update docs

2026-03-15 22:46:09 +00:00 · 2025-12-21 21:56:00 +03:00 · 2025-12-21 21:52:42 +03:00 · 2025-12-21 21:45:18 +03:00 · 2025-12-21 21:42:31 +03:00 · 2025-12-21 21:38:51 +03:00
56 changed files with 7200 additions and 1133 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -26,6 +26,8 @@ jobs:
            tool: aarch64-unknown-linux-musl
          - arch: arm
            tool: arm-unknown-linux-musleabi
+          - arch: arm-old
+            tool: arm-unknown-linux-musleabi
          # - arch: armhf
          #   tool: arm-unknown-linux-musleabihf
          # - arch: armv7
@@ -108,7 +110,7 @@ jobs:
          export PKG_CONFIG_PATH=$DEPS_DIR/lib/pkgconfig
          export STAGING_DIR=$RUNNER_TEMP

-          if [[ "$ARCH" == lexra ]] || [[ "$ARCH" == ppc ]]; then
+          if [[ "$ARCH" == lexra ]] || [[ "$ARCH" == ppc ]] || [[ "$ARCH" == x86 ]] || [[ "$ARCH" == arm-old ]]; then
            # use classic lua
            wget -qO- https://www.lua.org/ftp/lua-${LUA_RELEASE}.tar.gz | tar -xz
            (
@@ -527,6 +529,7 @@ jobs:
                *-android-x86_64 )      run_dir android-x86_64 ;;
                *-freebsd-x86_64 )      run_dir freebsd-x86_64 ;;
                *-linux-arm )           run_dir linux-arm ;;
+                *-linux-arm-old )       run_dir linux-arm-old ;;
                *-linux-arm64 )         run_dir linux-arm64 ;;
                *-linux-mips64 )        run_dir linux-mips64 ;;
                *-linux-mipselsf )      run_dir linux-mipsel ;;
--- a/blockcheck2.d/standard/20-multi.sh
+++ b/blockcheck2.d/standard/20-multi.sh
@@ -5,10 +5,10 @@ pktws_simple_split_tests()
 	# $3 - splits
 	# $4 - PRE args for nfqws2
 	local pos ok ok_any pre="$4"
-	local splitf splitfs="multisplit multidisorder"
+	local splitf splitfs="multisplit $MULTIDISORDER"

 	ok_any=0
-	for splitf in multisplit multidisorder; do
+	for splitf in $splitfs; do
 		eval need_$splitf=0
 		ok=0
 		for pos in $3; do
@@ -38,7 +38,7 @@ pktws_check_https_tls()
 	# $1 - test function
 	# $2 - domain
 	# $3 - PRE args for nfqws2
-	local splits_tls='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
+	local splits_tls='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,midsld,1220 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
 	local PAYLOAD="--payload tls_client_hello"

 	[ "$NOTEST_MULTI_HTTPS" = 1 ] && { echo "SKIPPED"; return; }
--- a/blockcheck2.d/standard/23-seqovl.sh
+++ b/blockcheck2.d/standard/23-seqovl.sh
@@ -24,8 +24,8 @@ pktws_check_http()
 	for split in 'method+1 method+2' 'midsld-1 midsld' 'method+1 method+2,midsld'; do
 		f="$(extract_arg 1 $split)"
 		f2="$(extract_arg 2 $split)"
-		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=multidisorder:pos=$f2:seqovl=$f
-		pktws_curl_test_update $1 $2 ${SEQOVL_PATTERN_HTTP:+--blob=$pat:@"$SEQOVL_PATTERN_HTTP" }$PAYLOAD --lua-desync=multidisorder:pos=$f2:seqovl=$f:seqovl_pattern=$pat
+		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=$MULTIDISORDER:pos=$f2:seqovl=$f
+		pktws_curl_test_update $1 $2 ${SEQOVL_PATTERN_HTTP:+--blob=$pat:@"$SEQOVL_PATTERN_HTTP" }$PAYLOAD --lua-desync=$MULTIDISORDER:pos=$f2:seqovl=$f:seqovl_pattern=$pat
 	done
 }

@@ -60,8 +60,8 @@ pktws_seqovl_tests_tls()
 	for split in '1 2' 'sniext sniext+1' 'sniext+3 sniext+4' 'midsld-1 midsld' '1 2,midsld'; do
 		f="$(extract_arg 1 $split)"
 		f2="$(extract_arg 2 $split)"
-		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=multidisorder:pos=$f2:seqovl=$f && ok=1
-		pktws_curl_test_update $testf $domain ${SEQOVL_PATTERN_HTTPS:+--blob=$pat:@"$SEQOVL_PATTERN_HTTPS" }$rnd_mod $pre $PAYLOAD --lua-desync=multidisorder:pos=$f2:seqovl=$f:seqovl_pattern=$pat && ok=1
+		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=$MULTIDISORDER:pos=$f2:seqovl=$f && ok=1
+		pktws_curl_test_update $testf $domain ${SEQOVL_PATTERN_HTTPS:+--blob=$pat:@"$SEQOVL_PATTERN_HTTPS" }$rnd_mod $pre $PAYLOAD --lua-desync=$MULTIDISORDER:pos=$f2:seqovl=$f:seqovl_pattern=$pat && ok=1
 	done
 	[ "$ok" = 1 ] && ok_any=1
 	[ "$ok_any" = 1 ]
--- a/blockcheck2.d/standard/24-syndata.sh
+++ b/blockcheck2.d/standard/24-syndata.sh
@@ -0,0 +1,49 @@
+. "$TESTDIR/def.inc"
+
+pktws_check_http()
+{
+	# $1 - test function
+	# $2 - domain
+
+	local PAYLOAD="--payload http_req" split
+
+	for split in '' multisplit $MULTIDISORDER; do
+		pktws_curl_test_update "$1" "$2" --lua-desync=syndata ${split:+$PAYLOAD --lua-desync=$split}
+		pktws_curl_test_update "$1" "$2" --lua-desync=syndata:blob=fake_default_http $PAYLOAD ${split:+$PAYLOAD --lua-desync=$split}
+	done
+}
+
+pktws_check_https_tls()
+{
+	# $1 - test function
+	# $2 - domain
+	# $3 - PRE args for nfqws2
+
+	local PAYLOAD="--payload tls_client_hello" ok=0 pre="$3" split
+
+	for split in '' multisplit $MULTIDISORDER; do
+		pktws_curl_test_update "$1" "$2" $pre --lua-desync=syndata ${split:+$PAYLOAD --lua-desync=$split} && ok=1
+		pktws_curl_test_update "$1" "$2" $pre --lua-desync=syndata:blob=0x1603 ${split:+$PAYLOAD --lua-desync=$split} && ok=1
+		pktws_curl_test_update "$1" "$2" $pre --lua-desync=syndata:blob=fake_default_tls:tls_mod=rnd,dupsid,rndsni ${split:+$PAYLOAD --lua-desync=$split} && ok=1
+		pktws_curl_test_update "$1" "$2" $pre --lua-desync=syndata:blob=fake_default_tls:tls_mod=rnd,dupsid,sni=google.com ${split:+$PAYLOAD --lua-desync=$split} && ok=1
+	done
+
+	[ "$ok" = 1 ]
+}
+
+pktws_check_https_tls12()
+{
+	# $1 - test function
+	# $2 - domain
+
+	pktws_check_https_tls "$1" "$2" && [ "$SCANLEVEL" != force ] && return
+	pktws_check_https_tls "$1" "$2" --lua-desync=wssize:wsize=1:scale=6
+}
+
+pktws_check_https_tls13()
+{
+	# $1 - test function
+	# $2 - domain
+
+	pktws_check_https_tls "$1" "$2"
+}
--- a/blockcheck2.d/standard/50-fake-multi.sh
+++ b/blockcheck2.d/standard/50-fake-multi.sh
@@ -22,7 +22,7 @@ pktws_check_http()
 	# do not test fake + multisplit if multisplit works
 	[ "$need_multisplit" = 0 -a "$SCANLEVEL" != force ] || splitfs=multisplit
 	# do not test fake + multidisorder if multidisorder works
-	[ "$need_multidisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }multidisorder"
+	[ "$need_multidisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }$MULTIDISORDER"

 	for splitf in $splitfs; do
 		ok=0
@@ -95,7 +95,7 @@ pktws_check_https_tls()
 	[ "$NOTEST_FAKE_MULTI_HTTPS" = 1 ] && { echo "SKIPPED"; return 0; }

 	local testf=$1 domain="$2" pre="$3"
-	local ok ok_any ttls attls f fake fooling splitf splitfs= split splits='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
+	local ok ok_any ttls attls f fake fooling splitf splitfs= split splits='2 1 sniext+1 sniext+4 host+1 midsld 1,midsld 1,midsld,1220 1,sniext+1,host+1,midsld-2,midsld,midsld+2,endhost-1'
 	local PAYLOAD="--payload=tls_client_hello"

 	shift; shift
@@ -112,7 +112,7 @@ pktws_check_https_tls()
 	# do not test fake + multisplit if multisplit works
 	[ "$need_multisplit" = 0 -a "$SCANLEVEL" != force ] || splitfs=multisplit
 	# do not test fake + multidisorder if multidisorder works
-	[ "$need_multidisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }multidisorder"
+	[ "$need_multidisorder" = 0 -a "$SCANLEVEL" != force ] || splitfs="${splitfs:+$splitfs }$MULTIDISORDER"

 	ok_any=0
 	for splitf in $splitfs; do
--- a/blockcheck2.d/standard/90-quic.sh
+++ b/blockcheck2.d/standard/90-quic.sh
@@ -1,3 +1,5 @@
+. "$TESTDIR/def.inc"
+
 pktws_check_http3()
 {
 	# $1 - test function
@@ -5,7 +7,7 @@ pktws_check_http3()

 	[ "$NOTEST_QUIC" = 1 ] && { echo "SKIPPED"; return; }

-	local repeats fake pos
+	local repeats fake pos fool
 	local PAYLOAD="--payload quic_initial"

 	if [ -n "$FAKE_QUIC" ]; then
@@ -18,6 +20,12 @@ pktws_check_http3()
 		pktws_curl_test_update $1 $2 ${FAKE_QUIC:+--blob=$fake:@"$FAKE_QUIC" }$PAYLOAD --lua-desync=fake:blob=$fake:repeats=$repeats && [ "$SCANLEVEL" != force ] && break
 	done

+	[ "$IPV" = 6 ] && {
+		for fool in ip6_hopbyhop ip6_destopt ip6_hopbyhop:ip6_destopt; do
+			pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=send:$fool --lua-desync=drop
+		done
+	}
+
 	for pos in 8 16 32 64; do
 		pktws_curl_test_update $1 $2 $PAYLOAD --lua-desync=send:ipfrag:ipfrag_pos_udp=$pos --lua-desync=drop && [ "$SCANLEVEL" != force ] && break
 	done
--- a/blockcheck2.d/standard/def.inc
+++ b/blockcheck2.d/standard/def.inc
@@ -2,6 +2,16 @@ FOOLINGS46_TCP=${FOOLINGS46_TCP:-"tcp_md5 badsum tcp_seq=-3000 tcp_seq=1000000 t
 FOOLINGS6_TCP=${FOOLINGS6_TCP:-"ip6_hopbyhop ip6_hopbyhop:ip6_hopbyhop2 ip6_destopt ip6_routing ip6_ah"}
 FOOLINGS_TCP="$FOOLINGS46_TCP"
 [ "$IPV" = 6 ] && FOOLINGS_TCP="$FOOLINGS_TCP $FOOLINGS6_TCP"
-FOOLINGS_UDP="badsum"
+FOOLINGS6_UDP="${FOOLINGS6_UDP:-$FOOLINGS6_TCP}"
+FOOLINGS_UDP="${FOOLINGS_UDP:-badsum}"
+[ "$IPV" = 6 ] && FOOLINGS_UDP="$FOOLINGS_UDP $FOOLINGS6_UDP"

