diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c3574a9..eb48cef 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -147,7 +147,7 @@ jobs:
           for i in libmnl libnfnetlink libnetfilter_queue ; do
             (
               cd $i-*
-              CFLAGS="-Os -flto=auto $CFLAGS" \
+              CFLAGS="-Os -flto=auto -ffunction-sections -fdata-sections -fvisibility=hidden $CFLAGS" \
               ./configure --prefix= --host=$TARGET --enable-static --disable-shared --disable-dependency-tracking
               make install -j$(nproc) DESTDIR=$DEPS_DIR
             )
diff --git a/nfq2/gzip.c b/nfq2/gzip.c
index 58a2f7b..98401f6 100644
--- a/nfq2/gzip.c
+++ b/nfq2/gzip.c
@@ -15,6 +15,7 @@ int z_readfile(FILE *F, char **buf, size_t *size, size_t extra_alloc)
 	unsigned char in[ZCHUNK];
 	size_t bufsize;
 	void *newbuf;
+	size_t rd;
 
 	memset(&zs, 0, sizeof(zs));
 
@@ -26,18 +27,18 @@ int z_readfile(FILE *F, char **buf, size_t *size, size_t extra_alloc)
 
 	do
 	{
-		zs.avail_in = fread_safe(in, 1, sizeof(in), F);
-		if (ferror(F))
+		if (!fread_safe(in, 1, sizeof(in), F, &rd))
 		{
 			r = Z_ERRNO;
 			goto zerr;
 		}
-		if (!zs.avail_in)
+		if (!rd)
 		{
 			// file is not full
 			r = Z_DATA_ERROR;
 			goto zerr;
 		}
+		zs.avail_in = rd;
 		zs.next_in = in;
 		do
 		{
@@ -79,7 +80,7 @@ zerr:
 bool is_gzip(FILE* F)
 {
 	unsigned char magic[2];
-	bool b = !fseek(F, 0, SEEK_SET) && fread_safe(magic, 1, 2, F) == 2 && magic[0] == 0x1F && magic[1] == 0x8B;
+	bool b = !fseek(F, 0, SEEK_SET) && fread(magic, 1, 2, F) == 2 && magic[0] == 0x1F && magic[1] == 0x8B;
 	fseek(F, 0, SEEK_SET);
 	return b;
 }
diff --git a/nfq2/helpers.c b/nfq2/helpers.c
index 1b7beab..86b35c7 100644
--- a/nfq2/helpers.c
+++ b/nfq2/helpers.c
@@ -120,8 +120,7 @@ bool load_file(const char *filename, off_t offset, void *buffer, size_t *buffer_
 		}
 	}
 
-	*buffer_size = fread_safe(buffer, 1, *buffer_size, F);
-	if (ferror(F))
+	if (!fread_safe(buffer, 1, *buffer_size, F, buffer_size))
 	{
 		fclose(F);
 		return false;
@@ -512,21 +511,31 @@ ssize_t read_intr(int fd, void *buf, size_t count)
 	return rd;
 }
 
-size_t fread_safe(void *ptr, size_t size, size_t nmemb, FILE *F)
+bool fread_safe(void *ptr, size_t size, size_t nmemb, FILE *F, size_t *rd)
 {
-	size_t result, total_read = 0;
+	size_t result, to_read, total_read = 0;
 	while (total_read < nmemb)
 	{
-		total_read += (result = fread((uint8_t*)ptr + (total_read * size), size, nmemb - total_read, F));
-		if (result < (nmemb - total_read))
+		to_read = nmemb - total_read;
+		errno = 0;
+		total_read += (result = fread((uint8_t*)ptr + (total_read * size), size, to_read, F));
+		if (result < to_read)
 		{
-			if (errno == EINTR)
-				clearerr(F);
-			else
-				break;
+			if (ferror(F))
+			{
+				if (errno == EINTR)
+				{
+					clearerr(F);
+					continue;
+				}
+				*rd = total_read;
+				return false;
+			}
+			break;
 		}
 	}
-	return total_read;
+	*rd = total_read;
+	return true;
 }
 char* fgets_safe(char *s, int size, FILE *stream)
 {
@@ -534,6 +543,7 @@ char* fgets_safe(char *s, int size, FILE *stream)
 
 	while (true)
 	{
+		errno = 0;
 		if ((result = fgets(s, size, stream))) return result;
 		if (ferror(stream))
 		{
diff --git a/nfq2/helpers.h b/nfq2/helpers.h
index e01d0c3..2d29490 100644
--- a/nfq2/helpers.h
+++ b/nfq2/helpers.h
@@ -34,7 +34,7 @@ const char *strncasestr(const char *s,const char *find, size_t slen);
 bool is_identifier(const char *p);
 
 ssize_t read_intr(int fd, void *buf, size_t count);
-size_t fread_safe(void *ptr, size_t size, size_t nmemb, FILE *F);
+bool fread_safe(void *ptr, size_t size, size_t nmemb, FILE *F, size_t *rd);
 char* fgets_safe(char *s, int size, FILE *stream);
 
 bool load_file(const char *filename, off_t offset, void *buffer, size_t *buffer_size);