nfqws: fix unitialized use of host buffer

typo
nfqws,tpws: use tls record length in TLSDebug
2025-04-19 21:42:59 +03:00 · 2025-04-19 19:59:42 +03:00 · 2025-04-19 19:41:40 +03:00 · 2025-04-14 12:18:07 +03:00 · 2025-04-14 11:21:16 +03:00 · 2025-04-14 11:20:20 +03:00
137 changed files with 8792 additions and 4124 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -1,5 +1,3 @@
 * text=auto eol=lf
-binaries/win64/readme.txt eol=crlf
-binaries/win32/readme.txt eol=crlf
 *.cmd eol=crlf
 *.bat eol=crlf
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@ -0,0 +1 @@
+blank_issues_enabled: false
--- a/.github/ISSUE_TEMPLATE/issue-warning.md
+++ b/.github/ISSUE_TEMPLATE/issue-warning.md
@ -0,0 +1,19 @@
+---
+name: bugs
+about: do not write lame questions
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+1. Здесь не место для вопросов, касающихся компьютерной грамотности и навыков использования ОС
+2. Здесь не место для вопросов "у меня не работает" без технических подробностей
+3. Здесь не место для вопросов "как мне открыть ютуб", "что писать в ...", "перестало открываться".
+4. Здесь не место для обсуждения сборок
+5. Вирусов здесь нет. У вас либо чья-то сборка, либо ваш антивирус давно пора отправить на покой. Антивирусы в основном жалуются на upx и windivert, которые убраны НЕ будут. upx - это паковщик для сокращения требуемого места на openwrt, windivert - замена iptables для windows, потенциальный инструмент хакера или компонент зловредной программы, но сам по себе вирусом не является. Не согласны - удаляйте софт. За агрессивные наезды "почему автор распространяет вирусы" молча схватите бан.
+
+Все означенное обсуждать в дискуссиях или на форумах.
+При нарушении будет закрываться или конвертироваться в дискуссии.
+Issue только для обсуждения проблем самого софта. Неработа стратегии или ваше неумение настроить - это ваша проблема, а не проблема софта.
+Однокнопочные решения дают только сборщики, поэтому "открытие сайта" не является функцией программы, и нет смысла жаловаться, что он не открывается. Но можно это обсудить в дискуссиях. Не захламляйте issues !
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -52,6 +52,13 @@ jobs:
            tool: i586-unknown-linux-musl
          - arch: x86_64
            tool: x86_64-unknown-linux-musl
+          - arch: lexra
+            tool: mips-linux
+            dir: rsdk-4.6.4-5281-EB-3.10-0.9.33-m32ub-20141001
+            env:
+              CFLAGS: '-march=5281'
+              LDFLAGS: '-lgcc_eh'
+            repo: 'bol-van/build'
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@ -60,18 +67,31 @@ jobs:

      - name: Set up build tools
        env:
-          REPO: 'spvkgn/musl-cross'
+          ARCH: ${{ matrix.arch }}
          TOOL: ${{ matrix.tool }}
+          REPO: ${{ matrix.arch == 'lexra' && matrix.repo || 'spvkgn/musl-cross' }}
+          DIR: ${{ matrix.arch == 'lexra' && matrix.dir || matrix.tool }}
        run: |
-          sudo apt update -qq && sudo apt install -y libcap-dev
+          if [[ "$ARCH" == lexra ]]; then
+            sudo dpkg --add-architecture i386
+            sudo apt update -qq
+            sudo apt install -y libcap-dev libc6:i386 zlib1g:i386
+            URL=https://github.com/$REPO/raw/refs/heads/master/$DIR.txz
+          else
+            sudo apt update -qq
+            sudo apt install -y libcap-dev
+            URL=https://github.com/$REPO/releases/download/latest/$TOOL.tar.xz
+          fi
          mkdir -p $HOME/tools
-          wget -qO- https://github.com/$REPO/releases/download/latest/$TOOL.tar.xz | tar -C $HOME/tools -xJ || exit 1
-          [ -d "$HOME/tools/$TOOL/bin" ] && echo "$HOME/tools/$TOOL/bin" >> $GITHUB_PATH
+          wget -qO- $URL | tar -C $HOME/tools -xJ || exit 1
+          [[ -d "$HOME/tools/$DIR/bin" ]] && echo "$HOME/tools/$DIR/bin" >> $GITHUB_PATH

      - name: Build
        env:
          ARCH: ${{ matrix.arch }}
          TARGET: ${{ matrix.tool }}
+          CFLAGS: ${{ matrix.env.CFLAGS != '' && matrix.env.CFLAGS || null }}
+          LDFLAGS: ${{ matrix.env.LDFLAGS != '' && matrix.env.LDFLAGS || null }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          DEPS_DIR=$GITHUB_WORKSPACE/deps
@ -81,21 +101,18 @@ jobs:
          export NM=$TARGET-nm
          export STRIP=$TARGET-strip
          export PKG_CONFIG_PATH=$DEPS_DIR/lib/pkgconfig
-
-          # optimize for size
-          export CFLAGS="-Os -flto=auto"
-          export LDFLAGS="-Os"
+          export STAGING_DIR=$RUNNER_TEMP

          # netfilter libs
-          git clone --depth 1 -b libmnl-1.0.5 git://git.netfilter.org/libmnl
-          git clone --depth 1 -b libnfnetlink-1.0.2 git://git.netfilter.org/libnfnetlink
-          git clone --depth 1 -b libnetfilter_queue-1.0.5 git://git.netfilter.org/libnetfilter_queue
+          wget -qO- https://www.netfilter.org/pub/libnfnetlink/libnfnetlink-1.0.2.tar.bz2 | tar -xj
+          wget -qO- https://www.netfilter.org/pub/libmnl/libmnl-1.0.5.tar.bz2 | tar -xj
+          wget -qO- https://www.netfilter.org/pub/libnetfilter_queue/libnetfilter_queue-1.0.5.tar.bz2 | tar -xj

          for i in libmnl libnfnetlink libnetfilter_queue ; do
            (
-              cd $i
-              ./autogen.sh && \
-              ./configure --prefix= --host=$TARGET --enable-static --disable-shared && \
+              cd $i-*
+              CFLAGS="-Os -flto=auto $CFLAGS" \
+              ./configure --prefix= --host=$TARGET --enable-static --disable-shared --disable-dependency-tracking
              make install -j$(nproc) DESTDIR=$DEPS_DIR
            )
            sed -i "s|^prefix=.*|prefix=$DEPS_DIR|g" $DEPS_DIR/lib/pkgconfig/$i.pc
@ -106,7 +123,8 @@ jobs:
            xargs -I{} wget -qO- https://github.com/madler/zlib/archive/refs/tags/{}.tar.gz | tar -xz
          (
            cd zlib-*
-            ./configure --prefix= --static && \
+            CFLAGS="-Os -flto=auto $CFLAGS" \
+            ./configure --prefix= --static
            make install -j$(nproc) DESTDIR=$DEPS_DIR
          )

@ -116,8 +134,8 @@ jobs:
          install -Dm644 -t $DEPS_DIR/include/sys /usr/include/x86_64-linux-gnu/sys/queue.h /usr/include/sys/capability.h

          # zapret
-          CFLAGS="$CFLAGS -static-libgcc -static -I$DEPS_DIR/include" \
-          LDFLAGS="$LDFLAGS -L$DEPS_DIR/lib" \
+          CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }} -static-libgcc -static -I$DEPS_DIR/include $CFLAGS" \
+          LDFLAGS="-L$DEPS_DIR/lib $LDFLAGS" \
          make -C zapret -j$(nproc)
          tar -C zapret/binaries/my -cJf zapret-linux-$ARCH.tar.xz .

@ -137,6 +155,7 @@ jobs:

      - name: Build zapret
        run: |
+          export CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }}"
          make mac -j$(sysctl -n hw.logicalcpu)
          tar -C binaries/my -cJf zapret-mac-x64.tar.xz .

@ -171,7 +190,8 @@ jobs:
          TARGET: ${{ matrix.target }}
          ARCH: ${{ matrix.arch }}
        run: |
-          settarget $TARGET-freebsd11 make bsd -j$(nproc) || exit 1
+          export CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }}"
+          settarget $TARGET-freebsd11 make bsd -j$(nproc)
          tar -C binaries/my -cJf zapret-freebsd-$ARCH.tar.xz .

      - name: Upload artifacts
@ -204,6 +224,7 @@ jobs:
      - name: Build ip2net, mdig
        shell: msys2 {0}
        run: |
+          export CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }}"
          mkdir -p output
          cd zapret
          mingw32-make -C ip2net win
@ -260,6 +281,7 @@ jobs:
        shell: C:\cygwin\bin\bash.exe -eo pipefail '{0}'
        run: >-
          export MAKEFLAGS=-j$(nproc) &&
+          export CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }}" &&
          cd zapret &&
          make -C nfq ${TARGET} &&
          cp -a nfq/winws.exe ../output
@ -282,9 +304,81 @@ jobs:
          path: zapret-*.zip
          if-no-files-found: error

+  build-android:
+    name: Android ${{ matrix.abi }}
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - abi: armeabi-v7a
+            target: armv7a-linux-androideabi
+          - abi: arm64-v8a
+            target: aarch64-linux-android
+          - abi: x86
+            target: i686-linux-android
+          - abi: x86_64
+            target: x86_64-linux-android
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          path: zapret
+
+      - name: Build
+        env:
+          ABI: ${{ matrix.abi }}
+          API: 21
+          TARGET: ${{ matrix.target }}
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          DEPS_DIR=$GITHUB_WORKSPACE/deps
+          export TOOLCHAIN=$ANDROID_NDK_HOME/toolchains/llvm/prebuilt/linux-x86_64
+          export CC="$TOOLCHAIN/bin/clang --target=$TARGET$API"
+          export AR=$TOOLCHAIN/bin/llvm-ar
+          export AS=$CC
+          export LD=$TOOLCHAIN/bin/ld
+          export RANLIB=$TOOLCHAIN/bin/llvm-ranlib
+          export STRIP=$TOOLCHAIN/bin/llvm-strip
+          export PKG_CONFIG_PATH=$DEPS_DIR/lib/pkgconfig
+
+          # netfilter libs
+          wget -qO- https://www.netfilter.org/pub/libnfnetlink/libnfnetlink-1.0.2.tar.bz2 | tar -xj
+          wget -qO- https://www.netfilter.org/pub/libmnl/libmnl-1.0.5.tar.bz2 | tar -xj
+          wget -qO- https://www.netfilter.org/pub/libnetfilter_queue/libnetfilter_queue-1.0.5.tar.bz2 | tar -xj
+          patch -p1 -d libnetfilter_queue-* -i ../zapret/.github/workflows/libnetfilter_queue-android.patch
+
+          for i in libmnl libnfnetlink libnetfilter_queue ; do
+            (
+              cd $i-*
+              CFLAGS="-Os -flto=auto -Wno-implicit-function-declaration" \
+              ./configure --prefix= --host=$TARGET --enable-static --disable-shared --disable-dependency-tracking
+              make install -j$(nproc) DESTDIR=$DEPS_DIR
+            )
+            sed -i "s|^prefix=.*|prefix=$DEPS_DIR|g" $DEPS_DIR/lib/pkgconfig/$i.pc
+          done
+
+          # zapret
+          CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }} -I$DEPS_DIR/include" \
+          LDFLAGS="-L$DEPS_DIR/lib" \
+          make -C zapret android -j$(nproc)
+
+          # strip unwanted ELF sections to prevent warnings on old Android versions
+          gh api repos/termux/termux-elf-cleaner/releases/latest --jq '.tag_name' |\
+            xargs -I{} wget -O elf-cleaner https://github.com/termux/termux-elf-cleaner/releases/download/{}/termux-elf-cleaner
+          chmod +x elf-cleaner
+          ./elf-cleaner --api-level $API zapret/binaries/my/*
+          zip zapret-android-$ABI.zip -j zapret/binaries/my/*
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: zapret-android-${{ matrix.abi }}
+          path: zapret-*.zip
+          if-no-files-found: error
+
  release:
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
-    needs: [ build-linux, build-windows, build-macos, build-freebsd ]
+    needs: [ build-linux, build-windows, build-macos, build-freebsd, build-android ]
    permissions:
      contents: write
    runs-on: ubuntu-latest
@ -307,6 +401,7 @@ jobs:
        uses: crazy-max/ghaction-upx@v3
        with:
          install-only: true
+          version: v4.2.4

      - name: Prepare binaries
        shell: bash
@ -324,7 +419,7 @@ jobs:
                  if [[ $dir == *-linux-x86_64 ]]; then
                    tar -C $dir -czvf $dir/tpws_wsl.tgz tpws
                    run_upx $dir/*
-                  elif [[ $dir =~ linux ]] && [[ $dir != *-linux-mips64 ]]; then
+                  elif [[ $dir =~ linux ]] && [[ $dir != *-linux-mips64 ]] && [[ $dir != *-linux-lexra ]]; then
                    run_upx $dir/*
                  fi
                  ;;
@ -343,6 +438,10 @@ jobs:
            if [ -d $dir ]; then
              echo "Processing $dir"
              case $dir in
+                *-android-arm64-v8a )   run_dir android-aarch64 ;;
+                *-android-armeabi-v7a ) run_dir android-arm ;;
+                *-android-x86 )         run_dir android-x86 ;;
+                *-android-x86_64 )      run_dir android-x86_64 ;;
                *-freebsd-x86_64 )      run_dir freebsd-x64 ;;
                *-linux-arm )           run_dir arm ;;
                *-linux-arm64 )         run_dir aarch64 ;;
@ -352,6 +451,7 @@ jobs:
                *-linux-ppc )           run_dir ppc ;;
                *-linux-x86 )           run_dir x86 ;;
                *-linux-x86_64 )        run_dir x86_64 ;;
+                *-linux-lexra )         run_dir lexra ;;
                *-mac-x64 )             run_dir mac64 ;;
                *-win-x86 )             run_dir win32 ;;
                *-win-x86_64 )          run_dir win64 ;;
@ -363,8 +463,16 @@ jobs:
      - name: Create release bundles
        run: |
          rm -rf ${{ env.repo_dir }}/.git*
-          tar -czf ${{ env.repo_dir }}.tar.gz ${{ env.repo_dir }}
+          find ${{ env.repo_dir }}/binaries -type f -exec sha256sum {} \; >sha256sum.txt
+          tar --owner=0 --group=0 -czf ${{ env.repo_dir }}.tar.gz ${{ env.repo_dir }}
          zip -qr ${{ env.repo_dir }}.zip ${{ env.repo_dir }}
+          (
+            cd ${{ env.repo_dir }}
+            rm -rf binaries/{android*,freebsd*,mac*,win*,x86_64/tpws_wsl.tgz} \
+                   init.d/{openrc,macos,pfsense,runit,s6,systemd} \
+                   tpws nfq ip2net mdig docs files/huawei Makefile
+          )
+          tar --owner=0 --group=0 -czf ${{ env.repo_dir }}-openwrt-embedded.tar.gz ${{ env.repo_dir }}

      - name: Upload release assets
        uses: softprops/action-gh-release@v2
@ -377,3 +485,4 @@ jobs:
          files: |
            zapret*.tar.gz
            zapret*.zip
+            sha256sum.txt
--- a/.github/workflows/libnetfilter_queue-android.patch
+++ b/.github/workflows/libnetfilter_queue-android.patch
@ -0,0 +1,41 @@
+--- a/src/extra/pktbuff.c
+++ b/src/extra/pktbuff.c
+@@ -14,7 +14,7 @@
+ #include <string.h> /* for memcpy */
+ #include <stdbool.h>
+ 
+-#include <netinet/if_ether.h>
+#include <linux/if_ether.h>
+ #include <netinet/ip.h>
+ #include <netinet/tcp.h>
+ 
+--- a/src/nlmsg.c
+++ b/src/nlmsg.c
+@@ -21,7 +21,7 @@
+ 
+ #include <linux/netfilter/nfnetlink_queue.h>
+ 
+-#include <libnetfilter_queue/libnetfilter_queue.h>
+// #include <libnetfilter_queue/libnetfilter_queue.h>
+ 
+ #include "internal.h"
+ 
+--- a/src/extra/tcp.c
+++ b/src/extra/tcp.c
+@@ -139,12 +139,16 @@ void nfq_tcp_compute_checksum_ipv6(struc
+  *  (union is compatible to any of its members)
+  *  This means this part of the code is -fstrict-aliasing safe now.
+  */
+#ifndef __ANDROID__
+ union tcp_word_hdr {
+ 	struct tcphdr hdr;
+ 	uint32_t  words[5];
+ };
+#endif
+ 
+#ifndef tcp_flag_word
+ #define tcp_flag_word(tp) ( ((union tcp_word_hdr *)(tp))->words[3])
+#endif
+ 
+ /**
+  * nfq_pkt_snprintf_tcp_hdr - print tcp header into one buffer in a humnan
--- a/.gitignore
+++ b/.gitignore
@ -1,10 +1,12 @@
 /config
 ip2net/ip2net
 mdig/mdig
+nfq/dvtws
 nfq/nfqws
+nfq/winws.exe
+nfq/WinDivert*
 tpws/tpws
 binaries/my/
-init.d/**/custom
 ipset/zapret-ip*.txt
 ipset/zapret-ip*.gz
 ipset/zapret-hosts*.txt
--- a/26
+++ b/26
@ -15,6 +15,32 @@ all:	clean
 		done \
 	done

+systemd: clean
+	@mkdir -p "$(TGT)"; \
+	for dir in $(DIRS); do \
+		find "$$dir" -type f  \( -name "*.c" -o -name "*.h" -o -name "*akefile" \) -exec chmod -x {} \; ; \
+		$(MAKE) -C "$$dir" systemd || exit; \
+		for exe in "$$dir/"*; do \
+			if [ -f "$$exe" ] && [ -x "$$exe" ]; then \
+				mv -f "$$exe" "${TGT}" ; \
+				ln -fs "../${TGT}/$$(basename "$$exe")" "$$exe" ; \
+			fi \
+		done \
+	done
+
+android: clean
+	@mkdir -p "$(TGT)"; \
+	for dir in $(DIRS); do \
+		find "$$dir" -type f  \( -name "*.c" -o -name "*.h" -o -name "*akefile" \) -exec chmod -x {} \; ; \
+		$(MAKE) -C "$$dir" android || exit; \
+		for exe in "$$dir/"*; do \
+			if [ -f "$$exe" ] && [ -x "$$exe" ]; then \
+				mv -f "$$exe" "${TGT}" ; \
+				ln -fs "../${TGT}/$$(basename "$$exe")" "$$exe" ; \
+			fi \
+		done \
+	done
+
 bsd:	clean
 	@mkdir -p "$(TGT)"; \
 	for dir in $(DIRS); do \
--- a/blockcheck.sh
+++ b/blockcheck.sh
@ -23,6 +23,7 @@ CURL=${CURL:-curl}
 . "$ZAPRET_BASE/common/fwtype.sh"
 . "$ZAPRET_BASE/common/virt.sh"

+DOMAINS_DEFAULT=${DOMAINS_DEFAULT:-rutracker.org}
 QNUM=${QNUM:-59780}
 SOCKS_PORT=${SOCKS_PORT:-1993}
 TPWS_UID=${TPWS_UID:-1}
@ -35,9 +36,9 @@ MDIG=${MDIG:-${ZAPRET_BASE}/mdig/mdig}
 DESYNC_MARK=0x10000000
 IPFW_RULE_NUM=${IPFW_RULE_NUM:-1}
 IPFW_DIVERT_PORT=${IPFW_DIVERT_PORT:-59780}
-DOMAINS=${DOMAINS:-rutracker.org}
 CURL_MAX_TIME=${CURL_MAX_TIME:-2}
 CURL_MAX_TIME_QUIC=${CURL_MAX_TIME_QUIC:-$CURL_MAX_TIME}
+CURL_MAX_TIME_DOH=${CURL_MAX_TIME_DOH:-2}
 MIN_TTL=${MIN_TTL:-1}
 MAX_TTL=${MAX_TTL:-12}
 USER_AGENT=${USER_AGENT:-Mozilla}
@ -45,9 +46,9 @@ HTTP_PORT=${HTTP_PORT:-80}
 HTTPS_PORT=${HTTPS_PORT:-443}
 QUIC_PORT=${QUIC_PORT:-443}
 UNBLOCKED_DOM=${UNBLOCKED_DOM:-iana.org}
-[ "$CURL_VERBOSE" = 1 ] && CURL_CMD=1
+PARALLEL_OUT=/tmp/zapret_parallel

-HDRTEMP=/tmp/zapret-hdr.txt
+HDRTEMP=/tmp/zapret-hdr

 NFT_TABLE=blockcheck

@ -78,9 +79,11 @@ exitp()
 {
 	local A

+	[ "$BATCH" = 1 ] || {
 		echo
 		echo press enter to continue
 		read A
+	}
 	exit $1
 }

@ -213,7 +216,7 @@ doh_resolve()
 	# $1 - ip version 4/6
 	# $2 - hostname
 	# $3 - doh server URL. use $DOH_SERVER if empty
-	$MDIG --family=$1 --dns-make-query=$2 | curl -s --data-binary @- -H "Content-Type: application/dns-message" "${3:-$DOH_SERVER}" | $MDIG --dns-parse-query
+	$MDIG --family=$1 --dns-make-query=$2 | $CURL --max-time $CURL_MAX_TIME_DOH -s --data-binary @- -H "Content-Type: application/dns-message" "${3:-$DOH_SERVER}" | $MDIG --dns-parse-query
 }
 doh_find_working()
 {
@ -338,12 +341,19 @@ netcat_test()
 	}
 }

+tpws_can_fix_seg()
+{
+	# fix-seg requires kernel 4.6+
+	"$TPWS" --port 1 --dry-run --fix-seg >/dev/null 2>/dev/null
+}
+
 check_system()
 {
 	echo \* checking system

 	UNAME=$(uname)
 	SUBSYS=
+	FIX_SEG=
 	local s

 	# can be passed FWTYPE=iptables to override default nftables preference
@ -351,6 +361,14 @@ check_system()
 		Linux)
 			PKTWS="$NFQWS"
 			PKTWSD=nfqws
+			if [ -x "$TPWS" ] ; then
+				if tpws_can_fix_seg ; then
+					echo tpws supports --fix-seg on this system
+					FIX_SEG='--fix-seg'
+				else
+					echo tpws does not support --fix-seg on this system
+				fi
+			fi
 			linux_fwtype
 			[ "$FWTYPE" = iptables -o "$FWTYPE" = nftables ] || {
 				echo firewall type $FWTYPE not supported in $UNAME
@ -561,7 +579,7 @@ curl_supports_tls13()
 	[ $? = 2 ] && return 1
 	# curl can have tlsv1.3 key present but ssl library without TLS 1.3 support
 	# this is online test because there's no other way to trigger library incompatibility case
-	$CURL --tlsv1.3 --max-time $CURL_MAX_TIME -Is -o /dev/null https://iana.org 2>/dev/null
+	$CURL --tlsv1.3 --max-time 1 -Is -o /dev/null https://iana.org 2>/dev/null
 	r=$?
 	[ $r != 4 -a $r != 35 ]
 }
@ -652,28 +670,28 @@ curl_test_http()
 	# $3 - subst ip
 	# $4 - "detail" - detail info

-	local code loc
-	curl_probe $1 $2 $HTTP_PORT "$3" -SsD "$HDRTEMP" -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT "http://$2" -o /dev/null 2>&1 || {
+	local code loc hdrt="${HDRTEMP}_${!:-$$}.txt"
+	curl_probe $1 $2 $HTTP_PORT "$3" -SsD "$hdrt" -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT "http://$2" -o /dev/null 2>&1 || {
 		code=$?
-		rm -f "$HDRTEMP"
+		rm -f "$hdrt"
 		return $code
 	}
 	if [ "$4" = "detail" ] ; then
-		head -n 1 "$HDRTEMP"
-		grep "^[lL]ocation:" "$HDRTEMP"
+		head -n 1 "$hdrt"
+		grep "^[lL]ocation:" "$hdrt"
 	else
-		code=$(hdrfile_http_code "$HDRTEMP")
+		code=$(hdrfile_http_code "$hdrt")
 		[ "$code" = 301 -o "$code" = 302 -o "$code" = 307 -o "$code" = 308 ] && {
-			loc=$(hdrfile_location "$HDRTEMP")
+			loc=$(hdrfile_location "$hdrt")
 			echo "$loc" | grep -qE "^https?://.*$2(/|$)" ||
 			echo "$loc" | grep -vqE '^https?://' || {
 				echo suspicious redirection $code to : $loc
-				rm -f "$HDRTEMP"
+				rm -f "$hdrt"
 				return 254
 			}
 		}
 	fi
-	rm -f "$HDRTEMP"
+	rm -f "$hdrt"
 	[ "$code" = 400 ] && {
 		# this can often happen if the server receives fake packets it should not receive
 		echo http code $code. likely the server receives fakes.
@ -792,7 +810,7 @@ pktws_ipt_prepare()
 			# disable PF to avoid interferences
 			pf_is_avail && pfctl -qd
 			for ip in $3; do
-				IPFW_ADD divert $IPFW_DIVERT_PORT $1 from me to $ip $2 proto ip${IPV} out not diverted not sockarg
+				IPFW_ADD divert $IPFW_DIVERT_PORT $1 from me to $ip $2 proto ip${IPV} out not diverted
 			done
 			;;
 		opf)
@ -867,7 +885,7 @@ pktws_ipt_prepare_tcp()
 			;;
 		ipfw)
 			for ip in $2; do
-				IPFW_ADD divert $IPFW_DIVERT_PORT tcp from $ip $1 to me proto ip${IPV} tcpflags syn,ack in not diverted not sockarg
+				IPFW_ADD divert $IPFW_DIVERT_PORT tcp from $ip $1 to me proto ip${IPV} tcpflags syn,ack in not diverted
 			done
 			;;
 	esac
@ -965,8 +983,27 @@ curl_test()
 	# $2 - domain
 	# $3 - subst ip
 	# $4 - param of test function
-	local code=0 n=0
+	local code=0 n=0 p pids

+	if [ "$PARALLEL" = 1 ]; then
+		rm -f "${PARALLEL_OUT}"*
+		for n in $(seq -s ' ' 1 $REPEATS); do
+			$1 "$IPV" $2 $3 "$4" >"${PARALLEL_OUT}_$n" &
+			pids="${pids:+$pids }$!"
+		done
+		n=1
+		for p in $pids; do
+			[ $REPEATS -gt 1 ] && printf "[attempt $n] "
+			if wait $p; then
+				[ $REPEATS -gt 1 ] && echo 'AVAILABLE'
+			else
+				code=$?
+				cat "${PARALLEL_OUT}_$n"
+			fi
+			n=$(($n+1))
+		done
+		rm -f "${PARALLEL_OUT}"*
+	else
 		while [ $n -lt $REPEATS ]; do
 			n=$(($n+1))
 			[ $REPEATS -gt 1 ] && printf "[attempt $n] "
@ -977,6 +1014,7 @@ curl_test()
 				[ "$SCANLEVEL" = quick ] && break
 			fi
 		done
+	fi
 	[ "$4" = detail ] || {
 		if [ $code = 254 ]; then
 			echo "UNAVAILABLE"
@ -994,7 +1032,6 @@ ws_curl_test()
 	# $2 - test function
 	# $3 - domain
 	# $4,$5,$6, ... - ws params
-
 	local code ws_start=$1 testf=$2 dom=$3
 	shift
 	shift
@ -1013,6 +1050,14 @@ tpws_curl_test()
 	echo - checking tpws $3 $4 $5 $6 $7 $8 $9${TPWS_EXTRA:+ $TPWS_EXTRA}${TPWS_EXTRA_1:+ "$TPWS_EXTRA_1"}${TPWS_EXTRA_2:+ "$TPWS_EXTRA_2"}${TPWS_EXTRA_3:+ "$TPWS_EXTRA_3"}${TPWS_EXTRA_4:+ "$TPWS_EXTRA_4"}${TPWS_EXTRA_5:+ "$TPWS_EXTRA_5"}${TPWS_EXTRA_6:+ "$TPWS_EXTRA_6"}${TPWS_EXTRA_7:+ "$TPWS_EXTRA_7"}${TPWS_EXTRA_8:+ "$TPWS_EXTRA_8"}${TPWS_EXTRA_9:+ "$TPWS_EXTRA_9"}
 	local ALL_PROXY="socks5://127.0.0.1:$SOCKS_PORT"
 	ws_curl_test tpws_start "$@"${TPWS_EXTRA:+ $TPWS_EXTRA}${TPWS_EXTRA_1:+ "$TPWS_EXTRA_1"}${TPWS_EXTRA_2:+ "$TPWS_EXTRA_2"}${TPWS_EXTRA_3:+ "$TPWS_EXTRA_3"}${TPWS_EXTRA_4:+ "$TPWS_EXTRA_4"}${TPWS_EXTRA_5:+ "$TPWS_EXTRA_5"}${TPWS_EXTRA_6:+ "$TPWS_EXTRA_6"}${TPWS_EXTRA_7:+ "$TPWS_EXTRA_7"}${TPWS_EXTRA_8:+ "$TPWS_EXTRA_8"}${TPWS_EXTRA_9:+ "$TPWS_EXTRA_9"}
+	local testf=$1 dom=$2 strategy code=$?
+	[ "$code" = 0 ] && {
+		shift; shift;
+		strategy="$@"
+		strategy_append_extra_tpws
+		report_append "ipv${IPV} $dom $testf : tpws ${WF:+$WF }$strategy"
+	}
+	return $code
 }
 pktws_curl_test()
 {
@ -1021,7 +1066,25 @@ pktws_curl_test()
 	# $3,$4,$5, ... - nfqws/dvtws params
 	echo - checking $PKTWSD ${WF:+$WF }$3 $4 $5 $6 $7 $8 $9${PKTWS_EXTRA:+ $PKTWS_EXTRA}${PKTWS_EXTRA_1:+ "$PKTWS_EXTRA_1"}${PKTWS_EXTRA_2:+ "$PKTWS_EXTRA_2"}${PKTWS_EXTRA_3:+ "$PKTWS_EXTRA_3"}${PKTWS_EXTRA_4:+ "$PKTWS_EXTRA_4"}${PKTWS_EXTRA_5:+ "$PKTWS_EXTRA_5"}${PKTWS_EXTRA_6:+ "$PKTWS_EXTRA_6"}${PKTWS_EXTRA_7:+ "$PKTWS_EXTRA_7"}${PKTWS_EXTRA_8:+ "$PKTWS_EXTRA_8"}${PKTWS_EXTRA_9:+ "$PKTWS_EXTRA_9"}
 	ws_curl_test pktws_start "$@"${PKTWS_EXTRA:+ $PKTWS_EXTRA}${PKTWS_EXTRA_1:+ "$PKTWS_EXTRA_1"}${PKTWS_EXTRA_2:+ "$PKTWS_EXTRA_2"}${PKTWS_EXTRA_3:+ "$PKTWS_EXTRA_3"}${PKTWS_EXTRA_4:+ "$PKTWS_EXTRA_4"}${PKTWS_EXTRA_5:+ "$PKTWS_EXTRA_5"}${PKTWS_EXTRA_6:+ "$PKTWS_EXTRA_6"}${PKTWS_EXTRA_7:+ "$PKTWS_EXTRA_7"}${PKTWS_EXTRA_8:+ "$PKTWS_EXTRA_8"}${PKTWS_EXTRA_9:+ "$PKTWS_EXTRA_9"}
+	local testf=$1 dom=$2 strategy code=$?
+	[ "$code" = 0 ] && {
+		shift; shift;
+		strategy="$@"
+		strategy_append_extra_pktws
+		report_append "ipv${IPV} $dom $testf : $PKTWSD ${WF:+$WF }$strategy"
+	}
+	return $code
 }
+
+strategy_append_extra_pktws()
+{
+	strategy="${strategy:+$strategy${PKTWS_EXTRA:+ $PKTWS_EXTRA}${PKTWS_EXTRA_1:+ "$PKTWS_EXTRA_1"}${PKTWS_EXTRA_2:+ "$PKTWS_EXTRA_2"}${PKTWS_EXTRA_3:+ "$PKTWS_EXTRA_3"}${PKTWS_EXTRA_4:+ "$PKTWS_EXTRA_4"}${PKTWS_EXTRA_5:+ "$PKTWS_EXTRA_5"}${PKTWS_EXTRA_6:+ "$PKTWS_EXTRA_6"}${PKTWS_EXTRA_7:+ "$PKTWS_EXTRA_7"}${PKTWS_EXTRA_8:+ "$PKTWS_EXTRA_8"}${PKTWS_EXTRA_9:+ "$PKTWS_EXTRA_9"}}"
+}
+strategy_append_extra_tpws()
+{
+	strategy="${strategy:+$strategy${TPWS_EXTRA:+ $TPWS_EXTRA}${TPWS_EXTRA_1:+ "$TPWS_EXTRA_1"}${TPWS_EXTRA_2:+ "$TPWS_EXTRA_2"}${TPWS_EXTRA_3:+ "$TPWS_EXTRA_3"}${TPWS_EXTRA_4:+ "$TPWS_EXTRA_4"}${TPWS_EXTRA_5:+ "$TPWS_EXTRA_5"}${TPWS_EXTRA_6:+ "$TPWS_EXTRA_6"}${TPWS_EXTRA_7:+ "$TPWS_EXTRA_7"}${TPWS_EXTRA_8:+ "$TPWS_EXTRA_8"}${TPWS_EXTRA_9:+ "$TPWS_EXTRA_9"}}"
+}
+
 xxxws_curl_test_update()
 {
 	# $1 - xxx_curl_test function
@ -1073,7 +1136,7 @@ report_strategy()
 		strategy="$(echo "$strategy" | xargs)"
 		echo "!!!!! $1: working strategy found for ipv${IPV} $2 : $3 $strategy !!!!!"
 		echo
-		report_append "ipv${IPV} $2 $1 : $3 ${WF:+$WF }$strategy"
+#		report_append "ipv${IPV} $2 $1 : $3 ${WF:+$WF }$strategy"
 		return 0
 	else
 		echo "$1: $3 strategy for ipv${IPV} $2 not found"
@ -1086,14 +1149,21 @@ test_has_split()
 {
 	contains "$1" split || contains "$1" disorder
 }
+test_has_fakedsplit()
+{
+	contains "$1" fakedsplit || contains "$1" fakeddisorder
+}
 test_has_fake()
 {
-	contains "$1" fake
+	[ "$1" = fake ] || starts_with "$1" fake,
 }
 warn_fool()
 {
 	case "$1" in
-		md5sig) echo 'WARNING ! although md5sig fooling worked it will not work on all sites. it typically works only on linux servers.' ;;
+		md5sig) echo 'WARNING ! although md5sig fooling worked it will not work on all sites. it typically works only on linux servers.'
+			[ "$2" = "fakedsplit" -o "$2" = "fakeddisorder" ] && \
+				echo "WARNING ! fakedsplit/fakeddisorder with md5sig fooling and low split position causes MTU overflow with multi-segment TLS (kyber)"
+			;;
 		datanoack) echo 'WARNING ! although datanoack fooling worked it may break NAT and may only work with external IP. Additionally it may require nftables to work correctly.' ;;
 	esac
 }
@ -1105,25 +1175,40 @@ pktws_curl_test_update_vary()
 	# $4 - desync mode
 	# $5,$6,... - strategy