 FAKE_REPEATS=${FAKE_REPEATS:-1}
+
+MIN_TTL=${MIN_TTL:-1}
+MAX_TTL=${MAX_TTL:-12}
+MIN_AUTOTTL_DELTA=${MIN_AUTOTTL_DELTA:-1}
+MAX_AUTOTTL_DELTA=${MAX_AUTOTTL_DELTA:-5}
+
+# can use MULTIDISORER=multidisorder_legacy
+MULTIDISORDER=${MULTIDISORDER:-multidisorder}
--- a/blockcheck2.sh
+++ b/blockcheck2.sh
@@ -26,7 +26,7 @@ CURL=${CURL:-curl}

 TEST_DEFAULT=${TEST_DEFAULT:-standard}
 DOMAINS_DEFAULT=${DOMAINS_DEFAULT:-rutracker.org}
-QNUM=${QNUM:-59780}
+QNUM=${QNUM:-59781}
 SOCKS_PORT=${SOCKS_PORT:-1993}
 WS_UID=${WS_UID:-1}
 WS_GID=${WS_GID:-3003}
@@ -40,10 +40,6 @@ IPFW_DIVERT_PORT=${IPFW_DIVERT_PORT:-59780}
 CURL_MAX_TIME=${CURL_MAX_TIME:-2}
 CURL_MAX_TIME_QUIC=${CURL_MAX_TIME_QUIC:-$CURL_MAX_TIME}
 CURL_MAX_TIME_DOH=${CURL_MAX_TIME_DOH:-2}
-MIN_TTL=${MIN_TTL:-1}
-MAX_TTL=${MAX_TTL:-12}
-MIN_AUTOTTL_DELTA=${MIN_AUTOTTL_DELTA:-1}
-MAX_AUTOTTL_DELTA=${MAX_AUTOTTL_DELTA:-5}
 USER_AGENT=${USER_AGENT:-Mozilla}
 HTTP_PORT=${HTTP_PORT:-80}
 HTTPS_PORT=${HTTPS_PORT:-443}
@@ -275,44 +271,45 @@ mdig_cache()
 mdig_resolve()
 {
 	# $1 - ip version 4/6
-	# $2 - hostname, possibly with uri : rutracker.org/xxx/xxxx
-	local hostvar cachevar countvar count ip n sdom
+	# $2 - var to receive result
+	# $3 - hostname, possibly with uri : rutracker.org/xxx/xxxx
+	local hostvar cachevar countvar count n sdom

-	split_by_separator "$2" / sdom
+	split_by_separator "$3" / sdom
 	mdig_vars "$1" "$sdom"
 	if [ -n "$count" ]; then
 		n=$(random 0 $(($count-1)))
-		eval ip=\$${cachevar}_$n
-		echo $ip
+		eval $2=\$${cachevar}_$n
 		return 0
 	else
-		mdig_cache "$1" "$sdom" && mdig_resolve "$1" "$sdom"
+		mdig_cache "$1" "$sdom" && mdig_resolve "$1" "$2" "$sdom"
 	fi
 }
 mdig_resolve_all()
 {
 	# $1 - ip version 4/6
-	# $2 - hostname
+	# $2 - var to receive result
+	# $3 - hostname

-	local hostvar cachevar countvar count ip ips n sdom
+	local hostvar cachevar countvar count ip__ ips__ n sdom

-	split_by_separator "$2" / sdom
+	split_by_separator "$3" / sdom
 	mdig_vars "$1" "$sdom"
 	if [ -n "$count" ]; then
 		n=0
 		while [ "$n" -le $count ]; do
-			eval ip=\$${cachevar}_$n
-			if [ -n "$ips" ]; then
-				ips="$ips $ip"
+			eval ip__=\$${cachevar}_$n
+			if [ -n "$ips__" ]; then
+				ips__="$ips__ $ip__"
 			else
-				ips="$ip"
+				ips__="$ip__"
 			fi
 			n=$(($n + 1))
 		done
-		echo "$ips"
+		eval $2="\$ips__"
 		return 0
 	else
-		mdig_cache "$1" "$sdom" && mdig_resolve_all "$1" "$sdom"
+		mdig_cache "$1" "$sdom" && mdig_resolve_all "$1" "$2" "$sdom"
 	fi
 }

@@ -640,7 +637,7 @@ curl_with_dig()
 	local sdom suri ip

 	split_by_separator "$dom" / sdom suri
-	ip=$(mdig_resolve $1 $sdom)
+	mdig_resolve $1 ip $sdom
 	shift ; shift ; shift
 	if [ -n "$ip" ]; then
 		curl_with_subst_ip "$sdom" "$port" "$ip" "$@"
@@ -965,7 +962,7 @@ check_domain_port_block()
 	echo
 	echo \* port block tests ipv$IPV $1:$2
 	if netcat_setup; then
-		ips=$(mdig_resolve_all $IPV $1)
+		mdig_resolve_all $IPV ips $1
 		if [ -n "$ips" ]; then
 			for ip in $ips; do
 				if netcat_test $ip $2; then
@@ -1198,8 +1195,8 @@ test_runner()
 				[ -f "$script" ] || continue
 				unset -f $FUNC
 				. "$script"
-				echo
 				existf $FUNC && {
+					echo
 					echo "* script : $TEST/$(basename "$script")"
 					$FUNC "$@"
 				}
@@ -1254,7 +1251,7 @@ check_dpi_ip_block()

 	echo "> testing $UNBLOCKED_DOM on it's original ip"
 	if curl_test $1 $UNBLOCKED_DOM; then
-		unblocked_ip=$(mdig_resolve $IPV $UNBLOCKED_DOM)
+		mdig_resolve $IPV unblocked_ip $UNBLOCKED_DOM
 		[ -n "$unblocked_ip" ] || {
 			echo $UNBLOCKED_DOM does not resolve. tests not possible.
 			return 1
@@ -1263,7 +1260,7 @@ check_dpi_ip_block()
 		echo "> testing $blocked_dom on $unblocked_ip ($UNBLOCKED_DOM)"
 		curl_test $1 $blocked_dom $unblocked_ip detail

-		blocked_ips=$(mdig_resolve_all $IPV $blocked_dom)
+		mdig_resolve_all $IPV blocked_ips $blocked_dom
 		for blocked_ip in $blocked_ips; do
 			echo "> testing $UNBLOCKED_DOM on $blocked_ip ($blocked_dom)"
 			curl_test $1 $UNBLOCKED_DOM $blocked_ip detail
@@ -1314,6 +1311,8 @@ check_domain_http_tcp()
 	# $3 - encrypted test : 0 = plain, 1 - encrypted with server reply risk, 2 - encrypted without server reply risk
 	# $4 - domain

+	local ips
+
 	# in case was interrupted before
 	pktws_ipt_unprepare_tcp $2
 	ws_kill
@@ -1325,7 +1324,8 @@ check_domain_http_tcp()
 	[ "$SKIP_PKTWS" = 1 ] || {
 		echo
 	        echo preparing $PKTWSD redirection
-		pktws_ipt_prepare_tcp $2 "$(mdig_resolve_all $IPV $4)"
+		mdig_resolve_all $IPV ips $4
+		pktws_ipt_prepare_tcp $2 "$ips"

 		pktws_check_domain_http_bypass $1 $3 $4

@@ -1339,6 +1339,8 @@ check_domain_http_udp()
 	# $2 - port
 	# $3 - domain

+	local ips
+
 	# in case was interrupted before
 	pktws_ipt_unprepare_udp $2
 	ws_kill
@@ -1348,7 +1350,8 @@ check_domain_http_udp()
 	[ "$SKIP_PKTWS" = 1 ] || {
 		echo
 	        echo preparing $PKTWSD redirection
-		pktws_ipt_prepare_udp $2 "$(mdig_resolve_all $IPV $3)"
+		mdig_resolve_all $IPV ips $3
+		pktws_ipt_prepare_udp $2 "$ips"

 		pktws_check_domain_http3_bypass $1 $3

--- a/common/ipt.sh
+++ b/common/ipt.sh
@@ -2,8 +2,6 @@ std_ports
 ipt_connbytes="-m connbytes --connbytes-dir=original --connbytes-mode=packets --connbytes"
 IPSET_EXCLUDE="-m set ! --match-set nozapret"
 IPSET_EXCLUDE6="-m set ! --match-set nozapret6"
-IPBAN_EXCLUDE="-m set ! --match-set ipban"
-IPBAN_EXCLUDE6="-m set ! --match-set ipban6"

 ipt()
 {
--- a/common/list.sh
+++ b/common/list.sh
@@ -25,7 +25,7 @@ filter_apply_hostlist_target()
 {
 	# $1 - var name of nfqws params

-	local v parm parm1 parm2 parm3 parm4 parm5 parm6 parm7 parm8 parmNA
+	local v parm parm1 parm2 parm3 parm4 parm5 parm6 parm7 parm8 parm9 parm10 parmNA
 	eval v="\$$1"
 	if contains "$v" "$HOSTLIST_MARKER" || contains "$v" "$HOSTLIST_NOAUTO_MARKER"; then
 		[ "$MODE_FILTER" = hostlist -o "$MODE_FILTER" = autohostlist ] &&
@@ -40,10 +40,14 @@ filter_apply_hostlist_target()
 				parm5="${AUTOHOSTLIST_FAIL_THRESHOLD:+--hostlist-auto-fail-threshold=$AUTOHOSTLIST_FAIL_THRESHOLD}"
 				parm6="${AUTOHOSTLIST_FAIL_TIME:+--hostlist-auto-fail-time=$AUTOHOSTLIST_FAIL_TIME}"
 				parm7="${AUTOHOSTLIST_RETRANS_THRESHOLD:+--hostlist-auto-retrans-threshold=$AUTOHOSTLIST_RETRANS_THRESHOLD}"
-				parm8="--hostlist=$HOSTLIST_AUTO"
+				parm8="${AUTOHOSTLIST_RETRANS_MAXSEQ:+--hostlist-auto-retrans-maxseq=$AUTOHOSTLIST_RETRANS_MAXSEQ}"
+				parm9="${AUTOHOSTLIST_INCOMING_MAXSEQ:+--hostlist-auto-incoming-maxseq=$AUTOHOSTLIST_INCOMING_MAXSEQ}"
+				parm10="${AUTOHOSTLIST_UDP_IN:+--hostlist-auto-udp-in=$AUTOHOSTLIST_UDP_IN}"
+				parm11="${AUTOHOSTLIST_UDP_OUT:+--hostlist-auto-udp-out=$AUTOHOSTLIST_UDP_OUT}"
+				parm12="--hostlist=$HOSTLIST_AUTO"
 			}
-			parm="$parm1${parm2:+ $parm2}${parm3:+ $parm3}${parm4:+ $parm4}${parm5:+ $parm5}${parm6:+ $parm6}${parm7:+ $parm7}"
-			parmNA="$parm1${parm2:+ $parm2}${parm3:+ $parm3}${parm8:+ $parm8}"
+			parm="$parm1${parm2:+ $parm2}${parm3:+ $parm3}${parm4:+ $parm4}${parm5:+ $parm5}${parm6:+ $parm6}${parm7:+ $parm7}${parm8:+ $parm8}${parm9:+ $parm9}${parm10:+ $parm10}${parm11:+ $parm11}"
+			parmNA="$parm1${parm2:+ $parm2}${parm3:+ $parm3}${parm10:+ $parm12}"
 		}
 		v="$(replace_str $HOSTLIST_NOAUTO_MARKER "$parmNA" "$v")"
 		v="$(replace_str $HOSTLIST_MARKER "$parm" "$v")"
--- a/common/nft.sh
+++ b/common/nft.sh
@@ -97,17 +97,19 @@ nft_activate_chain4()
 {
 	# $1 - chain name
 	# $2 - saddr/daddr
-	local b rule markf= act
+	local b rule markf= act flt_ifname
 	[ "$DISABLE_IPV4" = "1" ] || {
 		eval act="\$${1}_act4"
 		[ -n "$act" ] && return

 		b=0
 		nft_wanif_filter_present && b=1
+		flt_ifname="oifname"
+		starts_with "$1" pre && flt_ifname="iifname"

