			while [ -n "$1" ] && [ -n "$2" ]; do
-			[ -f "$2" ] && {
+				[ -f "$2" ] && {
-				echo "table <$1> file \"$2\""
+					echo "table <$1> file \"$2\""
-				_tbl="$_tbl<$1> "
+					_tbl="$_tbl<$1> "
-			}
+				}
-			shift
+				shift
-			shift
+				shift
-		done
+			done
-	}
+		}
 	[ -n "$_tbl" ] || _tbl="any"
-	eval $tblv="\"\$_tbl\""
+	eval "$tblv"="\"\$_tbl\""
 }
-pf_anchor_port_target()
+pf_anchor_port_target() {
 {
 	if [ "$MODE_HTTP" = "1" ] && [ "$MODE_HTTPS" = "1" ]; then
 		echo "{$HTTP_PORTS_IPT,$HTTPS_PORTS_IPT}"
 	elif [ "$MODE_HTTPS" = "1" ]; then
@ -117,20 +111,19 @@ pf_anchor_port_target()
 	fi
 }
-pf_anchor_zapret_v4_tpws()
+pf_anchor_zapret_v4_tpws() {
 {
 	# $1 - port
 	local rule port=$(pf_anchor_port_target)
 	for lan in $IFACE_LAN; do
 		for t in $tbl; do
-			 echo "rdr on $lan inet proto tcp from any to $t port $port -> 127.0.0.1 port $1"
+			echo "rdr on $lan inet proto tcp from any to $t port $port -> 127.0.0.1 port $1"
 		done
 	done
 	echo "rdr on lo0 inet proto tcp from !127.0.0.0/8 to any port $port -> 127.0.0.1 port $1"
 	for t in $tbl; do
 		rule="route-to (lo0 127.0.0.1) inet proto tcp from !127.0.0.0/8 to $t port $port user { >root }"
-		if [ -n "$IFACE_WAN" ] ; then
+		if [ -n "$IFACE_WAN" ]; then
 			for wan in $IFACE_WAN; do
 				echo "pass out on $wan $rule"
 			done
@ -140,31 +133,29 @@ pf_anchor_zapret_v4_tpws()
 	done
 }
-pf_anchor_zapret_v4()
+pf_anchor_zapret_v4() {
 {
 	local tbl port
 	[ "$DISABLE_IPV4" = "1" ] || {
 		case $MODE in
-			tpws)
+		tpws)
-				[ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return
+			[ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return
-				pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST"
+			pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST"
-				pf_anchor_zapret_v4_tpws $TPPORT
+			pf_anchor_zapret_v4_tpws "$TPPORT"
-				;;
+			;;
-			custom)
+		custom)
-				pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST"
+			pf_anchor_zapret_tables tbl zapret-user "$ZIPLIST_USER" zapret "$ZIPLIST"
-				existf zapret_custom_firewall_v4 && zapret_custom_firewall_v4
+			existf zapret_custom_firewall_v4 && zapret_custom_firewall_v4
-				;;
+			;;
 		esac
 	}
 }
-pf_anchor_zapret_v6_tpws()
+pf_anchor_zapret_v6_tpws() {
 {
 	# $1 - port
 	local LL_LAN rule port=$(pf_anchor_port_target)
 	# LAN link local is only for router
 	for lan in $IFACE_LAN; do
-		LL_LAN=$(get_ipv6_linklocal $lan)
+		LL_LAN=$(get_ipv6_linklocal "$lan")
 		[ -n "$LL_LAN" ] && {
 			for t in $tbl; do
 				echo "rdr on $lan inet6 proto tcp from any to $t port $port -> $LL_LAN port $1"
@ -174,7 +165,7 @@ pf_anchor_zapret_v6_tpws()
 	echo "rdr on lo0 inet6 proto tcp from !::1 to any port $port -> fe80::1 port $1"
 	for t in $tbl; do
 		rule="route-to (lo0 fe80::1) inet6 proto tcp from !::1 to $t port $port user { >root }"
-		if [ -n "${IFACE_WAN6:-$IFACE_WAN}" ] ; then
+		if [ -n "${IFACE_WAN6:-$IFACE_WAN}" ]; then
 			for wan in ${IFACE_WAN6:-$IFACE_WAN}; do
 				echo "pass out on $wan $rule"
 			done
@ -183,38 +174,34 @@ pf_anchor_zapret_v6_tpws()
 		fi
 	done
 }
-pf_anchor_zapret_v6()
+pf_anchor_zapret_v6() {
 {
 	local tbl port
 	[ "$DISABLE_IPV6" = "1" ] || {
 		case $MODE in
-			tpws)
+		tpws)
-				[ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return
+			[ ! "$MODE_HTTP" = "1" ] && [ ! "$MODE_HTTPS" = "1" ] && return
-				pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6"
+			pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6"
-				pf_anchor_zapret_v6_tpws $TPPORT
+			pf_anchor_zapret_v6_tpws "$TPPORT"
-				;;
+			;;
-			custom)
+		custom)
-				pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6"
+			pf_anchor_zapret_tables tbl zapret6-user "$ZIPLIST_USER6" zapret6 "$ZIPLIST6"
-				existf zapret_custom_firewall_v6 && zapret_custom_firewall_v6
+			existf zapret_custom_firewall_v6 && zapret_custom_firewall_v6
-				;;
+			;;
 		esac
 	}
 }
-pf_anchors_create()
+pf_anchors_create() {
 {
 	wait_lan_ll
 	pf_anchor_zapret >"$PF_ANCHOR_ZAPRET"
 	pf_anchor_zapret_v4 >"$PF_ANCHOR_ZAPRET_V4"
 	pf_anchor_zapret_v6 >"$PF_ANCHOR_ZAPRET_V6"
 }
-pf_anchors_del()
+pf_anchors_del() {
 {
 	rm -f "$PF_ANCHOR_ZAPRET" "$PF_ANCHOR_ZAPRET_V4" "$PF_ANCHOR_ZAPRET_V6"
 }
-pf_anchors_load()
+pf_anchors_load() {
 {
 	echo loading zapret anchor from "$PF_ANCHOR_ZAPRET"
 	pfctl -qa zapret -f "$PF_ANCHOR_ZAPRET" || {
 		echo error loading zapret anchor
@ -243,20 +230,17 @@ pf_anchors_load()
 	echo successfully loaded PF anchors
 	return 0
 }
-pf_anchors_clear()
+pf_anchors_clear() {
 {
 	echo clearing zapret anchors
 	pfctl -qa zapret-v4 -F all 2>/dev/null
 	pfctl -qa zapret-v6 -F all 2>/dev/null
 	pfctl -qa zapret -F all 2>/dev/null
 }
-pf_enable()
+pf_enable() {
 {
 	echo enabling PF
 	pfctl -qe
 }
-pf_table_reload()
+pf_table_reload() {
 {
 	echo reloading zapret tables
 	[ "$DISABLE_IPV4" = "1" ] || pfctl -qTl -a zapret-v4 -f "$PF_ANCHOR_ZAPRET_V4"
 	[ "$DISABLE_IPV6" = "1" ] || pfctl -qTl -a zapret-v6 -f "$PF_ANCHOR_ZAPRET_V6"
--- a/common/queue.sh
+++ b/common/queue.sh
@ -1,5 +1,4 @@
-apply_unspecified_desync_modes()
+apply_unspecified_desync_modes() {
 {
 	NFQWS_OPT_DESYNC_HTTP="${NFQWS_OPT_DESYNC_HTTP:-$NFQWS_OPT_DESYNC}"
 	NFQWS_OPT_DESYNC_HTTPS="${NFQWS_OPT_DESYNC_HTTPS:-$NFQWS_OPT_DESYNC}"
 	NFQWS_OPT_DESYNC_HTTP6="${NFQWS_OPT_DESYNC_HTTP6:-$NFQWS_OPT_DESYNC_HTTP}"
@ -7,8 +6,7 @@ apply_unspecified_desync_modes()
 	NFQWS_OPT_DESYNC_QUIC6="${NFQWS_OPT_DESYNC_QUIC6:-$NFQWS_OPT_DESYNC_QUIC}"
 }
-get_nfqws_qnums()
+get_nfqws_qnums() {
 {
 	# $1 - var name for ipv4 http
 	# $2 - var name for ipv4 https
 	# $3 - var name for ipv6 http
@ -18,63 +16,62 @@ get_nfqws_qnums()
 	[ "$DISABLE_IPV4" = "1" ] || {
 		_qn=$QNUM
 		_qns=$_qn
-		[ "$NFQWS_OPT_DESYNC_HTTP" = "$NFQWS_OPT_DESYNC_HTTPS" ] || _qns=$(($QNUM+1))
+		[ "$NFQWS_OPT_DESYNC_HTTP" = "$NFQWS_OPT_DESYNC_HTTPS" ] || _qns=$(($QNUM + 1))
 	}
 	[ "$DISABLE_IPV6" = "1" ] || {
-		_qn6=$(($QNUM+2))
+		_qn6=$(($QNUM + 2))
-		_qns6=$(($QNUM+3))
+		_qns6=$(($QNUM + 3))
 		[ "$DISABLE_IPV4" = "1" ] || {
 			if [ "$NFQWS_OPT_DESYNC_HTTP6" = "$NFQWS_OPT_DESYNC_HTTP" ]; then
-				_qn6=$_qn;
+				_qn6=$_qn
 			elif [ "$NFQWS_OPT_DESYNC_HTTP6" = "$NFQWS_OPT_DESYNC_HTTPS" ]; then
-				_qn6=$_qns;
+				_qn6=$_qns
 			fi
 			if [ "$NFQWS_OPT_DESYNC_HTTPS6" = "$NFQWS_OPT_DESYNC_HTTP" ]; then
-				_qns6=$_qn;
+				_qns6=$_qn
 			elif [ "$NFQWS_OPT_DESYNC_HTTPS6" = "$NFQWS_OPT_DESYNC_HTTPS" ]; then
-				_qns6=$_qns;
+				_qns6=$_qns
 			fi
 		}
-		[ "$NFQWS_OPT_DESYNC_HTTPS6" = "$NFQWS_OPT_DESYNC_HTTP6" ] && _qns6=$_qn6;
+		[ "$NFQWS_OPT_DESYNC_HTTPS6" = "$NFQWS_OPT_DESYNC_HTTP6" ] && _qns6=$_qn6
 	}
 	if [ "$MODE_HTTP" = 1 ]; then
-		eval $1=$_qn
+		eval "$1"="$_qn"
-		eval $3=$_qn6
+		eval "$3"="$_qn6"
 	else
-		eval $1=
+		eval "$1"=
-		eval $3=
+		eval "$3"=
 	fi
 	if [ "$MODE_HTTPS" = 1 ]; then
-		eval $2=$_qns
+		eval "$2"="$_qns"
-		eval $4=$_qns6
+		eval "$4"="$_qns6"
 	else
-		eval $2=
+		eval "$2"=
-		eval $4=
+		eval "$4"=
 	fi
 }
-get_nfqws_qnums_quic()
+get_nfqws_qnums_quic() {
 {
 	# $1 - var name for ipv4 quic
 	# $2 - var name for ipv6 quic
 	local _qn _qn6
 	[ "$DISABLE_IPV4" = "1" ] || {
-		_qn=$(($QNUM+10))
+		_qn=$(($QNUM + 10))
 	}
 	[ "$DISABLE_IPV6" = "1" ] || {
-		_qn6=$(($QNUM+11))
+		_qn6=$(($QNUM + 11))
 		[ "$DISABLE_IPV4" = "1" ] || {
 			if [ "$NFQWS_OPT_DESYNC_QUIC" = "$NFQWS_OPT_DESYNC_QUIC6" ]; then
-				_qn6=$_qn;
+				_qn6=$_qn
 			fi
 		}
 	}
 	if [ "$MODE_QUIC" = 1 ]; then
-		eval $1=$_qn
+		eval "$1"=$_qn
-		eval $2=$_qn6
+		eval "$2"=$_qn6
 	else
-		eval $1=
+		eval "$1"=
-		eval $2=
+		eval "$2"=
 	fi
 }
--- a/common/virt.sh
+++ b/common/virt.sh
@ -1,28 +1,26 @@
-get_virt()
+get_virt() {
 {
 	local vm s v UNAME
 	UNAME=$(uname)
 	case "$UNAME" in
-		Linux)
+	Linux)
-			if exists systemd-detect-virt; then
+		if exists systemd-detect-virt; then
-				vm=$(systemd-detect-virt --vm)
+			vm=$(systemd-detect-virt --vm)
-			elif [ -f /sys/class/dmi/id/product_name ]; then
+		elif [ -f /sys/class/dmi/id/product_name ]; then
-				read s </sys/class/dmi/id/product_name
+			read s </sys/class/dmi/id/product_name
-				for v in KVM QEMU VMware VMW VirtualBox Xen Bochs Parallels BHYVE Hyper-V; do
+			for v in KVM QEMU VMware VMW VirtualBox Xen Bochs Parallels BHYVE Hyper-V; do
-					case "$s" in
+				case "$s" in
-						"$v"*)
+				"$v"*)
-						vm=$v
+					vm=$v
-						break
+					break
-		    			;;
+					;;
-					esac
+				esac
-				done
+			done
-			fi
+		fi
-			;;
+		;;
 	esac
 	echo "$vm" | awk '{print tolower($0)}'
 }
-check_virt()
+check_virt() {
 {
 	echo \* checking virtualization
 	local vm="$(get_virt)"
 	if [ -n "$vm" ]; then
--- a/init.d/macos/custom-tpws
+++ b/init.d/macos/custom-tpws
@ -2,24 +2,21 @@
 TPPORT_MY=987
-zapret_custom_daemons()
+zapret_custom_daemons() {
 {
 	# $1 - 1 - run, 0 - stop
 	local opt="--user=root --port=$TPPORT_MY"
 	filter_apply_hostlist_target opt
 	tpws_apply_binds opt
 	opt="$opt $TPWS_OPT"
-	do_daemon $1 1 "$TPWS" "$opt"
+	do_daemon "$1" 1 "$TPWS" "$opt"
 }
 # custom firewall functions echo rules for zapret-v4 and zapret-v6 anchors
 # they come after automated table definitions. so you can use <zapret> <zapret6> <zapret-user> ...
-zapret_custom_firewall_v4()
+zapret_custom_firewall_v4() {
 {
 	pf_anchor_zapret_v4_tpws $TPPORT_MY
 }
-zapret_custom_firewall_v6()
+zapret_custom_firewall_v6() {
 {
 	pf_anchor_zapret_v6_tpws $TPPORT_MY
 }
--- a/init.d/macos/custom.default
+++ b/init.d/macos/custom.default
@ -2,8 +2,7 @@
 # use helpers from "functions" file
 # in case of upgrade keep this file only, do not modify others
-zapret_custom_daemons()
+zapret_custom_daemons() {
 {
 	# $1 - 1 - run, 0 - stop
 	:
 }
@ -11,11 +10,9 @@ zapret_custom_daemons()
 # custom firewall functions echo rules for zapret-v4 and zapret-v6 anchors
 # they come after automated table definitions. so you can use <zapret> <zapret6> <zapret-user> ...
-zapret_custom_firewall_v4()
+zapret_custom_firewall_v4() {
 {
 	:
 }
-zapret_custom_firewall_v6()
+zapret_custom_firewall_v6() {
 {
 	:
 }
--- a/init.d/macos/functions
+++ b/init.d/macos/functions
@ -21,8 +21,7 @@ TPWS_WAIT_SOCKS6="$TPWS_WAIT --bind-wait-ip-linklocal=30"
 CUSTOM_SCRIPT="$ZAPRET_BASE/init.d/macos/custom"
 [ -f "$CUSTOM_SCRIPT" ] && . "$CUSTOM_SCRIPT"
-run_daemon()
+run_daemon() {
 {
 	# $1 - daemon number : 1,2,3,...
 	# $2 - daemon
 	# $3 - daemon args
@ -31,14 +30,13 @@ run_daemon()
 	local PIDFILE="$PIDDIR/$DAEMONBASE$1.pid"
 	local ARGS="--daemon --pidfile=$PIDFILE $3"
 	[ -f "$PIDFILE" ] && pgrep -qF "$PIDFILE" && {
-		echo Already running $1: $2
+		echo Already running "$1": "$2"
 		return 0
 	}
 	echo "Starting daemon $1: $2 $ARGS"
-	"$2" $ARGS
+	"$2" "$ARGS"
 }
-stop_daemon()
+stop_daemon() {
 {
 	# $1 - daemon number : 1,2,3,...
 	# $2 - daemon
 	# use $PIDDIR/$DAEMONBASE$1.pid as pidfile
@ -49,19 +47,17 @@ stop_daemon()
 	[ -f "$PIDFILE" ] && read PID <"$PIDFILE"
 	[ -n "$PID" ] && {
 		echo "Stopping daemon $1: $2 (PID=$PID)"
-		kill $PID
+		kill "$PID"
 		rm -f "$PIDFILE"
 	}
 	return 0
 }
-do_daemon()
+do_daemon() {
 {
 	# $1 - 1 - run, 0 - stop
 	on_off_function run_daemon stop_daemon "$@"
 }
-tpws_apply_binds()
+tpws_apply_binds() {
 {
 	local o
 	[ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1"
 	[ "$DISABLE_IPV6" = "1" ] || {
@ -69,32 +65,29 @@ tpws_apply_binds()
 			o="$o --bind-iface6=$i --bind-linklocal=force $TPWS_WAIT"
 		done
 	}
-	eval $1="\"\$$1 $o\""
+	eval "$1"="\"\$$1 $o\""
 }
-tpws_apply_socks_binds()
+tpws_apply_socks_binds() {
 {
 	local o
 	[ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1"
 	[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-addr=::1"
 	for lan in $IFACE_LAN; do
-	    [ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$lan $TPWS_WAIT"
+		[ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$lan $TPWS_WAIT"
-	    [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$lan --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
+		[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$lan --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
 	done
-	eval $1="\"\$$1 $o\""
+	eval "$1"="\"\$$1 $o\""
 }
-wait_interface_ll()
+wait_interface_ll() {
-{
+	echo waiting for an IPv6 link local address on "$1" ...
-	echo waiting for an ipv6 link local address on $1 ...
+	"$TPWS" --bind-wait-only --bind-iface6="$1" --bind-linklocal=force "$TPWS_WAIT"
 	"$TPWS" --bind-wait-only --bind-iface6=$1 --bind-linklocal=force $TPWS_WAIT
 }
-wait_lan_ll()
+wait_lan_ll() {
 {
 	[ "$DISABLE_IPV6" != "1" ] && {
 		for lan in $IFACE_LAN; do
-			wait_interface_ll $lan >&2 || {
+			wait_interface_ll "$lan" >&2 || {
 				echo "wait interface failed on $lan"
 				return 1
 			}
@ -102,30 +95,27 @@ wait_lan_ll()
 	}
 	return 0
 }
-get_ipv6_linklocal()
+get_ipv6_linklocal() {
-{
+	ifconfig "$1" | sed -nEe 's/^.*inet6 (fe80:[a-f0-9:]+).*/\1/p'
 	ifconfig $1 | sed -nEe 's/^.*inet6 (fe80:[a-f0-9:]+).*/\1/p'
 }
-
+zapret_do_firewall() {
 zapret_do_firewall()
 {
 	# $1 - 1 - add, 0 - del
 	[ "$1" = 1 -a -n "$INIT_FW_PRE_UP_HOOK" ] && $INIT_FW_PRE_UP_HOOK
 	[ "$1" = 0 -a -n "$INIT_FW_PRE_DOWN_HOOK" ] && $INIT_FW_PRE_DOWN_HOOK
 	case "${MODE_OVERRIDE:-$MODE}" in
-		tpws|filter|custom)
+	tpws | filter | custom)
-			if [ "$1" = "1" ] ; then
+		if [ "$1" = "1" ]; then
-				pf_anchor_root || return 1
+			pf_anchor_root || return 1
-				pf_anchors_create
+			pf_anchors_create
-				pf_anchors_load || return 1
+			pf_anchors_load || return 1
-				pf_enable
+			pf_enable
-			else
+		else
-				pf_anchors_clear
+			pf_anchors_clear
-			fi
+		fi
-			;;
+		;;
 	esac
 	[ "$1" = 1 -a -n "$INIT_FW_POST_UP_HOOK" ] && $INIT_FW_POST_UP_HOOK
@ -133,75 +123,65 @@ zapret_do_firewall()
 	return 0
 }
-zapret_apply_firewall()
+zapret_apply_firewall() {
 {
 	zapret_do_firewall 1 "$@"
 }
-zapret_unapply_firewall()
+zapret_unapply_firewall() {
 {
 	zapret_do_firewall 0 "$@"
 }
-zapret_restart_firewall()
+zapret_restart_firewall() {
 {
 	zapret_unapply_firewall "$@"
 	zapret_apply_firewall "$@"
 }
-
+zapret_do_daemons() {
 zapret_do_daemons()
 {
 	# $1 - 1 - run, 0 - stop
 	local opt
 	case "${MODE_OVERRIDE:-$MODE}" in
-		tpws)
+	tpws)
-			[ "$1" = "1" ] && [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && {
+		[ "$1" = "1" ] && [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && {
-				echo "both ipv4 and ipv6 are disabled. nothing to do"
+			echo "both IPv4 and IPv6 are disabled. nothing to do"
-				return 0
+			return 0
-			}
+		}
-			# MacOS requires root. kernel hardcoded requirement for /dev/pf ioctls
+		# macOS requires root. kernel hardcoded requirement for /dev/pf ioctls
-			opt="--user=root --port=$TPPORT"
+		opt="--user=root --port=$TPPORT"
-			filter_apply_hostlist_target opt
+		filter_apply_hostlist_target opt
-			tpws_apply_binds opt
+		tpws_apply_binds opt
-			opt="$opt $TPWS_OPT"
+		opt="$opt $TPWS_OPT"
-			do_daemon $1 1 "$TPWS" "$opt"
+		do_daemon "$1" 1 "$TPWS" "$opt"
-			;;
+		;;
-		tpws-socks)
+	tpws-socks)
-			[ "$1" = "1" ] && [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && {
+		[ "$1" = "1" ] && [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && {
-				echo "both ipv4 and ipv6 are disabled. nothing to do"
+			echo "both IPv4 and IPv6 are disabled. nothing to do"
-				return 0
+			return 0
-			}
+		}
-			opt="--socks --user=$WS_USER --port=$TPPORT"
+		opt="--socks --user=$WS_USER --port=$TPPORT"
-			tpws_apply_socks_binds opt
+		tpws_apply_socks_binds opt
-			filter_apply_hostlist_target opt
+		filter_apply_hostlist_target opt
-			opt="$opt $TPWS_OPT"
+		opt="$opt $TPWS_OPT"
-			do_daemon $1 1 "$TPWS" "$opt"
+		do_daemon "$1" 1 "$TPWS" "$opt"
-			;;
+		;;
-		filter)
+	filter) ;;
-			;;
+	custom)
-		custom)
+		existf zapret_custom_daemons && zapret_custom_daemons "$1"
-			existf zapret_custom_daemons && zapret_custom_daemons $1
+		;;
-			;;
+	*)
-		*)
+		echo "unsupported MODE=$MODE"
-			echo "unsupported MODE=$MODE"
+		return 1
-			return 1
+		;;
 			;;
 	esac
 	return 0
 }
-zapret_run_daemons()
+zapret_run_daemons() {
 {
 	zapret_do_daemons 1 "$@"
 }
-zapret_stop_daemons()
+zapret_stop_daemons() {
 {
 	zapret_do_daemons 0 "$@"
 }
-zapret_restart_daemons()
+zapret_restart_daemons() {
 {
 	zapret_stop_daemons "$@"
 	zapret_run_daemons "$@"
 }
--- a/init.d/macos/zapret
+++ b/init.d/macos/zapret
@ -2,48 +2,51 @@
 EXEDIR="$(dirname "$0")"
 ZAPRET_BASE="$EXEDIR/../.."