-	local testf=$1 sec=$2 domain=$3 desync=$4 zerofake split fake
+	local testf=$1 sec=$2 domain=$3 desync=$4 proto zerofake= tlsmod= splits= pos fake ret=1
 	
 	shift; shift; shift; shift
 	
-	zerofake=http
-	[ "$sec" = 0 ] || zerofake=tls
-	zerofake="--dpi-desync-fake-$zerofake=0x00000000"
-	
-	for fake in '' $zerofake ; do
-		for split in '' '--dpi-desync-split-pos=1' ; do
-			pktws_curl_test_update $testf $domain --dpi-desync=$desync "$@" $fake $split && return 0
-			# split-pos=1 is meaningful for DPIs searching for 16 03 in TLS. no reason to apply to http
-			[ "$sec" = 1 ] || break
-			test_has_split $desync || break
+	proto=http
+	[ "$sec" = 0 ] || proto=tls
+	test_has_fake $desync && {
+		zerofake="--dpi-desync-fake-$proto=0x00000000"
+		[ "$sec" = 0 ] || tlsmod="--dpi-desync-fake-tls-mod=rnd,dupsid,rndsni,padencap"
+	}
+	if test_has_fakedsplit $desync ; then
+		splits="method+2 midsld"
+		[ "$sec" = 0 ] || splits="1 midsld"
+	elif test_has_split $desync ; then
+		splits="method+2 midsld"
+		[ "$sec" = 0 ] || splits="1 midsld 1,midsld"
+	fi
+	for fake in '' $zerofake $tlsmod ; do
+		if [ -n "$splits" ]; then
+			for pos in $splits ; do
+				pktws_curl_test_update $testf $domain --dpi-desync=$desync "$@" --dpi-desync-split-pos=$pos $fake && {
+					[ "$SCANLEVEL" = force ] || return 0
+					ret=0
+				}
 			done
-		test_has_fake $desync || break
+		else
+			pktws_curl_test_update $testf $domain --dpi-desync=$desync "$@" $fake && {
+				[ "$SCANLEVEL" = force ] || return 0
+				ret=0
+			}
+		fi
 	done

-	return 1
+	return $ret
 }

 pktws_check_domain_http_bypass_()
@ -1132,121 +1217,143 @@ pktws_check_domain_http_bypass_()
 	# $2 - encrypted test : 0 = plain, 1 - encrypted with server reply risk, 2 - encrypted without server reply risk
 	# $3 - domain

-	local tests='fake' ret ok ttls s f e desync pos fooling frag sec="$2" delta hostcase
+	local ok ttls s f f2 e desync pos fooling frag sec="$2" delta splits
+	local need_split need_disorder need_fakedsplit need_fakeddisorder need_fake need_wssize
+	local splits_http='method+2 midsld method+2,midsld'
+	local splits_tls='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'

 	[ "$sec" = 0 ] && {
-		for s in '--hostcase' '--hostspell=hoSt' '--hostnospace' '--domcase'; do
+		for s in '--hostcase' '--hostspell=hoSt' '--hostnospace' '--domcase' '--methodeol'; do
 			pktws_curl_test_update $1 $3 $s
 		done
 	}

-	s="--dpi-desync=split2"
-	ok=0
-	pktws_curl_test_update $1 $3 $s
-	ret=$?
-	[ "$ret" = 0 ] && {
-		[ "$SCANLEVEL" = quick ] && return
-		ok=1
-	}
-	[ "$ret" != 0 -o "$SCANLEVEL" = force ] && {
-		if [ "$sec" = 0 ]; then
-			pktws_curl_test_update $1 $3 $s --hostcase && {
-				[ "$SCANLEVEL" = quick ] && return
-				ok=1
-			}
-			for pos in method host; do
-				for hostcase in '' '--hostcase'; do
-					pktws_curl_test_update $1 $3 $s --dpi-desync-split-http-req=$pos $hostcase && {
-						[ "$SCANLEVEL" = quick ] && return
-						ok=1
-					}
-				done
-			done
-		else
-			for pos in sni sniext; do
-				pktws_curl_test_update $1 $3 $s --dpi-desync-split-tls=$pos && {
-					[ "$SCANLEVEL" = quick ] && return
-					ok=1
-				}
-			done
-		fi
-		for pos in 1 3 4 5 10 50; do
-			s="--dpi-desync=split2 --dpi-desync-split-pos=$pos"
-			if pktws_curl_test_update $1 $3 $s; then
-				[ "$SCANLEVEL" = quick ] && return
-				ok=1
-				[ "$SCANLEVEL" = force ] || break
-			elif [ "$sec" = 0 ]; then
-				pktws_curl_test_update $1 $3 $s --hostcase && [ "$SCANLEVEL" = quick ] && return
-			fi
-		done
-	}
-	[ "$ok" = 1 -a "$SCANLEVEL" != force ] || tests="$tests split fake,split2 fake,split"
-
-	pktws_curl_test_update $1 $3 --dpi-desync=disorder2
-	ret=$?
-	[ "$ret" = 0 -a "$SCANLEVEL" = quick ] && return
-	[ "$ret" != 0 -o "$SCANLEVEL" = force ] && {
-	    pktws_curl_test_update $1 $3 --dpi-desync=disorder2 --dpi-desync-split-pos=1
-	    ret=$?
-	    [ "$ret" = 0 -a "$SCANLEVEL" = quick ] && return
-	}
-	[ "$ret" != 0 -o "$SCANLEVEL" = force ] && tests="$tests disorder fake,disorder2 fake,disorder"
-
 	ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
+	need_wssize=1
 	for e in '' '--wssize 1:6'; do
+		need_split=
+		need_disorder=
+
 		[ -n "$e" ] && {
 			pktws_curl_test_update $1 $3 $e && [ "$SCANLEVEL" = quick ] && return
-			for desync in split2 disorder2; do
-				pktws_curl_test_update_vary $1 $2 $3 $desync $e && [ "$SCANLEVEL" = quick ] && return
-			done
 		}
-		for desync in $tests; do
+
+		for desync in multisplit multidisorder; do
+			ok=0
+			splits="$splits_http"
+			[ "$sec" = 0 ] || splits="$splits_tls"
+			for pos in $splits; do
+				pktws_curl_test_update $1 $3 --dpi-desync=$desync --dpi-desync-split-pos=$pos $e && {
+					[ "$SCANLEVEL" = quick ] && return
+					ok=1
+					need_wssize=0
+					[ "$SCANLEVEL" = force ] || break
+				}
+			done
+			[ "$ok" = 1 -a "$SCANLEVEL" != force ] || {
+				case $desync in
+					multisplit)
+						need_split=1
+						;;
+					multidisorder)
+						need_disorder=1
+						;;
+				esac
+			}
+		done
+
+		need_fakedsplit=1
+		need_fakeddisorder=1
+		need_fake=1
+		for desync in fake ${need_split:+fakedsplit fake,multisplit fake,fakedsplit} ${need_disorder:+fakeddisorder fake,multidisorder fake,fakeddisorder}; do
+			[ "$need_fake" = 0 ] && test_has_fake "$desync" && continue
+			[ "$need_fakedsplit" = 0 ] && contains "$desync" fakedsplit && continue
+			[ "$need_fakeddisorder" = 0 ] && contains "$desync" fakeddisorder && continue
+			ok=0
 			for ttl in $ttls; do
 				pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-ttl=$ttl $e && {
 					[ "$SCANLEVEL" = quick ] && return
+					ok=1
+					need_wssize=0
 					break
 				}
 			done
+			# only skip tests if TTL succeeded. do not skip if TTL failed but fooling succeeded
+			[ $ok = 1 -a "$SCANLEVEL" != force ] && {
+				[ "$desync" = fake ] && need_fake=0
+				[ "$desync" = fakedsplit ] && need_fakedsplit=0
+				[ "$desync" = fakeddisorder ] && need_fakeddisorder=0
+			}
 			f=
 			[ "$UNAME" = "OpenBSD" ] || f="badsum"
 			f="$f badseq datanoack md5sig"
 			[ "$IPV" = 6 ] && f="$f hopbyhop hopbyhop2"
 			for fooling in $f; do
 				pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-fooling=$fooling $e && {
-					warn_fool $fooling
+					warn_fool $fooling $desync
 					[ "$SCANLEVEL" = quick ] && return
+					need_wssize=0
 				}
 			done
 		done
+
 		[ "$IPV" = 6 ] && {
-			f="hopbyhop hopbyhop,split2 hopbyhop,disorder2 destopt destopt,split2 destopt,disorder2"
-			[ -n "$IP6_DEFRAG_DISABLE" ] && f="$f ipfrag1 ipfrag1,split2 ipfrag1,disorder2"
+			f="hopbyhop ${need_split:+hopbyhop,multisplit} ${need_disorder:+hopbyhop,multidisorder} destopt ${need_split:+destopt,multisplit} ${need_disorder:+destopt,multidisorder}"
+			[ -n "$IP6_DEFRAG_DISABLE" ] && f="$f ipfrag1 ${need_split:+ ipfrag1,multisplit} ${need_disorder:+ ipfrag1,multidisorder}"
 			for desync in $f; do
-				pktws_curl_test_update_vary $1 $2 $3 $desync $e && [ "$SCANLEVEL" = quick ] && return
+				pktws_curl_test_update_vary $1 $2 $3 $desync $e && {
+					[ "$SCANLEVEL" = quick ] && return
+					need_wssize=0
+				}
 			done
 		}

-		for desync in split2 disorder2; do
-			s="--dpi-desync=$desync"
+		[ "$need_split" = 1 ] && {
+			# relative markers can be anywhere, even in subsequent packets. first packet can be MTU-full.
+			# make additional split pos "10" to guarantee enough space for seqovl and likely to be before midsld,sniext,...
+			# method is always expected in the beginning of the first packet
+			f="method+2 method+2,midsld"
+			[ "$sec" = 0 ] || f="10 10,sniext+1 10,sniext+4 10,midsld"
+			for pos in $f; do
+				pktws_curl_test_update $1 $3 --dpi-desync=multisplit --dpi-desync-split-pos=$pos --dpi-desync-split-seqovl=1 $e && {
+					[ "$SCANLEVEL" = quick ] && return
+					need_wssize=0
+				}
+			done
+			[ "$sec" != 0 ] && pktws_curl_test_update $1 $3 --dpi-desync=multisplit --dpi-desync-split-pos=2 --dpi-desync-split-seqovl=336 --dpi-desync-split-seqovl-pattern="$ZAPRET_BASE/files/fake/tls_clienthello_iana_org.bin" $e && {
+				[ "$SCANLEVEL" = quick ] && return
+				need_wssize=0
+			}
+		}
+		[ "$need_disorder" = 1 ] && {
 			if [ "$sec" = 0 ]; then
-				for pos in method host; do
-					pktws_curl_test_update $1 $3 $s --dpi-desync-split-seqovl=1 --dpi-desync-split-http-req=$pos $e && [ "$SCANLEVEL" = quick ] && return
+				for pos in 'method+1 method+2' 'midsld-1 midsld' 'method+1 method+2,midsld'; do
+					f="$(extract_arg 1 $pos)"
+					f2="$(extract_arg 2 $pos)"
+					pktws_curl_test_update $1 $3 --dpi-desync=multidisorder --dpi-desync-split-pos=$f2 --dpi-desync-split-seqovl=$f $e && {
+						[ "$SCANLEVEL" = quick ] && return
+						need_wssize=0
+					}
 				done
 			else
-				for pos in sni sniext; do
-					pktws_curl_test_update $1 $3 $s --dpi-desync-split-seqovl=1 --dpi-desync-split-tls=$pos $e && [ "$SCANLEVEL" = quick ] && return
-				done
-			fi
-			for pos in 2 3 4 5 10 50; do
-				pktws_curl_test_update $1 $3 $s --dpi-desync-split-seqovl=$(($pos - 1)) --dpi-desync-split-pos=$pos $e && [ "$SCANLEVEL" = quick ] && return
-			done
-			[ "$sec" != 0 -a $desync = split2 ] && {
-				pktws_curl_test_update $1 $3 $s --dpi-desync-split-seqovl=336 --dpi-desync-split-seqovl-pattern="$ZAPRET_BASE/files/fake/tls_clienthello_iana_org.bin" $e && [ "$SCANLEVEL" = quick ] && return
+				for pos in '1 2' 'sniext sniext+1' 'sniext+3 sniext+4' 'midsld-1 midsld' '1 2,midsld'; do
+					f=$(extract_arg 1 $pos)
+					f2=$(extract_arg 2 $pos)
+					pktws_curl_test_update $1 $3 --dpi-desync=multidisorder --dpi-desync-split-pos=$f2 --dpi-desync-split-seqovl=$f $e && {
+						[ "$SCANLEVEL" = quick ] && return
+						need_wssize=0
 					}
 				done
+			fi
+		}

-		for desync in $tests; do
+		need_fakedsplit=1
+		need_fakeddisorder=1
+		need_fake=1
+		for desync in fake ${need_split:+fakedsplit fake,multisplit fake,fakedsplit} ${need_disorder:+fakeddisorder fake,multidisorder fake,fakeddisorder}; do
+			[ "$need_fake" = 0 ] && test_has_fake "$desync" && continue
+			[ "$need_fakedsplit" = 0 ] && contains "$desync" fakedsplit && continue
+			[ "$need_fakeddisorder" = 0 ] && contains "$desync" fakeddisorder && continue
 			ok=0
 			for delta in 1 2 3 4 5; do
 				pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-ttl=1 --dpi-desync-autottl=$delta $e && ok=1
@ -1256,18 +1363,25 @@ pktws_check_domain_http_bypass_()
 				echo "WARNING ! although autottl worked it requires testing on multiple domains to find out reliable delta"
 				echo "WARNING ! if a reliable delta cannot be found it's a good idea not to use autottl"
 				[ "$SCANLEVEL" = quick ] && return
+				need_wssize=0
+				[ "$SCANLEVEL" = force ] || {
+					[ "$desync" = fake ] && need_fake=0
+					[ "$desync" = fakedsplit ] && need_fakedsplit=0
+					[ "$desync" = fakeddisorder ] && need_fakeddisorder=0
+				}
 			}			
 		done

 		s="http_iana_org.bin"
 		[ "$sec" = 0 ] || s="tls_clienthello_iana_org.bin"
-		for desync in syndata syndata,split2 syndata,disorder2 ; do
+		for desync in syndata ${need_split:+syndata,multisplit} ${need_disorder:+syndata,multidisorder} ; do
 			pktws_curl_test_update_vary $1 $2 $3 $desync $e && [ "$SCANLEVEL" = quick ] && return
 			pktws_curl_test_update_vary $1 $2 $3 $desync --dpi-desync-fake-syndata="$ZAPRET_BASE/files/fake/$s" $e && [ "$SCANLEVEL" = quick ] && return
 		done

 		# do not do wssize test for http and TLS 1.3. it's useless
 		[ "$sec" = 1 ] || break
+		[ "$SCANLEVEL" = force -o "$need_wssize" = 1 ] || break
 	done
 }
 pktws_check_domain_http_bypass()
@ -1278,7 +1392,7 @@ pktws_check_domain_http_bypass()

 	local strategy
 	pktws_check_domain_http_bypass_ "$@"
-	strategy="${strategy:+$strategy${PKTWS_EXTRA:+ $PKTWS_EXTRA}${PKTWS_EXTRA_1:+ "$PKTWS_EXTRA_1"}${PKTWS_EXTRA_2:+ "$PKTWS_EXTRA_2"}${PKTWS_EXTRA_3:+ "$PKTWS_EXTRA_3"}${PKTWS_EXTRA_4:+ "$PKTWS_EXTRA_4"}${PKTWS_EXTRA_5:+ "$PKTWS_EXTRA_5"}${PKTWS_EXTRA_6:+ "$PKTWS_EXTRA_6"}${PKTWS_EXTRA_7:+ "$PKTWS_EXTRA_7"}${PKTWS_EXTRA_8:+ "$PKTWS_EXTRA_8"}${PKTWS_EXTRA_9:+ "$PKTWS_EXTRA_9"}}"
+	strategy_append_extra_pktws
 	report_strategy $1 $3 $PKTWSD
 }

@ -1323,7 +1437,7 @@ pktws_check_domain_http3_bypass()

 	local strategy
 	pktws_check_domain_http3_bypass_ "$@"
-	strategy="${strategy:+$strategy $PKTWS_EXTRA $PKTWS_EXTRA_1 $PKTWS_EXTRA_2 $PKTWS_EXTRA_3 $PKTWS_EXTRA_4 $PKTWS_EXTRA_5 $PKTWS_EXTRA_6 $PKTWS_EXTRA_7 $PKTWS_EXTRA_8 $PKTWS_EXTRA_9}"
+	strategy_append_extra_pktws
 	report_strategy $1 $2 $PKTWSD
 }
 warn_mss()
@ -1331,6 +1445,11 @@ warn_mss()
 	[ -n "$1" ] && echo 'WARNING ! although mss worked it may not work on all sites and will likely cause significant slowdown. it may only be required for TLS1.2, not TLS1.3'
 	return 0
 }
+fix_seg()
+{
+	# $1 - split-pos
+	[ -n "$FIX_SEG" ] && contains "$1" , && echo "$FIX_SEG"
+}

 tpws_check_domain_http_bypass_()
 {
@ -1338,50 +1457,58 @@ tpws_check_domain_http_bypass_()
 	# $2 - encrypted test : 0 = plain, 1 - encrypted with server reply risk, 2 - encrypted without server reply risk
 	# $3 - domain

-	local s mss s2 s3 pos sec="$2"
+	local s mss s2 s3 oobdis pos sec="$2"
+	local splits_tls='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,sniext+1,host+1,midsld,endhost-1'
+	local splits_http='method+2 midsld method+2,midsld'
+
+	# simulteneous oob and disorder works properly only in linux. other systems retransmit oob byte without URG tcp flag and poison tcp stream.
+	[ "$UNAME" = Linux ] && oobdis='--oob --disorder'
 	if [ "$sec" = 0 ]; then
-		for s in '--hostcase' '--hostspell=hoSt' '--hostdot' '--hosttab' '--hostnospace' '--domcase' \
-			'--hostpad=1024' '--hostpad=2048' '--hostpad=4096' '--hostpad=8192' '--hostpad=16384' ; do
+		for s in '--hostcase' '--hostspell=hoSt' '--hostdot' '--hosttab' '--hostnospace' '--domcase' ; do
 			tpws_curl_test_update $1 $3 $s && [ "$SCANLEVEL" = quick ] && return
 		done
-		for s2 in '' '--oob' '--disorder' '--oob --disorder'; do
-			for s in '--split-http-req=method' '--split-http-req=method --hostcase' '--split-http-req=host' '--split-http-req=host --hostcase' ; do
-				tpws_curl_test_update $1 $3 $s $s2 && [ "$SCANLEVEL" = quick ] && return
+		for s in 1024 2048 4096 8192 16384 ; do
+			tpws_curl_test_update $1 $3 --hostpad=$s && [ "$SCANLEVEL" != force ] && {
+				[ "$SCANLEVEL" = quick ] && return
+				break
+			}
+		done
+		for s2 in '' '--hostcase' '--oob' '--disorder' ${oobdis:+"$oobdis"}; do
+			for s in $splits_http ; do
+				tpws_curl_test_update $1 $3 --split-pos=$s $(fix_seg $s) $s2 && [ "$SCANLEVEL" != force ] && {
+					[ "$SCANLEVEL" = quick ] && return
+					break
+				}
 			done
 		done
 		for s in  '--methodspace' '--unixeol' '--methodeol'; do
 			tpws_curl_test_update $1 $3 $s && [ "$SCANLEVEL" = quick ] && return
 		done
 	else
+		local need_mss=1
 		for mss in '' 88; do
 			s3=${mss:+--mss=$mss}
-			for s2 in '' '--oob' '--disorder' '--oob --disorder'; do
-				for pos in sni sniext; do
-					s="--split-tls=$pos"
-					tpws_curl_test_update $1 $3 $s $s2 $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && {
-						[ "$SCANLEVEL" = quick ] && return
-						break
-					}
-				done
-				for pos in 1 2 3 4 5 10 50; do
-					s="--split-pos=$pos"
-					tpws_curl_test_update $1 $3 $s $s2 $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && {
+			for s2 in '' '--oob' '--disorder' ${oobdis:+"$oobdis"}; do
+				for pos in $splits_tls; do
+					tpws_curl_test_update $1 $3 --split-pos=$pos $(fix_seg $pos) $s2 $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && {
 						[ "$SCANLEVEL" = quick ] && return
+						need_mss=0
 						break
 					}
 				done
 			done
-			for s2 in '--tlsrec=sni' '--tlsrec=sni --split-tls=sni' '--tlsrec=sni --split-tls=sni --oob' \
-					'--tlsrec=sni --split-tls=sni --disorder' '--tlsrec=sni --split-tls=sni --oob --disorder' \
-					'--tlsrec=sni --split-pos=1' '--tlsrec=sni --split-pos=1 --oob' '--tlsrec=sni --split-pos=1 --disorder' \
-					'--tlsrec=sni --split-pos=1 --oob --disorder'; do
-				tpws_curl_test_update $1 $3 $s2 $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && {
+			for s in '' '--oob' '--disorder' ${oobdis:+"$oobdis"}; do
+				for s2 in '--tlsrec=midsld' '--tlsrec=sniext+1 --split-pos=midsld' '--tlsrec=sniext+4 --split-pos=midsld' "--tlsrec=sniext+1 --split-pos=1,midsld $FIX_SEG" "--tlsrec=sniext+4 --split-pos=1,midsld $FIX_SEG" ; do
+					tpws_curl_test_update $1 $3 $s2 $s $s3 && warn_mss $s3 && [ "$SCANLEVEL" != force ] && {
 						[ "$SCANLEVEL" = quick ] && return
+						need_mss=0
 						break
 					}
 				done
+			done
 			# only linux supports mss
 			[ "$UNAME" = Linux -a "$sec" = 1 ] || break
+			[ "$SCANLEVEL" = force -o "$need_mss" = 1 ] || break
 		done
 	fi
 }
@ -1393,7 +1520,7 @@ tpws_check_domain_http_bypass()

 	local strategy
 	tpws_check_domain_http_bypass_ "$@"
-	strategy="${strategy:+$strategy${TPWS_EXTRA:+ $TPWS_EXTRA}${TPWS_EXTRA_1:+ "$TPWS_EXTRA_1"}${TPWS_EXTRA_2:+ "$TPWS_EXTRA_2"}${TPWS_EXTRA_3:+ "$TPWS_EXTRA_3"}${TPWS_EXTRA_4:+ "$TPWS_EXTRA_4"}${TPWS_EXTRA_5:+ "$TPWS_EXTRA_5"}${TPWS_EXTRA_6:+ "$TPWS_EXTRA_6"}${TPWS_EXTRA_7:+ "$TPWS_EXTRA_7"}${TPWS_EXTRA_8:+ "$TPWS_EXTRA_8"}${TPWS_EXTRA_9:+ "$TPWS_EXTRA_9"}}"
+	strategy_append_extra_tpws
 	report_strategy $1 $3 tpws
 }

@ -1474,7 +1601,7 @@ check_domain_http_tcp()

 	check_domain_prolog $1 $2 $4 || return

-	check_dpi_ip_block $1 $4
+	[ "$SKIP_IPBLOCK" = 1 ] || check_dpi_ip_block $1 $4

 	[ "$SKIP_TPWS" = 1 ] || {
 		echo
@ -1520,22 +1647,22 @@ check_domain_http_udp()
 check_domain_http()
 {
 	# $1 - domain
-	check_domain_http_tcp curl_test_http 80 0 $1
+	check_domain_http_tcp curl_test_http $HTTP_PORT 0 $1
 }
 check_domain_https_tls12()
 {
 	# $1 - domain
-	check_domain_http_tcp curl_test_https_tls12 443 1 $1
+	check_domain_http_tcp curl_test_https_tls12 $HTTPS_PORT 1 $1
 }
 check_domain_https_tls13()
 {
 	# $1 - domain
-	check_domain_http_tcp curl_test_https_tls13 443 2 $1
+	check_domain_http_tcp curl_test_https_tls13 $HTTPS_PORT 2 $1
 }
 check_domain_http3()
 {
 	# $1 - domain
-	check_domain_http_udp curl_test_http3 443 $1
+	check_domain_http_udp curl_test_http3 $QUIC_PORT $1
 }

 configure_ip_version()
@ -1630,87 +1757,119 @@ ask_params()
 		exitp 1
 	}

-
+	local dom
+	[ -n "$DOMAINS" ] || {
+		DOMAINS="$DOMAINS_DEFAULT"
+		[ "$BATCH" = 1 ] || {
 			echo "specify domain(s) to test. multiple domains are space separated."
 			printf "domain(s) (default: $DOMAINS) : "
-	local dom
 			read dom
 			[ -n "$dom" ] && DOMAINS="$dom"
+		}
+	}

 	local IPVS_def=4
+	[ -n "$IPVS" ] || {
 		# yandex public dns
 		pingtest 6 2a02:6b8::feed:0ff && IPVS_def=46
+		[ "$BATCH" = 1 ] || {
 			printf "ip protocol version(s) - 4, 6 or 46 for both (default: $IPVS_def) : "
 			read IPVS
+		}
 		[ -n "$IPVS" ] || IPVS=$IPVS_def
 		[ "$IPVS" = 4 -o "$IPVS" = 6 -o "$IPVS" = 46 ] || {
 			echo 'invalid ip version(s). should be 4, 6 or 46.'
 			exitp 1
 		}
+	}
 	[ "$IPVS" = 46 ] && IPVS="4 6"

 	configure_curl_opt

+	[ -n "$ENABLE_HTTP" ] || {
 		ENABLE_HTTP=1
+		[ "$BATCH" = 1 ] || {
 			echo
 			ask_yes_no_var ENABLE_HTTP "check http"
+		}
+	}

+	[ -n "$ENABLE_HTTPS_TLS12" ] || {
 		ENABLE_HTTPS_TLS12=1
+		[ "$BATCH" = 1 ] || {
 			echo
 			ask_yes_no_var ENABLE_HTTPS_TLS12 "check https tls 1.2"
+		}
+	}

+	[ -n "$ENABLE_HTTPS_TLS13" ] || {
 		ENABLE_HTTPS_TLS13=0
-	echo
 		if [ -n "$TLS13" ]; then
+			[ "$BATCH" = 1 ] || {
+				echo
 				echo "TLS 1.3 uses encrypted ServerHello. DPI cannot check domain name in server response."
 				echo "This can allow more bypass strategies to work."
 				echo "What works for TLS 1.2 will also work for TLS 1.3 but not vice versa."
 				echo "Most sites nowadays support TLS 1.3 but not all. If you can't find a strategy for TLS 1.2 use this test."
 				echo "TLS 1.3 only strategy is better than nothing."
 				ask_yes_no_var ENABLE_HTTPS_TLS13 "check https tls 1.3"
+			}
 		else
+			echo
 			echo "installed curl version does not support TLS 1.3 . tests disabled."
 		fi
-
-	ENABLE_HTTP3=0
-	echo
-	if [ -n "$HTTP3" ]; then
-		echo "make sure target domain(s) support QUIC or result will be negative in any case"
-		ENABLE_HTTP3=1
-		ask_yes_no_var ENABLE_HTTP3 "check http3 QUIC"
-	else
-		echo "installed curl version does not support http3 QUIC. tests disabled."
-	fi
-
-	IGNORE_CA=0
-	CURL_OPT=
-	[ $ENABLE_HTTPS_TLS13 = 1 -o $ENABLE_HTTPS_TLS12 = 1 ] && {
-		echo
-		echo "on limited systems like openwrt CA certificates might not be installed to preserve space"
-		echo "in such a case curl cannot verify server certificate and you should either install ca-bundle or disable verification"
-		echo "however disabling verification will break https check if ISP does MitM attack and substitutes server certificate"
-		ask_yes_no_var IGNORE_CA "do not verify server certificate"
-		[ "$IGNORE_CA" = 1 ] && CURL_OPT=-k
 	}

+	[ -n "$ENABLE_HTTP3" ] || {
+		ENABLE_HTTP3=0
+		if [ -n "$HTTP3" ]; then
+			ENABLE_HTTP3=1
+			[ "$BATCH" = 1 ] || {
+				echo
+				echo "make sure target domain(s) support QUIC or result will be negative in any case"
+				ask_yes_no_var ENABLE_HTTP3 "check http3 QUIC"
+			}
+		else
+			echo
+			echo "installed curl version does not support http3 QUIC. tests disabled."
+		fi
+	}
+
+	[ -n "$REPEATS" ] || {
+		[ "$BATCH" = 1 ] || {
 			echo
 			echo "sometimes ISPs use multiple DPIs or load balancing. bypass strategies may work unstable."
 			printf "how many times to repeat each test (default: 1) : "
 			read REPEATS
+		}
 		REPEATS=$((0+${REPEATS:-1}))
 		[ "$REPEATS" = 0 ] && {
 			echo invalid repeat count
 			exitp 1
 		}
+	}
+	[ -z "$PARALLEL" -a $REPEATS -gt 1 ] && {
+		PARALLEL=0
+		[ "$BATCH" = 1 ] || {
+			echo
+			echo "parallel scan can greatly increase speed but may also trigger DDoS protection and cause false result"
+			ask_yes_no_var PARALLEL "enable parallel scan"
+		}
+	}
+	PARALLEL=${PARALLEL:-0}

+	[ -n "$SCANLEVEL" ] || {
+		SCANLEVEL=standard
+		[ "$BATCH" = 1 ] || {
 			echo
 			echo quick    - scan as fast as possible to reveal any working strategy
 			echo standard - do investigation what works on your DPI
 			echo force    - scan maximum despite of result
-	SCANLEVEL=${SCANLEVEL:-standard}
 			ask_list SCANLEVEL "quick standard force" "$SCANLEVEL"
 			# disable tpws checks by default in quick mode
 			[ "$SCANLEVEL" = quick -a -z "$SKIP_TPWS" -a "$UNAME" != Darwin ] && SKIP_TPWS=1
+		}
+	}

 	echo

@ -1915,14 +2074,15 @@ check_dns()
 unprepare_all()
 {
 	# make sure we are not in a middle state that impacts connectivity
-	rm -f "$HDRTEMP"
-	[ -n "$IPV" ] && {
-		pktws_ipt_unprepare_tcp 80
-		pktws_ipt_unprepare_tcp 443
-		pktws_ipt_unprepare_udp 443
-	}
 	ws_kill
+	wait
+	[ -n "$IPV" ] && {
+		pktws_ipt_unprepare_tcp $HTTP_PORT
+		pktws_ipt_unprepare_tcp $HTTPS_PORT
+		pktws_ipt_unprepare_udp $QUIC_PORT
+	}
 	cleanup
+	rm -f "${HDRTEMP}"* "${PARALLEL_OUT}"*
 }
 sigint()
 {
@ -1968,10 +2128,10 @@ for dom in $DOMAINS; do
 	for IPV in $IPVS; do
 		configure_ip_version
 		[ "$ENABLE_HTTP" = 1 ] && {
-			check_domain_port_block $dom $HTTP_PORT
+			[ "$SKIP_IPBLOCK" = 1 ] || check_domain_port_block $dom $HTTP_PORT
 			check_domain_http $dom
 		}
-		[ "$ENABLE_HTTPS_TLS12" = 1 -o "$ENABLE_HTTPS_TLS13" = 1 ] && check_domain_port_block $dom $HTTPS_PORT
+		[ "$ENABLE_HTTPS_TLS12" = 1 -o "$ENABLE_HTTPS_TLS13" = 1 ] && [ "$SKIP_IPBLOCK" != 1 ] && check_domain_port_block $dom $HTTPS_PORT
 		[ "$ENABLE_HTTPS_TLS12" = 1 ] && check_domain_https_tls12 $dom
 		[ "$ENABLE_HTTPS_TLS13" = 1 ] && check_domain_https_tls13 $dom
 		[ "$ENABLE_HTTP3" = 1 ] && check_domain_http3 $dom
--- a/common/base.sh
+++ b/common/base.sh
@ -60,11 +60,22 @@ starts_with()
 	esac
 	return 1
 }
+extract_arg()
+{
+	# $1 - arg number
+	# $2,$3,... - args
+        local n=$1
+        while [ -n "$1" ]; do
+                shift
+                [ $n -eq 1 ] && { echo "$1"; return 0; }
+                n=$(($n-1))
+        done
+        return 1
+}
 find_str_in_list()
 {
 	# $1 - string
 	# $2 - space separated values
-
 	local v
 	[ -n "$1" ] && {
 		for v in $2; do
@ -230,7 +241,7 @@ fix_sbin_path()
 # it can calculate floating point expr
 calc()
 {
-	awk "BEGIN { print $*}";
+	LC_ALL=C awk "BEGIN { print $*}";
 }

 fsleep_setup()
@ -307,18 +318,27 @@ setup_md5()
 	exists $MD5 || MD5=md5
 }

+setup_random()
+{
+	[ -n "$RCUT" ] && return
+	RCUT="cut -c 1-17"
+	# some shells can operate with 32 bit signed int
+	[ $((0x100000000)) = 0 ] && RCUT="cut -c 1-9"
+}
+
 random()
 {
 	# $1 - min, $2 - max
 	local r rs
 	setup_md5
+	setup_random
 	if [ -c /dev/urandom ]; then
 		read rs </dev/urandom
 	else
 		rs="$RANDOM$RANDOM$(date)"
 	fi
 	# shells use signed int64
-	r=1$(echo $rs | $MD5 | sed 's/[^0-9]//g' | cut -c 1-17)
+	r=1$(echo $rs | $MD5 | sed 's/[^0-9]//g' | $RCUT)
 	echo $(( ($r % ($2-$1+1)) + $1 ))
 }

--- a/common/custom.sh
+++ b/common/custom.sh
@ -3,6 +3,8 @@ custom_runner()
 	# $1 - function name
 	# $2+ - params

+	[ "$DISABLE_CUSTOM" = 1 ] && return 0
+
 	local n script FUNC=$1

 	shift
--- a/common/installer.sh
+++ b/common/installer.sh
@ -1,4 +1,4 @@
-readonly GET_LIST_PREFIX=/ipset/get_
+GET_LIST_PREFIX=/ipset/get_