 		[ "$2" = daddr ] && markf=$(nft_mark_filter)
 		rule="meta mark and $DESYNC_MARK == 0 $markf"
-		[ $b = 1 ] && rule="$rule oifname @wanif"
+		[ $b = 1 ] && rule="$rule $flt_ifname @wanif"
 		rule="$rule ip $2 != @nozapret jump $1"
 		nft_rule_exists ${1}_hook "$rule" || nft_add_rule ${1}_hook $rule

@@ -118,17 +120,19 @@ nft_activate_chain6()
 {
 	# $1 - chain name
 	# $2 - saddr/daddr
-	local b rule markf=
+	local b rule markf= act flt_ifname
 	[ "$DISABLE_IPV6" = "1" ] || {
 		eval act="\$${1}_act6"
 		[ -n "$act" ] && return

 		b=0
 		nft_wanif6_filter_present && b=1
+		flt_ifname="oifname"
+		starts_with "$1" pre && flt_ifname="iifname"

 		[ "$2" = daddr ] && markf=$(nft_mark_filter)
 		rule="meta mark and $DESYNC_MARK == 0 $markf"
-		[ $b = 1 ] && rule="$rule oifname @wanif6"
+		[ $b = 1 ] && rule="$rule $flt_ifname @wanif6"
 		rule="$rule ip6 $2 != @nozapret6 jump $1"
 		nft_rule_exists ${1}_hook "$rule" || nft_add_rule ${1}_hook $rule

--- a/config.default
+++ b/config.default
@@ -26,9 +26,15 @@ IPSET_OPT="hashsize 262144 maxelem $SET_MAXELEM"
 IP2NET_OPT4="--prefix-length=22-30 --v4-threshold=3/4"
 IP2NET_OPT6="--prefix-length=56-64 --v6-threshold=5"
 # options for auto hostlist
+# NOTE : in order for these adjustment to work it's required to redirect enough starting packets
+# NOTE : set PKT_IN, PKT_OUT variables appropriately
+AUTOHOSTLIST_INCOMING_MAXSEQ=4096
+AUTOHOSTLIST_RETRANS_MAXSEQ=32768
 AUTOHOSTLIST_RETRANS_THRESHOLD=3
 AUTOHOSTLIST_FAIL_THRESHOLD=3
 AUTOHOSTLIST_FAIL_TIME=60
+AUTOHOSTLIST_UDP_IN=1
+AUTOHOSTLIST_UDP_OUT=4
 # 1 = debug autohostlist positives to ipset/zapret-hosts-auto-debug.log
 AUTOHOSTLIST_DEBUGLOG=0

@@ -60,11 +66,10 @@ NFQWS2_PORTS_TCP=80,443
 NFQWS2_PORTS_UDP=443
 # PKT_OUT means connbytes dir original
 # PKT_IN means connbytes dir reply
-# this is --dpi-desync-cutoff=nX kernel mode implementation for linux. it saves a lot of CPU.
-NFQWS2_TCP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
-NFQWS2_TCP_PKT_IN=3
-NFQWS2_UDP_PKT_OUT=$((6+$AUTOHOSTLIST_RETRANS_THRESHOLD))
-NFQWS2_UDP_PKT_IN=0
+NFQWS2_TCP_PKT_OUT=20
+NFQWS2_TCP_PKT_IN=10
+NFQWS2_UDP_PKT_OUT=5
+NFQWS2_UDP_PKT_IN=3
 # redirect outgoing traffic without connbytes limiter and incoming with connbytes limiter
 # normally it's needed only for stateless DPI that matches every packet in a single TCP session
 # typical example are plain HTTP keep alives
@@ -92,11 +97,12 @@ FLOWOFFLOAD=donttouch
 #OPENWRT_WAN4="wan vpn"
 #OPENWRT_WAN6="wan6 vpn6"

-# for routers based on desktop linux and macos. has no effect in openwrt.
+# for routers based on classic linux. has no effect in openwrt.
 # CHOOSE LAN and optinally WAN/WAN6 NETWORK INTERFACES
 # or leave them commented if its not router
 # it's possible to specify multiple interfaces like this : IFACE_WAN="eth0 eth1 eth2"
 # if IFACE_WAN6 is not defined it take the value of IFACE_WAN
+#IFACE_LAN=eth0
 #IFACE_WAN=eth1
 #IFACE_WAN6="ipsec0 wireguard0 he_net"

--- a/docs/changes.txt
+++ b/docs/changes.txt
@@ -36,6 +36,92 @@ v0.2
 * zapret-pcap

 v0.3
+
 * init.d launch scripts
 * init.d: 40-webserver custom script
 * install_easy
+
+v0.4
+
+* nfqws2: profile names and cookies
+* nfqws2: profile templates
+* nfqws2: remove stun_binding_req, replace to stun. no more message type details
+* nfqws2: proper conntack position for replayed packets
+* nfqws2: execution_plan, execution_plan_cancel
+* blockcheck2: fix broken dns cache
+* nfqws2: LUA_COMPAT_VER tracking
+
+v0.5
+
+* nfqws2: u8add,u16add,u24add,u32add luacalls
+* nfqws2: abandon any arithmetics beyond 32bit (because lua 5.1 does not support 64 bit integers, store everything as double)
+* nfqws2: fix issues with 32-bit lua_Integer in lua<5.3 on 32-bit platforms
+* nfqws2: instance_cutoff luacall just warns and do nothing if ctx is nil
+* actions: build nfqws2 x86 binary with LUA 5.4, not with luajit
+* zapret-lib: http_reply, url and nld dissectors
+* zapret-lib: instance_cutoff_shim
+* zapret-auto: circular orchestrator
+
+v0.5.1
+
+* zapret-auto: separate failure detection logic
+* blockcheck2: fix broken http3 test
+
+v0.6
+
+* zapret-lib,zapret-antidpi: tls_mod_shim supports sni=%var subst
+* blockcheck2: syndata tests
+* nfqws2: reasm support negative overlaps. gaps are not supported.
+* nfqws2,zapret-auto: changed retransmission detection scheme.
+* zapret-auto: udp_in/udp_out failure detection
+
+v0.6.1
+
+* zapret-lib, zapret-auto: condition and stopif orchestrators
+* zapret-lib: detect_payload_str - sample lua payload detector
+* blockcheck2: unterminated string fix
+
+v0.7
+
+* nfqws2, zapret-lib : fix non-working % and # arg substitution under orchestrator
+* nfqws2, zapret-lib : structure conntrack in/out positions. pass in desync.track.pos.{client,server,direct,reverse} position tables
+* nfqws2: autohostlist: trigger RST and http redirect failures only within specified relative sequence
+* nfqws2: autohostlist: trigger http redirect failure if payload is http_req without connection proto check
+* nfqws2: push desync.track.pos.dt as float with nsec accuracy
+* zapret-auto: override host autostate key in automate_host_record
+* nfqws2: rewrite udp autohostlist failure detector logic
+
+v0.7.1
+
+* init.d: nft fix non-working incoming redirect
+* nfqws2: cancel reasm if server window size is smaller than expected reasm size
+* nfqws2: add EOL at the end of truncated buffered DLOG line if it's too large. increase log line buffer
+* nfqws2: autohostlist reset fail counter if udp_in > threshold
+* nfqws2: reduced default retrans maxseq to 32768
+* nfqws2: solved inability to get SSID using nl80211 on kernels 5.19+
+
+v0.7.2
+
+* zapret-lib: fix broken is_retransmission()
+* zapret-auto: add success detector logic
+* nfqws2: clean lua cutoff on profile change
+* zapret-auto: separate hostkey function
+
+v0.7.4
+
+* nfqws2, zapret-lib : check tcp sequence range overflow
+* zapret-lib: seq compare functions
+* nfqws2: add l3_len, l4_len to dissect
+* nfqws2: fix broken l7proto profile rediscovery
+* winws2: harden sandbox. disable child process execution , some UI interaction and desktop settings change
+
+v0.7.5
+
+* zapret-auto: orchestrator "repeater"
+* blockcheck2: check http3 with ipv6 exthdr
+* github actions: separate target arm-old with LUA classic, not JIT
+* zapret-auto: iff/neg in repeater
+* zapret-antidpi: multidisorder_legacy
+* ipset: remove get_reestr_hostlist.sh and get_reestr_resolve.sh because zapret-info does not and will probably not ever update
+* nfqws2: fix "reasm cancelled" if no incoming traffic redirected
+* blockcheck2: MULTIDISORDER=multidisorder_legacy
--- a/docs/changes_compat.txt
+++ b/docs/changes_compat.txt
@@ -0,0 +1,11 @@
+Here listed all api breaking changes.
+When something changes capable of breaking things NFQWS2_COMPAT_VER increases.
+
+v2
+* removed "stun_binding_req" specialized payload. replaced with common "stun" - any stun packets, not only binding request.
+every LUA relying on desync.l7payload should be revised.
+nfqws2 --payload option and init.d custom scripts must be updated.
+
+v3
+* restructured desync.track. pass positions in desync.track.pos.{client,server,direct,reverse}
+code relying on conntrack counters and sequence numbers must be rewritten
--- a/docs/manual.md
+++ b/docs/manual.md
--- a/docs/readme.md
+++ b/docs/readme.md
@@ -1,5 +1,3 @@
-# zapret2 v0.2
-
 ## Зачем это нужно

 Автономное средство противодействия DPI, которое не требует подключения каких-либо сторонних серверов. Может помочь
@@ -10,6 +8,20 @@ VPN. Может использоваться для частичной проз
 традиционные Linux-системы, FreeBSD, OpenBSD, Windows. В некоторых случаях возможна самостоятельная прикрутка
 решения к различным прошивкам.

+[Полный мануал](manual.md)
+
+
+## Поддержать разработчика
+
+Если вы считаете проект полезным и желаете поддержать разработку, направляйте ваши пожертвования на следующие адреса криптокошельков :
+
+USDT `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`  (предпочительно сеть ERC-20)
+
+BTC  `bc1qhqew3mrvp47uk2vevt5sctp7p2x9m7m5kkchve`
+
+ETH  `0x3d52Ce15B7Be734c53fc9526ECbAB8267b63d66E`
+
+
 ## Чем это отличается от zapret1

 zapret2 является дальнейшим развитием проекта zapret.
@@ -40,7 +52,7 @@ zapret2 - инструмент для таких энтузиастов. Но э

 ## С чего начать

-Хотелось бы избежать "талмуда" на главной странице. Поэтому начнем со способа запуска *nfqws2* и описания способов портирования стратегий *nfqws1* - как в *nfqws2* сделать то же самое, что можно было в *nfqws1*.
+Хотелось бы избежать [талмуда](manual.md) на главной странице. Поэтому начнем со способа запуска *nfqws2* и описания способов портирования стратегий *nfqws1* - как в *nfqws2* сделать то же самое, что можно было в *nfqws1*.
 Когда вы поймете как это работает, вы можете посмотреть LUA код, находящийся "под капотом". Разобрать как он работает, попробовать написать что-то свое.
 "талмуд" обязательно будет, как он есть у любых более-менее сложных проектов. Он нужен как справочник.

@@ -155,7 +167,7 @@ range задается как `mX-mY`, `mX<mY`, `-mY`, `<mY`, `mX-`.
 Следующий профиль снова принимает значения по умолчанию.

 Что будет, если вы не напишите фильтр `--payload` для fake или multisplit ? В *nfqws1* без `--dpi-desync-any-protocol` они работали только по известным пейлоадам.
-В *nfqws2* "any protocol" - режим по умолчанию. Однако, функции из библиотеки `zapret-antidpi.lua` написаны так, что по умолчанию работают только по известные пейлоадам
+В *nfqws2* "any protocol" - режим по умолчанию. Однако, функции из библиотеки `zapret-antidpi.lua` написаны так, что по умолчанию работают только по известным пейлоадам
 и не работают по пустым пакетам или unknown - точно так же, как это было в *nfqws1*.
 Но лучше все-же писать фильтры `--payload`, потому что они работают на уровне C кода, который выполняется существенно быстрее, чем LUA.