-ZAPRET_BASE="$(cd "$ZAPRET_BASE"; pwd)"
+ZAPRET_BASE="$(
 	cd "$ZAPRET_BASE"
 	pwd
 )"
 . "$EXEDIR/functions"
 case "$1" in
-	start)
+start)
-		zapret_run_daemons
+	zapret_run_daemons
-		[ "$INIT_APPLY_FW" != "1" ] || zapret_apply_firewall
+	[ "$INIT_APPLY_FW" != "1" ] || zapret_apply_firewall
-		;;
+	;;
-	stop)
+stop)
-		[ "$INIT_APPLY_FW" != "1" ] || zapret_unapply_firewall
+	[ "$INIT_APPLY_FW" != "1" ] || zapret_unapply_firewall
-		zapret_stop_daemons
+	zapret_stop_daemons
-		;;
+	;;
-	restart)
+restart)
-		"$0" stop
+	"$0" stop
-		"$0" start
+	"$0" start
-		;;
+	;;
-	start-fw|start_fw)
+start-fw | start_fw)
-		zapret_apply_firewall
+	zapret_apply_firewall
-		;;
+	;;
-	stop-fw|stop_fw)
+stop-fw | stop_fw)
-		zapret_unapply_firewall
+	zapret_unapply_firewall
-		;;
+	;;
-	restart-fw|stop_fw)
+restart-fw | stop_fw)
-		zapret_restart_firewall
+	zapret_restart_firewall
-		;;
+	;;
-	reload-fw-tables|reload_fw_tables)
+reload-fw-tables | reload_fw_tables)
-		pf_table_reload
+	pf_table_reload
-		;;
+	;;
-	start-daemons|start_daemons)
+start-daemons | start_daemons)
-		zapret_run_daemons
+	zapret_run_daemons
-		;;
+	;;
-	stop-daemons|stop_daemons)
+stop-daemons | stop_daemons)
-		zapret_stop_daemons
+	zapret_stop_daemons
-		;;
+	;;
-	restart-daemons|restart_daemons)
+restart-daemons | restart_daemons)
-		zapret_restart_daemons
+	zapret_restart_daemons
-		;;
+	;;
-  *)
+*)
 	N="$SCRIPT/$NAME"
 	echo "Usage: $N {start|stop|start-fw|stop-fw|restart-fw|reload-fw-tables|start-daemons|stop-daemons|restart-daemons}" >&2
 	exit 1
--- a/init.d/openrc/zapret
+++ b/init.d/openrc/zapret
@ -4,7 +4,10 @@
 # on some systems (alpine) for unknown reason non-openrc-run scripts are not started from /etc/init.d
 EXEDIR=$(dirname "$RC_SERVICE")
-EXEDIR="$(cd "$EXEDIR"; pwd)"
+EXEDIR="$(
 	cd "$EXEDIR"
 	pwd
 )"
 ZAPRET_BASE="$EXEDIR/../.."
 ZAPRET_INIT="$ZAPRET_BASE/init.d/sysv/zapret"
@ -23,47 +26,36 @@ description_restart_daemons="Restart zapret firewall only"
 depend() {
 	rc-service -e networking && need networking
 }
-start()
+start() {
 {
 	"$ZAPRET_INIT" start
 }
-stop()
+stop() {
 {
 	"$ZAPRET_INIT" stop
 }
-start_fw()
+start_fw() {
 {
 	"$ZAPRET_INIT" start_fw
 }
-stop_fw()
+stop_fw() {
 {
 	"$ZAPRET_INIT" stop_fw
 }
-restart_fw()
+restart_fw() {
 {
 	"$ZAPRET_INIT" restart_fw
 }
-start_daemons()
+start_daemons() {
 {
 	"$ZAPRET_INIT" start_daemons
 }
-stop_daemons()
+stop_daemons() {
 {
 	"$ZAPRET_INIT" stop_daemons
 }
-restart_daemons()
+restart_daemons() {
 {
 	"$ZAPRET_INIT" restart_daemons
 }
-reload_ifsets()
+reload_ifsets() {
 {
 	"$ZAPRET_INIT" reload_ifsets
 }
-list_ifsets()
+list_ifsets() {
 {
 	"$ZAPRET_INIT" list_ifsets
 }
-list_table()
+list_table() {
 {
 	"$ZAPRET_INIT" list_table
 }
--- a/init.d/openwrt/90-zapret
+++ b/init.d/openwrt/90-zapret
@ -2,8 +2,7 @@
 ZAPRET=/etc/init.d/zapret
-check_lan()
+check_lan() {
 {
 	IS_LAN=
 	[ -n "$OPENWRT_LAN" ] || OPENWRT_LAN=lan
 	for lan in $OPENWRT_LAN; do
@ -13,8 +12,7 @@ check_lan()
 		}
 	done
 }
-check_need_to_reload_tpws6()
+check_need_to_reload_tpws6() {
 {
 	# tpws6 dnat target nft map can only be reloaded within firewall apply procedure
 	# interface ifsets (wanif, wanif6, lanif) can be reloaded independently
 	check_lan
@ -22,7 +20,6 @@ check_need_to_reload_tpws6()
 	[ "$ACTION" = "ifup" -a "$DISABLE_IPV6" != 1 -a -n "$IS_LAN" ] && [ "$MODE" = "tpws" -o "$MODE" = "custom" ] && RELOAD_TPWS6=1
 }
 [ -n "$INTERFACE" ] && [ "$ACTION" = ifup -o "$ACTION" = ifdown ] && [ -x "$ZAPRET" ] && "$ZAPRET" enabled && {
 	SCRIPT=$(readlink "$ZAPRET")
 	if [ -n "$SCRIPT" ]; then
@ -37,27 +34,27 @@ check_need_to_reload_tpws6()
 	check_need_to_reload_tpws6
 	[ -n "$RELOAD_TPWS6" ] && {
-		logger -t zapret restarting daemons due to $ACTION of $INTERFACE to update tpws6 dnat target
+		logger -t zapret restarting daemons due to "$ACTION" of "$INTERFACE" to update tpws6 dnat target
 		"$ZAPRET" restart_daemons
 	}
 	. "$ZAPRET_BASE/common/base.sh"
 	. "$ZAPRET_BASE/common/fwtype.sh"
 	linux_fwtype
 	case "$FWTYPE" in
-		nftables)
+	nftables)
-			if [ -n "$RELOAD_TPWS6" ] ; then
+		if [ -n "$RELOAD_TPWS6" ]; then
-				logger -t zapret reloading nftables due to $ACTION of $INTERFACE to update tpws6 dnat target
+			logger -t zapret reloading nftables due to "$ACTION" of "$INTERFACE" to update tpws6 dnat target
-				"$ZAPRET" restart_fw
+			"$ZAPRET" restart_fw
-			else
+		else
-				logger -t zapret reloading nftables ifsets due to $ACTION of $INTERFACE
+			logger -t zapret reloading nftables ifsets due to "$ACTION" of "$INTERFACE"
-				"$ZAPRET" reload_ifsets
+			"$ZAPRET" reload_ifsets
-			fi
+		fi
-			;;
+		;;
-		iptables)
+	iptables)
-			openwrt_fw3 || {
+		openwrt_fw3 || {
-				logger -t zapret reloading iptables due to $ACTION of $INTERFACE
+			logger -t zapret reloading iptables due to "$ACTION" of "$INTERFACE"
-				"$ZAPRET" restart_fw
+			"$ZAPRET" restart_fw
-			}
+		}
-			;;
+		;;
 	esac
 }
--- a/init.d/openwrt/custom-nfqws-dht4all
+++ b/init.d/openwrt/custom-nfqws-dht4all
@ -1,10 +1,9 @@
 # this custom script in addition to MODE=nfqws runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
 # need to add to config : NFQWS_OPT_DESYNC_DHT="--dpi-desync=fake --dpi-desync-ttl=5"
-QNUM2=$(($QNUM+20))
+QNUM2=$(($QNUM + 20))
-zapret_custom_daemons()
+zapret_custom_daemons() {
 {
        # stop logic is managed by procd
        local MODE_OVERRIDE=nfqws
@ -13,10 +12,9 @@ zapret_custom_daemons()
        start_daemons_procd
        opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
-        run_daemon 100 $NFQWS "$opt"
+        run_daemon 100 "$NFQWS" "$opt"
 }
-zapret_custom_firewall()
+zapret_custom_firewall() {
 {
        # $1 - 1 - run, 0 - stop
        local MODE_OVERRIDE=nfqws
@ -24,15 +22,14 @@ zapret_custom_firewall()
        local first_packet_only="$ipt_connbytes 1:1"
        local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
-        zapret_do_firewall_rules_ipt $1
+        zapret_do_firewall_rules_ipt "$1"
        f='-p udp -m length --length 109:407 -m u32 --u32'
-	uf4='0>>22&0x3C@8>>16=0x6431'
+        uf4='0>>22&0x3C@8>>16=0x6431'
-	uf6='48>>16=0x6431'
+        uf6='48>>16=0x6431'
-        fw_nfqws_post $1 "$f $uf4 $desync $first_packet_only"  "$f $uf6 $desync $first_packet_only" $QNUM2
+        fw_nfqws_post "$1" "$f $uf4 $desync $first_packet_only" "$f $uf6 $desync $first_packet_only" $QNUM2
 }
-zapret_custom_firewall_nft()
+zapret_custom_firewall_nft() {
 {
        # stop logic is not required
        local MODE_OVERRIDE=nfqws
--- a/init.d/openwrt/custom-nfqws-quic4all
+++ b/init.d/openwrt/custom-nfqws-quic4all
@ -2,10 +2,9 @@
 # need to add to config : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake"
 # NOTE : do not use TTL fooling. chromium QUIC engine breaks sessions if TTL expired in transit received
-QNUM2=$(($QNUM+10))
+QNUM2=$(($QNUM + 10))
-zapret_custom_daemons()
+zapret_custom_daemons() {
 {
 	# stop logic is managed by procd
 	local MODE_OVERRIDE=nfqws
@ -14,10 +13,9 @@ zapret_custom_daemons()
 	start_daemons_procd
 	opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
-	run_daemon 100 $NFQWS "$opt"
+	run_daemon 100 "$NFQWS" "$opt"
 }
-zapret_custom_firewall()
+zapret_custom_firewall() {
 {
 	# $1 - 1 - run, 0 - stop
 	local MODE_OVERRIDE=nfqws
@ -25,14 +23,13 @@ zapret_custom_firewall()
 	local first_packets_only="$ipt_connbytes 1:3"
 	local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
-	zapret_do_firewall_rules_ipt $1
+	zapret_do_firewall_rules_ipt "$1"
 	f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
-	fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
+	fw_nfqws_post "$1" "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
 }
-zapret_custom_firewall_nft()
+zapret_custom_firewall_nft() {
 {
 	# stop logic is not required
 	local MODE_OVERRIDE=nfqws
--- a/init.d/openwrt/custom-reuse-builtin-mode
+++ b/init.d/openwrt/custom-reuse-builtin-mode
@ -4,8 +4,7 @@ MY_TPPORT=$(($TPPORT + 1))
 MY_TPWS_OPT="--methodeol --hostcase"
 MY_DPORT=81
-zapret_custom_daemons()
+zapret_custom_daemons() {
 {
 	# stop logic is managed by procd
 	local MODE_OVERRIDE=tpws
@ -17,22 +16,20 @@ zapret_custom_daemons()
 	filter_apply_hostlist_target opt
 	run_tpws 100 "$opt"
 }
-zapret_custom_firewall()
+zapret_custom_firewall() {
 {
 	# $1 - 1 - run, 0 - stop
 	local MODE_OVERRIDE=tpws
 	local f4 f6
-	zapret_do_firewall_rules_ipt $1
+	zapret_do_firewall_rules_ipt "$1"
 	f4="-p tcp --dport $MY_DPORT"
 	f6=$f4
 	filter_apply_ipset_target f4 f6
-	fw_tpws $1 "$f4" "$f6" $MY_TPPORT
+	fw_tpws "$1" "$f4" "$f6" $MY_TPPORT
 }
-zapret_custom_firewall_nft()
+zapret_custom_firewall_nft() {
 {
 	# stop logic is not required
 	local MODE_OVERRIDE=tpws
--- a/init.d/openwrt/custom-tpws4http-nfqws4https
+++ b/init.d/openwrt/custom-tpws4http-nfqws4https
@ -1,8 +1,7 @@
 # this custom script demonstrates how to apply tpws to http and nfqws to https
 # it preserves config settings : MODE_HTTP, MODE_HTTPS, MODE_FILTER, TPWS_OPT, NFQWS_OPT_DESYNC, NFQWS_OPT_DESYNC_HTTPS
-zapret_custom_daemons()
+zapret_custom_daemons() {
 {
 	# stop logic is managed by procd
 	local opt
@ -16,11 +15,10 @@ zapret_custom_daemons()
 	[ "$MODE_HTTPS" = "1" ] && {
 		opt="--qnum=$QNUM $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTPS"
 		filter_apply_hostlist_target opt
-		run_daemon 2 $NFQWS "$opt"
+		run_daemon 2 "$NFQWS" "$opt"
 	}
 }
-zapret_custom_firewall()
+zapret_custom_firewall() {
 {
 	# $1 - 1 - run, 0 - stop
 	local f4 f6
@ -31,18 +29,17 @@ zapret_custom_firewall()
 		f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
 		f6=$f4
 		filter_apply_ipset_target f4 f6
-		fw_tpws $1 "$f4" "$f6" $TPPORT
+		fw_tpws "$1" "$f4" "$f6" "$TPPORT"
 	}
 	[ "$MODE_HTTPS" = "1" ] && {
 		f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
 		f6=$f4
 		filter_apply_ipset_target f4 f6
-		fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
+		fw_nfqws_post "$1" "$f4 $desync" "$f6 $desync" "$QNUM"
 	}
 }
-zapret_custom_firewall_nft()
+zapret_custom_firewall_nft() {
 {
 	# stop logic is not required
 	local f4 f6
@ -53,15 +50,15 @@ zapret_custom_firewall_nft()
 		f4="tcp dport {$HTTP_PORTS}"
 		f6=$f4
 		nft_filter_apply_ipset_target f4 f6
-		nft_fw_tpws "$f4" "$f6" $TPPORT
+		nft_fw_tpws "$f4" "$f6" "$TPPORT"
 	}
 	[ "$MODE_HTTPS" = "1" ] && {
 		f4="tcp dport {$HTTPS_PORTS} $first_packet_only"
 		f6=$f4
 		nft_filter_apply_ipset_target f4 f6
-		nft_fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM
+		nft_fw_nfqws_post "$f4 $desync" "$f6 $desync" "$QNUM"
 		# for modes that require incoming traffic
-		nft_fw_reverse_nfqws_rule "$f4" "$f6" $QNUM
+		nft_fw_reverse_nfqws_rule "$f4" "$f6" "$QNUM"
 	}
 }
--- a/init.d/openwrt/custom.default
+++ b/init.d/openwrt/custom.default
@ -2,8 +2,7 @@
 # use helpers from "functions" file and "zapret" init script
 # in case of upgrade keep this file only, do not modify others
-zapret_custom_daemons()
+zapret_custom_daemons() {
 {
 	# stop logic is managed by procd
 	# PLACEHOLDER
@ -13,8 +12,7 @@ zapret_custom_daemons()
 	run_daemon 1 /bin/sleep 20
 }
-zapret_custom_firewall()
+zapret_custom_firewall() {
 {
 	# $1 - 1 - run, 0 - stop
 	# PLACEHOLDER
@ -22,8 +20,7 @@ zapret_custom_firewall()
 	echo Configure iptables for required actions
 	echo Study how other sections work
 }
-zapret_custom_firewall_nft()
+zapret_custom_firewall_nft() {
 {
 	# stop logic is not required
 	# PLACEHOLDER
--- a/init.d/openwrt/firewall.zapret
+++ b/init.d/openwrt/firewall.zapret
@ -1,9 +1,9 @@
 SCRIPT=$(readlink /etc/init.d/zapret)
 if [ -n "$SCRIPT" ]; then
- EXEDIR=$(dirname "$SCRIPT")
+    EXEDIR=$(dirname "$SCRIPT")
- ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
+    ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
 else
- ZAPRET_BASE=/opt/zapret
+    ZAPRET_BASE=/opt/zapret
 fi
 . "$ZAPRET_BASE/init.d/openwrt/functions"
--- a/init.d/openwrt/functions
+++ b/init.d/openwrt/functions
@ -35,75 +35,65 @@ IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
 apply_unspecified_desync_modes
-
+# can be multiple IPv6 outgoing interfaces
-# can be multiple ipv6 outgoing interfaces
+# uplink from ISP, tunnelbroker, VPN, ...