 SYSTEMD_DIR=/lib/systemd
 [ -d "$SYSTEMD_DIR" ] || SYSTEMD_DIR=/usr/lib/systemd
@ -140,7 +140,7 @@ echo_var()
 	eval v="\$$1"
 	if find_str_in_list $1 "$EDITVAR_NEWLINE_VARS"; then
 		echo "$1=\""
-		echo "$v\"" | sed "s/$EDITVAR_NEWLINE_DELIMETER /$EDITVAR_NEWLINE_DELIMETER\n/g"
+		echo "$v\"" | tr '\n' ' ' | tr -d '\r' | sed -e 's/^ *//' -e 's/ *$//' -e "s/$EDITVAR_NEWLINE_DELIMETER /$EDITVAR_NEWLINE_DELIMETER\n/g"
 	else
 		if contains "$v" " "; then
 			echo $1=\"$v\"
@ -170,6 +170,7 @@ list_vars()
 		echo_var $1
 		shift
 	done
+	echo
 }

 openrc_test()
@ -190,6 +191,7 @@ check_system()

 	get_fwtype
 	OPENWRT_FW3=
+	OPENWRT_FW4=

 	local info
 	UNAME=$(uname)
@ -201,27 +203,35 @@ check_system()
 		# some distros include systemctl without systemd
 		if [ -d "$SYSTEMD_DIR" ] && [ -x "$SYSTEMCTL" ] && [ "$INIT" = "systemd" ]; then
 			SYSTEM=systemd
-		elif [ -f "/etc/openwrt_release" ] && exists opkg && exists uci && [ "$INIT" = "procd" ] ; then
-		{
+		elif [ -f "/etc/openwrt_release" ] && exists opkg || exists apk && exists uci && [ "$INIT" = "procd" ] ; then
 			SYSTEM=openwrt
+			OPENWRT_PACKAGER=opkg
+			OPENWRT_PACKAGER_INSTALL="opkg install"
+			OPENWRT_PACKAGER_UPDATE="opkg update"
+			exists apk && {
+				OPENWRT_PACKAGER=apk
+				OPENWRT_PACKAGER_INSTALL="apk add"
+				OPENWRT_PACKAGER_UPDATE=
+			}
+			info="package manager $OPENWRT_PACKAGER\n"
 			if openwrt_fw3 ; then
 				OPENWRT_FW3=1
-				info="openwrt firewall uses fw3"
+				info="${info}firewall fw3"
 				if is_ipt_flow_offload_avail; then
 					info="$info. hardware flow offloading requires iptables."
 				else
 					info="$info. flow offloading unavailable."
 				fi
 			elif openwrt_fw4; then
-				info="openwrt firewall uses fw4. flow offloading requires nftables."
+				OPENWRT_FW4=1
+				info="${info}firewall fw4. flow offloading requires nftables."
 			fi
-		}
 		elif openrc_test; then
 			SYSTEM=openrc
 		else
 			echo system is not either systemd, openrc or openwrt based
 			echo easy installer can set up config settings but can\'t configure auto start
-			echo you have to do it manually. check readme.txt for manual setup info.
+			echo you have to do it manually. check readme.md for manual setup info.
 			if [ -n "$1" ] || ask_yes_no N "do you want to continue"; then
 			    SYSTEM=linux
 			else
@ -232,11 +242,11 @@ check_system()
 	elif [ "$UNAME" = "Darwin" ]; then
 		SYSTEM=macos
 	else
-		echo easy installer only supports Linux and MacOS. check readme.txt for supported systems and manual setup info.
+		echo easy installer only supports Linux and MacOS. check readme.md for supported systems and manual setup info.
 		exitp 5
 	fi
 	echo system is based on $SYSTEM
-	[ -n "$info" ] && echo $info
+	[ -n "$info" ] && printf "${info}\n"
 }

 get_free_space_mb()
@ -420,14 +430,21 @@ check_kmod()
 }
 check_package_exists_openwrt()
 {
-	[ -n "$(opkg list $1)" ]
+	[ -n "$($OPENWRT_PACKAGER list $1)" ]
 }
 check_package_openwrt()
 {
+	case $OPENWRT_PACKAGER in
+		opkg)
 			[ -n "$(opkg list-installed $1)" ] && return 0
 			local what="$(opkg whatprovides $1 | tail -n +2 | head -n 1)"
 			[ -n "$what" ] || return 1
 			[ -n "$(opkg list-installed $what)" ]
+			;;
+		apk)
+			apk info -e $1
+			;;
+	esac
 }
 check_packages_openwrt()
 {
@ -516,9 +533,8 @@ restart_openwrt_firewall()

 	local FW=fw4
 	[ -n "$OPENWRT_FW3" ] && FW=fw3
-	$FW -q restart || {
+	exists $FW && $FW -q restart || {
 		echo could not restart firewall $FW
-		exitp 30
 	}
 }
 remove_openwrt_firewall()
@ -601,11 +617,17 @@ write_config_var()
 	replace_var_def $1 "$M" "$ZAPRET_CONFIG"
 }

+no_prereq_exit()
+{
+	echo could not install prerequisites
+	exitp 6
+}
 check_prerequisites_linux()
 {
 	echo \* checking prerequisites

 	local s cmd PKGS UTILS req="curl curl"
+	local APTGET DNF YUM PACMAN ZYPPER EOPKG APK
 	case "$FWTYPE" in
 		iptables)
 			req="$req iptables iptables ip6tables iptables ipset ipset"
@ -634,6 +656,7 @@ check_prerequisites_linux()
 		echo packages required : $PKGS

 		APTGET=$(whichq apt-get)
+		DNF=$(whichq dnf)
 		YUM=$(whichq yum)
 		PACMAN=$(whichq pacman)
 		ZYPPER=$(whichq zypper)
@ -641,39 +664,23 @@ check_prerequisites_linux()
 		APK=$(whichq apk)
 		if [ -x "$APTGET" ] ; then
 			"$APTGET" update
-			"$APTGET" install -y --no-install-recommends $PKGS dnsutils || {
-				echo could not install prerequisites
-				exitp 6
-			}
+			"$APTGET" install -y --no-install-recommends $PKGS dnsutils || no_prereq_exit
+		elif [ -x "$DNF" ] ; then
+			"$DNF" -y install $PKGS || no_prereq_exit
 		elif [ -x "$YUM" ] ; then
-			"$YUM" -y install $PKGS || {
-				echo could not install prerequisites
-				exitp 6
-			}
+			"$YUM" -y install $PKGS || no_prereq_exit
 		elif [ -x "$PACMAN" ] ; then
 			"$PACMAN" -Syy
-			"$PACMAN" --noconfirm -S $PKGS || {
-				echo could not install prerequisites
-				exitp 6
-			}
+			"$PACMAN" --noconfirm -S $PKGS || no_prereq_exit
 		elif [ -x "$ZYPPER" ] ; then
-			"$ZYPPER" --non-interactive install $PKGS || {
-				echo could not install prerequisites
-				exitp 6
-			}
+			"$ZYPPER" --non-interactive install $PKGS || no_prereq_exit
 		elif [ -x "$EOPKG" ] ; then
-			"$EOPKG" -y install $PKGS || {
-				echo could not install prerequisites
-				exitp 6
-			}
+			"$EOPKG" -y install $PKGS || no_prereq_exit
 		elif [ -x "$APK" ] ; then
 			"$APK" update
 			# for alpine
 			[ "$FWTYPE" = iptables ] && [ -n "$($APK list ip6tables)" ] && PKGS="$PKGS ip6tables"
-			"$APK" add $PKGS || {
-				echo could not install prerequisites
-				exitp 6
-			}
+			"$APK" add $PKGS || no_prereq_exit
 		else
 			echo supported package manager not found
 			echo you must manually install : $UTILS
@ -684,7 +691,23 @@ check_prerequisites_linux()

 removable_pkgs_openwrt()
 {
-	PKGS="iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptables-mod-ipopt iptables-mod-conntrack-extra ip6tables-mod-nat ip6tables-extra kmod-nft-queue gzip coreutils-sort coreutils-sleep curl"
+	local pkg PKGS2
+	[ -n "$OPENWRT_FW4" ] && PKGS2="$PKGS2 iptables-zz-legacy iptables ip6tables-zz-legacy ip6tables"
+	[ -n "$OPENWRT_FW3" ] && PKGS2="$PKGS2 nftables-json nftables-nojson nftables"
+	PKGS=
+	for pkg in $PKGS2; do
+		check_package_exists_openwrt $pkg && PKGS="${PKGS:+$PKGS }$pkg"
+	done
+	PKGS="ipset iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptables-mod-ipopt iptables-mod-conntrack-extra ip6tables-mod-nat ip6tables-extra kmod-nft-queue gzip coreutils-sort coreutils-sleep curl $PKGS"
+}
+
+openwrt_fix_broken_apk_uninstall_scripts()
+{
+	# at least in early snapshots with apk removing gnu gzip, sort, ... does not restore links to busybox
+	# system may become unusable
+	exists sort || { echo fixing missing sort; ln -fs /bin/busybox /usr/bin/sort; }
+	exists gzip || { echo fixing missing gzip; ln -fs /bin/busybox /bin/gzip; }
+	exists sleep || { echo fixing missing sleep; ln -fs /bin/busybox /bin/sleep; }
 }

 remove_extra_pkgs_openwrt()
@ -693,19 +716,32 @@ remove_extra_pkgs_openwrt()
 	echo \* remove dependencies
 	removable_pkgs_openwrt
 	echo these packages may have been installed by install_easy.sh : $PKGS
-	ask_yes_no N "do you want to remove them" && opkg remove --autoremove $PKGS
+	ask_yes_no N "do you want to remove them" && {
+		case $OPENWRT_PACKAGER in
+			opkg)
+				opkg remove --autoremove $PKGS
+				;;
+			apk)
+				apk del $PKGS
+				openwrt_fix_broken_apk_uninstall_scripts
+				;;
+		esac
+	}
 }

 check_prerequisites_openwrt()
 {
 	echo \* checking prerequisites

-	local PKGS="curl" UPD=0
+	local PKGS="curl" UPD=0 local pkg_iptables

 	case "$FWTYPE" in
 		iptables)
-			PKGS="$PKGS ipset iptables iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptables-mod-ipopt iptables-mod-conntrack-extra"
-			[ "$DISABLE_IPV6" != "1" ] && PKGS="$PKGS ip6tables ip6tables-mod-nat ip6tables-extra"
+			pkg_iptables=iptables
+			check_package_exists_openwrt iptables-zz-legacy && pkg_iptables=iptables-zz-legacy
+			PKGS="$PKGS ipset $pkg_iptables iptables-mod-extra iptables-mod-nfqueue iptables-mod-filter iptables-mod-ipopt iptables-mod-conntrack-extra"
+			check_package_exists_openwrt ip6tables-zz-legacy && pkg_iptables=ip6tables-zz-legacy
+			[ "$DISABLE_IPV6" = 1 ] || PKGS="$PKGS $pkg_iptables ip6tables-mod-nat ip6tables-extra"
 			;;
 		nftables)
 			PKGS="$PKGS nftables kmod-nft-nat kmod-nft-offload kmod-nft-queue"
@ -717,9 +753,9 @@ check_prerequisites_openwrt()
 	else
 		echo \* installing prerequisites

-		opkg update
+		$OPENWRT_PACKAGER_UPDATE
 		UPD=1
-		opkg install $PKGS || {
+		$OPENWRT_PACKAGER_INSTALL $PKGS || {
 			echo could not install prerequisites
 			exitp 6
 		}
@ -732,10 +768,10 @@ check_prerequisites_openwrt()
 		echo installer can install GNU gzip but it requires about 100 Kb space
 		if ask_yes_no N "do you want to install GNU gzip"; then
 			[ "$UPD" = "0" ] && {
-				opkg update
+				$OPENWRT_PACKAGER_UPDATE
 				UPD=1
 			}
-			opkg install --force-overwrite gzip
+			$OPENWRT_PACKAGER_INSTALL --force-overwrite gzip
 		fi
 	}
 	is_linked_to_busybox sort && {
@ -745,10 +781,10 @@ check_prerequisites_openwrt()
 		echo installer can install GNU sort but it requires about 100 Kb space
 		if ask_yes_no N "do you want to install GNU sort"; then
 			[ "$UPD" = "0" ] && {
-				opkg update
+				$OPENWRT_PACKAGER_UPDATE
 				UPD=1
 			}
-			opkg install --force-overwrite coreutils-sort
+			$OPENWRT_PACKAGER_INSTALL --force-overwrite coreutils-sort
 		fi
 	}
 	[ "$FSLEEP" = 0 ] && is_linked_to_busybox sleep && {
@ -757,10 +793,10 @@ check_prerequisites_openwrt()
 		echo if you want to speed up blockcheck install coreutils-sleep. it requires about 40 Kb space
 		if ask_yes_no N "do you want to install COREUTILS sleep"; then
 			[ "$UPD" = "0" ] && {
-				opkg update
+				$OPENWRT_PACKAGER_UPDATE
 				UPD=1
 			}
-			opkg install --force-overwrite coreutils-sleep
+			$OPENWRT_PACKAGER_INSTALL --force-overwrite coreutils-sleep
 			fsleep_setup
 		fi
 	}
@ -793,3 +829,37 @@ select_fwtype()
 	echo select firewall type :
 	ask_list FWTYPE "iptables nftables" "$FWTYPE" && write_config_var FWTYPE
 }
+
+dry_run_tpws_()
+{
+	local TPWS="$ZAPRET_BASE/tpws/tpws"
+	echo verifying tpws options
+	"$TPWS" --dry-run "$@"
+}
+dry_run_nfqws_()
+{
+	local NFQWS="$ZAPRET_BASE/nfq/nfqws"
+	echo verifying nfqws options
+	"$NFQWS" --dry-run "$@"
+}
+dry_run_tpws()
+{
+	[ "$TPWS_ENABLE" = 1 ] || return 0
+	local opt="$TPWS_OPT" port=${TPPORT_SOCKS:-988}
+	filter_apply_hostlist_target opt
+	dry_run_tpws_ --port=$port $opt
+}
+dry_run_tpws_socks()
+{
+	[ "$TPWS_SOCKS_ENABLE" = 1 ] || return 0
+	local opt="$TPWS_SOCKS_OPT" port=${TPPORT:-987}
+	filter_apply_hostlist_target opt
+	dry_run_tpws_ --port=$port --socks $opt
+}
+dry_run_nfqws()
+{
+	[ "$NFQWS_ENABLE" = 1 ] || return 0
+	local opt="$NFQWS_OPT" qn=${QNUM:-200}
+	filter_apply_hostlist_target opt
+	dry_run_nfqws_ --qnum=$qn $opt
+}
--- a/common/ipt.sh
+++ b/common/ipt.sh
@ -1,5 +1,9 @@
 std_ports
-readonly ipt_connbytes="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes"
+ipt_connbytes="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes"
+IPSET_EXCLUDE="-m set ! --match-set nozapret"
+IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
+IPBAN_EXCLUDE="-m set ! --match-set ipban"
+IPBAN_EXCLUDE6="-m set ! --match-set ipban6"

 ipt()
 {
@ -132,7 +136,7 @@ _fw_tpws4()

 		ipt_print_op $1 "$2" "tpws (port $3)"

-		rule="$2 $IPSET_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3"
+		rule="$2 $IPSET_EXCLUDE dst $IPBAN_EXCLUDE dst -j DNAT --to $TPWS_LOCALHOST4:$3"
 		for i in $4 ; do
 			ipt_add_del $1 PREROUTING -t nat -i $i $rule
 	 	done
@ -160,7 +164,7 @@ _fw_tpws6()

 		ipt_print_op $1 "$2" "tpws (port $3)" 6

-		rule="$2 $IPSET_EXCLUDE6 dst"
+		rule="$2 $IPSET_EXCLUDE6 dst $IPBAN_EXCLUDE6 dst"
 		for i in $4 ; do
 			_dnat6_target $i DNAT6
 			[ -n "$DNAT6" -a "$DNAT6" != "-" ] && ipt6_add_del $1 PREROUTING -t nat -i $i $rule -j DNAT --to [$DNAT6]:$3
@ -349,27 +353,37 @@ ipt_do_nfqws_in_out()
 	}
 }

-zapret_do_firewall_standard_rules_ipt()
+zapret_do_firewall_standard_tpws_rules_ipt()
 {
 	# $1 - 1 - add, 0 - del

 	local f4 f6

-	[ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] &&
-	{
+	[ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] && {
 		f4="-p tcp -m multiport --dports $TPWS_PORTS_IPT"
 		f6=$f4
 		filter_apply_ipset_target f4 f6
 		fw_tpws $1 "$f4" "$f6" $TPPORT
 	}
-	[ "$NFQWS_ENABLE" = 1 ] &&
-	{
+}
+zapret_do_firewall_standard_nfqws_rules_ipt()
+{
+	# $1 - 1 - add, 0 - del
+
+	[ "$NFQWS_ENABLE" = 1 ] && {
 		ipt_do_nfqws_in_out $1 tcp "$NFQWS_PORTS_TCP_IPT" "$NFQWS_TCP_PKT_OUT" "$NFQWS_TCP_PKT_IN"
 		ipt_do_nfqws_in_out $1 tcp "$NFQWS_PORTS_TCP_KEEPALIVE_IPT" keepalive "$NFQWS_TCP_PKT_IN"
 		ipt_do_nfqws_in_out $1 udp "$NFQWS_PORTS_UDP_IPT" "$NFQWS_UDP_PKT_OUT" "$NFQWS_UDP_PKT_IN"
 		ipt_do_nfqws_in_out $1 udp "$NFQWS_PORTS_UDP_KEEPALIVE_IPT" keepalive "$NFQWS_UDP_PKT_IN"
 	}
 }
+zapret_do_firewall_standard_rules_ipt()
+{
+	# $1 - 1 - add, 0 - del
+
+	zapret_do_firewall_standard_tpws_rules_ipt $1
+	zapret_do_firewall_standard_nfqws_rules_ipt $1
+}

 zapret_do_firewall_rules_ipt()
 {
--- a/common/linux_daemons.sh
+++ b/common/linux_daemons.sh
@ -0,0 +1,55 @@
+standard_mode_tpws_socks()
+{
+	# $1 - 1 - run, 0 - stop
+	local opt
+	[ "$TPWS_SOCKS_ENABLE" = 1 ] && {
+		opt="--port=$TPPORT_SOCKS $TPWS_SOCKS_OPT"
+		filter_apply_hostlist_target opt
+		do_tpws_socks $1 2 "$opt"
+	}
+}
+standard_mode_tpws()
+{
+	# $1 - 1 - run, 0 - stop
+	local opt
+	[ "$TPWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$TPWS_OPT" && {
+		opt="--port=$TPPORT $TPWS_OPT"
+		filter_apply_hostlist_target opt
+		do_tpws $1 1 "$opt"
+	}
+}
+standard_mode_nfqws()
+{
+	# $1 - 1 - run, 0 - stop
+	local opt
+	[ "$NFQWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$NFQWS_OPT" && {
+		opt="--qnum=$QNUM $NFQWS_OPT"
+		filter_apply_hostlist_target opt
+		do_nfqws $1 3 "$opt"
+	}
+}
+standard_mode_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	standard_mode_tpws_socks $1
+	standard_mode_tpws $1
+	standard_mode_nfqws $1
+}
+zapret_do_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	standard_mode_daemons $1
+	custom_runner zapret_custom_daemons $1
+
+	return 0
+}
+zapret_run_daemons()
+{
+	zapret_do_daemons 1 "$@"
+}
+zapret_stop_daemons()
+{
+	zapret_do_daemons 0 "$@"
+}
--- a/common/linux_iphelper.sh
+++ b/common/linux_iphelper.sh
@ -4,6 +4,8 @@
 # PREROUTING - can't DNAT to ::1. can DNAT to link local of -i interface or to any global addr
 # not a good idea to expose tpws to the world (bind to ::)

+# max wait time for the link local ipv6 on the LAN interface
+LINKLOCAL_WAIT_SEC=${LINKLOCAL_WAIT_SEC:-5}

 get_ipv6_linklocal()
 {
@ -125,3 +127,13 @@ resolve_lower_devices()
 		}
 	}
 }
+
+default_route_interfaces6()
+{
+	sed -nre 's/^00000000000000000000000000000000 00 [0-9a-f]{32} [0-9a-f]{2} [0-9a-f]{32} [0-9a-f]{8} [0-9a-f]{8} [0-9a-f]{8} [0-9a-f]{8} +(.*)$/\1/p' /proc/net/ipv6_route | grep -v '^lo$' | sort -u | xargs
+}
+
+default_route_interfaces4()
+{
+	sed -nre 's/^([^\t]+)\t00000000\t[0-9A-F]{8}\t[0-9A-F]{4}\t[0-9]+\t[0-9]+\t[0-9]+\t00000000.*$/\1/p' /proc/net/route | sort -u | xargs
+}
--- a/common/list.sh
+++ b/common/list.sh
@ -1,5 +1,5 @@
-readonly HOSTLIST_MARKER="<HOSTLIST>"
-readonly HOSTLIST_NOAUTO_MARKER="<HOSTLIST_NOAUTO>"
+HOSTLIST_MARKER="<HOSTLIST>"
+HOSTLIST_NOAUTO_MARKER="<HOSTLIST_NOAUTO>"

 find_hostlists()
 {
--- a/common/nft.sh
+++ b/common/nft.sh
@ -1,5 +1,5 @@
 [ -n "$ZAPRET_NFT_TABLE" ] || ZAPRET_NFT_TABLE=zapret
-readonly nft_connbytes="ct original packets"
+nft_connbytes="ct original packets"

 # required for : nft -f -
 create_dev_stdin
@ -263,28 +263,6 @@ nft_add_flow_offload_exemption()
 	[ "$DISABLE_IPV6" = "1" -o -z "$2" ] || nft_add_rule flow_offload oifname @wanif6 $2 ip6 daddr != @nozapret6 return comment \"$3\"
 }

-nft_hw_offload_supported()
-{
-	# $1,$2,... - interface names
-	local devices res=1
-	make_quoted_comma_list devices "$@"
-	[ -n "$devices" ] && devices="devices={$devices};"
-	nft add table ${ZAPRET_NFT_TABLE}_test && nft add flowtable ${ZAPRET_NFT_TABLE}_test ft "{ flags offload; $devices }" 2>/dev/null && res=0
-	nft delete table ${ZAPRET_NFT_TABLE}_test 2>/dev/null
-	return $res
-}
-
-nft_hw_offload_find_supported()
-{
-	# $1,$2,... - interface names
-	local supported_list
-	while [ -n "$1" ]; do
-		nft_hw_offload_supported "$1" && append_separator_list supported_list ' ' '' "$1"
-		shift
-	done
-	echo $supported_list
-}
-
 nft_apply_flow_offloading()
 {
 	# ft can be absent
@ -370,9 +348,8 @@ flush set inet $ZAPRET_NFT_TABLE lanif"
 			nft_create_or_update_flowtable 'offload' 2>/dev/null
 			# then add elements. some of them can cause error because unsupported
 			for i in $ALLDEVS; do
-				if nft_hw_offload_supported $i; then
-					nft_create_or_update_flowtable 'offload' $i
-				else
+				# first try to add interface itself
+				nft_create_or_update_flowtable 'offload' $i 2>/dev/null
 				# bridge members must be added instead of the bridge itself
 				# some members may not support hw offload. example : lan1 lan2 lan3 support, wlan0 wlan1 - not
 				devs=$(resolve_lower_devices $i)
@ -380,7 +357,6 @@ flush set inet $ZAPRET_NFT_TABLE lanif"
 					# do not display error if addition failed
 					nft_create_or_update_flowtable 'offload' $j 2>/dev/null
 				done
-				fi
 			done
 			;;
 	esac
@ -411,8 +387,8 @@ _nft_fw_tpws4()
 	[ "$DISABLE_IPV4" = "1" -o -z "$1" ] || {
 		local filter="$1" port="$2"
 		nft_print_op "$filter" "tpws (port $2)" 4
-		nft_insert_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }$filter ip daddr != @nozapret $FW_EXTRA_POST dnat ip to $TPWS_LOCALHOST4:$port
-		nft_insert_rule dnat_pre iifname @lanif $filter ip daddr != @nozapret $FW_EXTRA_POST dnat ip to $TPWS_LOCALHOST4:$port
+		nft_insert_rule dnat_output skuid != $WS_USER ${3:+oifname @wanif }$filter ip daddr != @nozapret ip daddr != @ipban $FW_EXTRA_POST dnat ip to $TPWS_LOCALHOST4:$port
+		nft_insert_rule dnat_pre iifname @lanif $filter ip daddr != @nozapret ip daddr != @ipban $FW_EXTRA_POST dnat ip to $TPWS_LOCALHOST4:$port
 		prepare_route_localnet
 	}
 }
@ -426,9 +402,9 @@ _nft_fw_tpws6()
 	[ "$DISABLE_IPV6" = "1" -o -z "$1" ] || {
 		local filter="$1" port="$2" DNAT6 i
 		nft_print_op "$filter" "tpws (port $port)" 6
-		nft_insert_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }$filter ip6 daddr != @nozapret6 $FW_EXTRA_POST dnat ip6 to [::1]:$port
+		nft_insert_rule dnat_output skuid != $WS_USER ${4:+oifname @wanif6 }$filter ip6 daddr != @nozapret6 ip6 daddr != @ipban6 $FW_EXTRA_POST dnat ip6 to [::1]:$port
 		[ -n "$3" ] && {
-			nft_insert_rule dnat_pre $filter ip6 daddr != @nozapret6 $FW_EXTRA_POST dnat ip6 to iifname map @link_local:$port
+			nft_insert_rule dnat_pre $filter ip6 daddr != @nozapret6 ip6 daddr != @ipban6 $FW_EXTRA_POST dnat ip6 to iifname map @link_local:$port
 			for i in $3; do
 				_dnat6_target $i DNAT6
 				# can be multiple tpws processes on different ports
@ -640,25 +616,31 @@ nft_apply_nfqws_in_out()
 	}
 }

-zapret_apply_firewall_standard_rules_nft()
+zapret_apply_firewall_standard_tpws_rules_nft()
 {
 	local f4 f6

-	[ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] &&
-	{
+	[ "$TPWS_ENABLE" = 1 -a -n "$TPWS_PORTS" ] && {
 		f4="tcp dport {$TPWS_PORTS}"
 		f6=$f4
 		nft_filter_apply_ipset_target f4 f6
 		nft_fw_tpws "$f4" "$f6" $TPPORT
 	}
-	[ "$NFQWS_ENABLE" = 1 ] &&
-	{
+}
+zapret_apply_firewall_standard_nfqws_rules_nft()
+{
+	[ "$NFQWS_ENABLE" = 1 ] && {
 		nft_apply_nfqws_in_out tcp "$NFQWS_PORTS_TCP" "$NFQWS_TCP_PKT_OUT" "$NFQWS_TCP_PKT_IN"
 		nft_apply_nfqws_in_out tcp "$NFQWS_PORTS_TCP_KEEPALIVE" keepalive "$NFQWS_TCP_PKT_IN"
 		nft_apply_nfqws_in_out udp "$NFQWS_PORTS_UDP" "$NFQWS_UDP_PKT_OUT" "$NFQWS_UDP_PKT_IN"
 		nft_apply_nfqws_in_out udp "$NFQWS_PORTS_UDP_KEEPALIVE" keepalive "$NFQWS_UDP_PKT_IN"
 	}
 }
+zapret_apply_firewall_standard_rules_nft()
+{
+	zapret_apply_firewall_standard_tpws_rules_nft
+	zapret_apply_firewall_standard_nfqws_rules_nft
+}

 zapret_apply_firewall_rules_nft()
 {
--- a/config.default
+++ b/config.default
@ -55,7 +55,7 @@ TPPORT_SOCKS=987
 # <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
 TPWS_SOCKS_OPT="
 --filter-tcp=80 --methodeol <HOSTLIST> --new
--filter-tcp=443 --split-tls=sni --disorder <HOSTLIST>
+--filter-tcp=443 --split-pos=1,midsld --disorder <HOSTLIST>
 "

 TPWS_ENABLE=0
@ -65,7 +65,7 @@ TPWS_PORTS=80,443
 # <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
 TPWS_OPT="
 --filter-tcp=80 --methodeol <HOSTLIST> --new
--filter-tcp=443 --split-tls=sni --disorder <HOSTLIST>
+--filter-tcp=443 --split-pos=1,midsld --disorder <HOSTLIST>
 "

 NFQWS_ENABLE=0
@ -89,15 +89,15 @@ NFQWS_UDP_PKT_IN=0
 # hostlist markers are replaced to empty string if MODE_FILTER does not satisfy
 # <HOSTLIST_NOAUTO> appends ipset/zapret-hosts-auto.txt as normal list
 NFQWS_OPT="
--filter-tcp=80 --dpi-desync=fake,split2 --dpi-desync-fooling=md5sig <HOSTLIST> --new
--filter-tcp=443 --dpi-desync=fake,disorder2 --dpi-desync-fooling=md5sig <HOSTLIST> --new
+--filter-tcp=80 --dpi-desync=fake,multisplit --dpi-desync-split-pos=method+2 --dpi-desync-fooling=md5sig <HOSTLIST> --new
+--filter-tcp=443 --dpi-desync=fake,multidisorder --dpi-desync-split-pos=1,midsld --dpi-desync-fooling=badseq,md5sig <HOSTLIST> --new
 --filter-udp=443 --dpi-desync=fake --dpi-desync-repeats=6 <HOSTLIST_NOAUTO>
 "

 # none,ipset,hostlist,autohostlist
 MODE_FILTER=none

-# openwrt only : donttouch,none,software,hardware
+# donttouch,none,software,hardware
 FLOWOFFLOAD=donttouch

 # openwrt: specify networks to be treated as LAN. default is "lan"
--- a/docs/LICENSE.txt
+++ b/docs/LICENSE.txt
@ -1,6 +1,6 @@
 MIT License

-Copyright (c) 2016-2021 bol-van
+Copyright (c) 2016-2024 bol-van

 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/docs/bsd.en.md
+++ b/docs/bsd.en.md
@ -100,7 +100,7 @@ Later you will add ipfw commands to `/etc/rc.firewall.my` to be reapplied after
 You can also run zapret daemons from there. Start them with `--daemon` options, for example
 ```
 pkill ^dvtws$
-/opt/zapret/nfq/dvtws --port=989 --daemon --dpi-desync=split2
+/opt/zapret/nfq/dvtws --port=989 --daemon --dpi-desync=multisplit --dpi-desync-split-pos=2
 ```

 To restart firewall and daemons run : `/etc/rc.d/ipfw restart`
@ -157,7 +157,7 @@ ipfw delete 100
 ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg xmit em0
 # required for autottl mode only
 ipfw add 100 divert 989 tcp from any 80,443 to any tcpflags syn,ack in not diverted not sockarg recv em0
-/opt/zapret/nfq/dvtws --port=989 --dpi-desync=split2
+/opt/zapret/nfq/dvtws --port=989 --dpi-desync=multisplit --dpi-desync-split-pos=2
 ```

 Process only table zapret with the exception of table nozapret:
@ -167,7 +167,7 @@ ipfw add 100 allow tcp from me to table\(nozapret\) 80,443
 ipfw add 100 divert 989 tcp from any to table\(zapret\) 80,443 out not diverted not sockarg xmit em0
 # required for autottl mode only
 ipfw add 100 divert 989 tcp from table\(zapret\) 80,443 to any tcpflags syn,ack in not diverted not sockarg recv em0
-/opt/zapret/nfq/dvtws --port=989 --dpi-desync=split2
+/opt/zapret/nfq/dvtws --port=989 --dpi-desync=multisplit --dpi-desync-split-pos=2
 ```

 Reinjection loop avoidance. FreeBSD artificially ignores sockarg for ipv6 in
@ -245,7 +245,7 @@ sysctl net.inet6.ip6.pfil.inbound=ipfw,pf
 ipfw delete 100
 ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg xmit em0
 pkill ^dvtws$
-dvtws --daemon --port 989 --dpi-desync=split2
+dvtws --daemon --port 989 --dpi-desync=multisplit --dpi-desync-split-pos=2

 # required for newer pfsense versions (2.6.0 tested) to return ipfw to functional state
 pfctl -d ; pfctl -e
@ -280,7 +280,7 @@ Autostart `/usr/local/etc/rc.d/zapret.sh`:
 ```
 pfctl -a zapret -f /etc/zapret.anchor
 pkill ^tpws$
-tpws --daemon --port=988 --enable-pf --bind-addr=127.0.0.1 --bind-iface6=em1 --bind-linklocal=force --split-http-req=method --split-pos=2
+tpws --daemon --port=988 --enable-pf --bind-addr=127.0.0.1 --bind-iface6=em1 --bind-linklocal=force --split-pos=2
 ```

 After reboot check that anchor is created and referred from the main ruleset:
@ -342,7 +342,7 @@ pass out quick on em0 proto tcp to   port {80,443} divert-packet port 989
 Then:
 ```
 pfctl -f /etc/pf.conf
-./dvtws --port=989 --dpi-desync=split2
+./dvtws --port=989 --dpi-desync=multisplit --dpi-desync-split-pos=2
 ```

 `dwtws` only for table zapret with the exception of table nozapret :
@ -375,7 +375,7 @@ pass out quick on em0 inet6 proto tcp to   <zapret6-user> port {80,443} divert-p
 Then:
 ```
 pfctl -f /etc/pf.conf
-./dvtws --port=989 --dpi-desync=split2
+./dvtws --port=989 --dpi-desync=multisplit --dpi-desync-split-pos=2
 ```

 divert-packet automatically adds the reverse rule. By default also incoming
--- a/docs/bsd.md
+++ b/docs/bsd.md
@ -143,7 +143,7 @@ $ ipfw -q -f flush
 zapret, добавив в параметры `--daemon`. Например так:
 ```sh
 $ pkill ^dvtws$
-$ /opt/zapret/nfq/dvtws --port=989 --daemon --dpi-desync=split2
+$ /opt/zapret/nfq/dvtws --port=989 --daemon --dpi-desync=multisplit --dpi-desync-split-pos=2
 ```

 Для перезапуска фаервола и демонов достаточно будет сделать:
@ -209,7 +209,7 @@ $ ipfw delete 100
 $ ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted xmit em0
 # required for autottl mode only
 $ ipfw add 100 divert 989 tcp from any 80,443 to any tcpflags syn,ack in not diverted recv em0
-$ /opt/zapret/nfq/dvtws --port=989 --dpi-desync=split2
+$ /opt/zapret/nfq/dvtws --port=989 --dpi-desync=multisplit --dpi-desync-split-pos=2
 ```

 #### Трафик только на таблицу zapret, за исключением таблицы nozapret
@ -220,7 +220,7 @@ $ ipfw add 100 allow tcp from me to table\(nozapret\) 80,443
 $ ipfw add 100 divert 989 tcp from any to table\(zapret\) 80,443 out not diverted not sockarg xmit em0
 # required for autottl mode only
 $ ipfw add 100 divert 989 tcp from table\(zapret\) 80,443 to any tcpflags syn,ack in not diverted not sockarg recv em0
-$ /opt/zapret/nfq/dvtws --port=989 --dpi-desync=split2
+$ /opt/zapret/nfq/dvtws --port=989 --dpi-desync=multisplit --dpi-desync-split-pos=2
 ```


@ -317,7 +317,7 @@ sysctl net.inet6.ip6.pfil.inbound=ipfw,pf
 ipfw delete 100
 ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted xmit em0
 pkill ^dvtws$
-dvtws --daemon --port 989 --dpi-desync=split2
+dvtws --daemon --port 989 --dpi-desync=multisplit --dpi-desync-split-pos=2

 # required for newer pfsense versions (2.6.0 tested) to return ipfw to functional state
 pfctl -d ; pfctl -e
@ -357,7 +357,7 @@ rdr pass on em1 inet6 proto tcp to port {80,443} -> fe80::20c:29ff:5ae3:4821 por
 ```sh
 $ pfctl -a zapret -f /etc/zapret.anchor
 $ pkill ^tpws$
-$ tpws --daemon --port=988 --enable-pf --bind-addr=127.0.0.1 --bind-iface6=em1 --bind-linklocal=force --split-http-req=method --split-pos=2
+$ tpws --daemon --port=988 --enable-pf --bind-addr=127.0.0.1 --bind-iface6=em1 --bind-linklocal=force --split-pos=2
 ```

 4. После перезагрузки проверьте, что правила создались:
@ -424,7 +424,7 @@ pass out quick on em0 proto tcp to   port {80,443} divert-packet port 989 no sta

 ```sh
 $ pfctl -f /etc/pf.conf
-$ ./dvtws --port=989 --dpi-desync=split2
+$ ./dvtws --port=989 --dpi-desync=multisplit --dpi-desync-split-pos=2
 ```

 #### Трафик только на таблицу zapret, за исключением таблицы nozapret
@ -456,7 +456,7 @@ pass out quick on em0 inet6 proto tcp to   <zapret6-user> port {80,443} divert-p

 ```sh
 $ pfctl -f /etc/pf.conf
-$ ./dvtws --port=989 --dpi-desync=split2
+$ ./dvtws --port=989 --dpi-desync=multisplit --dpi-desync-split-pos=2
 ```


--- a/docs/bsdfw.txt
+++ b/docs/bsdfw.txt
@ -70,7 +70,7 @@ pass in  quick on em0 proto tcp from port {80,443} flags SA/SA divert-packet por
 pass in  quick on em0 proto tcp from port {80,443} no state
 pass out quick on em0 proto tcp to   port {80,443} divert-packet port 989 no state
 pfctl -f /etc/pf.conf
-./dvtws --port=989 --dpi-desync=split2
+./dvtws --port=989 --dpi-desync=multisplit --dpi-desync-split-pos=2