@@ -361,7 +373,7 @@ start "zapret: http,https,quic" /min "%~dp0winws2.exe" ^
  --new ^
 --filter-l7=wireguard,stun,discord ^
  --out-range=-d10 ^
-  --payload=wireguard_initiation,wireguard_cookie,stun_binding_req,discord_ip_discovery ^
+  --payload=wireguard_initiation,wireguard_cookie,stun,discord_ip_discovery ^
   --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2
 ```

--- a/files/fake/dns.bin
+++ b/files/fake/dns.bin
--- a/init.d/custom.d.examples.linux/20-fw-extra
+++ b/init.d/custom.d.examples.linux/20-fw-extra
@@ -1,31 +1,22 @@
 # this custom script runs standard mode with extra firewall rules

-# config: use TPWS_ENABLE_OVERRIDE, NFQWS_ENABLE_OVERRIDE to enable standard mode daemons
+# config: use NFQWS2_ENABLE_OVERRIDE to enable standard mode daemons
 # standard and override switches cannot be enabled simultaneously !

-TPWS_ENABLE_OVERRIDE=${TPWS_ENABLE_OVERRIDE:-0}
-NFQWS_ENABLE_OVERRIDE=${NFQWS_ENABLE_OVERRIDE:-0}
+NFQWS2_ENABLE_OVERRIDE=${NFQWS2_ENABLE_OVERRIDE:-0}

 # config: some if these values must be set in config. not setting any of these makes this script meaningless.
 # pre vars put ipt/nft code to the rule beginning
-#FW_EXTRA_PRE_TPWS_IPT=
-#FW_EXTRA_PRE_TPWS_NFT=
-#FW_EXTRA_PRE_NFQWS_IPT="-m mark --mark 0x10000000/0x10000000"
-#FW_EXTRA_PRE_NFQWS_NFT="mark and 0x10000000 != 0"
+#FW_EXTRA_PRE_NFQWS2_IPT="-m mark --mark 0x10000000/0x10000000"
+#FW_EXTRA_PRE_NFQWS2_NFT="mark and 0x10000000 != 0"
 # post vars put ipt/nft code to the rule end
-#FW_EXTRA_POST_TPWS_IPT=
-#FW_EXTRA_POST_TPWS_NFT=
-#FW_EXTRA_POST_NFQWS_IPT=
-#FW_EXTRA_POST_NFQWS_NFT=
+#FW_EXTRA_POST_NFQWS2_IPT=
+#FW_EXTRA_POST_NFQWS2_NFT=

 check_std_intersect()
 {
-	[ "$TPWS_ENABLE_OVERRIDE" = 1 -a "$TPWS_ENABLE" = 1 ] && {
-		echo "ERROR ! both TPWS_ENABLE_OVERRIDE and TPWS_ENABLE are enabled"
-		return 1
-	}
-	[ "$NFQWS_ENABLE_OVERRIDE" = 1 -a "$NFQWS_ENABLE" = 1 ] && {
-		echo "ERROR ! both NFQWS_ENABLE_OVERRIDE and NFQWS_ENABLE are enabled"
+	[ "$NFQWS2_ENABLE_OVERRIDE" = 1 -a "$NFQWS2_ENABLE" = 1 ] && {
+		echo "ERROR ! both NFQWS2_ENABLE_OVERRIDE and NFQWS2_ENABLE are enabled"
 		return 1
 	}
 	return 0
@@ -37,7 +28,7 @@ zapret_custom_daemons()

 	check_std_intersect || return

-	local TPWS_SOCKS_ENABLE=0 TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
+	local NFQWS2_ENABLE=$NFQWS2_ENABLE_OVERRIDE
 	standard_mode_daemons "$1"
 }
 zapret_custom_firewall()
@@ -46,10 +37,8 @@ zapret_custom_firewall()

 	check_std_intersect || return

-	local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
-	FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_IPT"
-	zapret_do_firewall_standard_tpws_rules_ipt $1
-	FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_IPT"
+	local FW_EXTRA_PRE FW_EXTRA_POST NFQWS2_ENABLE=$NFQWS2_ENABLE_OVERRIDE
+	FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS2_IPT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS2_IPT"
 	zapret_do_firewall_standard_nfqws_rules_ipt $1
 }
 zapret_custom_firewall_nft()
@@ -58,9 +47,7 @@ zapret_custom_firewall_nft()

 	check_std_intersect || return

-	local FW_EXTRA_PRE FW_EXTRA_POST TPWS_ENABLE=$TPWS_ENABLE_OVERRIDE NFQWS_ENABLE=$NFQWS_ENABLE_OVERRIDE
-	FW_EXTRA_PRE="$FW_EXTRA_PRE_TPWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_TPWS_NFT"
-	zapret_apply_firewall_standard_tpws_rules_nft
-	FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS_NFT"
+	local FW_EXTRA_PRE FW_EXTRA_POST NFQWS2_ENABLE=$NFQWS2_ENABLE_OVERRIDE
+	FW_EXTRA_PRE="$FW_EXTRA_PRE_NFQWS2_NFT" FW_EXTRA_POST="$FW_EXTRA_POST_NFQWS2_NFT"
 	zapret_apply_firewall_standard_nfqws_rules_nft
 }
--- a/init.d/custom.d.examples.linux/50-stun4all
+++ b/init.d/custom.d.examples.linux/50-stun4all
@@ -2,7 +2,7 @@
 # NOTE: @ih requires nft 1.0.1+ and updated kernel version. it's confirmed to work on 5.15 (openwrt 23) and not work on 5.10 (openwrt 22)

 # can override in config :
-NFQWS_OPT_DESYNC_STUN="${NFQWS_OPT_DESYNC_STUN:---payload stun_binding_req --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2}"
+NFQWS_OPT_DESYNC_STUN="${NFQWS_OPT_DESYNC_STUN:---payload stun --lua-desync=fake:blob=0x00000000000000000000000000000000:repeats=2}"

 alloc_dnum DNUM_STUN4ALL
 alloc_qnum QNUM_STUN4ALL
--- a/init.d/openwrt/90-zapret2
+++ b/init.d/openwrt/90-zapret2
@@ -2,19 +2,6 @@

 ZAPRET=/etc/init.d/zapret2

-check_lan()
-{
-	IS_LAN=
-	[ -n "$OPENWRT_LAN" ] || OPENWRT_LAN=lan
-	for lan in $OPENWRT_LAN; do
-		[ "$INTERFACE" = "$lan" ] && {
-			IS_LAN=1
-			break
-		}
-	done
-}
-
-
 [ -n "$INTERFACE" ] && [ "$ACTION" = ifup -o "$ACTION" = ifdown ] && [ -x "$ZAPRET" ] && "$ZAPRET" enabled && {
 	SCRIPT=$(readlink "$ZAPRET")
 	if [ -n "$SCRIPT" ]; then
--- a/init.d/openwrt/zapret2
+++ b/init.d/openwrt/zapret2
@@ -41,7 +41,7 @@ PIDDIR=/var/run

 USEROPT="--user=$WS_USER"
 NFQWS2="${NFQWS2:-$ZAPRET_BASE/nfq2/nfqws2}"
-LUAOPT="--lua-init=@$ZAPRET_BASE/lua/zapret-lib.lua --lua-init=@$ZAPRET_BASE/lua/zapret-antidpi.lua"
+LUAOPT="--lua-init=@$ZAPRET_BASE/lua/zapret-lib.lua --lua-init=@$ZAPRET_BASE/lua/zapret-antidpi.lua --lua-init=@$ZAPRET_BASE/lua/zapret-auto.lua"
 NFQWS2_OPT_BASE="$USEROPT --fwmark=$DESYNC_MARK $LUAOPT"

 run_daemon()
--- a/init.d/sysv/functions
+++ b/init.d/sysv/functions
@@ -72,7 +72,7 @@ DESYNC_MARK_POSTNAT=${DESYNC_MARK_POSTNAT:-0x20000000}

 QNUM=${QNUM:-300}
 NFQWS2="${NFQWS2:-$ZAPRET_BASE/nfq2/nfqws2}"
-LUAOPT="--lua-init=@$ZAPRET_BASE/lua/zapret-lib.lua --lua-init=@$ZAPRET_BASE/lua/zapret-antidpi.lua"
+LUAOPT="--lua-init=@$ZAPRET_BASE/lua/zapret-lib.lua --lua-init=@$ZAPRET_BASE/lua/zapret-antidpi.lua --lua-init=@$ZAPRET_BASE/lua/zapret-auto.lua"
 NFQWS2_OPT_BASE="$USEROPT --fwmark=$DESYNC_MARK $LUAOPT"


--- a/install_easy.sh
+++ b/install_easy.sh
@@ -233,10 +233,10 @@ select_getlist()
 		echo
 		if ask_yes_no $D "do you want to auto download ip/host list"; then
 			if [ "$MODE_FILTER" = "hostlist" -o "$MODE_FILTER" = "autohostlist" ] ; then
-				GETLISTS="get_refilter_domains.sh get_antizapret_domains.sh get_reestr_resolvable_domains.sh get_reestr_hostlist.sh"
+				GETLISTS="get_refilter_domains.sh get_antizapret_domains.sh get_reestr_resolvable_domains.sh"
 				GETLIST_DEF="get_antizapret_domains.sh"
 			else
-				GETLISTS="get_user.sh get_refilter_ipsum.sh get_antifilter_ip.sh get_antifilter_ipsmart.sh get_antifilter_ipsum.sh get_antifilter_ipresolve.sh get_antifilter_allyouneed.sh get_reestr_resolve.sh get_reestr_preresolved.sh get_reestr_preresolved_smart.sh"
+				GETLISTS="get_user.sh get_refilter_ipsum.sh get_antifilter_ip.sh get_antifilter_ipsmart.sh get_antifilter_ipsum.sh get_antifilter_ipresolve.sh get_antifilter_allyouneed.sh get_reestr_preresolved.sh get_reestr_preresolved_smart.sh"
 				GETLIST_DEF="get_antifilter_allyouneed.sh"
 			fi
 			ask_list GETLIST "$GETLISTS" "$GETLIST_DEF" && write_config_var GETLIST
--- a/ipset/get_reestr_hostlist.sh
+++ b/ipset/get_reestr_hostlist.sh
@@ -1,65 +0,0 @@
-#!/bin/sh
-
-IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
-
-. "$IPSET_DIR/def.sh"
-
-ZREESTR="$TMPDIR/zapret.txt.gz"
-IPB="$TMPDIR/ipb.txt"
-ZURL_REESTR=https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv.gz
-
-dl_checked()
-{
-  # $1 - url
-  # $2 - file
-  # $3 - minsize
-  # $4 - maxsize
-  # $5 - maxtime
-  curl -k --fail --max-time $5 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$2" "$1" ||
-  {
-   echo list download failed : $1
-   return 2
-  }
-  dlsize=$(LC_ALL=C LANG=C wc -c "$2" | xargs | cut -f 1 -d ' ')
-  if test $dlsize -lt $3; then
-   echo list is too small : $dlsize bytes. can be bad.
-   return 2
-  fi
-  return 0
-}
-
-reestr_list()
-{
- LC_ALL=C LANG=C gunzip -c "$ZREESTR" | cut -s -f2 -d';' | LC_ALL=C  LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p' | $AWK '{ print tolower($0) }'
-}
-reestr_extract_ip()
-{
- LC_ALL=C LANG=C gunzip -c | nice -n 5 $AWK -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' | LC_ALL=C  LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}'
-}
-
-ipban_fin()
-{
- getipban
- "$IPSET_DIR/create_ipset.sh"
-}
-
-dl_checked "$ZURL_REESTR" "$ZREESTR" 204800 251658240 600 || {
- ipban_fin
- exit 2
-}
-
-reestr_list | sort -u | zz "$ZHOSTLIST"
-
-reestr_extract_ip <"$ZREESTR" >"$IPB"
-
-rm -f "$ZREESTR"
-[ "$DISABLE_IPV4" != "1" ] && $AWK '/^([0-9]{1,3}\.){3}[0-9]{1,3}($|(\/[0-9]{2}$))/' "$IPB" | cut_local | ip2net4 | zz "$ZIPLIST_IPBAN"
-[ "$DISABLE_IPV6" != "1" ] && $AWK '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}($|(\/[0-9]{2,3}$))/' "$IPB" | cut_local6 | ip2net6 | zz "$ZIPLIST_IPBAN6"
-rm -f "$IPB"
-
-hup_zapret_daemons
-
-ipban_fin
-
-exit 0
--- a/ipset/get_reestr_preresolved.sh
+++ b/ipset/get_reestr_preresolved.sh
@@ -10,8 +10,8 @@ TMPLIST="$TMPDIR/list.txt"
 BASEURL="https://raw.githubusercontent.com/bol-van/rulist/main"
 URL4="$BASEURL/reestr_resolved4.txt"
 URL6="$BASEURL/reestr_resolved6.txt"
-IPB4="$BASEURL/reestr_ipban4.txt"
-IPB6="$BASEURL/reestr_ipban6.txt"
+#IPB4="$BASEURL/reestr_ipban4.txt"
+#IPB6="$BASEURL/reestr_ipban6.txt"

 dl()
 {
@@ -35,12 +35,12 @@ dl()

 getuser && {
 [ "$DISABLE_IPV4" != "1" ] && {
- 	dl "$URL4" "$ZIPLIST" 32768 4194304
- 	dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
+	dl "$URL4" "$ZIPLIST" 4096 4194304
+#	dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
 }
 [ "$DISABLE_IPV6" != "1" ] && {
- 	dl "$URL6" "$ZIPLIST6" 8192 4194304
- 	dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
+	dl "$URL6" "$ZIPLIST6" 2048 4194304
+#	dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
 }
 }

--- a/ipset/get_reestr_preresolved_smart.sh
+++ b/ipset/get_reestr_preresolved_smart.sh
