github: remove sdiv crash on old armv7

winws2: remove .buildid section
winws2: update res bins
2026-03-14 06:13:09 +00:00 · 2026-03-12 20:51:57 +03:00 · 2026-03-12 17:40:11 +03:00 · 2026-03-12 17:31:02 +03:00 · 2026-03-06 21:36:09 +03:00 · 2026-03-06 10:58:05 +03:00
59 changed files with 950 additions and 458 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -25,7 +25,7 @@ jobs:
          - arch: arm64
            tool: aarch64-unknown-linux-musl
          - arch: arm
-            tool: arm-unknown-linux-musleabi
+            tool: armv6-unknown-linux-musleabi
          - arch: mips64
            tool: mips64-unknown-linux-musl
          - arch: mipselsf
@@ -88,6 +88,8 @@ jobs:
          LUAJIT_LUAVER: 5.1
          MINSIZE: -flto=auto -ffunction-sections -fdata-sections
          LDMINSIZE: -Wl,--gc-sections -flto=auto
+          #current toolchain's musl is not PIC.  will be broken by upx
+          #PIC: -fpic
        run: |
          DEPS_DIR=$GITHUB_WORKSPACE/deps
          export CC="$TARGET-gcc"
@@ -97,19 +99,28 @@ jobs:
          export STRIP=$TARGET-strip
          export PKG_CONFIG_PATH=$DEPS_DIR/lib/pkgconfig
          export STAGING_DIR=$RUNNER_TEMP
-          if [ "$ARCH" = lexra ]; then
-            OPTIMIZE=-Os
-          else
-            OPTIMIZE=-Oz
-          fi
+          OPTIMIZE=-Oz
+          SYSMALLOC=-DLUAJIT_USE_SYSMALLOC
+          case "$ARCH" in
+            lexra)
+              OPTIMIZE=-Os
+              ;;
+            arm)
+              CPU="-mcpu=arm1176jzf-s -mthumb"
+              ;;
+            arm64|mips64)
+              # not safe without GC64
+              SYSMALLOC=
+              ;;
+          esac
          MINSIZE="$OPTIMIZE $MINSIZE"

-          if [[ "$ARCH" == lexra ]] || [[ "$ARCH" == ppc ]] || [[ "$ARCH" == riscv64 ]] || [[ "$ARCH" == x86 ]] ; then
+          if [[ "$ARCH" == lexra ]] || [[ "$ARCH" == riscv64 ]] || [[ "$ARCH" == x86 ]] ; then
            # use classic lua
            wget -qO- https://www.lua.org/ftp/lua-${LUA_RELEASE}.tar.gz | tar -xz
            (
              cd lua-${LUA_RELEASE}
-              make CC=$CC AR="$AR rc" CFLAGS="$MINSIZE $CFLAGS" LDFLAGS="$LDMINSIZE $LDFLAGS" linux -j$(nproc)
+              make CC=$CC AR="$AR rc" CFLAGS="$CPU $MINSIZE $CFLAGS" LDFLAGS="$LDMINSIZE $LDFLAGS" linux -j$(nproc)
              make install INSTALL_TOP=$DEPS_DIR INSTALL_BIN=$DEPS_DIR/bin INSTALL_INC=$DEPS_DIR/include/lua${LUA_VER} INSTALL_LIB=$DEPS_DIR/lib
            )
            LJIT=0
@@ -125,9 +136,10 @@ jobs:
              *)
                HOSTCC="cc -m32"
            esac
+            echo ARCH=$ARCH SYSMALLOC=$SYSMALLOC
            (
              cd luajit2-*
-              make BUILDMODE=static XCFLAGS=-DLUAJIT_DISABLE_FFI HOST_CC="$HOSTCC" CROSS= CC="$CC" TARGET_AR="$AR rcus" TARGET_STRIP=$STRIP TARGET_CFLAGS="$MINSIZE $CFLAGS" TARGET_LDFLAGS="$LDMINSIZE $LDFLAGS" -j$(nproc)
+              make BUILDMODE=static XCFLAGS="$SYSMALLOC -DLUAJIT_DISABLE_FFI" HOST_CC="$HOSTCC" CROSS= CC="$CC" TARGET_AR="$AR rcus" TARGET_STRIP=$STRIP TARGET_CFLAGS="$CPU $MINSIZE $CFLAGS" TARGET_LDFLAGS="$CPU $LDMINSIZE $LDFLAGS" -j$(nproc)
              make install PREFIX= DESTDIR=$DEPS_DIR
            )
            LJIT=1
@@ -143,7 +155,7 @@ jobs:
          for i in libmnl libnfnetlink libnetfilter_queue ; do
            (
              cd $i-*
-              CFLAGS="$MINSIZE $CFLAGS" \
+              CFLAGS="$CPU $MINSIZE $CFLAGS" \
              LDFLAGS="$LDMINSIZE $LDFLAGS" \
              ./configure --prefix= --host=$TARGET --enable-static --disable-shared --disable-dependency-tracking
              make install -j$(nproc) DESTDIR=$DEPS_DIR
@@ -156,7 +168,7 @@ jobs:
            xargs -I{} wget -qO- https://github.com/madler/zlib/archive/refs/tags/{}.tar.gz | tar -xz
          (
            cd zlib-*
-            CFLAGS="$MINSIZE $CFLAGS" \
+            CFLAGS="$CPU $MINSIZE $CFLAGS" \
            ./configure --prefix= --static
            make install -j$(nproc) DESTDIR=$DEPS_DIR
          )
@@ -168,9 +180,9 @@ jobs:

          # zapret2
          OPTIMIZE=$OPTIMIZE \
-          CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }} -static-libgcc -static -I$DEPS_DIR/include $CFLAGS" \
+          CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }} -static-libgcc -I$DEPS_DIR/include $CPU $CFLAGS" \
          LDFLAGS="-L$DEPS_DIR/lib $LDFLAGS" \
-          make -C zapret2 LUA_JIT=$LJIT LUA_CFLAGS="$LCFLAGS" LUA_LIB="$LLIB" -j$(nproc)
+          make -C zapret2 CFLAGS_PIC= LDFLAGS_PIE=-static LUA_JIT=$LJIT LUA_CFLAGS="$LCFLAGS" LUA_LIB="$LLIB" -j$(nproc)

          tar -C zapret2/binaries/my -cJf zapret2-linux-$ARCH.tar.xz .

@@ -230,6 +242,17 @@ jobs:
          export RANLIB=$TOOLCHAIN/bin/llvm-ranlib
          export STRIP=$TOOLCHAIN/bin/llvm-strip
          export PKG_CONFIG_PATH=$DEPS_DIR/lib/pkgconfig
+          SYSMALLOC=-DLUAJIT_USE_SYSMALLOC
+          case "$ABI" in
+            armeabi-v7a)
+              CPU="-mthumb"
+              ;;
+            arm64-v8a)
+              # not safe without GC64
+              SYSMALLOC=
+              PAGESIZE="-Wl,-z,max-page-size=16384"
+              ;;
+          esac

          # luajit
          wget -qO- https://github.com/openresty/luajit2/archive/refs/tags/v${LUAJIT_RELEASE}.tar.gz | tar -xz
@@ -242,7 +265,7 @@ jobs:
          esac
          (
            cd luajit2-*
-            make BUILDMODE=static XCFLAGS=-DLUAJIT_DISABLE_FFI HOST_CC="$HOSTCC" CROSS= CC="$CC" TARGET_AR="$AR rcus" TARGET_STRIP=$STRIP TARGET_CFLAGS="$MINSIZE $CFLAGS" TARGET_LDFLAGS="$LDMINSIZE $LDFLAGS" -j$(nproc)
+            make BUILDMODE=static XCFLAGS="$SYSMALLOC -DLUAJIT_DISABLE_FFI" HOST_CC="$HOSTCC" CROSS= CC="$CC" TARGET_AR="$AR rcus" TARGET_STRIP=$STRIP TARGET_CFLAGS="$CPU $MINSIZE $CFLAGS" TARGET_LDFLAGS="$LDMINSIZE $LDFLAGS" -j$(nproc)
            make install PREFIX= DESTDIR=$DEPS_DIR
          )
          LJIT=1
@@ -258,7 +281,7 @@ jobs:
          for i in libmnl libnfnetlink libnetfilter_queue ; do
            (
              cd $i-*
-              CFLAGS="$MINSIZE -Wno-implicit-function-declaration $CFLAGS" \
+              CFLAGS="$CPU $MINSIZE -Wno-implicit-function-declaration $CFLAGS" \
              LDFLAGS="$LDMINSIZE $LDFLAGS" \
              ./configure --prefix= --host=$TARGET --enable-static --disable-shared --disable-dependency-tracking
              make install -j$(nproc) DESTDIR=$DEPS_DIR
@@ -267,8 +290,8 @@ jobs:
          done

          # zapret2
-          CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }} -I$DEPS_DIR/include" \
-          LDFLAGS="-L$DEPS_DIR/lib" \
+          CFLAGS="-DZAPRET_GH_VER=${{ github.ref_name }} -DZAPRET_GH_HASH=${{ github.sha }} -I$DEPS_DIR/include $CPU" \
+          LDFLAGS="-L$DEPS_DIR/lib $PAGESIZE" \
          make -C zapret2 LUA_JIT=$LJIT LUA_CFLAGS="$LCFLAGS" LUA_LIB="$LLIB" -j$(nproc) android

          # strip unwanted ELF sections to prevent warnings on old Android versions
@@ -314,15 +337,16 @@ jobs:
        env:
          TARGET: ${{ matrix.target }}
          ARCH: ${{ matrix.arch }}
+          PIC: -fpic
          CC: ${{ matrix.target }}-freebsd11-clang
-          MINSIZE: -Oz -flto=auto -ffunction-sections -fdata-sections
+          MINSIZE: -Os -flto=auto -ffunction-sections -fdata-sections
          LDMINSIZE: -Wl,--gc-sections -flto=auto
        run: |

          wget -qO- https://github.com/openresty/luajit2/archive/refs/tags/v${LUAJIT_RELEASE}.tar.gz | tar -xz
          (
            cd luajit2-*
-            make BUILDMODE=static XCFLAGS=-DLUAJIT_DISABLE_FFI HOST_CC=gcc CC=$CC TARGET_CFLAGS="$MINSIZE $CFLAGS" TARGET_LDFLAGS="$LDMINSIZE $LDFLAGS"
+            make BUILDMODE=static XCFLAGS="$PIC -DLUAJIT_USE_SYSMALLOC -DLUAJIT_DISABLE_FFI" HOST_CC=gcc CC=$CC TARGET_CFLAGS="$MINSIZE $CFLAGS $PIC" TARGET_LDFLAGS="$LDMINSIZE $LDFLAGS"
            make install PREFIX= DESTDIR=$DEPS_DIR
          )

@@ -435,7 +459,7 @@ jobs:
          wget -q https://github.com/openresty/luajit2/archive/refs/tags/v${LUAJIT_RELEASE}.tar.gz &&
          tar -xzf v${LUAJIT_RELEASE}.tar.gz &&
          rm -f v${LUAJIT_RELEASE}.tar.gz &&
-          make -C luajit2-${LUAJIT_RELEASE} BUILDMODE=static XCFLAGS="-DLUAJIT_DISABLE_FFI -ffat-lto-objects" TARGET_CFLAGS="$MINSIZE $CFLAGS" TARGET_LDFLAGS="$LDMINSIZE $LDFLAGS" &&
+          make -C luajit2-${LUAJIT_RELEASE} BUILDMODE=static XCFLAGS="-DLUAJIT_USE_SYSMALLOC -DLUAJIT_DISABLE_FFI -ffat-lto-objects" TARGET_CFLAGS="$MINSIZE $CFLAGS" TARGET_LDFLAGS="$LDMINSIZE $LDFLAGS" &&
          make -C luajit2-${LUAJIT_RELEASE} install

      - name: Build winws
@@ -458,6 +482,8 @@ jobs:
          cp -a -t output psmisc/psmisc-*.src/psmisc-*/inst/usr/bin/killall.exe /usr/bin/cygwin1.dll &&
          wget -O WinDivert.zip https://github.com/basil00/WinDivert/releases/download/v2.2.2/WinDivert-2.2.2-A.zip &&
          unzip -j WinDivert.zip "*/${DIR}/WinDivert.dll" "*/${DIR}/WinDivert${BITS}.sys" -d output &&
+          ( [ "$BITS" = 64 ] && rebase -b 0x205c00000 output/WinDivert.dll || true ) &&
+          peflags --dynamicbase=true --high-entropy-va=true output/WinDivert.dll &&
          zip zapret2-win-${{ matrix.arch }}.zip -j output/*

      - name: Upload artifacts
@@ -490,17 +516,28 @@ jobs:
          pattern: zapret2-*

      - name: Install upx
-        uses: crazy-max/ghaction-upx@v3
-        with:
-          install-only: true
-          version: v5.1.0
+        shell: bash
+        env:
+          VER_OLD: 4.2.4
+          VER_NEW: 5.1.0
+        run: |
+          # old upx works for old kernels like 2.6.26
+          # new upx crashes on ~<3.10 but required for riscv64
+          curl -Lo - https://github.com/upx/upx/releases/download/v$VER_OLD/upx-$VER_OLD-amd64_linux.tar.xz | tar -Jx upx-$VER_OLD-amd64_linux/upx
+          sudo cp upx-$VER_OLD-amd64_linux/upx /usr/local/bin/upx_old
+          curl -Lo - https://github.com/upx/upx/releases/download/v$VER_NEW/upx-$VER_NEW-amd64_linux.tar.xz | tar -Jx upx-$VER_NEW-amd64_linux/upx
+          sudo cp upx-$VER_NEW-amd64_linux/upx /usr/local/bin/upx_new
+          rm -r upx-$VER_OLD-amd64_linux/upx upx-$VER_NEW-amd64_linux/upx

      - name: Prepare binaries
        shell: bash
        run: |
          cd ${{ steps.bins.outputs.download-path }}
-          run_upx() {
-            upx --best --lzma $@ || true
+          run_upx_old() {
+            upx_old --best --lzma $@ || true
+          }
+          run_upx_new() {
+            upx_new --best --lzma $@ || true
          }
          run_dir() {
            for f in $dir/* ; do
@@ -508,8 +545,10 @@ jobs:
              case $f in
                *.tar.xz )
                  tar -C $dir -xvf $f && rm $f
-                  if [[ $dir =~ linux ]] && [[ $dir != *-linux-mips64 ]] && [[ $dir != *-linux-lexra ]]; then
-                    run_upx $dir/*
+                  if [[ $dir = *-linux-riscv64 ]]; then
+                    run_upx_new $dir/*
+                  elif [[ $dir =~ linux ]] && [[ $dir != *-linux-mips64 ]] && [[ $dir != *-linux-lexra ]]; then
+                    run_upx_old $dir/*
                  fi
                  ;;
                *.zip )
--- a/common/base.sh
+++ b/common/base.sh
@@ -438,6 +438,13 @@ has_bad_ws_options()
 		echo "Kernel ipsets should be used instead. Write custom scripts and filter IPs in kernel."
 		echo
 	}
+	contains "$1" "--ipset=$ZAPRET_BASE" || contains "$1" "--ipset-exclude=$ZAPRET_BASE" ||
+	contains "$1" "--hostlist=$ZAPRET_BASE" || contains "$1" "--hostlist-exclude=$ZAPRET_BASE" && {
+		echo
+		echo "WARNING !!! you store ipset or hostlist files inside '$ZAPRET_BASE'"
+		echo "It's not recommended. install_easy.sh will delete them during update."
+		echo
+	}
 	
 	return 1
 }
--- a/docs/changes.txt
+++ b/docs/changes.txt
@@ -249,6 +249,27 @@ v0.9.4
 * nfqws2: fixed wrong scale factor application to winsize
 * nfqws2: very old kernels compat

-v0.9.5
+v0.9.4.2

 * builder_linux: simple scripts to build static linux bins for any supported architecture
+* zapret-auto:  incompatible change.  cond_lua "code" parameter => "cond_code". to avoid collision with luaexec
+
+v0.9.4.3
+
+* nfqws2: fix broken wifi ssid update
+* github: revert to upx 4.2.4 for all archs except riscv64
+* zapret-lib: apply_fooling throws error if tcp_ts,tcp_seq,tcp_ack,ip_ttl,ip6_ttl,ip_autottl,ip6_autottl are empty or invalid
+
+0.9.4.4
+
+* winws2, dvtws2: ASLR
+* github, linux-builder: reduce arm executable size by 20% - move to armv7+thumb
+* init.d: warn if hostlist/ipset files are inside zapret2 root
+* zapret-lib: do not call apply_arg_prefix in apply_execution_plan - call it right before instance execute
+
+0.9.4.5
+
+* github: rollback to lj_alloc in luajit for arm64 and mips64
+* github: use 16K page size for android arm64 build
+* nfqws2: join fragments in quic CRYPTO reconstruction. allow intersections.
+
--- a/docs/compile/build_howto_unix.txt
+++ b/docs/compile/build_howto_unix.txt
@@ -1,11 +1,21 @@
-debian,ubuntu :
+* debian,ubuntu :

 apt install make gcc zlib1g-dev libcap-dev libnetfilter-queue-dev libmnl-dev libsystemd-dev libluajit2-5.1-dev
 make -C /opt/zapret2 systemd

-linux static :
+* linux static :
+
+need any x86_64 classic linux distribution
+tested on debian/ubuntu/fedora 2020+
+if your distro is very exotic, old or not glibc based you can debootstrap a modern debian/ubuntu system and chroot to it
+NOTE: it's not possible to build luajit in chroot under standard openwrt kernel. build process requires 32-bit x86 support, kernel is compiled without it.
+NOTE: toolchains are pre-compiled for x86_64 glibc. they can't run on arm or anything that is not x86_64.
+
+optionally review "common.inc" for Lua and LuaJIT versions
+
+debian/ubuntu: apt install curl xz-utils bzip2 unzip make gcc gcc-multilib libc6-dev libcap-dev pkg-config
+fedora: dnf install curl xz bzip2 unzip make gcc glibc-devel glibc-devel.i686 libcap-devel pkg-config

-need any x86_64 classic linux distribution with curl, unzip, make, gcc, gcc-multilib
 copy directory "builder-linux" somethere with enough free disk space (up to 2G for all toolchains)
 run "get_toolchains.sh"
 select architectures you need or "ALL"
@@ -15,9 +25,7 @@ get static musl bins from "binaries" folder
 "zapret2" is downloaded from github master branch. if you need specific version - download manually to "zapret2" dir
 i586 and riscv64 targets are built with classic PUC Lua

-optionally review "common.inc" for Lua and LuaJIT versions
-
-FreeBSD :
+* FreeBSD :

 pkg install pkgconf
 pkg search luajit-2
@@ -25,7 +33,7 @@ pkg search luajit-2
 pkg install luajit-2.1.0.20250728
 make -C /opt/zapret2