 # uplink from isp, tunnelbroker, vpn, ...
 # want them all. who knows what's the real one that blocks sites
 # dont want any manual configuration - want to do it automatically
 # standard network_find_wan[6] return only the first
 # we use low level function from network.sh to avoid this limitation
 # it can change theoretically and stop working
-network_find_wan4_all()
+network_find_wan4_all() {
 {
 	if [ -n "$OPENWRT_WAN4" ]; then
-		eval $1="\$OPENWRT_WAN4"
+		eval "$1"="\$OPENWRT_WAN4"
 	else
 		__network_ifstatus "$1" "" "[@.route[@.target='0.0.0.0' && !@.table]].interface" "" 10 2>/dev/null && return
-		network_find_wan $1
+		network_find_wan "$1"
 	fi
 }
-network_find_wan_all()
+network_find_wan_all() {
 {
 	network_find_wan4_all "$@"
 }
-network_find_wan6_all()
+network_find_wan6_all() {
 {
 	if [ -n "$OPENWRT_WAN6" ]; then
-		eval $1="\$OPENWRT_WAN6"
+		eval "$1"="\$OPENWRT_WAN6"
 	else
 		__network_ifstatus "$1" "" "[@.route[@.target='::' && !@.table]].interface" "" 10 2>/dev/null && return
-		network_find_wan6 $1
+		network_find_wan6 "$1"
 	fi
 }
-network_find_wanX_devices()
+network_find_wanX_devices() {
 {
 	# $1 - ip version: 4 or 6
 	# $2 - variable to put result to
 	local ifaces
-	network_find_wan${1}_all ifaces
+	network_find_wan"${1}"_all ifaces
-	call_for_multiple_items network_get_device $2 "$ifaces"
+	call_for_multiple_items network_get_device "$2" "$ifaces"
 }
-
+dnat6_target() {
-dnat6_target()
+	# $1 - LAN network name
 {
 	# $1 - lan network name
 	# $2 - var to store target ip6
-	network_is_up $1 || {
+	network_is_up "$1" || {
-		[ -n "$2" ] && eval $2=''
+		[ -n "$2" ] && eval "$2"=''
 		return
 	}
 	local DEVICE
-	network_get_device DEVICE $1
+	network_get_device DEVICE "$1"
-	_dnat6_target $DEVICE $2
+	_dnat6_target "$DEVICE" "$2"
 }
-set_route_localnet()
+set_route_localnet() {
 {
 	# $1 - 1 = enable, 0 = disable
 	local DLAN
 	call_for_multiple_items network_get_device DLAN "$OPENWRT_LAN"
-	_set_route_localnet $1 $DLAN
+	_set_route_localnet "$1" "$DLAN"
 }
-
+fw_nfqws_prepost_x() {
 fw_nfqws_prepost_x()
 {
 	# $1 - 1 - add, 0 - del
 	# $2 - filter
 	# $3 - queue number
@ -111,29 +101,24 @@ fw_nfqws_prepost_x()
 	# $5 - post/pre
 	local ifaces DWAN
-	network_find_wan${4}_all ifaces
+	network_find_wan"${4}"_all ifaces
 	call_for_multiple_items network_get_device DWAN "$ifaces"
-	[ -n "$DWAN" ] && _fw_nfqws_${5}${4} $1 "$2" $3 "$(unique $DWAN)"
+	[ -n "$DWAN" ] && _fw_nfqws_"${5}"${4} "$1" "$2" "$3" "$(unique "$DWAN")"
 }
-fw_nfqws_post4()
+fw_nfqws_post4() {
-{
+	fw_nfqws_prepost_x "$1" "$2" "$3" 4 post
 	fw_nfqws_prepost_x  $1 "$2" $3 4 post
 }
-fw_nfqws_post6()
+fw_nfqws_post6() {
-{
+	fw_nfqws_prepost_x "$1" "$2" "$3" 6 post
 	fw_nfqws_prepost_x  $1 "$2" $3 6 post
 }
-fw_nfqws_pre4()
+fw_nfqws_pre4() {
-{
+	fw_nfqws_prepost_x "$1" "$2" "$3" 4 pre
 	fw_nfqws_prepost_x  $1 "$2" $3 4 pre
 }
-fw_nfqws_pre6()
+fw_nfqws_pre6() {
-{
+	fw_nfqws_prepost_x "$1" "$2" "$3" 6 pre
 	fw_nfqws_prepost_x  $1 "$2" $3 6 pre
 }
-fw_tpws_x()
+fw_tpws_x() {
 {
 	# $1 - 1 - add, 0 - del
 	# $2 - filter
 	# $3 - tpws port
@ -143,102 +128,88 @@ fw_tpws_x()
 	call_for_multiple_items network_get_device DLAN "$OPENWRT_LAN"
-	network_find_wan${4}_all ifaces
+	network_find_wan"${4}"_all ifaces
 	call_for_multiple_items network_get_device DWAN "$ifaces"
-	[ -n "$DWAN" ] && _fw_tpws${4} $1 "$2" $3 "$DLAN" "$(unique $DWAN)"
+	[ -n "$DWAN" ] && _fw_tpws"${4}" "$1" "$2" "$3" "$DLAN" "$(unique "$DWAN")"
 }
-fw_tpws4()
+fw_tpws4() {
-{
+	fw_tpws_x "$1" "$2" "$3" 4
 	fw_tpws_x $1 "$2" $3 4
 }
-fw_tpws6()
+fw_tpws6() {
-{
+	fw_tpws_x "$1" "$2" "$3" 6
 	fw_tpws_x $1 "$2" $3 6
 }
-
+create_ipset() {
 create_ipset()
 {
 	echo "Creating ip list table (firewall type $FWTYPE)"
 	"$IPSET_CR" "$@"
 }
-list_nfqws_rules()
+list_nfqws_rules() {
-{
+	# $1 = '' for IPv4, '6' for IPv6
-	# $1 = '' for ipv4, '6' for ipv6
+	ip"$1"tables -S POSTROUTING -t mangle |
-	ip$1tables -S POSTROUTING -t mangle | \
+		grep -E "NFQUEUE --queue-num $QNUM --queue-bypass|NFQUEUE --queue-num $(($QNUM + 1)) --queue-bypass|NFQUEUE --queue-num $(($QNUM + 2)) --queue-bypass|NFQUEUE --queue-num $(($QNUM + 3)) --queue-bypass|NFQUEUE --queue-num $(($QNUM + 10)) --queue-bypass|NFQUEUE --queue-num $(($QNUM + 11)) --queue-bypass" |
 		grep -E "NFQUEUE --queue-num $QNUM --queue-bypass|NFQUEUE --queue-num $(($QNUM+1)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+2)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+3)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+10)) --queue-bypass|NFQUEUE --queue-num $(($QNUM+11)) --queue-bypass" | \
 		sed -re 's/^-A POSTROUTING (.*) -j NFQUEUE.*$/\1/' -e "s/-m mark ! --mark $DESYNC_MARK\/$DESYNC_MARK//"
 }
-apply_flow_offloading_enable_rule()
+apply_flow_offloading_enable_rule() {
-{
+	# $1 = '' for IPv4, '6' for IPv6
 	# $1 = '' for ipv4, '6' for ipv6
 	local i off='-j FLOWOFFLOAD'
 	[ "$FLOWOFFLOAD" = "hardware" ] && off="$off --hw"
 	i="forwarding_rule_zapret -m comment --comment zapret_traffic_offloading_enable -m conntrack --ctstate RELATED,ESTABLISHED $off"
-	echo enabling ipv${1:-4} flow offloading : $i
+	echo enabling ipv"${1:-4}" flow offloading : "$i"
-	ip$1tables -A $i
+	ip"$1"tables -A "$i"
 }
-apply_flow_offloading_exempt_rule()
+apply_flow_offloading_exempt_rule() {
-{
+	# $1 = '' for IPv4, '6' for IPv6
 	# $1 = '' for ipv4, '6' for ipv6
 	local i v
 	v=$1
 	shift
 	i="forwarding_rule_zapret $@ -m comment --comment zapret_traffic_offloading_exemption -j RETURN"
-	echo applying ipv${v:-4} flow offloading exemption : $i
+	echo applying ipv"${v:-4}" flow offloading exemption : "$i"
-	ip${v}tables -A $i
+	ip"${v}"tables -A "$i"
 }
-flow_offloading_unexempt_v()
+flow_offloading_unexempt_v() {
-{
+	# $1 = '' for IPv4, '6' for IPv6
 	# $1 = '' for ipv4, '6' for ipv6
 	local DWAN
-	network_find_wanX_devices ${1:-4} DWAN
+	network_find_wanX_devices "${1:-4}" DWAN
-	for i in $DWAN; do ipt$1_del FORWARD -o $i -j forwarding_rule_zapret ; done
+	for i in $DWAN; do ipt"$1"_del FORWARD -o "$i" -j forwarding_rule_zapret; done
-	ip$1tables -F forwarding_rule_zapret 2>/dev/null
+	ip"$1"tables -F forwarding_rule_zapret 2>/dev/null
-	ip$1tables -X forwarding_rule_zapret 2>/dev/null
+	ip"$1"tables -X forwarding_rule_zapret 2>/dev/null
 }
-flow_offloading_exempt_v()
+flow_offloading_exempt_v() {
-{
+	# $1 = '' for IPv4, '6' for IPv6
-	# $1 = '' for ipv4, '6' for ipv6
+	is_ipt_flow_offload_avail "$1" || return 0
 	is_ipt_flow_offload_avail $1 || return 0
-	flow_offloading_unexempt_v $1
+	flow_offloading_unexempt_v "$1"
 	[ "$FLOWOFFLOAD" = 'software' -o "$FLOWOFFLOAD" = 'hardware' ] && {
-		ip$1tables -N forwarding_rule_zapret
+		ip"$1"tables -N forwarding_rule_zapret
 		# remove outgoing interface
-		list_nfqws_rules $1 | sed -re 's/-o +[^ ]+//g' |
+		list_nfqws_rules "$1" | sed -re 's/-o +[^ ]+//g' |
-		while read rule; do
+			while read rule; do
-			apply_flow_offloading_exempt_rule "$1" $rule
+				apply_flow_offloading_exempt_rule "$1" "$rule"
-		done
+			done
-		apply_flow_offloading_enable_rule $1
+		apply_flow_offloading_enable_rule "$1"
 		# only outgoing to WAN packets trigger flow offloading
 		local DWAN
-		network_find_wanX_devices ${1:-4} DWAN
+		network_find_wanX_devices "${1:-4}" DWAN
-		for i in $DWAN; do ipt$1 FORWARD -o $i -j forwarding_rule_zapret; done
+		for i in $DWAN; do ipt"$1" FORWARD -o "$i" -j forwarding_rule_zapret; done
 	}
 	return 0
 }
-flow_offloading_exempt()
+flow_offloading_exempt() {
 {
 	[ "$DISABLE_IPV4" = "1" ] || flow_offloading_exempt_v
 	[ "$DISABLE_IPV6" = "1" ] || flow_offloading_exempt_v 6
 }
-flow_offloading_unexempt()
+flow_offloading_unexempt() {
 {
 	[ "$DISABLE_IPV4" = "1" ] || flow_offloading_unexempt_v
 	[ "$DISABLE_IPV6" = "1" ] || flow_offloading_unexempt_v 6
 }
-
+nft_fill_ifsets_overload() {
 nft_fill_ifsets_overload()
 {
 	local ifaces DLAN DWAN DWAN6 PDLAN PDWAN PDWAN6
 	call_for_multiple_items network_get_device DLAN "$OPENWRT_LAN"
@ -255,29 +226,23 @@ nft_fill_ifsets_overload()
 	nft_fill_ifsets "$DLAN" "$DWAN" "$DWAN6" "$PDLAN" "$PDWAN" "$PDWAN6"
 }
-nft_fw_tpws4()
+nft_fw_tpws4() {
-{
+	_nft_fw_tpws4 "$1" "$2" always_apply_wan_filter
 	_nft_fw_tpws4 "$1" $2 always_apply_wan_filter
 }
-nft_fw_tpws6()
+nft_fw_tpws6() {
 {
 	local DLAN
 	call_for_multiple_items network_get_device DLAN "$OPENWRT_LAN"
-	_nft_fw_tpws6 "$1" $2 "$DLAN" always_apply_wan_filter
+	_nft_fw_tpws6 "$1" "$2" "$DLAN" always_apply_wan_filter
 }
-nft_fw_nfqws_post4()
+nft_fw_nfqws_post4() {
-{
+	_nft_fw_nfqws_post4 "$1" "$2" always_apply_wan_filter
 	_nft_fw_nfqws_post4 "$1" $2 always_apply_wan_filter
 }
-nft_fw_nfqws_post6()
+nft_fw_nfqws_post6() {
-{
+	_nft_fw_nfqws_post6 "$1" "$2" always_apply_wan_filter
 	_nft_fw_nfqws_post6 "$1" $2 always_apply_wan_filter
 }
-nft_fw_nfqws_pre4()
+nft_fw_nfqws_pre4() {
-{
+	_nft_fw_nfqws_pre4 "$1" "$2" always_apply_wan_filter
 	_nft_fw_nfqws_pre4 "$1" $2 always_apply_wan_filter
 }
-nft_fw_nfqws_pre6()
+nft_fw_nfqws_pre6() {
-{
+	_nft_fw_nfqws_pre6 "$1" "$2" always_apply_wan_filter
 	_nft_fw_nfqws_pre6 "$1" $2 always_apply_wan_filter
 }
--- a/init.d/openwrt/zapret
+++ b/init.d/openwrt/zapret
@ -25,17 +25,16 @@ my_extra_command restart_daemons "Restart zapret firewall only (=restart in ipta
 SCRIPT=$(readlink /etc/init.d/zapret)
 if [ -n "$SCRIPT" ]; then
- EXEDIR=$(dirname "$SCRIPT")
+	EXEDIR=$(dirname "$SCRIPT")
- ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
+	ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
 else
- ZAPRET_BASE=/opt/zapret
+	ZAPRET_BASE=/opt/zapret
 fi
 . "$ZAPRET_BASE/init.d/openwrt/functions"
-
+# !!!!! in old OpenWrt 21.x- with iptables firewall rules are configured separately
-# !!!!! in old openwrt 21.x- with iptables firewall rules are configured separately
+# !!!!! in new OpenWrt >21.x with nftables firewall is configured here
 # !!!!! in new openwrt >21.x with nftables firewall is configured here
 PIDDIR=/var/run
@ -50,8 +49,7 @@ TPWS_WAIT="--bind-wait-ifup=30 --bind-wait-ip=30"
 TPWS_WAIT_SOCKS6="$TPWS_WAIT --bind-wait-ip-linklocal=30"
 TPWS_OPT_BASE6_PRE="--bind-linklocal=prefer $TPWS_WAIT --bind-wait-ip-linklocal=3"
-run_daemon()
+run_daemon() {
 {
 	# $1 - daemon string id or number. can use 1,2,3,...
 	# $2 - daemon
 	# $3 - daemon args
@ -59,13 +57,12 @@ run_daemon()
 	local DAEMONBASE="$(basename "$2")"
 	echo "Starting daemon $1: $2 $3"
 	procd_open_instance
-	procd_set_param command $2 $3
+	procd_set_param command "$2" "$3"
-	procd_set_param pidfile $PIDDIR/$DAEMONBASE$1.pid
+	procd_set_param pidfile $PIDDIR/"$DAEMONBASE"$1.pid
 	procd_close_instance
 }
-run_tpws()
+run_tpws() {
 {
 	[ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && return 0
 	local OPT="$TPWS_OPT_BASE"
@ -75,144 +72,128 @@ run_tpws()
 	[ "$DISABLE_IPV6" = "1" ] || {
 		OPT="$OPT $TPWS_OPT_BASE6"
 		for lan in $OPENWRT_LAN; do
-		    network_get_device DEVICE $lan
+			network_get_device DEVICE "$lan"
-		    [ -n "$DEVICE" ] && OPT="$OPT --bind-iface6=$DEVICE $TPWS_OPT_BASE6_PRE"
+			[ -n "$DEVICE" ] && OPT="$OPT --bind-iface6=$DEVICE $TPWS_OPT_BASE6_PRE"
 		done
 	}
-	run_daemon $1 "$TPWS" "$OPT $2"
+	run_daemon "$1" "$TPWS" "$OPT $2"
 }
-run_tpws_socks()
+run_tpws_socks() {
 {
 	[ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && return 0
 	local opt="$TPWS_OPT_BASE --socks"
 	tpws_apply_socks_binds opt
-	run_daemon $1 "$TPWS" "$opt $2"
+	run_daemon "$1" "$TPWS" "$opt $2"
 }
-stop_tpws()
+stop_tpws() {
-{
+	stop_daemon "$1" "$TPWS"
 	stop_daemon $1 "$TPWS"
 }
-
+tpws_apply_socks_binds() {
 tpws_apply_socks_binds()
 {
 	local o
 	[ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1"
 	[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-addr=::1"
 	for lan in $OPENWRT_LAN; do
-	    network_get_device DEVICE $lan
+		network_get_device DEVICE "$lan"
-	    [ -n "$DEVICE" ] || continue
+		[ -n "$DEVICE" ] || continue
-	    [ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$DEVICE $TPWS_WAIT"
+		[ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$DEVICE $TPWS_WAIT"
-	    [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$DEVICE --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
+		[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$DEVICE --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
 	done
-	eval $1="\"\$$1 $o\""
+	eval "$1"="\"\$$1 $o\""
 }
-
+start_daemons_procd() {
 start_daemons_procd()
 {
 	local opt qn qns qn6 qns6
 	case "${MODE_OVERRIDE:-$MODE}" in
-		tpws)
+	tpws)
-			opt="--port=$TPPORT $TPWS_OPT"
+		opt="--port=$TPPORT $TPWS_OPT"
 		filter_apply_hostlist_target opt
 		run_tpws 1 "$opt"
 		;;
 	tpws-socks)
 		opt="--port=$TPPORT $TPWS_OPT"
 		filter_apply_hostlist_target opt
 		run_tpws_socks 1 "$opt"
 		;;
 	nfqws)
 		# quite complex but we need to minimize nfqws processes to save RAM
 		get_nfqws_qnums qn qns qn6 qns6
 		[ -z "$qn" ] || {
 			opt="--qnum=$qn $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTP"
 			filter_apply_hostlist_target opt
-			run_tpws 1 "$opt"
+			run_daemon 1 "$NFQWS" "$opt"
-			;;
+		}
-		tpws-socks)
+		[ -z "$qns" ] || [ "$qns" = "$qn" ] || {
-			opt="--port=$TPPORT $TPWS_OPT"
+			opt="--qnum=$qns $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTPS"
 			filter_apply_hostlist_target opt
-			run_tpws_socks 1 "$opt"
+			run_daemon 2 "$NFQWS" "$opt"
-			;;
+		}
-		nfqws)
+		[ -z "$qn6" ] || [ "$qn6" = "$qn" ] || [ "$qn6" = "$qns" ] || {
-			# quite complex but we need to minimize nfqws processes to save RAM
+			opt="--qnum=$qn6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTP6"
-			get_nfqws_qnums qn qns qn6 qns6
+			filter_apply_hostlist_target opt
-			[ -z "$qn" ] || {
+			run_daemon 3 "$NFQWS" "$opt"
-				opt="--qnum=$qn $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTP"
+		}
-				filter_apply_hostlist_target opt
+		[ -z "$qns6" ] || [ "$qns6" = "$qn" ] || [ "$qns6" = "$qns" ] || [ "$qns6" = "$qn6" ] || {
-				run_daemon 1 "$NFQWS" "$opt"
+			opt="--qnum=$qns6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTPS6"
-			}
+			filter_apply_hostlist_target opt
-			[ -z "$qns" ] || [ "$qns" = "$qn" ] || {
+			run_daemon 4 "$NFQWS" "$opt"
-				opt="--qnum=$qns $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTPS"
+		}
-				filter_apply_hostlist_target opt
+		get_nfqws_qnums_quic qn qn6
-				run_daemon 2 "$NFQWS" "$opt"
+		[ -z "$qn" ] || {
-			}
+			opt="--qnum=$qn $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
-			[ -z "$qn6" ] || [ "$qn6" = "$qn" ] || [ "$qn6" = "$qns" ] || {
+			filter_apply_hostlist_target opt
-				opt="--qnum=$qn6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTP6"
+			run_daemon 10 "$NFQWS" "$opt"
-				filter_apply_hostlist_target opt
+		}
-				run_daemon 3 "$NFQWS" "$opt"
+		[ -z "$qn6" ] || [ "$qn6" = "$qn" ] || {
-			}
+			opt="--qnum=$qn6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC6"
-			[ -z "$qns6" ] || [ "$qns6" = "$qn" ] || [ "$qns6" = "$qns" ] || [ "$qns6" = "$qn6" ] || {
+			filter_apply_hostlist_target opt
-				opt="--qnum=$qns6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_HTTPS6"
+			run_daemon 11 "$NFQWS" "$opt"
-				filter_apply_hostlist_target opt
+		}
-				run_daemon 4 "$NFQWS" "$opt"
+		;;
-			}
+	custom)
-			get_nfqws_qnums_quic qn qn6
+		existf zapret_custom_daemons && zapret_custom_daemons "$1"
-			[ -z "$qn" ] || {
+		;;
 				opt="--qnum=$qn $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
 				filter_apply_hostlist_target opt
 				run_daemon 10 "$NFQWS" "$opt"
 			}
 			[ -z "$qn6" ] || [ "$qn6" = "$qn" ] || {
 				opt="--qnum=$qn6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC6"
 				filter_apply_hostlist_target opt
 				run_daemon 11 "$NFQWS" "$opt"
 			}
 			;;
 		custom)
 	    		existf zapret_custom_daemons && zapret_custom_daemons $1
 			;;
 	esac
 	return 0
 }
-start_daemons()
+start_daemons() {
 {
 	rc_procd start_daemons_procd "$@"
 }
-stop_daemons()
+stop_daemons() {
-{
+	procd_kill "$(basename "${basescript:-$initscript}")" "$1"
 	procd_kill "$(basename ${basescript:-$initscript})" "$1"
 }
-restart_daemons()
+restart_daemons() {
 {
 	stop_daemons
 	start_daemons
 }
-start_fw()
+start_fw() {
 {
 	zapret_apply_firewall
 }
-stop_fw()
+stop_fw() {
 {
 	zapret_unapply_firewall
 }
-restart_fw()
+restart_fw() {
 {
 	stop_fw
 	start_fw
 }
-reload_ifsets()
+reload_ifsets() {
 {
 	zapret_reload_ifsets
 }
-list_ifsets()
+list_ifsets() {
 {
 	zapret_list_ifsets
 }
-list_table()
+list_table() {
 {
 	zapret_list_table
 }
-start_service()
+start_service() {
 {
 	start_daemons_procd
 	[ "$INIT_APPLY_FW" != "1" ] || {
 		linux_fwtype
@ -220,8 +201,7 @@ start_service()
 	}
 }
-stop_service()
+stop_service() {
 {
 	# this procedure is called from stop()
 	# stop() already stop daemons
 	[ "$INIT_APPLY_FW" != "1" ] || {
--- a/init.d/pfsense/zapret.sh
+++ b/init.d/pfsense/zapret.sh
@ -14,7 +14,8 @@ sysctl net.inet6.ip6.pfil.outbound=ipfw,pf
 sysctl net.inet6.ip6.pfil.inbound=ipfw,pf
 # required for newer pfsense versions (2.6.0 tested) to return ipfw to functional state
-pfctl -d ; pfctl -e
+pfctl -d
 pfctl -e
 # add ipfw rules and start daemon
--- a/init.d/sysv/custom-nfqws-dht4all
+++ b/init.d/sysv/custom-nfqws-dht4all
@ -1,22 +1,20 @@
 # this custom script in addition to MODE=nfqws runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
 # need to add to config : NFQWS_OPT_DESYNC_DHT="--dpi-desync=fake --dpi-desync-ttl=5"
-QNUM2=$(($QNUM+20))