@@ -10,8 +10,8 @@ TMPLIST="$TMPDIR/list.txt"
 BASEURL="https://raw.githubusercontent.com/bol-van/rulist/main"
 URL4="$BASEURL/reestr_smart4.txt"
 URL6="$BASEURL/reestr_smart6.txt"
-IPB4="$BASEURL/reestr_ipban4.txt"
-IPB6="$BASEURL/reestr_ipban6.txt"
+#IPB4="$BASEURL/reestr_ipban4.txt"
+#IPB6="$BASEURL/reestr_ipban6.txt"

 dl()
 {
@@ -35,12 +35,12 @@ dl()

 getuser && {
 [ "$DISABLE_IPV4" != "1" ] && {
- 	dl "$URL4" "$ZIPLIST" 32768 4194304
- 	dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
+	dl "$URL4" "$ZIPLIST" 4096 4194304
+#	dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
 }
 [ "$DISABLE_IPV6" != "1" ] && {
- 	dl "$URL6" "$ZIPLIST6" 8192 4194304
- 	dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
+	dl "$URL6" "$ZIPLIST6" 2048 4194304
+#	dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
 }
 }

--- a/ipset/get_reestr_resolvable_domains.sh
+++ b/ipset/get_reestr_resolvable_domains.sh
@@ -9,8 +9,8 @@ TMPLIST="$TMPDIR/list_nethub.txt"

 BASEURL="https://raw.githubusercontent.com/bol-van/rulist/main"
 URL="$BASEURL/reestr_hostname_resolvable.txt"
-IPB4="$BASEURL/reestr_ipban4.txt"
-IPB6="$BASEURL/reestr_ipban6.txt"
+#IPB4="$BASEURL/reestr_ipban4.txt"
+#IPB6="$BASEURL/reestr_ipban6.txt"

 dl()
 {
@@ -36,8 +36,8 @@ dl "$URL" "$ZHOSTLIST" 65536 67108864

 hup_zapret_daemons

-[ "$DISABLE_IPV4" != "1" ] && dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
-[ "$DISABLE_IPV6" != "1" ] && dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576
+#[ "$DISABLE_IPV4" != "1" ] && dl "$IPB4" "$ZIPLIST_IPBAN" 8192 1048576
+#[ "$DISABLE_IPV6" != "1" ] && dl "$IPB6" "$ZIPLIST_IPBAN6" 128 1048576

 getipban
 "$IPSET_DIR/create_ipset.sh"
--- a/ipset/get_reestr_resolve.sh
+++ b/ipset/get_reestr_resolve.sh
@@ -1,83 +0,0 @@
-#!/bin/sh
-
-IPSET_DIR="$(dirname "$0")"
-IPSET_DIR="$(cd "$IPSET_DIR"; pwd)"
-
-. "$IPSET_DIR/def.sh"
-
-ZREESTR="$TMPDIR/zapret.txt.gz"
-ZDIG="$TMPDIR/zapret-dig.txt"
-IPB="$TMPDIR/ipb.txt"
-ZIPLISTTMP="$TMPDIR/zapret-ip.txt"
-#ZURL=https://reestr.rublacklist.net/api/current
-ZURL_REESTR=https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv.gz
-
-dl_checked()
-{
-  # $1 - url
-  # $2 - file
-  # $3 - minsize
-  # $4 - maxsize
-  # $5 - maxtime
-  curl -k --fail --max-time $5 --connect-timeout 10 --retry 4 --max-filesize $4 -o "$2" "$1" ||
-  {
-   echo list download failed : $1
-   return 2
-  }
-  dlsize=$(LC_ALL=C LANG=C wc -c "$2" | xargs | cut -f 1 -d ' ')
-  if test $dlsize -lt $3; then
-   echo list is too small : $dlsize bytes. can be bad.
-   return 2
-  fi
-  return 0
-}
-
-reestr_list()
-{
- LC_ALL=C LANG=C gunzip -c "$ZREESTR" | cut -s -f2 -d';' | LC_ALL=C LANG=C nice -n 5 sed -Ee 's/^\*\.(.+)$/\1/' -ne 's/^[a-z0-9A-Z._-]+$/&/p' | $AWK '{ print tolower($0) }'
-}
-reestr_extract_ip()
-{
- LC_ALL=C LANG=C gunzip -c | nice -n 5 $AWK -F ';' '($1 ~ /^([0-9]{1,3}\.){3}[0-9]{1,3}/) && (($2 == "" && $3 == "") || ($1 == $2)) {gsub(/ \| /, RS); print $1}' | LC_ALL=C LANG=C $AWK '{split($1, a, /\|/); for (i in a) {print a[i]}}'
-}
-
-getuser && {
- # both disabled
- [ "$DISABLE_IPV4" = "1" ] && [ "$DISABLE_IPV6" = "1" ] && exit 0
-
- dl_checked "$ZURL_REESTR" "$ZREESTR" 204800 251658240 600 || exit 2
- 
- echo preparing ipban list ..
- 
- reestr_extract_ip <"$ZREESTR" >"$IPB"
- [ "$DISABLE_IPV4" != "1" ] && $AWK '/^([0-9]{1,3}\.){3}[0-9]{1,3}($|(\/[0-9]{2}$))/' "$IPB" | cut_local | ip2net4 | zz "$ZIPLIST_IPBAN"
- [ "$DISABLE_IPV6" != "1" ] && $AWK '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}($|(\/[0-9]{2,3}$))/' "$IPB" | cut_local6 | ip2net6 | zz "$ZIPLIST_IPBAN6"
- rm -f "$IPB"
-
- echo preparing dig list ..
- reestr_list | sort -u >"$ZDIG"
-
- rm -f "$ZREESTR"
-
- echo digging started. this can take long ...
-
- [ "$DISABLE_IPV4" != "1" ] && {
-  filedigger "$ZDIG" 4 | cut_local >"$ZIPLISTTMP" || {
-   rm -f "$ZDIG"
-   exit 1
-  }
-  ip2net4 <"$ZIPLISTTMP" | zz "$ZIPLIST"
-  rm -f "$ZIPLISTTMP"
- }
- [ "$DISABLE_IPV6" != "1" ] && {
-  filedigger "$ZDIG" 6 | cut_local6 >"$ZIPLISTTMP" || {
-   rm -f "$ZDIG"
-   exit 1
-  }
-  ip2net6 <"$ZIPLISTTMP" | zz "$ZIPLIST6"
-  rm -f "$ZIPLISTTMP"
- }
- rm -f "$ZDIG"
-}
-
-"$IPSET_DIR/create_ipset.sh"
--- a/lua/zapret-antidpi.lua
+++ b/lua/zapret-antidpi.lua
@@ -113,7 +113,7 @@ end
 -- standard args : direction
 function http_domcase(ctx, desync)
 	if not desync.dis.tcp then
-		instance_cutoff(ctx)
+		instance_cutoff_shim(ctx, desync)
 		return
 	end
 	direction_cutoff_opposite(ctx, desync)
@@ -139,7 +139,7 @@ end
 -- arg : spell=<str> . spelling of the "Host" header. must be exactly 4 chars long
 function http_hostcase(ctx, desync)
 	if not desync.dis.tcp then
-		instance_cutoff(ctx)
+		instance_cutoff_shim(ctx, desync)
 		return
 	end
 	direction_cutoff_opposite(ctx, desync)
@@ -164,7 +164,7 @@ end
 -- standard args : direction
 function http_methodeol(ctx, desync)
 	if not desync.dis.tcp then
-		instance_cutoff(ctx)
+		instance_cutoff_shim(ctx, desync)
 		return
 	end
 	direction_cutoff_opposite(ctx, desync)
@@ -221,10 +221,10 @@ function synack_split(ctx, desync)
 				error("synack_split: bad mode '"..mode.."'")
 			end
 		else
-			instance_cutoff(ctx) -- mission complete
+			instance_cutoff_shim(ctx, desync) -- mission complete
 		end
 	else
-		instance_cutoff(ctx)
+		instance_cutoff_shim(ctx, desync)
 	end
 end

@@ -238,10 +238,10 @@ function synack(ctx, desync)
 			DLOG("synack: sending")
 			rawsend_dissect_ipfrag(dis, desync_opts(desync))
 		else
-			instance_cutoff(ctx) -- mission complete
+			instance_cutoff_shim(ctx, desync) -- mission complete
 		end
 	else
-		instance_cutoff(ctx)
+		instance_cutoff_shim(ctx, desync)
 	end
 end

@@ -256,10 +256,10 @@ function wsize(ctx, desync)
 				return VERDICT_MODIFY
 			end
 		else
-			instance_cutoff(ctx) -- mission complete
+			instance_cutoff_shim(ctx, desync) -- mission complete
 		end
 	else
-		instance_cutoff(ctx)
+		instance_cutoff_shim(ctx, desync)
 	end
 end

@@ -270,7 +270,7 @@ end
 -- arg : forced_cutoff=<list> - comma separated list of payloads that trigger forced wssize cutoff. by default - any non-empty payload
 function wssize(ctx, desync)
 	if not desync.dis.tcp then
-		instance_cutoff(ctx)
+		instance_cutoff_shim(ctx, desync)
 		return
 	end
 	local verdict = VERDICT_PASS
@@ -281,7 +281,7 @@ function wssize(ctx, desync)
 		end
 		if #desync.dis.payload>0 and (not desync.arg.forced_cutoff or in_list(desync.arg.forced_cutoff, desync.l7payload)) then
 			DLOG("wssize: forced cutoff")
-			instance_cutoff(ctx)
+			instance_cutoff_shim(ctx, desync)
 		end
 	end
 	return verdict
@@ -290,7 +290,7 @@ end
 -- nfqws1 : "--dpi-desync=syndata"
 -- standard args : fooling, rawsend, reconstruct, ipfrag
 -- arg : blob=<blob> - fake payload. must fit to single packet. no segmentation possible. default - 16 zero bytes.
-- arg : tls_mod=<list> - comma separated list of tls mods : rnd,rndsni,sni=<str>,dupsid,padencap
+-- arg : tls_mod=<list> - comma separated list of tls mods : rnd,rndsni,sni=<str>. sni=%var is supported
 function syndata(ctx, desync)
 	if desync.dis.tcp then
 		if bitand(desync.dis.tcp.th_flags, TH_SYN + TH_ACK)==TH_SYN then
@@ -298,17 +298,17 @@ function syndata(ctx, desync)
 			dis.payload = blob(desync, desync.arg.blob, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
 			apply_fooling(desync, dis)
 			if desync.arg.tls_mod then
-				dis.payload = tls_mod(dis.payload, desync.arg.tls_mod, nil)
+				dis.payload = tls_mod_shim(desync, dis.payload, desync.arg.tls_mod, nil)
 			end
 			if b_debug then DLOG("syndata: "..hexdump_dlog(dis.payload)) end
 			if rawsend_dissect_ipfrag(dis, desync_opts(desync)) then
 				return VERDICT_DROP
 			end
 		else
-			instance_cutoff(ctx) -- mission complete
+			instance_cutoff_shim(ctx, desync) -- mission complete
 		end
 	else
-		instance_cutoff(ctx)
+		instance_cutoff_shim(ctx, desync)
 	end
 end

@@ -317,7 +317,7 @@ end
 -- arg : rstack - send RST,ACK instead of RST
 function rst(ctx, desync)
 	if not desync.dis.tcp then
-		instance_cutoff(ctx)
+		instance_cutoff_shim(ctx, desync)
 		return
 	end
 	direction_cutoff_opposite(ctx, desync)
@@ -340,7 +340,7 @@ end
 -- nfqws1 : "--dpi-desync=fake"
 -- standard args : direction, payload, fooling, ip_id, rawsend, reconstruct, ipfrag
 -- arg : blob=<blob> - fake payload
-- arg : tls_mod=<list> - comma separated list of tls mods : rnd,rndsni,sni=<str>,dupsid,padencap
+-- arg : tls_mod=<list> - comma separated list of tls mods : rnd,rndsni,sni=<str>,dupsid,padencap . sni=%var is supported
 function fake(ctx, desync)
 	direction_cutoff_opposite(ctx, desync)
 	-- by default process only outgoing known payloads
@@ -351,7 +351,7 @@ function fake(ctx, desync)
 			end
 			local fake_payload = blob(desync, desync.arg.blob)
 			if desync.reasm_data and desync.arg.tls_mod then
-				fake_payload = tls_mod(fake_payload, desync.arg.tls_mod, desync.reasm_data)
+				fake_payload = tls_mod_shim(desync, fake_payload, desync.arg.tls_mod, desync.reasm_data)
 			end
 			-- check debug to save CPU
 			if b_debug then DLOG("fake: "..hexdump_dlog(fake_payload)) end
@@ -371,7 +371,7 @@ end
 -- arg : nodrop - do not drop current dissect
 function multisplit(ctx, desync)
 	if not desync.dis.tcp then
-		instance_cutoff(ctx)
+		instance_cutoff_shim(ctx, desync)
 		return
 	end
 	direction_cutoff_opposite(ctx, desync)
@@ -416,16 +416,58 @@ function multisplit(ctx, desync)
 	end
 end

+-- internal function for code deduplication. do not call directly
+function pos_normalize(pos, low, hi)
+	return (pos>=low and pos<hi) and (pos-low+1) or nil
+end