-OpenBSD :
+* OpenBSD :

 pkg_add luajit gmake
 gmake -C /opt/zapret2 bsd
--- a/docs/compile/builder-linux/build_deps.sh
+++ b/docs/compile/builder-linux/build_deps.sh
@@ -7,22 +7,22 @@ EXEDIR="$(cd "$EXEDIR"; pwd)"

 dl_deps()
 {
-	if [ -d "$DEPS" ]; then
-		dir_is_not_empty "$DEPS" && {
-			echo "deps dir is not empty. if you want to redownload - delete it."
-			return
-		}
-	else
-		mkdir "$DEPS"
-	fi
-	pushd "$DEPS"
-	curl -Lo - https://www.netfilter.org/pub/libnfnetlink/libnfnetlink-1.0.2.tar.bz2 | tar -xj
-	curl -Lo - https://www.netfilter.org/pub/libmnl/libmnl-1.0.5.tar.bz2 | tar -xj
-	curl -Lo - https://www.netfilter.org/pub/libnetfilter_queue/libnetfilter_queue-1.0.5.tar.bz2 | tar -xj
-	curl -Lo - https://zlib.net/zlib-1.3.1.tar.gz | tar -xz
-	curl -Lo - https://github.com/openresty/luajit2/archive/refs/tags/v${LUAJIT_RELEASE}.tar.gz | tar -xz
-	curl -Lo - https://www.lua.org/ftp/lua-${LUA_RELEASE}.tar.gz | tar -xz
-	popd
+	[ -d "$DEPS" ] || mkdir -p "$DEPS"
+	(
+	cd "$DEPS"
+	exists_dir libnfnetlink-* ||
+		curl -Lo - https://www.netfilter.org/pub/libnfnetlink/libnfnetlink-1.0.2.tar.bz2 | tar -xj || exit 5
+	exists_dir libmnl-* ||
+		curl -Lo - https://www.netfilter.org/pub/libmnl/libmnl-1.0.5.tar.bz2 | tar -xj || exit 5
+	exists_dir libnetfilter_queue-* ||
+		curl -Lo - https://www.netfilter.org/pub/libnetfilter_queue/libnetfilter_queue-1.0.5.tar.bz2 | tar -xj || exit 5
+	exists_dir zlib-* ||
+		curl -Lo - https://zlib.net/fossils/zlib-1.3.1.tar.gz | tar -xz || exit 5
+	exists_dir luajit2-* ||
+		curl -Lo - https://github.com/openresty/luajit2/archive/refs/tags/v${LUAJIT_RELEASE}.tar.gz | tar -xz || exit 5
+	exists_dir lua-* ||
+		curl -Lo - https://www.lua.org/ftp/lua-${LUA_RELEASE}.tar.gz | tar -xz || exit 5
+	)
 }

 build_netlink()
@@ -31,7 +31,7 @@ build_netlink()
 		(
 		cd $i-*
 		[ -f "Makefile" ] && make clean
-		CFLAGS="$MINSIZE $CFLAGS" \
+		CFLAGS="$OPTIMIZE $MINSIZE $CFLAGS" \
 		LDFLAGS="$LDMINSIZE $LDFLAGS" \
 		./configure --prefix= --host=$TARGET CC=$CC LD=$LD --enable-static --disable-shared --disable-dependency-tracking
 		make install -j$nproc DESTDIR=$STAGING_DIR
@@ -44,7 +44,7 @@ build_zlib()
 (
 cd zlib-*
 [ -f "Makefile" ] && make clean
-CFLAGS="$MINSIZE $CFLAGS" \
+CFLAGS="$OPTIMIZE $MINSIZE $CFLAGS" \
 LDFLAGS="$LDMINSIZE $LDFLAGS" \
 ./configure --prefix= --static
 make install -j$nproc DESTDIR=$STAGING_DIR
@@ -55,16 +55,27 @@ build_lua()
 (
 	cd lua-${LUA_RELEASE}
 	make clean
-	make CC="$CC" AR="$AR rc" CFLAGS="$MINSIZE $CFLAGS" LDFLAGS="$LDMINSIZE $LDFLAGS" linux -j$nproc
+	make CC="$CC" AR="$AR rc" CFLAGS="$OPTIMIZE $MINSIZE $CFLAGS" LDFLAGS="$LDMINSIZE $LDFLAGS" linux -j$nproc
 	make install INSTALL_TOP="$STAGING_DIR" INSTALL_BIN="$STAGING_DIR/bin" INSTALL_INC="$STAGING_DIR/include/lua${LUA_VER}" INSTALL_LIB="$STAGING_DIR/lib"
 )
 }
 build_luajit()
 {
+	local CFL="$CFLAGS"
+	local SYSMALLOC=
 (
 	cd luajit2-*
+	CFLAGS="-Os"
 	make clean
-	make BUILDMODE=static XCFLAGS=-DLUAJIT_DISABLE_FFI HOST_CC="$HOST_CC" CROSS= CC="$CC" TARGET_AR="$AR rcus" TARGET_STRIP=$STRIP TARGET_CFLAGS="$MINSIZE $CFLAGS" TARGET_LDFLAGS="$LDMINSIZE $LDFLAGS"
+	case $TARGET in
+		aarch64*|mips64*)
+			# sysmalloc can cause troubles without GC64. GC64 slows down by 10-15%. better not to use sysmalloc and leave lj_alloc.
+			;;
+		*)
+			# save some exe size
+			SYSMALLOC=-DLUAJIT_USE_SYSMALLOC
+	esac
+	make BUILDMODE=static XCFLAGS="$SYSMALLOC -DLUAJIT_DISABLE_FFI $CFLAGS_PIC" HOST_CC="$HOST_CC" CROSS= CC="$CC" TARGET_AR="$AR rcus" TARGET_STRIP=$STRIP TARGET_CFLAGS="$OPTIMIZE $MINSIZE $CFL" TARGET_LDFLAGS="$CPU $LDMINSIZE $LDFLAGS"
 	make install PREFIX= DESTDIR="$STAGING_DIR"
 )
 }
@@ -83,14 +94,19 @@ build_luajit_for_target()
 	}
 }

+check_prog curl tar gzip bzip2 sed make cc pkg-config
+check_h_files
 dl_deps
 check_toolchains
 ask_target

+CFLAGS_BASE="$CFLAGS"
 for t in $TGT; do
+        CFLAGS="$CFLAGS_BASE"
 	buildenv $t
+	CFLAGS="$CFLAGS $CFLAGS_PIC"
 	pushd "$DEPS"
-	bsd_files
+	install_h_files
 	build_netlink
 	build_zlib
 	build_lua
--- a/docs/compile/builder-linux/build_zapret1.sh
+++ b/docs/compile/builder-linux/build_zapret1.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+EXEDIR="$(dirname "$0")"
+EXEDIR="$(cd "$EXEDIR"; pwd)"
+
+. "$EXEDIR/common.inc"
+
+ZDIR="zapret"
+ZBASE="$EXEDIR"
+BRANCH=master
+ZURL=https://github.com/bol-van/zapret/archive/refs/heads/${BRANCH}.zip
+ZBIN="$EXEDIR/binaries"
+
+dl_zapret1()
+{
+	if [ -d "$ZBASE/$ZDIR" ]; then
+		dir_is_not_empty "$ZBASE/$ZDIR" && {
+			echo "zapret dir is not empty. if you want to redownload - delete it."
+			return
+		}
+		rmdir "$ZBASE/$ZDIR"
+	fi
+	(
+	cd "$ZBASE"
+	curl -Lo /tmp/zapret.zip "$ZURL"
+	unzip /tmp/zapret.zip
+	rm /tmp/zapret.zip
+	mv zapret-${BRANCH} $ZDIR
+	)
+}
+
+check_prog curl unzip make
+dl_zapret1
+check_toolchains
+ask_target
+
+[ -d "$ZBIN" ] || mkdir -p "$ZBIN"
+
+CFLAGS_BASE="$CFLAGS"
+for t in $TGT; do
+        CFLAGS="$CFLAGS_BASE $MINSIZE"
+	buildenv $t
+
+	translate_target $t || {
+		echo COULD NOT TRANSLATE TARGET $t TO BIN DIR
+		continue
+	}
+
+	pushd $ZBASE/$ZDIR
+
+	make clean
+	OPTIMIZE=$OPTIMIZE \
+	CFLAGS="-static-libgcc -I$STAGING_DIR/include $CFLAGS $CFLAGS_PIC" \
+	LDFLAGS="-L$STAGING_DIR/lib $LDMINSIZE $LDFLAGS_PIE $LDFLAGS" \
+	make
+
+	[ -d "$ZBIN/$ZBINTARGET" ] || mkdir "$ZBIN/$ZBINTARGET"
+	cp -f binaries/my/* "$ZBIN/$ZBINTARGET"
+
+	popd
+
+	buildenv_clear
+done
+
--- a/docs/compile/builder-linux/build_zapret2.sh
+++ b/docs/compile/builder-linux/build_zapret2.sh
@@ -20,60 +20,25 @@ dl_zapret2()
 		}
 		rmdir "$ZBASE/$ZDIR"
 	fi
-	pushd "$ZBASE"
+	(
+	cd "$ZBASE"
 	curl -Lo /tmp/zapret2.zip "$ZURL"
 	unzip /tmp/zapret2.zip
 	rm /tmp/zapret2.zip
 	mv zapret2-${BRANCH} $ZDIR
-	popd
-}
-
-translate_target()
-{
-	case $1 in
-		aarch64-unknown-linux-musl)
-			ZBINTARGET=linux-arm64
-			;;
-		arm-unknown-linux-musleabi)
-			ZBINTARGET=linux-arm
-			;;
-		x86_64-unknown-linux-musl)
-			ZBINTARGET=linux-x86_64
-			;;
-		i586-unknown-linux-musl)
-			ZBINTARGET=linux-x86
-			;;
-		mips-unknown-linux-muslsf)
-			ZBINTARGET=linux-mips
-			;;
-		mipsel-unknown-linux-muslsf)
-			ZBINTARGET=linux-mipsel
-			;;
-		mips64-unknown-linux-musl)
-			ZBINTARGET=linux-mips64
-			;;
-		mips64el-unknown-linux-musl)
-			ZBINTARGET=linux-mipsel64
-			;;
-		powerpc-unknown-linux-musl)
-			ZBINTARGET=linux-ppc
-			;;
-		riscv64-unknown-linux-musl)
-			ZBINTARGET=linux-riscv64
-			;;
-		*)
-			return 1
-	esac
-	return 0
+	)
 }

+check_prog curl unzip make
 dl_zapret2
 check_toolchains
 ask_target

 [ -d "$ZBIN" ] || mkdir -p "$ZBIN"

+CFLAGS_BASE="$CFLAGS"
 for t in $TGT; do
+        CFLAGS="$CFLAGS_BASE"
 	buildenv $t

 	translate_target $t || {
@@ -89,13 +54,16 @@ for t in $TGT; do
 	target_has_luajit $t && {
 		LUA_JIT=1
 		LCFLAGS="-I${STAGING_DIR}/include/luajit-${LUAJIT_VER}"
-		LLIB="-L${STAGING_DIR}/lib -lluajit-${LUAJIT_LUAVER}"
+		LLIB="-L${STAGING_DIR}/lib -lluajit-${LUAJIT_LUA_VER}"
 	}

-	OPTIMIZE=-Oz \
-	CFLAGS="-static-libgcc -static -I$STAGING_DIR/include $CFLAGS" \
-	LDFLAGS="-L$DEPS_DIR/lib $LDFLAGS" \
-	make LUA_JIT=$LJIT LUA_CFLAGS="$LCFLAGS" LUA_LIB="$LLIB"
+	make clean
+	LUA_JIT=$LUA_JIT LUA_VER=$LUA_VER LUAJIT_LUA_VER=$LUAJIT_LUA_VER \
+	OPTIMIZE=$OPTIMIZE \
+	MINSIZE=$MINSIZE \
+	CFLAGS="-static-libgcc -I$STAGING_DIR/include $CFLAGS" \
+	LDFLAGS="-L$STAGING_DIR/lib $LDFLAGS" \
+	make CFLAGS_PIC="$CFLAGS_PIC" LDFLAGS_PIE="$LDFLAGS_PIE" LUA_JIT=$LJIT LUA_CFLAGS="$LCFLAGS" LUA_LIB="$LLIB"

 	[ -d "$ZBIN/$ZBINTARGET" ] || mkdir "$ZBIN/$ZBINTARGET"
 	cp -f binaries/my/* "$ZBIN/$ZBINTARGET"
--- a/docs/compile/builder-linux/common.inc
+++ b/docs/compile/builder-linux/common.inc
@@ -4,21 +4,26 @@ EXEDIR="$(cd "$EXEDIR"; pwd)"
 TOOLCHAINS="$EXEDIR/toolchain"
 DEPS="$EXEDIR/deps"
 STAGE="$EXEDIR/staging"
-MINSIZE="-Oz -flto=auto -ffunction-sections -fdata-sections"
-LDMINSIZE="-Wl,--gc-sections -flto=auto"
-CFLAGS=""
-LDFLAGS="-lgcc_eh"
-HOSTCC=cc
-LUA_VER="5.5"
-LUA_RELEASE="5.5.0"
-LUAJIT_VER="2.1"
-LUAJIT_RELEASE="2.1-20250826"
-LUAJIT_LUAVER="5.1"
+OPTIMIZE=${OPTIMIZE:--Oz}
+#MINSIZE="${MINSIZE:--flto=auto -ffunction-sections -fdata-sections}"
+MINSIZE="${MINSIZE:--ffunction-sections -fdata-sections}"
+LDMINSIZE="${LDMINSIZE:--Wl,--gc-sections -flto=auto}"
+#CFLAGS=""
+LDFLAGS="-lgcc_eh $LDFLAGS"
+# PIE makes ASLR working but adds 5% to size
+# PIE does not work for arm32 and all mips
+PIE=${PIE:-0}
+HOSTCC=${HOSTCC:-cc}
+LUA_VER=${LUA_VER:-5.5}
+LUA_RELEASE=${LUA_RELEASE:-5.5.0}
+LUAJIT_VER=${LUAJIT_VER:-2.1}
+LUAJIT_RELEASE=${LUAJIT_RELEASE:-2.1-20250826}
+LUAJIT_LUA_VER=${LUAJIT_LUA_VER:-5.1}
 nproc=$(nproc)

 TARGETS="\
 aarch64-unknown-linux-musl \
-arm-unknown-linux-musleabi \
+armv6-unknown-linux-musleabi \
 i586-unknown-linux-musl \
 x86_64-unknown-linux-musl \
 mips-unknown-linux-muslsf \
@@ -33,7 +38,7 @@ target_has_luajit()
 {
 	case "$1" in
 		aarch64-unknown-linux-musl| \
-		arm-unknown-linux-musleabi| \
+		armv6-unknown-linux-musleabi| \
 		x86_64-unknown-linux-musl| \
 		mips-unknown-linux-muslsf| \
 		mips64-unknown-linux-musl| \
@@ -46,9 +51,26 @@ target_has_luajit()
 	return 1
 }

-bsd_files()
+REQD_H_FILES="/usr/include/sys/capability.h /usr/include/bits/libc-header-start.h"
+REQD_QUEUE_1="/usr/include/sys/queue.h"
+REQD_QUEUE_2="/usr/include/x86_64-linux-gnu/sys/queue.h"
+check_h_files()
 {
-	install -Dm644 -t $STAGING_DIR/include/sys /usr/include/x86_64-linux-gnu/sys/queue.h /usr/include/sys/capability.h
+	[ ! -f "$REQD_QUEUE_1" -a ! -f  "$REQD_QUEUE_2" ] && {
+		echo "could not find $REQD_QUEUE_1 or $REQD_QUEUE_2"
+		help_pkg
+		exit 10
+	}
+	check_file $REQD_H_FILES
+}
+install_h_files()
+{
+	if [ -f "$REQD_QUEUE_1" ]; then
+		install -Dm644 -t $STAGING_DIR/include/sys $REQD_QUEUE_1
+	elif [ -f "$REQD_QUEUE_2" ]; then
+		install -Dm644 -t $STAGING_DIR/include/sys $REQD_QUEUE_2
+	fi
+	install -Dm644 -t $STAGING_DIR/include/sys $REQD_H_FILES
 }

 buildenv()
@@ -71,13 +93,60 @@ buildenv()
 	export PKG_CONFIG_PATH=$STAGING_DIR/lib/pkgconfig
 	OLDPATH="$PATH"
 	export PATH="$PATH:$TOOLCHAINS/$TARGET/bin"
+
+	CPU=
+	CFLAGS_PIC=
+	LDFLAGS_PIE=-static
+	# not all archs support -static-pie. if does not support - it produces dynamic executable
+	# "-static -static-pie" causes segfaults
+	case $1 in
+		armv6-*)
+			CPU="-mthumb -msoft-float"
+			CFLAGS="$CPU $CFLAGS"
+			;;
+		mips*)
+			;;
+		*)
+			[ "$PIE" = 1 ] && {
+				CFLAGS_PIC=-fPIC
+				LDFLAGS_PIE="-static-pie"
+			}
+	esac
 }
+
 buildenv_clear()
 {
 	export PATH="$OLDPATH" TARGET= CC= LD= AR= NM= STRIP= STAGING_DIR= PKG_CONFIG_PATH=
 	OLDPATH=
 }

+which()
+{
+	# on some systems 'which' command is considered deprecated and not installed by default
+	# 'command -v' replacement does not work exactly the same way. it outputs shell aliases if present
+	# $1 - executable name
+	local IFS=:
+	[ "$1" != "${1#/}" ] && [ -x "$1" ] && {
+		echo "$1"
+		return 0
+	}
+	for p in $PATH; do
+	    [ -x "$p/$1" ] && {
+		echo "$p/$1"
+		return 0
+	    }
+	done
+	return 1
+}
+exists()
+{
+	which "$1" >/dev/null 2>/dev/null
+}
+exists_dir()
+{
+	# use $1, ignore other args
+	[ -d "$1" ]
+}

 dir_is_not_empty()
 {
@@ -168,3 +237,71 @@ check_toolchains()
 		exit 1
 	}
 }
+
+help_pkg()
+{
+	echo "debian/ubuntu: apt install curl xz-utils bzip2 unzip make gcc gcc-multilib libc6-dev libcap-dev pkg-config"
+	echo "fedora: dnf install curl xz bzip2 unzip make gcc glibc-devel glibc-devel.i686 libcap-devel pkg-config"
+}
+
+check_prog()
+{
+	while [ -n "$1" ]; do
+		exists $1 || {
+			echo $1 is not available
+			help_pkg
+			exit 10
+		}
+		shift
+	done
+}
+check_file()
+{
+	while [ -n "$1" ]; do
+		[ -f "$1" ] || {
+			echo $1 is not available
+			help_pkg
+			exit 10
+		}
+		shift
+	done
+}
+
+translate_target()
+{
+	case $1 in
+		aarch64-unknown-linux-musl)
+			ZBINTARGET=linux-arm64
+			;;
+		armv6-unknown-linux-musleabi)
+			ZBINTARGET=linux-arm
+			;;
+		x86_64-unknown-linux-musl)
+			ZBINTARGET=linux-x86_64
+			;;
+		i586-unknown-linux-musl)
+			ZBINTARGET=linux-x86
+			;;
+		mips-unknown-linux-muslsf)
+			ZBINTARGET=linux-mips
+			;;
+		mipsel-unknown-linux-muslsf)
+			ZBINTARGET=linux-mipsel
+			;;
+		mips64-unknown-linux-musl)
+			ZBINTARGET=linux-mips64
+			;;
+		mips64el-unknown-linux-musl)
+			ZBINTARGET=linux-mipsel64
+			;;
+		powerpc-unknown-linux-musl)
+			ZBINTARGET=linux-ppc
+			;;
+		riscv64-unknown-linux-musl)
+			ZBINTARGET=linux-riscv64
+			;;
+		*)
+			return 1
+	esac
+	return 0
+}
--- a/docs/compile/builder-linux/get_toolchains.sh
+++ b/docs/compile/builder-linux/get_toolchains.sh
@@ -7,13 +7,16 @@ EXEDIR="$(cd "$EXEDIR"; pwd)"

 BASEURL=https://github.com/bol-van/musl-cross/releases/download/latest

+check_prog curl tar xz
+
 [ -d "$TOOLCHAINS" ] || mkdir -p "$TOOLCHAINS"

 ask_target 1

-pushd "$TOOLCHAINS"
+(
+cd "$TOOLCHAINS"
 for t in $TGT; do
 	[ -d "$t" ] && rm -r "$t"
 	curl -Lo - "${BASEURL}/${t}.tar.xz" | tar -Jx
 done
-popd
+)
--- a/docs/manual.en.md
+++ b/docs/manual.en.md
@@ -3531,7 +3531,8 @@ Checks the [instance cutoff](#instance_cutoff) state for `desync.func_instance`
 function apply_arg_prefix(desync)
 ```

-Performs substitution of argument values from `desync.arg` that start with `%` and `#`.
+Performs substitution of argument values from `desync.arg` that start with `%`, `#`,  `\`.
+Multiple calls are safe but do not update desync.arg if blobs were changed.

 ### apply_execution_plan

@@ -3540,6 +3541,8 @@ function apply_execution_plan(desync, instance)
 ```

 Copies the instance identification and its arguments from an [execution plan](#execution_plan) `instance` into the desync object, thereby recreating the desync state as if the `instance` were called directly by C code.
+With one exception : apply_arg_prefix is not applied because args can refer a blob created by previous conditionally executed instances.
+
 The [execution plan](#execution_plan) is provided by the C function `execution_plan()` as an array of `instance` elements.

 ### verdict_aggregate
@@ -3554,11 +3557,17 @@ Aggregates verdicts v1 and v2. VERDICT_MODIFY overrides VERDICT_PASS, while VERD

 ```
 function plan_instance_execute(desync, verdict, instance)
+function plan_instance_execute_preapplied(desync, verdict, instance)
 ```

 Executes an [execution plan](#execution_plan) `instance`, taking into account the [instance cutoff](#instance_cutoff) and standard [payload](#in-profile-filters) and [range](#in-profile-filters) filters.
+Calls apply_arg_prefix right before calling the instance.
 Returns the aggregation of the current verdict and the `instance` verdict.

+The "preapplied" version does not apply execution plan, allowing the calling code to do so.
+Sometimes, to decide whether to call an instance, you need a desync table configured for the called instance.
+"preapplied" version allows to avoid double copying.
+
 ### plan_instance_pop

 ```
@@ -4473,7 +4482,8 @@ Returns `true` if the dissect is tcp and has tcp timestamp option.
 function cond_lua(desync)
 ```

-Executes a Lua code from the "code" argument. The code returns condition value. Direct addressing of the desync table is possible within the code.
+Executes a Lua code from the "cond_code" argument. The code returns condition value. Direct addressing of the desync table is possible within the code.
+desync.arg is passed without called "apply_arg_prefix" : `%`, `#`, `\` remain as is without substitution because can refer blobs created by previous conditionally executed instances.