+QNUM2=$(($QNUM + 20))
-zapret_custom_daemons()
+zapret_custom_daemons() {
 {
        # stop logic is managed by procd
        local MODE_OVERRIDE=nfqws
        local opt
-        zapret_do_daemons $1
+        zapret_do_daemons "$1"
        opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
-	do_nfqws $1 100 "$opt"
+        do_nfqws "$1" 100 "$opt"
 }
-zapret_custom_firewall()
+zapret_custom_firewall() {
 {
        # $1 - 1 - run, 0 - stop
        local MODE_OVERRIDE=nfqws
@ -24,16 +22,15 @@ zapret_custom_firewall()
        local first_packet_only="$ipt_connbytes 1:1"
        local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
-        zapret_do_firewall_rules_ipt $1
+        zapret_do_firewall_rules_ipt "$1"
        f='-p udp -m length --length 109:407 -m u32 --u32'
-	uf4='0>>22&0x3C@8>>16=0x6431'
+        uf4='0>>22&0x3C@8>>16=0x6431'
-	uf6='48>>16=0x6431'
+        uf6='48>>16=0x6431'
-        fw_nfqws_post $1 "$f $uf4 $desync $first_packet_only"  "$f $uf6 $desync $first_packet_only" $QNUM2
+        fw_nfqws_post "$1" "$f $uf4 $desync $first_packet_only" "$f $uf6 $desync $first_packet_only" $QNUM2
 }
-zapret_custom_firewall_nft()
+zapret_custom_firewall_nft() {
 {
        # stop logic is not required
        local MODE_OVERRIDE=nfqws
@ -46,4 +43,3 @@ zapret_custom_firewall_nft()
        f="meta length 109-407 meta l4proto udp @th,64,16 0x6431"
        nft_fw_nfqws_post "$f $desync $first_packet_only" "$f $desync $first_packet_only" $QNUM2
 }
--- a/init.d/sysv/custom-nfqws-quic4all
+++ b/init.d/sysv/custom-nfqws-quic4all
@ -2,22 +2,20 @@
 # need to add to config : NFQWS_OPT_DESYNC_QUIC="--dpi-desync=fake"
 # NOTE : do not use TTL fooling. chromium QUIC engine breaks sessions if TTL expired in transit received
-QNUM2=$(($QNUM+10))
+QNUM2=$(($QNUM + 10))
-zapret_custom_daemons()
+zapret_custom_daemons() {
 {
 	# $1 - 1 - run, 0 - stop
 	local MODE_OVERRIDE=nfqws
 	local opt
-	zapret_do_daemons $1
+	zapret_do_daemons "$1"
 	opt="--qnum=$QNUM2 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
-	do_nfqws $1 100 "$opt"
+	do_nfqws "$1" 100 "$opt"
 }
-zapret_custom_firewall()
+zapret_custom_firewall() {
 {
 	# $1 - 1 - run, 0 - stop
 	local MODE_OVERRIDE=nfqws
@ -25,14 +23,13 @@ zapret_custom_firewall()
 	local first_packets_only="$ipt_connbytes 1:3"
 	local desync="-m mark ! --mark $DESYNC_MARK/$DESYNC_MARK"
-	zapret_do_firewall_rules_ipt $1
+	zapret_do_firewall_rules_ipt "$1"
 	f="-p udp -m multiport --dports $QUIC_PORTS_IPT"
-	fw_nfqws_post $1 "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
+	fw_nfqws_post "$1" "$f $desync $first_packets_only" "$f $desync $first_packets_only" $QNUM2
 }
-zapret_custom_firewall_nft()
+zapret_custom_firewall_nft() {
 {
 	# stop logic is not required
 	local MODE_OVERRIDE=nfqws
--- a/init.d/sysv/custom-reuse-builtin-mode
+++ b/init.d/sysv/custom-reuse-builtin-mode
@ -4,35 +4,32 @@ MY_TPPORT=$(($TPPORT + 1))
 MY_TPWS_OPT="--methodeol --hostcase"
 MY_DPORT=81
-zapret_custom_daemons()
+zapret_custom_daemons() {
 {
 	# $1 - 1 - run, 0 - stop
 	local MODE_OVERRIDE=tpws
 	local opt
-	zapret_do_daemons $1
+	zapret_do_daemons "$1"
 	opt="--port=$MY_TPPORT $MY_TPWS_OPT"
 	filter_apply_hostlist_target opt
-	do_tpws $1 100 "$opt"
+	do_tpws "$1" 100 "$opt"
 }
-zapret_custom_firewall()
+zapret_custom_firewall() {
 {
 	# $1 - 1 - run, 0 - stop
 	local MODE_OVERRIDE=tpws
 	local f4 f6
-	zapret_do_firewall_rules_ipt $1
+	zapret_do_firewall_rules_ipt "$1"
 	f4="-p tcp --dport $MY_DPORT"
 	f6=$f4
 	filter_apply_ipset_target f4 f6
-	fw_tpws $1 "$f4" "$f6" $MY_TPPORT
+	fw_tpws "$1" "$f4" "$f6" $MY_TPPORT
 }
-zapret_custom_firewall_nft()
+zapret_custom_firewall_nft() {
 {
 	# stop logic is not required
 	local MODE_OVERRIDE=tpws
--- a/init.d/sysv/custom-tpws4http-nfqws4https
+++ b/init.d/sysv/custom-tpws4http-nfqws4https
@ -1,8 +1,7 @@
 # this custom script demonstrates how to apply tpws to http and nfqws to https
 # it preserves config settings : MODE_HTTP, MODE_HTTPS, MODE_FILTER, TPWS_OPT, NFQWS_OPT_DESYNC, NFQWS_OPT_DESYNC_HTTPS
-zapret_custom_daemons()
+zapret_custom_daemons() {
 {
 	# $1 - 1 - run, 0 - stop
 	local opt
@ -10,17 +9,16 @@ zapret_custom_daemons()
 	[ "$MODE_HTTP" = "1" ] && {
 		opt="--port=$TPPORT $TPWS_OPT"
 		filter_apply_hostlist_target opt
-		do_tpws $1 1 "$opt"
+		do_tpws "$1" 1 "$opt"
 	}
 	[ "$MODE_HTTPS" = "1" ] && {
 		opt="--qnum=$QNUM $NFQWS_OPT_DESYNC_HTTPS"
 		filter_apply_hostlist_target opt
-		do_nfqws $1 2 "$opt"
+		do_nfqws "$1" 2 "$opt"
 	}
 }
-zapret_custom_firewall()
+zapret_custom_firewall() {
 {
 	# $1 - 1 - run, 0 - stop
 	local f4 f6
@ -31,20 +29,19 @@ zapret_custom_firewall()
 		f4="-p tcp -m multiport --dports $HTTP_PORTS_IPT"
 		f6=$f4
 		filter_apply_ipset_target f4 f6
-		fw_tpws $1 "$f4" "$f6" $TPPORT
+		fw_tpws "$1" "$f4" "$f6" "$TPPORT"
 	}
 	[ "$MODE_HTTPS" = "1" ] && {
 		f4="-p tcp -m multiport --dports $HTTPS_PORTS_IPT $first_packet_only"
 		f6=$f4
 		filter_apply_ipset_target f4 f6
-		fw_nfqws_post $1 "$f4 $desync" "$f6 $desync" $QNUM
+		fw_nfqws_post "$1" "$f4 $desync" "$f6 $desync" "$QNUM"
 		# for modes that require incoming traffic
-		fw_reverse_nfqws_rule $1 "$f4" "$f6" $QNUM
+		fw_reverse_nfqws_rule "$1" "$f4" "$f6" "$QNUM"
 	}
 }
-zapret_custom_firewall_nft()
+zapret_custom_firewall_nft() {
 {
 	# stop logic is not required
 	local f4 f6
@ -55,15 +52,15 @@ zapret_custom_firewall_nft()
 		f4="tcp dport {$HTTP_PORTS}"
 		f6=$f4
 		nft_filter_apply_ipset_target f4 f6
-		nft_fw_tpws "$f4" "$f6" $TPPORT
+		nft_fw_tpws "$f4" "$f6" "$TPPORT"
 	}
 	[ "$MODE_HTTPS" = "1" ] && {
 		f4="tcp dport {$HTTPS_PORTS} $first_packet_only"
 		f6=$f4
 		nft_filter_apply_ipset_target f4 f6
-		nft_fw_nfqws_post "$f4 $desync" "$f6 $desync" $QNUM
+		nft_fw_nfqws_post "$f4 $desync" "$f6 $desync" "$QNUM"
 		# for modes that require incoming traffic
-		nft_fw_reverse_nfqws_rule "$f4" "$f6" $QNUM
+		nft_fw_reverse_nfqws_rule "$f4" "$f6" "$QNUM"
 	}
 }
--- a/init.d/sysv/custom.default
+++ b/init.d/sysv/custom.default
@ -2,8 +2,7 @@
 # use helpers from "functions" file
 # in case of upgrade keep this file only, do not modify others
-zapret_custom_daemons()
+zapret_custom_daemons() {
 {
 	# $1 - 1 - run, 0 - stop
 	# PLACEHOLDER
@ -11,10 +10,9 @@ zapret_custom_daemons()
 	echo Start daemon\(s\)
 	echo Study how other sections work
-	do_daemon $1 1 /bin/sleep 20
+	do_daemon "$1" 1 /bin/sleep 20
 }
-zapret_custom_firewall()
+zapret_custom_firewall() {
 {
 	# $1 - 1 - run, 0 - stop
 	# PLACEHOLDER
@ -23,8 +21,7 @@ zapret_custom_firewall()
 	echo Study how other sections work
 }
-zapret_custom_firewall_nft()
+zapret_custom_firewall_nft() {
 {
 	# stop logic is not required
 	# PLACEHOLDER
--- a/init.d/sysv/functions
+++ b/init.d/sysv/functions
@ -13,38 +13,34 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
 . "$ZAPRET_BASE/common/linux_fw.sh"
 . "$ZAPRET_BASE/common/list.sh"
-
+user_exists() {
-user_exists()
+	id -u "$1" >/dev/null 2>/dev/null
 {
 	id -u $1 >/dev/null 2>/dev/null
 }
-useradd_compat()
+useradd_compat() {
 {
 	# $1 - username
 	# skip for readonly systems
 	[ -w "/etc" ] && {
-		if exists useradd ; then
+		if exists useradd; then
-			useradd --no-create-home --system --shell /bin/false $1
+			useradd --no-create-home --system --shell /bin/false "$1"
-		elif is_linked_to_busybox adduser ; then
+		elif is_linked_to_busybox adduser; then
 			# some systems may miss nogroup group in /etc/group
 			# adduser fails if it's absent and no group is specified
 			addgroup nogroup 2>/dev/null
 			# busybox has special adduser syntax
-			adduser -S -H -D $1
+			adduser -S -H -D "$1"
 		elif exists adduser; then
-			adduser --no-create-home --system --disabled-login $1
+			adduser --no-create-home --system --disabled-login "$1"
 		fi
 	}
-	user_exists $1
+	user_exists "$1"
 }
-prepare_user()
+prepare_user() {
 {
 	# $WS_USER is required to prevent redirection of the traffic originating from TPWS itself
 	# otherwise infinite loop will occur
 	# also its good idea not to run tpws as root
-	user_exists $WS_USER || {
+	user_exists "$WS_USER" || {
 		# fallback to daemon if we cant add WS_USER
-		useradd_compat $WS_USER || {
+		useradd_compat "$WS_USER" || {
 			for user in daemon nobody; do
 				user_exists $user && {
 					WS_USER=$user
@ -59,10 +55,10 @@ prepare_user()
 # this complex user selection allows to survive in any locked/readonly/minimalistic environment
 [ -n "$WS_USER" ] || WS_USER=tpws
 if prepare_user; then
- USEROPT="--user=$WS_USER"
+	USEROPT="--user=$WS_USER"
 else
- WS_USER=1
+	WS_USER=1
- USEROPT="--uid $WS_USER:$WS_USER"
+	USEROPT="--uid $WS_USER:$WS_USER"
 fi
 PIDDIR=/var/run
@ -97,72 +93,54 @@ CUSTOM_SCRIPT="$ZAPRET_BASE/init.d/sysv/custom"
 IPSET_EXCLUDE="-m set ! --match-set nozapret"
 IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
-
+dnat6_target() {
 dnat6_target()
 {
 	_dnat6_target "$@"
 }
-set_route_localnet()
+set_route_localnet() {
-{
+	_set_route_localnet "$1" "$IFACE_LAN"
 	_set_route_localnet $1 "$IFACE_LAN"
 }
-fw_nfqws_post4()
+fw_nfqws_post4() {
-{
+	_fw_nfqws_post4 "$1" "$2" "$3" "$IFACE_WAN"
 	_fw_nfqws_post4  $1 "$2" $3 "$IFACE_WAN"
 }
-fw_nfqws_post6()
+fw_nfqws_post6() {
-{
+	_fw_nfqws_post6 "$1" "$2" "$3" "${IFACE_WAN6:-$IFACE_WAN}"
 	_fw_nfqws_post6  $1 "$2" $3 "${IFACE_WAN6:-$IFACE_WAN}"
 }
-fw_nfqws_pre4()
+fw_nfqws_pre4() {
-{
+	_fw_nfqws_pre4 "$1" "$2" "$3" "$IFACE_WAN"
 	_fw_nfqws_pre4  $1 "$2" $3 "$IFACE_WAN"
 }
-fw_nfqws_pre6()
+fw_nfqws_pre6() {
-{
+	_fw_nfqws_pre6 "$1" "$2" "$3" "${IFACE_WAN6:-$IFACE_WAN}"
 	_fw_nfqws_pre6  $1 "$2" $3 "${IFACE_WAN6:-$IFACE_WAN}"
 }
-fw_tpws4()
+fw_tpws4() {
-{
+	_fw_tpws4 "$1" "$2" "$3" "$IFACE_LAN" "$IFACE_WAN"
 	_fw_tpws4 $1 "$2" $3 "$IFACE_LAN" "$IFACE_WAN"
 }
-fw_tpws6()
+fw_tpws6() {
-{
+	_fw_tpws6 "$1" "$2" "$3" "$IFACE_LAN" "${IFACE_WAN6:-$IFACE_WAN}"
 	_fw_tpws6 $1 "$2" $3 "$IFACE_LAN" "${IFACE_WAN6:-$IFACE_WAN}"
 }
-nft_fw_tpws4()
+nft_fw_tpws4() {
-{
+	_nft_fw_tpws4 "$1" "$2" "$IFACE_WAN"
 	_nft_fw_tpws4 "$1" $2 "$IFACE_WAN"
 }
-nft_fw_tpws6()
+nft_fw_tpws6() {
-{
+	_nft_fw_tpws6 "$1" "$2" "$IFACE_LAN" "${IFACE_WAN6:-$IFACE_WAN}"
 	_nft_fw_tpws6 "$1" $2 "$IFACE_LAN" "${IFACE_WAN6:-$IFACE_WAN}"
 }
-nft_fw_nfqws_post4()
+nft_fw_nfqws_post4() {
-{
+	_nft_fw_nfqws_post4 "$1" "$2" "$IFACE_WAN"
 	_nft_fw_nfqws_post4 "$1" $2 "$IFACE_WAN"
 }
-nft_fw_nfqws_post6()
+nft_fw_nfqws_post6() {
-{
+	_nft_fw_nfqws_post6 "$1" "$2" "${IFACE_WAN6:-$IFACE_WAN}"
 	_nft_fw_nfqws_post6 "$1" $2 "${IFACE_WAN6:-$IFACE_WAN}"
 }
-nft_fw_nfqws_pre4()
+nft_fw_nfqws_pre4() {
-{
+	_nft_fw_nfqws_pre4 "$1" "$2" "$IFACE_WAN"
 	_nft_fw_nfqws_pre4 "$1" $2 "$IFACE_WAN"
 }
-nft_fw_nfqws_pre6()
+nft_fw_nfqws_pre6() {
-{
+	_nft_fw_nfqws_pre6 "$1" "$2" "${IFACE_WAN6:-$IFACE_WAN}"
 	_nft_fw_nfqws_pre6 "$1" $2 "${IFACE_WAN6:-$IFACE_WAN}"
 }
-nft_fill_ifsets_overload()
+nft_fill_ifsets_overload() {
 {
 	nft_fill_ifsets "$IFACE_LAN" "$IFACE_WAN" "${IFACE_WAN6:-$IFACE_WAN}"
 }
-
+run_daemon() {
 run_daemon()
 {
 	# $1 - daemon number : 1,2,3,...
 	# $2 - daemon
 	# $3 - daemon args
@ -171,52 +149,48 @@ run_daemon()
 	local DAEMONBASE="$(basename "$2")"
 	local PIDFILE=$PIDDIR/$DAEMONBASE$1.pid
 	echo "Starting daemon $1: $2 $3"
-	if exists start-stop-daemon ; then
+	if exists start-stop-daemon; then
-		start-stop-daemon -S -p "$PIDFILE" -m -b -x "$2" -- $3
+		start-stop-daemon -S -p "$PIDFILE" -m -b -x "$2" -- "$3"
 	else
 		if [ -f "$PIDFILE" ] && pgrep -F "$PIDFILE" "$DAEMONBASE" >/dev/null; then
 			echo already running
 		else
-			"$2" $3 >/dev/null 2>/dev/null &
+			"$2" "$3" >/dev/null 2>/dev/null &
 			PID=$!
 			if [ -n "$PID" ]; then
-				echo $PID >$PIDFILE
+				echo $PID >"$PIDFILE"
 			else
-				echo could not start daemon $1 : $2 $3
+				echo could not start daemon "$1" : "$2" "$3"
 				false
 			fi
 		fi
 	fi
 }
-stop_daemon()
+stop_daemon() {
 {
 	# $1 - daemon number : 1,2,3,...
 	# $2 - daemon
 	# use $PIDDIR/$DAEMONBASE$1.pid as pidfile
 	local DAEMONBASE="$(basename "$2")"
 	local PIDFILE=$PIDDIR/$DAEMONBASE$1.pid
 	echo "Stopping daemon $1: $2"
-	if exists start-stop-daemon ; then
+	if exists start-stop-daemon; then
 		start-stop-daemon -K -p "$PIDFILE" -x "$2"
 	else
 		if [ -f "$PIDFILE" ]; then
 			read PID <"$PIDFILE"
-			kill $PID
+			kill "$PID"
 			rm -f "$PIDFILE"
 		else
-			echo no pidfile : $PIDFILE
+			echo no pidfile : "$PIDFILE"
 		fi
 	fi
 }
-do_daemon()
+do_daemon() {
 {
 	# $1 - 1 - run, 0 - stop
 	on_off_function run_daemon stop_daemon "$@"
 }
-
+do_tpws() {
 do_tpws()
 {
 	# $1 : 1 - run, 0 - stop
 	# $2 : daemon number
 	# $3 : daemon args
@ -233,10 +207,9 @@ do_tpws()
 		done
 	}
-	do_daemon $1 $2 "$TPWS" "$OPT $3"
+	do_daemon "$1" "$2" "$TPWS" "$OPT $3"
 }
-do_tpws_socks()
+do_tpws_socks() {
 {
 	# $1 : 1 - run, 0 - stop
 	# $2 : daemon number
 	# $3 : daemon args
@ -247,104 +220,95 @@ do_tpws_socks()
 	tpws_apply_socks_binds opt
-	do_daemon $1 $2 "$TPWS" "$opt $3"
+	do_daemon "$1" "$2" "$TPWS" "$opt $3"
 }
-do_nfqws()
+do_nfqws() {
 {
 	# $1 : 1 - run, 0 - stop
 	# $2 : daemon number
 	# $3 : daemon args
-	do_daemon $1 $2 "$NFQWS" "$NFQWS_OPT_BASE $3"
+	do_daemon "$1" "$2" "$NFQWS" "$NFQWS_OPT_BASE $3"
 }
-tpws_apply_socks_binds()
+tpws_apply_socks_binds() {
 {
 	local o
 	[ "$DISABLE_IPV4" = "1" ] || o="--bind-addr=127.0.0.1"
 	[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-addr=::1"
 	for lan in $IFACE_LAN; do
-	    [ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$lan $TPWS_WAIT"
+		[ "$DISABLE_IPV4" = "1" ] || o="$o --bind-iface4=$lan $TPWS_WAIT"
-	    [ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$lan --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
+		[ "$DISABLE_IPV6" = "1" ] || o="$o --bind-iface6=$lan --bind-linklocal=unwanted $TPWS_WAIT_SOCKS6"
 	done
-	eval $1="\"\$$1 $o\""
+	eval "$1"="\"\$$1 $o\""
 }
-
+create_ipset() {
 create_ipset()
 {
 	echo "Creating ip list table (firewall type $FWTYPE)"
 	"$IPSET_CR" "$@"
 }
-
+zapret_do_daemons() {
 zapret_do_daemons()
 {
 	# $1 - 1 - run, 0 - stop
 	local opt qn qns qn6 qns6
 	case "${MODE_OVERRIDE:-$MODE}" in
-		tpws)
+	tpws)
-			opt="--port=$TPPORT $TPWS_OPT"
+		opt="--port=$TPPORT $TPWS_OPT"
 		filter_apply_hostlist_target opt
 		do_tpws "$1" 1 "$opt"
 		;;
 	tpws-socks)
 		opt="--port=$TPPORT $TPWS_OPT"
 		filter_apply_hostlist_target opt
 		do_tpws_socks "$1" 1 "$opt"
 		;;
 	nfqws)
 		get_nfqws_qnums qn qns qn6 qns6
 		[ -z "$qn" ] || {
 			opt="--qnum=$qn $NFQWS_OPT_DESYNC_HTTP"
 			filter_apply_hostlist_target opt
-			do_tpws $1 1 "$opt"
+			do_nfqws "$1" 1 "$opt"
-			;;
+		}
-		tpws-socks)
+		[ -z "$qns" ] || [ "$qns" = "$qn" ] || {
-			opt="--port=$TPPORT $TPWS_OPT"
+			opt="--qnum=$qns $NFQWS_OPT_DESYNC_HTTPS"
 			filter_apply_hostlist_target opt
-			do_tpws_socks $1 1 "$opt"
+			do_nfqws "$1" 2 "$opt"
-			;;
+		}
-		nfqws)
+		[ -z "$qn6" ] || [ "$qn6" = "$qn" ] || [ "$qn6" = "$qns" ] || {
-			get_nfqws_qnums qn qns qn6 qns6
+			opt="--qnum=$qn6 $NFQWS_OPT_DESYNC_HTTP6"
-			[ -z "$qn" ] || {
+			filter_apply_hostlist_target opt
-				opt="--qnum=$qn $NFQWS_OPT_DESYNC_HTTP"
+			do_nfqws "$1" 3 "$opt"
-				filter_apply_hostlist_target opt
+		}
-				do_nfqws $1 1 "$opt"
+		[ -z "$qns6" ] || [ "$qns6" = "$qn" ] || [ "$qns6" = "$qns" ] || [ "$qns6" = "$qn6" ] || {
-			}
+			opt="--qnum=$qns6 $NFQWS_OPT_DESYNC_HTTPS6"
-			[ -z "$qns" ] || [ "$qns" = "$qn" ] || {
+			filter_apply_hostlist_target opt
-				opt="--qnum=$qns $NFQWS_OPT_DESYNC_HTTPS"
+			do_nfqws "$1" 4 "$opt"
-				filter_apply_hostlist_target opt
+		}
-				do_nfqws $1 2 "$opt"
+		get_nfqws_qnums_quic qn qn6
-			}
+		[ -z "$qn" ] || {
-			[ -z "$qn6" ] || [ "$qn6" = "$qn" ] || [ "$qn6" = "$qns" ] || {
+			opt="--qnum=$qn $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
-				opt="--qnum=$qn6 $NFQWS_OPT_DESYNC_HTTP6"
+			filter_apply_hostlist_target opt
-				filter_apply_hostlist_target opt
+			do_nfqws "$1" 10 "$opt"
-				do_nfqws $1 3 "$opt"
+		}
-			}
+		[ -z "$qn6" ] || [ "$qn6" = "$qn" ] || {
-			[ -z "$qns6" ] || [ "$qns6" = "$qn" ] || [ "$qns6" = "$qns" ] || [ "$qns6" = "$qn6" ] || {
+			opt="--qnum=$qn6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC6"
-				opt="--qnum=$qns6 $NFQWS_OPT_DESYNC_HTTPS6"
+			filter_apply_hostlist_target opt
-				filter_apply_hostlist_target opt
+			do_nfqws "$1" 11 "$opt"
-				do_nfqws $1 4 "$opt"
+		}
-			}
+		;;
-			get_nfqws_qnums_quic qn qn6
+	custom)
-			[ -z "$qn" ] || {
+		existf zapret_custom_daemons && zapret_custom_daemons "$1"
-				opt="--qnum=$qn $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC"
+		;;
 				filter_apply_hostlist_target opt
 				do_nfqws $1 10 "$opt"
 			}
 			[ -z "$qn6" ] || [ "$qn6" = "$qn" ] || {
 				opt="--qnum=$qn6 $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_QUIC6"
 				filter_apply_hostlist_target opt
 				do_nfqws $1 11 "$opt"
 			}
 			;;
 		custom)
 	    		existf zapret_custom_daemons && zapret_custom_daemons $1
 			;;
 	esac
 	return 0
 }
-zapret_run_daemons()
+zapret_run_daemons() {
 {
 	zapret_do_daemons 1 "$@"
 }
-zapret_stop_daemons()
+zapret_stop_daemons() {
 {
 	zapret_do_daemons 0 "$@"
 }
--- a/init.d/sysv/zapret
+++ b/init.d/sysv/zapret
@ -15,65 +15,63 @@ ZAPRET_BASE=$(readlink -f "$EXEDIR/../..")