 ; dvtws with table limitations : to zapret,zapret6 but not to nozapret,nozapret6
 ; reload tables : pfctl -f /etc/pf.conf
--- a/docs/changes.txt
+++ b/docs/changes.txt
@ -363,3 +363,125 @@ nfqws,tpws: use alternate $ sign for $<config_file>
 repo: binaries removed from repo. git actions binaries build in releases.
 uninstall_easy.sh: offer to remove dependencies in openwrt
 install_easy.sh: allow to download lists in autohostlist filter mode
+
+v69:
+
+nfqws, tpws: multisplit/multidisorder support.
+nfqws: name change split->fakedsplit, disorder->fakeddisorder. compat : old names are synonyms
+nfqws: --dpi-desync-split-http-req, --dpi-desync-split-tls deprecated. compat : these parameters add split point to multisplit.
+nfqws: --dpi-desync=split2|disorder2 deprecated. compat: they are now synonyms for multisplit/multidisorder
+nfqws: cancel seqovl if MTU is exceeded (linux only). cancel seqovl for disorder if seqovl>=first_part_size.
+nfqws: fixed splits in multiple TLS segments.
+tpws: --split-http-req,--split-tls deprecated. compat : these parameters add split point to multisplit.
+tpws: --tlsrec now takes pos markers. compat : old names are converted to pos markers
+tpws: --tlsrec-pos deprecated. compat : sets absolute pos marker
+nfqws,tpws: chown autohostlist, autohostlist debug log and debug log files after options parse
+nfqws,tpws: set EXEDIR env var to use in @config (won't work for stadalone winws without /bin/sh)
+dvtws: set random/increasing ip_id value in generated packets
+mdig: fixed parsing of DNS reply in windows (stdin is opened as text, not binary)
+tpws: support compile for android NDK api level >= 21 (Android 5.0)
+tpws: --fix-seg segmentation fixer
+repo: build for android NDK api level 21 (Android 5.0)
+install_easy: support for APK package manager in openwrt
+blockcheck: removed ignore CA question
+blockcheck: removed IGNORE_CA, CURL_VERBOSE
+blockcheck: added CURL_OPT
+blockcheck: new strategies support
+blockcheck: test sequence rework
+blockcheck: view all working strategies in summary
+
+v69.1:
+
+init.d: keenetic udp fix custom
+tpws: fixed incorrect hostlist checks
+
+v69.2:
+
+nfqws,tpws: --skip
+nfqws: --methodeol
+init.d: do not use pgrep in sysv for busybox compat
+
+v69.3
+
+nfqws,tpws: fixed ipsets and hostlists
+all progs: version numbers for github, build date/time for self built
+repo: light release for openwrt and embedded systems
+repo: sha256sum
+
+v69.4
+
+nfqws: fakedsplit/fakeddisorder fakes for both split segments
+nfqws: --dpi-desync-fakedsplit-pattern
+
+v69.5
+
+nfqws,tpws: --dry-run
+install_easy: check tpws and nfqws options validity
+
+v69.6
+
+nfqws: set NETLINK_NO_ENOBUFS to fix possible nfq recv errors
+init.d: unify custom scripts for linux
+init.d: new custom scripts : 20-fw-extra, 50-wg4all
+
+v69.7
+
+nfqws,tpws: --comment
+nfqws: trash flood warning
+winws: exclude empty outgoing ack packets in windivert filter
+
+v69.8
+
+winws: accept empty outgoing RST and FIN packets for conntrack needs
+repo: lexra build
+
+v69.9
+
+init.d: exclude ipban from tpws redirection
+macos: fix install_easy
+macos: fix national decimal separator in sleep
+ipset: scripts maintenance
+
+v70
+
+blockcheck: override all dialog questions and enable batch mode
+blockcheck: parallel attempts
+nfqws: weaken wireguard initiation recognition. use len=148 and data[0]=1 signature
+nfqws: apply split+seqovl only to the first reasm fragment
+install_easy: dnf packager support
+nfqws,tpws: hostlist/ipset track not only file mod time but also file size
+nfqws,tpws,ipset: return lists reload on HUP
+nfqws,blockcheck: --dpi-desync-fake-tls-mod
+
+v70.1
+
+nfqws: --dpi-desync-fake-tls-mod=dupsid
+nfqws,tpws: test accessibility of list files after privs drop
+nfqws,tpws: --version
+
+v70.4
+
+nfqws,tpws: ^ prefix in hostlist to disable subdomain matches
+nfqws,tpws: optional systemd notify support. compile using 'make systemd'
+nfqws,tpws: systemd instance templates for nfqws and tpws
+nfqws,tpws: separate droproot from dropcaps
+tpws: detect WSL 1 and warn about non-working options
+
+v70.5
+
+nfqws: multiple --dpi-desync-fake-xxx
+nfqws: support of inter-packet fragmented QUIC CRYPTO
+
+v70.6
+
+nfqws: detect Discord Voice IP discovery packets
+nfqws: detect STUN message packets
+nfqws: change SNI to specified value tls mod : --dpi-desync-fake-tls-mod sni=<sni>
+nfqws: update default TLS ClientHello fake. firefox 136.0.4 finger, no kyber, SNI=microsoft.com
+nfqws: multiple mods for multiple TLS fakes
+init.d: remove 50-discord
+blockcheck: use tpws --fix-seg on linux for multiple splits
+
+v70.7
+
+nfqws,tpws: debug tls version, alpn, ech
--- a/docs/compile/build_howto_openwrt.txt
+++ b/docs/compile/build_howto_openwrt.txt
@ -1,21 +1,57 @@
 How to compile native programs for use in openwrt
 -------------------------------------------------

-1) Download latest SDK for your platform from https://downloads.openwrt.org
+1) Install required packages to the host system :

-   curl -o - https://downloads.openwrt.org/releases/23.05.5/targets/x86/64/openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64.tar.xz | tar -Jxvf -
-   cd openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64
+debian,ubuntu : apt install build-essential patch libncurses-dev python3-distutils unzip gawk wget git
+fedora: dnf install make patch gcc g++ ncurses-devel git perl

-2) ./scripts/feeds update -a
-   ./scripts/feeds install -a
+Other packages may be required on your distribution. Look for the errors.

-3) cp -R /opt/zapret/docs/compile/openwrt/. .
-   cp -R /opt/zapret/tpws package/zapret/tpws
-   cp -R /opt/zapret/nfq package/zapret/nfqws
-   cp -R /opt/zapret/mdig package/zapret/mdig
-   cp -R /opt/zapret/ip2net package/zapret/ip2net
+2) Download latest SDK for your target platform from https://downloads.openwrt.org

-4) make package/{tpws,nfqws,mdig,ip2net}/compile
+examples :

-5) find bin -name tpws*.ipk
-   #take your tpws*.ipk , nfqws*.ipk , ip2net*.ipk, mdig*.ipk from there
+curl -o - https://downloads.openwrt.org/releases/23.05.5/targets/x86/64/openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64.tar.xz | tar -Jxv
+cd openwrt-sdk-23.05.5-x86-64_gcc-12.3.0_musl.Linux-x86_64
+
+curl -o - https://downloads.openwrt.org/snapshots/targets/x86/64/openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64.tar.zst | tar --zstd -xv
+cd openwrt-sdk-x86-64_gcc-13.3.0_musl.Linux-x86_64
+
+3) Install required libs
+
+./scripts/feeds update base packages
+./scripts/feeds install libnetfilter-queue zlib libcap
+
+4) Prepare openwrt package definitions
+
+cp -R /opt/zapret/docs/compile/openwrt/. .
+cp -R /opt/zapret/tpws package/zapret/tpws
+cp -R /opt/zapret/nfq package/zapret/nfqws
+cp -R /opt/zapret/mdig package/zapret/mdig
+cp -R /opt/zapret/ip2net package/zapret/ip2net
+rm -f package/zapret/tpws/tpws/tpws package/zapret/nfqws/nfq/nfqws package/zapret/mdig/mdig/mdig package/zapret/ip2net/ip2net/ip2net
+
+5) Prepare .config
+
+make defconfig
+
+If you only need bins without packages comment 'CONFIG_AUTOREMOVE=y' line in .config
+
+6) Compile
+
+dynamic build : make package/{tpws,nfqws,mdig,ip2net}/compile
+static build :  make CFLAGS=-static package/{tpws,nfqws,mdig,ip2net}/compile
+
+7) Get result
+
+executables only : build_dir/target/<progname>
+ipk or apk packages : bin/packages/*/base
+
+8) Installing to openwrt to use with zapret
+
+zapret with or without binaries should be already installed in /opt/zapret.
+Install ipk's or apk's with all compiled progs using opkg or apk.
+Bins are placed to /opt/zapret/binaries/my.
+Or copy binaries there manually and set chmod 755 to them.
+Run install_bin.sh or install_easy.sh. They will use bins in 'my' folder.
--- a/docs/compile/build_howto_unix.txt
+++ b/docs/compile/build_howto_unix.txt
@ -0,0 +1,16 @@
+debian,ubuntu :
+
+apt install make gcc zlib1g-dev libcap-dev libnetfilter-queue-dev libsystemd-dev
+make -C /opt/zapret systemd
+
+FreeBSD :
+
+make -C /opt/zapret
+
+OpenBSD :
+
+make -C /opt/zapret bsd
+
+MacOS :
+
+make -C /opt/zapret mac
--- a/docs/compile/build_howto_windows.txt
+++ b/docs/compile/build_howto_windows.txt
@ -0,0 +1,29 @@
+Windows x64
+
+1) Download latest cygwin for windows 7
+
+curl -O https://www.cygwin.com/setup-x86_64.exe
+setup-x86_64.exe --allow-unsupported-windows --no-verify --site http://ctm.crouchingtigerhiddenfruitbat.org/pub/cygwin/circa/64bit/2024/01/30/231215
+
+2) During setup install packages : make gcc-core zlib-devel
+
+3) Run Cygwin.bat
+
+4) cd to %ZAPRET_BASE%/nfq
+
+cd C:/Users/user/Downloads/zapret/nfq
+
+5) Compile
+
+make cygwin64
+
+use winws.exe
+
+6) Take windivert.dll and windivert64.sys here : https://reqrypt.org/download
+Choose version 2.2.2 for Windows 10 and 2.2.0 for Windows 7.
+
+7) Copy cygwin1.dll, winws.exe, windivert.dll and windivert64.sys to one folder.
+
+8) Run winws.exe from cmd.exe running as administrator.
+winws will not run from cygwin shell with cygwin1.dll copy in it's folder.
+winws will not run without cygwin1.dll outside of cygwin shell.
--- a/docs/compile/openwrt/package/zapret/ip2net/Makefile
+++ b/docs/compile/openwrt/package/zapret/ip2net/Makefile
@ -24,8 +24,8 @@ define Build/Compile
 endef

 define Package/ip2net/install
-	$(INSTALL_DIR) $(1)/opt/zapret/ip2net
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/ip2net $(1)/opt/zapret/ip2net
+	$(INSTALL_DIR) $(1)/opt/zapret/binaries/my
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/ip2net $(1)/opt/zapret/binaries/my
 endef

 $(eval $(call BuildPackage,ip2net))
--- a/docs/compile/openwrt/package/zapret/mdig/Makefile
+++ b/docs/compile/openwrt/package/zapret/mdig/Makefile
@ -24,8 +24,8 @@ define Build/Compile
 endef

 define Package/mdig/install
-	$(INSTALL_DIR) $(1)/opt/zapret/mdig
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/mdig $(1)/opt/zapret/mdig
+	$(INSTALL_DIR) $(1)/opt/zapret/binaries/my
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/mdig $(1)/opt/zapret/binaries/my
 endef

 $(eval $(call BuildPackage,mdig))
--- a/docs/compile/openwrt/package/zapret/nfqws/Makefile
+++ b/docs/compile/openwrt/package/zapret/nfqws/Makefile
@ -25,8 +25,8 @@ define Build/Compile
 endef

 define Package/nfqws/install
-	$(INSTALL_DIR) $(1)/opt/zapret/nfq
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/nfqws $(1)/opt/zapret/nfq
+	$(INSTALL_DIR) $(1)/opt/zapret/binaries/my
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/nfqws $(1)/opt/zapret/binaries/my
 endef

 $(eval $(call BuildPackage,nfqws))
--- a/docs/compile/openwrt/package/zapret/tpws/Makefile
+++ b/docs/compile/openwrt/package/zapret/tpws/Makefile
@ -25,8 +25,8 @@ define Build/Compile
 endef

 define Package/tpws/install
-	$(INSTALL_DIR) $(1)/opt/zapret/tpws
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/tpws $(1)/opt/zapret/tpws
+	$(INSTALL_DIR) $(1)/opt/zapret/binaries/my
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/tpws $(1)/opt/zapret/binaries/my
 endef

 $(eval $(call BuildPackage,tpws))
--- a/docs/iptables.txt
+++ b/docs/iptables.txt
@ -12,7 +12,7 @@ iptables -t mangle -I POSTROUTING -p udp --dport 443 -m mark ! --mark 0x40000000
 # auto hostlist with avoiding wrong ACK numbers in RST,ACK packets sent by russian DPI
 sysctl net.netfilter.nf_conntrack_tcp_be_liberal=1 
 iptables -t mangle -I POSTROUTING -p tcp -m multiport --dports 80,443 -m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes 1:12 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
-iptables -t mangle -I PREROUTING -p tcp -m multiport --sports 80,443 -m connbytes --connbytes-dir=reply --connbytes-mode=packets --connbytes 1:6 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass
+iptables -t mangle -I PREROUTING -p tcp -m multiport --sports 80,443 -m connbytes --connbytes-dir=reply --connbytes-mode=packets --connbytes 1:3 -m mark ! --mark 0x40000000/0x40000000 -j NFQUEUE --queue-num 200 --queue-bypass


 For TPROXY :
--- a/docs/nftables.txt
+++ b/docs/nftables.txt
@ -19,8 +19,8 @@ For dpi desync attack :
 nft delete table inet ztest
 nft create table inet ztest
 nft add chain inet ztest post "{type filter hook postrouting priority mangle;}"
-nft add rule inet ztest post meta mark and 0x40000000 == 0 tcp dport "{80,443}" ct original packets 1-12 queue num 200 bypass
-nft add rule inet ztest post meta mark and 0x40000000 == 0 udp dport 443 ct original packets 1-12 queue num 200 bypass
+nft add rule inet ztest post meta mark and 0x40000000 == 0 tcp dport "{80,443}" ct original packets 1-6 queue num 200 bypass
+nft add rule inet ztest post meta mark and 0x40000000 == 0 udp dport 443 ct original packets 1-6 queue num 200 bypass

 # auto hostlist with avoiding wrong ACK numbers in RST,ACK packets sent by russian DPI
 sysctl net.netfilter.nf_conntrack_tcp_be_liberal=1 
--- a/docs/quick_start.md
+++ b/docs/quick_start.md
@ -2,8 +2,8 @@

 > [!CAUTION]  
 > Не пишите в issue вопросы типа "как скопировать файл", "как скачать", "как
-> запустить", ... То есть все , что касается базовых навыков обращения с ОС
-> linux. Эти вопросы будут закрывать сразу. Если у вас подобные вопросы
+> запустить" и т.п. То есть все, что касается базовых навыков обращения с ОС
+> Linux. Эти вопросы будут закрывать сразу. Если у вас подобные вопросы
 > возникают, рекомендую не использовать данный софт или искать помощь где-то в
 > другом месте. То же самое могу сказать тем, кто хочет нажать 1 кнопку, чтобы
 > все заработало, и совсем не хочет читать и изучать. Увы, такое не подвезли и
@ -50,6 +50,8 @@
 > образ `squashfs` с помощью `image builder` и перешить этим вариантом роутер.

 1. Скачайте последний [tar.gz релиз](https://github.com/bol-van/zapret/releases) в /tmp, распакуйте его, затем удалите архив.
+   Для openwrt и прошивок используйте вариант `openwrt-embedded`.
+   Для экономия места в /tmp можно качать через curl в stdout и сразу распаковывать.

 2. Убедитесь, что у вас отключены все средства обхода блокировок, в том числе и
   сам zapret. Гарантированно уберет zapret скрипт `uninstall_easy.sh`.
@ -87,14 +89,15 @@
   >
   > Проверить работает ли этот вариант можно так:
   > ```sh
-   > $ dig -p 53 @77.88.8.88 rutracker.org dig -p 1253 @77.88.8.88 rutracker.org
+   > $ dig -p 53 @77.88.8.88 rutracker.org
+   > $ dig -p 1253 @77.88.8.88 rutracker.org
   > ```
   >
   > Если DNS действительно подменяется, и ответ на эти 2 команды разный,
   > значит метод вероятно работает.
   >
   > В openwrt DNS на нестандартном порту можно прописать в `/etc/config/dhcp`
-   > таким способом :
+   > таким способом:
   >
   > ```
   > config dnsmasq
@ -156,12 +159,12 @@
   >
   > Далее, имея понимание что работает на http, https, quic нужно
   > сконструировать параметры запуска `tpws` и/или `nfqws` с использованием
-   > мультистратегии. Как работают мультистратегии описано в readme.txt.
+   > мультистратегии. Как работают мультистратегии описано в [readme.md](./readme.md#множественные-стратегии).
   >
   > Если кратко, то обычно параметры конструируются так:
   > ```sh
   > "--filter-udp=443 'параметры для quic' <HOSTLIST_NOAUTO> --new
-   > --filter-tcp=80,443 'обьединенные параметры для http и https' <HOSTLIST>"
+   > --filter-tcp=80,443 'объединенные параметры для http и https' <HOSTLIST>"
   > ```
   >
   > Или так:
@ -191,7 +194,7 @@
   > "--filter-l3=ipv4 --filter-udp=443 lпараметры для quic ipv4' <HOSTLIST_NOAUTO> --new
   > --filter-l3=ipv4 --filter-tcp=80 'параметры для http ipv4' <HOSTLIST> --new
   > --filter-l3=ipv4 --filter-tcp=443 'параметры для https ipv4' <HOSTLIST> --new
-   > --filter-l3=ipv6 --filter-udp=443 "параметры для quic ipv6" <HOSTLIST_NOAUTO> --new
+   > --filter-l3=ipv6 --filter-udp=443 'параметры для quic ipv6' <HOSTLIST_NOAUTO> --new
   > --filter-l3=ipv6 --filter-tcp=80 'параметры для http ipv6' <HOSTLIST> --new
   > --filter-l3=ipv6 --filter-tcp=443 'параметры для https ipv6' <HOSTLIST>"
   > ```
@ -213,7 +216,7 @@
   > Если используются методы нулевой фазы десинхронизации (`--mss`,
   > `--wssize`, `--dpi-desync=syndata`) и режим фильтрации `hostlist`, то все
   > параметры, относящиеся к этим методам, следует помещать в отдельные
-   > профили мульистратегии, которые получат управление до определения имени
+   > профили мультистратегии, которые получат управление до определения имени
   > хоста. Необходимо понимать алгоритм работы мультистратегий. Самым надежным
   > вариантом будет дублирование этих параметров на 2 профиля. Какой-нибудь
   > сработает в зависимости от параметра `MODE_FILTER`.
@ -235,6 +238,13 @@
 8. На все остальные вопросы `install_easy.sh` отвечайте согласно выводимой
   аннотации.

+9. Удалите директорию из /tmp, откуда производилась установка.
+
+## Полное удаление
+
+1. Прогоните `/opt/zapret/uninstall_easy.sh`.
+2. Cогласитесь на удаление зависимостей в openwrt.
+3. Удалите каталог `/opt/zapret`.

 ## Итог
 Это минимальная инструкция, чтобы быстро сориентироваться с чего начать.
--- a/docs/quick_start_windows.md
+++ b/docs/quick_start_windows.md
@ -47,11 +47,19 @@ _"Совсем ничего не могу, все очень сложно, да

 Не помогла _"таблетка"_ ? Это вовсе не значит, что ничего не получится. Но придется делать по нормальному.

+## НЕ ПОМОГЛО, КАК ТЕПЕРЬ ЭТО УДАЛИТЬ
+
+Если вы не устанавливали zapret как службу или запланированную задачу (а это требует редактирования cmd файлов),
+достаточно закрыть окно с winws и запустить windivert_delete.cmd.
+Альтернатива - перезагрузить компьютер.
+После чего можно удалить папку с zapret. На этом деинсталляция закончена.
+Если же вы устанавливали zapret как службу, то вы наверняка знаете как ее удалить.
+
 ## РЕШЕНИЕ "КАК ПОЛОЖЕНО"

 1) Скачайте и распакуйте архив https://github.com/bol-van/zapret-win-bundle/archive/refs/heads/master.zip.

-2) Если у вас Windows 7 x64, читайте [docs/windows.md](./windows.md). Без описанной там подготовки может не работать.
+2) Если у вас Windows 7 x64, однократно запустите `win7/install_win7.cmd`. Батник заменит файлы windivert на совместимую с Windows 7 версию.

 > [!WARNING]  
 > Для 32-битных систем Windows нет готового полного варианта.
@ -115,7 +123,7 @@ blockcheck перейдет в этом случае на **DoH** _(DNS over HTT
   > она стабильна, на третьих полный хаос, и проще отказаться.
   >
   > Далее, имея понимание что работает на http, https, quic, нужно сконструировать параметры запуска winws
-   > с использованием мультистратегии. Как работают мультистратегии описано в [readme.md](./readme.md).
+   > с использованием мультистратегии. Как работают мультистратегии описано в [readme.md](./readme.md#множественные-стратегии).
   >
   > Прежде всего вам нужно собрать фильтр перехватываемого трафика. Это делается через параметры
   > `--wf-l3`, `--wf-tcp`, `--wf-udp`.
--- a/docs/readme.en.md
+++ b/docs/readme.en.md
--- a/docs/readme.md
+++ b/docs/readme.md
--- a/docs/windows.en.md
+++ b/docs/windows.en.md
@ -101,10 +101,11 @@ There are several options :
 Replace these 2 files in every location they are present.
 In `zapret-win-bundle` they are in `zapret-winws` и `blockcheck/zapret/nfq` folders.
 However this option still requires 10+ year old patch that enables SHA256 signatures.
+If you're using win bundle you can simply run `win7\install_win7.cmd`

-2. [Hack ESU](https://hackandpwn.com/windows-7-esu-patching)
+3. [Hack ESU](https://hackandpwn.com/windows-7-esu-patching)

-3. Use `UpdatePack7R2` from simplix : https://blog.simplix.info
+4. Use `UpdatePack7R2` from simplix : https://blog.simplix.info
 If you are in Russia or Belarus temporary change region in Control Panel.

 ### blockcheck
--- a/docs/windows.md
+++ b/docs/windows.md
@ -159,6 +159,7 @@ _windivert 2.2.2-A_, который идет в поставке zapret.
 и заменить эти 2 файла.
 В [zapret-win-bundle](https://github.com/bol-van/zapret-win-bundle) есть отдельных 2 места, где находится **winws** : [_zapret-winws_](https://github.com/bol-van/zapret-win-bundle/tree/master/zapret-winws) и [_blockcheck/zapret/nfq_](https://github.com/bol-van/zapret-win-bundle/tree/master/blockcheck).
 Надо менять в обоих местах.
+Альтернативный вариант при использовании win bundle - запустить `win7\install_win7.cmd`

 > [!NOTE]
 > Этот вариант проверен и должен работать. Тем не менее патч 10 летней давности, который включает SHA256 сигнатуры, все еще необходим.
--- a/docs/wireguard/010-wg-mod.patch
+++ b/docs/wireguard/010-wg-mod.patch
@ -1,133 +0,0 @@
-Index: WireGuard-0.0.20190123/src/cookie.c
-===================================================================
--- WireGuard-0.0.20190123.orig/src/cookie.c
-+++ WireGuard-0.0.20190123/src/cookie.c
-@@ -193,6 +193,8 @@ void wg_cookie_message_create(struct mes
- 	xchacha20poly1305_encrypt(dst->encrypted_cookie, cookie, COOKIE_LEN,
- 				  macs->mac1, COOKIE_LEN, dst->nonce,
- 				  checker->cookie_encryption_key);
-+        // MOD : randomize trash
-+	dst->header.trash = gen_trash();
- }
- 
- void wg_cookie_message_consume(struct message_handshake_cookie *src,
-Index: WireGuard-0.0.20190123/src/messages.h
-===================================================================
--- WireGuard-0.0.20190123.orig/src/messages.h
-+++ WireGuard-0.0.20190123/src/messages.h
-@@ -53,23 +53,41 @@ enum limits {
- 	MAX_QUEUED_PACKETS = 1024 /* TODO: replace this with DQL */
- };
- 
-+/*
- enum message_type {
-	MESSAGE_INVALID = 0,
-	MESSAGE_HANDSHAKE_INITIATION = 1,
-	MESSAGE_HANDSHAKE_RESPONSE = 2,
-	MESSAGE_HANDSHAKE_COOKIE = 3,
-	MESSAGE_DATA = 4
-+    MESSAGE_INVALID = 0,
-+    MESSAGE_HANDSHAKE_INITIATION = 1,
-+    MESSAGE_HANDSHAKE_RESPONSE = 2,
-+    MESSAGE_HANDSHAKE_COOKIE = 3,
-+    MESSAGE_DATA = 4
- };
-+*/
-+
-+// MOD : message type
-+enum message_type {
-+    MESSAGE_INVALID = 0xE319CCD0,
-+    MESSAGE_HANDSHAKE_INITIATION = 0x48ADE198,
-+    MESSAGE_HANDSHAKE_RESPONSE = 0xFCA6A8F3,
-+    MESSAGE_HANDSHAKE_COOKIE = 0x64A3BB18,
-+    MESSAGE_DATA = 0x391820AA
-+};
-+
-+// MOD : generate fast trash without true RNG
-+__le32 gen_trash(void);
- 
- struct message_header {
-	/* The actual layout of this that we want is:
-	 * u8 type
-	 * u8 reserved_zero[3]
-	 *
-	 * But it turns out that by encoding this as little endian,
-	 * we achieve the same thing, and it makes checking faster.
-	 */
-	__le32 type;
-+    /* The actual layout of this that we want is:
-+     * u8 type
-+     * u8 reserved_zero[3]
-+     *
-+     * But it turns out that by encoding this as little endian,
-+     * we achieve the same thing, and it makes checking faster.
-+     */
-+
-+    // MOD : trash field to change message size and add 4 byte offset to all fields
-+    __le32 trash;
-+
-+    __le32 type;
- };
- 
- struct message_macs {
-Index: WireGuard-0.0.20190123/src/noise.c
-===================================================================
--- WireGuard-0.0.20190123.orig/src/noise.c
-+++ WireGuard-0.0.20190123/src/noise.c
-@@ -17,6 +17,24 @@
- #include <linux/highmem.h>
- #include <crypto/algapi.h>
- 
-+
-+// MOD : trash generator
-+__le32 gtrash = 0;
-+__le32 gen_trash(void)
-+{
-+    if (gtrash)
-+	gtrash = gtrash*1103515243 + 12345;
-+    else
-+	// first value is true random
-+	get_random_bytes_wait(&gtrash, sizeof(gtrash));
-+    return gtrash;
-+}
-+
- /* This implements Noise_IKpsk2:
-  *
-  * <- s
-@@ -515,6 +533,10 @@ wg_noise_handshake_create_initiation(str
- 		&handshake->entry);
- 
- 	handshake->state = HANDSHAKE_CREATED_INITIATION;
-+
-+	// MOD : randomize trash
-+        dst->header.trash = gen_trash();
-+
- 	ret = true;
- 
- out:
-@@ -655,6 +677,10 @@ bool wg_noise_handshake_create_response(
- 		&handshake->entry);
- 
- 	handshake->state = HANDSHAKE_CREATED_RESPONSE;
-+
-+        // MOD : randomize trash
-+        dst->header.trash = gen_trash();
-+
- 	ret = true;
- 
- out:
-Index: WireGuard-0.0.20190123/src/send.c
-===================================================================
--- WireGuard-0.0.20190123.orig/src/send.c
-+++ WireGuard-0.0.20190123/src/send.c
-@@ -200,6 +200,10 @@ static bool encrypt_packet(struct sk_buf
- 	header->header.type = cpu_to_le32(MESSAGE_DATA);
- 	header->key_idx = keypair->remote_index;
- 	header->counter = cpu_to_le64(PACKET_CB(skb)->nonce);
-+
-+        // MOD : randomize trash
-+	header->header.trash = gen_trash();
-+
- 	pskb_put(skb, trailer, trailer_len);
- 
- 	/* Now we can encrypt the scattergather segments */
--- a/docs/wireguard/wireguard-mod.txt
+++ b/docs/wireguard/wireguard-mod.txt
@ -1,250 +0,0 @@
-!!! Эта инструкция написана еще до включения wireguard в ядро linux.
-!!! Процесс сборки для in-tree модулей отличается.
-!!! Цель данного чтива - дать идею для программистов как можно исправить исходники wireguard
-!!! для преодоления DPI. Автор не преследует цели поддерживать готовые патчи для актуальных версий.
-!!! Вместо патчинга гораздо проще использовать навесное решение ipobfs.
-
-Посвящено возможной блокировке в РФ VPN протоколов через DPI.
-Предпосылками являются последние законодательные акты и во всю сочащиеся "секретные" записки.
-В РФ разрабатываются и готовятся к применению более продвинутые решения по блокировке трафика.
-Вполне вероятно будут резать стандартные VPN протоколы. Нам надо быть к этому готовыми.
-
-Один из возможных и перспективных путей решения данного вопроса - кустомная модификация
-исходников VPN с целью незначительного изменения протокола, ломающего стандартные модули обнаружения в DPI.
-Это относительно сложно, доступно только для гиков.
-Никто не будет разрабатывать специальные модули обнаружения в DPI, если только кто-то не сделает простое и
-удобное решение для всех, и его станут широко применять. Но это маловероятно, и даже если и так,
-то всегда можно модифицировать протокол чуток по другому. Делать моды для DPI несравненно дольше
-и дороже, чем клепать на коленке изменения протокола для wireguard.
-
-
-ЗАМЕЧЕНИЕ : альтернативой модификации конечного софта для VPN является использование "навесных"
-обфускаторов. см : https://github.com/bol-van/ipobfs
-
-
-Рассмотрю что нам надо пропатчить в wireguard. Модифицированный wireguard проверен на виртуалках
-с десктопным linux, он работает, сообщения в wireshark действительно не вписываются в стандартный
-протокол и не опознаются.
-
-Wireguard протокол очень простой. Все сообщения описаны в messages.h
-Поставим себе целью сделать 2 простые модификации :
-1) Добавим в начало всех сообщений немного мусора, чтобы изменить размер сообщений и смещения полей
-2) Изменим коды типов сообщений
-Этого может быть вполне достаточно для обмана DPI
-
--messages.h--------------------------
-/*
-enum message_type {
-	MESSAGE_INVALID = 0,
-	MESSAGE_HANDSHAKE_INITIATION = 1,
-	MESSAGE_HANDSHAKE_RESPONSE = 2,
-	MESSAGE_HANDSHAKE_COOKIE = 3,
-	MESSAGE_DATA = 4
-};
-*/
-
-// MOD : message type
-enum message_type {
-	MESSAGE_INVALID = 0xE319CCD0,
-	MESSAGE_HANDSHAKE_INITIATION = 0x48ADE198,
-	MESSAGE_HANDSHAKE_RESPONSE = 0xFCA6A8F3,
-	MESSAGE_HANDSHAKE_COOKIE = 0x64A3BB18,
-	MESSAGE_DATA = 0x391820AA
-};
-
-// MOD : generate fast trash without true RNG
-__le32 gen_trash(void);
-
-struct message_header {
-	/* The actual layout of this that we want is:
-	 * u8 type
-	 * u8 reserved_zero[3]
-	 *
-	 * But it turns out that by encoding this as little endian,
-	 * we achieve the same thing, and it makes checking faster.
-	 */
-
-	// MOD : trash field to change message size and add 4 byte offset to all fields
-	__le32 trash;
-
-	__le32 type;
-};
--------------------------------------
-
-Напишем функцию для генерации trash. Функция должна быть быстрая, важно не замедлить скорость.
-Мы не расчитываем, что нас будут специально ловить, иначе бы пришлось делать полноценный обфускатор.
-Задача лишь сломать стандартный модуль обнаружения протокола wireguard. Потому истинная рандомность
-trash не важна.
-Но все же немного "трэша" не повредит. Гонки между тредами так же пофигистичны. Это же трэш.
-
--noise.c-----------------------------
-// MOD : trash generator
-__le32 gtrash = 0;
-__le32 gen_trash(void)
-{
-	if (gtrash)
-		gtrash = gtrash*1103515243 + 12345;
-	else
-		// first value is true random
-		get_random_bytes_wait(&gtrash, sizeof(gtrash));
-	return gtrash;
-}
--------------------------------------
-
-Теперь осталось найти все места, где создаются сообщения и внести туда заполнение поля trash.
-Сообщений всего 4. Их можно найти по присваиванию полю type одного из значений enum message_type.
-
-2 места в noise.c в функциях wg_noise_handshake_create_initiation и wg_noise_handshake_create_response,
-1 место в cookie.c в функции wg_cookie_message_create
-Дописываем в конец инициализации структуры сообщения :
-
--------------------------------------
-	// MOD : randomize trash
-	dst->header.trash = gen_trash();
--------------------------------------
-
-и 1 место в send.c в функции encrypt_packet
-
--------------------------------------
-	// MOD : randomize trash
-	header->header.trash = gen_trash();
--------------------------------------
-
-
-Вот и весь патчинг. Полный patch (версия wireguard 0.0.20190123) лежит в 010-wg-mod.patch.
-Патчинг кода - самое простое. Для десктопного linux дальше все просто.
-Пересобираем через make, устанавливаем через make install, перегружаем
-модуль wireguard, перезапускаем интерфейсы, и все готово.
-
-Настоящий геморой начнется когда вы это попытаетесь засунуть на роутер под openwrt.
-Одна из больших проблем linux - отсутствие совместимости драйверов на уровне бинариков.
-Поэтому собирать необходимо в точности под вашу версию ядра и в точности под его .config.
-Вам придется либо полностью самостоятельно собирать всю прошивку, либо найти SDK в точности
-от вашей версии прошивки для вашей архитектуры и собрать модуль с помощью этого SDK.
-Последний вариант более легкий.
-Для сборки вам понадобится система на linux x86_64. Ее можно установить в виртуалке.
-Теоретически можно пользоваться WSL из win10, но на практике там очень медленное I/O,
-по крайней мере на старых версиях win10. Безумно медленное. Будете собирать вечность.
-Может в новых win10 что-то и улучшили, но я бы сразу расчитывал на полноценный linux.
-
-Находим здесь вашу версию : https://downloads.openwrt.org/
-Скачиваем файл openwrt-sdk-*.tar.xz или lede-sdk-*.tar.xz
-Например : https://downloads.openwrt.org/releases/18.06.2/targets/ar71xx/generic/openwrt-sdk-18.06.2-ar71xx-generic_gcc-7.3.0_musl.Linux-x86_64.tar.xz
-Если ваша версия непонятна или стара, то проще будет найти последнюю прошивку и перешить роутер.
-Распаковываем SDK. Следующими командами можно собрать оригинальный вариант wireguard :
-
-# scripts/feeds update -a
-# scripts/feeds install -a
-# make defconfig
-# make -j 4 package/wireguard/compile
-
-Сборка будет довольно долгой. Ведь придется подтащить ядро, собрать его, собрать зависимости.
-"-j 4" означает использовать 4 потока. Впишите вместо 4 количество доступных cpu cores.
-
-Получим следующие файлы :
-
-openwrt-sdk-18.06.2-ar71xx-generic_gcc-7.3.0_musl.Linux-x86_64/bin/targets/ar71xx/generic/packages/kmod-wireguard_4.9.152+0.0.20190123-1_mips_24kc.ipk
-openwrt-sdk-18.06.2-ar71xx-generic_gcc-7.3.0_musl.Linux-x86_64/bin/packages/mips_24kc/base/wireguard-tools_0.0.20190123-1_mips_24kc.ipk
-
-Но это будет оригинальный wireguard. Нам нужен патченый.
-Установим quilt и mc для нормального редактора вместо vim :
-
-# sudo apt-get update
-# sudo apt-get install quilt mc
-
-# make package/wireguard/clean
-# make package/wireguard/prepare V=s QUILT=1
-
-
-Сорцы приготовлены для сборки в :
- openwrt-sdk-18.06.2-ar71xx-generic_gcc-7.3.0_musl.Linux-x86_64/build_dir/target-mips_24kc_musl/linux-ar71xx_generic/WireGuard-0.0.20190123/src
-
-# cd build_dir/target-mips_24kc_musl/linux-ar71xx_generic/WireGuard-0.0.20190123/src
-# quilt push -a
-# quilt new 010-wg-mod.patch
-# export EDITOR=mcedit
-
-Далее будет открываться редактор mcedit, в который нужно вносить изменения в каждый файл :
-
-# quilt edit messages.h
-# quilt edit cookie.c
-# quilt edit noise.c
-# quilt edit send.c
-# quilt diff
-# quilt refresh
-
-Получили файл патча в :
-openwrt-sdk-18.06.2-ar71xx-generic_gcc-7.3.0_musl.Linux-x86_64/build_dir/target-mips_24kc_musl/linux-ar71xx_generic/WireGuard-0.0.20190123/patches/010-wg-mod.patch
-
-Выходим в корень SDK.
-
-# make package/wireguard/compile V=99
-
-Если не было ошибок, то получили измененные ipk.
-Патч можно зафиксировать в описании пакета :
-
-# make package/wireguard/update
-
-Получим :
-openwrt-sdk-18.06.2-ar71xx-generic_gcc-7.3.0_musl.Linux-x86_64/feeds/base/package/network/services/wireguard/patches/010-wg-mod.patch
-При последующей очистке и пересборке он будет автоматом применяться.
-
-
-АЛЬТЕРНАТИВА : можно не возиться с quilt.
-сделайте
-# make package/wireguard/clean
-# make package/wireguard/prepare
-и напрямую модифицируйте или копируйте файлы в 
- openwrt-sdk-18.06.2-ar71xx-generic_gcc-7.3.0_musl.Linux-x86_64/build_dir/target-mips_24kc_musl/linux-ar71xx_generic/WireGuard-0.0.20190123/src
-затем
-# make package/wireguard/compile
-
-Если нужно поменять версию wireguard, то идите в
-openwrt-sdk-18.06.2-ar71xx-generic_gcc-7.3.0_musl.Linux-x86_64/feeds/base/package/network/services/wireguard/Makefile
-поменяйте там версию в PKG_VERSION на последнюю из : https://git.zx2c4.com/WireGuard
-скачайте tar.xz с этой версией , вычислите его sha256sum, впишите в PKG_HASH
-
-1 раз где-нибудь пропатчите файлы последней версии wireguard в текстовом редакторе, скопируйте в build_dir,
-сделайте версию для openwrt. эти же файлы скопируйте на ваш сервер с десктопным linux, сделайте там make / make install
-
-Но имейте в виду, что build_dir - локация для временных файлов.
-make clean оттуда все снесет, включая ваши модификации. Модифицированные файлы лучше сохранить отдельно,
-чтобы потом было легко скопировать обратно.
-
-Полученные ipk копируем на роутер в /tmp, устанавливаем через
-# cd /tmp
-# rm -r /tmp/opkg-lists
-# opkg install *.ipk
-Если требует зависимостей, то
-# opkg update
-# opkg install .... <зависимости>
-# rm -r /tmp/opkg-lists
-# opkg install *.ipk
-
-В /tmp/opkg-lists opkg хранит кэш списка пакетов. Если попытаться установить файл ipk, и такой же пакет
-найдется в репозитории, opkg будет устанавливать из репозитория. А нам это не надо.
-
-# rmmod wireguard
-# kmodloader
-# dmesg | tail
-должны увидеть что-то вроде :
-[8985.415490] wireguard: WireGuard 0.0.20190123 loaded. See www.wireguard.com for information.
-[8985.424178] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
-значит модуль загрузился
-
-Могут понадобиться ключи opkg --force-reinstall, --force-depends.
--force-depends поможет при несоответствии hash версии ядра. То есть версия x.x.x та же самая, но hash конфигурации разный.
-При несоответствии x.x.x вы что-то делаете не так, работать это не будет.
-Например : 4.14.56-1-b1186491495127cc6ff81d29c00a91fc, 4.14.56-1-3f8a21a63974cfb7ee67e41f2d4b805d
-Это свидетельствует о несоответствии .config ядра при сборке прошивки и в SDK.
-Если несоответствие легкое, то может все прокатить, но при более серьезной разнице в .config модуль может не загрузиться
-или вызвать стабильные или хаотические падения ядра и перезагрузки (включая вариант беcконечной перезагрузки - bootloop).
-Так что перед --force-depends убедитесь, что знаете как лечится такая ситуация, и не стоит это делать при отсутствии физического
-доступа к девайсу.
-
-Когда поднимите линк, и вдруг ничего не будет работать, то посмотрите в wireshark udp пакеты
-на порт endpoint. Они не должны начинаться с 0,1,2,3,4. В первых 4 байтах должен быть рандом,
-в следующих 4 байтах - значения из измененного enum message_type. Если пакет все еще начинается с 0..4,
-значит модуль wireguard оригинальный, что-то не собралось, не скопировалось, не перезапустилось.
-В противном случае должен подняться линк, пинги ходить. Значит вы победили, поздравляю.
-Регулятору будет намного сложнее поймать ваш VPN.
--- a/docs/wireguard/wireguard_iproute_openwrt.txt
+++ b/docs/wireguard/wireguard_iproute_openwrt.txt
@ -236,7 +236,7 @@ config rule