 # Auxiliary programs
--- a/docs/manual.md
+++ b/docs/manual.md
@@ -3709,7 +3709,8 @@ function cutoff_shim_check(desync)
 function apply_arg_prefix(desync)
 ```

-Выполняет подстановку значений аргументов из desync.arg, начинающихся с `%` и `#`.
+Выполняет подстановку значений аргументов из desync.arg, начинающихся с `%` и `#`, `\`.
+Функция ставит специальную метку в desync.arg , чтобы избежать двойного разименования. Повторные вызовы безопасны, но не обновляют desync.arg при изменении блобов.

 ### apply_execution_plan

@@ -3719,6 +3720,8 @@ function apply_execution_plan(desync, instance)

 Копирует в desync идентификацию инстанса и его аргументы из элемента [execution plan](#execution_plan) `instance`,
 тем самым воссоздает состояние desync, как если бы `instance` был вызван напрямую C кодом.
+За одним исключением : apply_arg_prefix не применяется, поскольку может содержать несуществующие блоб, существование которого зависит от условного выполнения предыдущих истансов.
+
 [execution plan](#execution_plan) выдается C функцией `execution_plan()` как массив, элементами которого являются `instance`.

 ### verdict_aggregate
@@ -3733,11 +3736,17 @@ function verdict_aggregate(v1, v2)

 ```
 function plan_instance_execute(desync, verdict, instance)
+function plan_instance_execute_preapplied(desync, verdict, instance)
 ```

 Выполняет элемент [execution plan](#execution_plan) `instance` с учетом [instance cutoff](#instance_cutoff) и стандартных фильтров [payload](#внутрипрофильные-фильтры) и [range](#внутрипрофильные-фильтры).
+При совпадении условий непосредственно перед вызовом выполняет apply_arg_prefix.
 Возвращает агрегацию verdict и вердикта `instance`.

+Вариант "preapplied" не выполняет apply_execution_plan, позволяя это сделат вызывающему коду.
+Иногда для принятия решения вызывать ли instance требуется таблица desync, настроенная на вызываемый инстанс.
+Чтобы не делать apply дважды (там копирование desync.arg) и существует этот вариант.
+
 ### plan_instance_pop

