From 2ddfe55d9a3584aa85de36474141540797a4ee2d Mon Sep 17 00:00:00 2001
From: bol-van <none@none.none>
Date: Mon, 2 Feb 2026 10:58:48 +0300
Subject: [PATCH] AI inspired fixes

---
 docs/manual.en.md   | 12 +++++-------
 docs/manual.md      | 10 ++++------
 lua/zapret-lib.lua  | 10 +++++-----
 lua/zapret-pcap.lua |  2 +-
 nfq2/desync.c       |  6 +++---
 nfq2/protocol.c     |  7 ++++---
 6 files changed, 22 insertions(+), 25 deletions(-)

diff --git a/docs/manual.en.md b/docs/manual.en.md
index ea15acd..99be43a 100644
--- a/docs/manual.en.md
+++ b/docs/manual.en.md
@@ -1034,7 +1034,7 @@ Direct file operations from Lua code are not recommended unless absolutely neces
 
 These come in three types: `--payload`, `--in-range`, and `--out-range`. Filter values remain active from the moment they are specified until the next override.
 
-- `--payload=type1[,type2][,type2]...` accepts a comma-separated list of known [payloads](#protocol-detection), "all", or "known". The default is `--payload=all`.
+- `--payload=type1[,type2][,type3]...` accepts a comma-separated list of known [payloads](#protocol-detection), "all", or "known". The default is `--payload=all`.
 - `--(in-range|out-range)=[(n|a|d|s|p)<int>](-|<)[(n|a|d|s|p)<int>]` sets conntrack counter ranges for inbound and outbound directions. The default is `--in-range=x`, `--out-range=a`.
 