 NAME=zapret
 DESC=anti-zapret
-do_start()
+do_start() {
 {
 	zapret_run_daemons
 	[ "$INIT_APPLY_FW" != "1" ] || { zapret_apply_firewall; }
 }
-do_stop()
+do_stop() {
 {
 	zapret_stop_daemons
 	[ "$INIT_APPLY_FW" != "1" ] || zapret_unapply_firewall
 }
 case "$1" in
-	start)
+start)
-		do_start
+	do_start
-		;;
+	;;
-	stop)
+stop)
-		do_stop
+	do_stop
-		;;
+	;;
-	restart)
+restart)
-		do_stop
+	do_stop
-		do_start
+	do_start
-		;;
+	;;
-	start-fw|start_fw)
+start-fw | start_fw)
-		zapret_apply_firewall
+	zapret_apply_firewall
-		;;
+	;;
-	stop-fw|stop_fw)
+stop-fw | stop_fw)
-		zapret_unapply_firewall
+	zapret_unapply_firewall
-		;;
+	;;
-	restart-fw|restart_fw)
+restart-fw | restart_fw)
-		zapret_unapply_firewall
+	zapret_unapply_firewall
-		zapret_apply_firewall
+	zapret_apply_firewall
-		;;
+	;;
-	start-daemons|start_daemons)
+start-daemons | start_daemons)
-		zapret_run_daemons
+	zapret_run_daemons
-		;;
+	;;
-	stop-daemons|stop_daemons)
+stop-daemons | stop_daemons)
-		zapret_stop_daemons
+	zapret_stop_daemons
-		;;
+	;;
-	restart-daemons|restart_daemons)
+restart-daemons | restart_daemons)
-		zapret_stop_daemons
+	zapret_stop_daemons
-		zapret_run_daemons
+	zapret_run_daemons
-		;;
+	;;
-	reload-ifsets|reload_ifsets)	
+reload-ifsets | reload_ifsets)
-		zapret_reload_ifsets
+	zapret_reload_ifsets
-		;;
+	;;
-	list-ifsets|list_ifsets)	
+list-ifsets | list_ifsets)
-		zapret_list_ifsets
+	zapret_list_ifsets
-		;;
+	;;
-	list-table|list_table)	
+list-table | list_table)
-		zapret_list_table
+	zapret_list_table
-		;;
+	;;
-  *)
+*)
 	N=/etc/init.d/$NAME
 	echo "Usage: $N {start|stop|restart|start-fw|stop-fw|restart-fw|start-daemons|stop-daemons|restart-daemons|reload-ifsets|list-ifsets|list-table}" >&2
 	exit 1
--- a/install_bin.sh
+++ b/install_bin.sh
@ -1,15 +1,17 @@
 #!/bin/sh
 EXEDIR="$(dirname "$0")"
-EXEDIR="$(cd "$EXEDIR"; pwd)"
+EXEDIR="$(
 	cd "$EXEDIR"
 	pwd
 )"
 BINS=binaries
 BINDIR="$EXEDIR/$BINS"
 ZAPRET_BASE=${ZAPRET_BASE:-"$EXEDIR"}
 . "$ZAPRET_BASE/common/base.sh"
-check_dir()
+check_dir() {
 {
 	local dir="$BINDIR/$1"
 	local exe="$dir/ip2net"
 	local out
@ -39,8 +41,7 @@ check_dir()
 }
 # link or copy executables. uncomment either ln or cp, comment other
-ccp()
+ccp() {
 {
 	local F="$(basename "$1")"
 	[ -d "$ZAPRET_BASE/$2" ] || mkdir "$ZAPRET_BASE/$2"
 	[ -f "$ZAPRET_BASE/$2/$F" ] && rm -f "$ZAPRET_BASE/$2/$F"
@ -51,49 +52,48 @@ ccp()
 UNAME=$(uname)
 unset PKTWS
 case $UNAME in
-	Linux)
+Linux)
-		ARCHLIST="my x86_64 x86 aarch64 arm mips64r2-msb mips32r1-lsb mips32r1-msb ppc"
+	ARCHLIST="my x86_64 x86 aarch64 arm mips64r2-msb mips32r1-lsb mips32r1-msb ppc"
-		PKTWS=nfqws
+	PKTWS=nfqws
-		;;
+	;;
-	Darwin)
+Darwin)
-		ARCHLIST="my mac64"
+	ARCHLIST="my mac64"
-		;;
+	;;
-	FreeBSD)
+FreeBSD)
-		ARCHLIST="my freebsd-x64"
+	ARCHLIST="my freebsd-x64"
-		PKTWS=dvtws
+	PKTWS=dvtws
-		;;
+	;;
-	CYGWIN*)
+CYGWIN*)
-		UNAME=CYGWIN
+	UNAME=CYGWIN
-		ARCHLIST="win64"
+	ARCHLIST="win64"
-		PKTWS=winws
+	PKTWS=winws
-		;;
+	;;
-	*)
+*)
-		ARCHLIST="my"
+	ARCHLIST="my"
 	;;
 esac
 if [ "$1" = "getarch" ]; then
-	for arch in $ARCHLIST
+	for arch in $ARCHLIST; do
 	do
 		[ -d "$BINDIR/$arch" ] || continue
-		if check_dir $arch; then
+		if check_dir "$arch"; then
-	 		echo $arch
+			echo "$arch"
-	 		exit 0
+			exit 0
-	 	fi
+		fi
 	done
 else
-	for arch in $ARCHLIST
+	for arch in $ARCHLIST; do
 	do
 		[ -d "$BINDIR/$arch" ] || continue
-		if check_dir $arch; then
+		if check_dir "$arch"; then
-			echo $arch is OK
+			echo "$arch" is OK
 			echo installing binaries ...
-			ccp $arch/ip2net ip2net
+			ccp "$arch"/ip2net ip2net
-			ccp $arch/mdig mdig
+			ccp "$arch"/mdig mdig
-			[ -n "$PKTWS" ] && ccp $arch/$PKTWS nfq
+			[ -n "$PKTWS" ] && ccp "$arch"/$PKTWS nfq
-			[ "$UNAME" = CYGWIN ] || ccp $arch/tpws tpws
+			[ "$UNAME" = CYGWIN ] || ccp "$arch"/tpws tpws
-	 		exit 0
+			exit 0
 		else
-			echo $arch is NOT OK
+			echo "$arch" is NOT OK
 		fi
 	done
 	echo no compatible binaries found
--- a/install_easy.sh
+++ b/install_easy.sh
@ -3,7 +3,10 @@
 # automated script for easy installing zapret
 EXEDIR="$(dirname "$0")"
-EXEDIR="$(cd "$EXEDIR"; pwd)"
+EXEDIR="$(
 	cd "$EXEDIR"
 	pwd
 )"
 ZAPRET_BASE=${ZAPRET_BASE:-"$EXEDIR"}
 ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
 ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
@ -31,17 +34,16 @@ GET_LIST="$IPSET_DIR/get_config.sh"
 [ -n "$TPPORT" ] || TPPORT=988
-check_readonly_system()
+check_readonly_system() {
 {
 	local RO
 	echo \* checking readonly system
-        case $SYSTEM in
+	case $SYSTEM in
-		systemd)
+	systemd)
-			[ -w "$SYSTEMD_SYSTEM_DIR" ] || RO=1
+		[ -w "$SYSTEMD_SYSTEM_DIR" ] || RO=1
-			;;
+		;;
-		openrc)
+	openrc)
-			[ -w "$(dirname "$INIT_SCRIPT")" ] || RO=1
+		[ -w "$(dirname "$INIT_SCRIPT")" ] || RO=1
-			;;
+		;;
 	esac
 	[ -z "$RO" ] || {
 		echo '!!! READONLY SYSTEM DETECTED !!!'
@ -51,8 +53,7 @@ check_readonly_system()
 	}
 }
-check_bins()
+check_bins() {
 {
 	echo \* checking executables
 	fix_perms_bin_test "$EXEDIR"
@ -66,7 +67,7 @@ check_bins()
 			arch=""
 		fi
 	}
-	if [ -n "$arch" ] ; then
+	if [ -n "$arch" ]; then
 		echo found architecture "\"$arch\""
 	elif [ -f "$EXEDIR/Makefile" ] && exists make; then
 		echo trying to compile
@ -83,17 +84,14 @@ check_bins()
 	fi
 }
-call_install_bin()
+call_install_bin() {
-{
+	sh "$EXEDIR/install_bin.sh" "$1"
 	sh "$EXEDIR/install_bin.sh" $1
 }
-get_bin_arch()
+get_bin_arch() {
 {
 	call_install_bin getarch
 }
-install_binaries()
+install_binaries() {
 {
 	echo \* installing binaries
 	call_install_bin || {
@ -102,8 +100,7 @@ install_binaries()
 	}
 }
-select_mode_mode()
+select_mode_mode() {
 {
 	local edited v vars MODES="tpws tpws-socks nfqws filter custom"
 	[ "$SYSTEM" = "macos" ] && MODES="tpws tpws-socks filter custom"
 	echo
@ -111,44 +108,42 @@ select_mode_mode()
 	ask_list MODE "$MODES" tpws && write_config_var MODE
 	case $MODE in
-		tpws)
+	tpws)
-			vars="TPWS_OPT"
+		vars="TPWS_OPT"
-			;;
+		;;
-		nfqws)
+	nfqws)
-			vars="NFQWS_OPT_DESYNC NFQWS_OPT_DESYNC_HTTP NFQWS_OPT_DESYNC_HTTPS NFQWS_OPT_DESYNC_HTTP6 NFQWS_OPT_DESYNC_HTTPS6 NFQWS_OPT_DESYNC_QUIC NFQWS_OPT_DESYNC_QUIC6"
+		vars="NFQWS_OPT_DESYNC NFQWS_OPT_DESYNC_HTTP NFQWS_OPT_DESYNC_HTTPS NFQWS_OPT_DESYNC_HTTP6 NFQWS_OPT_DESYNC_HTTPS6 NFQWS_OPT_DESYNC_QUIC NFQWS_OPT_DESYNC_QUIC6"
-			;;
+		;;
 	esac
 	[ -n "$vars" ] && {
 		echo
-		while [ 1=1 ]; do
+		while true; do
 			for var in $vars; do
 				eval v="\$$var"
-				echo $var=\"$v\"
+				echo "$var"=\""$v"\"
 			done
 			ask_yes_no N "do you want to edit the options" || {
 				[ -n "$edited" ] && {
 					for var in $vars; do
-						write_config_var $var
+						write_config_var "$var"
 					done
 				}
 				break
 			}
-			edit_vars $vars
+			edit_vars "$vars"
 			edited=1
 			echo ..edited..
 		done
 	}
 }
-select_mode_http()
+select_mode_http() {
 {
 	[ "$MODE" != "filter" ] && [ "$MODE" != "tpws-socks" ] && {
 		echo
 		ask_yes_no_var MODE_HTTP "enable http support"
 		write_config_var MODE_HTTP
 	}
 }
-select_mode_keepalive()
+select_mode_keepalive() {
 {
 	[ "$MODE" = "nfqws" ] && [ "$MODE_HTTP" = "1" ] && {
 		echo
 		echo enable keep alive support only if DPI checks every outgoing packet for http signature
@ -157,16 +152,14 @@ select_mode_keepalive()
 		write_config_var MODE_HTTP_KEEPALIVE
 	}
 }
-select_mode_https()
+select_mode_https() {
 {
 	[ "$MODE" != "filter" ] && [ "$MODE" != "tpws-socks" ] && {
 		echo
 		ask_yes_no_var MODE_HTTPS "enable https support"
 		write_config_var MODE_HTTPS
 	}
 }
-select_mode_quic()
+select_mode_quic() {
 {
 	[ "$SUBSYS" = "keenetic" ] && {
 		echo
 		echo "WARNING ! Keenetic is not officially supported by zapret."
@ -183,16 +176,14 @@ select_mode_quic()
 		write_config_var MODE_QUIC
 	}
 }
-select_mode_filter()
+select_mode_filter() {
 {
 	local filter="none ipset hostlist autohostlist"
 	[ "$MODE" = "tpws-socks" ] && filter="none hostlist autohostlist"
 	echo
 	echo select filtering :
 	ask_list MODE_FILTER "$filter" none && write_config_var MODE_FILTER
 }
-select_mode()
+select_mode() {
 {
 	select_mode_mode
 	select_mode_iface
 	select_mode_http
@ -202,14 +193,13 @@ select_mode()
 	select_mode_filter
 }
-select_getlist()
+select_getlist() {
 {
 	if [ "$MODE_FILTER" = "ipset" -o "$MODE_FILTER" = "hostlist" ]; then
 		local D=N
 		[ -n "$GETLIST" ] && D=Y
 		echo
 		if ask_yes_no $D "do you want to auto download ip/host list"; then
-			if [ "$MODE_FILTER" = "hostlist" ] ; then
+			if [ "$MODE_FILTER" = "hostlist" ]; then
 				GETLISTS="get_antizapret_domains.sh get_reestr_resolvable_domains.sh get_reestr_hostlist.sh"
 				GETLIST_DEF="get_antizapret_domains.sh"
 			else
@ -224,14 +214,12 @@ select_getlist()
 	write_config_var GETLIST
 }
-ask_config()
+ask_config() {
 {
 	select_mode
 	select_getlist
 }
-ask_config_offload()
+ask_config_offload() {
 {
 	[ "$FWTYPE" = nftables ] || is_ipt_flow_offload_avail && {
 		echo
 		echo flow offloading can greatly increase speed on slow devices and high speed links \(usually 150+ mbits\)
@ -257,31 +245,28 @@ ask_config_offload()
 	}
 }
-ask_config_tmpdir()
+ask_config_tmpdir() {
 {
 	# ask tmpdir change for low ram systems with enough free disk space
 	[ -n "$GETLIST" ] && [ $(get_free_space_mb "$EXEDIR/tmp") -ge 128 ] && [ $(get_ram_mb) -le 400 ] && {
 		echo
 		echo /tmp in openwrt is tmpfs. on low RAM systems there may be not enough RAM to store downloaded files
 		echo default tmpfs has size of 50% RAM
-		echo "RAM  : $(get_ram_mb) Mb"
+		echo "RAM: $(get_ram_mb) Mb"
-		echo "DISK : $(get_free_space_mb) Mb"
+		echo "DISK: $(get_free_space_mb) Mb"
 		echo select temp file location
 		[ -z "$TMPDIR" ] && TMPDIR=/tmp
 		ask_list TMPDIR "/tmp $EXEDIR/tmp" && {
-		    [ "$TMPDIR" = "/tmp" ] && TMPDIR=
+			[ "$TMPDIR" = "/tmp" ] && TMPDIR=
-		    write_config_var TMPDIR
+			write_config_var TMPDIR
 		}
 	}
 }
-nft_flow_offload()
+nft_flow_offload() {
 {
 	[ "$UNAME" = Linux -a "$FWTYPE" = nftables -a "$MODE" != "tpws-socks" ] && [ "$FLOWOFFLOAD" = software -o "$FLOWOFFLOAD" = hardware ]
 }
-ask_iface()
+ask_iface() {
 {
 	# $1 - var to ask
 	# $2 - additional name for empty string synonim
@ -290,38 +275,35 @@ ask_iface()
 	[ -n "$2" ] && i0="$2 "
 	case $SYSTEM in
-		macos)
+	macos)
-			ifs="$(ifconfig -l)"
+		ifs="$(ifconfig -l)"
-			;;
+		;;
-		*)
+	*)
-			ifs="$(ls /sys/class/net)"
+		ifs="$(ls /sys/class/net)"
-			;;
+		;;
 	esac
-	[ -z "$def" ] && eval $1="$2"
+	[ -z "$def" ] && eval "$1"="$2"
-	ask_list $1 "$i0$ifs" && {
+	ask_list "$1" "$i0$ifs" && {
 		eval new="\$$1"
-		[ "$new" = "$2" ] && eval $1=""
+		[ "$new" = "$2" ] && eval "$1"=""
-		write_config_var $1
+		write_config_var "$1"
 	}
 }
-ask_iface_lan()
+ask_iface_lan() {
 {
 	echo LAN interface :
 	local opt
 	nft_flow_offload || opt=NONE
 	ask_iface IFACE_LAN $opt
 }
-ask_iface_wan()
+ask_iface_wan() {
 {
 	echo WAN interface :
 	local opt
 	nft_flow_offload || opt=ANY
 	ask_iface IFACE_WAN $opt
 }
-select_mode_iface()
+select_mode_iface() {
-{
+	# OpenWrt has its own interface management scheme
 	# openwrt has its own interface management scheme
 	# filter just creates ip tables, no daemons involved
 	# nfqws sits in POSTROUTING chain and unable to filter by incoming interface
 	# tpws redirection works in PREROUTING chain
@ -332,63 +314,62 @@ select_mode_iface()
 	if [ "$SYSTEM" = "openwrt" ] || [ "$MODE" = "filter" ]; then return; fi
 	case "$MODE" in
-		tpws-socks)
+	tpws-socks)
-			echo "select LAN interface to allow socks access from your LAN. select NONE for localhost only."
+		echo "select LAN interface to allow SOCKS access from your LAN. select NONE for localhost only."
-			echo "expect socks on tcp port $TPPORT"
+		echo "expect SOCKS on tcp port $TPPORT"
 		ask_iface_lan
 		;;
 	tpws)
 		echo "select LAN interface to operate in router mode. select NONE for local outgoing traffic only."
 		if [ "$SYSTEM" = "macos" ]; then
 			echo "WARNING ! OS feature \"internet sharing\" is not supported."
 			echo "Only manually configured PF router is supported."
 		else
 			echo "WARNING ! This installer will not configure routing, NAT, ... for you. Its your responsibility."
 		fi
 		ask_iface_lan
 		;;
 	custom)
 		echo "select LAN interface for your custom script (how it works depends on your code)"
 		ask_iface_lan
 		;;
 	*)
 		nft_flow_offload && {
 			echo "select LAN interface for nftables flow offloading"
 			ask_iface_lan
-			;;
+		}
-		tpws)
+		;;
 			echo "select LAN interface to operate in router mode. select NONE for local outgoing traffic only."
 			if [ "$SYSTEM" = "macos" ]; then
 				echo "WARNING ! OS feature \"internet sharing\" is not supported."
 				echo "Only manually configured PF router is supported."
 			else
 				echo "WARNING ! This installer will not configure routing, NAT, ... for you. Its your responsibility."
 			fi
 			ask_iface_lan
 			;;
 		custom)
 			echo "select LAN interface for your custom script (how it works depends on your code)"
 			ask_iface_lan
 			;;
 		*)
 			nft_flow_offload && {
 				echo "select LAN interface for nftables flow offloading"
 				ask_iface_lan
 			}
 			;;
 	esac
 	case "$MODE" in
-		tpws)
+	tpws)
-			echo "select WAN interface for $MODE operations. select ANY to operate on any interface."
+		echo "select WAN interface for $MODE operations. select ANY to operate on any interface."
-			[ -n "$IFACE_LAN" ] && echo "WAN filtering works only for local outgoing traffic !"
+		[ -n "$IFACE_LAN" ] && echo "WAN filtering works only for local outgoing traffic !"
 		ask_iface_wan
 		;;
 	nfqws)
 		echo "select WAN interface for $MODE operations. select ANY to operate on any interface."
 		ask_iface_wan
 		;;
 	custom)
 		echo "select WAN interface for your custom script (how it works depends on your code)"
 		ask_iface_wan
 		;;
 	*)
 		nft_flow_offload && {
 			echo "select WAN interface for nftables flow offloading"
 			ask_iface_wan
-			;;
+		}
-		nfqws)
+		;;
 			echo "select WAN interface for $MODE operations. select ANY to operate on any interface."