 ```
@@ -4652,7 +4661,8 @@ function cond_tcp_ts(desync)
 function cond_lua(desync)
 ```

-Выполняет Lua код из аргумента "code". Код возвращает значение условия через return. Возможна прямая адресация таблицы desync.
+Выполняет Lua код из аргумента "cond_code". Код возвращает значение условия через return. Возможна прямая адресация таблицы desync.
+desync.arg передаются с НЕ разименованными `%`, `#`, `\`, поскольку разименование может ссылаться на блобы, создаваемые предыдущими условно вызываемыми инстансами.

 # Вспомогательные программы

--- a/docs/readme.md
+++ b/docs/readme.md
@@ -414,8 +414,8 @@ nfqws2 \
 ### Какие есть еще параметры

 Как узнать какие есть еще функции и какие у них бывают параметры ? Смотрите `zapret-antidpi.lua`. Перед каждой функцией подробно описано какие параметры она берет.
-Описание стандартных блоков параметров есть в начале. Позже - по мере сил и возможностей - будет писаться талмуд - справочник с руководством по программированию
-*nfqws2* и описание стандартных библиотек.
+Описание стандартных блоков параметров есть в начале. 
+Или сразу читайте [талмуд](manual.md) . Там все документировано.

 ### Очень важный совет

--- a/files/fake/quic2_example_com.bin
+++ b/files/fake/quic2_example_com.bin
--- a/files/fake/sip.bin
+++ b/files/fake/sip.bin
@@ -1,13 +0,0 @@
-REGISTER sip:192.168.1.1 SIP/2.0
-Via: SIP/2.0/UDP 192.168.1.2:42931;rport;branch=z9hG4bKPj3fd2e8713ffcd90c43f6ce69f6c98461
-Max-Forwards: 50
-From: <sip:703@192.168.1.1>;tag=ca565d7bd4e24a6d80c631d395ee117e
-To: <sip:703@192.168.1.1>
-Call-ID: dfec38302b8cea3d83c1452527c895c1
-CSeq: 26139 REGISTER
-User-Agent: MicroSIP/3.21.5
-Contact: <sip:703@192.168.1.2:42931;ob>
-Expires: 300
-Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
-Content-Length:  0
-
--- a/init.d/custom.d.examples.linux/40-webserver
+++ b/init.d/custom.d.examples.linux/40-webserver
@@ -2,8 +2,8 @@

 WEBSERVER_DEFAULT_STRATEGY="
 --server
--payload http_reply,tls_server_hello --lua-desync=fake:blob=0x00000000000000000000000000000000:badsum:repeats=2 --lua-desync=multisplit
--payload empty --lua-desync=synack_split"
+--payload=http_reply,tls_server_hello --lua-desync=fake:blob=0x00000000000000000000000000000000:badsum:repeats=2 --lua-desync=multisplit
+--payload=empty --lua-desync=synack_split"

 # can override in config :
 NFQWS_OPT_DESYNC_WEBSERVER="${NFQWS_OPT_DESYNC_WEBSERVER:-$WEBSERVER_DEFAULT_STRATEGY}"
--- a/init.d/custom.d.examples.linux/50-dht4all
+++ b/init.d/custom.d.examples.linux/50-dht4all
@@ -2,7 +2,7 @@
 # NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)

 # can override in config :
-NFQWS_OPT_DESYNC_DHT="${NFQWS_OPT_DESYNC_DHT:---payload dht --lua-desync=dht_dn}"
+NFQWS_OPT_DESYNC_DHT="${NFQWS_OPT_DESYNC_DHT:---payload=dht --lua-desync=dht_dn}"
 # set it to "keepalive" to fool all packets, not just the first. or set number of packets to be fooled.
 NFQWS_OPT_DHT_PKT_OUT=${NFQWS_OPT_DHT_PKT_OUT:-20}

--- a/init.d/custom.d.examples.linux/50-discord-media
+++ b/init.d/custom.d.examples.linux/50-discord-media
@@ -2,7 +2,7 @@
 # NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)

 # can override in config :
-NFQWS_OPT_DESYNC_DISCORD_MEDIA="${NFQWS_OPT_DESYNC_DISCORD_MEDIA:---payload discord_ip_discovery --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2}"
+NFQWS_OPT_DESYNC_DISCORD_MEDIA="${NFQWS_OPT_DESYNC_DISCORD_MEDIA:---payload=discord_ip_discovery --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2}"
 DISCORD_MEDIA_PORT_RANGE="${DISCORD_MEDIA_PORT_RANGE:-50000-50099}"

 alloc_dnum DNUM_DISCORD_MEDIA
--- a/init.d/custom.d.examples.linux/50-nfqws-ipset
+++ b/init.d/custom.d.examples.linux/50-nfqws-ipset
@@ -1,7 +1,7 @@
 # this custom script demonstrates how to launch extra nfqws instance limited by ipset

 # can override in config :
-NFQWS2_MY1_OPT="${NFQWS2_MY1_OPT:---filter-udp=* --payload known,unknown --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2:payload=all --new --filter-tcp=* --payload=known,unknown --lua-desync=multisplit}"
+NFQWS2_MY1_OPT="${NFQWS2_MY1_OPT:---filter-udp=* --payload=known,unknown --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2:payload=all --new --filter-tcp=* --payload=known,unknown --lua-desync=multisplit}"
 NFQWS2_MY1_SUBNETS4="${NFQWS2_MY1_SUBNETS4:-173.194.0.0/16 108.177.0.0/17 74.125.0.0/16 64.233.160.0/19 172.217.0.0/16}"
 NFQWS2_MY1_SUBNETS6="${NFQWS2_MY1_SUBNETS6:-2a00:1450::/29}"
 NFQWS2_MY1_PORTS_TCP=${NFQWS2_MY1_PORTS_TCP:-$NFQWS2_PORTS_TCP}
--- a/init.d/custom.d.examples.linux/50-quic4all
+++ b/init.d/custom.d.examples.linux/50-quic4all
@@ -2,7 +2,7 @@
 # NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)

 # can override in config :
-NFQWS_OPT_DESYNC_QUIC="${NFQWS_OPT_DESYNC_QUIC:---payload quic_initial --lua-desync=fake:blob=fake_default_quic:repeats=2}"
+NFQWS_OPT_DESYNC_QUIC="${NFQWS_OPT_DESYNC_QUIC:---payload=quic_initial --lua-desync=fake:blob=fake_default_quic:repeats=2}"

 alloc_dnum DNUM_QUIC4ALL
 alloc_qnum QNUM_QUIC4ALL
--- a/init.d/custom.d.examples.linux/50-stun4all
+++ b/init.d/custom.d.examples.linux/50-stun4all
@@ -2,7 +2,7 @@
 # NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)

 # can override in config :
-NFQWS_OPT_DESYNC_STUN="${NFQWS_OPT_DESYNC_STUN:---payload stun --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2}"
+NFQWS_OPT_DESYNC_STUN="${NFQWS_OPT_DESYNC_STUN:---payload=stun --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2}"

 alloc_dnum DNUM_STUN4ALL
 alloc_qnum QNUM_STUN4ALL
--- a/init.d/custom.d.examples.linux/50-wg4all
+++ b/init.d/custom.d.examples.linux/50-wg4all
@@ -3,7 +3,7 @@
 # NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)

 # can override in config :
-NFQWS_OPT_DESYNC_WG="${NFQWS_OPT_DESYNC_WG:---payload wireguard_initiation,wireguard_response,wireguard_cookie --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2}"
+NFQWS_OPT_DESYNC_WG="${NFQWS_OPT_DESYNC_WG:---payload=wireguard_initiation,wireguard_response,wireguard_cookie --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2}"

 alloc_dnum DNUM_WG4ALL
 alloc_qnum QNUM_WG4ALL
--- a/init.d/systemd/zapret2.service
+++ b/init.d/systemd/zapret2.service
@@ -7,7 +7,6 @@ Type=forking
 Restart=no
 TimeoutSec=30sec
 IgnoreSIGPIPE=no
-KillMode=none
 GuessMainPID=no
 RemainAfterExit=no
 ExecStart=/opt/zapret2/init.d/sysv/zapret2 start
--- a/install_bin.sh
+++ b/install_bin.sh
@@ -157,7 +157,7 @@ fi
 unset PKTWS
 case $UNAME in
 	Linux)
-		ARCHLIST="my linux-x86_64 linux-x86 linux-arm64 linux-arm linux-mips64 linux-mipsel linux-mips linux-lexra linux-ppc linux-riscv64"
+		ARCHLIST="my linux-x86_64 linux-x86 linux-arm64 linux-arm linux-mips64 linux-mipsel64 linux-mipsel linux-mips linux-lexra linux-ppc linux-riscv64"
 		PKTWS=nfqws2
 		;;
 	FreeBSD)
--- a/ip2net/Makefile
+++ b/ip2net/Makefile
@@ -1,8 +1,12 @@
 CC ?= cc
 OPTIMIZE ?= -Os
-CFLAGS += -std=gnu99 $(OPTIMIZE) -flto=auto
+CFLAGS_PIC = -fPIC
+CFLAGS += -std=gnu99 $(OPTIMIZE) -flto=auto $(CFLAGS_PIC)
 CFLAGS_BSD = -Wno-address-of-packed-member
 CFLAGS_WIN = -static
+LDFLAGS_PIE = -pie
+LDFLAGS +=  $(LDFLAGS_PIE)
+
 LIBS = 
 LIBS_WIN = -lws2_32
 SRC_FILES = ip2net.c qsort.c
--- a/lua/zapret-antidpi.lua
+++ b/lua/zapret-antidpi.lua
@@ -125,7 +125,7 @@ function http_domcase(ctx, desync)
 		local host_range = resolve_multi_pos(desync.dis.payload,desync.l7payload,"host,endhost")
 		if #host_range == 2 then
 			local host = string.sub(desync.dis.payload,host_range[1],host_range[2]-1)
-			local newhost="", i
+			local newhost=""
 			for i = 1, #host do
 				newhost=newhost..((i%2)==0 and string.lower(string.sub(host,i,i)) or string.upper(string.sub(host,i,i)))
 			end
@@ -221,7 +221,7 @@ function http_unixeol(ctx, desync)
 				if #http < #desync.dis.payload then
 					hdis.headers[idx_ua].value = hdis.headers[idx_ua].value .. string.rep(" ", #desync.dis.payload - #http)
 				end
-				local http = http_reconstruct_req(hdis, true)
+				http = http_reconstruct_req(hdis, true)
 				if #http==#desync.dis.payload then
 					desync.dis.payload = http
 					DLOG("http_unixeol: applied")
@@ -389,7 +389,8 @@ function syndata(ctx, desync)
 			dis.payload = blob(desync, desync.arg.blob, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
 			apply_fooling(desync, dis)
 			if desync.arg.tls_mod then
-				dis.payload = tls_mod_shim(desync, dis.payload, desync.arg.tls_mod, nil)
+				local pl = tls_mod_shim(desync, dis.payload, desync.arg.tls_mod, nil)
+				if pl then dis.payload = pl end
 			end
 			if b_debug then DLOG("syndata: "..hexdump_dlog(dis.payload)) end
 			if rawsend_dissect_ipfrag(dis, desync_opts(desync)) then
@@ -449,7 +450,8 @@ function fake(ctx, desync)
 			end
 			local fake_payload = blob(desync, desync.arg.blob)
 			if desync.reasm_data and desync.arg.tls_mod then
-				fake_payload = tls_mod_shim(desync, fake_payload, desync.arg.tls_mod, desync.reasm_data)
+				local pl = tls_mod_shim(desync, fake_payload, desync.arg.tls_mod, desync.reasm_data)
+				if pl then fake_payload = pl end
 			end
 			-- check debug to save CPU
 			if b_debug then DLOG("fake: "..hexdump_dlog(fake_payload)) end
@@ -729,14 +731,15 @@ function hostfakesplit(ctx, desync)
 				local midhost
 				if desync.arg.midhost then
 					midhost = resolve_pos(data,desync.l7payload,desync.arg.midhost)
-					if not midhost then
+					if midhost then
+						DLOG("hosfakesplit: midhost marker resolved to "..midhost)
+						if midhost<=pos[1] or midhost>pos[2] then
+							DLOG("hostfakesplit: midhost is not inside the host range")
+							midhost = nil
+						end
+					else
 						DLOG("hostfakesplit: cannot resolve midhost marker '"..desync.arg.midhost.."'")
 					end
-					DLOG("hosfakesplit: midhost marker resolved to "..midhost)
-					if midhost<=pos[1] or midhost>pos[2] then
-						DLOG("hostfakesplit: midhost is not inside the host range")
-						midhost = nil
-					end
 				end
 				-- if present apply ipfrag only to real host parts. fakes and parts outside of the host must be visible to DPI.
 				if midhost then
@@ -893,7 +896,7 @@ function fakedsplit(ctx, desync)
 					return desync.arg.nodrop and VERDICT_PASS or VERDICT_DROP
 				end
 			else
-				DLOG("fakedsplit: cannot resolve pos '"..desync.arg.pos.."'")
+				DLOG("fakedsplit: cannot resolve pos '"..spos.."'")
 			end
 		else
 			DLOG("fakedsplit: not acting on further replay pieces")
@@ -938,11 +941,11 @@ function fakeddisorder(ctx, desync)
 					if b_debug then DLOG("fakeddisorder: resolved split pos: "..tostring(pos-1)) end

 					-- do not apply fooling to original parts except tcp_ts_up but apply ip_id
-					local fake, part, pat
+					local fake, part
 					local opts_orig = {rawsend = rawsend_opts_base(desync), reconstruct = {}, ipfrag = {}, ipid = desync.arg, fooling = {tcp_ts_up = desync.arg.tcp_ts_up}}
 					local opts_fake = {rawsend = rawsend_opts(desync), reconstruct = reconstruct_opts(desync), ipfrag = {}, ipid = desync.arg, fooling = desync.arg}

-					fakepat = desync.arg.pattern and blob(desync,desync.arg.pattern) or "\x00"
+					local fakepat = desync.arg.pattern and blob(desync,desync.arg.pattern) or "\x00"

 					-- second fake
 					fake = pattern(fakepat,pos,#data-pos+1)
@@ -1008,7 +1011,7 @@ function fakeddisorder(ctx, desync)
 					return desync.arg.nodrop and VERDICT_PASS or VERDICT_DROP
 				end
 			else
-				DLOG("fakeddisorder: cannot resolve pos '"..desync.arg.pos.."'")
+				DLOG("fakeddisorder: cannot resolve pos '"..spos.."'")
 			end
 		else
 			DLOG("fakeddisorder: not acting on further replay pieces")
@@ -1209,8 +1212,8 @@ function udplen(ctx, desync)
 				else
 					desync.dis.payload = string.sub(desync.dis.payload,1,len+inc)
 					DLOG("udplen: "..len.." => "..#desync.dis.payload)
+					return VERDICT_MODIFY
 				end
-				return VERDICT_MODIFY
 			end
 		end
 	end
--- a/lua/zapret-auto.lua
+++ b/lua/zapret-auto.lua
@@ -313,7 +313,7 @@ function circular(ctx, desync)
 	local function count_strategies(hrec)
 		if not hrec.ctstrategy then
 			local uniq={}
-			local n=0
+			local n
 			for i,instance in pairs(desync.plan) do
 				if instance.arg.strategy then
 					n = tonumber(instance.arg.strategy)
@@ -411,19 +411,19 @@ function cond_tcp_has_ts(desync)
 end
 -- exec lua code in "code" arg and return it's result
 function cond_lua(desync)
-	if not desync.arg.code then
-		error("cond_lua: no 'code' parameter")
+	if not desync.arg.cond_code then
+		error("cond_lua: no 'cond_code' parameter")
 	end
-	local fname = desync.func_instance.."_cond_code"
+	local fname = desync.func_instance.."_cond_cond_code"
 	if not _G[fname] then
 		local err
-		_G[fname], err = load(desync.arg.code, fname)
+		_G[fname], err = load(desync.arg.cond_code, fname)
 		if not _G[fname] then
 			error(err)
 			return
 		end
 	end
-	-- allow dynamic code to access desync
+	-- allow dynamic cond_code to access desync
 	_G.desync = desync
 	local res, v = pcall(_G[fname])
 	_G.desync = nil
@@ -479,8 +479,10 @@ function per_instance_condition(ctx, desync)
 			if type(_G[instance.arg.cond])~="function" then
 				error("per_instance_condition: invalid 'iff' function '"..instance.arg.cond.."'")
 			end
+			-- preapply exec plan to feed cond function correct args
+			apply_execution_plan(desync, instance)
 			if logical_xor(_G[instance.arg.cond](desync), instance.arg.cond_neg) then
-				verdict = plan_instance_execute(desync, verdict, instance)
+				verdict = plan_instance_execute_preapplied(desync, verdict, instance)
 			else
 				DLOG("per_instance_condition: condition not satisfied. skipping '"..instance.func_instance.."'")
 			end
--- a/lua/zapret-lib.lua
+++ b/lua/zapret-lib.lua
@@ -96,12 +96,12 @@ function detect_payload_str(ctx, desync)
 		error("detect_payload_str: missing 'pattern'")
 	end
 	local data = desync.reasm_data or desync.dis.payload
-	local b = string.find(data,desync.arg.pattern,1,true)
+	local b = data and string.find(data,desync.arg.pattern,1,true)
 	if b then
-		DLOG("detect_payload_str: detected '"..desync.arg.payload.."'")
+		DLOG("detect_payload_str: detected '"..(desync.arg.payload or '?').."'")
 		if desync.arg.payload then desync.l7payload = desync.arg.payload end
 	else
-		DLOG("detect_payload_str: not detected '"..desync.arg.payload.."'")
+		DLOG("detect_payload_str: not detected '"..(desync.arg.payload or '?').."'")
 		if desync.arg.undetected then desync.l7payload = desync.arg.undetected end
 	end
 end
@@ -149,11 +149,13 @@ end

 -- applies # and $ prefixes. #var means var length, %var means var value
 function apply_arg_prefix(desync)
+	-- prevent double apply
+	if desync.arg.__prefix_applied then return end
 	for a,v in pairs(desync.arg) do
 		local c = string.sub(v,1,1)
 		if c=='#' then
 			local blb = blob(desync,string.sub(v,2))
-			desync.arg[a] = (type(blb)=='string' or type(blb)=='table') and #blb or 0
+			desync.arg[a] = tostring(type(blb)=='string' and #blb or 0)
 		elseif c=='%' then
 			desync.arg[a] = blob(desync,string.sub(v,2))
 		elseif c=='\\' then
@@ -163,6 +165,7 @@ function apply_arg_prefix(desync)
 			end
 		end
 	end
+	desync.arg.__prefix_applied = true
 end
 -- copy instance identification and args from execution plan to desync table
 -- NOTE : to not lose VERDICT_MODIFY dissect changes pass original desync table
@@ -173,7 +176,7 @@ function apply_execution_plan(desync, instance)
 	desync.func_n = instance.func_n
 	desync.func_instance = instance.func_instance
 	desync.arg = deepcopy(instance.arg)
-	apply_arg_prefix(desync)
+	-- no apply_arg_prefix here because it may refer non-existing blobs
 end
 -- produce resulting verdict from 2 verdicts
 function verdict_aggregate(v1, v2)
@@ -192,8 +195,7 @@ function verdict_aggregate(v1, v2)
 	end
 	return bitor(v,vn)
 end
-function plan_instance_execute(desync, verdict, instance)
-	apply_execution_plan(desync, instance)
+function plan_instance_execute_preapplied(desync, verdict, instance)
 	if cutoff_shim_check(desync) then
 		DLOG("plan_instance_execute: not calling '"..desync.func_instance.."' because of voluntary cutoff")
 	elseif not payload_match_filter(desync.l7payload, instance.payload_filter) then
@@ -201,11 +203,18 @@ function plan_instance_execute(desync, verdict, instance)
 	elseif not pos_check_range(desync, instance.range) then
 		DLOG("plan_instance_execute: not calling '"..desync.func_instance.."' because pos "..pos_str(desync,instance.range.from).." "..pos_str(desync,instance.range.to).." is out of range '"..pos_range_str(instance.range).."'")
 	else
+		-- condition is satisfied. here blobs must be referenced
+		apply_arg_prefix(desync)
+		desync.arg.__prefix_applied = nil
 		DLOG("plan_instance_execute: calling '"..desync.func_instance.."'")
 		verdict = verdict_aggregate(verdict,_G[instance.func](nil, desync))
 	end
 	return verdict
 end
+function plan_instance_execute(desync, verdict, instance)
+	apply_execution_plan(desync, instance)
+	return plan_instance_execute_preapplied(desync,verdict,instance)
+end
 function plan_instance_pop(desync)
 	return (desync.plan and #desync.plan>0) and table.remove(desync.plan, 1) or nil
 end
@@ -334,9 +343,8 @@ end

 -- convert array a to packed string using 'packer' function. only numeric indexes starting from 1, order preserved
 function barray(a, packer)
-	local sa={}
 	if a then
-		local s=""
+		local sa={}
 		for i=1,#a do
 			sa[i] = packer(a[i])
 		end
@@ -345,16 +353,16 @@ function barray(a, packer)
 end
 -- convert table a to packed string using 'packer' function. any indexes, any order
 function btable(a, packer)
-	local sa={}
 	if a then
-		local s=""
+		local sa={}
+		local i=1
 		for k,v in pairs(a) do
-			sa[k] = packer(v)
+			sa[i] = packer(v)
+			i=i+1
 		end
 		return table.concat(sa)
 	end
 end
-
 -- sequence comparision functions. they work only within 2G interval
 -- seq1>=seq2
 function seq_ge(seq1, seq2)
@@ -545,6 +553,7 @@ function blob(desync, name, def)
 				error("blob  '"..name.."' unavailable")
 			end
 		end
+		blob = tostring(blob)
 	end
 	return blob
 end
@@ -629,7 +638,7 @@ function tls_mod_shim(desync, blob, modlist, payload)
 		if not val then
 			error("tls_mod_shim: non-existent var '"..var.."'")
 		end
-		modlist = string.sub(modlist,1,p1+3)..val..string.sub(modlist,p2+1)
+		modlist = string.sub(modlist,1,p1+3)..tostring(val)..string.sub(modlist,p2+1)
 	end
 	return tls_mod(blob,modlist,payload)
 end
@@ -641,7 +650,7 @@ function parse_tcp_flags(s)
 	local s_upper = string.upper(s)
 	for flag in string.gmatch(s_upper, "[^,]+") do
 		if flags[flag] then
- 			f = bitor(f,flags[flag])
+			f = bitor(f,flags[flag])
 		else
 			error("tcp flag '"..flag.."' is invalid")
 		end