+-- internal function for code deduplication. do not call directly
+function pos_array_normalize(pos, low, hi)
+	-- remove positions outside of hi,low range. normalize others to low
+	local i=1
+	while i<=#pos do
+		pos[i] = pos_normalize(pos[i], low, hi)
+		if pos[i] then
+			i = i + 1
+		else
+			table.remove(pos, i);
+		end
+	end
+end
+-- internal function for code deduplication. do not call directly
+function multidisorder_send(desync, data, seqovl, pos)
+	for i=#pos,0,-1 do
+		local pos_start = pos[i] or 1
+		local pos_end = i<#pos and pos[i+1]-1 or #data
+		local part = string.sub(data,pos_start,pos_end)
+		local ovl=0
+		if i==1 and seqovl and seqovl>0 then
+			if seqovl>=pos[1] then
+				DLOG("multidisorder: seqovl cancelled because seqovl "..(seqovl-1).." is not less than the first split pos "..(pos[1]-1))
+			else
+				ovl = seqovl - 1
+				local pat = desync.arg.seqovl_pattern and blob(desync,desync.arg.seqovl_pattern) or "\x00"
+				part = pattern(pat,1,ovl)..part
+			end
+		end
+		if b_debug then DLOG("multidisorder: sending part "..(i+1).." "..(pos_start-1).."-"..(pos_end-1).." len="..#part.." seqovl="..ovl.." : "..hexdump_dlog(part)) end
+		if not rawsend_payload_segmented(desync,part,pos_start-1-ovl) then
+			return VERDICT_PASS
+		end
+	end
+	return VERDICT_DROP
+end
+
 -- nfqws1 : "--dpi-desync=multidisorder"
+-- algorithm is not 100% the same as in nfqws1. multi-segment queries can produce different segment ordering.
 -- standard args : direction, payload, fooling, ip_id, rawsend, reconstruct, ipfrag
 -- arg : pos=<postmarker list> . position marker list. example : "1,host,midsld+1,-10"
 -- arg : seqovl=N . decrease seq number of the second segment in the original order by N and fill N bytes with pattern (default - all zero). N must be less than the first split pos.
 -- arg : seqovl_pattern=<blob> . override pattern
-- arg : blob=<blob> - use this data instead of desync.dis.payload
+-- arg : blob=<blob> - use this data instead of reasm_data
 -- arg : nodrop - do not drop current dissect
 function multidisorder(ctx, desync)
 	if not desync.dis.tcp then
-		instance_cutoff(ctx)
+		instance_cutoff_shim(ctx, desync)
 		return
 	end
 	direction_cutoff_opposite(ctx, desync)
@@ -440,32 +482,16 @@ function multidisorder(ctx, desync)
 			if b_debug then DLOG("multidisorder: resolved split pos: "..table.concat(zero_based_pos(pos)," ")) end
 			delete_pos_1(pos) -- cannot split at the first byte
 			if #pos>0 then
-				for i=#pos,0,-1 do
-					local pos_start = pos[i] or 1
-					local pos_end = i<#pos and pos[i+1]-1 or #data
-					local part = string.sub(data,pos_start,pos_end)
-					local seqovl=0
-					if i==1 and desync.arg.seqovl then
-						seqovl = resolve_pos(data, desync.l7payload, desync.arg.seqovl)
-						if not seqovl then
-							DLOG("multidisorder: seqovl cancelled because could not resolve marker '"..desync.arg.seqovl.."'")
-							seqovl = 0
-						else
-							seqovl = seqovl - 1
-							if seqovl>=(pos[1]-1) then
-								DLOG("multidisorder: seqovl cancelled because seqovl "..seqovl.." is not less than the first split pos "..(pos[1]-1))
-								seqovl = 0
-							else
-								local pat = desync.arg.seqovl_pattern and blob(desync,desync.arg.seqovl_pattern) or "\x00"
-								part = pattern(pat,1,seqovl)..part
-							end
-						end
-					end
-					if b_debug then DLOG("multidisorder: sending part "..(i+1).." "..(pos_start-1).."-"..(pos_end-1).." len="..#part.." seqovl="..seqovl.." : "..hexdump_dlog(part)) end
-					if not rawsend_payload_segmented(desync,part,pos_start-1-seqovl) then
-						return VERDICT_PASS
+				local seqovl
+				if desync.arg.seqovl then
+					seqovl = resolve_pos(data, desync.l7payload, desync.arg.seqovl)
+					if not seqovl then
+						DLOG("multidisorder: seqovl cancelled because could not resolve marker '"..desync.arg.seqovl.."'")
 					end
 				end
+				if multidisorder_send(desync, data, seqovl, pos)==VERDICT_PASS then
+					return VERDICT_PASS
+				end
 				replay_drop_set(desync)
 				return desync.arg.nodrop and VERDICT_PASS or VERDICT_DROP
 			else
@@ -481,6 +507,59 @@ function multidisorder(ctx, desync)
 	end
 end

+-- nfqws1 : "--dpi-desync=multidisorder". segment ordering is the same as in nfqws1
+-- standard args : direction, payload, fooling, ip_id, rawsend, reconstruct, ipfrag
+-- arg : pos=<postmarker list> . position marker list. example : "1,host,midsld+1,-10"
+-- arg : seqovl=N . decrease seq number of the second segment in the original order by N and fill N bytes with pattern (default - all zero). N must be less than the first split pos.
+-- arg : seqovl_pattern=<blob> . override pattern
+function multidisorder_legacy(ctx, desync)
+	if not desync.dis.tcp then
+		instance_cutoff_shim(ctx, desync)
+		return
+	end
+	direction_cutoff_opposite(ctx, desync)
+	-- by default process only outgoing known payloads
+	local data = desync.dis.payload
+	local fulldata = desync.reasm_data
+	if #data>0 and direction_check(desync) and payload_check(desync) then
+		local range_low = (desync.reasm_offset or 0) + 1
+		local range_hi = range_low + #data
+		local spos = desync.arg.pos or "2"
+		-- check debug to save CPU
+		if b_debug then DLOG("multidisorder_legacy: split pos: "..spos) end
+		local pos = resolve_multi_pos(fulldata, desync.l7payload, spos)
+		if b_debug then DLOG("multidisorder_legacy: resolved split pos: "..table.concat(zero_based_pos(pos)," ")) end
+		DLOG("multidisorder_legacy: reasm piece range: "..(range_low-1).."-"..(range_hi-2))
+		pos_array_normalize(pos, range_low, range_hi)
+		delete_pos_1(pos) -- cannot split at the first byte
+		if #pos>0 then
+			if b_debug then DLOG("multidisorder_legacy: normalized split pos: "..table.concat(zero_based_pos(pos)," ")) end
+			local seqovl
+			if desync.arg.seqovl then
+				seqovl = resolve_pos(fulldata, desync.l7payload, desync.arg.seqovl)
+				if seqovl then
+					DLOG("multidisorder_legacy: resolved seqovl pos: "..(seqovl-1))
+					seqovl = pos_normalize(seqovl, range_low, range_hi)
+					if seqovl then
+						DLOG("multidisorder_legacy: normalized seqovl pos: "..(seqovl-1))
+					else
+						DLOG("multidisorder_legacy: normalized seqovl pos is outside of the reasm piece range")
+					end
+				else
+					DLOG("multidisorder_legacy: seqovl cancelled because could not resolve marker '"..desync.arg.seqovl.."'")
+				end
+			end
+			return multidisorder_send(desync, data, seqovl, pos)
+		else
+			DLOG("multidisorder_legacy: no normalized split pos in this packet")
+			-- send as is with applied options
+			if rawsend_payload_segmented(desync) then
+				return VERDICT_DROP
+			end
+		end
+	end
+end
+
 -- nfqws1 : "--dpi-desync=hostfakesplit"
 -- standard args : direction, payload, fooling, ip_id, rawsend, reconstruct. FOOLING AND REPEATS APPLIED ONLY TO FAKES.
 -- arg : host=<str> - hostname template. generate hosts like "random.template". example : e8nzn.vk.com
@@ -491,7 +570,7 @@ end
 -- arg : nodrop - do not drop current dissect
 function hostfakesplit(ctx, desync)
 	if not desync.dis.tcp then
-		instance_cutoff(ctx)
+		instance_cutoff_shim(ctx, desync)
 		return
 	end
 	direction_cutoff_opposite(ctx, desync)
@@ -600,11 +679,11 @@ end
 -- arg : pattern=<blob> . fill fake parts with this pattern
 -- arg : seqovl=N . decrease seq number of the first segment by N and fill N bytes with pattern (default - all zero)
 -- arg : seqovl_pattern=<blob> . override seqovl pattern
-- arg : blob=<blob> - use this data instead of desync.dis.payload
+-- arg : blob=<blob> - use this data instead of reasm_data
 -- arg : nodrop - do not drop current dissect
 function fakedsplit(ctx, desync)
 	if not desync.dis.tcp then
-		instance_cutoff(ctx)
+		instance_cutoff_shim(ctx, desync)
 		return
 	end
 	direction_cutoff_opposite(ctx, desync)
@@ -616,7 +695,7 @@ function fakedsplit(ctx, desync)
 			local pos = resolve_pos(data, desync.l7payload, spos)
 			if pos then
 				if pos == 1 then
-					DLOG("multidisorder: split pos resolved to 0. cannot split.")
+					DLOG("fakedsplit: split pos resolved to 0. cannot split.")
 				else
 					if b_debug then DLOG("fakedsplit: resolved split pos: "..tostring(pos-1)) end

@@ -697,7 +776,7 @@ end
 -- arg : nodrop - do not drop current dissect
 function fakeddisorder(ctx, desync)
 	if not desync.dis.tcp then
-		instance_cutoff(ctx)
+		instance_cutoff_shim(ctx, desync)
 		return
 	end
 	direction_cutoff_opposite(ctx, desync)
@@ -709,7 +788,7 @@ function fakeddisorder(ctx, desync)
 			local pos = resolve_pos(data, desync.l7payload, spos)
 			if pos then
 				if pos == 1 then
-					DLOG("multidisorder: split pos resolved to 0. cannot split.")
+					DLOG("fakeddisorder: split pos resolved to 0. cannot split.")
 				else
 					if b_debug then DLOG("fakeddisorder: resolved split pos: "..tostring(pos-1)) end

@@ -797,7 +876,7 @@ end
 -- arg : blob=<blob> - use this data instead of desync.dis.payload
 function tcpseg(ctx, desync)
 	if not desync.dis.tcp then
-		instance_cutoff(ctx)
+		instance_cutoff_shim(ctx, desync)
 		return
 	end
 	direction_cutoff_opposite(ctx, desync)
@@ -841,7 +920,7 @@ end
 -- arg : pattern_offset=N . offset in the pattern. 0 by default
 function udplen(ctx, desync)
 	if not desync.dis.udp then
-		instance_cutoff(ctx)
+		instance_cutoff_shim(ctx, desync)
 		return
 	end
 	direction_cutoff_opposite(ctx, desync)
@@ -877,7 +956,7 @@ end
 -- arg : dn=N - message starts from "dN". 2 by default
 function dht_dn(ctx, desync)
 	if not desync.dis.udp then
-		instance_cutoff(ctx)
+		instance_cutoff_shim(ctx, desync)
 		return
 	end