 --- Подготовка zapret ---

-Выполните install_easy.sh. Он настроит режим обхода DPI. Если обход DPI не нужен - выберите MODE=filter.
+Выполните install_easy.sh. Он настроит режим обхода DPI. Если обход DPI не нужен - не включайте tpws и nfqws.
 Так же инсталятор заресолвит домены из ipset/zapret-hosts-user-ipban.txt и внесет крон-джоб для периодического обновления ip.

 Если вы используете в своих правилах ipset zapret, то он ресолвится и обновляется только, если выбран режим фильтрации обхода DPI по ipset.
--- a/files/fake/discord-ip-discovery-with-port.bin
+++ b/files/fake/discord-ip-discovery-with-port.bin
--- a/files/fake/discord-ip-discovery-without-port.bin
+++ b/files/fake/discord-ip-discovery-without-port.bin
--- a/files/fake/isakmp_initiator_request.bin
+++ b/files/fake/isakmp_initiator_request.bin
--- a/files/fake/quic_initial_rr1---sn-xguxaxjvh-n8me_googlevideo_com_kyber_1.bin
+++ b/files/fake/quic_initial_rr1---sn-xguxaxjvh-n8me_googlevideo_com_kyber_1.bin
--- a/files/fake/quic_initial_rr1---sn-xguxaxjvh-n8me_googlevideo_com_kyber_2.bin
+++ b/files/fake/quic_initial_rr1---sn-xguxaxjvh-n8me_googlevideo_com_kyber_2.bin
--- a/files/fake/stun.bin
+++ b/files/fake/stun.bin
--- a/files/fake/tls_clienthello_www_google_com.bin
+++ b/files/fake/tls_clienthello_www_google_com.bin
--- a/init.d/custom.d.examples.linux/10-keenetic-udp-fix
+++ b/init.d/custom.d.examples.linux/10-keenetic-udp-fix
@ -0,0 +1,22 @@
+# This script fixes keenetic issue with nfqws generated udp packets
+# Keenetic uses proprietary ndmmark and does not masquerade without this mark
+# If not masqueraded packets go to WAN with LAN IP and get dropped by ISP
+
+# It's advised to set IFACE_WAN in config
+
+zapret_custom_firewall()
+{
+	# $1 - 1 - add, 0 - stop
+
+	local wan wanif rule
+
+	[ "$DISABLE_IPV4" = "1" ] || {
+		# use IFACE_WAN if defined. if not - search for interfaces with default route.
+		wanif=${IFACE_WAN:-$(sed -nre 's/^([^\t]+)\t00000000\t[0-9A-F]{8}\t[0-9A-F]{4}\t[0-9]+\t[0-9]+\t[0-9]+\t00000000.*$/\1/p' /proc/net/route | sort -u | xargs)}
+		for wan in $wanif; do
+			rule="-o $wan -p udp -m mark --mark $DESYNC_MARK/$DESYNC_MARK"
+			ipt_print_op $1 "$rule" "keenetic udp fix"
+			ipt_add_del $1 POSTROUTING -t nat $rule -j MASQUERADE
+		done
+	}
+}
--- a/init.d/custom.d.examples.linux/20-fw-extra
+++ b/init.d/custom.d.examples.linux/20-fw-extra
@ -0,0 +1,66 @@
+# this custom script runs standard mode with extra firewall rules
+
+# config: use TPWS_ENABLE_OVERRIDE, NFQWS_ENABLE_OVERRIDE to enable standard mode daemons
+# standard and override switches cannot be enabled simultaneously !
+
+TPWS_ENABLE_OVERRIDE=${TPWS_ENABLE_OVERRIDE:-0}
+NFQWS_ENABLE_OVERRIDE=${NFQWS_ENABLE_OVERRIDE:-0}
+
+# config: some if these values must be set in config. not setting any of these makes this script meaningless.
+# pre vars put ipt/nft code to the rule beginning
+#FW_EXTRA_PRE_TPWS_IPT=
+#FW_EXTRA_PRE_TPWS_NFT=
+#FW_EXTRA_PRE_NFQWS_IPT="-m mark --mark 0x10000000/0x10000000"
+#FW_EXTRA_PRE_NFQWS_NFT="mark and 0x10000000 != 0"
+# post vars put ipt/nft code to the rule end
+#FW_EXTRA_POST_TPWS_IPT=
+#FW_EXTRA_POST_TPWS_NFT=
+#FW_EXTRA_POST_NFQWS_IPT=
+#FW_EXTRA_POST_NFQWS_NFT=
+
+check_std_intersect()
+{
+	[ "$TPWS_ENABLE_OVERRIDE" = 1 -a "$TPWS_ENABLE" = 1 ] && {
+		echo "ERROR ! both TPWS_ENABLE_OVERRIDE and TPWS_ENABLE are enabled"
+		return 1
+	}
+	[ "$NFQWS_ENABLE_OVERRIDE" = 1 -a "$NFQWS_ENABLE" = 1 ] && {
+		echo "ERROR ! both NFQWS_ENABLE_OVERRIDE and NFQWS_ENABLE are enabled"
+		return 1
+	}
+	return 0
+}
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+	check_std_intersect || return
+
+	local TPWS_SOCKS_ENABLE=0 TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
+	standard_mode_daemons "$1"
+}
+zapret_custom_firewall()
+{
+        # $1 - 1 - run, 0 - stop
+
+	check_std_intersect || return
+
+	local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
+	FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_IPT"
+	zapret_do_firewall_standard_tpws_rules_ipt $1
+	FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_IPT"
+	zapret_do_firewall_standard_nfqws_rules_ipt $1
+}
+zapret_custom_firewall_nft()
+{
+        # stop logic is not required
+
+	check_std_intersect || return
+
+	local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
+	FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_NFT"
+	zapret_apply_firewall_standard_tpws_rules_nft
+	FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_NFT"
+	zapret_apply_firewall_standard_nfqws_rules_nft
+}
--- a/init.d/custom.d.examples.linux/50-dht4all
+++ b/init.d/custom.d.examples.linux/50-dht4all
@ -8,9 +8,9 @@ alloc_qnum QNUM_DHT4ALL

 zapret_custom_daemons()
 {
-        # stop logic is managed by procd
+	# $1 - 1 - add, 0 - stop

-        local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
+        local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_DESYNC_DHT"
 	do_nfqws $1 $DNUM_DHT4ALL "$opt"
 }
 zapret_custom_firewall()
--- a/init.d/custom.d.examples.linux/50-nfqws-ipset
+++ b/init.d/custom.d.examples.linux/50-nfqws-ipset
@ -0,0 +1,74 @@
+# this custom script demonstrates how to launch extra nfqws instance limited by ipset. ipv4 only.
+
+# can override in config :
+NFQWS_OPT_DESYNC_NFQWS_MY1="${NFQWS_OPT_DESYNC_NFQWS_MY1:---dpi-desync=fake --dpi-desync-repeats=6 --dpi-desync-any-protocol}"
+NFQWS_MY1_PORTS=${NFQWS_MY1_PORTS:-6000-6009}
+NFQWS_MY1_SUBNETS="${NFQWS_MY1_SUBNETS:-34.0.48.0/21 34.0.56.0/23 34.0.59.0/24 34.0.60.0/24 34.0.62.0/23}"
+
+alloc_dnum DNUM_NFQWS_MY1
+alloc_qnum QNUM_NFQWS_MY1
+NFQWS_MY1_SET_NAME=my1nfqws4
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local opt="--qnum=$QNUM_NFQWS_MY1 $NFQWS_OPT_DESYNC_NFQWS_MY1"
+	do_nfqws $1 $DNUM_NFQWS_MY1 "$opt"
+}
+
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local f
+	local first_packets_only="$ipt_connbytes 1:3"
+	local NFQWS_MY1_PORTS_IPT=$(replace_char - : $NFQWS_MY1_PORTS)
+	local dest_set="-m set --match-set $NFQWS_MY1_SET_NAME dst"
+	local subnet
+
+	local DISABLE_IPV6=1
+
+	[ "$1" = 1 ] && {
+		ipset create $NFQWS_MY1_SET_NAME hash:net hashsize 8192 maxelem 4096 2>/dev/null
+		ipset flush $NFQWS_MY1_SET_NAME
+		for subnet in $NFQWS_MY1_SUBNETS; do
+			echo add $NFQWS_MY1_SET_NAME $subnet
+		done | ipset -! restore
+	}
+
+	f="-p udp -m multiport --dports $NFQWS_MY1_PORTS_IPT"
+	fw_nfqws_post $1 "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1
+
+	[ "$1" = 1 ] || {
+		ipset destroy $NFQWS_MY1_SET_NAME 2>/dev/null
+	}
+}
+
+zapret_custom_firewall_nft()
+{
+	# stop logic is not required
+
+	local f
+	local first_packets_only="$nft_connbytes 1-3"
+	local dest_set="ip daddr @$NFQWS_MY1_SET_NAME"
+	local subnets
+
+	local DISABLE_IPV6=1
+
+	make_comma_list subnets $NFQWS_MY1_SUBNETS
+	nft_create_set $NFQWS_MY1_SET_NAME "type ipv4_addr; size 4096; auto-merge; flags interval;"
+	nft_flush_set $NFQWS_MY1_SET_NAME
+	nft_add_set_element $NFQWS_MY1_SET_NAME "$subnets"
+
+	f="udp dport {$NFQWS_MY1_PORTS}"
+	nft_fw_nfqws_post "$f $first_packets_only $dest_set" "" $QNUM_NFQWS_MY1
+}
+
+zapret_custom_firewall_nft_flush()
+{
+	# this function is called after all nft fw rules are deleted
+	# however sets are not deleted. it's desired to clear sets here.
+
+	nft_del_set $NFQWS_MY1_SET_NAME 2>/dev/null
+}
--- a/init.d/custom.d.examples.linux/50-tpws-ipset
+++ b/init.d/custom.d.examples.linux/50-tpws-ipset
@ -0,0 +1,89 @@
+# this custom script demonstrates how to launch extra tpws instance limited by ipset
+
+# can override in config :
+TPWS_MY1_OPT="${TPWS_MY1_OPT:---oob --split-pos=midsld}"
+TPWS_MY1_PORTS=${TPWS_MY1_PORTS:-$TPWS_PORTS}
+TPWS_MY1_SUBNETS4="${TPWS_MY1_SUBNETS4:-142.250.0.0/15 64.233.160.0/19 172.217.0.0/16 173.194.0.0/16 108.177.0.0/17 74.125.0.0/16 209.85.128.0/17 216.58.192.0/19}"
+TPWS_MY1_SUBNETS6="${TPWS_MY1_SUBNETS6:-2607:F8B0::/32 2a00:1450:4000::/37}"
+
+TPWS_MY1_IPSET_SIZE=${TPWS_MY1_IPSET_SIZE:-4096}
+TPWS_MY1_IPSET_OPT="${TPWS_MY1_IPSET_OPT:-hash:net hashsize 8192 maxelem $TPWS_MY1_IPSET_SIZE}"
+
+alloc_dnum DNUM_TPWS_MY1
+alloc_tpws_port PORT_TPWS_MY1
+TPWS_MY1_NAME4=my1tpws4
+TPWS_MY1_NAME6=my1tpws6
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local opt="--port=$PORT_TPWS_MY1 $TPWS_MY1_OPT"
+	do_tpws $1 $DNUM_TPWS_MY1 "$opt"
+}
+
+zapret_custom_firewall()
+{
+	# $1 - 1 - run, 0 - stop
+
+	local f4 f6 subnet
+	local PORTS_IPT=$(replace_char - : $TPWS_MY1_PORTS)
+	local dest_set="-m set --match-set $TPWS_MY1_NAME4 dst"
+
+	[ "$1" = 1 -a "$DISABLE_IPV4" != 1 ] && {
+		ipset create $TPWS_MY1_NAME4 $TPWS_MY1_IPSET_OPT family inet 2>/dev/null
+		ipset flush $TPWS_MY1_NAME4
+		for subnet in $TPWS_MY1_SUBNETS4; do
+			echo add $TPWS_MY1_NAME4 $subnet
+		done | ipset -! restore
+	}
+	[ "$1" = 1 -a "$DISABLE_IPV6" != 1 ] && {
+		ipset create $TPWS_MY1_NAME6 $TPWS_MY1_IPSET_OPT family inet6 2>/dev/null
+		ipset flush $TPWS_MY1_NAME6
+		for subnet in $TPWS_MY1_SUBNETS6; do
+			echo add $TPWS_MY1_NAME6 $subnet
+		done | ipset -! restore
+	}
+
+	f4="-p tcp -m multiport --dports $PORTS_IPT -m set --match-set"
+	f6="$f4 $TPWS_MY1_NAME6 dst"
+	f4="$f4 $TPWS_MY1_NAME4 dst"
+	fw_tpws $1 "$f4" "$f6" $PORT_TPWS_MY1
+
+	[ "$1" = 1 ] || {
+		ipset destroy $TPWS_MY1_NAME4 2>/dev/null
+		ipset destroy $TPWS_MY1_NAME6 2>/dev/null
+	}
+}
+
+zapret_custom_firewall_nft()
+{
+	local f4 f6 subnet
+
+	[ "$DISABLE_IPV4" != 1 ] && {
+	        make_comma_list subnets $TPWS_MY1_SUBNETS4
+		nft_create_set $TPWS_MY1_NAME4 "type ipv4_addr; size $TPWS_MY1_IPSET_SIZE; auto-merge; flags interval;"
+		nft_flush_set $TPWS_MY1_NAME4
+		nft_add_set_element $TPWS_MY1_NAME4 "$subnets"
+	}
+	[ "$DISABLE_IPV6" != 1 ] && {
+	        make_comma_list subnets $TPWS_MY1_SUBNETS6
+		nft_create_set $TPWS_MY1_NAME6 "type ipv6_addr; size $TPWS_MY1_IPSET_SIZE; auto-merge; flags interval;"
+		nft_flush_set $TPWS_MY1_NAME6
+		nft_add_set_element $TPWS_MY1_NAME6 "$subnets"
+	}
+
+	f4="tcp dport {$TPWS_MY1_PORTS}"
+	f6="$f4 ip6 daddr @$TPWS_MY1_NAME6"
+	f4="$f4 ip daddr @$TPWS_MY1_NAME4"
+	nft_fw_tpws "$f4" "$f6" $PORT_TPWS_MY1
+}
+
+zapret_custom_firewall_nft_flush()
+{
+	# this function is called after all nft fw rules are deleted
+	# however sets are not deleted. it's desired to clear sets here.
+
+	nft_del_set $TPWS_MY1_NAME4 2>/dev/null
+	nft_del_set $TPWS_MY1_NAME6 2>/dev/null
+}
--- a/init.d/custom.d.examples.linux/50-wg4all
+++ b/init.d/custom.d.examples.linux/50-wg4all
@ -0,0 +1,30 @@
+# this custom script runs desync to all wireguard handshake initiation packets
+
+# can override in config :
+NFQWS_OPT_DESYNC_WG="${NFQWS_OPT_DESYNC_WG:---dpi-desync=fake}"
+
+alloc_dnum DNUM_WG4ALL
+alloc_qnum QNUM_WG4ALL
+
+zapret_custom_daemons()
+{
+	# $1 - 1 - add, 0 - stop
+
+        local opt="--qnum=$QNUM_WG4ALL $NFQWS_OPT_DESYNC_WG"
+	do_nfqws $1 $DNUM_WG4ALL "$opt"
+}
+# size = 156 (8 udp header + 148 payload) && payload starts with 0x01000000
+zapret_custom_firewall()
+{
+        # $1 - 1 - run, 0 - stop
+
+        local f='-p udp -m u32 --u32'
+        fw_nfqws_post $1 "$f 0>>22&0x3C@4>>16=0x9c&&0>>22&0x3C@8=0x01000000" "$f 44>>16=0x9c&&48=0x01000000" $QNUM_WG4ALL
+}
+zapret_custom_firewall_nft()
+{
+        # stop logic is not required
+
+        local f="udp length 156 @th,64,32 0x01000000"
+        nft_fw_nfqws_post "$f" "$f" $QNUM_WG4ALL
+}
--- a/init.d/openwrt/custom.d.examples/50-dht4all
+++ b/init.d/openwrt/custom.d.examples/50-dht4all
@ -1,38 +0,0 @@
-# this custom script runs desync to DHT packets with udp payload length 101..399 , without ipset/hostlist filtering
-
-# can override in config :
-NFQWS_OPT_DESYNC_DHT="${NFQWS_OPT_DESYNC_DHT:---dpi-desync=tamper}"
-
-alloc_dnum DNUM_DHT4ALL
-alloc_qnum QNUM_DHT4ALL
-
-zapret_custom_daemons()
-{
-        # stop logic is managed by procd
-
-        local opt="--qnum=$QNUM_DHT4ALL $NFQWS_OPT_BASE $NFQWS_OPT_DESYNC_DHT"
-	run_daemon $DNUM_DHT4ALL $NFQWS "$opt"
-}
-zapret_custom_firewall()
-{
-        # $1 - 1 - run, 0 - stop
-
-        local f uf4 uf6
-        local first_packet_only="$ipt_connbytes 1:1"
-
-        f='-p udp -m length --length 109:407 -m u32 --u32'
-	uf4='0>>22&0x3C@8>>16=0x6431'
-	uf6='48>>16=0x6431'
-        fw_nfqws_post $1 "$f $uf4 $first_packet_only"  "$f $uf6 $first_packet_only" $QNUM_DHT4ALL
-
-}
-zapret_custom_firewall_nft()
-{
-        # stop logic is not required
-
-        local f
-        local first_packet_only="$nft_connbytes 1"
-
-        f="meta length 109-407 meta l4proto udp @th,64,16 0x6431"
-        nft_fw_nfqws_post "$f $first_packet_only" "$f $first_packet_only" $QNUM_DHT4ALL
-}
--- a/init.d/openwrt/custom.d.examples/50-discord
+++ b/init.d/openwrt/custom.d.examples/50-discord
--- a/init.d/openwrt/functions
+++ b/init.d/openwrt/functions
@ -10,6 +10,7 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
 . "$ZAPRET_BASE/common/ipt.sh"
 . "$ZAPRET_BASE/common/nft.sh"
 . "$ZAPRET_BASE/common/linux_fw.sh"
+. "$ZAPRET_BASE/common/linux_daemons.sh"
 . "$ZAPRET_BASE/common/list.sh"
 . "$ZAPRET_BASE/common/custom.sh"
 CUSTOM_DIR="$ZAPRET_RW/init.d/openwrt"
@ -24,15 +25,8 @@ CUSTOM_DIR="$ZAPRET_RW/init.d/openwrt"

 TPWS_LOCALHOST4=127.0.0.127

-# max wait time for the link local ipv6 on the LAN interface
-LINKLOCAL_WAIT_SEC=5
-
 IPSET_CR="$ZAPRET_BASE/ipset/create_ipset.sh"

-IPSET_EXCLUDE="-m set ! --match-set nozapret"
-IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
-
-
 # can be multiple ipv6 outgoing interfaces
 # uplink from isp, tunnelbroker, vpn, ...
 # want them all. who knows what's the real one that blocks sites
--- a/init.d/openwrt/zapret
+++ b/init.d/openwrt/zapret
@ -81,6 +81,10 @@ run_tpws()
 	}
 	run_daemon $1 "$TPWS" "$OPT $2"
 }
+do_tpws()
+{
+	[ "$1" = 0 ] || { shift; run_tpws "$@"; }
+}
 run_tpws_socks()
 {
 	[ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && return 0
@ -90,13 +94,10 @@ run_tpws_socks()
 	tpws_apply_socks_binds opt
 	run_daemon $1 "$TPWS" "$opt $2"
 }
-
-stop_tpws()
+do_tpws_socks()
 {
-	stop_daemon $1 "$TPWS"
+	[ "$1" = 0 ] || { shift; run_tpws_socks "$@"; }
 }
-
-
 tpws_apply_socks_binds()
 {
 	local o
@ -113,31 +114,19 @@ tpws_apply_socks_binds()
 	eval $1="\"\$$1 $o\""
 }

-
-standard_mode_daemons()
+run_nfqws()
 {
-	local opt
-	[ "$TPWS_ENABLE" = 1 ] && check_bad_ws_options 1 "$TPWS_OPT" && {
-		opt="--port=$TPPORT $TPWS_OPT"
-		filter_apply_hostlist_target opt
-		run_tpws 1 "$opt"
-	}
-	[ "$TPWS_SOCKS_ENABLE" = 1 ] && {
-		opt="--port=$TPPORT_SOCKS $TPWS_SOCKS_OPT"
-		filter_apply_hostlist_target opt
-		run_tpws_socks 2 "$opt"
-	}
-	[ "$NFQWS_ENABLE" = 1 ] && check_bad_ws_options 1 "$NFQWS_OPT" && {
-		opt="--qnum=$QNUM $NFQWS_OPT_BASE $NFQWS_OPT"
-		filter_apply_hostlist_target opt
-		run_daemon 3 "$NFQWS" "$opt"
-	}
+	run_daemon $1 "$NFQWS" "$NFQWS_OPT_BASE $2"
+}
+do_nfqws()
+{
+	[ "$1" = 0 ] || { shift; run_nfqws "$@"; }
 }

 start_daemons_procd()
 {
-	standard_mode_daemons
-	custom_runner zapret_custom_daemons
+	standard_mode_daemons 1
+	custom_runner zapret_custom_daemons 1

 	return 0
 }
--- a/init.d/pfsense/zapret.sh
+++ b/init.d/pfsense/zapret.sh
@ -21,4 +21,4 @@ pfctl -d ; pfctl -e
 ipfw delete 100
 ipfw add 100 divert 989 tcp from any to any 80,443 out not diverted not sockarg
 pkill ^dvtws$
-dvtws --daemon --port 989 --dpi-desync=split2
+dvtws --daemon --port 989 --dpi-desync=multisplit
--- a/init.d/systemd/nfqws@.service
+++ b/init.d/systemd/nfqws@.service
@ -0,0 +1,65 @@
+# Example systemd service unit for nfqws. Adjust for your installation.
+
+# WARNING ! This unit requires to compile nfqws using `make systemd`
+# WARNING ! This makefile target enables special systemd notify support.
+
+# PREPARE
+# install build depends
+# make -C /opt/zapret systemd
+# cp nfqws@service /lib/systemd/system
+# systemctl daemon-reload
+
+# MANAGE INSTANCE
+# prepare /etc/zapret/nfqws1.conf with nfqws parameters
+# systemctl start nfqws@nfqws1
+# systemctl status nfqws@nfqws1
+# systemctl restart nfqws@nfqws1
+# systemctl enable nfqws@nfqws1
+# systemctl disable nfqws@nfqws1
+# systemctl stop nfqws@nfqws1
+
+# DELETE
+# rm /lib/systemd/system/nfqws@.service
+# systemctl daemon-reload
+
+
+[Unit]
+After=network.target
+
+[Service]
+Type=notify
+Restart=on-failure
+
+ExecSearchPath=/opt/zapret/binaries/my
+ExecStart=nfqws @${CONFIG_DIR}/${INSTANCE}.conf
+Environment=CONFIG_DIR=/etc/zapret
+Environment=INSTANCE=%i
+
+RestrictAddressFamilies=AF_NETLINK AF_UNIX AF_INET6 AF_INET
+
+LockPersonality=true
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=full
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target
--- a/init.d/systemd/tpws@.service
+++ b/init.d/systemd/tpws@.service
@ -0,0 +1,63 @@
+# Example systemd service unit for tpws. Adjust for your installation.
+
+# WARNING ! This unit requires to compile tpws using `make systemd`
+# WARNING ! This makefile target enables special systemd notify support.
+
+# PREPARE
+# install build depends
+# make -C /opt/zapret systemd
+# cp tpws@service /lib/systemd/system
+# systemctl daemon-reload
+
+# MANAGE INSTANCE
+# prepare /etc/zapret/tpws1.conf with tpws parameters
+# systemctl start tpws@tpws1
+# systemctl status tpws@tpws1
+# systemctl restart tpws@tpws1
+# systemctl enable tpws@tpws1
+# systemctl disable tpws@tpws1
+# systemctl stop tpws@tpws1
+
+# DELETE
+# rm /lib/systemd/system/tpws@.service
+# systemctl daemon-reload
+
+
+[Unit]
+After=network.target
+
+[Service]
+Type=notify
+Restart=on-failure
+
+ExecSearchPath=/opt/zapret/binaries/my
+ExecStart=tpws @${CONFIG_DIR}/${INSTANCE}.conf
+Environment=CONFIG_DIR=/etc/zapret
+Environment=INSTANCE=%i
+
+RestrictAddressFamilies=AF_NETLINK AF_UNIX AF_INET6 AF_INET
+
+LockPersonality=true
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectProc=invisible
+ProtectSystem=full
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target
--- a/init.d/sysv/custom.d.examples/50-discord
+++ b/init.d/sysv/custom.d.examples/50-discord
--- a/init.d/sysv/functions
+++ b/init.d/sysv/functions
@ -10,6 +10,7 @@ ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
 . "$ZAPRET_BASE/common/ipt.sh"
 . "$ZAPRET_BASE/common/nft.sh"
 . "$ZAPRET_BASE/common/linux_fw.sh"
+. "$ZAPRET_BASE/common/linux_daemons.sh"
 . "$ZAPRET_BASE/common/list.sh"
 . "$ZAPRET_BASE/common/custom.sh"
 CUSTOM_DIR="$ZAPRET_RW/init.d/sysv"
@ -89,20 +90,13 @@ TPWS_WAIT_SOCKS6="$TPWS_WAIT --bind-wait-ip-linklocal=30"
 # first wait for lan to ifup, then wait for bind-wait-ip-linklocal seconds for link local address and bind-wait-ip for any ipv6 as the worst case
 TPWS_OPT_BASE6_PRE="--bind-linklocal=prefer $TPWS_WAIT --bind-wait-ip-linklocal=3"

-# max wait time for the link local ipv6 on the LAN interface
-LINKLOCAL_WAIT_SEC=5
-
-IPSET_EXCLUDE="-m set ! --match-set nozapret"
-IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
-
-
 dnat6_target()
 {
 	_dnat6_target "$@"
 }
 set_route_localnet()
 {
-	_set_route_localnet $1 "$IFACE_LAN"
+	_set_route_localnet $1 $IFACE_LAN
 }

 fw_nfqws_post4()
@ -167,15 +161,18 @@ run_daemon()
 	# use $PIDDIR/$DAEMONBASE$1.pid as pidfile

 	local DAEMONBASE="$(basename "$2")"
-	local PIDFILE=$PIDDIR/$DAEMONBASE$1.pid
+	local PID= PIDFILE=$PIDDIR/$DAEMONBASE$1.pid
 	echo "Starting daemon $1: $2 $3"
-	if exists start-stop-daemon ; then
-		start-stop-daemon -S -p "$PIDFILE" -m -b -x "$2" -- $3
-	else
-		if [ -f "$PIDFILE" ] && pgrep -F "$PIDFILE" "$DAEMONBASE" >/dev/null; then
+
+	[ -f "$PIDFILE" ] && {
+		read PID <"$PIDFILE"
+		[ -d "/proc/$PID" ] || PID=
+	}
+
+	if [ -n "$PID" ]; then
 		echo already running
 	else
-			"$2" $3 >/dev/null 2>/dev/null &
+		"$2" $3 >/dev/null &
 		PID=$!
 		if [ -n "$PID" ]; then
 			echo $PID >$PIDFILE
@ -184,7 +181,6 @@ run_daemon()
 			false
 		fi
 	fi
-	fi
 }
 stop_daemon()
 {
@ -192,11 +188,8 @@ stop_daemon()
 	# $2 - daemon
 	# use $PIDDIR/$DAEMONBASE$1.pid as pidfile
 	local DAEMONBASE="$(basename "$2")"
-	local PIDFILE=$PIDDIR/$DAEMONBASE$1.pid
+	local PID PIDFILE=$PIDDIR/$DAEMONBASE$1.pid
 	echo "Stopping daemon $1: $2"
-	if exists start-stop-daemon ; then
-		start-stop-daemon -K -p "$PIDFILE" -x "$2"
-	else
 	if [ -f "$PIDFILE" ]; then
 		read PID <"$PIDFILE"
 		kill $PID
@ -204,7 +197,6 @@ stop_daemon()
 	else
 		echo no pidfile : $PIDFILE
 	fi
-	fi
 }
 do_daemon()
 {
@ -277,45 +269,3 @@ create_ipset()
 	echo "Creating ip list table (firewall type $FWTYPE)"
 	"$IPSET_CR" "$@"
 }
-
-
-standard_mode_daemons()
-{
-	# $1 - 1 - run, 0 - stop
-
-	local opt
-
-	[ "$TPWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$TPWS_OPT" && {
-		opt="--port=$TPPORT $TPWS_OPT"
-		filter_apply_hostlist_target opt
-		do_tpws $1 1 "$opt"
-	}
-	[ "$TPWS_SOCKS_ENABLE" = 1 ] && {
-		opt="--port=$TPPORT_SOCKS $TPWS_SOCKS_OPT"
-		filter_apply_hostlist_target opt
-		do_tpws_socks $1 2 "$opt"
-	}
-	[ "$NFQWS_ENABLE" = 1 ] && check_bad_ws_options $1 "$NFQWS_OPT" && {
-		opt="--qnum=$QNUM $NFQWS_OPT"
-		filter_apply_hostlist_target opt
-		do_nfqws $1 3 "$opt"
-	}
-}
-
-zapret_do_daemons()
-{
-	# $1 - 1 - run, 0 - stop
-
-	standard_mode_daemons $1
-	custom_runner zapret_custom_daemons $1
-
-	return 0
-}
-zapret_run_daemons()
-{
-	zapret_do_daemons 1 "$@"
-}
-zapret_stop_daemons()
-{
-	zapret_do_daemons 0 "$@"
-}
--- a/init.d/sysv/zapret
+++ b/init.d/sysv/zapret
@ -74,8 +74,7 @@ case "$1" in
 		;;
 		