 Ranges are specified in the following formats: `mX-mY`, `mX<mY`, `-mY`, `<mY`, `mX-`, where `m` is the counter mode, `X` is the lower bound, and `Y` is the upper bound. Modes `x` and `a` are specified as a single letter without a range or counter value. The `-` sign indicates an inclusive upper bound, while `<` indicates an exclusive one.
@@ -1061,7 +1061,7 @@ The following example demonstrates a setup where we attempt to use specific "fak
 
 ```
 --filter-tcp=80,443 --filter-l7=http,tls
---out-range=-s34228 and
+--out-range=-s34228
 --in-range=-s5556 --lua-desync=circular
 --in-range=x
 --payload=tls_client_hello
@@ -1344,8 +1344,6 @@ desync
 | func_instance | string | instance name | derived from the function name, instance number, and profile number |
 | profile_n | number | profile number | |
 | profile_name | string | profile name | optional |
-| template_n | number | number of the template the profile is based on | optional |
-| template_name | string | name of the template the profile is based on | optional |
 | cookie | string | value of the nfqws2 --cookie parameter for the profile | optional |
 | outgoing | bool | true if the direction is outgoing | |
 | ifin | string | incoming interface name | optional |
@@ -1449,7 +1447,7 @@ All multi-byte numeric values are automatically converted from network byte orde
 | th_dport | destination port                                                                                              |
 | th_x2    | reserved field; used for extended TCP flags                                                                   |
 | th_off   | TCP header size in 4-byte blocks                                                                              |
-| th_flags | TCP flags: TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_FIN, TH_URG, TH_ECE, TH_CWR                             |
+| th_flags | TCP flags: TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG, TH_ECE, TH_CWR                                    |
 | th_seq   | sequence number                                                                                               |
 | th_ack   | acknowledgement number                                                                                        |
 | th_win   | TCP window size                                                                                               |
@@ -1621,12 +1619,12 @@ Before executing `--lua-init`, the C code sets up base constants, blobs, and C f
 | IPV6_FLOWLABEL_MASK | number | flow label in ip6_flow | 0x000FFFFF |
 | IPV6_FLOWINFO_MASK | number | flow label and traffic class in ip6_flow | 0x0FFFFFFF  |
 | IPPROTO_IP<br>IPPROTO_IPV6<br>IPPROTO_ICMP<br>IPPROTO_ICMPV6<br>IPPROTO_TCP<br>IPPROTO_UDP<br>IPPROTO_SCTP<br>IPPROTO_HOPOPTS<br>IPPROTO_ROUTING<br>IPPROTO_FRAGMENT<br>IPPROTO_AH<br>IPPROTO_ESP<br>IPPROTO_DSTOPTS<br>IPPROTO_MH<br>IPPROTO_HIP<br>IPPROTO_SHIM6<br>IPPROTO_NONE | number | [IP protocol numbers](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml) | used in IPv4 and IPv6 |
-| ICMP_ECHOREPLY<br>ICMP_DEST_UNREACH<br>ICMP_REDIRECT<br>ICMP_ECHO<br>ICMP_TIME_EXCEEDED<brICMP_PARAMETERPROB<br>ICMP_TIMESTAMP<br>ICMP_TIMESTAMPREPLY<br>ICMP_INFO_REQUEST<br>ICMP_INFO_REPLY | number | [icmp types](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml) |
+| ICMP_ECHOREPLY<br>ICMP_DEST_UNREACH<br>ICMP_REDIRECT<br>ICMP_ECHO<br>ICMP_TIME_EXCEEDED<br>ICMP_PARAMETERPROB<br>ICMP_TIMESTAMP<br>ICMP_TIMESTAMPREPLY<br>ICMP_INFO_REQUEST<br>ICMP_INFO_REPLY | number | [icmp types](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml) |
 | ICMP_UNREACH_NET<br>ICMP_UNREACH_HOST<br>ICMP_UNREACH_PROTOCOL<br>ICMP_UNREACH_PORT<br>ICMP_UNREACH_NEEDFRAG<br>ICMP_UNREACH_SRCFAIL<br>ICMP_UNREACH_NET_UNKNOWN<br>ICMP_UNREACH_HOST_UNKNOWN<br>ICMP_UNREACH_NET_PROHIB<br>ICMP_UNREACH_HOST_PROHIB<br>ICMP_UNREACH_TOSNET<br>ICMP_UNREACH_TOSHOST<br>ICMP_UNREACH_FILTER_PROHIB<br>ICMP_UNREACH_HOST_PRECEDENCE<br>ICMP_UNREACH_PRECEDENCE_CUTOFF | number | icmp codes for destination unreachable |
 | ICMP_REDIRECT_NET<br>ICMP_REDIRECT_HOST<br>ICMP_REDIRECT_TOSNET<br>ICMP_REDIRECT_TOSHOST | number | icmp codes for redirect |
 | ICMP_TIMXCEED_INTRANS<br>ICMP_TIMXCEED_REASS | number | icmp codes for time exceeded |
 | ICMP6_ECHO_REQUEST<br>ICMP6_ECHO_REPLY<br>ICMP6_DST_UNREACH<br>ICMP6_PACKET_TOO_BIG<br>ICMP6_TIME_EXCEEDED<br>ICMP6_PARAM_PROB<br>MLD_LISTENER_QUERY<br>MLD_LISTENER_REPORT<br>MLD_LISTENER_REDUCTION<br>ND_ROUTER_SOLICIT<br>ND_ROUTER_ADVERT<br>ND_NEIGHBOR_SOLICIT<br>ND_NEIGHBOR_ADVERT<br>ND_REDIRECT | number | [icmpv6 types](https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml) |
-| ICMP6_DST_UNREACH_NOROUTE<br>ICMP6_DST_UNREACH_ADMIN<br>ICMP6_DST_UNREACH_BEYONDSCOPE<br>ICMP6_DST_UNREACH_ADDR<br>ICMP6_DST_UNREACH_NOPORT | number | коды icmpv6 для destination unreachable |
+| ICMP6_DST_UNREACH_NOROUTE<br>ICMP6_DST_UNREACH_ADMIN<br>ICMP6_DST_UNREACH_BEYONDSCOPE<br>ICMP6_DST_UNREACH_ADDR<br>ICMP6_DST_UNREACH_NOPORT | number | icmpv6 codes for destination unreachable |
 | ICMP6_TIME_EXCEED_TRANSIT<br>ICMP6_TIME_EXCEED_REASSEMBLY | number | icmpv6 codes for time exceeded |
 | ICMP6_PARAMPROB_HEADER<br>ICMP6_PARAMPROB_NEXTHEADER<br>ICMP6_PARAMPROB_OPTION | number | icmpv6 codes for parameter problem |
 
diff --git a/docs/manual.md b/docs/manual.md
index b47df04..ff7d235 100644
--- a/docs/manual.md
+++ b/docs/manual.md
@@ -1164,7 +1164,7 @@ Lua код выполняется с ограниченными правами,
 Они бывают трех видов - `--payload`, `--in-range`, `--out-range`.
 Значения фильтров действуют с момента их указания до следующего переопределения.
 
-- `--payload=type1[,type2][,type2]...` принимает список известных пейлоадов через зяпятую, "all" или "known". [Список известных пейлоадов](#распознавание-протоколов). По умолчанию `--payload=all`.
+- `--payload=type1[,type2][,type3]...` принимает список известных пейлоадов через зяпятую, "all" или "known". [Список известных пейлоадов](#распознавание-протоколов). По умолчанию `--payload=all`.
 - `--(in-range|out-range)=[(n|a|d|s|p)<int>](-|<)[(n|a|d|s|p)<int>]` задает диапазоны счетчиков conntrack по входящему и исходящему направлениям. По умолчанию `--in-range=x`, `--out-range=a`.
 
 Диапазоны задаются в формах : `mX-mY`, `mX<mY`, `-mY`, `<mY`, `mX-`, где m - режим счетчика, X - нижнее значение, Y - верхнее значение.
@@ -1196,7 +1196,7 @@ nfqws2 следит за превышением верхней границы с
 