 	direction_cutoff_opposite(ctx, desync)
--- a/lua/zapret-auto.lua
+++ b/lua/zapret-auto.lua
@@ -0,0 +1,487 @@
+-- standard automation/orchestration code
+-- this is related to making dynamic strategy decisions without rewriting or altering strategy function code
+-- orchestrators can decide which instances to call or not to call or pass them dynamic arguments
+-- failure and success detectors test potential block conditions for orchestrators
+
+-- standard host key generator for per-host storage
+-- arg: reqhost - require hostname, do not work with ip
+-- arg: nld=N - cut hostname to N level domain. NLD=2 static.intranet.microsoft.com => microsoft.com
+function standard_hostkey(desync)
+	local hostkey = desync.track and desync.track.hostname
+	if hostkey then
+		if desync.arg.nld and tonumber(desync.arg.nld)>0 and not (desync.track and desync.track.hostname_is_ip) then
+			-- dissect_nld returns nil if domain is invalid or does not have this NLD
+			-- fall back to original hostkey if it fails
+			local hktemp = dissect_nld(hostkey, tonumber(desync.arg.nld))
+			if hktemp then
+				hostkey = hktemp
+			end
+		end
+	elseif not desync.arg.reqhost then
+		hostkey = host_ip(desync)
+	end
+	return hostkey
+end
+
+-- per-host storage
+-- arg: key - a string - table name inside autostate table. to allow multiple orchestrator instances to use single host storage
+-- arg: hostkey - hostkey generator function name
+function automate_host_record(desync)
+	local hostkey, hkf, askey
+
+	if desync.arg.hostkey then
+		if type(_G[desync.arg.hostkey])~="function" then
+			error("automate: invalid hostkey function '"..desync.arg.hostkey.."'")
+		end
+		hkf = _G[desync.arg.hostkey]
+	else
+		hkf = standard_hostkey
+	end
+	hostkey = hkf(desync)
+	if not hostkey then
+		DLOG("automate: host record key unavailable")
+		return nil
+	end
+
+	askey = (desync.arg.key and #desync.arg.key>0) and desync.arg.key or desync.func_instance
+	DLOG("automate: host record key 'autostate."..askey.."."..hostkey.."'")
+	if not autostate then
+		autostate = {}
+	end
+	if not autostate[askey] then
+		autostate[askey] = {}
+	end
+	if not autostate[askey][hostkey] then
+		autostate[askey][hostkey] = {}
+	end
+	return autostate[askey][hostkey]
+end
+-- per-connection storage
+function automate_conn_record(desync)
+	if not desync.track.lua_state.automate then
+		desync.track.lua_state.automate = {}
+	end
+	return desync.track.lua_state.automate
+end
+
+-- counts failure, optionally (if crec is given) prevents dup failure counts in a single connection
+-- if 'maxtime' between failures is exceeded then failure count is reset
+-- return true if threshold ('fails') is reached
+-- hres is host record. host or ip bound table
+-- cres is connection record. connection bound table
+function automate_failure_counter(hrec, crec, fails, maxtime)
+	if crec and crec.failure then
+		DLOG("automate: duplicate failure in the same connection. not counted")
+	else
+		if crec then crec.failure = true end
+		local tnow=os.time()
+		if not hrec.failure_time_last then
+			hrec.failure_time_last = tnow
+		end
+		if not hrec.failure_counter then
+			hrec.failure_counter = 0
+		elseif tnow>(hrec.failure_time_last + maxtime) then
+			DLOG("automate: failure counter reset because last failure was "..(tnow - hrec.failure_time_last).." seconds ago")
+			hrec.failure_counter = 0
+		end
+		hrec.failure_counter = hrec.failure_counter + 1
+		hrec.failure_time_last = tnow
+		if b_debug then DLOG("automate: failure counter "..hrec.failure_counter..(fails and ('/'..fails) or '')) end
+		if fails and hrec.failure_counter>=fails then
+			hrec.failure_counter = nil -- reset counter
+			return true
+		end
+	end
+	return false
+end
+-- resets failure counter if it has started counting
+function automate_failure_counter_reset(hrec)
+	if hrec.failure_counter then
+		DLOG("automate: failure counter reset")
+		hrec.failure_counter = nil
+	end
+end
+
+-- location is url compatible with Location: header
+-- hostname is original hostname
+function is_dpi_redirect(hostname, location)
+	local ds = dissect_url(location)
+	if ds.domain then
+		local sld1 = dissect_nld(hostname,2)
+		local sld2 = dissect_nld(ds.domain,2)
+		return sld2 and sld1~=sld2
+	end
+	return false
+end
+
+function standard_detector_defaults(arg)
+	return {
+		inseq = tonumber(arg.inseq) or 4096,
+		retrans = tonumber(arg.retrans) or 3,
+		maxseq = tonumber(arg.maxseq) or 32768,
+		udp_in = tonumber(arg.udp_in) or 1,
+		udp_out = tonumber(arg.udp_out) or 4,
+		no_http_redirect = arg.no_http_redirect,
+		no_rst = arg.no_rst
+	}
+end
+
+-- standard failure detector
+-- works with tcp and udp
+-- detected failures:
+--   incoming RST
+--   incoming http redirection
+--   outgoing retransmissions
+--   udp too much out with too few in
+-- arg: maxseq=<rseq> - tcp: test retransmissions only within this relative sequence. default is 32K
+-- arg: retrans=N - tcp: retrans count threshold. default is 3
+-- arg: inseq=<rseq> - tcp: maximum relative sequence number to treat incoming RST as DPI reset. default is 4K
+-- arg: no_http_redirect - tcp: disable http_reply dpi redirect trigger
+-- arg: no_rst - tcp: disable incoming RST trigger
+-- arg: udp_out - udp: >= outgoing udp packets. default is 4
+-- arg: udp_in - udp: with <= incoming udp packets. default is 1
+function standard_failure_detector(desync, crec)
+	local arg = standard_detector_defaults(desync.arg)
+	local trigger = false
+	if desync.dis.tcp then
+		local seq = pos_get(desync,'s')
+		if desync.outgoing then
+			if #desync.dis.payload>0 and arg.retrans and arg.maxseq>0 and seq<=arg.maxseq and (crec.retrans or 0)<arg.retrans then
+				if is_retransmission(desync) then
+					crec.retrans = crec.retrans and (crec.retrans+1) or 1
+					DLOG("standard_failure_detector: retransmission "..crec.retrans.."/"..arg.retrans)
+					trigger = crec.retrans>=arg.retrans
+				end
+			end
+		else
+			if not arg.no_rst and arg.inseq>0 and bitand(desync.dis.tcp.th_flags, TH_RST)~=0 and seq>=1 then
+				trigger = seq<=arg.inseq
+				if b_debug then
+					if trigger then
+						DLOG("standard_failure_detector: incoming RST s"..seq.." in range s"..arg.inseq)
+					else
+						DLOG("standard_failure_detector: not counting incoming RST s"..seq.." beyond s"..arg.inseq)
+					end
+				end
+			elseif not arg.no_http_redirect and desync.l7payload=="http_reply" and desync.track.hostname then
+				local hdis = http_dissect_reply(desync.dis.payload)
+				if hdis and (hdis.code==302 or hdis.code==307) and hdis.headers.location and hdis.headers.location then
+					trigger = is_dpi_redirect(desync.track.hostname, hdis.headers.location.value)
+					if b_debug then
+						if trigger then
+							DLOG("standard_failure_detector: http redirect "..hdis.code.." to '"..hdis.headers.location.value.."'. looks like DPI redirect.")
+						else
+							DLOG("standard_failure_detector: http redirect "..hdis.code.." to '"..hdis.headers.location.value.."'. NOT a DPI redirect.")
+						end
+					end
+				end
+			end
+		end
+	elseif desync.dis.udp then
+		if desync.outgoing then
+			if arg.udp_out>0 then
+				local pos_out = pos_get(desync,'n',false)
+				local pos_in = pos_get(desync,'n',true)
+				trigger = pos_out>=arg.udp_out and pos_in<=arg.udp_in
+				if trigger then
+					if b_debug then
+						DLOG("standard_failure_detector: arg.udp_out "..pos_out..">="..arg.udp_out.." arg.udp_in "..pos_in.."<="..arg.udp_in)
+					end
+				end
+			end
+		end
+	end
+	return trigger
+end
+
+-- standard success detector
+-- success means previous failures were temporary and counter should be reset
+-- detected successes:
+--   tcp: outgoing seq is beyond 'maxseq' and maxseq>0
+--   tcp: incoming seq is beyond 'inseq' and inseq>0
+--   udp: incoming packets count > `udp_in` and `udp_out`>0
+-- arg: maxseq=<rseq> - tcp: success if outgoing relative sequence is beyond this value. default is 32K
+-- arg: inseq=<rseq> - tcp: success if incoming relative sequence is beyond this value. default is 4K
+-- arg: udp_out - udp : must be nil or >0 to test udp_in
+-- arg: udp_in - udp: if number if incoming packets > udp_in it means success
+function standard_success_detector(desync, crec)
+	local arg = standard_detector_defaults(desync.arg)
+	if desync.dis.tcp then
+		local seq = pos_get(desync,'s')
+		if desync.outgoing then
+			if arg.maxseq>0 and seq>arg.maxseq then
+				DLOG("standard_success_detector: outgoing s"..seq.." is beyond s"..arg.maxseq..". treating connection as successful")
+				return true
+			end
+		else
+			if arg.inseq>0 and seq>arg.inseq then
+				DLOG("standard_success_detector: incoming s"..seq.." is beyond s"..arg.inseq..". treating connection as successful")
+				return true
+			end
+		end
+	elseif desync.dis.udp then
+		if not desync.outgoing then
+			local pos = pos_get(desync,'n')
+			if arg.udp_out>0 and pos>arg.udp_in then
+				if b_debug then
+					DLOG("standard_success_detector: arg.udp_in "..pos..">"..arg.udp_in)
+				end
+				return true
+			end
+		end
+	end
+
+	return false
+end
+
+-- calls success and failure detectors
+-- resets counter if success is detected
+-- increases counter if failure is detected
+-- returns true if failure counter exceeds threshold
+function automate_failure_check(desync, hrec, crec)
+	if crec.nocheck then return false end
+
+	local failure_detector, success_detector
+	if desync.arg.failure_detector then
+		if type(_G[desync.arg.failure_detector])~="function" then
+			error("automate: invalid failure detector function '"..desync.arg.failure_detector.."'")