  *)
-	N=/etc/init.d/$NAME
-	echo "Usage: $N {start|stop|restart|start-fw|stop-fw|restart-fw|start-daemons|stop-daemons|restart-daemons|reload-ifsets|list-ifsets|list-table}" >&2
+	echo "Usage: $SCRIPT {start|stop|restart|start-fw|stop-fw|restart-fw|start-daemons|stop-daemons|restart-daemons|reload-ifsets|list-ifsets|list-table}" >&2
 	exit 1
 	;;
 esac
--- a/install_bin.sh
+++ b/install_bin.sh
@ -25,7 +25,11 @@ check_dir()
 				# find does not use its own shell exec
 				# it uses execvp(). in musl libc it does not call shell, in glibc it DOES call /bin/sh
 				# that's why prefer bash or zsh if present. otherwise it's our last chance
-				out=$(echo 0.0.0.0 | find "$dir" -maxdepth 1 -name ip2net -exec {} \; 2>/dev/null)
+				local FIND=find
+				if ! exists find && exists busybox; then
+					FIND="busybox find"
+				fi
+				out=$(echo 0.0.0.0 | $FIND "$dir" -maxdepth 1 -name ip2net -exec {} \; 2>/dev/null)
 			fi
 			[ -n "$out" ]
 		else
@ -52,7 +56,7 @@ UNAME=$(uname)
 unset PKTWS
 case $UNAME in
 	Linux)
-		ARCHLIST="my x86_64 x86 aarch64 arm mips64r2-msb mips32r1-lsb mips32r1-msb ppc"
+		ARCHLIST="my x86_64 x86 aarch64 arm mips64r2-msb mips32r1-lsb mips32r1-msb lexra ppc"
 		PKTWS=nfqws
 		;;
 	Darwin)
@ -64,7 +68,7 @@ case $UNAME in
 		;;
 	CYGWIN*)
 		UNAME=CYGWIN
-		ARCHLIST="win64"
+		ARCHLIST="win64 win32"
 		PKTWS=winws
 		;;
 	*)
--- a/install_easy.sh
+++ b/install_easy.sh
@ -26,6 +26,7 @@ IPSET_DIR="$ZAPRET_BASE/ipset"
 . "$ZAPRET_BASE/common/ipt.sh"
 . "$ZAPRET_BASE/common/installer.sh"
 . "$ZAPRET_BASE/common/virt.sh"
+. "$ZAPRET_BASE/common/list.sh"

 GET_LIST="$IPSET_DIR/get_config.sh"

@ -68,8 +69,15 @@ check_bins()
 		echo found architecture "\"$arch\""
 	elif [ -f "$EXEDIR/Makefile" ] && exists make; then
 		echo trying to compile
-		[ "$SYSTEM" = "macos" ] && make_target=mac
-		make -C "$EXEDIR" $make_target || {
+		case $SYSTEM in
+			macos)
+				make_target=mac
+				;;
+			systemd)
+				make_target=systemd
+				;;
+		esac
+		CFLAGS="-march=native ${CFLAGS}" make -C "$EXEDIR" $make_target || {
 			echo could not compile
 			make -C "$EXEDIR" clean
 			exitp 8
@ -115,6 +123,30 @@ ws_opt_validate()
 	}
 	return 0
 }
+tpws_opt_validate()
+{
+	ws_opt_validate "$1" || return 1
+	dry_run_tpws || {
+		echo invalid tpws options
+		return 1
+	}
+}
+tpws_socks_opt_validate()
+{
+	# --ipset allowed here
+	dry_run_tpws_socks || {
+		echo invalid tpws options
+		return 1
+	}
+}
+nfqws_opt_validate()
+{
+	ws_opt_validate "$1" || return 1
+	dry_run_nfqws || {
+		echo invalid nfqws options
+		return 1
+	}
+}

 select_mode_group()
 {
@ -162,18 +194,17 @@ select_mode_group()
 select_mode_tpws_socks()
 {
 	local EDITVAR_NEWLINE_DELIMETER="--new" EDITVAR_NEWLINE_VARS="TPWS_SOCKS_OPT"
-	# --ipset allowed here
-	select_mode_group TPWS_SOCKS_ENABLE "enable tpws socks mode on port $TPPORT_SOCKS ?" "TPPORT_SOCKS TPWS_SOCKS_OPT"
+	select_mode_group TPWS_SOCKS_ENABLE "enable tpws socks mode on port $TPPORT_SOCKS ?" "TPPORT_SOCKS TPWS_SOCKS_OPT" tpws_socks_opt_validate TPWS_SOCKS_OPT
 }
 select_mode_tpws()
 {
 	local EDITVAR_NEWLINE_DELIMETER="--new" EDITVAR_NEWLINE_VARS="TPWS_OPT"
-	select_mode_group TPWS_ENABLE "enable tpws transparent mode ?" "TPWS_PORTS TPWS_OPT" ws_opt_validate TPWS_OPT
+	select_mode_group TPWS_ENABLE "enable tpws transparent mode ?" "TPWS_PORTS TPWS_OPT" tpws_opt_validate TPWS_OPT
 }
 select_mode_nfqws()
 {
 	local EDITVAR_NEWLINE_DELIMETER="--new" EDITVAR_NEWLINE_VARS="NFQWS_OPT"
-	select_mode_group NFQWS_ENABLE "enable nfqws ?" "NFQWS_PORTS_TCP NFQWS_PORTS_UDP NFQWS_TCP_PKT_OUT NFQWS_TCP_PKT_IN NFQWS_UDP_PKT_OUT NFQWS_UDP_PKT_IN NFQWS_PORTS_TCP_KEEPALIVE NFQWS_PORTS_UDP_KEEPALIVE NFQWS_OPT" ws_opt_validate NFQWS_OPT
+	select_mode_group NFQWS_ENABLE "enable nfqws ?" "NFQWS_PORTS_TCP NFQWS_PORTS_UDP NFQWS_TCP_PKT_OUT NFQWS_TCP_PKT_IN NFQWS_UDP_PKT_OUT NFQWS_UDP_PKT_IN NFQWS_PORTS_TCP_KEEPALIVE NFQWS_PORTS_UDP_KEEPALIVE NFQWS_OPT" nfqws_opt_validate NFQWS_OPT
 }

 select_mode_mode()
@ -370,7 +401,7 @@ copy_openwrt()
 	mkdir "$2/tpws" "$2/nfq" "$2/ip2net" "$2/mdig" "$2/binaries" "$2/binaries/$ARCH" "$2/init.d" "$2/tmp" "$2/files"
 	cp -R "$1/files/fake" "$2/files"
 	cp -R "$1/common" "$1/ipset" "$2"
-	cp -R "$1/init.d/openwrt" "$2/init.d"
+	cp -R "$1/init.d/openwrt" "$1/init.d/custom.d.examples.linux" "$2/init.d"
 	cp "$1/config" "$1/config.default" "$1/install_easy.sh" "$1/uninstall_easy.sh" "$1/install_bin.sh" "$1/install_prereq.sh" "$1/blockcheck.sh" "$2"
 	cp "$BINDIR/tpws" "$BINDIR/nfqws" "$BINDIR/ip2net" "$BINDIR/mdig" "$2/binaries/$ARCH"
 }
@ -549,7 +580,7 @@ service_install_systemd()

 	if [ -w "$SYSTEMD_SYSTEM_DIR" ] ; then
 		rm -f "$INIT_SCRIPT"
-		ln -fs "$EXEDIR/init.d/systemd/zapret.service" "$SYSTEMD_SYSTEM_DIR"
+		cp -f "$EXEDIR/init.d/systemd/zapret.service" "$SYSTEMD_SYSTEM_DIR"
 		"$SYSTEMCTL" daemon-reload
 		"$SYSTEMCTL" enable zapret || {
 			echo could not enable systemd service
@ -567,8 +598,8 @@ timer_install_systemd()
 	if [ -w "$SYSTEMD_SYSTEM_DIR" ] ; then
 		"$SYSTEMCTL" disable zapret-list-update.timer
 		"$SYSTEMCTL" stop zapret-list-update.timer
-		ln -fs "$EXEDIR/init.d/systemd/zapret-list-update.service" "$SYSTEMD_SYSTEM_DIR"
-		ln -fs "$EXEDIR/init.d/systemd/zapret-list-update.timer" "$SYSTEMD_SYSTEM_DIR"
+		cp -f "$EXEDIR/init.d/systemd/zapret-list-update.service" "$SYSTEMD_SYSTEM_DIR"
+		cp -f "$EXEDIR/init.d/systemd/zapret-list-update.timer" "$SYSTEMD_SYSTEM_DIR"
 		"$SYSTEMCTL" daemon-reload
 		"$SYSTEMCTL" enable zapret-list-update.timer || {
 			echo could not enable zapret-list-update.timer
@ -748,7 +779,6 @@ deoffload_openwrt_firewall()
 	else
 		echo system wide software flow offloading disabled. ok
 	fi
-			
 }


--- a/ip2net/Makefile
+++ b/ip2net/Makefile
@ -1,5 +1,5 @@
 CC ?= gcc
-CFLAGS += -std=gnu99 -O3
+CFLAGS += -std=gnu99 -Os -flto=auto
 CFLAGS_BSD = -Wno-address-of-packed-member
 CFLAGS_WIN = -static
 LIBS = 
@ -9,20 +9,24 @@ SRC_FILES = ip2net.c qsort.c
 all: ip2net

 ip2net: $(SRC_FILES)
-	$(CC) -s $(CFLAGS) -o $@ $(SRC_FILES) $(LDFLAGS) $(LIBS)
+	$(CC) -s $(CFLAGS) -o ip2net $(SRC_FILES) $(LIBS) $(LDFLAGS)
+
+systemd: ip2net
+
+android: ip2net

 bsd: $(SRC_FILES)
-	$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o ip2net $(SRC_FILES) $(LDFLAGS) $(LIBS)
+	$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o ip2net $(SRC_FILES) $(LIBS) $(LDFLAGS)

 mac: $(SRC_FILES)
-	$(CC) $(CFLAGS) $(CFLAGS_BSD) -o ip2neta $(SRC_FILES) $(LDFLAGS) -target arm64-apple-macos10.8 $(LIBS)
-	$(CC) $(CFLAGS) $(CFLAGS_BSD) -o ip2netx $(SRC_FILES) $(LDFLAGS) -target x86_64-apple-macos10.8 $(LIBS)
+	$(CC) $(CFLAGS) $(CFLAGS_BSD) -o ip2neta $(SRC_FILES) -target arm64-apple-macos10.8 $(LIBS) $(LDFLAGS)
+	$(CC) $(CFLAGS) $(CFLAGS_BSD) -o ip2netx $(SRC_FILES) -target x86_64-apple-macos10.8 $(LIBS) $(LDFLAGS)
 	strip ip2neta ip2netx
 	lipo -create -output ip2net ip2netx ip2neta
 	rm -f ip2netx ip2neta

 win: $(SRC_FILES)
-	$(CC) -s $(CFLAGS) $(CFLAGS_WIN) -o ip2net $(SRC_FILES) $(LDFLAGS) $(LIBS_WIN)
+	$(CC) -s $(CFLAGS) $(CFLAGS_WIN) -o ip2net $(SRC_FILES) $(LIBS_WIN) $(LDFLAGS)

 clean:
 	rm -f ip2net *.o
--- a/ip2net/ip2net.c
+++ b/ip2net/ip2net.c
@ -192,7 +192,7 @@ static void ip6_and(const struct in6_addr * restrict a, const struct in6_addr *
 static void rtrim(char *s)
 {
 	if (s)
-		for (char *p = s + strlen(s) - 1; p >= s && (*p == '\n' || *p == '\r'); p--) *p = '\0';
+		for (char *p = s + strlen(s) - 1; p >= s && (*p == '\n' || *p == '\r' || *p == ' ' || *p == '\t'); p--) *p = '\0';
 }


@ -217,6 +217,36 @@ static void exithelp(void)
 	exit(1);
 }

+#define STRINGIFY(x) #x
+#define TOSTRING(x) STRINGIFY(x)
+#if defined(ZAPRET_GH_VER) || defined (ZAPRET_GH_HASH)
+#define PRINT_VER printf("github version %s (%s)\n\n", TOSTRING(ZAPRET_GH_VER), TOSTRING(ZAPRET_GH_HASH))
+#else
+#define PRINT_VER printf("self-built version %s %s\n\n", __DATE__, __TIME__)
+#endif
+
+enum opt_indices {
+	IDX_HELP,
+	IDX_H,
+	IDX_4,
+	IDX_6,
+	IDX_PREFIX_LENGTH,
+	IDX_V4_THRESHOLD,
+	IDX_V6_THRESHOLD,
+	IDX_LAST,
+};
+
+static const struct option long_options[] = {
+	[IDX_HELP] = {"help", no_argument, 0, 0},
+	[IDX_H] = {"h", no_argument, 0, 0},
+	[IDX_4] = {"4", no_argument, 0, 0},
+	[IDX_6] = {"6", no_argument, 0, 0},
+	[IDX_PREFIX_LENGTH] = {"prefix-length", required_argument, 0, 0},
+	[IDX_V4_THRESHOLD] = {"v4-threshold", required_argument, 0, 0},
+	[IDX_V6_THRESHOLD] = {"v6-threshold", required_argument, 0, 0},
+	[IDX_LAST] = {NULL, 0, NULL, 0},
+};
+
 static void parse_params(int argc, char *argv[])
 {
 	int option_index = 0;
@ -228,32 +258,23 @@ static void parse_params(int argc, char *argv[])
 	params.pctdiv = DEFAULT_PCTDIV;
 	params.v6_threshold = DEFAULT_V6_THRESHOLD;

-	const struct option long_options[] = {
-		{ "help",no_argument,0,0 },// optidx=0
-		{ "h",no_argument,0,0 },// optidx=1
-		{ "4",no_argument,0,0 },// optidx=2
-		{ "6",no_argument,0,0 },// optidx=3
-		{ "prefix-length",required_argument,0,0 },// optidx=4
-		{ "v4-threshold",required_argument,0,0 },// optidx=5
-		{ "v6-threshold",required_argument,0,0 },// optidx=6
-		{ NULL,0,NULL,0 }
-	};
 	while ((v = getopt_long_only(argc, argv, "", long_options, &option_index)) != -1)
 	{
 		if (v) exithelp();
 		switch (option_index)
 		{
-		case 0:
-		case 1:
+		case IDX_HELP:
+		case IDX_H:
+			PRINT_VER;
 			exithelp();
 			break;
-		case 2:
+		case IDX_4:
 			params.ipv6 = false;
 			break;
-		case 3:
+		case IDX_6:
 			params.ipv6 = true;
 			break;
-		case 4:
+		case IDX_PREFIX_LENGTH:
 			i = sscanf(optarg,"%u-%u",&plen1,&plen2);
 			if (i == 1) plen2 = plen1;
 			if (i<=0 || plen2<plen1 || !plen1 || !plen2)
@ -262,7 +283,7 @@ static void parse_params(int argc, char *argv[])
 				exit(1);
 			}
 			break;
-		case 5:
+		case IDX_V4_THRESHOLD:
 			i = sscanf(optarg, "%u/%u", &params.pctmult, &params.pctdiv);
 			if (i!=2 || params.pctdiv<2 || params.pctmult<1 || params.pctmult>=params.pctdiv)
 			{
@ -270,7 +291,7 @@ static void parse_params(int argc, char *argv[])
 				exit(1);
 			}
 			break;
-		case 6:
+		case IDX_V6_THRESHOLD:
 			i = sscanf(optarg, "%u", &params.v6_threshold);
 			if (i != 1 || params.v6_threshold<1)
 			{
--- a/ipset/antifilter.helper
+++ b/ipset/antifilter.helper
@ -7,7 +7,7 @@ get_antifilter()
 [ "$DISABLE_IPV4" != "1" ] && {
  curl --fail --max-time 150 --connect-timeout 20 --max-filesize 41943040 -k -L "$1" | cut_local >"$ZIPLISTTMP" &&
  {
-   dlsize=$(LANG=C wc -c "$ZIPLISTTMP" | xargs | cut -f 1 -d ' ')
+   dlsize=$(LC_ALL=C LANG=C wc -c "$ZIPLISTTMP" | xargs | cut -f 1 -d ' ')
   if [ $dlsize -lt 102400 ]; then
    echo list file is too small. can be bad.
    exit 2
--- a/ipset/def.sh
+++ b/ipset/def.sh
@ -5,7 +5,7 @@ ZAPRET_RW=${ZAPRET_RW:-"$ZAPRET_BASE"}
 ZAPRET_CONFIG=${ZAPRET_CONFIG:-"$ZAPRET_RW/config"}
 IPSET_RW_DIR="$ZAPRET_RW/ipset"

-. "$ZAPRET_CONFIG"
+[ -f "$ZAPRET_CONFIG" ] && . "$ZAPRET_CONFIG"
 . "$ZAPRET_BASE/common/base.sh"

 [ -z "$TMPDIR" ] && TMPDIR=/tmp
@ -141,6 +141,18 @@ zzsize()
  printf 0
 fi
 }
+zzcopy()
+{
+ local is_gz=0
+ zztest "$1" && is_gz=1
+ if [ "$GZIP_LISTS" = 1 -a $is_gz = 1 ]; then
+  cp "$1" "${2}.gz"
+ elif [ "$GZIP_LISTS" != 1 -a $is_gz != 1 ]; then
+  cp "$1" "$2"
+ else
+  zzcat "$1" | zz "$2"
+ fi
+}

 digger()
 {
@ -255,3 +267,17 @@ getipban()
 _get_ipban
 return 0
 }
+
+hup_zapret_daemons()
+{
+ echo forcing zapret daemons to reload their hostlist
+ if exists killall; then
+  killall -HUP tpws nfqws dvtws 2>/dev/null
+ elif exists pkill; then
+  pkill -HUP ^tpws$
+  pkill -HUP ^nfqws$
+  pkill -HUP ^dvtws$
+ else
+  echo no mass killer available ! cant HUP zapret daemons
+ fi
+}
--- a/ipset/get_antizapret_domains.sh
+++ b/ipset/get_antizapret_domains.sh
@ -21,7 +21,7 @@ curl -H "Accept-Encoding: gzip" -k --fail --max-time 600 --connect-timeout 5 --r
 exit 2
 }

-dlsize=$(LANG=C wc -c "$ZDOM" | xargs | cut -f 1 -d ' ')
+dlsize=$(LC_ALL=C LANG=C wc -c "$ZDOM" | xargs | cut -f 1 -d ' ')
 if test $dlsize -lt 102400; then
 echo list file is too small. can be bad.
 exit 2
@ -31,4 +31,6 @@ sort -u "$ZDOM" | zz "$ZHOSTLIST"

 rm -f "$ZDOM"

+hup_zapret_daemons
+
 exit 0
--- a/ipset/get_config.sh
+++ b/ipset/get_config.sh
@ -4,7 +4,7 @@
 IPSET_DIR="$(dirname "$0")"
 IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"

-. "$IPSET_DIR/../config"
+[ -f "$IPSET_DIR/../config" ] && . "$IPSET_DIR/../config"

 [ -z "$GETLIST" ] && GETLIST=get_ipban.sh
 [ -x "$IPSET_DIR/$GETLIST" ] && exec "$IPSET_DIR/$GETLIST"
--- a/ipset/get_reestr_hostlist.sh
+++ b/ipset/get_reestr_hostlist.sh
@ -5,9 +5,9 @@ IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"

 . "$IPSET_DIR/def.sh"

-ZREESTR="$TMPDIR/zapret.txt"
+ZREESTR="$TMPDIR/zapret.txt.gz"
 IPB="$TMPDIR/ipb.txt"
-ZURL_REESTR=https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv
+ZURL_REESTR=https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv.gz

 dl_checked()
 {
@ -21,7 +21,7 @@ dl_checked()
   echo list download failed : $1
   return 2
  }
-  dlsize=$(LANG=C wc -c "$2" | xargs | cut -f 1 -d ' ')
+  dlsize=$(LC_ALL=C LANG=C wc -c "$2" | xargs | cut -f 1 -d ' ')
  if test $dlsize -lt $3; then
   echo list is too small : $dlsize bytes. can be bad.
   return 2
@ -31,11 +31,11 @@ dl_checked()

 reestr_list()
 {
- LANG=C cut -s -f2 -d';' "$ZREESTR" | LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p' | $AWK '{ print tolower($0) }'
+ LC_ALL=C LANG=C gunzip -c "$ZREESTR" | cut -s -f2 -d';' | LC_ALL=C  LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p' | $AWK '{ print tolower($0) }'
 }
 reestr_extract_ip()
 {
- LANG=C nice -n 5 $AWK -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' "$ZREESTR" | LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}'
+ LC_ALL=C LANG=C gunzip -c | nice -n 5 $AWK -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' | LC_ALL=C  LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}'
 }

 ipban_fin()
@ -58,6 +58,8 @@ rm -f "$ZREESTR"
 [ "$DISABLE_IPV6" != "1" ] && $AWK '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}($|(\/[0-9]{2,3}$))/' "$IPB" | cut_local6 | ip2net6 | zz "$ZIPLIST_IPBAN6"
 rm -f "$IPB"

+hup_zapret_daemons
+
 ipban_fin

 exit 0
--- a/ipset/get_reestr_preresolved.sh
+++ b/ipset/get_reestr_preresolved.sh
@ -24,12 +24,12 @@ dl()
   echo list download failed : $1
   exit 2
  }
-  dlsize=$(LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
+  dlsize=$(LC_ALL=C LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
  if test $dlsize -lt $3; then
   echo list is too small : $dlsize bytes. can be bad.
   exit 2
  fi
-  zzcat "$TMPLIST" | zz "$2"
+  zzcopy "$TMPLIST" "$2"
  rm -f "$TMPLIST"
 }

--- a/ipset/get_reestr_preresolved_smart.sh
+++ b/ipset/get_reestr_preresolved_smart.sh
@ -24,12 +24,12 @@ dl()
   echo list download failed : $1
   exit 2
  }
-  dlsize=$(LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
+  dlsize=$(LC_ALL=C LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
  if test $dlsize -lt $3; then
   echo list is too small : $dlsize bytes. can be bad.
   exit 2
  fi
-  zzcat "$TMPLIST" | zz "$2"
+  zzcopy "$TMPLIST" "$2"
  rm -f "$TMPLIST"
 }

--- a/ipset/get_reestr_resolvable_domains.sh
+++ b/ipset/get_reestr_resolvable_domains.sh
@ -23,17 +23,19 @@ dl()
   echo list download failed : $1
   exit 2
  }
-  dlsize=$(LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
+  dlsize=$(LC_ALL=C LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
  if test $dlsize -lt $3; then
   echo list is too small : $dlsize bytes. can be bad.
   exit 2
  fi
-  zzcat "$TMPLIST" | zz "$2"
+  zzcopy "$TMPLIST" "$2"
  rm -f "$TMPLIST"
 }

 dl "$URL" "$ZHOSTLIST" 65536 67108864

+hup_zapret_daemons
+
 [ "$DISABLE_IPV4" != "1" ] && dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
 [ "$DISABLE_IPV6" != "1" ] && dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576

--- a/ipset/get_reestr_resolve.sh
+++ b/ipset/get_reestr_resolve.sh
@ -5,12 +5,12 @@ IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"

 . "$IPSET_DIR/def.sh"

-ZREESTR="$TMPDIR/zapret.txt"
+ZREESTR="$TMPDIR/zapret.txt.gz"
 ZDIG="$TMPDIR/zapret-dig.txt"
 IPB="$TMPDIR/ipb.txt"
 ZIPLISTTMP="$TMPDIR/zapret-ip.txt"
 #ZURL=https://reestr.rublacklist.net/api/current
-ZURL_REESTR=https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv
+ZURL_REESTR=https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv.gz

 dl_checked()
 {
@ -24,7 +24,7 @@ dl_checked()
   echo list download failed : $1
   return 2
  }
-  dlsize=$(LANG=C wc -c "$2" | xargs | cut -f 1 -d ' ')
+  dlsize=$(LC_ALL=C LANG=C wc -c "$2" | xargs | cut -f 1 -d ' ')
  if test $dlsize -lt $3; then
   echo list is too small : $dlsize bytes. can be bad.
   return 2
@ -34,11 +34,11 @@ dl_checked()

 reestr_list()
 {
- LANG=C cut -s -f2 -d';' "$ZREESTR" | LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p'
+ LC_ALL=C LANG=C gunzip -c "$ZREESTR" | cut -s -f2 -d';' | LC_ALL=C LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p' | $AWK '{ print tolower($0) }'
 }
 reestr_extract_ip()
 {
- LANG=C nice -n 5 $AWK -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' "$ZREESTR" | LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}'
+ LC_ALL=C LANG=C gunzip -c | nice -n 5 $AWK -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' | LC_ALL=C LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}'
 }

 getuser && {
--- a/ipset/get_refilter_domains.sh
+++ b/ipset/get_refilter_domains.sh
@ -20,12 +20,12 @@ dl()
   echo list download failed : $1
   exit 2
  }
-  dlsize=$(LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
+  dlsize=$(LC_ALL=C LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
  if test $dlsize -lt $3; then
   echo list is too small : $dlsize bytes. can be bad.
   exit 2
  fi
-  zzcat "$TMPLIST" | tr -d '\015' | zz "$2"
+  zzcopy "$TMPLIST" "$2"
  rm -f "$TMPLIST"
 }

@ -37,4 +37,6 @@ getipban || FAIL=1

 dl "$URL" "$ZHOSTLIST" 32768 4194304

+hup_zapret_daemons
+
 exit 0
--- a/ipset/get_refilter_ipsum.sh
+++ b/ipset/get_refilter_ipsum.sh
@ -20,13 +20,12 @@ dl()
   echo list download failed : $1
   exit 2
  }
-  dlsize=$(LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
+  dlsize=$(LC_ALL=C LANG=C wc -c "$TMPLIST" | xargs | cut -f 1 -d ' ')
  if test $dlsize -lt $3; then
   echo list is too small : $dlsize bytes. can be bad.
   exit 2
  fi
-  # remove DOS EOL \r
-  zzcat "$TMPLIST" | tr -d '\015' | zz "$2"
+  zzcopy "$TMPLIST" "$2"
  rm -f "$TMPLIST"
 }

--- a/ipset/zapret-hosts-user-exclude.txt.default
+++ b/ipset/zapret-hosts-user-exclude.txt.default
@ -1,6 +1,8 @@
+127.0.0.0/8
 10.0.0.0/8
 172.16.0.0/12
 192.168.0.0/16
 169.254.0.0/16
+::1
 fc00::/7
 fe80::/10
--- a/mdig/Makefile
+++ b/mdig/Makefile
@ -1,28 +1,34 @@
 CC ?= gcc
-CFLAGS += -std=gnu99 -O3
+CFLAGS += -std=gnu99 -Os
 CFLAGS_BSD = -Wno-address-of-packed-member
 CFLAGS_WIN = -static
 LIBS = -lpthread
+LIBS_ANDROID =
 LIBS_WIN = -lws2_32
 SRC_FILES = *.c

 all: mdig

 mdig: $(SRC_FILES)
-	$(CC) -s $(CFLAGS) -o $@ $(SRC_FILES) $(LDFLAGS) $(LIBS)
+	$(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LIBS) $(LDFLAGS)
+
+systemd: mdig
+
+android: $(SRC_FILES)
+	$(CC) -s $(CFLAGS) -o mdig $(SRC_FILES) $(LIBS_ANDROID) $(LDFLAGS)

 bsd: $(SRC_FILES)
-	$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o mdig $(SRC_FILES) $(LDFLAGS) $(LIBS)
+	$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o mdig $(SRC_FILES) $(LIBS) $(LDFLAGS)

 mac: $(SRC_FILES)
-	$(CC) $(CFLAGS) $(CFLAGS_BSD) -o mdiga $(SRC_FILES) $(LDFLAGS) -target arm64-apple-macos10.8 $(LIBS_BSD)
-	$(CC) $(CFLAGS) $(CFLAGS_BSD) -o mdigx $(SRC_FILES) $(LDFLAGS) -target x86_64-apple-macos10.8 $(LIBS_BSD)
+	$(CC) $(CFLAGS) $(CFLAGS_BSD) -o mdiga $(SRC_FILES) -target arm64-apple-macos10.8 $(LIBS_BSD) $(LDFLAGS)
+	$(CC) $(CFLAGS) $(CFLAGS_BSD) -o mdigx $(SRC_FILES) -target x86_64-apple-macos10.8 $(LIBS_BSD) $(LDFLAGS)
 	strip mdiga mdigx
 	lipo -create -output mdig mdigx mdiga
 	rm -f mdigx mdiga

 win: $(SRC_FILES)
-	$(CC) -s $(CFLAGS) $(CFLAGS_WIN) -o mdig $(SRC_FILES) $(LDFLAGS) $(LIBS_WIN)
+	$(CC) -s $(CFLAGS) $(CFLAGS_WIN) -o mdig $(SRC_FILES) $(LIBS_WIN) $(LDFLAGS)

 clean:
 	rm -f mdig *.o
--- a/mdig/mdig.c
+++ b/mdig/mdig.c
@ -12,7 +12,6 @@
 #include <stdlib.h>
 #include <string.h>
 #include <stdbool.h>
-#include <unistd.h>
 #include <pthread.h>
 #include <getopt.h>
 #ifdef _WIN32
@ -21,7 +20,9 @@
 #include <winsock2.h>
 #include <ws2ipdef.h>
 #include <ws2tcpip.h>
+#include <fcntl.h>
 #else
+#include <unistd.h>
 #include <sys/socket.h>
 #include <arpa/inet.h>
 #include <netinet/in.h>
@ -34,7 +35,7 @@
 static void trimstr(char *s)
 {
 	char *p;
-	for (p = s + strlen(s) - 1; p >= s && (*p == '\n' || *p == '\r'); p--) *p = '\0';
+	for (p = s + strlen(s) - 1; p >= s && (*p == '\n' || *p == '\r' || *p == ' ' || *p == '\t'); p--) *p = '\0';
 }

 static const char* eai_str(int r)
@ -364,6 +365,9 @@ int dns_make_query(const char *dom, char family)
 		fprintf(stderr, "could not make DNS query\n");
 		return 1;
 	}
+#ifdef _WIN32
+	_setmode(_fileno(stdout), _O_BINARY);
+#endif
 	if (fwrite(q,l,1,stdout)!=1)
 	{
 		fprintf(stderr, "could not write DNS query blob to stdout\n");
@ -420,8 +424,11 @@ bool dns_parse_print(const uint8_t *a, size_t len)
 }
 int dns_parse_query()
 {
-	uint8_t a[1500];
+	uint8_t a[8192];
 	size_t l;
+#ifdef _WIN32
+	_setmode(_fileno(stdin), _O_BINARY);
+#endif
 	l = fread(a,1,sizeof(a),stdin);
 	if (!l || !feof(stdin))
 	{
@ -451,25 +458,47 @@ static void exithelp(void)
 	);
 	exit(1);
 }
+
+#define STRINGIFY(x) #x
+#define TOSTRING(x) STRINGIFY(x)
+#if defined(ZAPRET_GH_VER) || defined (ZAPRET_GH_HASH)
+#define PRINT_VER printf("github version %s (%s)\n\n", TOSTRING(ZAPRET_GH_VER), TOSTRING(ZAPRET_GH_HASH))
+#else
+#define PRINT_VER printf("self-built version %s %s\n\n", __DATE__, __TIME__)
+#endif
+
+enum opt_indices {
+	IDX_HELP,
+	IDX_THREADS,
+	IDX_FAMILY,
+	IDX_VERBOSE,
+	IDX_STATS,
+	IDX_LOG_RESOLVED,
+	IDX_LOG_FAILED,
+	IDX_DNS_MAKE_QUERY,
+	IDX_DNS_PARSE_QUERY,
+	IDX_LAST,
+};
+
+static const struct option long_options[] = {
+	[IDX_HELP] = {"help", no_argument, 0, 0},
+	[IDX_THREADS] = {"threads", required_argument, 0, 0},
+	[IDX_FAMILY] = {"family", required_argument, 0, 0},
+	[IDX_VERBOSE] = {"verbose", no_argument, 0, 0},
+	[IDX_STATS] = {"stats", required_argument, 0, 0},
+	[IDX_LOG_RESOLVED] = {"log-resolved", required_argument, 0, 0},
+	[IDX_LOG_FAILED] = {"log-failed", required_argument, 0, 0},
+	[IDX_DNS_MAKE_QUERY] = {"dns-make-query", required_argument, 0, 0},
+	[IDX_DNS_PARSE_QUERY] = {"dns-parse-query", no_argument, 0, 0},
+	[IDX_LAST] = {NULL, 0, NULL, 0},
+};
+
 int main(int argc, char **argv)
 {
 	int r, v, option_index = 0;
 	char fn1[256],fn2[256];
 	char dom[256];