 ```
 --filter-tcp=80,443 --filter-l7=http,tls
---out-range=-s34228 and
+--out-range=-s34228
 --in-range=-s5556 --lua-desync=circular
 --in-range=x
 --payload=tls_client_hello
@@ -1486,8 +1486,6 @@ desync
 | func_instance      | string | название инстанса                                                                            | производная имени функции, номера инстанса и номера профиля |
 | profile_n          | number | номер профиля                                                                                |                                                             |
 | profile_name       | string | название профиля                                                                             | может отсутствовать                                         |
-| template_n         | number | номер шаблона, на базе которого создан профиль                                               | может отсутствовать                                         |
-| template_name      | string | название шаблона, на базе которого создан профиль                                            | может отсутствовать                                         |
 | cookie             | string | значение параметра nfqws2 --cookie для профиля                                               | может отсутствовать                                         |
 | outgoing           | bool   | true , если направление исходящее                                                            |                                                             |
 | ifin               | string | имя входящего интерфейса                                                                     | может отсутствовать                                         |
@@ -1591,7 +1589,7 @@ ipv6 extension headers и tcp options представляются в форме
 | th_dport | порт приемника                                                                                                |
 | th_x2    | зарезервированное поле. используется для расширенных tcp flags                                                |
 | th_off   | размер tcp хедера в блоках по 4 байта                                                                         |
-| th_flags | tcp флаги : TH_FIN,TH_SYN,TH_RST,TH_PUSH,TH_ACK,TH_FIN,TH_URG,TH_ECE,TH_CWR                                   |
+| th_flags | tcp флаги : TH_FIN,TH_SYN,TH_RST,TH_PUSH,TH_ACK,TH_URG,TH_ECE,TH_CWR                                          |
 | th_seq   | sequence number                                                                                               |
 | th_ack   | acknowledgement number                                                                                        |
 | th_win   | размер tcp окна                                                                                               |
@@ -1766,7 +1764,7 @@ desync.track всегда отсутствует.
 | IPV6_FLOWLABEL_MASK  | number | flow label в ip6_flow                                                                            | 0x000FFFFF                                          |
 | IPV6_FLOWINFO_MASK  | number | flow label, traffic class в ip6_flow                                                             | 0x0FFFFFFF                                          |
 | IPPROTO_IP<br>IPPROTO_IPV6<br>IPPROTO_IPIP<br>IPPROTO_ICMP<br>IPPROTO_ICMPV6<br>IPPROTO_TCP<br>IPPROTO_UDP<br>IPPROTO_SCTP<br>IPPROTO_HOPOPTS<br>IPPROTO_ROUTING<br>IPPROTO_FRAGMENT<br>IPPROTO_AH<br>IPPROTO_ESP<br>IPPROTO_DSTOPTS<br>IPPROTO_MH<br>IPPROTO_HIP<br>IPPROTO_SHIM6<br>IPPROTO_NONE | number | [номера IP протоколов](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml) | используются в ipv4 и ipv6                          |
-| ICMP_ECHOREPLY<br>ICMP_DEST_UNREACH<br>ICMP_REDIRECT<br>ICMP_ECHO<br>ICMP_TIME_EXCEEDED<brICMP_PARAMETERPROB<br>ICMP_TIMESTAMP<br>ICMP_TIMESTAMPREPLY<br>ICMP_INFO_REQUEST<br>ICMP_INFO_REPLY | number | [типы icmp](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml) |
+| ICMP_ECHOREPLY<br>ICMP_DEST_UNREACH<br>ICMP_REDIRECT<br>ICMP_ECHO<br>ICMP_TIME_EXCEEDED<br>ICMP_PARAMETERPROB<br>ICMP_TIMESTAMP<br>ICMP_TIMESTAMPREPLY<br>ICMP_INFO_REQUEST<br>ICMP_INFO_REPLY | number | [типы icmp](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml) |
 | ICMP_UNREACH_NET<br>ICMP_UNREACH_HOST<br>ICMP_UNREACH_PROTOCOL<br>ICMP_UNREACH_PORT<br>ICMP_UNREACH_NEEDFRAG<br>ICMP_UNREACH_SRCFAIL<br>ICMP_UNREACH_NET_UNKNOWN<br>ICMP_UNREACH_HOST_UNKNOWN<br>ICMP_UNREACH_NET_PROHIB<br>ICMP_UNREACH_HOST_PROHIB<br>ICMP_UNREACH_TOSNET<br>ICMP_UNREACH_TOSHOST<br>ICMP_UNREACH_FILTER_PROHIB<br>ICMP_UNREACH_HOST_PRECEDENCE<br>ICMP_UNREACH_PRECEDENCE_CUTOFF | number | коды icmp для destination unreachable |
 | ICMP_REDIRECT_NET<br>ICMP_REDIRECT_HOST<br>ICMP_REDIRECT_TOSNET<br>ICMP_REDIRECT_TOSHOST | number | коды icmp для icmp redirect |
 | ICMP_TIMXCEED_INTRANS<br>ICMP_TIMXCEED_REASS | number | коды icmp для time exceeded |
diff --git a/lua/zapret-lib.lua b/lua/zapret-lib.lua
index a8bfba0..6d6fc5b 100644
--- a/lua/zapret-lib.lua
+++ b/lua/zapret-lib.lua
@@ -1539,7 +1539,7 @@ end
 