 			ask_iface_wan
 			;;
 		custom)
 			echo "select WAN interface for your custom script (how it works depends on your code)"
 			ask_iface_wan
 			;;
 		*)
 			nft_flow_offload && {
 				echo "select WAN interface for nftables flow offloading"
 				ask_iface_wan
 			}
 			;;
 	esac
 }
-default_files()
+default_files() {
 {
 	# $1 - ro location
 	# $2 - rw location (can be equal to $1)
 	[ -d "$2/ipset" ] || mkdir -p "$2/ipset"
 	[ -f "$2/ipset/zapret-hosts-user-exclude.txt" ] || cp "$1/ipset/zapret-hosts-user-exclude.txt.default" "$2/ipset/zapret-hosts-user-exclude.txt"
-	[ -f "$2/ipset/zapret-hosts-user.txt" ] || echo nonexistent.domain >> "$2/ipset/zapret-hosts-user.txt"
+	[ -f "$2/ipset/zapret-hosts-user.txt" ] || echo nonexistent.domain >>"$2/ipset/zapret-hosts-user.txt"
 	[ -f "$2/ipset/zapret-hosts-user-ipban.txt" ] || touch "$2/ipset/zapret-hosts-user-ipban.txt"
 	for dir in openwrt sysv macos; do
 		[ -d "$1/init.d/$dir" ] && {
@ -397,15 +378,13 @@ default_files()
 		}
 	done
 }
-copy_all()
+copy_all() {
 {
 	local dir
 	cp -R "$1" "$2"
 	[ -d "$2/tmp" ] || mkdir "$2/tmp"
 }
-copy_openwrt()
+copy_openwrt() {
 {
 	local ARCH="$(get_bin_arch)"
 	local BINDIR="$1/binaries/$ARCH"
 	local file
@ -420,91 +399,84 @@ copy_openwrt()
 	cp "$BINDIR/tpws" "$BINDIR/nfqws" "$BINDIR/ip2net" "$BINDIR/mdig" "$2/binaries/$ARCH"
 }
-fix_perms_bin_test()
+fix_perms_bin_test() {
 {
 	[ -d "$1" ] || return
 	find "$1/binaries" -name ip2net ! -perm -111 -exec chmod +x {} \;
 }
-fix_perms()
+fix_perms() {
 {
 	[ -d "$1" ] || return
 	find "$1" -type d -exec chmod 755 {} \;
 	find "$1" -type f -exec chmod 644 {} \;
 	local chow
 	case "$UNAME" in
-		Linux)
+	Linux)
-			chow=root:root
+		chow=root:root
-			;;
+		;;
-		*)
+	*)
-			chow=root:wheel
+		chow=root:wheel
 		;;
 	esac
 	chown -R $chow "$1"
 	find "$1/binaries" '(' -name tpws -o -name dvtws -o -name nfqws -o -name ip2net -o -name mdig ')' -exec chmod 755 {} \;
 	for f in \
-install_bin.sh \
+		install_bin.sh \
-blockcheck.sh \
+		blockcheck.sh \
-install_easy.sh \
+		install_easy.sh \
-install_prereq.sh \
+		install_prereq.sh \
-files/huawei/E8372/zapret-ip \
+		files/huawei/E8372/zapret-ip \
-files/huawei/E8372/unzapret-ip \
+		files/huawei/E8372/unzapret-ip \
-files/huawei/E8372/run-zapret-hostlist \
+		files/huawei/E8372/run-zapret-hostlist \
-files/huawei/E8372/unzapret \
+		files/huawei/E8372/unzapret \
-files/huawei/E8372/zapret \
+		files/huawei/E8372/zapret \
-files/huawei/E8372/run-zapret-ip \
+		files/huawei/E8372/run-zapret-ip \
-ipset/get_exclude.sh \
+		ipset/get_exclude.sh \
-ipset/clear_lists.sh \
+		ipset/clear_lists.sh \
-ipset/get_antifilter_ipresolve.sh \
+		ipset/get_antifilter_ipresolve.sh \
-ipset/get_reestr_resolvable_domains.sh \
+		ipset/get_reestr_resolvable_domains.sh \
-ipset/get_config.sh \
+		ipset/get_config.sh \
-ipset/get_reestr_preresolved.sh \
+		ipset/get_reestr_preresolved.sh \
-ipset/get_user.sh \
+		ipset/get_user.sh \
-ipset/get_antifilter_allyouneed.sh \
+		ipset/get_antifilter_allyouneed.sh \
-ipset/get_reestr_resolve.sh \
+		ipset/get_reestr_resolve.sh \
-ipset/create_ipset.sh \
+		ipset/create_ipset.sh \
-ipset/get_reestr_hostlist.sh \
+		ipset/get_reestr_hostlist.sh \
-ipset/get_ipban.sh \
+		ipset/get_ipban.sh \
-ipset/get_antifilter_ipsum.sh \
+		ipset/get_antifilter_ipsum.sh \
-ipset/get_antifilter_ipsmart.sh \
+		ipset/get_antifilter_ipsmart.sh \
-ipset/get_antizapret_domains.sh \
+		ipset/get_antizapret_domains.sh \
-ipset/get_reestr_preresolved_smart.sh \
+		ipset/get_reestr_preresolved_smart.sh \
-ipset/get_antifilter_ip.sh \
+		ipset/get_antifilter_ip.sh \
-init.d/pfsense/zapret.sh \
+		init.d/pfsense/zapret.sh \
-init.d/macos/zapret \
+		init.d/macos/zapret \
-init.d/runit/zapret/run \
+		init.d/runit/zapret/run \
-init.d/runit/zapret/finish \
+		init.d/runit/zapret/finish \
-init.d/openrc/zapret \
+		init.d/openrc/zapret \
-init.d/sysv/zapret \
+		init.d/sysv/zapret \
-init.d/openwrt/zapret \
+		init.d/openwrt/zapret \
-uninstall_easy.sh \
+		uninstall_easy.sh; do chmod 755 "$1/$f" 2>/dev/null; done
 	; do chmod 755 "$1/$f" 2>/dev/null ; done
 }
-
+_backup_settings() {
 _backup_settings()
 {
 	local i=0
 	for f in "$@"; do
 		[ -f "$ZAPRET_TARGET/$f" ] && cp -f "$ZAPRET_TARGET/$f" "/tmp/zapret-bkp-$i"
-		i=$(($i+1))
+		i=$(($i + 1))
 	done
 }
-_restore_settings()
+_restore_settings() {
 {
 	local i=0
 	for f in "$@"; do
 		[ -f "/tmp/zapret-bkp-$i" ] && mv -f "/tmp/zapret-bkp-$i" "$ZAPRET_TARGET/$f" || rm -f "/tmp/zapret-bkp-$i"
-		i=$(($i+1))
+		i=$(($i + 1))
 	done
 }
-backup_restore_settings()
+backup_restore_settings() {
 {
 	# $1 - 1 - backup, 0 - restore
-	local mode=$1
+	local mode="$1"
-	on_off_function _backup_settings _restore_settings $mode "config" "init.d/sysv/custom" "init.d/openwrt/custom" "init.d/macos/custom" "ipset/zapret-hosts-user.txt" "ipset/zapret-hosts-user-exclude.txt" "ipset/zapret-hosts-user-ipban.txt" "ipset/zapret-hosts-auto.txt"
+	on_off_function _backup_settings _restore_settings "$mode" "config" "init.d/sysv/custom" "init.d/openwrt/custom" "init.d/macos/custom" "ipset/zapret-hosts-user.txt" "ipset/zapret-hosts-user-exclude.txt" "ipset/zapret-hosts-user-ipban.txt" "ipset/zapret-hosts-auto.txt"
 }
-check_location()
+check_location() {
 {
 	# $1 - copy function
 	echo \* checking location
@ -514,13 +486,13 @@ check_location()
 		default_files "$ZAPRET_TARGET" "$ZAPRET_RW"
 	else
 		echo
-		echo easy install is supported only from default location : $ZAPRET_TARGET
+		echo easy install is supported only from default location: "$ZAPRET_TARGET"
-		echo currently its run from $EXEDIR
+		echo currently its run from "$EXEDIR"
 		if ask_yes_no N "do you want the installer to copy it for you"; then
 			local keep=N
 			if [ -d "$ZAPRET_TARGET" ]; then
 				echo
-				echo installer found existing $ZAPRET_TARGET
+				echo installer found existing "$ZAPRET_TARGET"
 				echo directory needs to be replaced. config and custom scripts can be kept or replaced with clean version
 				if ask_yes_no N "do you want to delete all files there and copy this version"; then
 					echo
@ -530,7 +502,7 @@ check_location()
 					fi
 					rm -r "$ZAPRET_TARGET"
 				else
-					echo refused to overwrite $ZAPRET_TARGET. exiting
+					echo refused to overwrite "$ZAPRET_TARGET". exiting
 					exitp 3
 				fi
 			fi
@ -539,22 +511,20 @@ check_location()
 			$1 "$EXEDIR" "$ZAPRET_TARGET"
 			fix_perms "$ZAPRET_TARGET"
 			[ "$keep" = "Y" ] && backup_restore_settings 0
-			echo relaunching itself from $ZAPRET_TARGET
+			echo relaunching itself from "$ZAPRET_TARGET"
 			exec "$ZAPRET_TARGET/$(basename "$0")"
 		else
 			echo copying aborted. exiting
 			exitp 3
 		fi
 	fi
-	echo running from $EXEDIR
+	echo running from "$EXEDIR"
 }
-
+service_install_systemd() {
 service_install_systemd()
 {
 	echo \* installing zapret service
-	if [ -w "$SYSTEMD_SYSTEM_DIR" ] ; then
+	if [ -w "$SYSTEMD_SYSTEM_DIR" ]; then
 		rm -f "$INIT_SCRIPT"
 		ln -fs "$EXEDIR/init.d/systemd/zapret.service" "$SYSTEMD_SYSTEM_DIR"
 		"$SYSTEMCTL" daemon-reload
@ -567,11 +537,10 @@ service_install_systemd()
 	fi
 }
-timer_install_systemd()
+timer_install_systemd() {
 {
 	echo \* installing zapret-list-update timer
-	if [ -w "$SYSTEMD_SYSTEM_DIR" ] ; then
+	if [ -w "$SYSTEMD_SYSTEM_DIR" ]; then
 		"$SYSTEMCTL" disable zapret-list-update.timer
 		"$SYSTEMCTL" stop zapret-list-update.timer
 		ln -fs "$EXEDIR/init.d/systemd/zapret-list-update.service" "$SYSTEMD_SYSTEM_DIR"
@ -590,9 +559,8 @@ timer_install_systemd()
 	fi
 }
-download_list()
+download_list() {
-{
+	[ -x "$GET_LIST" ] && {
 	[ -x "$GET_LIST" ] &&	{
 		echo \* downloading blocked ip/host list
 		# can be txt or txt.gz
@ -601,27 +569,22 @@ download_list()
 	}
 }
-
+dnstest() {
-dnstest()
+	# $1 - DNS server. empty for system resolver
-{
+	nslookup w3.org "$1" >/dev/null 2>/dev/null
 	# $1 - dns server. empty for system resolver
 	nslookup w3.org $1 >/dev/null 2>/dev/null
 }
-check_dns()
+check_dns() {
 {
 	echo \* checking DNS
 	dnstest || {
-		echo -- DNS is not working. It's either misconfigured or blocked or you don't have inet access.
+		echo "-- DNS is not working. It's either misconfigured or blocked or you don't have inet access."
 		return 1
 	}
 	echo system DNS is working
 	return 0
 }
-
+install_systemd() {
 install_systemd()
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret"
 	check_bins
@ -646,8 +609,7 @@ install_systemd()
 	service_start_systemd
 }
-_install_sysv()
+_install_sysv() {
 {
 	# $1 - install init script
 	check_bins
@ -671,21 +633,17 @@ _install_sysv()
 	service_start_sysv
 }
-install_sysv()
+install_sysv() {
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret"
 	_install_sysv install_sysv_init
 }
-install_openrc()
+install_openrc() {
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/openrc/zapret"
 	_install_sysv install_openrc_init
 }
-
+install_linux() {
 install_linux()
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret"
 	check_bins
@ -706,14 +664,12 @@ install_linux()
 	echo
 	echo '!!! WARNING. YOUR SETUP IS INCOMPLETE !!!'
-	echo you must manually add to auto start : $INIT_SCRIPT_SRC start
+	echo you must manually add to auto start: "$INIT_SCRIPT_SRC" start
 	echo make sure it\'s executed after your custom/firewall iptables configuration
 	echo "if your system uses sysv init : ln -fs $INIT_SCRIPT_SRC /etc/init.d/zapret ; chkconfig zapret on"
 }
-
+deoffload_openwrt_firewall() {
 deoffload_openwrt_firewall()
 {
 	echo \* checking flow offloading
 	[ "$FWTYPE" = "nftables" ] || is_ipt_flow_offload_avail || {
@ -723,27 +679,28 @@ deoffload_openwrt_firewall()
 	local fo=$(uci -q get firewall.@defaults[0].flow_offloading)
-	if [ "$fo" = "1" ] ; then
+	if [ "$fo" = "1" ]; then
 		local mod=0
 		printf "system wide flow offloading detected. "
 		case $FLOWOFFLOAD in
-			donttouch)
+		donttouch)
-				if [ "$MODE" = "nfqws" ]; then
+			if [ "$MODE" = "nfqws" ]; then
-					echo its incompatible with nfqws tcp data tampering. disabling
+				echo its incompatible with nfqws tcp data tampering. disabling
-					uci set firewall.@defaults[0].flow_offloading=0
+				uci set firewall.@defaults[0].flow_offloading=0
-					mod=1
+				mod=1
 			else
 				if [ "$MODE" = "custom" ]; then
 					echo custom mode selected !!! only you can decide whether flow offloading is compatible
 				else
-					if [ "$MODE" = "custom" ] ; then
+					echo its compatible with selected options. not disabling
 						echo custom mode selected !!! only you can decide whether flow offloading is compatible
 					else
 						echo its compatible with selected options. not disabling
 					fi
 				fi
 			fi
 			;;
 		*)
 			echo zapret will disable system wide offloading setting and add selective rules if required
 			uci set firewall.@defaults[0].flow_offloading=0
 			mod=1
 			;;
 		esac
 		[ "$mod" = "1" ] && uci commit firewall
 	else
@ -752,10 +709,7 @@ deoffload_openwrt_firewall()
 }
-
+install_openwrt() {
 install_openwrt()
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/openwrt/zapret"
 	FW_SCRIPT_SRC="$EXEDIR/init.d/openwrt/firewall.zapret"
 	OPENWRT_FW_INCLUDE=/etc/firewall.zapret
@ -768,7 +722,7 @@ install_openwrt()
 	check_dns
 	check_virt
-	local FWTYPE_OLD=$FWTYPE
+	local FWTYPE_OLD="$FWTYPE"
 	echo \* stopping current firewall rules/daemons
 	"$INIT_SCRIPT_SRC" stop_fw
@ -798,36 +752,30 @@ install_openwrt()
 	restart_openwrt_firewall
 }
-
+remove_pf_zapret_hooks() {
 remove_pf_zapret_hooks()
 {
 	echo \* removing zapret PF hooks
 	pf_anchors_clear
 }
-macos_fw_reload_trigger_clear()
+macos_fw_reload_trigger_clear() {
 {
 	case "$MODE" in
-		tpws|tpws-socks|custom)
+	tpws | tpws-socks | custom)
-			LISTS_RELOAD=
+		LISTS_RELOAD=
-			write_config_var LISTS_RELOAD
+		write_config_var LISTS_RELOAD
-			;;
+		;;
 	esac
 }
-macos_fw_reload_trigger_set()
+macos_fw_reload_trigger_set() {
 {
 	case "$MODE" in
-		tpws|custom)
+	tpws | custom)
-			LISTS_RELOAD="$INIT_SCRIPT_SRC reload-fw-tables"
+		LISTS_RELOAD="$INIT_SCRIPT_SRC reload-fw-tables"
-			write_config_var LISTS_RELOAD
+		write_config_var LISTS_RELOAD
-			;;
+		;;
 	esac
 }
-install_macos()
+install_macos() {
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/macos/zapret"
 	# compile before root
@ -852,7 +800,6 @@ install_macos()
 	service_start_macos
 }
 # build binaries, do not use precompiled
 [ "$1" = "make" ] && FORCE_BUILD=1
@ -864,22 +811,21 @@ check_system
 [ "$SYSTEM" = "macos" ] && . "$EXEDIR/init.d/macos/functions"
 case $SYSTEM in
-	systemd)
+systemd)
-		install_systemd
+	install_systemd
-		;;
+	;;
-	openrc)
+openrc)
-		install_openrc
+	install_openrc
-		;;
+	;;
-	linux)
+linux)
-		install_linux
+	install_linux
-		;;
+	;;
-	openwrt)
+openwrt)
-		install_openwrt
+	install_openwrt
-		;;
+	;;
-	macos)
+macos)
-		install_macos
+	install_macos
-		;;
+	;;
 esac
 exitp 0
--- a/install_prereq.sh
+++ b/install_prereq.sh
@ -3,7 +3,10 @@
 # install prerequisites
 EXEDIR="$(dirname "$0")"
-EXEDIR="$(cd "$EXEDIR"; pwd)"
+EXEDIR="$(
 	cd "$EXEDIR"
 	pwd
 )"
 ZAPRET_BASE=${ZAPRET_BASE:-"$EXEDIR"}
 ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
 ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
@ -27,25 +30,25 @@ umask 0022
 fix_sbin_path
 fsleep_setup
 check_system accept_unknown_rc
-[ $UNAME = "Linux" ] || {
+[ "$UNAME" = "Linux" ] || {
-	echo no prerequisites required for $UNAME
+	echo no prerequisites required for "$UNAME"
 	exitp 0
 }
 require_root
 case $UNAME in
-	Linux)
+Linux)
-		select_fwtype
+	select_fwtype
-		case $SYSTEM in
+	case $SYSTEM in
-			openwrt)
+	openwrt)
-				select_ipv6
+		select_ipv6
-				check_prerequisites_openwrt
+		check_prerequisites_openwrt
 				;;
 			*)
 				check_prerequisites_linux
 				;;
 		esac
 		;;
 	*)
 		check_prerequisites_linux
 		;;
 	esac
 	;;
 esac
 exitp 0
--- a/ipset/clear_lists.sh
+++ b/ipset/clear_lists.sh
@ -1,7 +1,10 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
    cd "$IPSET_DIR"
    pwd
 )"
 . "$IPSET_DIR/def.sh"
--- a/ipset/create_ipset.sh
+++ b/ipset/create_ipset.sh
@ -5,7 +5,10 @@
 # $1=clear        - clear ipset
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
 	cd "$IPSET_DIR" || exit
 	pwd
 )"
 . "$IPSET_DIR/def.sh"
 . "$IPSET_DIR/../common/fwtype.sh"
@ -27,17 +30,14 @@ while [ -n "$1" ]; do
 	shift
 done
-
+file_extract_lines() {
 file_extract_lines()
 {
 	# $1 - filename
 	# $2 - from line (starting with 0)
 	# $3 - line count
 	# awk "{ err=1 } NR < $(($2+1)) { next } { print; err=0 } NR == $(($2+$3)) { exit err } END {exit err}" "$1"
-	$AWK "NR < $(($2+1)) { next } { print } NR == $(($2+$3)) { exit }" "$1"
+	$AWK "NR < $(($2 + 1)) { next } { print } NR == $(($2 + $3)) { exit }" "$1"
 }
-ipset_restore_chunked()
+ipset_restore_chunked() {
 {
 	# $1 - filename
 	# $2 - chunk size
 	local pos lines
@ -45,27 +45,23 @@ ipset_restore_chunked()
 	lines=$(wc -l <"$1")
 	pos=$lines
 	while [ "$pos" -gt "0" ]; do
-		pos=$((pos-$2))
+		pos=$((pos - $2))
 		[ "$pos" -lt "0" ] && pos=0
-		file_extract_lines "$1" $pos $2 | ipset -! restore
+		file_extract_lines "$1" $pos "$2" | ipset -! restore
-		sed -i "$(($pos+1)),$ d" "$1"
+		sed -i "$(($pos + 1)),$ d" "$1"
 	done
 }
-
+ipset_get_script() {
 ipset_get_script()
 {
 	# $1 - ipset name
 	sed -nEe "s/^.+$/add $1 &/p"
 }
-ipset_get_script_from_file()
+ipset_get_script_from_file() {
 {
 	# $1 - filename
 	# $2 - ipset name
-	zzcat "$1" | sort -u | ipset_get_script $2
+	zzcat "$1" | sort -u | ipset_get_script "$2"
 }
-ipset_restore()
+ipset_restore() {
 {
 	# $1 - ipset name
 	# $2 - filename
@ -78,7 +74,7 @@ ipset_restore()
 	local T="Adding to ipset $1 "
 	[ "$svram" = "1" ] && T="$T (saveram)"
 	T="$T : $f"
-	echo $T
+	echo "$T"
 	if [ "$svram" = "1" ]; then
 		ipset_get_script_from_file "$2" "$1" >"$IPSET_CMD"
@ -88,46 +84,43 @@ ipset_restore()
 		ipset_get_script_from_file "$2" "$1" | ipset -! restore
 	fi
 }
-create_ipset()
+create_ipset() {
 {
 	if [ "$1" -eq "6" ]; then
 		FAMILY=inet6
 	else
 		FAMILY=inet
 	fi
-	ipset create $2 $3 $4 family $FAMILY 2>/dev/null || {
+	ipset create "$2" "$3" "$4" family $FAMILY 2>/dev/null || {
 		[ "$NO_UPDATE" = "1" ] && return 0
 	}
-	ipset flush $2
+	ipset flush "$2"
 	[ "$DO_CLEAR" = "1" ] || {
-		for f in "$5" "$6" ; do
+		for f in "$5" "$6"; do
 			ipset_restore "$2" "$f"
 		done
-		[ -n "$IPSET_HOOK" ] && $IPSET_HOOK $2 | ipset_get_script $2 | ipset -! restore
+		[ -n "$IPSET_HOOK" ] && $IPSET_HOOK "$2" | ipset_get_script "$2" | ipset -! restore
 	}
 	return 0
 }
-nfset_get_script_multi()
+nfset_get_script_multi() {
 {
 	# $1 - set name