-	static const struct option long_options[] = {
-			{"help",no_argument,0,0},			// optidx=0
-			{"threads",required_argument,0,0},		// optidx=1
-			{"family",required_argument,0,0},		// optidx=2
-			{"verbose",no_argument,0,0},			// optidx=3
-			{"stats",required_argument,0,0},		// optidx=4
-			{"log-resolved",required_argument,0,0},		// optidx=5
-			{"log-failed",required_argument,0,0},		// optidx=6
-			{"dns-make-query",required_argument,0,0},	// optidx=7
-			{"dns-parse-query",no_argument,0,0},		// optidx=8
-			{NULL,0,NULL,0}
-	};
-
 	memset(&glob, 0, sizeof(glob));
 	*fn1 = *fn2 = *dom = 0;
 	glob.family = FAMILY4;
@ -479,10 +508,11 @@ int main(int argc, char **argv)
 		if (v) exithelp();
 		switch (option_index)
 		{
-		case 0: /* help */
+		case IDX_HELP:
+			PRINT_VER;
 			exithelp();
 			break;
-		case 1: /* threads */
+		case IDX_THREADS:
 			glob.threads = optarg ? atoi(optarg) : 0;
 			if (glob.threads <= 0 || glob.threads > 100)
 			{
@ -490,7 +520,7 @@ int main(int argc, char **argv)
 				return 1;
 			}
 			break;
-		case 2: /* family */
+		case IDX_FAMILY:
 			if (!strcmp(optarg, "4"))
 				glob.family = FAMILY4;
 			else if (!strcmp(optarg, "6"))
@ -503,25 +533,25 @@ int main(int argc, char **argv)
 				return 1;
 			}
 			break;
-		case 3: /* verbose */
+		case IDX_VERBOSE:
 			glob.verbose = '\1';
 			break;
-		case 4: /* stats */
+		case IDX_STATS:
 			glob.stats_every = optarg ? atoi(optarg) : 0;
 			break;
-		case 5: /* log-resolved */
+		case IDX_LOG_RESOLVED:
 			strncpy(fn1,optarg,sizeof(fn1));
 			fn1[sizeof(fn1)-1] = 0;
 			break;
-		case 6: /* log-failed */
+		case IDX_LOG_FAILED:
 			strncpy(fn2,optarg,sizeof(fn2));
 			fn2[sizeof(fn2)-1] = 0;
 			break;
-		case 7: /* dns-make-query */
+		case IDX_DNS_MAKE_QUERY:
 			strncpy(dom,optarg,sizeof(dom));
 			dom[sizeof(dom)-1] = 0;
 			break;
-		case 8: /* dns-parse-query */
+		case IDX_DNS_PARSE_QUERY:
 			return dns_parse_query();
 		}
 	}
--- a/nfq/BSDmakefile
+++ b/nfq/BSDmakefile
@ -1,12 +1,12 @@
 CC ?= cc
-CFLAGS += -std=gnu99 -s -O3 -Wno-address-of-packed-member
+CFLAGS += -std=gnu99 -s -Os -Wno-address-of-packed-member -flto=auto
 LIBS = -lz
 SRC_FILES = *.c crypto/*.c

 all: dvtws

 dvtws: $(SRC_FILES)
-	$(CC) $(CFLAGS) -o $@ $(SRC_FILES) $(LDFLAGS) $(LIBS)
+	$(CC) $(CFLAGS) -o dvtws $(SRC_FILES) $(LIBS) $(LDFLAGS)

 clean:
 	rm -f dvtws
--- a/nfq/Makefile
+++ b/nfq/Makefile
@ -1,11 +1,12 @@
 CC ?= gcc
-CFLAGS += -std=gnu99 -O3
+CFLAGS += -std=gnu99 -Os -flto=auto
+CFLAGS_SYSTEMD = -DUSE_SYSTEMD
 CFLAGS_BSD = -Wno-address-of-packed-member
-CFLAGS_MAC = -mmacosx-version-min=10.8
 CFLAGS_CYGWIN = -Wno-address-of-packed-member -static
 LIBS_LINUX = -lnetfilter_queue -lnfnetlink -lz
+LIBS_SYSTEMD = -lsystemd
 LIBS_BSD = -lz
-LIBS_CYGWIN = -lz -Lwindows/windivert -Iwindows -lwlanapi -lole32 -loleaut32 -luuid
+LIBS_CYGWIN = -lz -Lwindows/windivert -Iwindows -lwlanapi -lole32 -loleaut32
 LIBS_CYGWIN32 = -lwindivert32
 LIBS_CYGWIN64 = -lwindivert64
 RES_CYGWIN32 = windows/res/32/winmanifest.o windows/res/32/winicon.o
@ -15,22 +16,27 @@ SRC_FILES = *.c crypto/*.c
 all: nfqws

 nfqws: $(SRC_FILES)
-	$(CC) -s $(CFLAGS) -o $@ $(SRC_FILES) $(LDFLAGS) $(LIBS_LINUX)
+	$(CC) -s $(CFLAGS) -o nfqws $(SRC_FILES) $(LIBS_LINUX) $(LDFLAGS)
+
+systemd: $(SRC_FILES)
+	$(CC) -s $(CFLAGS) $(CFLAGS_SYSTEMD) -o nfqws $(SRC_FILES) $(LIBS_LINUX) $(LIBS_SYSTEMD) $(LDFLAGS)
+
+android: nfqws

 bsd: $(SRC_FILES)
-	$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o dvtws $(SRC_FILES) $(LDFLAGS) $(LIBS_BSD)
+	$(CC) -s $(CFLAGS) $(CFLAGS_BSD) -o dvtws $(SRC_FILES) $(LIBS_BSD) $(LDFLAGS)

 mac: $(SRC_FILES)
-	$(CC) $(CFLAGS) $(CFLAGS_BSD) -o dvtwsa $(SRC_FILES) $(LDFLAGS) -target arm64-apple-macos10.8 $(LIBS_BSD)
-	$(CC) $(CFLAGS) $(CFLAGS_BSD) -o dvtwsx $(SRC_FILES) $(LDFLAGS) -target x86_64-apple-macos10.8 $(LIBS_BSD)
+	$(CC) $(CFLAGS) $(CFLAGS_BSD) -o dvtwsa $(SRC_FILES) -target arm64-apple-macos10.8 $(LIBS_BSD) $(LDFLAGS)
+	$(CC) $(CFLAGS) $(CFLAGS_BSD) -o dvtwsx $(SRC_FILES) -target x86_64-apple-macos10.8 $(LIBS_BSD) $(LDFLAGS)
 	strip dvtwsa dvtwsx
 	lipo -create -output dvtws dvtwsx dvtwsa
 	rm -f dvtwsx dvtwsa

 cygwin64:
-	$(CC) -s $(CFLAGS) $(CFLAGS_CYGWIN) -o winws $(SRC_FILES) $(LDFLAGS) $(LIBS_CYGWIN) $(LIBS_CYGWIN64) $(RES_CYGWIN64)
+	$(CC) -s $(CFLAGS) $(CFLAGS_CYGWIN) -o winws $(SRC_FILES) $(LIBS_CYGWIN) $(LIBS_CYGWIN64) $(RES_CYGWIN64) $(LDFLAGS)
 cygwin32:
-	$(CC) -s $(CFLAGS) $(CFLAGS_CYGWIN) -o winws $(SRC_FILES) $(LDFLAGS) $(LIBS_CYGWIN) $(LIBS_CYGWIN32) $(RES_CYGWIN32)
+	$(CC) -s $(CFLAGS) $(CFLAGS_CYGWIN) -o winws $(SRC_FILES) $(LIBS_CYGWIN) $(LIBS_CYGWIN32) $(RES_CYGWIN32) $(LDFLAGS)
 cygwin: cygwin64

 clean:
--- a/nfq/conntrack.c
+++ b/nfq/conntrack.c
@ -12,29 +12,6 @@ static void ut_oom_recover(void *elem)
 	oom = true;
 }

-const char *l7proto_str(t_l7proto l7)
-{
-	switch(l7)
-	{
-		case HTTP: return "http";
-		case TLS: return "tls";
-		case QUIC: return "quic";
-		case WIREGUARD: return "wireguard";
-		case DHT: return "dht";
-		default: return "unknown";
-	}
-}
-bool l7_proto_match(t_l7proto l7proto, uint32_t filter_l7)
-{
-	return  (l7proto==UNKNOWN && (filter_l7 & L7_PROTO_UNKNOWN)) ||
-		(l7proto==HTTP && (filter_l7 & L7_PROTO_HTTP)) ||
-		(l7proto==TLS && (filter_l7 & L7_PROTO_TLS)) ||
-		(l7proto==QUIC && (filter_l7 & L7_PROTO_QUIC)) ||
-		(l7proto==WIREGUARD && (filter_l7 & L7_PROTO_WIREGUARD)) ||
-		(l7proto==DHT && (filter_l7 & L7_PROTO_DHT));
-}
-
-
 static const char *connstate_s[]={"SYN","ESTABLISHED","FIN"};

 static void connswap(const t_conn *c, t_conn *c2)
@ -50,11 +27,8 @@ static void connswap(const t_conn *c, t_conn *c2)

 void ConntrackClearHostname(t_ctrack *track)
 {
-	if (track->hostname)
-	{
 	free(track->hostname);
 	track->hostname = NULL;
-	}
 }
 static void ConntrackClearTrack(t_ctrack *track)
 {
@ -372,11 +346,8 @@ void ConntrackPoolDump(const t_conntrack *p)

 void ReasmClear(t_reassemble *reasm)
 {
-	if (reasm->packet)
-	{
 	free(reasm->packet);
 	reasm->packet = NULL;
-	}
 	reasm->size = reasm->size_present = 0;
 }
 bool ReasmInit(t_reassemble *reasm, size_t size_requested, uint32_t seq_start)
--- a/nfq/conntrack.h
+++ b/nfq/conntrack.h
@ -4,8 +4,6 @@
 // this conntrack is not bullet-proof
 // its designed to satisfy dpi desync needs only

-#include "packet_queue.h"
-
 #include <stdbool.h>
 #include <stdint.h>
 #include <ctype.h>
@ -19,6 +17,8 @@
 #include <netinet/tcp.h>
 #include <netinet/udp.h>

+#include "packet_queue.h"
+#include "protocol.h"

 //#define HASH_BLOOM 20
 #define HASH_NONFATAL_OOM 1
@ -53,16 +53,6 @@ typedef struct {
 // FIN - FIN or RST received
 typedef enum {SYN=0, ESTABLISHED, FIN} t_connstate;

-typedef enum {UNKNOWN=0, HTTP, TLS, QUIC, WIREGUARD, DHT} t_l7proto;
-#define L7_PROTO_HTTP		0x00000001
-#define L7_PROTO_TLS		0x00000002
-#define L7_PROTO_QUIC		0x00000004
-#define L7_PROTO_WIREGUARD	0x00000008
-#define L7_PROTO_DHT		0x00000010
-#define L7_PROTO_UNKNOWN	0x80000000
-const char *l7proto_str(t_l7proto l7);
-bool l7_proto_match(t_l7proto l7proto, uint32_t filter_l7);
-
 typedef struct
 {
 	bool bCheckDone, bCheckResult, bCheckExcluded; // hostlist check result cache
--- a/nfq/darkmagic.c
+++ b/nfq/darkmagic.c
@ -163,7 +163,7 @@ static void fill_udphdr(struct udphdr *udp, uint16_t nsport, uint16_t ndport, ui
 	udp->uh_sum = 0;
 }

-static void fill_iphdr(struct ip *ip, const struct in_addr *src, const struct in_addr *dst, uint16_t pktlen, uint8_t proto, uint8_t ttl, uint8_t tos)
+static void fill_iphdr(struct ip *ip, const struct in_addr *src, const struct in_addr *dst, uint16_t pktlen, uint8_t proto, uint8_t ttl, uint8_t tos, uint16_t ip_id)
 {
 	ip->ip_tos = tos;
 	ip->ip_sum = 0;
@ -171,7 +171,7 @@ static void fill_iphdr(struct ip *ip, const struct in_addr *src, const struct in
 	ip->ip_v = 4;
 	ip->ip_hl = 5;
 	ip->ip_len = htons(pktlen);
-	ip->ip_id = 0;
+	ip->ip_id = ip_id;
 	ip->ip_ttl = ttl;
 	ip->ip_p = proto;
 	ip->ip_src = *src;
@ -196,6 +196,7 @@ bool prepare_tcp_segment4(
 	uint32_t *timestamps,
 	uint8_t ttl,
 	uint8_t tos,
+	uint16_t ip_id,
 	uint32_t fooling,
 	uint32_t badseq_increment,
 	uint32_t badseq_ack_increment,
@ -211,7 +212,7 @@ bool prepare_tcp_segment4(
 	struct tcphdr *tcp = (struct tcphdr*)(ip+1);
 	uint8_t *payload = (uint8_t*)(tcp+1)+tcpoptlen;

-	fill_iphdr(ip, &src->sin_addr, &dst->sin_addr, pktlen, IPPROTO_TCP, ttl, tos);
+	fill_iphdr(ip, &src->sin_addr, &dst->sin_addr, pktlen, IPPROTO_TCP, ttl, tos, ip_id);
 	fill_tcphdr(tcp,fooling,tcp_flags,nseq,nack_seq,src->sin_port,dst->sin_port,nwsize,scale_factor,timestamps,badseq_increment,badseq_ack_increment,len);

 	memcpy(payload,data,len);
@ -314,7 +315,9 @@ bool prepare_tcp_segment(
 	uint8_t scale_factor,
 	uint32_t *timestamps,
 	uint8_t ttl,
-	uint8_t tos, uint32_t flow_label,
+	uint8_t tos,
+	uint16_t ip_id,
+	uint32_t flow_label,
 	uint32_t fooling,
 	uint32_t badseq_increment,
 	uint32_t badseq_ack_increment,
@ -322,7 +325,7 @@ bool prepare_tcp_segment(
 	uint8_t *buf, size_t *buflen)
 {
 	return (src->sa_family==AF_INET && dst->sa_family==AF_INET) ?
-		prepare_tcp_segment4((struct sockaddr_in *)src,(struct sockaddr_in *)dst,tcp_flags,nseq,nack_seq,nwsize,scale_factor,timestamps,ttl,tos,fooling,badseq_increment,badseq_ack_increment,data,len,buf,buflen) :
+		prepare_tcp_segment4((struct sockaddr_in *)src,(struct sockaddr_in *)dst,tcp_flags,nseq,nack_seq,nwsize,scale_factor,timestamps,ttl,tos,ip_id,fooling,badseq_increment,badseq_ack_increment,data,len,buf,buflen) :
 		(src->sa_family==AF_INET6 && dst->sa_family==AF_INET6) ?
 		prepare_tcp_segment6((struct sockaddr_in6 *)src,(struct sockaddr_in6 *)dst,tcp_flags,nseq,nack_seq,nwsize,scale_factor,timestamps,ttl,flow_label,fooling,badseq_increment,badseq_ack_increment,data,len,buf,buflen) :
 		false;
@ -334,6 +337,7 @@ bool prepare_udp_segment4(
 	const struct sockaddr_in *src, const struct sockaddr_in *dst,
 	uint8_t ttl,
 	uint8_t tos,
+	uint16_t ip_id,
 	uint32_t fooling,
 	const uint8_t *padding, size_t padding_size,
 	int padlen,
@ -357,7 +361,7 @@ bool prepare_udp_segment4(
 	uint8_t *payload = (uint8_t*)(udp+1);


-	fill_iphdr(ip, &src->sin_addr, &dst->sin_addr, pktlen, IPPROTO_UDP, ttl, tos);
+	fill_iphdr(ip, &src->sin_addr, &dst->sin_addr, pktlen, IPPROTO_UDP, ttl, tos, ip_id);
 	fill_udphdr(udp, src->sin_port, dst->sin_port, datalen);

 	memcpy(payload,data,len);
@ -463,7 +467,9 @@ bool prepare_udp_segment6(
 bool prepare_udp_segment(
 	const struct sockaddr *src, const struct sockaddr *dst,
 	uint8_t ttl,
-	uint8_t tos, uint32_t flow_label,
+	uint8_t tos,
+	uint16_t ip_id,
+	uint32_t flow_label,
 	uint32_t fooling,
 	const uint8_t *padding, size_t padding_size,
 	int padlen,
@ -471,7 +477,7 @@ bool prepare_udp_segment(
 	uint8_t *buf, size_t *buflen)
 {
 	return (src->sa_family==AF_INET && dst->sa_family==AF_INET) ?
-		prepare_udp_segment4((struct sockaddr_in *)src,(struct sockaddr_in *)dst,ttl,tos,fooling,padding,padding_size,padlen,data,len,buf,buflen) :
+		prepare_udp_segment4((struct sockaddr_in *)src,(struct sockaddr_in *)dst,ttl,tos,ip_id,fooling,padding,padding_size,padlen,data,len,buf,buflen) :
 		(src->sa_family==AF_INET6 && dst->sa_family==AF_INET6) ?
 		prepare_udp_segment6((struct sockaddr_in6 *)src,(struct sockaddr_in6 *)dst,ttl,flow_label,fooling,padding,padding_size,padlen,data,len,buf,buflen) :
 		false;
@ -869,60 +875,49 @@ void proto_skip_ipv6(uint8_t **data, size_t *len, uint8_t *proto_type, uint8_t *
 	// we have garbage
 }

-void proto_dissect_l3l4(
-	uint8_t *data, size_t len,
-	struct ip **ip, struct ip6_hdr **ip6,
-	uint8_t *proto,
-	struct tcphdr **tcp,
-	struct udphdr **udp,
-	size_t *transport_len,
-	uint8_t **data_payload, size_t *len_payload)
+void proto_dissect_l3l4(uint8_t *data, size_t len,struct dissect *dis)
 {
-	*ip = NULL;
-	*ip6 = NULL;
-	*proto = 0;
-	*tcp = NULL;
-	*transport_len = 0;
-	*udp = NULL;
-	*data_payload = NULL;
-	*len_payload = 0;
+	memset(dis,0,sizeof(*dis));
+
+	dis->data_pkt = data;
+	dis->len_pkt = len;

 	if (proto_check_ipv4(data, len))
 	{
-		*ip = (struct ip *) data;
-		*proto = (*ip)->ip_p;
+		dis->ip = (struct ip *) data;
+		dis->proto = dis->ip->ip_p;
 		proto_skip_ipv4(&data, &len);
 	}
 	else if (proto_check_ipv6(data, len))
 	{
-		*ip6 = (struct ip6_hdr *) data;
-		proto_skip_ipv6(&data, &len, proto, NULL);
+		dis->ip6 = (struct ip6_hdr *) data;
+		proto_skip_ipv6(&data, &len, &dis->proto, NULL);
 	}
 	else
 	{
 		return;
 	}

-	if (*proto==IPPROTO_TCP && proto_check_tcp(data, len))
+	if (dis->proto==IPPROTO_TCP && proto_check_tcp(data, len))
 	{
-		*tcp = (struct tcphdr *) data;
-		*transport_len = len;
+		dis->tcp = (struct tcphdr *) data;
+		dis->transport_len = len;

 		proto_skip_tcp(&data, &len);

-		*data_payload = data;
-		*len_payload = len;
+		dis->data_payload = data;
+		dis->len_payload = len;

 	}
-	else if (*proto==IPPROTO_UDP && proto_check_udp(data, len))
+	else if (dis->proto==IPPROTO_UDP && proto_check_udp(data, len))
 	{
-		*udp = (struct udphdr *) data;
-		*transport_len = len;
+		dis->udp = (struct udphdr *) data;
+		dis->transport_len = len;

 		proto_skip_udp(&data, &len);

-		*data_payload = data;
-		*len_payload = len;
+		dis->data_payload = data;
+		dis->len_payload = len;
 	}
 }

@ -1752,7 +1747,9 @@ nofix:
 	bytes = sendto(sock, data, len, 0, (struct sockaddr*)&dst2, salen);
 	if (bytes==-1)
 	{
-		DLOG_PERROR("rawsend: sendto");
+		char s[40];
+		snprintf(s,sizeof(s),"rawsend: sendto (%zu)",len);
+		DLOG_PERROR(s);
 		return false;
 	}
 	return true;
@ -1882,3 +1879,34 @@ void verdict_udp_csum_fix(uint8_t verdict, struct udphdr *udphdr, size_t transpo
 			udp_fix_checksum(udphdr,transport_len,ip,ip6hdr);
 	}
 }
+
+void dbgprint_socket_buffers(int fd)
+{
+	if (params.debug)
+	{
+		int v;
+		socklen_t sz;
+		sz = sizeof(int);
+		if (!getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &v, &sz))
+			DLOG("fd=%d SO_RCVBUF=%d\n", fd, v);
+			sz = sizeof(int);
+		if (!getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &v, &sz))
+			DLOG("fd=%d SO_SNDBUF=%d\n", fd, v);
+	}
+}
+bool set_socket_buffers(int fd, int rcvbuf, int sndbuf)
+{
+	DLOG("set_socket_buffers fd=%d rcvbuf=%d sndbuf=%d\n", fd, rcvbuf, sndbuf);
+	if (rcvbuf && setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &rcvbuf, sizeof(int)) < 0)
+	{
+		DLOG_PERROR("setsockopt (SO_RCVBUF)");
+		return false;
+	}
+	if (sndbuf && setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &sndbuf, sizeof(int)) < 0)
+	{
+		DLOG_PERROR("setsockopt (SO_SNDBUF)");
+		return false;
+	}
+	dbgprint_socket_buffers(fd);
+	return true;
+}
--- a/nfq/darkmagic.h
+++ b/nfq/darkmagic.h
@ -22,6 +22,7 @@
 #endif

 #ifdef __CYGWIN__
+#define INITGUID
 #include "windivert/windivert.h"
 #endif

@ -60,6 +61,7 @@ uint32_t net16_add(uint16_t netorder_value, uint16_t cpuorder_increment);
 #define VERDICT_NOCSUM	4

 #define IP4_TOS(ip_header) (ip_header ? ip_header->ip_tos : 0)
+#define IP4_IP_ID(ip_header) (ip_header ? ip_header->ip_id : 0)
 #define IP6_FLOW(ip6_header) (ip6_header ? ip6_header->ip6_ctlun.ip6_un1.ip6_un1_flow : 0)

 // seq and wsize have network byte order
@ -72,6 +74,7 @@ bool prepare_tcp_segment4(
 	uint32_t *timestamps,
 	uint8_t ttl,
 	uint8_t tos,
+	uint16_t ip_id,
 	uint32_t fooling,
 	uint32_t badseq_increment,
 	uint32_t badseq_ack_increment,
@ -99,7 +102,9 @@ bool prepare_tcp_segment(
 	uint8_t scale_factor,
 	uint32_t *timestamps,
 	uint8_t ttl,
-	uint8_t tos, uint32_t flow_label,
+	uint8_t tos,
+	uint16_t ip_id,
+	uint32_t flow_label,
 	uint32_t fooling,
 	uint32_t badseq_increment,
 	uint32_t badseq_ack_increment,
@ -111,6 +116,7 @@ bool prepare_udp_segment4(
 	const struct sockaddr_in *src, const struct sockaddr_in *dst,
 	uint8_t ttl,
 	uint8_t tos,
+	uint16_t ip_id,
 	uint32_t fooling,
 	const uint8_t *padding, size_t padding_size,
 	int padlen,
@ -128,7 +134,9 @@ bool prepare_udp_segment6(
 bool prepare_udp_segment(
 	const struct sockaddr *src, const struct sockaddr *dst,
 	uint8_t ttl,
-	uint8_t tos, uint32_t flow_label,
+	uint8_t tos,
+	uint16_t ip_id,
+	uint32_t flow_label,
 	uint32_t fooling,
 	const uint8_t *padding, size_t padding_size,
 	int padlen,
@ -210,14 +218,20 @@ bool proto_check_tcp(const uint8_t *data, size_t len);
 void proto_skip_tcp(uint8_t **data, size_t *len);
 bool proto_check_udp(const uint8_t *data, size_t len);
 void proto_skip_udp(uint8_t **data, size_t *len);
-void proto_dissect_l3l4(
-	uint8_t *data, size_t len,
-	struct ip **ip, struct ip6_hdr **ip6,
-	uint8_t *proto,
-	struct tcphdr **tcp,
-	struct udphdr **udp,
-	size_t *transport_len,
-	uint8_t **data_payload, size_t *len_payload);
+struct dissect
+{
+	uint8_t *data_pkt;
+	size_t len_pkt;
+	struct ip *ip;
+	struct ip6_hdr *ip6;
+	uint8_t proto;
+	struct tcphdr *tcp;
+	struct udphdr *udp;
+	size_t transport_len;
+	uint8_t *data_payload;
+	size_t len_payload;
+};
+void proto_dissect_l3l4(uint8_t *data, size_t len,struct dissect *dis);

 bool tcp_synack_segment(const struct tcphdr *tcphdr);
 bool tcp_syn_segment(const struct tcphdr *tcphdr);
@ -241,3 +255,6 @@ void do_nat(bool bOutbound, struct ip *ip, struct ip6_hdr *ip6, struct tcphdr *t

 void verdict_tcp_csum_fix(uint8_t verdict, struct tcphdr *tcphdr, size_t transport_len, struct ip *ip, struct ip6_hdr *ip6hdr);
 void verdict_udp_csum_fix(uint8_t verdict, struct udphdr *udphdr, size_t transport_len, struct ip *ip, struct ip6_hdr *ip6hdr);
+
+void dbgprint_socket_buffers(int fd);
+bool set_socket_buffers(int fd, int rcvbuf, int sndbuf);
--- a/nfq/desync.c
+++ b/nfq/desync.c
--- a/nfq/desync.h
+++ b/nfq/desync.h
@ -28,10 +28,10 @@ enum dpi_desync_mode {
 	DESYNC_RSTACK,
 	DESYNC_SYNACK,
 	DESYNC_SYNDATA,
-	DESYNC_DISORDER,
-	DESYNC_DISORDER2,
-	DESYNC_SPLIT,
-	DESYNC_SPLIT2,
+	DESYNC_FAKEDSPLIT,
+	DESYNC_FAKEDDISORDER,
+	DESYNC_MULTISPLIT,
+	DESYNC_MULTIDISORDER,
 	DESYNC_IPFRAG2,
 	DESYNC_HOPBYHOP,
 	DESYNC_DESTOPT,
@ -41,7 +41,7 @@ enum dpi_desync_mode {
 };

 extern const char *fake_http_request_default;
-extern const uint8_t fake_tls_clienthello_default[648];
+extern const uint8_t fake_tls_clienthello_default[680];
 void randomize_default_tls_payload(uint8_t *p);

 enum dpi_desync_mode desync_mode_from_string(const char *s);
@ -52,5 +52,4 @@ bool desync_valid_second_stage(enum dpi_desync_mode mode);
 bool desync_valid_second_stage_tcp(enum dpi_desync_mode mode);
 bool desync_valid_second_stage_udp(enum dpi_desync_mode mode);

-void desync_init(void);
 uint8_t dpi_desync_packet(uint32_t fwmark, const char *ifout, uint8_t *data_pkt, size_t *len_pkt);
--- a/nfq/gzip.c
+++ b/nfq/gzip.c
@ -65,11 +65,8 @@ int z_readfile(FILE *F, char **buf, size_t *size)

 zerr:
 	inflateEnd(&zs);
-	if (*buf)
-	{
 	free(*buf);
 	*buf = NULL;
-	}
 	return r;
 }

--- a/nfq/helpers.c
+++ b/nfq/helpers.c
@ -5,11 +5,32 @@
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
+#include <stdlib.h>
 #include <ctype.h>
 #include <sys/stat.h>
 #include <libgen.h>
+#include <fcntl.h>
+
+int unique_size_t(size_t *pu, int ct)
+{
+	int i, j, u;
+	for (i = j = 0; j < ct; i++)
+	{
+		u = pu[j++];
+		for (; j < ct && pu[j] == u; j++);
+		pu[i] = u;
+	}
+	return i;
+}
+static int cmp_size_t(const void * a, const void * b)
+{
+	return *(size_t*)a < *(size_t*)b ? -1 : *(size_t*)a > *(size_t*)b;
+}
+void qsort_size_t(size_t *array,size_t ct)
+{
+	qsort(array,ct,sizeof(*array),cmp_size_t);
+}

-#include "params.h"

 void rtrim(char *s)
 {
@ -43,22 +64,6 @@ char *strncasestr(const char *s, const char *find, size_t slen)
 	return (char *)s;
 }

-void hexdump_limited_dlog(const uint8_t *data, size_t size, size_t limit)
-{
-	size_t k;
-	bool bcut = false;
-	if (size > limit)
-	{
-		size = limit;
-		bcut = true;
-	}
-	if (!size) return;
-	for (k = 0; k < size; k++) DLOG("%02X ", data[k]);
-	DLOG(bcut ? "... : " : ": ");
-	for (k = 0; k < size; k++) DLOG("%c", data[k] >= 0x20 && data[k] <= 0x7F ? (char)data[k] : '.');
-	if (bcut) DLOG(" ...");
-}
-

 bool load_file(const char *filename, void *buffer, size_t *buffer_size)
 {
@ -199,38 +204,6 @@ uint16_t saport(const struct sockaddr *sa)
 		     sa->sa_family==AF_INET6 ? ((struct sockaddr_in6*)sa)->sin6_port : 0);
 }

-void dbgprint_socket_buffers(int fd)
-{
-	if (params.debug)
-	{
-		int v;
-		socklen_t sz;
-		sz = sizeof(int);
-		if (!getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &v, &sz))
-			DLOG("fd=%d SO_RCVBUF=%d\n", fd, v);
-			sz = sizeof(int);
-		if (!getsockopt(fd, SOL_SOCKET, SO_SNDBUF, &v, &sz))
-			DLOG("fd=%d SO_SNDBUF=%d\n", fd, v);
-	}
-}
-bool set_socket_buffers(int fd, int rcvbuf, int sndbuf)
-{
-	DLOG("set_socket_buffers fd=%d rcvbuf=%d sndbuf=%d\n", fd, rcvbuf, sndbuf);
-	if (rcvbuf && setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &rcvbuf, sizeof(int)) < 0)
-	{
-		DLOG_PERROR("setsockopt (SO_RCVBUF)");
-		close(fd);
-		return false;
-	}
-	if (sndbuf && setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &sndbuf, sizeof(int)) < 0)
-	{
-		DLOG_PERROR("setsockopt (SO_SNDBUF)");
-		close(fd);
-		return false;
-	}
-	dbgprint_socket_buffers(fd);
-	return true;
-}

 uint64_t pntoh64(const void *p)
 {
@ -328,6 +301,29 @@ time_t file_mod_time(const char *filename)
 	struct stat st;
 	return stat(filename,&st)==-1 ? 0 : st.st_mtime;
 }
+bool file_mod_signature(const char *filename, file_mod_sig *ms)
+{
+	struct stat st;
+	if (stat(filename,&st)==-1)
+	{
+		FILE_MOD_RESET(ms);
+		return false;
+	}
+	ms->mod_time=st.st_mtime;
+	ms->size=st.st_size;
+	return true;
+}
+
+bool file_open_test(const char *filename, int flags)
+{
+	int fd = open(filename,flags);
+	if (fd>=0)
+	{
+		close(fd);
+		return true;
+	}
+	return false;
+}

 bool pf_in_range(uint16_t port, const port_filter *pf)
 {
@ -395,14 +391,20 @@ void fill_random_az09(uint8_t *p,size_t sz)
 	}
 }

-bool cd_to_exe_dir(const char *argv0)
+void set_console_io_buffering(void)
+{
+	setvbuf(stdout, NULL, _IOLBF, 0);
+	setvbuf(stderr, NULL, _IOLBF, 0);
+}
+
+bool set_env_exedir(const char *argv0)
 {
 	char *s,*d;
 	bool bOK=false;
 	if ((s = strdup(argv0)))
 	{
 		if ((d = dirname(s)))
-			bOK = !chdir(d);
+			setenv("EXEDIR",s,1);
 		free(s);
 	}
 	return bOK;
--- a/nfq/helpers.h
+++ b/nfq/helpers.h
@ -17,11 +17,13 @@ typedef union
 	char _align[32];		// force 16-byte alignment for ip6_and int128 ops
 } sockaddr_in46;

+int unique_size_t(size_t *pu, int ct);
+void qsort_size_t(size_t *array,size_t ct);
+
 void rtrim(char *s);
 void replace_char(char *s, char from, char to);
 char *strncasestr(const char *s,const char *find, size_t slen);

-void hexdump_limited_dlog(const uint8_t *data, size_t size, size_t limit);
 bool load_file(const char *filename,void *buffer,size_t *buffer_size);
 bool load_file_nonempty(const char *filename,void *buffer,size_t *buffer_size);
 bool save_file(const char *filename, const void *buffer, size_t buffer_size);
@ -37,9 +39,6 @@ uint16_t saport(const struct sockaddr *sa);

 bool seq_within(uint32_t s, uint32_t s1, uint32_t s2);

-void dbgprint_socket_buffers(int fd);
-bool set_socket_buffers(int fd, int rcvbuf, int sndbuf);
-
 uint64_t pntoh64(const void *p);
 void phton64(uint8_t *p, uint64_t v);

@ -52,6 +51,14 @@ static inline void phton16(uint8_t *p, uint16_t v) {
 	p[0] = (uint8_t)(v >> 8);
 	p[1] = v & 0xFF;
 }
+static inline uint32_t pntoh24(const uint8_t *p) {
+	return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | (uint32_t)p[2];
+}
+static inline void phton24(uint8_t *p, uint32_t v) {
+	p[0] = (uint8_t)(v>>16);
+	p[1] = (uint8_t)(v>>8);
+	p[2] = (uint8_t)v;
+}
 static inline uint32_t pntoh32(const uint8_t *p) {
 	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
 }
@ -61,7 +68,16 @@ void fill_pattern(uint8_t *buf,size_t bufsize,const void *pattern,size_t patsize

 int fprint_localtime(FILE *F);

+typedef struct
+{
+	time_t mod_time;
+	off_t size;
+} file_mod_sig;
+#define FILE_MOD_COMPARE(ms1,ms2) (((ms1)->mod_time==(ms2)->mod_time) && ((ms1)->size==(ms2)->size))
+#define FILE_MOD_RESET(ms) memset(ms,0,sizeof(file_mod_sig))
+bool file_mod_signature(const char *filename, file_mod_sig *ms);
 time_t file_mod_time(const char *filename);
+bool file_open_test(const char *filename, int flags);

 typedef struct
 {
@ -76,7 +92,8 @@ void fill_random_bytes(uint8_t *p,size_t sz);
 void fill_random_az(uint8_t *p,size_t sz);
 void fill_random_az09(uint8_t *p,size_t sz);

-bool cd_to_exe_dir(const char *argv0);
+void set_console_io_buffering(void);
+bool set_env_exedir(const char *argv0);


 struct cidr4
--- a/nfq/hostlist.c
+++ b/nfq/hostlist.c
@ -4,7 +4,7 @@
 #include "helpers.h"

 // inplace tolower() and add to pool
-static bool addpool(strpool **hostlist, char **s, const char *end, int *ct)
+static bool addpool(hostlist_pool **hostlist, char **s, const char *end, int *ct)
 {
 	char *p=*s;

@ -17,14 +17,20 @@ static bool addpool(strpool **hostlist, char **s, const char *end, int *ct)
 	else
 	{
 		// advance until eol lowering all chars
-		for (; p<end && *p && *p!='\r' && *p != '\n'; p++) *p=tolower(*p);
-		if (!StrPoolAddStrLen(hostlist, *s, p-*s))
+		uint32_t flags = 0;
+		if (*p=='^')
 		{
-			StrPoolDestroy(hostlist);
+			p = ++(*s);
+			flags |= HOSTLIST_POOL_FLAG_STRICT_MATCH;
+		}
+		for (; p<end && *p && *p!='\r' && *p != '\n'; p++) *p=tolower(*p);
+		if (!HostlistPoolAddStrLen(hostlist, *s, p-*s, flags))
+		{
+			HostlistPoolDestroy(hostlist);
 			*hostlist = NULL;
 			return false;
 		}
-		(*ct)++;
+		if (ct) (*ct)++;
 	}
 	// advance to the next line
 	for (; p<end && (!*p || *p=='\r' || *p=='\n') ; p++);
@ -32,7 +38,12 @@ static bool addpool(strpool **hostlist, char **s, const char *end, int *ct)
 	return true;
 }

-bool AppendHostList(strpool **hostlist, const char *filename)
+bool AppendHostlistItem(hostlist_pool **hostlist, char *s)
+{
+	return addpool(hostlist,&s,s+strlen(s),NULL);
+}
+
+bool AppendHostList(hostlist_pool **hostlist, const char *filename)
 {
 	char *p, *e, s[256], *zbuf;
 	size_t zsize;
@ -98,21 +109,25 @@ bool AppendHostList(strpool **hostlist, const char *filename)

 static bool LoadHostList(struct hostlist_file *hfile)
 {
-	time_t t = file_mod_time(hfile->filename);
-	if (!t)
+	if (hfile->filename)
+	{
+		file_mod_sig fsig;
+		if (!file_mod_signature(hfile->filename, &fsig))
 		{
 			// stat() error
+			DLOG_PERROR("file_mod_signature");
 			DLOG_ERR("cannot access hostlist file '%s'. in-memory content remains unchanged.\n",hfile->filename);
 			return true;
 		}
-	if (t==hfile->mod_time) return true; // up to date
-	StrPoolDestroy(&hfile->hostlist);
+		if (FILE_MOD_COMPARE(&hfile->mod_sig,&fsig)) return true; // up to date
+		HostlistPoolDestroy(&hfile->hostlist);
 		if (!AppendHostList(&hfile->hostlist, hfile->filename))
 		{
-		StrPoolDestroy(&hfile->hostlist);
+			HostlistPoolDestroy(&hfile->hostlist);
 			return false;
 		}
-	hfile->mod_time=t;
+		hfile->mod_sig=fsig;
+	}
 	return true;
 }
 static bool LoadHostLists(struct hostlist_files_head *list)
@ -129,10 +144,10 @@ static bool LoadHostLists(struct hostlist_files_head *list)
 	return bres;
 }

-bool NonEmptyHostlist(strpool **hostlist)
+bool NonEmptyHostlist(hostlist_pool **hostlist)
 {
 	// add impossible hostname if the list is empty
-	return *hostlist ? true : StrPoolAddStrLen(hostlist, "@&()", 4);
+	return *hostlist ? true : HostlistPoolAddStrLen(hostlist, "@&()", 4, 0);
 }

 static void MakeAutolistsNonEmpty()
@ -155,19 +170,34 @@ bool LoadAllHostLists()