@@ -872,7 +881,11 @@ function apply_fooling(desync, dis, fooling_options)
 				if type(desync.track.lua_state.autottl_cache)~="table" then desync.track.lua_state.autottl_cache={} end
 				if type(desync.track.lua_state.autottl_cache[desync.func_instance])~="table" then desync.track.lua_state.autottl_cache[desync.func_instance]={} end
 				if not desync.track.lua_state.autottl_cache[desync.func_instance].autottl_found then
-					desync.track.lua_state.autottl_cache[desync.func_instance].autottl = autottl(desync.track.incoming_ttl,parse_autottl(arg_autottl))
+					local attl = parse_autottl(arg_autottl)
+					if not attl then
+						error("apply_fooling: invalid autottl value '"..arg_autottl.."'")
+					end
+					desync.track.lua_state.autottl_cache[desync.func_instance].autottl = autottl(desync.track.incoming_ttl,attl)
 					if desync.track.lua_state.autottl_cache[desync.func_instance].autottl then
 						desync.track.lua_state.autottl_cache[desync.func_instance].autottl_found = true
 							DLOG("apply_fooling: discovered autottl "..desync.track.lua_state.autottl_cache[desync.func_instance].autottl)
@@ -887,8 +900,11 @@ function apply_fooling(desync, dis, fooling_options)
 				DLOG("apply_fooling: cannot apply autottl because incoming ttl unknown")
 			end
 		end
-		if not ttl and tonumber(arg_ttl) then
+		if not ttl and arg_ttl then
 			ttl = tonumber(arg_ttl)
+			if not ttl or ttl<0 or ttl>255 then
+				error("apply_fooling: ip_ttl and ip6_ttl require valid value")
+			end
 		end
 		--io.stderr:write("TTL "..tostring(ttl).."\n")
 		return ttl
@@ -905,11 +921,19 @@ function apply_fooling(desync, dis, fooling_options)
 	-- use current packet if dissect not given
 	if not dis then dis = desync.dis end
 	if dis.tcp then
-		if tonumber(fooling_options.tcp_seq) then
-			dis.tcp.th_seq = u32add(dis.tcp.th_seq, fooling_options.tcp_seq)
+		if fooling_options.tcp_seq then
+			if tonumber(fooling_options.tcp_seq) then
+				dis.tcp.th_seq = u32add(dis.tcp.th_seq, fooling_options.tcp_seq)
+			else
+				error("apply_fooling: tcp_seq requires increment parameter. there's no default value.")
+			end
 		end
-		if tonumber(fooling_options.tcp_ack) then
-			dis.tcp.th_ack = u32add(dis.tcp.th_ack, fooling_options.tcp_ack)
+		if fooling_options.tcp_ack then
+			if tonumber(fooling_options.tcp_ack) then
+				dis.tcp.th_ack = u32add(dis.tcp.th_ack, fooling_options.tcp_ack)
+			else
+				error("apply_fooling: tcp_ack requires increment parameter. there's no default value.")
+			end
 		end
 		if fooling_options.tcp_flags_unset then
 			dis.tcp.th_flags = bitand(dis.tcp.th_flags, bitnot(parse_tcp_flags(fooling_options.tcp_flags_unset)))
@@ -924,12 +948,16 @@ function apply_fooling(desync, dis, fooling_options)
 				end
 			end
 		end
-		if tonumber(fooling_options.tcp_ts) then
-			local idx = find_tcp_option(dis.tcp.options,TCP_KIND_TS)
-			if idx and (dis.tcp.options[idx].data and #dis.tcp.options[idx].data or 0)==8 then
-				dis.tcp.options[idx].data = bu32(u32add(u32(dis.tcp.options[idx].data),fooling_options.tcp_ts))..string.sub(dis.tcp.options[idx].data,5)
+		if fooling_options.tcp_ts then
+			if tonumber(fooling_options.tcp_ts) then
+				local idx = find_tcp_option(dis.tcp.options,TCP_KIND_TS)
+				if idx and (dis.tcp.options[idx].data and #dis.tcp.options[idx].data or 0)==8 then
+					dis.tcp.options[idx].data = bu32(u32add(u32(dis.tcp.options[idx].data),fooling_options.tcp_ts))..string.sub(dis.tcp.options[idx].data,5)
+				else
+					DLOG("apply_fooling: timestamp tcp option not present or invalid")
+				end
 			else
-				DLOG("apply_fooling: timestamp tcp option not present or invalid")
+				error("apply_fooling: tcp_ts requires increment parameter. there's no default value.")
 			end
 		end
 		if fooling_options.tcp_md5 then
@@ -940,7 +968,7 @@ function apply_fooling(desync, dis, fooling_options)
 			end
 		end
 		if fooling_options.tcp_ts_up then
-			move_ts_top(dis.tcp.options)
+			move_ts_top()
 		end
 	end
 	if dis.ip6 then
@@ -1179,7 +1207,7 @@ function rawsend_dissect_segmented(desync, dis, mss, options)
 					-- stop if failed
 					return false
 				end
-				discopy.tcp.th_seq = discopy.tcp.th_seq + len
+				discopy.tcp.th_seq = u32add(discopy.tcp.th_seq, len)
 				pos = pos + len
 			end
 			return true
@@ -1544,11 +1572,11 @@ function tls_client_hello_mod(tls, options)
 			table.insert(tdis.handshake[TLS_HANDSHAKE_TYPE_CLIENT].dis.ext[idx_sni].dis.list, { name = options.sni_last, type = options.sni_snt_new } )
 		end
 	end
-	local tls = tls_reconstruct(tdis)
-	if not tls then
+	local rtls = tls_reconstruct(tdis)
+	if not rtls then
 		DLOG_ERR("tls_client_hello_mod: reconstruct error")
 	end
-	return tls
+	return rtls
 end

 -- checks if filename is gzip compressed
@@ -1615,9 +1643,9 @@ function gzip_file(filename, data, expected_ratio, level, memlevel, compress_blo
 	if not gz then
 		error("gzip_file: stream init error")
 	end
-	local off=1, block_size
+	local off=1
 	repeat
-		block_size = #data-off+1
+		local block_size = #data-off+1
 		if block_size>compress_block_size then block_size=compress_block_size end
 		local comp, eof = gzip_deflate(gz, string.sub(data,off,off+block_size-1), block_size / expected_ratio)
 		if not comp then
@@ -1637,7 +1665,7 @@ function readfile(filename)
 	if not f then
 		error("readfile: "..err)
 	end
-	local s,err = f:read("*a")
+	local s, err = f:read("*a")
 	f:close()
 	if err then
 		error("readfile: "..err)
@@ -1655,7 +1683,7 @@ function writefile(filename, data)
 	if not f then
 		error("writefile: "..err)
 	end
-	local s,err = f:write(data)
+	local s, err = f:write(data)
 	f:close()
 	if not s then
 		error("writefile: "..err)
@@ -1675,7 +1703,7 @@ function http_dissect_header(header)
 end
 -- make table with structured http header representation
 function http_dissect_headers(http, pos)
-	local eol,pnext,header,value,idx,headers,pos_endheader,pos_startvalue,pos_headers_end
+	local eol,pnext,header,value,headers,pos_endheader,pos_startvalue,pos_headers_end
 	headers={}
 	while pos do
 		eol,pnext = find_next_line(http,pos)
@@ -2239,7 +2267,8 @@ function tls_dissect_ext(ext)
 		return left, off
 	end

-	local dis={}, off, len, left
+	local dis={}
+	local off, len, left

 	ext.dis = nil

--- a/lua/zapret-obfs.lua
+++ b/lua/zapret-obfs.lua
@@ -175,7 +175,12 @@ end
 -- arg : server=[0|1] - override server mode. by default use "--server" nfqws2 parameter
 function udp2icmp(ctx, desync)
 	local dataxor
-	local bserver = desync.arg.server and (desync.arg.server~="0") or b_server
+	local bserver
+	if desync.arg.server then
+		bserver = desync.arg.server~="0"
+	else
+		bserver = b_server
+	end

 	local function one_byte_arg(name)
 		if desync.arg[name] then
--- a/lua/zapret-pcap.lua
+++ b/lua/zapret-pcap.lua
@@ -1,6 +1,6 @@
 function pcap_write_header(file)
-	-- big endian, nanoseconds in timestamps, ver 2.4, max packet size - 0x4000 (16384), 0x65 - l3 packets without l2
-	file:write("\xA1\xB2\x3C\x4D\x00\x02\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x65")
+	-- big endian, nanoseconds in timestamps, ver 2.4, max packet size - 0xFFFF (65535), 0x65 - l3 packets without l2
+	file:write("\xA1\xB2\x3C\x4D\x00\x02\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\x00\x00\x00\x65")
 end
 function pcap_write_packet(file, raw)
 	local sec, nsec = clock_gettime();
@@ -34,6 +34,7 @@ function pcap(ctx, desync)
 	if not f then
 		error("pcap: could not write to '".._G[fn_cache_name].."'")
 	end
-	pcap_write(f, raw_packet(ctx))
+	local raw = ctx and raw_packet(ctx) or reconstruct_dissect(desync.dis)
+	pcap_write(f, raw)
 	f:close()
 end
--- a/lua/zapret-tests.lua
+++ b/lua/zapret-tests.lua
@@ -119,7 +119,7 @@ function test_aes()
 	print("* aes")

 	local clear_text="test "..brandom_az09(11)
-	local iv, key, encrypted, decrypted
+	local encrypted, decrypted

 	for key_size=16,32,8 do
 		local key = brandom(key_size)
@@ -507,7 +507,7 @@ end
 function test_dissect()
 	print("* dissect")

-	local dis, raw1, raw2
+	local raw1, raw2

 	for i=1,20 do
 		print("* dissect test "..tostring(i))
@@ -611,7 +611,7 @@ function test_dissect()
 			},
 			payload = brandom(math.random(0, 20))
 		}
-	
+
 		raw1 = reconstruct_dissect(ip6_udp)
 		print("IP6+UDP : "..string2hex(raw1))
 		dis1 = dissect(raw1)
@@ -772,11 +772,6 @@ function test_csum()
 		uh_ulen = UDP_BASE_LEN + #payload
 	}

-	ip.ip_p = IPPROTO_UDP
-	ip4b = reconstruct_iphdr(ip)
-	ip6.ip6_plen = packet_len({ip6=ip6,udp=udp,payload=payload}) - IP6_BASE_LEN
-	ip6b = reconstruct_ip6hdr(ip6, {ip6_last_proto=IPPROTO_UDP})
-
 	udpb = reconstruct_udphdr(udp)
 	raw =	bu16(udp.uh_sport) ..
 		bu16(udp.uh_dport) ..
@@ -785,8 +780,10 @@ function test_csum()
 	print( raw==udpb and "UDP RECONSTRUCT OK" or "UDP RECONSTRUCT FAILED" )
 	test_assert(raw==udpb)

+	ip.ip_p = IPPROTO_UDP
 	raw = reconstruct_dissect({ip=ip, udp=udp, payload=payload})
 	dis1 = dissect(raw)
+	ip.ip_p = IPPROTO_UDP
 	ip.ip_len = IP_BASE_LEN + #ip.options + #udpb + #payload
 	ip4b = reconstruct_iphdr(ip)
 	udpb = csum_udp_fix(ip4b,udpb,payload)
@@ -794,6 +791,8 @@ function test_csum()
 	print( dis1.udp.uh_sum==dis2.udp.uh_sum and "UDP+IP4 CSUM OK" or "UDP+IP4 CSUM FAILED" )
 	test_assert(dis1.udp.uh_sum==dis2.udp.uh_sum)

+	ip6.ip6_plen = packet_len({ip6=ip6,udp=udp,payload=payload}) - IP6_BASE_LEN
+	ip6b = reconstruct_ip6hdr(ip6, {ip6_last_proto=IPPROTO_UDP})
 	raw = reconstruct_dissect({ip6=ip6, udp=udp, payload=payload})
 	dis1 = dissect(raw)
 	udpb = csum_udp_fix(ip6b,udpb,payload)
@@ -949,7 +948,6 @@ function test_rawsend(opts)
 	end
 	local ip, ip6, udp, dis, ddis, raw_ip, raw_udp, raw
 	local payload = brandom(math.random(100,1200))
-	local b

 	local target
 	for ifname,ifinfo in pairs(get_ifaddrs()) do
@@ -997,7 +995,6 @@ function test_rawsend(opts)
 	print("send ipv4 udp using pure rawsend without dissect")
 	test_assert(rawsend_print(raw, {repeats=5}))

-	local target
 	for ifname,ifinfo in pairs(get_ifaddrs()) do
 		for k,v in pairs(ifinfo.addr) do
 			if #v.addr==16 and (string.sub(v.addr,1,1)=="\xFC" or string.sub(v.addr,1,1)=="\xFD") then
@@ -1083,7 +1080,7 @@ function test_rawsend(opts)
 	print("send ipv6 icmp")
 	test_assert(rawsend_dissect_print(dis, {fwmark = 0x8E10, repeats=3}))

-	local ip2 = {
+	ip2 = {
 		ip_tos = 0,
 		ip_id = math.random(0,0xFFFF),
 		ip_off = 0,
--- a/mdig/Makefile
+++ b/mdig/Makefile
@@ -1,8 +1,11 @@
 CC ?= cc
 OPTIMIZE ?= -Os
-CFLAGS += -std=gnu99 $(OPTIMIZE)
+CFLAGS_PIC = -fPIC
+CFLAGS += -std=gnu99 $(OPTIMIZE) $(CFLAGS_PIC)
 CFLAGS_BSD = -Wno-address-of-packed-member
 CFLAGS_WIN = -static
+LDFLAGS_PIE = -pie
+LDFLAGS +=  $(LDFLAGS_PIE)
 LIBS = -lpthread
 LIBS_ANDROID =
 LIBS_WIN = -lws2_32
--- a/nfq2/BSDmakefile
+++ b/nfq2/BSDmakefile
@@ -2,8 +2,11 @@ CC ?= cc
 PKG_CONFIG ?= pkg-config
 OPTIMIZE ?= -Oz
 MINSIZE ?= -flto=auto -ffunction-sections -fdata-sections
-CFLAGS += -std=gnu99 -s $(OPTIMIZE) $(MINSIZE) -Wno-address-of-packed-member
-LDFLAGS += -flto=auto -Wl,--gc-sections
+STRIPP = -s
+CFLAGS_PIC = -fPIC
+CFLAGS += -std=gnu99  $(OPTIMIZE) $(MINSIZE) $(CFLAGS_PIC) -Wno-address-of-packed-member
+LDFLAGS_PIE = -pie
+LDFLAGS += -flto=auto -Wl,--gc-sections $(LDFLAGS_PIE)
 LIBS = -lz -lm
 SRC_FILES = *.c crypto/*.c

@@ -39,7 +42,7 @@ LUA_CFLAGS+=-DLUAJIT
 all: dvtws2

 dvtws2: $(SRC_FILES)
-	$(CC) $(CFLAGS) $(LUA_CFLAGS) -o dvtws2 $(SRC_FILES) $(LIBS) $(LUA_LIB) $(LDFLAGS)
+	$(CC) $(STRIPP) $(CFLAGS) $(LUA_CFLAGS) -o dvtws2 $(SRC_FILES) $(LIBS) $(LUA_LIB) $(LDFLAGS)

 clean:
 	rm -f dvtws2
--- a/nfq2/Makefile
+++ b/nfq2/Makefile
@@ -3,14 +3,19 @@ PKG_CONFIG ?= pkg-config
 OPTIMIZE ?= -Os
 MINSIZE ?= -flto=auto -ffunction-sections -fdata-sections
 CFLAGS += -std=gnu99 $(OPTIMIZE) $(MINSIZE)
-CFLAGS_LINUX = -Wno-alloc-size-larger-than
+CFLAGS_PIC = -fPIC
+CFLAGS_LINUX = -Wno-alloc-size-larger-than $(CFLAGS_PIC)
 CFLAGS_SYSTEMD = -DUSE_SYSTEMD
-CFLAGS_BSD = -Wno-address-of-packed-member
-CFLAGS_CYGWIN = -Wno-address-of-packed-member -static
+CFLAGS_BSD = -Wno-address-of-packed-member $(CFLAGS_PIC)
+CFLAGS_CYGWIN = -Wno-address-of-packed-member -static -Wl,--nxcompat
 CFLAGS_CYGWIN32 =
+CFLAGS_CYGWIN64 = -Wl,--dynamicbase -Wl,--high-entropy-va
 CFLAGS_UBSAN = -fsanitize=undefined,alignment -fno-sanitize-recover=undefined,alignment
-LDFLAGS += -flto=auto -Wl,--gc-sections
+LDFLAGS_PIE = -pie
+LDFLAGS += -flto=auto -Wl,--gc-sections $(LDFLAGS_PIE)
 LDFLAGS_ANDROID = -llog
+LDFLAGS_CYGWIN = -Wl,--build-id=none
+STRIPP=-s
 LIBS =
 LIBS_LINUX = -lz -lnetfilter_queue -lnfnetlink -lmnl -lm
 LIBS_SYSTEMD = -lsystemd
@@ -138,24 +143,24 @@ LUA_CFL += $(LUA_CFLAGS)
 all: nfqws2

 nfqws2: $(SRC_FILES)
-	$(CC) -s $(CFLAGS) $(LUA_CFL) $(CFLAGS_LINUX) -o nfqws2 $(SRC_FILES) $(LIBS) $(LUA_LIB) $(LIBS_LINUX) $(LDFLAGS)
+	$(CC) $(STRIPP) $(CFLAGS) $(LUA_CFL) $(CFLAGS_LINUX) -o nfqws2 $(SRC_FILES) $(LIBS) $(LUA_LIB) $(LIBS_LINUX) $(LDFLAGS)

 ubsan: $(SRC_FILES)
 	$(CC) $(CFLAGS_UBSAN) $(CFLAGS) $(LUA_CFL) $(CFLAGS_LINUX) -o nfqws2 $(SRC_FILES) $(LIBS) $(LUA_LIB) $(LIBS_LINUX) $(LDFLAGS)

 systemd: $(SRC_FILES)
-	$(CC) -s $(CFLAGS) $(LUA_CFL) $(CFLAGS_LINUX) $(CFLAGS_SYSTEMD) -o nfqws2 $(SRC_FILES) $(LIBS) $(LUA_LIB) $(LIBS_LINUX) $(LIBS_SYSTEMD) $(LDFLAGS)
+	$(CC) $(STRIPP) $(CFLAGS) $(LUA_CFL) $(CFLAGS_LINUX) $(CFLAGS_SYSTEMD) -o nfqws2 $(SRC_FILES) $(LIBS) $(LUA_LIB) $(LIBS_LINUX) $(LIBS_SYSTEMD) $(LDFLAGS)

 android: $(SRC_FILES_ANDROID)
-	$(CC) -s $(CFLAGS) $(LUA_CFL) -o nfqws2 $(SRC_FILES_ANDROID) $(LIBS) $(LUA_LIB) $(LIBS_LINUX) $(LDFLAGS) $(LDFLAGS_ANDROID)
+	$(CC) $(STRIPP) $(CFLAGS) $(LUA_CFL) -o nfqws2 $(SRC_FILES_ANDROID) $(LIBS) $(LUA_LIB) $(LIBS_LINUX) $(LDFLAGS) $(LDFLAGS_ANDROID)

 bsd: $(SRC_FILES)
-	$(CC) -s $(CFLAGS) $(LUA_CFL) $(CFLAGS_BSD) -o dvtws2 $(SRC_FILES) $(LIBS) $(LUA_LIB) $(LIBS_BSD) $(LDFLAGS)
+	$(CC) $(STRIPP) $(CFLAGS) $(LUA_CFL) $(CFLAGS_BSD) -o dvtws2 $(SRC_FILES) $(LIBS) $(LUA_LIB) $(LIBS_BSD) $(LDFLAGS)

 cygwin64:
-	$(CC) -s $(CFLAGS) $(LUA_CFL) $(CFLAGS_CYGWIN) -o winws2 $(SRC_FILES) $(RES_CYGWIN64) $(LIBS) $(LUA_LIB) $(LIBS_CYGWIN) $(LIBS_CYGWIN64) $(LDFLAGS)
+	$(CC) $(STRIPP) $(CFLAGS) $(LUA_CFL) $(CFLAGS_CYGWIN) $(CFLAGS_CYGWIN64) -o winws2 $(SRC_FILES) $(RES_CYGWIN64) $(LIBS) $(LUA_LIB) $(LIBS_CYGWIN) $(LIBS_CYGWIN64) $(LDFLAGS) $(LDFLAGS_CYGWIN)
 cygwin32:
-	$(CC) -s $(CFLAGS) $(LUA_CFL) $(CFLAGS_CYGWIN) $(CFLAGS_CYGWIN32) -o winws2 $(SRC_FILES) $(RES_CYGWIN32) $(LIBS) $(LUA_LIB) $(LIBS_CYGWIN) $(LIBS_CYGWIN32) $(LDFLAGS)
+	$(CC) $(STRIPP) $(CFLAGS) $(LUA_CFL) $(CFLAGS_CYGWIN) $(CFLAGS_CYGWIN32) -o winws2 $(SRC_FILES) $(RES_CYGWIN32) $(LIBS) $(LUA_LIB) $(LIBS_CYGWIN) $(LIBS_CYGWIN32) $(LDFLAGS) $(LDFLAGS_CYGWIN)
 cygwin: cygwin64

 clean:
--- a/nfq2/conntrack.c
+++ b/nfq2/conntrack.c
@@ -148,7 +148,7 @@ static void ConntrackApplyPos(t_ctrack *t, bool bReverse, const struct dissect *
 		if (scale != SCALE_NONE) direct->scale = scale;
 		direct->mss = tcp_find_mss(dis->tcp);
 	}
-	else if (direct->scale != SCALE_NONE)
+	else
 		// apply scale only outside of the SYN stage
 		direct->winsize_calc <<= direct->scale;

@@ -172,9 +172,6 @@ static void ConntrackApplyPos(t_ctrack *t, bool bReverse, const struct dissect *

 static void ConntrackFeedPacket(t_ctrack *t, bool bReverse, const struct dissect *dis)
 {
-	uint8_t scale;
-	uint16_t mss;
-
 	if (bReverse)
 	{
 		t->pos.server.pcounter++;
@@ -288,7 +285,7 @@ static bool ConntrackPoolFeedPool(t_conntrack_pool **pp, const struct dissect *d
 	}
 	return false;
 ok:
-	ctr->track.ipproto = proto;
+	ctr->track.pos.ipproto = proto;
 	if (ctrack) *ctrack = &ctr->track;
 	if (bReverse) *bReverse = b_rev;
 	return true;
@@ -370,8 +367,8 @@ void ConntrackPoolDump(const t_conntrack *p)
 				t->track.pos.client.seq0, t->track.pos.client.seq_last - t->track.pos.client.seq0, t->track.pos.client.pos - t->track.pos.client.seq0,
 				t->track.pos.server.seq0, t->track.pos.server.seq_last - t->track.pos.server.seq0, t->track.pos.server.pos - t->track.pos.server.seq0,
 				t->track.pos.client.mss, t->track.pos.server.mss,
-				t->track.pos.client.winsize, t->track.pos.client.scale == SCALE_NONE ? -1 : t->track.pos.client.scale,
-				t->track.pos.server.winsize, t->track.pos.server.scale == SCALE_NONE ? -1 : t->track.pos.server.scale);
+				t->track.pos.client.winsize, t->track.pos.client.scale,
+				t->track.pos.server.winsize, t->track.pos.server.scale);
 		else
 			printf("rseq=%u client.pos=%u rack=%u server.pos=%u",
 				t->track.pos.client.seq_last, t->track.pos.client.pos,
--- a/nfq2/conntrack.h
+++ b/nfq2/conntrack.h
@@ -53,7 +53,6 @@ typedef struct {
 typedef struct
 {
 	bool bCheckDone, bCheckResult, bCheckExcluded; // hostlist check result cache
-	uint8_t ipproto;

 	struct timespec t_start;

--- a/nfq2/conntrack_base.h
+++ b/nfq2/conntrack_base.h
@@ -21,15 +21,15 @@ typedef struct
 	uint32_t ip6flow;

 	// tcp only state, not used in udp
-	uint32_t pos;		// TCP: seq_last+payload, ack_last+payload  UDP: sum of all seen payload lenghts including current
+	uint32_t pos;		// seq_last+payload, ack_last+payload
 	uint32_t uppos;		// max seen position. useful to detect retransmissions
 	uint32_t uppos_prev; 	// previous max seen position. useful to detect retransmissions
-	uint32_t seq_last;	// TCP: last seen seq and ack  UDP: sum of all seen payload lenghts NOT including current
+	uint32_t seq_last;	// last seen seq and ack
 	uint32_t seq0;		// starting seq and ack
 	uint16_t winsize;	// last seen window size
 	uint16_t mss;
 	uint32_t winsize_calc;	// calculated window size
-	uint8_t scale;		// last seen window scale factor. SCALE_NONE if none
+	uint8_t scale;		// last seen window scale factor
 	bool rseq_over_2G;
 } t_ctrack_position;

@@ -38,5 +38,6 @@ typedef struct
 	struct timespec t_last;
 	t_connstate state;
 	t_ctrack_position client, server;
+	uint8_t ipproto;
 }
 t_ctrack_positions;
--- a/nfq2/crypto/gcm.h
+++ b/nfq2/crypto/gcm.h
@@ -29,7 +29,6 @@

 #if defined(_MSC_VER)
 #include <basetsd.h>
-typedef unsigned int size_t;// use the right type for length declarations
 typedef UINT32 uint32_t;
 typedef UINT64 uint64_t;
 #else
--- a/nfq2/darkmagic.c
+++ b/nfq2/darkmagic.c
@@ -48,7 +48,7 @@ uint32_t net32_add(uint32_t netorder_value, uint32_t cpuorder_increment)
 {
 	return htonl(ntohl(netorder_value)+cpuorder_increment);
 }
-uint32_t net16_add(uint16_t netorder_value, uint16_t cpuorder_increment)
+uint16_t net16_add(uint16_t netorder_value, uint16_t cpuorder_increment)
 {
 	return htons(ntohs(netorder_value)+cpuorder_increment);
 }
@@ -229,7 +229,7 @@ uint16_t family_from_proto(uint8_t l3proto)
 	{
 		case IPPROTO_IP: return AF_INET;
 		case IPPROTO_IPV6: return AF_INET6;