 	# $2,$3,... - filenames
 	# all in one shot. this allows to merge overlapping ranges
 	# good but eats lots of RAM
-	local set=$1 nonempty N=1 f
+	local set="$1" nonempty N=1 f
 	shift
 	# first we need to make sure at least one element exists or nft will fail
-	while :
+	while :; do
 	do
 		eval f=\$$N
 		[ -n "$f" ] || break
 		nonempty=$(zzexist "$f" && zzcat "$f" | head -n 1)
 		[ -n "$nonempty" ] && break
-		N=$(($N+1))
+		N=$(($N + 1))
 	done
 	[ -n "$nonempty" ] && {
@ -139,22 +132,20 @@ nfset_get_script_multi()
 		echo "}"
 	}
 }
-nfset_restore()
+nfset_restore() {
 {
 	# $1 - set name
 	# $2,$3,... - filenames
 	echo "Adding to nfset $1 : $2 $3 $4 $5"
 	local hookfile
 	[ -n "$IPSET_HOOK" ] && {
-		$IPSET_HOOK $1 >"$IPSET_HOOK_TEMP"
+		$IPSET_HOOK "$1" >"$IPSET_HOOK_TEMP"
 		[ -s "$IPSET_HOOK_TEMP" ] && hookfile=$IPSET_HOOK_TEMP
 	}
-	nfset_get_script_multi "$@" $hookfile | nft -f -
+	nfset_get_script_multi "$@" "$hookfile" | nft -f -
 	rm -f "$IPSET_HOOK_TEMP"
 }
-create_nfset()
+create_nfset() {
 {
 	# $1 - family
 	# $2 - set name
 	# $3 - maxelem
@ -162,54 +153,50 @@ create_nfset()
 	local policy
 	[ $SAVERAM = "1" ] && policy="policy memory;"
-	nft_create_set $2 "type ipv${1}_addr; size $3; flags interval; auto-merge; $policy" || {
+	nft_create_set "$2" "type ipv${1}_addr; size $3; flags interval; auto-merge; $policy" || {
 		[ "$NO_UPDATE" = "1" ] && return 0
-		nft flush set inet $ZAPRET_NFT_TABLE $2
+		nft flush set inet "$ZAPRET_NFT_TABLE" "$2"
 	}
 	[ "$DO_CLEAR" = "1" ] || {
-		nfset_restore $2 $4 $5
+		nfset_restore "$2" "$4" "$5"
 	}
 	return 0
 }
-add_ipfw_table()
+add_ipfw_table() {
 {
 	# $1 - table name
 	sed -nEe "s/^.+$/table $1 add &/p" | ipfw -q /dev/stdin
 }
-populate_ipfw_table()
+populate_ipfw_table() {
 {
 	# $1 - table name
 	# $2 - ip list file
 	zzexist "$2" || return
-	zzcat "$2" | sort -u | add_ipfw_table $1
+	zzcat "$2" | sort -u | add_ipfw_table "$1"
 }
-create_ipfw_table()
+create_ipfw_table() {
 {
 	# $1 - table name
 	# $2 - table options
 	# $3,$4, ... - ip list files. can be v4,v6 or mixed
-	local name=$1
+	local name="$1"
-	ipfw table "$name" create $2 2>/dev/null || {
+	ipfw table "$name" create "$2" 2>/dev/null || {
 		[ "$NO_UPDATE" = "1" ] && return 0
 	}
-	ipfw -q table $1 flush
+	ipfw -q table "$1" flush
 	shift
 	shift
 	[ "$DO_CLEAR" = "1" ] || {
 		while [ -n "$1" ]; do
 			echo "Adding to ipfw table $name : $1"
-			populate_ipfw_table $name "$1"
+			populate_ipfw_table "$name" "$1"
 			shift
 		done
-		[ -n "$IPSET_HOOK" ] && $IPSET_HOOK $name | add_ipfw_table $name
+		[ -n "$IPSET_HOOK" ] && $IPSET_HOOK "$name" | add_ipfw_table "$name"
 	}
 	return 0
 }
-print_reloading_backend()
+print_reloading_backend() {
 {
 	# $1 - backend name
 	local s="reloading $1 backend"
 	if [ "$NO_UPDATE" = 1 ]; then
@ -219,91 +206,90 @@ print_reloading_backend()
 	else
 		s="$s (forced-update)"
 	fi
-	echo $s
+	echo "$s"
 }
 oom_adjust_high
 get_fwtype
-if [ -n "$LISTS_RELOAD" ] ; then
+if [ -n "$LISTS_RELOAD" ]; then
-	if [ "$LISTS_RELOAD" = "-" ] ; then
+	if [ "$LISTS_RELOAD" = "-" ]; then
 		echo not reloading ip list backend
 		true
 	else
-		echo executing custom ip list reload command : $LISTS_RELOAD
+		echo executing custom ip list reload command : "$LISTS_RELOAD"
 		$LISTS_RELOAD
 		[ -n "$IPSET_HOOK" ] && $IPSET_HOOK
 	fi
 else
 	case "$FWTYPE" in
-		iptables)
+	iptables)
-			# ipset seem to buffer the whole script to memory
+		# ipset seem to buffer the whole script to memory
-			# on low RAM system this can cause oom errors
+		# on low RAM system this can cause oom errors
-			# in SAVERAM mode we feed script lines in portions starting from the end, while truncating source file to free /tmp space
+		# in SAVERAM mode we feed script lines in portions starting from the end, while truncating source file to free /tmp space
-			# only /tmp is considered tmpfs. other locations mean tmpdir was redirected to a disk
+		# only /tmp is considered tmpfs. other locations mean tmpdir was redirected to a disk
 		SAVERAM=0
 		[ "$TMPDIR" = "/tmp" ] && {
 			RAMSIZE=$($GREP MemTotal /proc/meminfo | $AWK "{print $2}")
 			[ "$RAMSIZE" -lt "110000" ] && SAVERAM=1
 		}
 		print_reloading_backend ipset
 		[ "$DISABLE_IPV4" != "1" ] && {
 			create_ipset 4 "$ZIPSET" hash:net "$IPSET_OPT" "$ZIPLIST" "$ZIPLIST_USER"
 			create_ipset 4 "$ZIPSET_IPBAN" hash:net "$IPSET_OPT" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN"
 			create_ipset 4 "$ZIPSET_EXCLUDE" hash:net "$IPSET_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE"
 		}
 		[ "$DISABLE_IPV6" != "1" ] && {
 			create_ipset 6 "$ZIPSET6" hash:net "$IPSET_OPT" "$ZIPLIST6" "$ZIPLIST_USER6"
 			create_ipset 6 "$ZIPSET_IPBAN6" hash:net "$IPSET_OPT" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6"
 			create_ipset 6 "$ZIPSET_EXCLUDE6" hash:net "$IPSET_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE6"
 		}
 		true
 		;;
 	nftables)
 		nft_create_table && {
 			SAVERAM=0
-			[ "$TMPDIR" = "/tmp" ] && {
+			RAMSIZE=$($GREP MemTotal /proc/meminfo | $AWK "{print $2}")
-				RAMSIZE=$($GREP MemTotal /proc/meminfo | $AWK '{print $2}')
+			[ "$RAMSIZE" -lt "420000" ] && SAVERAM=1
-				[ "$RAMSIZE" -lt "110000" ] && SAVERAM=1
+			print_reloading_backend "nftables set"
 			}
 			print_reloading_backend ipset
 			[ "$DISABLE_IPV4" != "1" ] && {
-				create_ipset 4 $ZIPSET hash:net "$IPSET_OPT" "$ZIPLIST" "$ZIPLIST_USER"
+				create_nfset 4 "$ZIPSET" "$SET_MAXELEM" "$ZIPLIST" "$ZIPLIST_USER"
-				create_ipset 4 $ZIPSET_IPBAN hash:net "$IPSET_OPT" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN"
+				create_nfset 4 "$ZIPSET_IPBAN" "$SET_MAXELEM" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN"
-				create_ipset 4 $ZIPSET_EXCLUDE hash:net "$IPSET_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE"
+				create_nfset 4 "$ZIPSET_EXCLUDE" "$SET_MAXELEM_EXCLUDE" "$ZIPLIST_EXCLUDE"
 			}
 			[ "$DISABLE_IPV6" != "1" ] && {
-				create_ipset 6 $ZIPSET6 hash:net "$IPSET_OPT" "$ZIPLIST6" "$ZIPLIST_USER6"
+				create_nfset 6 "$ZIPSET6" "$SET_MAXELEM" "$ZIPLIST6" "$ZIPLIST_USER6"
-				create_ipset 6 $ZIPSET_IPBAN6 hash:net "$IPSET_OPT" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6"
+				create_nfset 6 "$ZIPSET_IPBAN6" "$SET_MAXELEM" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6"
-				create_ipset 6 $ZIPSET_EXCLUDE6 hash:net "$IPSET_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE6"
+				create_nfset 6 "$ZIPSET_EXCLUDE6" "$SET_MAXELEM_EXCLUDE" "$ZIPLIST_EXCLUDE6"
 			}
 			true
-			;;
+		}
-		nftables)
+		;;
-			nft_create_table && {
+	ipfw)
-				SAVERAM=0
+		print_reloading_backend "ipfw table"
-				RAMSIZE=$($GREP MemTotal /proc/meminfo | $AWK '{print $2}')
+		if [ "$DISABLE_IPV4" != "1" ] && [ "$DISABLE_IPV6" != "1" ]; then
-				[ "$RAMSIZE" -lt "420000" ] && SAVERAM=1
+			create_ipfw_table "$ZIPSET" "$IPFW_TABLE_OPT" "$ZIPLIST" "$ZIPLIST_USER" "$ZIPLIST6" "$ZIPLIST_USER6"
-				print_reloading_backend "nftables set"
+			create_ipfw_table "$ZIPSET_IPBAN" "$IPFW_TABLE_OPT" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6"
-				[ "$DISABLE_IPV4" != "1" ] && {
+			create_ipfw_table "$ZIPSET_EXCLUDE" "$IPFW_TABLE_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE" "$ZIPLIST_EXCLUDE6"
-					create_nfset 4 $ZIPSET $SET_MAXELEM "$ZIPLIST" "$ZIPLIST_USER"
+		elif [ "$DISABLE_IPV4" != "1" ]; then
-					create_nfset 4 $ZIPSET_IPBAN $SET_MAXELEM "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN"
+			create_ipfw_table "$ZIPSET" "$IPFW_TABLE_OPT" "$ZIPLIST" "$ZIPLIST_USER"
-					create_nfset 4 $ZIPSET_EXCLUDE $SET_MAXELEM_EXCLUDE "$ZIPLIST_EXCLUDE"
+			create_ipfw_table "$ZIPSET_IPBAN" "$IPFW_TABLE_OPT" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN"
-				}
+			create_ipfw_table "$ZIPSET_EXCLUDE" "$IPFW_TABLE_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE"
-				[ "$DISABLE_IPV6" != "1" ] && {
+		elif [ "$DISABLE_IPV6" != "1" ]; then
-					create_nfset 6 $ZIPSET6 $SET_MAXELEM "$ZIPLIST6" "$ZIPLIST_USER6"
+			create_ipfw_table "$ZIPSET" "$IPFW_TABLE_OPT" "$ZIPLIST6" "$ZIPLIST_USER6"
-					create_nfset 6 $ZIPSET_IPBAN6 $SET_MAXELEM "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6"
+			create_ipfw_table "$ZIPSET_IPBAN" "$IPFW_TABLE_OPT" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6"
-					create_nfset 6 $ZIPSET_EXCLUDE6 $SET_MAXELEM_EXCLUDE "$ZIPLIST_EXCLUDE6"
+			create_ipfw_table "$ZIPSET_EXCLUDE" "$IPFW_TABLE_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE6"
-				}
+		else
-				true
+			create_ipfw_table "$ZIPSET" "$IPFW_TABLE_OPT"
-			}
+			create_ipfw_table "$ZIPSET_IPBAN" "$IPFW_TABLE_OPT"
-			;;
+			create_ipfw_table "$ZIPSET_EXCLUDE" "$IPFW_TABLE_OPT_EXCLUDE"
-		ipfw)
+		fi
-			print_reloading_backend "ipfw table"
+		true
-			if [ "$DISABLE_IPV4" != "1" ] && [ "$DISABLE_IPV6" != "1" ]; then
+		;;
-				create_ipfw_table $ZIPSET "$IPFW_TABLE_OPT" "$ZIPLIST" "$ZIPLIST_USER" "$ZIPLIST6" "$ZIPLIST_USER6"
+	*)
-				create_ipfw_table $ZIPSET_IPBAN "$IPFW_TABLE_OPT" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6"
+		echo no supported ip list backend found
-				create_ipfw_table $ZIPSET_EXCLUDE "$IPFW_TABLE_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE" "$ZIPLIST_EXCLUDE6"
+		true
-			elif [ "$DISABLE_IPV4" != "1" ]; then
+		;;
-				create_ipfw_table $ZIPSET "$IPFW_TABLE_OPT" "$ZIPLIST" "$ZIPLIST_USER"
+	esac
 				create_ipfw_table $ZIPSET_IPBAN "$IPFW_TABLE_OPT" "$ZIPLIST_IPBAN" "$ZIPLIST_USER_IPBAN"
 				create_ipfw_table $ZIPSET_EXCLUDE "$IPFW_TABLE_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE"
 			elif [ "$DISABLE_IPV6" != "1" ]; then
 				create_ipfw_table $ZIPSET "$IPFW_TABLE_OPT" "$ZIPLIST6" "$ZIPLIST_USER6"
 				create_ipfw_table $ZIPSET_IPBAN "$IPFW_TABLE_OPT" "$ZIPLIST_IPBAN6" "$ZIPLIST_USER_IPBAN6"
 				create_ipfw_table $ZIPSET_EXCLUDE "$IPFW_TABLE_OPT_EXCLUDE" "$ZIPLIST_EXCLUDE6"
 			else
 				create_ipfw_table $ZIPSET "$IPFW_TABLE_OPT"
 				create_ipfw_table $ZIPSET_IPBAN "$IPFW_TABLE_OPT"
 				create_ipfw_table $ZIPSET_EXCLUDE "$IPFW_TABLE_OPT_EXCLUDE"
 			fi
 			true
 			;;
 		*)
 			echo no supported ip list backend found
 			true
 			;;
 		esac
 fi
--- a/ipset/def.sh
+++ b/ipset/def.sh
@ -1,6 +1,9 @@
 [ -n "$IPSET_DIR" ] || {
- IPSET_DIR="$(dirname "$0")"
+  IPSET_DIR="$(dirname "$0")"
- IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+  IPSET_DIR="$(
    cd "$IPSET_DIR" || exit
    pwd
  )"
 }
 . "$IPSET_DIR/../config"
@ -39,230 +42,204 @@ ZIPLIST_USER_IPBAN6="$IPSET_DIR/zapret-ip-user-ipban6.txt"
 ZUSERLIST_IPBAN="$IPSET_DIR/zapret-hosts-user-ipban.txt"
 ZUSERLIST_EXCLUDE="$IPSET_DIR/zapret-hosts-user-exclude.txt"
 [ -n "$IP2NET" ] || IP2NET="$IPSET_DIR/../ip2net/ip2net"
 [ -n "$MDIG" ] || MDIG="$IPSET_DIR/../mdig/mdig"
 [ -z "$MDIG_THREADS" ] && MDIG_THREADS=30
 # BSD grep is damn slow with -f option. prefer GNU grep (ggrep) if present
 # MacoS in cron does not include /usr/local/bin to PATH
-if [ -x /usr/local/bin/ggrep ] ; then
+if [ -x /usr/local/bin/ggrep ]; then
- GREP=/usr/local/bin/ggrep
+  GREP=/usr/local/bin/ggrep
-elif [ -x /usr/local/bin/grep ] ; then
+elif [ -x /usr/local/bin/grep ]; then
- GREP=/usr/local/bin/grep
+  GREP=/usr/local/bin/grep
 elif exists ggrep; then
- GREP=$(whichq ggrep)
+  GREP=$(whichq ggrep)
 else
- GREP=$(whichq grep)
+  GREP=$(whichq grep)
 fi
 # GNU awk is faster
 if exists gawk; then
- AWK=gawk
+  AWK=gawk
 else
- AWK=awk
+  AWK=awk
 fi
-grep_supports_b()
+grep_supports_b() {
-{
+  # \b does not work with BSD grep
- # \b does not work with BSD grep
+  $GREP --version 2>&1 | $GREP -qE "BusyBox|GNU"
 $GREP --version 2>&1 | $GREP -qE "BusyBox|GNU"
 }
-get_ip_regex()
+get_ip_regex() {
-{
+  REG_IPV4='((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[12][0-9]|3[012]))?'
- REG_IPV4='((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/([0-9]|[12][0-9]|3[012]))?'
+  REG_IPV6='[0-9a-fA-F]{1,4}:([0-9a-fA-F]{1,4}|:)+(\/([0-9][0-9]?|1[01][0-9]|12[0-8]))?'
- REG_IPV6='[0-9a-fA-F]{1,4}:([0-9a-fA-F]{1,4}|:)+(\/([0-9][0-9]?|1[01][0-9]|12[0-8]))?'
+  # good but too slow
- # good but too slow
+  # REG_IPV6='([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,7}:(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}(/[0-9]+)?|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})(/[0-9]+)?|:((:[0-9a-fA-F]{1,4}){1,7}|:)(/([0-9][0-9]?|1[01][0-9]|12[0-8]))?'
- # REG_IPV6='([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,7}:(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}(/[0-9]+)?|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}(/[0-9]+)?|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})(/[0-9]+)?|:((:[0-9a-fA-F]{1,4}){1,7}|:)(/([0-9][0-9]?|1[01][0-9]|12[0-8]))?'
+  # grep_supports_b && {
-# grep_supports_b && {
+  #  REG_IPV4="\b$REG_IPV4\b"
-#  REG_IPV4="\b$REG_IPV4\b"
+  #  REG_IPV6="\b$REG_IPV6\b"
-#  REG_IPV6="\b$REG_IPV6\b"
+  # }
 # }
 }
-ip2net4()
+ip2net4() {
-{
+  if [ -x "$IP2NET" ]; then
- if [ -x "$IP2NET" ]; then
+    "$IP2NET" -4 "$IP2NET_OPT4"
-  "$IP2NET" -4 $IP2NET_OPT4
+  else
- else
+    sort -u
-  sort -u
+  fi
 fi
 }
-ip2net6()
+ip2net6() {
-{
+  if [ -x "$IP2NET" ]; then
- if [ -x "$IP2NET" ]; then
+    "$IP2NET" -6 "$IP2NET_OPT6"
-  "$IP2NET" -6 $IP2NET_OPT6
+  else
- else
+    sort -u
-  sort -u
+  fi
 fi
 }
-zzexist()
+zzexist() {
-{
+  [ -f "$1.gz" ] || [ -f "$1" ]
 [ -f "$1.gz" ] || [ -f "$1" ]
 }
-zztest()
+zztest() {
-{
+  gzip -t "$1" 2>/dev/null
 gzip -t "$1" 2>/dev/null
 }
-zzcat()
+zzcat() {
-{
+  if [ -f "$1.gz" ]; then
- if [ -f "$1.gz" ]; then
+    gunzip -c "$1.gz"
- 	gunzip -c "$1.gz"
+  elif [ -f "$1" ]; then
- elif [ -f "$1" ]; then
+    if zztest "$1"; then
-	if zztest "$1"; then
+      gunzip -c "$1"
- 		gunzip -c "$1"
+    else
-	else
+      cat "$1"
-	 	cat "$1"
+    fi
-	fi
+  fi
 fi
 }
-zz()
+zz() {
-{
+  if [ "$GZIP_LISTS" = "1" ]; then
- if [ "$GZIP_LISTS" = "1" ]; then
+    gzip -c >"$1.gz"
-  gzip -c >"$1.gz"
+    rm -f "$1"
-  rm -f "$1"
+  else
- else
+    cat >"$1"
-  cat >"$1"
+    rm -f "$1.gz"
-  rm -f "$1.gz"
+  fi
 fi
 }
-zzsize()
+zzsize() {
-{
+  local f="$1"
- local f="$1"
+  [ -f "$1.gz" ] && f="$1.gz"
- [ -f "$1.gz" ] && f="$1.gz"
+  if [ -f "$f" ]; then
- if [ -f "$f" ]; then
+    wc -c <"$f" | xargs
-  wc -c <"$f" | xargs
+  else
- else
+    printf 0
-  printf 0
+  fi
 fi
 }
-digger()
+digger() {
-{
+  # $1 - family (4|6)
- # $1 - family (4|6)
+  # $2 - s=enable mdig stats
- # $2 - s=enable mdig stats
+  if [ -x "$MDIG" ]; then
- if [ -x "$MDIG" ]; then
+    local cmd
-  local cmd
+    [ "$2" = "s" ] && cmd=--stats=1000
-  [ "$2" = "s" ] && cmd=--stats=1000
+    "$MDIG" --family="$1" --threads="$MDIG_THREADS" $cmd
-  "$MDIG" --family=$1 --threads=$MDIG_THREADS $cmd
+  else
- else
+    local A=A
-  local A=A
+    [ "$1" = "6" ] && A=AAAA
-  [ "$1" = "6" ] && A=AAAA
+    dig $A +short +time=8 +tries=2 -f - | $GREP -E '^[^;].*[^\.]$'
-  dig $A +short +time=8 +tries=2 -f - | $GREP -E '^[^;].*[^\.]$'
+  fi
 fi
 }
-filedigger()
+filedigger() {
-{
+  # $1 - hostlist
- # $1 - hostlist
+  # $2 - family (4|6)
- # $2 - family (4|6)
+  echo ">&2 digging $(wc -l <"$1" | xargs) ipv$2 domains : $1"
- >&2 echo digging $(wc -l <"$1" | xargs) ipv$2 domains : "$1"
+  zzcat "$1" | digger "$2" s
 zzcat "$1" | digger $2 s
 }
-flush_dns_cache()
+flush_dns_cache() {
-{
+  echo clearing all known DNS caches
 echo clearing all known DNS caches
- if exists killall; then
+  if exists killall; then
-  killall -HUP dnsmasq 2>/dev/null
+    killall -HUP dnsmasq 2>/dev/null
-  # MacOS
+    # macOS
-  killall -HUP mDNSResponder 2>/dev/null
+    killall -HUP mDNSResponder 2>/dev/null
- elif exists pkill; then
+  elif exists pkill; then
-  pkill -HUP ^dnsmasq$
+    pkill -HUP ^dnsmasq$
- else
+  else
-  echo no mass killer available ! cant flush dnsmasq
+    echo no mass killer available ! cant flush dnsmasq
- fi
+  fi
- if exists rndc; then
+  if exists rndc; then
-  rndc flush
+    rndc flush
- fi
+  fi
- if exists systemd-resolve; then
+  if exists systemd-resolve; then
-  systemd-resolve --flush-caches
+    systemd-resolve --flush-caches
- fi
+  fi
 }
-dnstest()
+dnstest() {
-{
+  local ip
- local ip="$(echo w3.org | digger 46)"
+  ip="$(echo w3.org | digger 46)"
- [ -n "$ip" ]
+  [ -n "$ip" ]
 }
-dnstest_with_cache_clear()
+dnstest_with_cache_clear() {
-{
+  flush_dns_cache
- flush_dns_cache
+  if dnstest; then
 if dnstest ; then
    echo DNS is working
    return 0
- else
+  else
    echo "! DNS is not working"
    return 1
- fi
+  fi
 }
-
+cut_local() {
 cut_local()
 {
  $GREP -vE '^192\.168\.|^127\.|^10\.'