-static bool SearchHostList(strpool *hostlist, const char *host)
+static bool SearchHostList(hostlist_pool *hostlist, const char *host)
 {
 	if (hostlist)
 	{
 		const char *p = host;
-		bool bInHostList;
+		const struct hostlist_pool *hp;
+		bool bHostFull=true;
 		while (p)
 		{
-			bInHostList = StrPoolCheckStr(hostlist, p);
-			DLOG("hostlist check for %s : %s\n", p, bInHostList ? "positive" : "negative");
-			if (bInHostList) return true;
+			DLOG("hostlist check for %s : ", p);
+			hp = HostlistPoolGetStr(hostlist, p);
+			if (hp)
+			{
+				if ((hp->flags & HOSTLIST_POOL_FLAG_STRICT_MATCH) && !bHostFull)
+				{
+					DLOG("negative : strict_mismatch : %s != %s\n", p, host);
+				}
+				else
+				{
+					DLOG("positive\n");
+					return true;
+				}
+			}
+			else
+				DLOG("negative\n");
 			p = strchr(p, '.');
 			if (p) p++;
+			bHostFull = false;
 		}
 	}
 	return false;
@ -202,7 +232,7 @@ static bool HostlistCheck_(const struct hostlist_collection_head *hostlists, con

 	LIST_FOREACH(item, hostlists_exclude, next)
 	{
-		DLOG("[%s] exclude ", item->hfile->filename);
+		DLOG("[%s] exclude ", item->hfile->filename ? item->hfile->filename : "fixed");
 		if (SearchHostList(item->hfile->hostlist, host))
 		{
 			if (excluded) *excluded = true;
@ -214,7 +244,7 @@ static bool HostlistCheck_(const struct hostlist_collection_head *hostlists, con
 	{
 		LIST_FOREACH(item, hostlists, next)
 		{
-			DLOG("[%s] include ", item->hfile->filename);
+			DLOG("[%s] include ", item->hfile->filename ? item->hfile->filename : "fixed");
 			if (SearchHostList(item->hfile->hostlist, host))
 				return true;
 		}
@ -235,17 +265,29 @@ bool HostlistCheck(const struct desync_profile *dp, const char *host, bool *excl
 static struct hostlist_file *RegisterHostlist_(struct hostlist_files_head *hostlists, struct hostlist_collection_head *hl_collection, const char *filename)
 {
 	struct hostlist_file *hfile;
+
+	if (filename)
+	{
 		if (!(hfile=hostlist_files_search(hostlists, filename)))
 			if (!(hfile=hostlist_files_add(hostlists, filename)))
 				return NULL;
 		if (!hostlist_collection_search(hl_collection, filename))
 			if (!hostlist_collection_add(hl_collection, hfile))
 				return NULL;
+	}
+	else
+	{
+		if (!(hfile=hostlist_files_add(hostlists, NULL)))
+			return NULL;
+		if (!hostlist_collection_add(hl_collection, hfile))
+			return NULL;
+	}
+
 	return hfile;
 }
 struct hostlist_file *RegisterHostlist(struct desync_profile *dp, bool bExclude, const char *filename)
 {
-	if (!file_mod_time(filename))
+	if (filename && !file_mod_time(filename))
 	{
 		DLOG_ERR("cannot access hostlist file '%s'\n",filename);
 		return NULL;
@ -265,15 +307,30 @@ void HostlistsDebug()
 	struct hostlist_item *hl_item;

 	LIST_FOREACH(hfile, &params.hostlists, next)
+	{
+		if (hfile->filename)
 			DLOG("hostlist file %s%s\n",hfile->filename,hfile->hostlist ? "" : " (empty)");
+		else
+			DLOG("hostlist fixed%s\n",hfile->hostlist ? "" : " (empty)");
+	}

 	LIST_FOREACH(dpl, &params.desync_profiles, next)
 	{
 		LIST_FOREACH(hl_item, &dpl->dp.hl_collection, next)
 			if (hl_item->hfile!=dpl->dp.hostlist_auto)
+			{
+				if (hl_item->hfile->filename)
 					DLOG("profile %d include hostlist %s%s\n",dpl->dp.n, hl_item->hfile->filename,hl_item->hfile->hostlist ? "" : " (empty)");
+				else
+					DLOG("profile %d include fixed hostlist%s\n",dpl->dp.n, hl_item->hfile->hostlist ? "" : " (empty)");
+			}
 		LIST_FOREACH(hl_item, &dpl->dp.hl_collection_exclude, next)
+		{
+			if (hl_item->hfile->filename)
 				DLOG("profile %d exclude hostlist %s%s\n",dpl->dp.n,hl_item->hfile->filename,hl_item->hfile->hostlist ? "" : " (empty)");
+			else
+				DLOG("profile %d exclude fixed hostlist%s\n",dpl->dp.n,hl_item->hfile->hostlist ? "" : " (empty)");
+		}
 		if (dpl->dp.hostlist_auto)
 			DLOG("profile %d auto hostlist %s%s\n",dpl->dp.n,dpl->dp.hostlist_auto->filename,dpl->dp.hostlist_auto->hostlist ? "" : " (empty)");
 	}
--- a/nfq/hostlist.h
+++ b/nfq/hostlist.h
@ -4,11 +4,14 @@
 #include "pools.h"
 #include "params.h"

-bool AppendHostList(strpool **hostlist, const char *filename);
+bool AppendHostlistItem(hostlist_pool **hostlist, char *s);
+bool AppendHostList(hostlist_pool **hostlist, const char *filename);
 bool LoadAllHostLists();
-bool NonEmptyHostlist(strpool **hostlist);
+bool NonEmptyHostlist(hostlist_pool **hostlist);
 // return : true = apply fooling, false = do not apply
 bool HostlistCheck(const struct desync_profile *dp,const char *host, bool *excluded, bool bSkipReloadCheck);
 struct hostlist_file *RegisterHostlist(struct desync_profile *dp, bool bExclude, const char *filename);
 bool HostlistsReloadCheckForProfile(const struct desync_profile *dp);
 void HostlistsDebug();
+
+#define ResetAllHostlistsModTime() hostlist_files_reset_modtime(&params.hostlists)
--- a/nfq/ipset.c
+++ b/nfq/ipset.c
@ -31,7 +31,7 @@ static bool addpool(ipset *ips, char **s, const char *end, int *ct)
 				ipsetDestroy(ips);
 				return false;
 			}
-			(*ct)++;
+			if (ct) (*ct)++;
 		}
 		else if (parse_cidr6(cidr,&c6))
 		{
@ -40,7 +40,7 @@ static bool addpool(ipset *ips, char **s, const char *end, int *ct)
 				ipsetDestroy(ips);
 				return false;
 			}
-			(*ct)++;
+			if (ct) (*ct)++;
 		}
 		else
 			DLOG_ERR("bad ip or subnet : %s\n",cidr);
@ -53,6 +53,11 @@ static bool addpool(ipset *ips, char **s, const char *end, int *ct)

 }

+bool AppendIpsetItem(ipset *ips, char *ip)
+{
+	return addpool(ips,&ip,ip+strlen(ip),NULL);
+}
+
 static bool AppendIpset(ipset *ips, const char *filename)
 {
 	char *p, *e, s[256], *zbuf;
@ -119,21 +124,25 @@ static bool AppendIpset(ipset *ips, const char *filename)

 static bool LoadIpset(struct ipset_file *hfile)
 {
-	time_t t = file_mod_time(hfile->filename);
-	if (!t)
+	if (hfile->filename)
+	{
+		file_mod_sig fsig;
+		if (!file_mod_signature(hfile->filename, &fsig))
 		{
 			// stat() error
+			DLOG_PERROR("file_mod_signature");
 			DLOG_ERR("cannot access ipset file '%s'. in-memory content remains unchanged.\n",hfile->filename);
 			return true;
 		}
-	if (t==hfile->mod_time) return true; // up to date
+		if (FILE_MOD_COMPARE(&hfile->mod_sig,&fsig)) return true; // up to date
 		ipsetDestroy(&hfile->ipset);
 		if (!AppendIpset(&hfile->ipset, hfile->filename))
 		{
 			ipsetDestroy(&hfile->ipset);
 			return false;
 		}
-	hfile->mod_time=t;
+		hfile->mod_sig=fsig;
+	}
 	return true;
 }
 static bool LoadIpsets(struct ipset_files_head *list)
@ -205,7 +214,7 @@ static bool IpsetCheck_(const struct ipset_collection_head *ips, const struct ip

 	LIST_FOREACH(item, ips_exclude, next)
 	{
-		DLOG("[%s] exclude ",item->hfile->filename);
+		DLOG("[%s] exclude ",item->hfile->filename ? item->hfile->filename : "fixed");
 		if (SearchIpset(&item->hfile->ipset, ipv4, ipv6))
 			return false;
 	}
@ -214,7 +223,7 @@ static bool IpsetCheck_(const struct ipset_collection_head *ips, const struct ip
 	{
 		LIST_FOREACH(item, ips, next)
 		{
-			DLOG("[%s] include ",item->hfile->filename);
+			DLOG("[%s] include ",item->hfile->filename ? item->hfile->filename : "fixed");
 			if (SearchIpset(&item->hfile->ipset, ipv4, ipv6))
 				return true;
 		}
@ -234,17 +243,27 @@ bool IpsetCheck(const struct desync_profile *dp, const struct in_addr *ipv4, con
 static struct ipset_file *RegisterIpset_(struct ipset_files_head *ipsets, struct ipset_collection_head *ips_collection, const char *filename)
 {
 	struct ipset_file *hfile;
+	if (filename)
+	{
 		if (!(hfile=ipset_files_search(ipsets, filename)))
 			if (!(hfile=ipset_files_add(ipsets, filename)))
 				return NULL;
 		if (!ipset_collection_search(ips_collection, filename))
 			if (!ipset_collection_add(ips_collection, hfile))
 				return NULL;
+	}
+	else
+	{
+		if (!(hfile=ipset_files_add(ipsets, NULL)))
+			return NULL;
+		if (!ipset_collection_add(ips_collection, hfile))
+			return NULL;
+	}
 	return hfile;
 }
 struct ipset_file *RegisterIpset(struct desync_profile *dp, bool bExclude, const char *filename)
 {
-	if (!file_mod_time(filename))
+	if (filename && !file_mod_time(filename))
 	{
 		DLOG_ERR("cannot access ipset file '%s'\n",filename);
 		return NULL;
@ -277,13 +296,24 @@ void IpsetsDebug()
 	struct ipset_item *ips_item;

 	LIST_FOREACH(hfile, &params.ipsets, next)
+	{
+		if (hfile->filename)
 			DLOG("ipset file %s (%s)\n",hfile->filename,dbg_ipset_fill(&hfile->ipset));
+		else
+			DLOG("ipset fixed (%s)\n",dbg_ipset_fill(&hfile->ipset));
+	}

 	LIST_FOREACH(dpl, &params.desync_profiles, next)
 	{
 		LIST_FOREACH(ips_item, &dpl->dp.ips_collection, next)
+			if (ips_item->hfile->filename)
 				DLOG("profile %d include ipset %s (%s)\n",dpl->dp.n,ips_item->hfile->filename,dbg_ipset_fill(&ips_item->hfile->ipset));
+			else
+				DLOG("profile %d include fixed ipset (%s)\n",dpl->dp.n,dbg_ipset_fill(&ips_item->hfile->ipset));
 		LIST_FOREACH(ips_item, &dpl->dp.ips_collection_exclude, next)
+			if (ips_item->hfile->filename)
 				DLOG("profile %d exclude ipset %s (%s)\n",dpl->dp.n,ips_item->hfile->filename,dbg_ipset_fill(&ips_item->hfile->ipset));
+			else
+				DLOG("profile %d exclude fixed ipset (%s)\n",dpl->dp.n,dbg_ipset_fill(&ips_item->hfile->ipset));
 	}
 }
--- a/nfq/ipset.h
+++ b/nfq/ipset.h
@ -9,3 +9,6 @@ bool LoadAllIpsets();
 bool IpsetCheck(const struct desync_profile *dp, const struct in_addr *ipv4, const struct in6_addr *ipv6);
 struct ipset_file *RegisterIpset(struct desync_profile *dp, bool bExclude, const char *filename);
 void IpsetsDebug();
+bool AppendIpsetItem(ipset *ips, char *ip);
+
+#define ResetAllIpsetModTime() ipset_files_reset_modtime(&params.ipsets)
--- a/nfq/nfqws.c
+++ b/nfq/nfqws.c
--- a/nfq/params.c
+++ b/nfq/params.c
@ -65,6 +65,7 @@ static int DLOG_VA(const char *format, int syslog_priority, bool condup, va_list
 	{
 		va_copy(args2,args);
 		DLOG_CON(format,syslog_priority,args2);
+		va_end(args2);
 	}
 	if (params.debug)
 	{
@ -154,47 +155,93 @@ int HOSTLIST_DEBUGLOG_APPEND(const char *format, ...)
 		return 0;
 }

+void hexdump_limited_dlog(const uint8_t *data, size_t size, size_t limit)
+{
+	size_t k;
+	bool bcut = false;
+	if (size > limit)
+	{
+		size = limit;
+		bcut = true;
+	}
+	if (!size) return;
+	for (k = 0; k < size; k++) DLOG("%02X ", data[k]);
+	DLOG(bcut ? "... : " : ": ");
+	for (k = 0; k < size; k++) DLOG("%c", data[k] >= 0x20 && data[k] <= 0x7F ? (char)data[k] : '.');
+	if (bcut) DLOG(" ...");
+}

+void dp_init(struct desync_profile *dp)
+{
+	LIST_INIT(&dp->hl_collection);
+	LIST_INIT(&dp->hl_collection_exclude);
+	LIST_INIT(&dp->ips_collection);
+	LIST_INIT(&dp->ips_collection_exclude);
+	LIST_INIT(&dp->pf_tcp);
+	LIST_INIT(&dp->pf_udp);
+
+	memcpy(dp->hostspell, "host", 4); // default hostspell
+	dp->desync_skip_nosni = true;
+	dp->desync_ipfrag_pos_udp = IPFRAG_UDP_DEFAULT;
+	dp->desync_ipfrag_pos_tcp = IPFRAG_TCP_DEFAULT;
+	dp->desync_repeats = 1;
+	dp->fake_syndata_size = 16;
+	dp->wscale=-1; // default - dont change scale factor (client)
+	dp->desync_ttl6 = 0xFF; // unused
+	dp->desync_badseq_increment = BADSEQ_INCREMENT_DEFAULT;
+	dp->desync_badseq_ack_increment = BADSEQ_ACK_INCREMENT_DEFAULT;
+	dp->wssize_cutoff_mode = dp->desync_start_mode = dp->desync_cutoff_mode = 'n'; // packet number by default
+	dp->udplen_increment = UDPLEN_INCREMENT_DEFAULT;
+	dp->hostlist_auto_fail_threshold = HOSTLIST_AUTO_FAIL_THRESHOLD_DEFAULT;
+	dp->hostlist_auto_fail_time = HOSTLIST_AUTO_FAIL_TIME_DEFAULT;
+	dp->hostlist_auto_retrans_threshold = HOSTLIST_AUTO_RETRANS_THRESHOLD_DEFAULT;
+	dp->filter_ipv4 = dp->filter_ipv6 = true;
+}
+bool dp_fake_defaults(struct desync_profile *dp)
+{
+	struct blob_item *item;
+	if (blob_collection_empty(&dp->fake_http))
+		if (!blob_collection_add_blob(&dp->fake_http,fake_http_request_default,strlen(fake_http_request_default),0))
+			return false;
+	if (blob_collection_empty(&dp->fake_tls))
+	{
+		if (!(item=blob_collection_add_blob(&dp->fake_tls,fake_tls_clienthello_default,sizeof(fake_tls_clienthello_default),4+sizeof(((struct fake_tls_mod*)0)->sni))))
+			return false;
+		if (!(item->extra2 = malloc(sizeof(struct fake_tls_mod))))
+			return false;
+		*(struct fake_tls_mod*)item->extra2 = dp->tls_mod_last;
+	}
+	if (blob_collection_empty(&dp->fake_unknown))
+	{
+		if (!(item=blob_collection_add_blob(&dp->fake_unknown,NULL,256,0)))
+			return false;
+		memset(item->data,0,item->size);
+	}
+	if (blob_collection_empty(&dp->fake_quic))
+	{
+		if (!(item=blob_collection_add_blob(&dp->fake_quic,NULL,620,0)))
+			return false;
+		memset(item->data,0,item->size);
+		item->data[0] = 0x40;
+	}
+	struct blob_collection_head **fake,*fakes_z64[] = {&dp->fake_wg, &dp->fake_dht, &dp->fake_discord, &dp->fake_stun, &dp->fake_unknown_udp,NULL};
+	for(fake=fakes_z64;*fake;fake++)
+	{
+		if (blob_collection_empty(*fake))
+		{
+			if (!(item=blob_collection_add_blob(*fake,NULL,64,0)))
+				return false;
+			memset(item->data,0,item->size);
+		}
+	}
+	return true;
+}
 struct desync_profile_list *dp_list_add(struct desync_profile_list_head *head)
 {
 	struct desync_profile_list *entry = calloc(1,sizeof(struct desync_profile_list));
 	if (!entry) return NULL;

-	LIST_INIT(&entry->dp.hl_collection);
-	LIST_INIT(&entry->dp.hl_collection_exclude);
-	LIST_INIT(&entry->dp.ips_collection);
-	LIST_INIT(&entry->dp.ips_collection_exclude);
-	LIST_INIT(&entry->dp.pf_tcp);
-	LIST_INIT(&entry->dp.pf_udp);
-
-	memcpy(entry->dp.hostspell, "host", 4); // default hostspell
-	entry->dp.desync_skip_nosni = true;
-	entry->dp.desync_split_pos = 2;
-	entry->dp.desync_ipfrag_pos_udp = IPFRAG_UDP_DEFAULT;
-	entry->dp.desync_ipfrag_pos_tcp = IPFRAG_TCP_DEFAULT;
-	entry->dp.desync_repeats = 1;
-	entry->dp.fake_tls_size = sizeof(fake_tls_clienthello_default);
-	memcpy(entry->dp.fake_tls,fake_tls_clienthello_default,entry->dp.fake_tls_size);
-	randomize_default_tls_payload(entry->dp.fake_tls);
-	entry->dp.fake_http_size = strlen(fake_http_request_default);
-	memcpy(entry->dp.fake_http,fake_http_request_default,entry->dp.fake_http_size);
-	entry->dp.fake_quic_size = 620; // must be 601+ for TSPU hack
-	entry->dp.fake_quic[0] = 0x40; // russian TSPU QUIC short header fake
-	entry->dp.fake_wg_size = 64;
-	entry->dp.fake_dht_size = 64;
-	entry->dp.fake_unknown_size = 256;
-	entry->dp.fake_syndata_size = 16;
-	entry->dp.fake_unknown_udp_size = 64;
-	entry->dp.wscale=-1; // default - dont change scale factor (client)
-	entry->dp.desync_ttl6 = 0xFF; // unused
-	entry->dp.desync_badseq_increment = BADSEQ_INCREMENT_DEFAULT;
-	entry->dp.desync_badseq_ack_increment = BADSEQ_ACK_INCREMENT_DEFAULT;
-	entry->dp.wssize_cutoff_mode = entry->dp.desync_start_mode = entry->dp.desync_cutoff_mode = 'n'; // packet number by default
-	entry->dp.udplen_increment = UDPLEN_INCREMENT_DEFAULT;
-	entry->dp.hostlist_auto_fail_threshold = HOSTLIST_AUTO_FAIL_THRESHOLD_DEFAULT;
-	entry->dp.hostlist_auto_fail_time = HOSTLIST_AUTO_FAIL_TIME_DEFAULT;
-	entry->dp.hostlist_auto_retrans_threshold = HOSTLIST_AUTO_RETRANS_THRESHOLD_DEFAULT;
-	entry->dp.filter_ipv4 = entry->dp.filter_ipv6 = true;
+	dp_init(&entry->dp);

 	// add to the tail
 	struct desync_profile_list *dpn,*dpl=LIST_FIRST(&params.desync_profiles);
@ -208,15 +255,26 @@ struct desync_profile_list *dp_list_add(struct desync_profile_list_head *head)

 	return entry;
 }
-static void dp_entry_destroy(struct desync_profile_list *entry)
+static void dp_clear_dynamic(struct desync_profile *dp)
 {
-	hostlist_collection_destroy(&entry->dp.hl_collection);
-	hostlist_collection_destroy(&entry->dp.hl_collection_exclude);
-	ipset_collection_destroy(&entry->dp.ips_collection);
-	ipset_collection_destroy(&entry->dp.ips_collection_exclude);
-	port_filters_destroy(&entry->dp.pf_tcp);
-	port_filters_destroy(&entry->dp.pf_udp);
-	HostFailPoolDestroy(&entry->dp.hostlist_auto_fail_counters);
+	hostlist_collection_destroy(&dp->hl_collection);
+	hostlist_collection_destroy(&dp->hl_collection_exclude);
+	ipset_collection_destroy(&dp->ips_collection);
+	ipset_collection_destroy(&dp->ips_collection_exclude);
+	port_filters_destroy(&dp->pf_tcp);
+	port_filters_destroy(&dp->pf_udp);
+	HostFailPoolDestroy(&dp->hostlist_auto_fail_counters);
+	struct blob_collection_head **fake,*fakes[] = {&dp->fake_http, &dp->fake_tls, &dp->fake_unknown, &dp->fake_unknown_udp, &dp->fake_quic, &dp->fake_wg, &dp->fake_dht, &dp->fake_discord, &dp->fake_stun, NULL};
+	for(fake=fakes;*fake;fake++) blob_collection_destroy(*fake);
+}
+void dp_clear(struct desync_profile *dp)
+{
+	dp_clear_dynamic(dp);
+	memset(dp,0,sizeof(*dp));
+}
+void dp_entry_destroy(struct desync_profile_list *entry)
+{
+	dp_clear_dynamic(&entry->dp);
 	free(entry);
 }
 void dp_list_destroy(struct desync_profile_list_head *head)
--- a/nfq/params.h
+++ b/nfq/params.h
@ -14,14 +14,12 @@
 #include <stdio.h>
 #include <time.h>
 #include <sys/queue.h>
-#ifndef __OpenBSD__
+#if !defined( __OpenBSD__) && !defined(__ANDROID__)
 #include <wordexp.h>
 #endif

 #define TLS_PARTIALS_ENABLE	true

-#define Q_RCVBUF	(128*1024)	// in bytes
-#define Q_SNDBUF	(64*1024)	// in bytes
 #define RAW_SNDBUF	(64*1024)	// in bytes

 #define Q_MAXLEN	1024		// in packets
@ -38,8 +36,32 @@
 #define	HOSTLIST_AUTO_FAIL_TIME_DEFAULT 	60
 #define	HOSTLIST_AUTO_RETRANS_THRESHOLD_DEFAULT	3

+#define MAX_SPLITS	64
+
+#define FAKE_TLS_MOD_SAVE_MASK		0x0F
+#define FAKE_TLS_MOD_SET		0x01
+#define FAKE_TLS_MOD_CUSTOM_FAKE	0x02
+#define FAKE_TLS_MOD_RND		0x10
+#define FAKE_TLS_MOD_DUP_SID		0x20
+#define FAKE_TLS_MOD_RND_SNI		0x40
+#define FAKE_TLS_MOD_SNI		0x80
+#define FAKE_TLS_MOD_PADENCAP		0x100
+
+#define FAKE_MAX_TCP	1460
+#define FAKE_MAX_UDP	1472
+
 enum log_target { LOG_TARGET_CONSOLE=0, LOG_TARGET_FILE, LOG_TARGET_SYSLOG };

+struct fake_tls_mod_cache
+{
+	size_t extlen_offset, padlen_offset;
+};
+struct fake_tls_mod
+{
+	char sni[64];
+	uint32_t mod;
+};
+
 struct desync_profile
 {
 	int n;	// number of the profile
@ -49,22 +71,31 @@ struct desync_profile
 	char wssize_cutoff_mode; // n - packets, d - data packets, s - relative sequence
 	unsigned int wssize_cutoff;

-	bool hostcase, hostnospace, domcase;
+	bool hostcase, hostnospace, domcase, methodeol;
 	char hostspell[4];
 	enum dpi_desync_mode desync_mode0,desync_mode,desync_mode2;
 	bool desync_retrans,desync_skip_nosni,desync_any_proto;
-	unsigned int desync_repeats,desync_split_pos,desync_seqovl,desync_ipfrag_pos_tcp,desync_ipfrag_pos_udp;
-	enum httpreqpos desync_split_http_req;
-	enum tlspos desync_split_tls;
+	unsigned int desync_repeats,desync_ipfrag_pos_tcp,desync_ipfrag_pos_udp;
+
+	// multisplit
+	struct proto_pos splits[MAX_SPLITS];
+	int split_count;
+	struct proto_pos seqovl;
+
 	char desync_start_mode, desync_cutoff_mode; // n - packets, d - data packets, s - relative sequence
 	unsigned int desync_start, desync_cutoff;
 	uint8_t desync_ttl, desync_ttl6;
 	autottl desync_autottl, desync_autottl6;
 	uint32_t desync_fooling_mode;
 	uint32_t desync_badseq_increment, desync_badseq_ack_increment;
-	uint8_t fake_http[1460],fake_tls[1460],fake_unknown[1460],fake_syndata[1460],seqovl_pattern[1460];
-	uint8_t fake_unknown_udp[1472],udplen_pattern[1472],fake_quic[1472],fake_wg[1472],fake_dht[1472];
-	size_t fake_http_size,fake_tls_size,fake_quic_size,fake_wg_size,fake_dht_size,fake_unknown_size,fake_syndata_size,fake_unknown_udp_size;
+
+	struct blob_collection_head fake_http,fake_tls,fake_unknown,fake_unknown_udp,fake_quic,fake_wg,fake_dht,fake_discord,fake_stun;
+	uint8_t fake_syndata[FAKE_MAX_TCP],seqovl_pattern[FAKE_MAX_TCP],fsplit_pattern[FAKE_MAX_TCP],udplen_pattern[FAKE_MAX_UDP];
+	size_t fake_syndata_size;
+
+	struct fake_tls_mod tls_mod_last;
+	struct blob_item *tls_fake_last;
+
 	int udplen_increment;

 	bool filter_ipv4,filter_ipv6;
@ -93,12 +124,16 @@ struct desync_profile_list {
 };
 LIST_HEAD(desync_profile_list_head, desync_profile_list);
 struct desync_profile_list *dp_list_add(struct desync_profile_list_head *head);
+void dp_entry_destroy(struct desync_profile_list *entry);
 void dp_list_destroy(struct desync_profile_list_head *head);
 bool dp_list_have_autohostlist(struct desync_profile_list_head *head);
+void dp_init(struct desync_profile *dp);
+bool dp_fake_defaults(struct desync_profile *dp);
+void dp_clear(struct desync_profile *dp);

 struct params_s
 {
-#ifndef __OpenBSD__
+#if !defined( __OpenBSD__) && !defined(__ANDROID__)
 	wordexp_t wexp; // for file based config
 #endif

@ -143,3 +178,4 @@ int DLOG_ERR(const char *format, ...);
 int DLOG_PERROR(const char *s);
 int DLOG_CONDUP(const char *format, ...);
 int HOSTLIST_DEBUGLOG_APPEND(const char *format, ...);
+void hexdump_limited_dlog(const uint8_t *data, size_t size, size_t limit);
--- a/nfq/pools.c
+++ b/nfq/pools.c
@ -31,6 +31,9 @@
 		free(elem); \
 		return false; \
 	}
+#define ADD_HOSTLIST_POOL(etype, ppool, keystr, keystr_len, flg) \
+	ADD_STR_POOL(etype,ppool,keystr,keystr_len); \
+	elem->flags = flg;


 #undef uthash_nonfatal_oom
@ -42,27 +45,31 @@ static void ut_oom_recover(void *elem)
 }

 // for not zero terminated strings
-bool StrPoolAddStrLen(strpool **pp, const char *s, size_t slen)
+bool HostlistPoolAddStrLen(hostlist_pool **pp, const char *s, size_t slen, uint32_t flags)
 {
-	ADD_STR_POOL(strpool, pp, s, slen)
+	ADD_HOSTLIST_POOL(hostlist_pool, pp, s, slen, flags)
 	return true;
 }
 // for zero terminated strings
-bool StrPoolAddStr(strpool **pp, const char *s)
+bool HostlistPoolAddStr(hostlist_pool **pp, const char *s, uint32_t flags)
 {
-	return StrPoolAddStrLen(pp, s, strlen(s));
+	return HostlistPoolAddStrLen(pp, s, strlen(s), flags);
 }

-bool StrPoolCheckStr(strpool *p, const char *s)
+hostlist_pool *HostlistPoolGetStr(hostlist_pool *p, const char *s)
 {
-	strpool *elem;
+	hostlist_pool *elem;
 	HASH_FIND_STR(p, s, elem);
-	return elem != NULL;
+	return elem;
+}
+bool HostlistPoolCheckStr(hostlist_pool *p, const char *s)
+{
+	return !!HostlistPoolGetStr(p,s);
 }

-void StrPoolDestroy(strpool **pp)
+void HostlistPoolDestroy(hostlist_pool **pp)
 {
-	DESTROY_STR_POOL(strpool, pp)
+	DESTROY_STR_POOL(hostlist_pool, pp)
 }


@ -139,7 +146,7 @@ bool strlist_add(struct str_list_head *head, const char *filename)
 }
 static void strlist_entry_destroy(struct str_list *entry)
 {
-	if (entry->str)	free(entry->str);
+	free(entry->str);
 	free(entry);
 }
 void strlist_destroy(struct str_list_head *head)
@ -154,18 +161,22 @@ void strlist_destroy(struct str_list_head *head)



-
 struct hostlist_file *hostlist_files_add(struct hostlist_files_head *head, const char *filename)
 {
 	struct hostlist_file *entry = malloc(sizeof(struct hostlist_file));
 	if (entry)
+	{
+		if (filename)
 		{
 			if (!(entry->filename = strdup(filename)))
 			{
 				free(entry);
 				return false;
 			}
-		entry->mod_time=0;
+		}
+		else
+			entry->filename = NULL;
+		FILE_MOD_RESET(&entry->mod_sig);
 		entry->hostlist = NULL;
 		LIST_INSERT_HEAD(head, entry, next);
 	}
@ -173,8 +184,8 @@ struct hostlist_file *hostlist_files_add(struct hostlist_files_head *head, const
 }
 static void hostlist_files_entry_destroy(struct hostlist_file *entry)
 {
-	if (entry->filename) free(entry->filename);
-	StrPoolDestroy(&entry->hostlist);
+	free(entry->filename);
+	HostlistPoolDestroy(&entry->hostlist);
 	free(entry);
 }
 void hostlist_files_destroy(struct hostlist_files_head *head)
@ -192,11 +203,18 @@ struct hostlist_file *hostlist_files_search(struct hostlist_files_head *head, co

 	LIST_FOREACH(hfile, head, next)
 	{
-		if (!strcmp(hfile->filename,filename))
+		if (hfile->filename && !strcmp(hfile->filename,filename))
 			return hfile;
 	}
 	return NULL;
 }
+void hostlist_files_reset_modtime(struct hostlist_files_head *list)
+{
+	struct hostlist_file *hfile;
+
+	LIST_FOREACH(hfile, list, next)
+		FILE_MOD_RESET(&hfile->mod_sig);
+}

 struct hostlist_item *hostlist_collection_add(struct hostlist_collection_head *head, struct hostlist_file *hfile)
 {
@ -223,7 +241,7 @@ struct hostlist_item *hostlist_collection_search(struct hostlist_collection_head

 	LIST_FOREACH(item, head, next)
 	{
-		if (!strcmp(item->hfile->filename,filename))
+		if (item->hfile->filename && !strcmp(item->hfile->filename,filename))
 			return item;
 	}
 	return NULL;
@ -368,13 +386,18 @@ struct ipset_file *ipset_files_add(struct ipset_files_head *head, const char *fi
 {
 	struct ipset_file *entry = malloc(sizeof(struct ipset_file));
 	if (entry)
+	{
+		if (filename)
 		{
 			if (!(entry->filename = strdup(filename)))
 			{
 				free(entry);
 				return false;
 			}
-		entry->mod_time=0;
+		}
+		else
+			entry->filename = NULL;
+		FILE_MOD_RESET(&entry->mod_sig);
 		memset(&entry->ipset,0,sizeof(entry->ipset));
 		LIST_INSERT_HEAD(head, entry, next);
 	}
@ -382,7 +405,7 @@ struct ipset_file *ipset_files_add(struct ipset_files_head *head, const char *fi
 }
 static void ipset_files_entry_destroy(struct ipset_file *entry)
 {
-	if (entry->filename) free(entry->filename);
+	free(entry->filename);
 	ipsetDestroy(&entry->ipset);
 	free(entry);
 }
@ -401,11 +424,18 @@ struct ipset_file *ipset_files_search(struct ipset_files_head *head, const char

 	LIST_FOREACH(hfile, head, next)
 	{
-		if (!strcmp(hfile->filename,filename))
+		if (hfile->filename && !strcmp(hfile->filename,filename))
 			return hfile;
 	}
 	return NULL;
 }
+void ipset_files_reset_modtime(struct ipset_files_head *list)
+{
+	struct ipset_file *hfile;
+
+	LIST_FOREACH(hfile, list, next)
+		FILE_MOD_RESET(&hfile->mod_sig);
+}

 struct ipset_item *ipset_collection_add(struct ipset_collection_head *head, struct ipset_file *hfile)
 {
@ -432,7 +462,7 @@ struct ipset_item *ipset_collection_search(struct ipset_collection_head *head, c

 	LIST_FOREACH(item, head, next)
 	{
-		if (!strcmp(item->hfile->filename,filename))
+		if (item->hfile->filename && !strcmp(item->hfile->filename,filename))
 			return item;
 	}
 	return NULL;
@ -487,3 +517,65 @@ bool port_filters_deny_if_empty(struct port_filters_head *head)
 	if (LIST_FIRST(head)) return true;
 	return pf_parse("0",&pf) && port_filter_add(head,&pf);
 }
+
+
+		
+struct blob_item *blob_collection_add(struct blob_collection_head *head)
+{
+	struct blob_item *entry = calloc(1,sizeof(struct blob_item));
+	if (entry)
+	{
+		// insert to the end
+		struct blob_item *itemc,*iteml=LIST_FIRST(head);
+		if (iteml)
+		{
+			while ((itemc=LIST_NEXT(iteml,next))) iteml = itemc;
+			LIST_INSERT_AFTER(iteml, entry, next);
+		}
+		else
+			LIST_INSERT_HEAD(head, entry, next);
+	}
+	return entry;
+}
+struct blob_item *blob_collection_add_blob(struct blob_collection_head *head, const void *data, size_t size, size_t size_reserve)
+{
+	struct blob_item *entry = calloc(1,sizeof(struct blob_item));
+	if (!entry) return NULL;
+	if (!(entry->data = malloc(size+size_reserve))) 
+	{
+		free(entry);
+		return NULL;
+	}
+	if (data) memcpy(entry->data,data,size);
+	entry->size = size;
+	entry->size_buf = size+size_reserve;
+	
+	// insert to the end
+	struct blob_item *itemc,*iteml=LIST_FIRST(head);
+	if (iteml)
+	{
+		while ((itemc=LIST_NEXT(iteml,next))) iteml = itemc;
+		LIST_INSERT_AFTER(iteml, entry, next);
+	}
+	else
+		LIST_INSERT_HEAD(head, entry, next);
+
+	return entry;
+}
+
+void blob_collection_destroy(struct blob_collection_head *head)
+{
+	struct blob_item *entry;
+	while ((entry = LIST_FIRST(head)))
+	{
+		LIST_REMOVE(entry, next);
+		free(entry->extra);
+		free(entry->extra2);
+		free(entry->data);
+		free(entry);
+	}
+}
+bool blob_collection_empty(const struct blob_collection_head *head)
+{
+	return !LIST_FIRST(head);
+}
--- a/Show More
+++ b/Show More