-		default: return -1;
+		default: return AF_UNSPEC;
 	}
 }

@@ -335,7 +335,7 @@ void str_tcphdr(char *s, size_t s_len, const struct tcphdr *tcphdr)
 	if (tcphdr->th_flags & TH_PUSH) *f++='P';
 	if (tcphdr->th_flags & TH_URG) *f++='U';
 	*f=0;
-	snprintf(s,s_len,"sport=%u dport=%u flags=%s seq=%u ack_seq=%u",htons(tcphdr->th_sport),htons(tcphdr->th_dport),flags,htonl(tcphdr->th_seq),htonl(tcphdr->th_ack));
+	snprintf(s,s_len,"sport=%u dport=%u flags=%s seq=%u ack_seq=%u",ntohs(tcphdr->th_sport),ntohs(tcphdr->th_dport),flags,ntohl(tcphdr->th_seq),ntohl(tcphdr->th_ack));
 }
 void print_tcphdr(const struct tcphdr *tcphdr)
 {
@@ -345,7 +345,7 @@ void print_tcphdr(const struct tcphdr *tcphdr)
 }
 void str_udphdr(char *s, size_t s_len, const struct udphdr *udphdr)
 {
-	snprintf(s,s_len,"sport=%u dport=%u",htons(udphdr->uh_sport),htons(udphdr->uh_dport));
+	snprintf(s,s_len,"sport=%u dport=%u",ntohs(udphdr->uh_sport),ntohs(udphdr->uh_dport));
 }
 void print_udphdr(const struct udphdr *udphdr)
 {
@@ -557,11 +557,15 @@ void proto_dissect_l3l4(const uint8_t *data, size_t len, struct dissect *dis, bo
 	dis->data_pkt = data;
 	dis->len_pkt = len;

+	uint16_t iplen;
+
 	if (proto_check_ipv4(data, len) && (no_payload_check || proto_check_ipv4_payload(data, len)))
 	{
 		dis->ip = (const struct ip *) data;
 		dis->proto = dis->ip->ip_p;
 		p = data;
+		iplen = ntohs(((struct ip*)data)->ip_len);
+		if (iplen<len) dis->len_pkt = len = iplen;
 		proto_skip_ipv4(&data, &len, &dis->frag, &dis->frag_off);
 		dis->len_l3 = data-p;
 	}
@@ -569,6 +573,8 @@ void proto_dissect_l3l4(const uint8_t *data, size_t len, struct dissect *dis, bo
 	{
 		dis->ip6 = (const struct ip6_hdr *) data;
 		p = data;
+		iplen = ntohs(((struct ip6_hdr*)data)->ip6_ctlun.ip6_un1.ip6_un1_plen) + sizeof(struct ip6_hdr);
+		if (iplen<len) dis->len_pkt = len = iplen;
 		proto_skip_ipv6(&data, &len, &dis->proto, &dis->frag, &dis->frag_off);
 		dis->len_l3 = data-p;
 	}
@@ -797,8 +803,8 @@ static BOOL RemoveTokenPrivs(void)
 							if (memcmp(&privs->Privileges[k].Luid, &luid_SeChangeNotifyPrivilege, sizeof(LUID)))
 								privs->Privileges[k].Attributes = SE_PRIVILEGE_REMOVED;
 						}
+						bRes = AdjustTokenPrivileges(hToken, FALSE, privs, dwSize, NULL, NULL);
 					}
-					bRes = AdjustTokenPrivileges(hToken, FALSE, privs, dwSize, NULL, NULL);
 					free(privs);
 				}
 			}
@@ -922,11 +928,29 @@ BOOL SetMandatoryLabelObject(HANDLE h, SE_OBJECT_TYPE ObjType, DWORD dwMandatory

 bool ensure_file_access(const char *filename)
 {
-	return SetMandatoryLabelFile(filename, SECURITY_MANDATORY_LOW_RID, 0);
+	bool b=false;
+	size_t l = cygwin_conv_path(CCP_POSIX_TO_WIN_W | CCP_ABSOLUTE, filename, NULL, 0);
+	WCHAR *wfilename = (WCHAR*)malloc(l);
+	if (wfilename)
+	{
+		if (!cygwin_conv_path(CCP_POSIX_TO_WIN_W | CCP_ABSOLUTE, filename, wfilename, l))
+			b = SetMandatoryLabelFileW(wfilename, SECURITY_MANDATORY_LOW_RID, 0);
+		free(wfilename);
+	}
+	return b;
 }
 bool ensure_dir_access(const char *dir)
 {
-	return SetMandatoryLabelFile(dir, SECURITY_MANDATORY_LOW_RID, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE);
+	bool b=false;
+	size_t l = cygwin_conv_path(CCP_POSIX_TO_WIN_W | CCP_ABSOLUTE, dir, NULL, 0);
+	WCHAR *wdir = (WCHAR*)malloc(l);
+	if (wdir)
+	{
+		if (!cygwin_conv_path(CCP_POSIX_TO_WIN_W | CCP_ABSOLUTE, dir, wdir, l))
+			b=SetMandatoryLabelFileW(wdir, SECURITY_MANDATORY_LOW_RID, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE);
+		free(wdir);
+	}
+	return b;
 }

 bool prepare_low_appdata()
@@ -2075,6 +2099,7 @@ static uint16_t wlan_get_family_id(struct mnl_socket* nl)
 static int wlan_info_attr_cb(const struct nlattr *attr, void *data)
 {
 	struct wlan_interface *wlan = (struct wlan_interface *)data;
+	size_t len;
 	switch(mnl_attr_get_type(attr))
 	{
 		case NL80211_ATTR_IFINDEX:
@@ -2086,12 +2111,10 @@ static int wlan_info_attr_cb(const struct nlattr *attr, void *data)
 			wlan->ifindex = mnl_attr_get_u32(attr);
 			break;
 		case NL80211_ATTR_SSID:
-			if (mnl_attr_validate(attr, MNL_TYPE_STRING) < 0)
-			{
-				DLOG_PERROR("mnl_attr_validate(ssid)");
-				return MNL_CB_ERROR;
-			}
-			snprintf(wlan->ssid,sizeof(wlan->ssid),"%s",mnl_attr_get_str(attr));
+			len = mnl_attr_get_payload_len(attr);
+			if (len>=sizeof(wlan->ssid)) len=sizeof(wlan->ssid)-1;
+			memcpy(wlan->ssid, mnl_attr_get_payload(attr), len);
+			wlan->ssid[len]=0;
 			break;
 		case NL80211_ATTR_IFNAME:
 			if (mnl_attr_validate(attr, MNL_TYPE_STRING) < 0)
@@ -2137,8 +2160,8 @@ static uint8_t *find_ie(uint8_t *buf, size_t len, uint8_t ie)
 	{
 		if (len<(2+buf[1])) break;
 		if (buf[0]==ie) return buf;
-		buf+=buf[1]+2;
 		len-=buf[1]+2;
+		buf+=buf[1]+2;
 	}
 	return NULL;
 }
@@ -2221,6 +2244,7 @@ static bool scan_info(struct mnl_socket* nl, uint16_t wlan_family_id, struct wla
 	// wlan_info does not return ssid since kernel 5.19
 	// it's used to enumerate all wifi interfaces then call scan_info on each
 	if (!wlan_info(nl, wlan_family_id, &wc_all, false)) return false;
+	w->count=0;
 	for(int i=0;i<wc_all.count;i++)
 		if (!netlink_genl_simple_transact(nl, wlan_family_id, NLM_F_REQUEST | NLM_F_ACK | NLM_F_DUMP, NL80211_CMD_GET_SCAN, 0, scan_prepare, (void*)&wc_all.wlan[i].ifindex, scan_info_cb, w))
 			return false;
@@ -2434,20 +2458,11 @@ bool make_writeable_dir()
 	if (mkdir(wrdir,0755) && errno!=EEXIST)
 		return false;

-	bool b = false;
+	bool b;
 #ifdef __CYGWIN__
-	size_t l = cygwin_conv_path(CCP_POSIX_TO_WIN_W | CCP_ABSOLUTE, wrdir, NULL, 0);
-	WCHAR *wwrdir = (WCHAR*)malloc(l);
-	if (wwrdir)
-	{
-		if (!cygwin_conv_path(CCP_POSIX_TO_WIN_W | CCP_ABSOLUTE, wrdir, wwrdir, l))
-			b = SetMandatoryLabelFileW(wwrdir, SECURITY_MANDATORY_LOW_RID, OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE);
-		free(wwrdir);
-	}
+	b = ensure_dir_access(wrdir);
 #else
-	if (ensure_dir_access(wrdir))
-		b = true;
-	else
+	if (!(b=ensure_dir_access(wrdir)))
 	{
 		// could not chown. may be still accessible ?
 		char testfile[PATH_MAX];
--- a/nfq2/darkmagic.h
+++ b/nfq2/darkmagic.h
@@ -94,7 +94,7 @@

 // returns netorder value
 uint32_t net32_add(uint32_t netorder_value, uint32_t cpuorder_increment);
-uint32_t net16_add(uint16_t netorder_value, uint16_t cpuorder_increment);
+uint16_t net16_add(uint16_t netorder_value, uint16_t cpuorder_increment);

 #define SCALE_NONE ((uint8_t)-1)

--- a/nfq2/desync.c
+++ b/nfq2/desync.c
@@ -556,7 +556,7 @@ static bool reasm_client_start(t_ctrack *ctrack, uint8_t proto, size_t sz, size_
 		// server gave us too small tcp window
 		// client will not send all pieces of reasm
 		// if we drop packets and wait for next pieces we will see nothing but retransmissions
-		DLOG("reasm cancelled because server window size %u is smaller than expected reasm size %u\n", ctrack->pos.server.winsize_calc, sz);
+		DLOG("reasm cancelled because server window size %u is smaller than expected reasm size %zu\n", ctrack->pos.server.winsize_calc, sz);
 		return false;
 	}
 	return reasm_start(ctrack, &ctrack->reasm_client, proto, (proto == IPPROTO_TCP) ? ctrack->pos.client.seq_last : 0, sz, szMax, data_payload, len_payload);
@@ -1581,14 +1581,14 @@ static uint8_t dpi_desync_tcp_packet_play(

 				if (!ReasmIsEmpty(&ps.ctrack->reasm_client))
 				{
-					if (rawpacket_queue(&ps.ctrack->delayed, &ps.dst, fwmark, desync_fwmark, ifin, ifout, dis->data_pkt, dis->len_pkt, dis->len_payload, &ps.ctrack->pos))
+					if (rawpacket_queue(&ps.ctrack->delayed, &ps.dst, fwmark, desync_fwmark, ifin, ifout, dis->data_pkt, dis->len_pkt, dis->len_payload, &ps.ctrack->pos, false))
 					{
 						DLOG("DELAY desync until reasm is complete (#%u)\n", rawpacket_queue_count(&ps.ctrack->delayed));
 					}
 					else
 					{
 						DLOG_ERR("rawpacket_queue failed !\n");
-						goto pass_reasm_cancel;
+						goto rediscover;
 					}
 					if (ReasmIsFull(&ps.ctrack->reasm_client))
 					{
@@ -1602,6 +1602,7 @@ static uint8_t dpi_desync_tcp_packet_play(
 		}
 	}

+// UNSOLVED: if reasm is cancelled all packets except the last are passed as is without lua desync
 rediscover:
 	if (!dp_rediscovery(&ps))
 		goto pass_reasm_cancel;
@@ -1647,8 +1648,12 @@ static const uint8_t *dns_extract_name(const uint8_t *a, const uint8_t *b, const
 {
 	size_t nl, off;
 	const uint8_t *p;
-	bool bptr = (*a & 0xC0)==0xC0;
+	bool bptr;
+	uint8_t x,y;

+	if (!name_size) return NULL;
+
+	bptr = (*a & 0xC0)==0xC0;
 	if (bptr)
 	{
 		if (a+1>=e) return NULL;
@@ -1663,67 +1668,115 @@ static const uint8_t *dns_extract_name(const uint8_t *a, const uint8_t *b, const
 	if (p>=e) return NULL;
 	for (nl=0; *p ;)
 	{
+		if (nl)
+		{
+			if (nl>=name_size) return NULL;
+			name[nl++] = '.';
+		}
 		// do not support mixed ptr+real
 		if ((*p & 0xC0) || (p+*p+1)>=e || (*p+1)>=(name_size-nl)) return NULL;
-		if (nl)	name[nl++] = '.';
-		memcpy(name + nl, p + 1, *p);
-		nl += *p;
-		p += *p + 1;
+		for(y=*p++,x=0 ; x<y ; x++,p++) name[nl+x] = tolower(*p);
+		nl += y;
 	}
+	if (nl>=name_size) return NULL;
 	name[nl] = 0;
 	return bptr ? a+2 : p+1;
 }
+static bool dns_skip_name(const uint8_t **a, size_t *len)
+{
+	// 11 higher bits indicate pointer
+	// lazy skip name. mixed compressed/uncompressed names are supported
+	for(;;)
+	{
+		if (*len<2) return false;
+		if ((**a & 0xC0)==0xC0)
+		{
+			// pointer is the end
+			(*a)+=2; (*len)-=2;
+			break;
+		}
+		if (!**a)
+		{
+			// zero length is the end
+			(*a)++; (*len)--;
+			break;
+		}
+		if (*len<(**a+1)) return false;
+		*len-=**a+1;
+		*a+=**a+1;
+	}
+	return true;
+}
+
 static bool feed_dns_response(const uint8_t *a, size_t len)
 {
 	if (!params.cache_hostname) return true;

 	// check of minimum header length and response flag
-	uint16_t k, off, dlen, qcount = a[4]<<8 | a[5], acount = a[6]<<8 | a[7];
+	uint16_t k, typ, off, dlen, qcount = a[4]<<8 | a[5], acount = a[6]<<8 | a[7];
 	char s_ip[INET6_ADDRSTRLEN];
 	const uint8_t *b = a, *p;
 	const uint8_t *e = b + len;
 	size_t nl;
 	char name[256] = "";

-	if (len<12 || !(a[2]&0x80)) return false;
-	a+=12; len-=12;
-	for(k=0;k<qcount;k++)
+	if (!qcount || len<12 || !(a[2]&0x80)) return false;
+	if (!acount)
 	{
+		DLOG("skipping DNS response without answer\n");
+		return false;
+	}
+	a+=12; len-=12;
+	for(k=0,*name = 0 ; k<qcount ; k++)
+	{
+		if (*name) return false; // we do not support multiple queries with names
 		// remember original query name
 		if (!(p = dns_extract_name(a, b, e, name, sizeof(name)))) return false;
 		len -= p-a;
+		if ((len<4) || p[2] || p[3]!=1)	return false;
+		typ = pntoh16(p);
 		// must be A or AAAA query. others are not interesting
-		if ((len<4) || p[0] || p[1]!=1 && p[1]!=28 || p[2] || p[3]!=1) return false;
+		if (typ!=1 && typ!=28)
+		{
+			DLOG("skipping DNS query type %u for '%s'\n", typ, name);
+			return false;
+		}
+		else
+		{
+			DLOG("DNS query type %u for '%s'\n", typ, name);
+		}
 		// skip type, class
 		a=p+4; len-=4;
 	}
 	if (!*name) return false;
 	for(k=0;k<acount;k++)
 	{
-		// 11 higher bits indicate pointer
-		if (len<12 || (*a & 0xC0)!=0xC0) return false;
-
-		dlen = a[10]<<8 | a[11];
-		if (len<(dlen+12)) return false;
-		if (a[4]==0 && a[5]==1 && a[2]==0) // IN class and higher byte of type = 0
+		if (!dns_skip_name(&a,&len)) return false;
+		if (len<10) return false;
+		dlen = a[8]<<8 | a[9];
+		if (len<(dlen+10)) return false;
+		if (a[2]==0 && a[3]==1) // IN class
 		{
-			switch(a[3])
+			typ = pntoh16(a);
+			switch(typ)
 			{
 				case 1: // A
 					if (dlen!=4) break;
-					if (params.debug && inet_ntop(AF_INET, a+12, s_ip, sizeof(s_ip)))
-						DLOG("DNS response : %s\n", s_ip);
-					ipcache_put_hostname((struct in_addr *)(a+12), NULL, name, false);
+					if (params.debug && inet_ntop(AF_INET, a+10, s_ip, sizeof(s_ip)))
+						DLOG("DNS response type %u : %s\n", typ, s_ip);
+					ipcache_put_hostname((struct in_addr *)(a+10), NULL, name, false);
 					break;
 				case 28: // AAAA
 					if (dlen!=16) break;
-					if (params.debug && inet_ntop(AF_INET6, a+12, s_ip, sizeof(s_ip)))
-						DLOG("DNS response : %s\n", s_ip);
-					ipcache_put_hostname(NULL, (struct in6_addr *)(a+12), name, false);
+					if (params.debug && inet_ntop(AF_INET6, a+10, s_ip, sizeof(s_ip)))
+						DLOG("DNS response type %u : %s\n", typ, s_ip);
+					ipcache_put_hostname(NULL, (struct in6_addr *)(a+10), name, false);
 					break;
+				default:
+					DLOG("skipping DNS response type %u\n", typ);
 			}
 		}
-		len -= 12+dlen; a += 12+dlen;
+		len -= 10+dlen; a += 10+dlen;
 	}
 	return true;
 }
@@ -1781,7 +1834,7 @@ static uint8_t dpi_desync_udp_packet_play(
 						else
 						{
 							DLOG("QUIC reasm is too long. cancelling.\n");
-							goto pass_reasm_cancel;
+							goto rediscover_cancel;
 						}
 					}
 					size_t hello_offset, hello_len, defrag_len = sizeof(defrag);
@@ -1805,18 +1858,18 @@ static uint8_t dpi_desync_udp_packet_play(
 								{
 									// preallocate max buffer to avoid reallocs that cause memory copy
 									if (!reasm_client_start(ps.ctrack, IPPROTO_UDP, UDP_MAX_REASM, UDP_MAX_REASM, clean, clean_len))
-										goto pass_reasm_cancel;
+										goto rediscover_cancel;
 								}
 								if (!ReasmIsEmpty(&ps.ctrack->reasm_client))
 								{
-									if (rawpacket_queue(&ps.ctrack->delayed, &ps.dst, fwmark, desync_fwmark, ifin, ifout, dis->data_pkt, dis->len_pkt, dis->len_payload, &ps.ctrack->pos))
+									if (rawpacket_queue(&ps.ctrack->delayed, &ps.dst, fwmark, desync_fwmark, ifin, ifout, dis->data_pkt, dis->len_pkt, dis->len_payload, &ps.ctrack->pos, false))
 									{
 										DLOG("DELAY desync until reasm is complete (#%u)\n", rawpacket_queue_count(&ps.ctrack->delayed));
 									}
 									else
 									{
 										DLOG_ERR("rawpacket_queue failed !\n");
-										goto pass_reasm_cancel;
+										goto rediscover_cancel;
 									}
 									if (bReqFull)
 									{
@@ -1847,16 +1900,16 @@ static uint8_t dpi_desync_udp_packet_play(
 								{
 									// preallocate max buffer to avoid reallocs that cause memory copy
 									if (!reasm_client_start(ps.ctrack, IPPROTO_UDP, UDP_MAX_REASM, UDP_MAX_REASM, clean, clean_len))
-										goto pass_reasm_cancel;
+										goto rediscover_cancel;
 								}
-								if (rawpacket_queue(&ps.ctrack->delayed, &ps.dst, fwmark, desync_fwmark, ifin, ifout, dis->data_pkt, dis->len_pkt, dis->len_payload, &ps.ctrack->pos))
+								if (rawpacket_queue(&ps.ctrack->delayed, &ps.dst, fwmark, desync_fwmark, ifin, ifout, dis->data_pkt, dis->len_pkt, dis->len_payload, &ps.ctrack->pos, false))
 								{
 									DLOG("DELAY desync until reasm is complete (#%u)\n", rawpacket_queue_count(&ps.ctrack->delayed));
 								}
 								else
 								{
 									DLOG_ERR("rawpacket_queue failed !\n");
-									goto pass_reasm_cancel;
+									goto rediscover_cancel;
 								}
 								return ct_new_postnat_fix(ps.ctrack, dis, mod_pkt, len_mod_pkt);
 							}
@@ -1881,18 +1934,16 @@ static uint8_t dpi_desync_udp_packet_play(
 			feed_dns_response(dis->data_payload, dis->len_payload);
 	} // len_payload

+// UNSOLVED: if reasm is cancelled all packets except the last are passed as is without lua desync
+rediscover_cancel:
 	reasm_client_cancel(ps.ctrack);

 	if (!dp_rediscovery(&ps))
 		goto pass;

 	ps.verdict = desync(ps.dp, fwmark, ifin, ifout, ps.bReverseFixed, ps.ctrack_replay, tpos, ps.l7payload, ps.l7proto, dis, ps.sdip4, ps.sdip6, ps.sdport, mod_pkt, len_mod_pkt, replay_piece, replay_piece_count, reasm_offset, NULL, 0, data_decrypt, len_decrypt);
-
 pass:
-	return (!ps.bReverse && (ps.verdict & VERDICT_MASK) == VERDICT_DROP) ? ct_new_postnat_fix(ps.ctrack, dis, mod_pkt, len_mod_pkt) : ps.verdict;
-pass_reasm_cancel:
-	reasm_client_cancel(ps.ctrack);
-	goto pass;
+	return (!ps.bReverseFixed && (ps.verdict & VERDICT_MASK) == VERDICT_DROP) ? ct_new_postnat_fix(ps.ctrack, dis, mod_pkt, len_mod_pkt) : ps.verdict;
 }

 // conntrack is supported only for RELATED icmp
@@ -1952,7 +2003,7 @@ static uint8_t dpi_desync_icmp_packet(
 				// invert direction. they are answering to this packet
 				bReverse = !bReverse;
 				DLOG("found conntrack entry. inverted reverse=%u\n",bReverse);
-				if (ctrack->dp_search_complete)
+				if (ctrack->dp_search_complete && ctrack->dp)
 				{
 					// RELATED icmp processed within base connection profile
 					dp = ctrack->dp;
@@ -2146,12 +2197,24 @@ static bool replay_queue(struct rawpacket_tailhead *q)
 	struct rawpacket *rp;
 	size_t offset;
 	unsigned int i, count;
-	bool b = true;
 	uint8_t mod[RECONSTRUCT_MAX_SIZE];
 	size_t modlen;
+	uint32_t seq0;
+	t_ctrack_position *pos;
+	bool b = true, bseq;

-	for (i = 0, offset = 0, count = rawpacket_queue_count(q); (rp = rawpacket_dequeue(q)); offset += rp->len_payload, rawpacket_free(rp), i++)
+	for (i = 0, offset = 0, count = rawpacket_queue_count(q); (rp = rawpacket_dequeue(q)); rawpacket_free(rp), i++)
 	{
+		// TCP: track reasm_offset using sequence numbers
+		if ((bseq = rp->tpos_present && rp->tpos.ipproto==IPPROTO_TCP))
+		{
+			pos = rp->server_side ? &rp->tpos.server : &rp->tpos.client;
+			if (i)
+				offset = pos->seq_last - seq0;
+			else
+				seq0 = pos->seq_last;
+		}
+
 		DLOG("REPLAYING delayed packet #%u offset %zu\n", i+1, offset);
 		modlen = sizeof(mod);
 		uint8_t verdict = dpi_desync_packet_play(i, count, offset, rp->fwmark_orig, rp->ifin, rp->ifout, rp->tpos_present ? &rp->tpos : NULL, rp->packet, rp->len, mod, &modlen);
@@ -2169,6 +2232,9 @@ static bool replay_queue(struct rawpacket_tailhead *q)
 			DLOG("DROPPING delayed packet #%u\n", i+1);
 			break;
 		}
+
+		if (!bseq)
+			offset += rp->len_payload;
 	}
 	return b;
 }
--- a/nfq2/filter.c
+++ b/nfq2/filter.c
@@ -180,7 +180,7 @@ void str_cidr4(char *s, size_t s_len, const struct cidr4 *cidr)
 }
 void print_cidr4(const struct cidr4 *cidr)
 {
-	char s[19];
+	char s[INET_ADDRSTRLEN+4];
 	str_cidr4(s,sizeof(s),cidr);
 	printf("%s",s);
 }
@@ -193,7 +193,7 @@ void str_cidr6(char *s, size_t s_len, const struct cidr6 *cidr)
 }
 void print_cidr6(const struct cidr6 *cidr)
 {
-	char s[INET_ADDRSTRLEN+4];
+	char s[INET6_ADDRSTRLEN+4];
 	str_cidr6(s,sizeof(s),cidr);
 	printf("%s",s);
 }
--- a/nfq2/helpers.c
+++ b/nfq2/helpers.c
@@ -50,7 +50,6 @@ void qsort_ssize_t(ssize_t *array, int ct)
 	qsort(array, ct, sizeof(*array), cmp_ssize_t);
 }

-
 int str_index(const char **strs, int count, const char *str)
 {
 	for (int i = 0; i < count; i++)
--- a/nfq2/helpers.h
+++ b/nfq2/helpers.h
@@ -12,6 +12,9 @@
 #include <fcntl.h>

 #define UNARY_PLUS(v) (v>0 ? "+" : "")
+//#define	MIN(v1,v2) ((v1)<(v2) ? (v1) : (v2))