 -- checks if filename is gzip compressed
 function is_gzip_file(filename)
-	local f, err = io.open(filename, "r")
+	local f, err = io.open(filename, "rb")
 	if not f then
 		error("is_gzip_file: "..err)
 	end
@@ -1550,7 +1550,7 @@ end
 -- ungzip file to raw string
 -- expected_ratio = uncompressed_size/compressed_size (default 4)
 function gunzip_file(filename, expected_ratio, read_block_size)
-	local f, err = io.open(filename, "r")
+	local f, err = io.open(filename, "rb")
 	if not f then
 		error("gunzip_file: "..err)
 	end
@@ -1590,7 +1590,7 @@ end
 -- level : 1..9 (default 9)
 -- memlevel : 1..8 (default 8)
 function gzip_file(filename, data, expected_ratio, level, memlevel, compress_block_size)
-	local f, err = io.open(filename, "w")
+	local f, err = io.open(filename, "wb")
 	if not f then
 		error("gzip_file: "..err)
 	end
@@ -1619,7 +1619,7 @@ function gzip_file(filename, data, expected_ratio, level, memlevel, compress_blo
 end
 -- reads the whole file
 function readfile(filename)
-	local f, err = io.open(filename, "r")
+	local f, err = io.open(filename, "rb")
 	if not f then
 		error("readfile: "..err)
 	end
@@ -1637,7 +1637,7 @@ function z_readfile(filename, expected_ratio)
 end
 -- write data to filename
 function writefile(filename, data)
-	local f, err = io.open(filename, "w")
+	local f, err = io.open(filename, "wb")
 	if not f then
 		error("writefile: "..err)
 	end
diff --git a/lua/zapret-pcap.lua b/lua/zapret-pcap.lua
index 5419169..2a10efc 100644
--- a/lua/zapret-pcap.lua
+++ b/lua/zapret-pcap.lua
@@ -30,7 +30,7 @@ function pcap(ctx, desync)
 			os.remove(_G[fn_cache_name])
 		end
 	end
-	local f = io.open(_G[fn_cache_name], "a")
+	local f = io.open(_G[fn_cache_name], "ab")
 	if not f then
 		error("pcap: could not write to '".._G[fn_cache_name].."'")
 	end
diff --git a/nfq2/desync.c b/nfq2/desync.c
index 1686dd6..eb07dac 100644
--- a/nfq2/desync.c
+++ b/nfq2/desync.c
@@ -1644,6 +1644,7 @@ static const uint8_t *dns_extract_name(const uint8_t *a, const uint8_t *b, const
 
