From 48e4d3a6e7307a9e5d9973ce55b88bee446a85c7 Mon Sep 17 00:00:00 2001
From: bol-van
Date: Tue, 10 Feb 2026 12:34:47 +0300
Subject: [PATCH] init.d: optimize ipt dports

---
 common/ipt.sh | 43 ++++++++++++++++++++++---------------------
 1 file changed, 22 insertions(+), 21 deletions(-)

diff --git a/common/ipt.sh b/common/ipt.sh
index fdb02c2..9e4ddc2 100644
--- a/common/ipt.sh
+++ b/common/ipt.sh
@@ -247,30 +247,29 @@ ipt_do_nfqws_in_out()
 # $1 - 1 - add, 0 - del
 # $2 - tcp,udp
 # $3 - ports
- # $4 - PKT_OUT. special value : 'keepalive'
- # $5 - PKT_IN
- local f4 f6 first_packets_only ipset
+ # $4 - PKT. special value : 'keepalive'
+ # $5 - 1 - out, 0 - in
+ # $6 - ipset base name
+ local f f4 f6 first_packets_only ipset
 [ -n "$3" ] || return
- ipset=${IPSET_PORTS_NAME}_$2
+ ipset="${6}_$2"
 [ "$4" = keepalive ] && ipset="${ipset}_k"
- [ "$1" = 1 ] && {
- ipt_port_ipset $ipset "$3" || return
- }
+ [ "$1" = 1 ] && ipt_port_ipset $ipset "$3"
 [ -n "$4" -a "$4" != 0 ] && {
 first_packets_only="$(ipt_first_packets $4)"
- f4="-p $2 -m set --match-set $ipset dst $first_packets_only"
+ f4="-p $2 -m set --match-set $ipset"
+ if [ "$5" = 1 ]; then
+ f4="$f4 dst"
+ f=fw_nfqws_post
+ else
+ f4="$f4 src"
+ f=fw_reverse_nfqws_rule
+ fi
+ f4="$f4 $first_packets_only"
 f6=$f4
 filter_apply_ipset_target f4 f6
- fw_nfqws_post $1 "$f4" "$f6" $QNUM
- }
- [ -n "$5" -a "$5" != 0 ] &&
- {
- first_packets_only="$(ipt_first_packets $5)"
- f4="-p $2 -m set --match-set $ipset dst $first_packets_only"
- f6=$f4
- filter_apply_ipset_target f4 f6
- fw_reverse_nfqws_rule $1 "$f4" "$f6" $QNUM
+ $f $1 "$f4" "$f6" $QNUM
 }
 [ "$1" = 1 ] || ipset -q destroy $ipset
 }
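Review bot: The `|| return` that followed `ipt_port_ipset $ipset "$3"` is gone from the add path, so a failed set creation or port load no longer stops the function and the rule is still issued with `--match-set $ipset` against a set that may not exist. If this was dropped on purpose because the caller now invokes this function twice per protocol with the same base name (out, then in) and `ipt_port_ipset` refuses an existing set, say so with a comment like `# set may already exist from the other direction's call`; otherwise restore `[ "$1" = 1 ] && { ipt_port_ipset $ipset "$3" || return; }`. On the delete path the same pairing means the first call runs `ipset -q destroy` while the other direction's rules presumably still reference the set, so that destroy is expected to fail quietly and only the second call's destroy takes effect — a one-line comment there would stop `-q` reading as a mask for unrelated errors. The function's signature and opening brace precede the hunk.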
@@ -280,10 +279,12 @@ zapret_do_firewall_standard_nfqws_rules_ipt()
 # $1 - 1 - add, 0 - del
 
 [ "$NFQWS2_ENABLE" = 1 ] && {
- ipt_do_nfqws_in_out $1 tcp "$NFQWS2_PORTS_TCP" "$NFQWS2_TCP_PKT_OUT" "$NFQWS2_TCP_PKT_IN"
- ipt_do_nfqws_in_out $1 tcp "$NFQWS2_PORTS_TCP_KEEPALIVE" keepalive "$NFQWS2_TCP_PKT_IN"
- ipt_do_nfqws_in_out $1 udp "$NFQWS2_PORTS_UDP" "$NFQWS2_UDP_PKT_OUT" "$NFQWS2_UDP_PKT_IN"
- ipt_do_nfqws_in_out $1 udp "$NFQWS2_PORTS_UDP_KEEPALIVE" keepalive "$NFQWS2_UDP_PKT_IN"
+ ipt_do_nfqws_in_out $1 tcp "$NFQWS2_PORTS_TCP" "$NFQWS2_TCP_PKT_OUT" 1 $IPSET_PORTS_NAME
+ ipt_do_nfqws_in_out $1 tcp "$NFQWS2_PORTS_TCP" "$NFQWS2_TCP_PKT_IN" 0 $IPSET_PORTS_NAME
+ ipt_do_nfqws_in_out $1 tcp "$NFQWS2_PORTS_TCP_KEEPALIVE" keepalive 1 $IPSET_PORTS_NAME
+ ipt_do_nfqws_in_out $1 udp "$NFQWS2_PORTS_UDP" "$NFQWS2_UDP_PKT_OUT" 1 $IPSET_PORTS_NAME
+ ipt_do_nfqws_in_out $1 udp "$NFQWS2_PORTS_UDP" "$NFQWS2_UDP_PKT_IN" 0 $IPSET_PORTS_NAME
+ ipt_do_nfqws_in_out $1 udp "$NFQWS2_PORTS_UDP_KEEPALIVE" keepalive 1 $IPSET_PORTS_NAME
 }
 }
 zapret_do_firewall_standard_rules_ipt()
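Review bot: The keepalive lines now request only the out direction (`keepalive 1`), whereas the removed lines passed `keepalive "$NFQWS2_TCP_PKT_IN"` / `keepalive "$NFQWS2_UDP_PKT_IN"`, which in the old function also installed the reverse rule on the `_k` set via its `$5` block; with the new signature `$4` selects both the `_k` set and the packet count, so an in-direction keepalive call would have to pass `keepalive` as the count too. If dropping the reverse keepalive rule is intended, a comment on those two lines such as `# keepalive ports: outgoing direction only` would make that explicit; if not, the in-direction counterpart is missing for both protocols. Separately, `$IPSET_PORTS_NAME` is the one argument here left unquoted while the neighbouring port and count arguments are quoted; an empty value would make the callee build a set named `_tcp`/`_udp`, so `"$IPSET_PORTS_NAME"` keeps the style consistent and the argument position stable. The function's signature and opening brace precede the hunk.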