+//#define	MAX(v1,v2) ((v1)<(v2) ? (v2) : (v1))
+

 // this saves memory. sockaddr_storage is larger than required. it can be 128 bytes. sockaddr_in6 is 28 bytes.
 typedef union
--- a/nfq2/hostlist.c
+++ b/nfq2/hostlist.c
@@ -8,8 +8,10 @@ static bool addpool(hostlist_pool **hostlist, char **s, const char *end, int *ct
 {
 	char *p=*s;

+	for (; p<end && (*p==' ' || *p=='\t') ; p++);
+	*s = p;
 	// comment line ?
-	if ( *p != '#' && *p != ';' && *p != '/' && *p != '\r' && *p != '\n')
+	if (p<end && *p != '#' && *p != ';' && *p != '/' && *p != '\r' && *p != '\n')
 	{
 		// advance until eol lowering all chars
 		uint32_t flags = 0;
@@ -64,18 +66,21 @@ bool AppendHostList(hostlist_pool **hostlist, const char *filename)
 		{
 			DLOG_CONDUP("zlib compression detected. uncompressed size : %zu\n", zsize);

-			p = zbuf;
-			e = zbuf + zsize;
-			while(p<e)
+			if (zbuf)
 			{
-				if (!addpool(hostlist,&p,e,&ct))
+				p = zbuf;
+				e = zbuf + zsize;
+				while(p<e)
 				{
-					DLOG_ERR("Not enough memory to store host list : %s\n", filename);
-					free(zbuf);
-					return false;
+					if (!addpool(hostlist,&p,e,&ct))
+					{
+						DLOG_ERR("Not enough memory to store host list : %s\n", filename);
+						free(zbuf);
+						return false;
+					}
 				}
+				free(zbuf);
 			}
-			free(zbuf);
 		}
 		else
 		{
--- a/nfq2/ipset.c
+++ b/nfq2/ipset.c
@@ -11,36 +11,42 @@ static bool addpool(ipset *ips, char **s, const char *end, int *ct)
 	struct cidr4 c4;
 	struct cidr6 c6;

-	for (p=*s; p<end && *p && *p!=' ' && *p!='\t' && *p!='\r' && *p != '\n'; p++);
-
-	// comment line
-	if (!(**s == '#' || **s == ';' || **s == '/' || **s == '\r' || **s == '\n' ))
+	for (p=*s; p<end && (*p==' ' || *p=='\t') ; p++);
+	if (p<end)
 	{
-		l = p-*s;
-		if (l>=sizeof(cidr)) l=sizeof(cidr)-1;
-		memcpy(cidr,*s,l);
-		cidr[l]=0;
+		// comment line
+		if (!(*p == '#' || *p == ';' || *p == '/' || *p == '\r' || *p == '\n' ))
+		{
+			*s=p;
+			// advance to the token's end
+			for (; p<end && *p && *p!=' ' && *p!='\t' && *p!='\r' && *p != '\n'; p++);

-		if (parse_cidr4(cidr,&c4))
-		{
-			if (!ipset4AddCidr(&ips->ips4, &c4))
+			l = p-*s;
+			if (l>=sizeof(cidr)) l=sizeof(cidr)-1;
+			memcpy(cidr,*s,l);
+			cidr[l]=0;
+
+			if (parse_cidr4(cidr,&c4))
 			{
-				ipsetDestroy(ips);
-				return false;
+				if (!ipset4AddCidr(&ips->ips4, &c4))
+				{
+					ipsetDestroy(ips);
+					return false;
+				}
+				if (ct) (*ct)++;
 			}
-			if (ct) (*ct)++;
-		}
-		else if (parse_cidr6(cidr,&c6))
-		{
-			if (!ipset6AddCidr(&ips->ips6, &c6))
+			else if (parse_cidr6(cidr,&c6))
 			{
-				ipsetDestroy(ips);
-				return false;
+				if (!ipset6AddCidr(&ips->ips6, &c6))
+				{
+					ipsetDestroy(ips);
+					return false;
+				}
+				if (ct) (*ct)++;
 			}
-			if (ct) (*ct)++;
+			else
+				DLOG_ERR("bad ip or subnet : %s\n",cidr);
 		}
-		else
-			DLOG_ERR("bad ip or subnet : %s\n",cidr);
 	}

 	// skip remaining non-eol chars
@@ -81,18 +87,21 @@ static bool AppendIpset(ipset *ips, const char *filename)
 		{
 			DLOG_CONDUP("zlib compression detected. uncompressed size : %zu\n", zsize);

-			p = zbuf;
-			e = zbuf + zsize;
-			while(p<e)
+			if (zbuf)
 			{
-				if (!addpool(ips,&p,e,&ct))
+				p = zbuf;
+				e = zbuf + zsize;
+				while(p<e)
 				{
-					DLOG_ERR("Not enough memory to store ipset : %s\n", filename);
-					free(zbuf);
-					return false;
+					if (!addpool(ips,&p,e,&ct))
+					{
+						DLOG_ERR("Not enough memory to store ipset : %s\n", filename);
+						free(zbuf);
+						return false;
+					}
 				}
+				free(zbuf);
 			}
-			free(zbuf);
 		}
 		else
 		{
@@ -104,7 +113,7 @@ static bool AppendIpset(ipset *ips, const char *filename)
 	{
 		DLOG_CONDUP("loading plain text list\n");

-		while (fgets(s, sizeof(s)-1, F))
+		while (fgets_safe(s, sizeof(s)-1, F))
 		{
 			p = s;
 			if (!addpool(ips,&p,p+strlen(p),&ct))
--- a/nfq2/lua.c
+++ b/nfq2/lua.c
@@ -1248,6 +1248,7 @@ void lua_push_blob(lua_State *L, int idx_desync, const char *blob)
 		lua_pop(L,1);
 		lua_getglobal(L, blob);
 	}
+	lua_tostring(L,-1);
 }
 void lua_pushf_blob(lua_State *L, int idx_desync, const char *field, const char *blob)
 {
@@ -1657,7 +1658,7 @@ void lua_pushf_ctrack_pos(lua_State *L, const t_ctrack *ctrack, const t_ctrack_p
 	lua_pushf_lint(L,"pdcounter", pos->pdcounter);
 	lua_pushf_lint(L,"pbcounter", pos->pbcounter);
 	if (pos->ip6flow) lua_pushf_int(L,"ip6_flow", pos->ip6flow);
-	if (ctrack->ipproto == IPPROTO_TCP)
+	if (ctrack->pos.ipproto == IPPROTO_TCP)
 	{
 		lua_pushliteral(L, "tcp");
 		lua_createtable(L, 0, 11);
@@ -1779,7 +1780,10 @@ void lua_pushf_args(lua_State *L, const struct str2_list_head *args, int idx_des
 				lua_push_blob(L, idx_desync, val+1);
 				lua_Integer len = lua_rawlen(L, -1);
 				lua_pop(L,1);
-				lua_pushf_int(L, var, len);
+				lua_pushstring(L, var);
+				lua_pushinteger(L, len);
+				lua_tostring(L,-1); // force string type in arg
+				lua_rawset(L,-3);
 			}
 			else
 				lua_pushf_str(L, var, val);
@@ -1864,7 +1868,7 @@ static bool lua_reconstruct_ip6exthdr(lua_State *L, int idx, struct ip6_hdr *ip6
 {
 	LUA_STACK_GUARD_ENTER(L)
 	// proto = last header type
-	if (*len<sizeof(struct tcphdr)) return false;
+	if (*len<sizeof(struct ip6_hdr)) return false;

 	uint8_t *last_proto = &ip6->ip6_ctlun.ip6_un1.ip6_un1_nxt;
 	size_t filled = sizeof(struct ip6_hdr);
@@ -1901,11 +1905,24 @@ static bool lua_reconstruct_ip6exthdr(lua_State *L, int idx, struct ip6_hdr *ip6
 				lua_getfield(L,-1, "data");
 				if (lua_type(L,-1)!=LUA_TSTRING) goto err;
 				if (!(p=(uint8_t*)lua_tolstring(L,-1,&l))) l=0;
-				if (l<6 || (l+2)>left || (type==IPPROTO_AH ? (l>=1024 || ((l+2) & 3)) : (l>=2048 || ((l+2) & 7)))) goto err;
-				memcpy(data+2,p,l);
-				l+=2;
+
+				if (l<6 || (l+2)>left) goto err;
+				if (type==IPPROTO_AH)
+				{
+					if (l>=1024 || ((l+2) & 3)) goto err;
+					memcpy(data+2,p,l);
+					l+=2;
+					data[1] = (l>>2)-2;
+				}
+				else
+				{
+					if (l>=2048 || ((l+2) & 7)) goto err;
+					memcpy(data+2,p,l);
+					l+=2;
+					data[1] = (l>>3)-1;
+				}
+
 				data[0] = next; // may be overwritten later
-				data[1] = (type==IPPROTO_AH) ? (l>>2)-2 : (l>>3)-1;
 				if (!preserve_next) *last_proto = type;
 				last_proto = data; // first byte of header holds type
 				left -= l; data += l; filled += l;
@@ -2014,7 +2031,7 @@ bool lua_reconstruct_iphdr(lua_State *L, int idx, struct ip *ip, size_t *len)

 	LUA_STACK_GUARD_ENTER(L)

-	if (*len<sizeof(struct ip) || lua_type(L,-1)!=LUA_TTABLE) return false;
+	if (*len<sizeof(struct ip) || lua_type(L,idx)!=LUA_TTABLE) return false;

 	ip->ip_v = IPVERSION;

@@ -2184,7 +2201,7 @@ err:
 }
 bool lua_reconstruct_tcphdr(lua_State *L, int idx, struct tcphdr *tcp, size_t *len)
 {
-	if (*len<sizeof(struct tcphdr) || lua_type(L,-1)!=LUA_TTABLE) return false;
+	if (*len<sizeof(struct tcphdr) || lua_type(L,idx)!=LUA_TTABLE) return false;

 	LUA_STACK_GUARD_ENTER(L)

@@ -2259,7 +2276,7 @@ static int luacall_reconstruct_tcphdr(lua_State *L)

 bool lua_reconstruct_udphdr(lua_State *L, int idx, struct udphdr *udp)
 {
-	if (lua_type(L,-1)!=LUA_TTABLE) return false;
+	if (lua_type(L,idx)!=LUA_TTABLE) return false;

 	LUA_STACK_GUARD_ENTER(L)

@@ -2303,7 +2320,7 @@ static int luacall_reconstruct_udphdr(lua_State *L)

 bool lua_reconstruct_icmphdr(lua_State *L, int idx, struct icmp46 *icmp)
 {
-	if (lua_type(L,-1)!=LUA_TTABLE) return false;
+	if (lua_type(L,idx)!=LUA_TTABLE) return false;

 	LUA_STACK_GUARD_ENTER(L)

@@ -3333,7 +3350,6 @@ static int luacall_tls_mod(lua_State *L)
 	int argc=lua_gettop(L);

 	size_t fake_tls_len;
-	bool bRes;
 	const uint8_t *fake_tls = (uint8_t*)lua_reqlstring(L,1,&fake_tls_len);
 	const char *modlist = lua_reqstring(L,2);

@@ -3353,8 +3369,10 @@ static int luacall_tls_mod(lua_State *L)
 		uint8_t *newtls = lua_newuserdata(L, maxlen);

 		memcpy(newtls, fake_tls, newlen);
-		bRes = TLSMod(&mod, payload, payload_len, newtls, &newlen, maxlen);
-		lua_pushlstring(L,(char*)newtls,newlen);
+		if (TLSMod(&mod, payload, payload_len, newtls, &newlen, maxlen))
+			lua_pushlstring(L,(char*)newtls,newlen);
+		else
+			lua_pushnil(L);

 		lua_remove(L,-2);
 	}
@@ -3362,11 +3380,9 @@ static int luacall_tls_mod(lua_State *L)
 	{
 		// no mod. push it back
 		lua_pushlstring(L,(char*)fake_tls,fake_tls_len);
-		bRes = true;
 	}
-	lua_pushboolean(L, bRes);

-	LUA_STACK_GUARD_RETURN(L,2)
+	LUA_STACK_GUARD_RETURN(L,1)
 }

 struct userdata_zs
@@ -3710,7 +3726,7 @@ static void lua_xtime(lua_State *L, struct tm *(*timefunc)(const time_t *,struct
 		lua_pushf_int(L,"isdst", t.tm_isdst);
 		lua_pushf_str(L,"zone", t.tm_zone);

-		char s[24];
+		char s[40];
 		snprintf(s,sizeof(s),"%02d.%02d.%04d %02d:%02d:%02d", t.tm_mday, t.tm_mon + 1, t.tm_year + 1900, t.tm_hour, t.tm_min, t.tm_sec);
 		lua_pushf_str(L,"str", s);
 	}
--- a/nfq2/nfqws.c
+++ b/nfq2/nfqws.c
@@ -43,6 +43,7 @@
 #endif

 #ifdef __linux__
+#include <sys/ioctl.h>
 #include <libnetfilter_queue/libnetfilter_queue.h>
 #define NF_DROP 0
 #define NF_ACCEPT 1
@@ -240,6 +241,13 @@ static int write_pidfile(FILE **Fpid)


 #ifdef __linux__
+
+struct nfq_cb_data
+{
+	uint8_t *mod;
+	int sock;
+};
+
 // cookie must point to mod buffer with size RECONSTRUCT_MAX_SIZE
 static int nfq_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_data *nfa, void *cookie)
 {
@@ -247,27 +255,32 @@ static int nfq_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_da
 	size_t len;
 	struct nfqnl_msg_packet_hdr *ph;
 	uint8_t *data;
-	uint32_t ifidx_out, ifidx_in;
-	char ifout[IFNAMSIZ], ifin[IFNAMSIZ];
 	size_t modlen;
-	uint8_t *mod = (uint8_t*)cookie;
+	struct nfq_cb_data *cbdata = (struct nfq_cb_data*)cookie;
 	uint32_t mark;
+	struct ifreq ifr_in, ifr_out;

-	ph = nfq_get_msg_packet_hdr(nfa);
-	id = ph ? ntohl(ph->packet_id) : 0;
+	if (!(ph = nfq_get_msg_packet_hdr(nfa))) return 0; // should not happen
+	id = ntohl(ph->packet_id);

 	mark = nfq_get_nfmark(nfa);
 	ilen = nfq_get_payload(nfa, &data);

-	ifidx_out = nfq_get_outdev(nfa);
-	*ifout = 0;
-	if (ifidx_out) if_indextoname(ifidx_out, ifout);
+	// if_indextoname creates socket, calls ioctl, closes socket
+	// code below prevents socket() and close() syscalls on every packet
+	// this saves CPU 5-10 times

-	ifidx_in = nfq_get_indev(nfa);
-	*ifin = 0;
-	if (ifidx_in) if_indextoname(ifidx_in, ifin);
+	*ifr_out.ifr_name = 0;
+	ifr_out.ifr_ifindex = nfq_get_outdev(nfa);
+	if (ifr_out.ifr_ifindex && ioctl(cbdata->sock, SIOCGIFNAME, &ifr_out)<0)
+		DLOG_PERROR("ioctl(SIOCGIFNAME)");

-	DLOG("\npacket: id=%d len=%d mark=%08X ifin=%s(%u) ifout=%s(%u)\n", id, ilen, mark, ifin, ifidx_in, ifout, ifidx_out);
+	*ifr_in.ifr_name = 0;
+	ifr_in.ifr_ifindex = nfq_get_indev(nfa);
+	if (ifr_in.ifr_ifindex && ioctl(cbdata->sock, SIOCGIFNAME, &ifr_in)<0)
+		DLOG_PERROR("ioctl(SIOCGIFNAME)");
+
+	DLOG("\npacket: id=%d len=%d mark=%08X ifin=%s(%u) ifout=%s(%u)\n", id, ilen, mark, ifr_in.ifr_name, ifr_in.ifr_ifindex, ifr_out.ifr_name, ifr_out.ifr_ifindex);

 	if (ilen >= 0)
 	{
@@ -277,12 +290,12 @@ static int nfq_cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg, struct nfq_da
 		// to support increased sizes use separate mod buffer
 		// this is not a problem because only LUA code can trigger VERDICT_MODIFY (and postnat workaround too, once a connection if first packet is dropped)
 		// in case of VERIDCT_MODIFY packet is always reconstructed from dissect, so no difference where to save the data => no performance loss
-		uint8_t verdict = processPacketData(&mark, ifin, ifout, data, len, mod, &modlen);
+		uint8_t verdict = processPacketData(&mark, ifr_in.ifr_name, ifr_out.ifr_name, data, len, cbdata->mod, &modlen);
 		switch (verdict & VERDICT_MASK)
 		{
 		case VERDICT_MODIFY:
 			DLOG("packet: id=%d pass modified. len %zu => %zu\n", id, len, modlen);
-			return nfq_set_verdict2(qh, id, NF_ACCEPT, mark, (uint32_t)modlen, mod);
+			return nfq_set_verdict2(qh, id, NF_ACCEPT, mark, (uint32_t)modlen, cbdata->mod);
 		case VERDICT_DROP:
 			DLOG("packet: id=%d drop\n", id);
 			return nfq_set_verdict2(qh, id, NF_DROP, mark, 0, NULL);
@@ -306,7 +319,7 @@ static void nfq_deinit(struct nfq_handle **h, struct nfq_q_handle **qh)
 		*h = NULL;
 	}
 }
-static bool nfq_init(struct nfq_handle **h, struct nfq_q_handle **qh, uint8_t *mod_buffer)
+static bool nfq_init(struct nfq_handle **h, struct nfq_q_handle **qh, struct nfq_cb_data *cbdata)
 {
 	nfq_deinit(h, qh);

@@ -343,7 +356,7 @@ static bool nfq_init(struct nfq_handle **h, struct nfq_q_handle **qh, uint8_t *m
 	}

 	DLOG_CONDUP("binding this socket to queue '%u'\n", params.qnum);
-	*qh = nfq_create_queue(*h, params.qnum, &nfq_cb, mod_buffer);
+	*qh = nfq_create_queue(*h, params.qnum, &nfq_cb, cbdata);
 	if (!*qh) {
 		DLOG_PERROR("nfq_create_queue()");
 		goto exiterr;
@@ -365,6 +378,12 @@ static bool nfq_init(struct nfq_handle **h, struct nfq_q_handle **qh, uint8_t *m
 		// dot not fail. not supported in old linuxes <3.6 
 	}

+	unsigned int rcvbuf = nfnl_rcvbufsiz(nfq_nfnlh(*h), Q_RCVBUF) / 2;
+	if (rcvbuf==Q_RCVBUF)
+		DLOG("set receive buffer size to %u\n", rcvbuf);
+	else
+		DLOG_CONDUP("could not set receive buffer size to %u. real size is %u\n", Q_RCVBUF, rcvbuf);
+
 	int yes = 1, fd = nfq_fd(*h);

 #if defined SOL_NETLINK && defined NETLINK_NO_ENOBUFS
@@ -387,6 +406,8 @@ static void notify_ready(void)
 #endif
 }

+// extra space for netlink headers
+#define NFQ_MAX_RECV_SIZE (RECONSTRUCT_MAX_SIZE+4096)
 static int nfq_main(void)
 {
 	struct nfq_handle *h = NULL;
@@ -395,6 +416,7 @@ static int nfq_main(void)
 	ssize_t rd;
 	FILE *Fpid = NULL;
 	uint8_t *buf=NULL, *mod=NULL;
+	struct nfq_cb_data cbdata = { .sock = -1, .mod = NULL };

 	if (*params.pidfile && !(Fpid = fopen(params.pidfile, "w")))
 	{
@@ -436,13 +458,19 @@ static int nfq_main(void)
 		goto exok;
 	}

-	if (!(buf = malloc(RECONSTRUCT_MAX_SIZE)) || !(mod = malloc(RECONSTRUCT_MAX_SIZE)))
+	if (!(buf = malloc(NFQ_MAX_RECV_SIZE)) || !(cbdata.mod = malloc(RECONSTRUCT_MAX_SIZE)))
 	{
 		DLOG_ERR("out of memory\n");
 		goto err;
 	}

-	if (!nfq_init(&h, &qh, mod))
+	if ((cbdata.sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
+	{
+		DLOG_PERROR("socket");
+		goto err;
+	}
+
+	if (!nfq_init(&h, &qh, &cbdata))
 		goto err;

 #ifdef HAS_FILTER_SSID
@@ -466,7 +494,7 @@ static int nfq_main(void)
 	do
 	{
 		if (bQuit) goto quit;
-		while ((rd = recv(fd, buf, RECONSTRUCT_MAX_SIZE, 0)) >= 0)
+		while ((rd = recv(fd, buf, NFQ_MAX_RECV_SIZE, 0)) >= 0)
 		{
 			if (!rd)
 			{
@@ -481,7 +509,7 @@ static int nfq_main(void)
 					DLOG_ERR("cannot get wlan info\n");
 #endif
 			int r = nfq_handle_packet(h, (char *)buf, (int)rd);
-			if (r) DLOG_ERR("nfq_handle_packet error %d\n", r);
+			if (r<0) DLOG_ERR("nfq_handle_packet result %d, errno %d : %s\n", r, errno, strerror(errno));
 			if (bQuit) goto quit;
 		}
 		if (errno==EINTR)
@@ -493,10 +521,18 @@ static int nfq_main(void)
 		// do not fail on ENOBUFS
 	} while (e == ENOBUFS);

+err:
+	res=1;
+	goto ex;
+
+quit:
+	DLOG_CONDUP("quit requested\n");
 exok:
 	res=0;
 ex:
-	free(mod);
+	if (Fpid) fclose(Fpid);
+	if (cbdata.sock>=0) close(cbdata.sock);
+	free(cbdata.mod);
 	free(buf);
 	nfq_deinit(&h, &qh);
 	lua_shutdown();
@@ -505,13 +541,6 @@ ex:
 #endif
 	rawsend_cleanup();
 	return res;
-err:
-	if (Fpid) fclose(Fpid);
-	res=1;
-	goto ex;
-quit:
-	DLOG_CONDUP("quit requested\n");
-	goto exok;
 }

 #elif defined(BSD)
@@ -641,6 +670,7 @@ static int dvt_main(void)
 				if (rd < 0)
 				{
 					DLOG_PERROR("recvfrom");
+					if (errno==ENOBUFS) continue;
 					goto exiterr;
 				}
 				else if (rd > 0)
@@ -1255,7 +1285,7 @@ struct func_list *parse_lua_call(char *opt, struct func_list_head *flist)
 	struct func_list *f = NULL;

 	if (!(name = item_name(&opt)))
-		return false;
+		return NULL;

 	if (!is_identifier(name) || !(f=funclist_add_tail(flist,name)))
 		goto err;
@@ -2508,7 +2538,7 @@ int main(int argc, char **argv)
 			}
 			break;
 		case IDX_HOSTLIST_AUTO_FAIL_THRESHOLD:
-			dp->hostlist_auto_fail_threshold = (uint8_t)atoi(optarg);
+			dp->hostlist_auto_fail_threshold = atoi(optarg);
 			if (dp->hostlist_auto_fail_threshold < 1 || dp->hostlist_auto_fail_threshold>20)
 			{
 				DLOG_ERR("auto hostlist fail threshold must be within 1..20\n");
@@ -2517,7 +2547,7 @@ int main(int argc, char **argv)
 			dp->b_hostlist_auto_fail_threshold = true;
 			break;
 		case IDX_HOSTLIST_AUTO_FAIL_TIME:
-			dp->hostlist_auto_fail_time = (uint8_t)atoi(optarg);
+			dp->hostlist_auto_fail_time = atoi(optarg);
 			if (dp->hostlist_auto_fail_time < 1)
 			{
 				DLOG_ERR("auto hostlist fail time is not valid\n");
@@ -2526,7 +2556,7 @@ int main(int argc, char **argv)
 			dp->b_hostlist_auto_fail_time = true;
 			break;
 		case IDX_HOSTLIST_AUTO_RETRANS_THRESHOLD:
-			dp->hostlist_auto_retrans_threshold = (uint8_t)atoi(optarg);
+			dp->hostlist_auto_retrans_threshold = atoi(optarg);
 			if (dp->hostlist_auto_retrans_threshold < 2 || dp->hostlist_auto_retrans_threshold>10)
 			{
 				DLOG_ERR("auto hostlist fail threshold must be within 2..10\n");
--- a/nfq2/packet_queue.c
+++ b/nfq2/packet_queue.c
@@ -26,7 +26,14 @@ void rawpacket_queue_destroy(struct rawpacket_tailhead *q)
 	while((rp = rawpacket_dequeue(q))) rawpacket_free(rp);
 }

-struct rawpacket *rawpacket_queue(struct rawpacket_tailhead *q,const struct sockaddr_storage* dst,uint32_t fwmark_orig,uint32_t fwmark,const char *ifin,const char *ifout,const void *data,size_t len,size_t len_payload,const t_ctrack_positions *tpos)
+struct rawpacket *rawpacket_queue(
+	struct rawpacket_tailhead *q,
+	const struct sockaddr_storage* dst,
+	uint32_t fwmark_orig,uint32_t fwmark,
+	const char *ifin,const char *ifout,
+	const void *data,size_t len,size_t len_payload,
+	const t_ctrack_positions *tpos,
+	bool server_side)
 {
 	struct rawpacket *rp = malloc(sizeof(struct rawpacket));
 	if (!rp) return NULL;
@@ -61,6 +68,7 @@ struct rawpacket *rawpacket_queue(struct rawpacket_tailhead *q,const struct sock
 	}
 	else
 		rp->tpos_present = false;
+	rp->server_side = server_side;
 	
 	TAILQ_INSERT_TAIL(q, rp, next);
 	
--- a/nfq2/packet_queue.h
+++ b/nfq2/packet_queue.h
@@ -18,6 +18,7 @@ struct rawpacket
 	uint8_t *packet;
 	t_ctrack_positions tpos;
 	bool tpos_present;
+	bool server_side;		// true = reasm of packets from the server side
 	TAILQ_ENTRY(rawpacket) next;
 };
 TAILQ_HEAD(rawpacket_tailhead, rawpacket);
@@ -26,6 +27,6 @@ void rawpacket_queue_init(struct rawpacket_tailhead *q);
 void rawpacket_queue_destroy(struct rawpacket_tailhead *q);
 bool rawpacket_queue_empty(const struct rawpacket_tailhead *q);
 unsigned int rawpacket_queue_count(const struct rawpacket_tailhead *q);