 	if (bptr)
 	{
+		if (a>=e) return NULL;
 		// name pointer
 		off = (*a & 0x3F)<<8 | a[1];
 		p = b + off;
@@ -1929,14 +1930,13 @@ static uint8_t dpi_desync_icmp_packet(
 	if (pkt_attached)
 	{
 		struct dissect adis;
-
 		len_attached = pkt_attached - dis->data_payload + dis->len_payload;
 		proto_dissect_l3l4(pkt_attached, len_attached, &adis, true); // dissect without payload length checks - can be partial
-		if (!dis->ip && !dis->ip6)
+		if (!adis.ip && !adis.ip6)
 			DLOG("attached packet is invalid\n");
 		else
 		{
-			l7payload = dis->ip ? L7P_IPV4 : L7P_IPV6;
+			l7payload = adis.ip ? L7P_IPV4 : L7P_IPV6;
 			DLOG("attached packet\n");
 			packet_debug(false, &adis);
 			if (ConntrackPoolDoubleSearch(&params.conntrack, &adis, &ctrack, &bReverse))
diff --git a/nfq2/protocol.c b/nfq2/protocol.c
index 3c4c889..a202a12 100644
--- a/nfq2/protocol.c
+++ b/nfq2/protocol.c
@@ -1337,7 +1337,7 @@ bool IsQUICInitial(const uint8_t *data, size_t len)
 	// quic v2 : initial packets are 01b
 	if ((data[0] & 0x30) != (is_quic_v2(ver) ? 0x10 : 0x00)) return false;
 
-	uint64_t offset=5, sz;
+	uint64_t offset=5, sz, sz2;
 
 	// DCID
 	if (data[offset] > QUIC_MAX_CID_LENGTH) return false;
@@ -1353,9 +1353,10 @@ bool IsQUICInitial(const uint8_t *data, size_t len)
 	if (offset >= len) return false;
 
 	// payload length
-	if ((offset + tvb_get_size(data[offset])) > len) return false;
+	sz2 = tvb_get_size(data[offset]);
+	if ((offset + sz2) > len) return false;
 	tvb_get_varint(data + offset, &sz);
-	offset += sz;
+	offset += sz2 + sz;
 	if (offset > len) return false;
 
 	return true;