 }
-cut_local6()
+cut_local6() {
 {
  $GREP -vE '^::|^fc..:|^fd..:|^fe8.:|^fe9.:|^fea.:|^feb.:|^FC..:|^FD..:|^FE8.:|^FE9.:|^FEA.:|^FEB.:'
 }
-oom_adjust_high()
+oom_adjust_high() {
-{
+  [ -f /proc/$$/oom_score_adj ] && {
-	[ -f /proc/$$/oom_score_adj ] && {
+    echo setting high oom kill priority
-		echo setting high oom kill priority
+    echo -n 100 >/proc/$$/oom_score_adj
-		echo -n 100 >/proc/$$/oom_score_adj
+  }
 	}
 }
-getexclude()
+getexclude() {
-{
+  oom_adjust_high
- oom_adjust_high
+  dnstest_with_cache_clear || return
- dnstest_with_cache_clear || return
+  [ -f "$ZUSERLIST_EXCLUDE" ] && {
- [ -f "$ZUSERLIST_EXCLUDE" ] && {
+    [ "$DISABLE_IPV4" != "1" ] && filedigger "$ZUSERLIST_EXCLUDE" 4 | sort -u >"$ZIPLIST_EXCLUDE"
-  [ "$DISABLE_IPV4" != "1" ] && filedigger "$ZUSERLIST_EXCLUDE" 4 | sort -u > "$ZIPLIST_EXCLUDE"
+    [ "$DISABLE_IPV6" != "1" ] && filedigger "$ZUSERLIST_EXCLUDE" 6 | sort -u >"$ZIPLIST_EXCLUDE6"
-  [ "$DISABLE_IPV6" != "1" ] && filedigger "$ZUSERLIST_EXCLUDE" 6 | sort -u > "$ZIPLIST_EXCLUDE6"
+  }
- }
+  return 0
 return 0
 }
-_get_ipban()
+_get_ipban() {
-{
+  [ -f "$ZUSERLIST_IPBAN" ] && {
- [ -f "$ZUSERLIST_IPBAN" ] && {
+    [ "$DISABLE_IPV4" != "1" ] && filedigger "$ZUSERLIST_IPBAN" 4 | cut_local | sort -u >"$ZIPLIST_USER_IPBAN"
-  [ "$DISABLE_IPV4" != "1" ] && filedigger "$ZUSERLIST_IPBAN" 4 | cut_local | sort -u > "$ZIPLIST_USER_IPBAN"
+    [ "$DISABLE_IPV6" != "1" ] && filedigger "$ZUSERLIST_IPBAN" 6 | cut_local6 | sort -u >"$ZIPLIST_USER_IPBAN6"
-  [ "$DISABLE_IPV6" != "1" ] && filedigger "$ZUSERLIST_IPBAN" 6 | cut_local6 | sort -u > "$ZIPLIST_USER_IPBAN6"
+  }
 }
 }
-getuser()
+getuser() {
-{
+  getexclude || return
- getexclude || return
+  [ -f "$ZUSERLIST" ] && {
- [ -f "$ZUSERLIST" ] && {
+    [ "$DISABLE_IPV4" != "1" ] && filedigger "$ZUSERLIST" 4 | cut_local | sort -u >"$ZIPLIST_USER"
-  [ "$DISABLE_IPV4" != "1" ] && filedigger "$ZUSERLIST" 4 | cut_local | sort -u > "$ZIPLIST_USER"
+    [ "$DISABLE_IPV6" != "1" ] && filedigger "$ZUSERLIST" 6 | cut_local6 | sort -u >"$ZIPLIST_USER6"
-  [ "$DISABLE_IPV6" != "1" ] && filedigger "$ZUSERLIST" 6 | cut_local6 | sort -u > "$ZIPLIST_USER6"
+  }
- }
+  _get_ipban
- _get_ipban
+  return 0
 return 0
 }
-getipban()
+getipban() {
-{
+  getexclude || return
- getexclude || return
+  _get_ipban
- _get_ipban
+  return 0
 return 0
 }
-hup_zapret_daemons()
+hup_zapret_daemons() {
-{
+  echo forcing zapret daemons to reload their hostlist
- echo forcing zapret daemons to reload their hostlist
+  if exists killall; then
- if exists killall; then
+    killall -HUP tpws nfqws dvtws 2>/dev/null
-  killall -HUP tpws nfqws dvtws 2>/dev/null
+  elif exists pkill; then
- elif exists pkill; then
+    pkill -HUP ^tpws$ ^nfqws$ ^dvtws$
-  pkill -HUP ^tpws$ ^nfqws$ ^dvtws$
+  else
- else
+    echo no mass killer available ! cant HUP zapret daemons
-  echo no mass killer available ! cant HUP zapret daemons
+  fi
 fi
 }
--- a/ipset/get_antifilter_allyouneed.sh
+++ b/ipset/get_antifilter_allyouneed.sh
@ -1,13 +1,16 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
    cd "$IPSET_DIR"
    pwd
 )"
 . "$IPSET_DIR/def.sh"
 getuser && {
- . "$IPSET_DIR/antifilter.helper"
+    . "$IPSET_DIR/antifilter.helper"
- get_antifilter https://antifilter.download/list/allyouneed.lst "$ZIPLIST"
+    get_antifilter https://antifilter.download/list/allyouneed.lst "$ZIPLIST"
 }
 "$IPSET_DIR/create_ipset.sh"
--- a/ipset/get_antifilter_ip.sh
+++ b/ipset/get_antifilter_ip.sh
@ -1,13 +1,16 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
    cd "$IPSET_DIR"
    pwd
 )"
 . "$IPSET_DIR/def.sh"
 getuser && {
- . "$IPSET_DIR/antifilter.helper"
+    . "$IPSET_DIR/antifilter.helper"
- get_antifilter https://antifilter.download/list/ip.lst "$ZIPLIST"
+    get_antifilter https://antifilter.download/list/ip.lst "$ZIPLIST"
 }
 "$IPSET_DIR/create_ipset.sh"
--- a/ipset/get_antifilter_ipresolve.sh
+++ b/ipset/get_antifilter_ipresolve.sh
@ -1,13 +1,16 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
    cd "$IPSET_DIR"
    pwd
 )"
 . "$IPSET_DIR/def.sh"
 getuser && {
- . "$IPSET_DIR/antifilter.helper"
+    . "$IPSET_DIR/antifilter.helper"
- get_antifilter https://antifilter.download/list/ipresolve.lst "$ZIPLIST"
+    get_antifilter https://antifilter.download/list/ipresolve.lst "$ZIPLIST"
 }
 "$IPSET_DIR/create_ipset.sh"
--- a/ipset/get_antifilter_ipsmart.sh
+++ b/ipset/get_antifilter_ipsmart.sh
@ -1,13 +1,16 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
    cd "$IPSET_DIR"
    pwd
 )"
 . "$IPSET_DIR/def.sh"
 getuser && {
- . "$IPSET_DIR/antifilter.helper"
+    . "$IPSET_DIR/antifilter.helper"
- get_antifilter https://antifilter.network/download/ipsmart.lst "$ZIPLIST"
+    get_antifilter https://antifilter.network/download/ipsmart.lst "$ZIPLIST"
 }
 "$IPSET_DIR/create_ipset.sh"
--- a/ipset/get_antifilter_ipsum.sh
+++ b/ipset/get_antifilter_ipsum.sh
@ -1,13 +1,16 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
    cd "$IPSET_DIR"
    pwd
 )"
 . "$IPSET_DIR/def.sh"
 getuser && {
- . "$IPSET_DIR/antifilter.helper"
+    . "$IPSET_DIR/antifilter.helper"
- get_antifilter https://antifilter.download/list/ipsum.lst "$ZIPLIST"
+    get_antifilter https://antifilter.download/list/ipsum.lst "$ZIPLIST"
 }
 "$IPSET_DIR/create_ipset.sh"
--- a/ipset/get_antizapret_domains.sh
+++ b/ipset/get_antizapret_domains.sh
@ -1,7 +1,10 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
    cd "$IPSET_DIR"
    pwd
 )"
 . "$IPSET_DIR/def.sh"
@ -14,17 +17,16 @@ getipban || FAIL=1
 ZURL=https://antizapret.prostovpn.org:8443/domains-export.txt
 ZDOM="$TMPDIR/zapret.txt"
 curl -H "Accept-Encoding: gzip" -k --fail --max-time 600 --connect-timeout 5 --retry 3 --max-filesize 251658240 "$ZURL" | gunzip - >"$ZDOM" ||
-{
+    {
- echo domain list download failed   
+        echo domain list download failed
- exit 2
+        exit 2
-}
+    }
 dlsize=$(LANG=C wc -c "$ZDOM" | xargs | cut -f 1 -d ' ')
-if test $dlsize -lt 102400; then
+if test "$dlsize" -lt 102400; then
- echo list file is too small. can be bad.
+    echo list file is too small. can be bad.
- exit 2
+    exit 2
 fi
 sort -u "$ZDOM" | zz "$ZHOSTLIST"
--- a/ipset/get_config.sh
+++ b/ipset/get_config.sh
@ -2,7 +2,10 @@
 # run script specified in config
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
    cd "$IPSET_DIR"
    pwd
 )"
 . "$IPSET_DIR/../config"
--- a/ipset/get_exclude.sh
+++ b/ipset/get_exclude.sh
@ -2,7 +2,10 @@
 # resolve user host list
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
    cd "$IPSET_DIR"
    pwd
 )"
 . "$IPSET_DIR/def.sh"
--- a/ipset/get_ipban.sh
+++ b/ipset/get_ipban.sh
@ -2,7 +2,10 @@
 # resolve only ipban user host list
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
    cd "$IPSET_DIR"
    pwd
 )"
 . "$IPSET_DIR/def.sh"
--- a/ipset/get_reestr_hostlist.sh
+++ b/ipset/get_reestr_hostlist.sh
@ -1,7 +1,10 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
  cd "$IPSET_DIR" || exit
  pwd
 )"
 . "$IPSET_DIR/def.sh"
@ -9,44 +12,40 @@ ZREESTR="$TMPDIR/zapret.txt"
 IPB="$TMPDIR/ipb.txt"
 ZURL_REESTR=https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv
-dl_checked()
+dl_checked() {
 {
  # $1 - url
  # $2 - file
  # $3 - minsize
  # $4 - maxsize
  # $5 - maxtime
-  curl -k --fail --max-time $5 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$2" "$1" ||
+  curl -k --fail --max-time "$5" --connect-timeout 10 --retry 4 --max-filesize "$4" -o "$2" "$1" ||
-  {
+    {
-   echo list download failed : $1
+      echo list download failed : "$1"
-   return 2
+      return 2
-  }
+    }
  dlsize=$(LANG=C wc -c "$2" | xargs | cut -f 1 -d ' ')
-  if test $dlsize -lt $3; then
+  if test "$dlsize" -lt "$3"; then
-   echo list is too small : $dlsize bytes. can be bad.
+    echo list is too small : "$dlsize" bytes. can be bad.
-   return 2
+    return 2
  fi
  return 0
 }
-reestr_list()
+reestr_list() {
-{
+  LANG=C cut -s -f2 -d';' "$ZREESTR" | LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p' | $AWK "{ print tolower($0) }"
 LANG=C cut -s -f2 -d';' "$ZREESTR" | LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p' | $AWK '{ print tolower($0) }'
 }
-reestr_extract_ip()
+reestr_extract_ip() {
-{
+  LANG=C nice -n 5 "$AWK" -F ";" "($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}" "$ZREESTR" | LANG=C $AWK "{split($1, a, /\|/); for (i in a) {print a[i]}}"
 LANG=C nice -n 5 $AWK -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' "$ZREESTR" | LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}'
 }
-ipban_fin()
+ipban_fin() {
-{
+  getipban
- getipban
+  "$IPSET_DIR/create_ipset.sh"
 "$IPSET_DIR/create_ipset.sh"
 }
 dl_checked "$ZURL_REESTR" "$ZREESTR" 204800 251658240 600 || {
- ipban_fin
+  ipban_fin
- exit 2
+  exit 2
 }
 reestr_list | sort -u | zz "$ZHOSTLIST"
--- a/ipset/get_reestr_preresolved.sh
+++ b/ipset/get_reestr_preresolved.sh
@ -1,7 +1,10 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
  cd "$IPSET_DIR" || exit
  pwd
 )"
 . "$IPSET_DIR/def.sh"
@ -13,35 +16,34 @@ URL6="$BASEURL/reestr_resolved6.txt"
 IPB4="$BASEURL/reestr_ipban4.txt"
 IPB6="$BASEURL/reestr_ipban6.txt"
-dl()
+dl() {
 {
  # $1 - url
  # $2 - file
  # $3 - minsize
  # $4 - maxsize
-  curl -H "Accept-Encoding: gzip" -k --fail --max-time 120 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$TMPLIST" "$1" ||
+  curl -H "Accept-Encoding: gzip" -k --fail --max-time 120 --connect-timeout 10 --retry 4 --max-filesize "$4" -o "$TMPLIST" "$1" ||
-  {
+    {
-   echo list download failed : $1
+      echo list download failed : "$1"
-   exit 2
+      exit 2
-  }
+    }
  dlsize=$(LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
-  if test $dlsize -lt $3; then
+  if test "$dlsize" -lt "$3"; then
-   echo list is too small : $dlsize bytes. can be bad.
+    echo list is too small : "$dlsize" bytes. can be bad.
-   exit 2
+    exit 2
  fi
  zzcat "$TMPLIST" | zz "$2"
  rm -f "$TMPLIST"
 }
 getuser && {
- [ "$DISABLE_IPV4" != "1" ] && {
+  [ "$DISABLE_IPV4" != "1" ] && {
- 	dl "$URL4" "$ZIPLIST" 32768 4194304
+    dl "$URL4" "$ZIPLIST" 32768 4194304
- 	dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
+    dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
- }
+  }
- [ "$DISABLE_IPV6" != "1" ] && {
+  [ "$DISABLE_IPV6" != "1" ] && {
- 	dl "$URL6" "$ZIPLIST6" 8192 4194304
+    dl "$URL6" "$ZIPLIST6" 8192 4194304
- 	dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
+    dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
- }
+  }
 }
 "$IPSET_DIR/create_ipset.sh"
--- a/ipset/get_reestr_preresolved_smart.sh
+++ b/ipset/get_reestr_preresolved_smart.sh
@ -1,7 +1,10 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
  cd "$IPSET_DIR" || exit
  pwd
 )"
 . "$IPSET_DIR/def.sh"
@ -13,35 +16,34 @@ URL6="$BASEURL/reestr_smart6.txt"
 IPB4="$BASEURL/reestr_ipban4.txt"
 IPB6="$BASEURL/reestr_ipban6.txt"
-dl()
+dl() {
 {
  # $1 - url
  # $2 - file
  # $3 - minsize
  # $4 - maxsize
-  curl -H "Accept-Encoding: gzip" -k --fail --max-time 120 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$TMPLIST" "$1" ||
+  curl -H "Accept-Encoding: gzip" -k --fail --max-time 120 --connect-timeout 10 --retry 4 --max-filesize "$4" -o "$TMPLIST" "$1" ||
-  {
+    {
-   echo list download failed : $1
+      echo list download failed : "$1"
-   exit 2
+      exit 2
-  }
+    }
  dlsize=$(LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
-  if test $dlsize -lt $3; then
+  if test "$dlsize" -lt "$3"; then
-   echo list is too small : $dlsize bytes. can be bad.
+    echo list is too small : "$dlsize" bytes. can be bad.
-   exit 2
+    exit 2
  fi
  zzcat "$TMPLIST" | zz "$2"
  rm -f "$TMPLIST"
 }
 getuser && {
- [ "$DISABLE_IPV4" != "1" ] && {
+  [ "$DISABLE_IPV4" != "1" ] && {
- 	dl "$URL4" "$ZIPLIST" 32768 4194304
+    dl "$URL4" "$ZIPLIST" 32768 4194304
- 	dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
+    dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
- }
+  }
- [ "$DISABLE_IPV6" != "1" ] && {
+  [ "$DISABLE_IPV6" != "1" ] && {
- 	dl "$URL6" "$ZIPLIST6" 8192 4194304
+    dl "$URL6" "$ZIPLIST6" 8192 4194304
- 	dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
+    dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
- }
+  }
 }
 "$IPSET_DIR/create_ipset.sh"
--- a/ipset/get_reestr_resolvable_domains.sh
+++ b/ipset/get_reestr_resolvable_domains.sh
@ -1,7 +1,10 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
  cd "$IPSET_DIR" || exit
  pwd
 )"
 . "$IPSET_DIR/def.sh"
@ -12,21 +15,20 @@ URL="$BASEURL/reestr_hostname_resolvable.txt"
 IPB4="$BASEURL/reestr_ipban4.txt"
 IPB6="$BASEURL/reestr_ipban6.txt"
-dl()
+dl() {
 {
  # $1 - url
  # $2 - file
  # $3 - minsize
  # $4 - maxsize
-  curl -H "Accept-Encoding: gzip" -k --fail --max-time 120 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$TMPLIST" "$1" ||
+  curl -H "Accept-Encoding: gzip" -k --fail --max-time 120 --connect-timeout 10 --retry 4 --max-filesize "$4" -o "$TMPLIST" "$1" ||
-  {
+    {
-   echo list download failed : $1
+      echo list download failed : "$1"
-   exit 2
+      exit 2
-  }
+    }
  dlsize=$(LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
-  if test $dlsize -lt $3; then
+  if test "$dlsize" -lt "$3"; then
-   echo list is too small : $dlsize bytes. can be bad.
+    echo list is too small : "$dlsize" bytes. can be bad.
-   exit 2
+    exit 2
  fi
  zzcat "$TMPLIST" | zz "$2"
  rm -f "$TMPLIST"
--- a/ipset/get_reestr_resolve.sh
+++ b/ipset/get_reestr_resolve.sh
@ -1,7 +1,10 @@
 #!/bin/sh
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
  cd "$IPSET_DIR" || exit
  pwd
 )"
 . "$IPSET_DIR/def.sh"
@ -12,72 +15,69 @@ ZIPLISTTMP="$TMPDIR/zapret-ip.txt"
 #ZURL=https://reestr.rublacklist.net/api/current
 ZURL_REESTR=https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv
-dl_checked()
+dl_checked() {
 {
  # $1 - url
  # $2 - file
  # $3 - minsize
  # $4 - maxsize
  # $5 - maxtime
-  curl -k --fail --max-time $5 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$2" "$1" ||
+  curl -k --fail --max-time "$5" --connect-timeout 10 --retry 4 --max-filesize "$4" -o "$2" "$1" ||
-  {
+    {
-   echo list download failed : $1
+      echo list download failed : "$1"
-   return 2
+      return 2
-  }
+    }
  dlsize=$(LANG=C wc -c "$2" | xargs | cut -f 1 -d ' ')
-  if test $dlsize -lt $3; then
+  if test "$dlsize" -lt "$3"; then
-   echo list is too small : $dlsize bytes. can be bad.
+    echo list is too small : "$dlsize" bytes. can be bad.
-   return 2
+    return 2
  fi
  return 0
 }
-reestr_list()
+reestr_list() {
-{
+  LANG=C cut -s -f2 -d';' "$ZREESTR" | LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p'
 LANG=C cut -s -f2 -d';' "$ZREESTR" | LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p'
 }
-reestr_extract_ip()
+reestr_extract_ip() {
-{
+  LANG=C nice -n 5 "$AWK" -F ';' "($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}" "$ZREESTR" | LANG=C $AWK "{split($1, a, /\|/); for (i in a) {print a[i]}}"
 LANG=C nice -n 5 $AWK -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' "$ZREESTR" | LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}'
 }
 getuser && {
- # both disabled
+  # both disabled
- [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && exit 0
+  [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && exit 0
- dl_checked "$ZURL_REESTR" "$ZREESTR" 204800 251658240 600 || exit 2
+  dl_checked "$ZURL_REESTR" "$ZREESTR" 204800 251658240 600 || exit 2
- echo preparing ipban list ..
+  echo preparing ipban list ..
- reestr_extract_ip <"$ZREESTR" >"$IPB"
+  reestr_extract_ip <"$ZREESTR" >"$IPB"
- [ "$DISABLE_IPV4" != "1" ] && $AWK '/^([0-9]{1,3}\.){3}[0-9]{1,3}($|(\/[0-9]{2}$))/' "$IPB" | cut_local | ip2net4 | zz "$ZIPLIST_IPBAN"
+  [ "$DISABLE_IPV4" != "1" ] && $AWK '/^([0-9]{1,3}\.){3}[0-9]{1,3}($|(\/[0-9]{2}$))/' "$IPB" | cut_local | ip2net4 | zz "$ZIPLIST_IPBAN"
- [ "$DISABLE_IPV6" != "1" ] && $AWK '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}($|(\/[0-9]{2,3}$))/' "$IPB" | cut_local6 | ip2net6 | zz "$ZIPLIST_IPBAN6"
+  [ "$DISABLE_IPV6" != "1" ] && $AWK '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}($|(\/[0-9]{2,3}$))/' "$IPB" | cut_local6 | ip2net6 | zz "$ZIPLIST_IPBAN6"
- rm -f "$IPB"
+  rm -f "$IPB"
- echo preparing dig list ..
+  echo preparing dig list ..
- reestr_list | sort -u >"$ZDIG"
+  reestr_list | sort -u >"$ZDIG"
- rm -f "$ZREESTR"
+  rm -f "$ZREESTR"
- echo digging started. this can take long ...
+  echo digging started. this can take long ...
- [ "$DISABLE_IPV4" != "1" ] && {
+  [ "$DISABLE_IPV4" != "1" ] && {
-  filedigger "$ZDIG" 4 | cut_local >"$ZIPLISTTMP" || {
+    filedigger "$ZDIG" 4 | cut_local >"$ZIPLISTTMP" || {
-   rm -f "$ZDIG"
+      rm -f "$ZDIG"
-   exit 1
+      exit 1
    }
    ip2net4 <"$ZIPLISTTMP" | zz "$ZIPLIST"
    rm -f "$ZIPLISTTMP"
  }
-  ip2net4 <"$ZIPLISTTMP" | zz "$ZIPLIST"
+  [ "$DISABLE_IPV6" != "1" ] && {
-  rm -f "$ZIPLISTTMP"
+    filedigger "$ZDIG" 6 | cut_local6 >"$ZIPLISTTMP" || {
- }
+      rm -f "$ZDIG"
- [ "$DISABLE_IPV6" != "1" ] && {
+      exit 1
-  filedigger "$ZDIG" 6 | cut_local6 >"$ZIPLISTTMP" || {
+    }
-   rm -f "$ZDIG"
+    ip2net6 <"$ZIPLISTTMP" | zz "$ZIPLIST6"
-   exit 1
+    rm -f "$ZIPLISTTMP"
  }
-  ip2net6 <"$ZIPLISTTMP" | zz "$ZIPLIST6"
+  rm -f "$ZDIG"
  rm -f "$ZIPLISTTMP"
 }
 rm -f "$ZDIG"
 }
 "$IPSET_DIR/create_ipset.sh"
--- a/ipset/get_user.sh
+++ b/ipset/get_user.sh
@ -2,7 +2,10 @@
 # resolve user host list
 IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
+IPSET_DIR="$(
    cd "$IPSET_DIR"
    pwd
 )"
 . "$IPSET_DIR/def.sh"
--- a/uninstall_easy.sh
+++ b/uninstall_easy.sh
@ -3,7 +3,10 @@
 # automated script for easy uninstalling zapret
 EXEDIR="$(dirname "$0")"
-EXEDIR="$(cd "$EXEDIR"; pwd)"
+EXEDIR="$(
 	cd "$EXEDIR"
 	pwd
 )"
 ZAPRET_BASE=${ZAPRET_BASE:-"$EXEDIR"}
 ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
 ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
@ -26,8 +29,7 @@ IPSET_DIR="$ZAPRET_BASE/ipset"
 . "$ZAPRET_BASE/common/pf.sh"
 . "$ZAPRET_BASE/common/installer.sh"
-remove_systemd()
+remove_systemd() {
 {
 	clear_ipset
 	service_stop_systemd
 	service_remove_systemd
@ -36,16 +38,14 @@ remove_systemd()
 	crontab_del
 }
-remove_openrc()
+remove_openrc() {
 {
 	clear_ipset
 	service_remove_openrc
 	nft_del_table
 	crontab_del
 }
-remove_linux()
+remove_linux() {
 {
 	INIT_SCRIPT_SRC="$EXEDIR/init.d/sysv/zapret"
 	clear_ipset
@ -61,8 +61,7 @@ remove_linux()
 	echo 'you must manually remove zapret auto start from your system'
 }
-remove_openwrt()
+remove_openwrt() {
 {
 	OPENWRT_FW_INCLUDE=/etc/firewall.zapret
 	clear_ipset
@ -74,14 +73,12 @@ remove_openwrt()
 	crontab_del
 }
-remove_macos()
+remove_macos() {
 {
 	remove_macos_firewall
 	service_remove_macos
 	crontab_del
 }
 fix_sbin_path
 check_system
 require_root
@ -89,22 +86,21 @@ require_root
 [ "$SYSTEM" = "macos" ] && . "$EXEDIR/init.d/macos/functions"
 case $SYSTEM in
-	systemd)
+systemd)
-		remove_systemd
+	remove_systemd
-		;;
+	;;
-	openrc)
+openrc)
-		remove_openrc
+	remove_openrc
-		;;
+	;;
-	linux)
+linux)
-		remove_linux
+	remove_linux
-		;;
+	;;
-	openwrt)
+openwrt)
-		remove_openwrt
+	remove_openwrt
-		;;
+	;;
-	macos)
+macos)
-		remove_macos
+	remove_macos
-		;;
+	;;
 esac
 exitp 0