-struct rawpacket *rawpacket_queue(struct rawpacket_tailhead *q,const struct sockaddr_storage* dst,uint32_t fwmark_orig,uint32_t fwmark,const char *ifin,const char *ifout,const void *data,size_t len,size_t len_payload,const t_ctrack_positions *tpos);
+struct rawpacket *rawpacket_queue(struct rawpacket_tailhead *q,const struct sockaddr_storage* dst,uint32_t fwmark_orig,uint32_t fwmark,const char *ifin,const char *ifout,const void *data,size_t len,size_t len_payload,const t_ctrack_positions *tpos,bool server_side);
 struct rawpacket *rawpacket_dequeue(struct rawpacket_tailhead *q);
 void rawpacket_free(struct rawpacket *rp);
--- a/nfq2/params.c
+++ b/nfq2/params.c
@@ -116,7 +116,7 @@ static char log_buf[4096];
 static size_t log_buf_sz=0;
 static void syslog_log_function(int priority, const char *line)
 {
-	syslog(priority,"%s",log_buf);
+	syslog(priority,"%s",line);
 }

 static int DLOG_FILENAME(const char *filename, const char *format, ...)
@@ -130,7 +130,7 @@ static int DLOG_FILENAME(const char *filename, const char *format, ...)
 }
 static void file_log_function(int priority, const char *line)
 {
-	DLOG_FILENAME(params.debug_logfile,"%s",log_buf);
+	DLOG_FILENAME(params.debug_logfile,"%s",line);
 }

 #ifdef __ANDROID__
@@ -405,7 +405,7 @@ static struct desync_profile_list *desync_profile_entry_alloc()
 struct desync_profile_list *dp_list_add(struct desync_profile_list_head *head)
 {
 	struct desync_profile_list *entry = desync_profile_entry_alloc();
-	if (!entry) return false;
+	if (!entry) return NULL;

 	struct desync_profile_list *tail, *item;
 	LIST_TAIL(head, tail, item);
--- a/nfq2/params.h
+++ b/nfq2/params.h
@@ -23,7 +23,8 @@

 #define RAW_SNDBUF	(64*1024)	// in bytes

-#define Q_MAXLEN	1024		// in packets
+#define Q_MAXLEN	4096		// in packets
+#define Q_RCVBUF	(1024*1024)	// in bytes

 #define HOSTLIST_AUTO_FAIL_THRESHOLD_DEFAULT	3
 #define	HOSTLIST_AUTO_FAIL_TIME_DEFAULT 	60
--- a/nfq2/pools.c
+++ b/nfq2/pools.c
@@ -493,7 +493,6 @@ void kavl_bit_destroy(struct kavl_bit_elem **hdr)
 		if (!e)	break;
 		kavl_bit_destroy_elem(e);
 	}
-	free(*hdr);
 }
 struct kavl_bit_elem *kavl_bit_add(struct kavl_bit_elem **hdr, void *data, unsigned int bitlen, size_t struct_size)
 {
--- a/nfq2/protocol.c
+++ b/nfq2/protocol.c
@@ -248,7 +248,7 @@ void ResolveMultiPos(const uint8_t *data, size_t sz, t_l7payload l7payload, cons
 }


-static const char *http_methods[] = { "GET ","POST ","HEAD ","OPTIONS ","PUT ","DELETE ","CONNECT ","TRACE ",NULL };
+static const char *http_methods[] = { "GET ","POST ","HEAD ","OPTIONS ","PUT ","DELETE ","CONNECT ","TRACE ", "PATCH ", NULL };
 static const char *HttpMethod(const uint8_t *data, size_t len)
 {
 	const char **method;
@@ -331,7 +331,7 @@ bool IsHttpReply(const uint8_t *data, size_t len)
 		data[10]>='0' && data[10]<='9' &&
 		data[11]>='0' && data[11]<='9';
 }
-int HttpReplyCode(const uint8_t *data, size_t len)
+int HttpReplyCode(const uint8_t *data)
 {
 	return (data[9]-'0')*100 + (data[10]-'0')*10 + (data[11]-'0');
 }
@@ -370,7 +370,7 @@ bool HttpReplyLooksLikeDPIRedirect(const uint8_t *data, size_t len, const char *
 	
 	if (!host || !*host || !IsHttpReply(data, len)) return false;
 	
-	code = HttpReplyCode(data,len);
+	code = HttpReplyCode(data);
 	
 	if ((code!=302 && code!=307) || !HttpExtractHeader(data,len,"\nLocation:",loc,sizeof(loc))) return false;

@@ -565,7 +565,7 @@ bool TLSFindExtLenOffsetInHandshake(const uint8_t *data, size_t len, size_t *off
 }
 bool TLSFindExtLen(const uint8_t *data, size_t len, size_t *off)
 {
-	if (!TLSFindExtLenOffsetInHandshake(data+5,len-5,off))
+	if (len<5 || !TLSFindExtLenOffsetInHandshake(data+5,len-5,off))
 		return false;
 	*off+=5;
 	return true;
@@ -649,9 +649,11 @@ bool TLSAdvanceToHostInSNI(const uint8_t **ext, size_t *elen, size_t *slen)
 	// u8	data+2 - server name type. 0=host_name
 	// u16	data+3 - server name length
 	if (*elen < 5 || (*ext)[2] != 0) return false;
+	uint16_t nll = pntoh16(*ext);
 	*slen = pntoh16(*ext + 3);
+	if (nll<(*slen+3) || *slen > *elen-5) return false;
 	*ext += 5; *elen -= 5;
-	return *slen <= *elen;
+	return true;
 }
 static bool TLSExtractHostFromExt(const uint8_t *ext, size_t elen, char *host, size_t len_host)
 {
@@ -1252,6 +1254,13 @@ static int cmp_range64(const void * a, const void * b)
 {
 	return (((struct range64*)a)->offset < ((struct range64*)b)->offset) ? -1 : (((struct range64*)a)->offset > ((struct range64*)b)->offset) ? 1 : 0;
 }
+/*
+static bool intersected_u64(uint64_t l1, uint64_t r1, uint64_t l2, uint64_t r2)
+{
+	return l1 <= r2 && l2 <= r1;
+}
+*/
+
 bool QUICDefragCrypto(const uint8_t *clean,size_t clean_len, uint8_t *defrag,size_t *defrag_len, bool *bFull)
 {
 	// Crypto frame can be split into multiple chunks
@@ -1265,7 +1274,7 @@ bool QUICDefragCrypto(const uint8_t *clean,size_t clean_len, uint8_t *defrag,siz
 	uint64_t offset,sz,szmax=0,zeropos=0,pos=0;
 	bool found=false;
 	struct range64 ranges[MAX_DEFRAG_PIECES];
-	int i,range=0;
+	int i,j,range=0;

 	while(pos<clean_len)
 	{
@@ -1287,24 +1296,54 @@ bool QUICDefragCrypto(const uint8_t *clean,size_t clean_len, uint8_t *defrag,siz
 			if ((pos+sz)>clean_len) return false;

 			if ((offset+sz)>defrag_data_len) return false; // defrag buf overflow
+
+			// remove exact duplicates early to save cpu
+			for(i=0;i<range;i++)
+				if (ranges[i].offset==offset && ranges[i].len==sz)
+					goto skip_range;
+
 			if (zeropos < offset)
 				// make sure no uninitialized gaps exist in case of not full fragment coverage
 				memset(defrag_data+zeropos,0,offset-zeropos);
 			if ((offset+sz) > zeropos)
 				zeropos=offset+sz;
-			memcpy(defrag_data+offset,clean+pos,sz);
-			if ((offset+sz) > szmax) szmax = offset+sz;

 			found=true;
-			pos+=sz;
-
+			if ((offset+sz) > szmax) szmax = offset+sz;
+			memcpy(defrag_data+offset,clean+pos,sz);
 			ranges[range].offset = offset;
 			ranges[range].len = sz;
 			range++;
+skip_range:
+			pos+=sz;
 		}
 	}
 	if (found)
 	{
+		qsort(ranges, range, sizeof(*ranges), cmp_range64);
+
+//		for(i=0 ; i<range ; i++)
+//			printf("range1 %llu-%llu\n",ranges[i].offset,ranges[i].offset+ranges[i].len);
+
+		if (range>0)
+		{
+			for (j=0,i=1; i < range; i++)
+			{
+				uint64_t current_end = ranges[j].offset + ranges[j].len;
+				uint64_t next_start = ranges[i].offset;
+				uint64_t next_end = ranges[i].offset + ranges[i].len;
+
+				if (next_start <= current_end)
+					ranges[j].len = MAX(next_end,current_end) - ranges[j].offset;
+				else
+					ranges[++j] = ranges[i];
+			}
+			range = j+1;
+		}
+
+//		for(i=0 ; i<range ; i++)
+//			printf("range2 %llu-%llu\n",ranges[i].offset,ranges[i].offset+ranges[i].len);
+
 		defrag[0] = 6;
 		defrag[1] = 0; // offset
 		// 2..9 - length 64 bit
@@ -1313,21 +1352,7 @@ bool QUICDefragCrypto(const uint8_t *clean,size_t clean_len, uint8_t *defrag,siz
 		defrag[2] |= 0xC0; // 64 bit value
 		*defrag_len = (size_t)(szmax+10);

-		qsort(ranges, range, sizeof(*ranges), cmp_range64);
-
-		//for(i=0 ; i<range ; i++)
-		//	printf("RANGE %zu len %zu\n",ranges[i].offset,ranges[i].len);
-
-		for(i=0,offset=0,*bFull=true ; i<range ; i++)
-		{
-			if (ranges[i].offset!=offset)
-			{
-				*bFull = false;
-				break;
-			}
-			offset += ranges[i].len;
-		}
-
+		*bFull = range==1 && !ranges[0].offset;
 		//printf("bFull=%u\n",*bFull);
 	}
 	return found;
@@ -1337,14 +1362,12 @@ bool IsQUICInitial(const uint8_t *data, size_t len)
 {
 	// too small packets are not likely to be initials
 	// long header, fixed bit
-	if (len < 128 || (data[0] & 0xF0)!=0xC0) return false;
+	if (len < 128) return false;

 	uint32_t ver = QUICExtractVersion(data,len);
 	if (QUICDraftVersion(ver) < 11) return false;

-	// quic v1 : initial packets are 00b
-	// quic v2 : initial packets are 01b
-	if ((data[0] & 0x30) != (is_quic_v2(ver) ? 0x10 : 0x00)) return false;
+	if ((data[0] & 0xF0) != (is_quic_v2(ver) ? 0xD0 : 0xC0)) return false;

 	uint64_t offset=5, sz, sz2;

@@ -1352,6 +1375,8 @@ bool IsQUICInitial(const uint8_t *data, size_t len)
 	if (data[offset] > QUIC_MAX_CID_LENGTH) return false;
 	offset += 1 + data[offset];

+	if (offset>=len) return false;
+
 	// SCID
 	if (data[offset] > QUIC_MAX_CID_LENGTH) return false;
 	offset += 1 + data[offset];
@@ -1447,7 +1472,7 @@ bool IsStunMessage(const uint8_t *data, size_t len)
 		(data[0]&0xC0)==0 && // 2 most significant bits must be zeroes
 		(data[3]&3)==0 && // length must be a multiple of 4
 		pntoh32(data+4)==0x2112A442 && // magic cookie
-		pntoh16(data+2)==(len-20);
+		pntoh16(data+2)<=(len-20);
 }
 #if defined(__GNUC__) && !defined(__llvm__)
 __attribute__((optimize ("no-strict-aliasing")))
@@ -1462,7 +1487,7 @@ bool IsMTProto(const uint8_t *data, size_t len)
 		return !memcmp(decrypt+56,"\xEF\xEF\xEF\xEF",4);
 */
 		// this way requires only one AES instead of 4
-		uint8_t decrypt[16] __attribute__((aligned)), iv[16];
+		uint8_t decrypt[16] __attribute__((aligned(16))), iv[16] __attribute__((aligned(16)));
 		aes_context ctx;

 		memcpy(iv, data+40, 16);
--- a/nfq2/protocol.h
+++ b/nfq2/protocol.h
@@ -104,7 +104,7 @@ bool HttpExtractHeader(const uint8_t *data, size_t len, const char *header, char
 bool HttpExtractHost(const uint8_t *data, size_t len, char *host, size_t len_host);
 bool IsHttpReply(const uint8_t *data, size_t len);
 // must be pre-checked by IsHttpReply
-int HttpReplyCode(const uint8_t *data, size_t len);
+int HttpReplyCode(const uint8_t *data);
 // must be pre-checked by IsHttpReply
 bool HttpReplyLooksLikeDPIRedirect(const uint8_t *data, size_t len, const char *host);

--- a/nfq2/sec.h
+++ b/nfq2/sec.h
@@ -95,6 +95,10 @@ bool dropcaps(void);

 # define ARCH_NR AUDIT_ARCH_LOONGARCH64

+#elif defined(__e2k__)
+
+# define ARCH_NR	AUDIT_ARCH_E2K
+
 #else

 # error "Platform does not support seccomp filter yet"
--- a/nfq2/win.c
+++ b/nfq2/win.c
@@ -28,12 +28,6 @@ bool service_run(int argc, char *argv[])
 	return StartServiceCtrlDispatcherA(ServiceTable);
 }

-static void service_set_status(DWORD state)
-{
-	ServiceStatus.dwCurrentState = state;
-	SetServiceStatus(hStatus, &ServiceStatus);
-}
-
 // Control handler function
 void service_controlhandler(DWORD request)
 {
--- a/nfq2/win.h
+++ b/nfq2/win.h
@@ -4,6 +4,6 @@

 #include <stdbool.h>

-bool service_run();
+bool service_run(int argc, char *argv[]);

 #endif
--- a/nfq2/windows/res/winws_res32.o
+++ b/nfq2/windows/res/winws_res32.o
--- a/nfq2/windows/res/winws_res64.o
+++ b/nfq2/windows/res/winws_res64.o
Author	SHA1	Message	Date
bol-van	7cdc75d0db	github: remove sdiv crash on old armv7	2026-03-12 20:51:57 +03:00
bol-van	348f907b47	winws2: remove .buildid section	2026-03-12 17:40:11 +03:00
bol-van	d641b00083	winws2: update res bins	2026-03-12 17:31:02 +03:00
bol-van	d3b3011000	AI fixes	2026-03-06 21:36:09 +03:00
bol-van	2ec512af17	AI fixes	2026-03-06 10:58:05 +03:00
bol-van	d41151ef6f	nfqws2: join fragments in quic CRYPTO reconstruction. allow intersections	2026-03-05 18:38:44 +03:00
bol-van	60ac3693fc	nfqws2: optimize quic CRYPTO defrag	2026-03-05 09:41:41 +03:00
bol-van	766b60544f	nfqws2: remove unused var	2026-03-04 22:50:31 +03:00
bol-van	e563f60153	AI fixes	2026-03-04 22:36:31 +03:00
bol-van	6d7f8efc49	nfqws2: optimize quic CRYPTO defrag	2026-03-04 19:33:49 +03:00
bol-van	e46cde8e6e	nfqws2: optimize	2026-03-04 18:58:39 +03:00
bol-van	52072359f0	nfqws2: remove unneeded function	2026-03-04 18:54:38 +03:00
bol-van	cafacf35bc	nfqws2: quic CRYPTO frag early dedup	2026-03-04 18:52:47 +03:00
bol-van	55dc47bae4	nfqws2: remove unneeded loop	2026-03-04 14:16:19 +03:00
bol-van	14a2548bf5	nfqws2: allow quic CRYPTO fragment intersection and dups	2026-03-04 12:31:40 +03:00
bol-van	f59ddbb645	github,linux-builder: revert to lj_alloc for arm64 and mips64	2026-03-03 19:25:33 +03:00
bol-van	96f58adc7a	docs	2026-03-03 10:53:05 +03:00
bol-van	b20ee9adbe	zapret-lib: prevent double apply_arg_prefix	2026-03-03 10:49:55 +03:00
bol-van	7bfb4066cd	update docs	2026-03-02 20:24:45 +03:00
bol-van	a8a742f48c	zapret-lib: call apply_arg_prefix right before instance execute	2026-03-02 20:21:38 +03:00
bol-van	03f1fc4788	init.d: warn if ipset/hostlist files inside zapret2 root	2026-03-02 14:18:57 +03:00
bol-van	3ae875f8aa	AI fixes	2026-03-02 10:44:48 +03:00
bol-van	300084a654	github.linux-builder: move arm to armv6	2026-03-01 20:22:02 +03:00
bol-van	ccef4377df	github: use thumb in android armv7 build	2026-03-01 18:30:54 +03:00
bol-van	3ebb24930e	-DLUAJIT_USE_SYSMALLOC	2026-03-01 10:22:19 +03:00
bol-van	aff6fe3966	-DLUAJIT_USE_SYSMALLOC	2026-03-01 10:18:35 +03:00
bol-van	f43030c0b8	AI fix	2026-03-01 09:53:55 +03:00
bol-van	69e8bb3c7f	AI fixes	2026-03-01 09:48:18 +03:00
bol-van	038f64ddad	update docs	2026-02-28 22:30:08 +03:00
bol-van	abdf88574c	github: build experiment	2026-02-28 22:25:47 +03:00
bol-van	318c625247	update builder-linux	2026-02-28 22:23:13 +03:00
bol-van	3e52d53df0	update builder-linux	2026-02-28 19:14:45 +03:00
bol-van	410ba5ae6e	github: build experiment	2026-02-28 19:02:11 +03:00
bol-van	bee761f0f7	github: build experiment	2026-02-28 18:53:51 +03:00
bol-van	863267e659	github: build experiment	2026-02-28 18:47:25 +03:00
bol-van	c0299a27e3	github: build experiment	2026-02-28 18:43:24 +03:00
bol-van	b9e22fd97e	github: luajit host CFLAGS -O2	2026-02-28 18:41:18 +03:00
bol-van	b3a6445d13	update builder-linux	2026-02-28 18:40:51 +03:00
bol-van	75e3c83d07	github: armv7 thumb	2026-02-28 18:33:56 +03:00
bol-van	1aaf73858c	builder-linux armv7 thumb	2026-02-28 18:29:28 +03:00
bol-van	827b1cf065	AI fixes	2026-02-28 10:10:26 +03:00
bol-van	e0f67fb203	AI fixes	2026-02-27 14:34:35 +03:00
bol-van	da6f4c8536	init.d: remove KillMode=none from systemd unit	2026-02-26 22:05:29 +03:00
bol-van	f83ecb64bb	pie experiment	2026-02-26 21:23:53 +03:00
bol-van	c634fd156c	update builder-linux	2026-02-26 20:03:50 +03:00
bol-van	c10cc5b83e	update builder-linux	2026-02-26 18:46:19 +03:00
bol-van	60988755b7	update builder-linux	2026-02-26 18:41:36 +03:00
bol-van	7584d5e38f	update makefiles	2026-02-26 16:44:58 +03:00
bol-van	d019627fba	nfqws2: e2k arch seccomp support	2026-02-26 16:34:47 +03:00
bol-van	1ac067ec32	nfqws2: separate strip option	2026-02-26 15:09:29 +03:00
bol-van	1b5811aa9a	nfqws2: silence warning	2026-02-26 11:01:13 +03:00
bol-van	60c3f56c36	pie experiment	2026-02-26 10:53:35 +03:00
bol-van	a0cfbbf958	pie experiment	2026-02-26 10:46:59 +03:00
bol-van	437c988f48	pie experiment	2026-02-26 10:43:45 +03:00
bol-van	a9a64b0462	pie experiment	2026-02-26 10:37:15 +03:00
bol-van	9887e470dc	update builder-linux	2026-02-26 10:35:31 +03:00
bol-van	5bacfcb65f	pie experiment	2026-02-26 10:28:58 +03:00
bol-van	0f04698f07	pie experiment	2026-02-26 10:21:23 +03:00
bol-van	31d5e5598b	pie experiment	2026-02-26 10:19:24 +03:00
bol-van	66e2cc2bc4	pie experiment	2026-02-26 10:10:28 +03:00
bol-van	8fcc64ad0c	pie experiment	2026-02-26 09:47:25 +03:00
bol-van	d2f3271542	dvtws2: build with PIE	2026-02-25 17:34:36 +03:00
bol-van	942c4956b8	github: rebase windivert.dll to >4gb to allow hi entropy aslr	2026-02-25 14:33:38 +03:00
bol-van	77a24a7ec1	github: set dynamicbase on windivert.dll	2026-02-25 12:22:28 +03:00
bol-van	43999d6077	winws2: enable ASLR	2026-02-25 10:49:07 +03:00
bol-van	697f9fc986	AI fixes	2026-02-25 08:56:35 +03:00
bol-van	8e76197dff	luacheck fixes	2026-02-24 19:07:04 +03:00
bol-van	190f46b6d7	zapret-lib: minor fix	2026-02-24 18:43:49 +03:00
bol-van	41e26b3ace	update docs	2026-02-24 16:32:21 +03:00
bol-van	8b6ea88a23	update docs	2026-02-24 10:19:01 +03:00
bol-van	59235827c4	nfqws2: fix broken wifi ssid update	2026-02-24 10:10:52 +03:00
bol-van	7073e1fd77	nfqws2: dns_extract_name OOB fixes	2026-02-23 22:47:14 +03:00
bol-van	340261da72	zapret-lib: harden apply_fooling checks	2026-02-23 19:33:58 +03:00
bol-van	937aa91e5d	nfqws2: prevent OOB read in addpool	2026-02-23 18:45:25 +03:00
bol-van	dbf673e24a	AI fixes	2026-02-23 18:10:37 +03:00
bol-van	61b0a70fa7	nfqws2: support mixed compressed+uncomressed DNS answers	2026-02-23 10:25:27 +03:00
bol-van	d985bb316f	nfqws2: support uncompressed names in DNS answers	2026-02-23 09:32:45 +03:00
bol-van	59b3734643	nfqws2: add comment	2026-02-22 19:41:08 +03:00
bol-van	37f45a132f	nfqws2: optimize	2026-02-22 18:49:44 +03:00
bol-van	4d753ecdc6	nfqws2: save some syscalls	2026-02-22 18:22:43 +03:00
bol-van	272f086639	nfqws2: optimize nfq buffers	2026-02-22 17:31:13 +03:00
bol-van	d9ae16e56f	nfqws2: nfq_handle_packet verbose error logging	2026-02-22 17:03:52 +03:00
bol-van	46d4208c76	zapret-pcap: use reconstruct_dissect if under orchestrator	2026-02-22 12:48:20 +03:00
bol-van	2a4195070f	AI fixes	2026-02-22 09:06:53 +03:00
bol-van	8e974e78e2	delete sip.bin dup	2026-02-21 19:44:00 +03:00
bol-van	7df42bc486	init.d: --payload= in custom examples	2026-02-21 10:35:14 +03:00
bol-van	7c12f60e1e	AI fixes	2026-02-21 10:23:25 +03:00
bol-van	4c7a3d08d8	github: upx 4.2.4 for all except riscv64	2026-02-20 18:43:22 +03:00
bol-van	e146fc24c5	github: upx 4.2.4 for all except riscv64	2026-02-20 18:41:18 +03:00
bol-van	6165c13468	AI fix	2026-02-20 15:25:56 +03:00
bol-van	f7b3946ec2	update docs	2026-02-20 13:19:17 +03:00
bol-van	9f29f2c0ae	update docs	2026-02-20 13:12:08 +03:00
bol-van	c13284b776	zapret-auto: per_instance_condition feed target desync to cond function, code=>cond_code	2026-02-20 07:18:31 +03:00
bol-van	6e85c9650d	nfqws2: use tcp seq for reasm_offset	2026-02-19 17:38:46 +03:00
bol-van	7f3b5f659f	update docs	2026-02-19 13:00:57 +03:00
bol-van	8e62b2e743	update docs	2026-02-19 12:57:50 +03:00
bol-van	94dfd5fded	quic2_example_com.bin	2026-02-19 10:26:42 +03:00
bol-van	70d8e5ad15	AI fixes	2026-02-19 10:05:50 +03:00
bol-van	a80aed5ccc	update builder-linux	2026-02-18 17:28:03 +03:00
bol-van	2b35dc8ecd	update builder-linux	2026-02-18 16:31:01 +03:00
bol-van	75fadab371	update builder-linux	2026-02-18 16:16:58 +03:00
bol-van	e70f4a000a	update builder-linux	2026-02-18 16:08:19 +03:00
bol-van	755c792797	github: luajit for ppc	2026-02-18 15:37:08 +03:00
bol-van	b17894eec1	nfqws2: goto lua desync if reasm is cancelled	2026-02-18 15:28:30 +03:00
bol-van	9e22ec883c	update builder-linux	2026-02-18 12:42:11 +03:00
bol-van	f70fb89754	AI fixes, update builder-linux	2026-02-18 12:15:46 +03:00
bol-van	e30f99e106	update docs	2026-02-18 10:46:10 +03:00
bol-van	fce76e59aa	build-linux update	2026-02-18 10:28:36 +03:00
bol-van	1b1c8ddb38	nfqws2, zapret-lib: always treat blobs, % and # as string	2026-02-17 19:22:17 +03:00
bol-van	5ced6811c8	winws: fix ensure_access for unix paths	2026-02-17 16:27:06 +03:00
bol-van	371612b000	install_bin: add mipsel64	2026-02-17 14:24:43 +03:00