+		end
+		failure_detector = _G[desync.arg.failure_detector]
+	else
+		failure_detector = standard_failure_detector
+	end
+	if desync.arg.success_detector then
+		if type(_G[desync.arg.success_detector])~="function" then
+			error("automate: invalid success detector function '"..desync.arg.success_detector.."'")
+		end
+		success_detector = _G[desync.arg.success_detector]
+	else
+		success_detector = standard_success_detector
+	end
+
+	if success_detector(desync, crec) then
+		crec.nocheck = true
+		DLOG("automate: success detected")
+		automate_failure_counter_reset(hrec)
+		return false
+	end
+	if failure_detector(desync, crec) then
+		crec.nocheck = true
+		DLOG("automate: failure detected")
+		local fails = tonumber(desync.arg.fails) or 3
+		local maxtime = tonumber(desync.arg.time) or 60
+		return automate_failure_counter(hrec, crec, fails, maxtime)
+	end
+
+	return false
+end
+
+
+-- circularily change strategy numbers when failure count reaches threshold ('fails')
+-- this orchestrator requires redirection of incoming traffic to cache RST and http replies !
+-- each orchestrated instance must have strategy=N arg, where N starts from 1 and increment without gaps
+-- if 'final' arg is present in an orchestrated instance it stops rotation
+-- arg: fails=N - failture count threshold. default is 3
+-- arg: time=<sec> - if last failure happened earlier than `maxtime` seconds ago - reset failure counter. default is 60.
+-- arg: success_detector - success detector function name
+-- arg: failure_detector - failure detector function name
+-- arg: hostkey - hostkey generator function name
+-- args for failure detector - see standard_failure_detector or your own detector
+-- args for success detector - see standard_success_detector or your own detector
+-- args for hostkey generator - see standard_hostkey or your own generator
+-- test case: --in-range=-s34228 --lua-desync=circular --lua-desync=argdebug:strategy=1 --lua-desync=argdebug:strategy=2
+function circular(ctx, desync)
+	local function count_strategies(hrec)
+		if not hrec.ctstrategy then
+			local uniq={}
+			local n=0
+			for i,instance in pairs(desync.plan) do
+				if instance.arg.strategy then
+					n = tonumber(instance.arg.strategy)
+					if not n or n<1 then
+						error("circular: strategy number '"..tostring(instance.arg.strategy).."' is invalid")
+					end
+					uniq[tonumber(instance.arg.strategy)] = true
+					if instance.arg.final then
+						hrec.final = n
+					end
+				end
+			end
+			n=0
+			for i,v in pairs(uniq) do
+				n=n+1
+			end
+			if n~=#uniq then
+				error("circular: strategies numbers must start from 1 and increment. gaps are not allowed.")
+			end
+			hrec.ctstrategy = n
+		end
+	end
+
+	-- take over execution. prevent further instance execution in case of error
+	orchestrate(ctx, desync)
+
+	if not desync.track then
+		DLOG_ERR("circular: conntrack is missing but required")
+		return
+	end
+
+	local hrec = automate_host_record(desync)
+	if not hrec then
+		DLOG("circular: passing with no tampering")
+		return
+	end
+
+	count_strategies(hrec)
+	if hrec.ctstrategy==0 then
+		error("circular: add strategy=N tag argument to each following instance ! N must start from 1 and increment")
+	end
+	if not hrec.nstrategy then
+		DLOG("circular: start from strategy 1")
+		hrec.nstrategy = 1
+	end
+
+	local verdict = VERDICT_PASS
+	if hrec.final~=hrec.nstrategy then
+		local crec = automate_conn_record(desync)
+		if automate_failure_check(desync, hrec, crec) then
+			hrec.nstrategy = (hrec.nstrategy % hrec.ctstrategy) + 1
+			DLOG("circular: rotate strategy to "..hrec.nstrategy)
+			if hrec.nstrategy == hrec.final then
+				DLOG("circular: final strategy "..hrec.final.." reached. will rotate no more.")
+			end
+		end
+	end
+
+	DLOG("circular: current strategy "..hrec.nstrategy)
+	while true do
+		local instance = plan_instance_pop(desync)
+		if not instance then break end
+		if instance.arg.strategy and tonumber(instance.arg.strategy)==hrec.nstrategy then
+			verdict = plan_instance_execute(desync, verdict, instance)
+		end
+	end
+
+	return verdict
+end
+
+-- test iff functions
+function cond_true(desync)
+	return true
+end
+function cond_false(desync)
+	return false
+end
+-- arg: percent - of true . 50 by default
+function cond_random(desync)
+	return math.random(0,99)<(tonumber(desync.arg.percent) or 50)
+end
+-- this iif function detects packets having 'arg.pattern' string in their payload
+-- test case : --lua-desync=condition:iff=cond_payload_str:pattern=1234 --lua-desync=argdebug:testarg=1 --lua-desync=argdebug:testarg=2:morearg=xyz
+-- test case (true)  : echo aaz1234zzz | ncat -4u 1.1.1.1 443
+-- test case (false) : echo aaze124zzz | ncat -4u 1.1.1.1 443
+function cond_payload_str(desync)
+	if not desync.arg.pattern then
+		error("cond_payload_str: missing 'pattern'")
+	end
+	return string.find(desync.dis.payload,desync.arg.pattern,1,true)
+end
+-- check iff function available. error if not
+function require_iff(desync, name)
+	if not desync.arg.iff then
+		error(name..": missing 'iff' function")
+	end
+	if type(_G[desync.arg.iff])~="function" then
+		error(name..": invalid 'iff' function '"..desync.arg.iff.."'")
+	end
+end
+-- execute further desync instances only if user-provided 'iff' function returns true
+-- for example, this can be used by custom protocol detectors
+-- arg: iff - condition function. takes desync as arg and returns bool. (cant use 'if' because of reserved word)
+-- arg: neg - invert condition function result
+-- test case : --lua-desync=condition:iff=cond_random --lua-desync=argdebug:testarg=1 --lua-desync=argdebug:testarg=2:morearg=xyz
+function condition(ctx, desync)
+	require_iff(desync, "condition")
+	orchestrate(ctx, desync)
+	if logical_xor(_G[desync.arg.iff](desync), desync.arg.neg) then
+		DLOG("condition: true")
+		return replay_execution_plan(desync)
+	else
+		DLOG("condition: false")
+		plan_clear(desync)
+	end
+end
+-- clear execution plan if user provided 'iff' functions returns true
+-- can be used with other orchestrators to stop execution conditionally
+-- arg: iff - condition function. takes desync as arg and returns bool. (cant use 'if' because of reserved word)
+-- arg: neg - invert condition function result
+-- test case : --in-range=-s1 --lua-desync=circular --lua-desync=stopif:iff=cond_random:strategy=1 --lua-desync=argdebug:strategy=1 --lua-desync=argdebug:strategy=2
+function stopif(ctx, desync)
+	require_iff(desync, "stopif")
+	orchestrate(ctx, desync)
+	if logical_xor(_G[desync.arg.iff](desync), desync.arg.neg) then
+		DLOG("stopif: true")
+		plan_clear(desync)
+	else
+		-- do not do anything. allow other orchestrator to finish the plan
+		DLOG("stopif: false")
+	end
+end
+
+-- repeat following 'instances' 'repeats' times, execute others with no tampering
+-- arg: instances - number of following instances to be repeated. 1 by default
+-- arg: repeats - number of repeats
+-- arg: iff - condition function to continue execution. takes desync as arg and returns bool. (cant use 'if' because of reserved word)
+-- arg: neg - invert condition function result
+-- arg: stop - do not replay remaining execution plan after 'instances'
+-- arg: clear - clear execution plan after 'instances'
+-- test case : --lua-desync=repeater:repeats=2:instances=2 --lua-desync=argdebug:v=1 --lua-desync=argdebug:v=2 --lua-desync=argdebug:v=3
+function repeater(ctx, desync)
+	local repeats = tonumber(desync.arg.repeats)
+	if not repeats then
+		error("repeat: missing 'repeats'")
+	end
+	local iff = desync.arg.iff or "cond_true"
+	if type(_G[iff])~="function" then
+		error(name..": invalid 'iff' function '"..iff.."'")
+	end
+	orchestrate(ctx, desync)
+	local neg = desync.arg.neg
+	local stop = desync.arg.stop
+	local clear = desync.arg.clear
+	local verdict = VERDICT_PASS
+	local instances = tonumber(desync.arg.instances) or 1
+	local repinst = desync.func_instance
+	if instances>#desync.plan then
+		instances = #desync.plan
+	end
+	-- save plan copy
+	local plancopy = deepcopy(desync.plan)
+	for r=1,repeats do
+		if not logical_xor(_G[iff](desync), neg) then
+			DLOG("repeater: break by iff")
+			break
+		end
+		DLOG("repeater: "..repinst.." "..r.."/"..repeats)
+		-- nested orchestrators can also pop
+		local ct_end = #desync.plan - instances
+		repeat
+			local instance = plan_instance_pop(desync)
+			verdict = plan_instance_execute(desync, verdict, instance)
+		until #desync.plan <= ct_end
+		-- rollback desync plan
+		desync.plan = deepcopy(plancopy)
+	end
+	-- remove repeated instances from desync plan
+	for i=1,instances do
+		table.remove(desync.plan,1)
+	end
+	if clear then
+		plan_clear(desync)
+		return verdict
+	elseif stop then
+		return verdict
+	end
+	-- replay the rest
+	return verdict_aggregate(verdict, replay_execution_plan(desync))
+end
--- a/lua/zapret-lib.lua
+++ b/lua/zapret-lib.lua
@@ -1,8 +1,8 @@
 HEXDUMP_DLOG_MAX = HEXDUMP_DLOG_MAX or 32
 NOT3=bitnot(3)
 NOT7=bitnot(7)
-math.randomseed(os.time())
-
+-- xor pid,tid,sec,nsec
+math.randomseed(bitxor(getpid(),gettid(),clock_gettime()))

 -- basic desync function
 -- execute given lua code. "desync" is temporary set as global var to be accessible to the code
@@ -35,8 +35,300 @@ function pktdebug(ctx, desync)
 	DLOG("desync:")
 	var_debug(desync)
 end
+-- basic desync function
+-- prints function args
+function argdebug(ctx, desync)
+	var_debug(desync.arg)
+end
+
+-- basic desync function
+-- prints conntrack positions to DLOG
+function posdebug(ctx, desync)
+	if not desync.track then
+		DLOG("posdebug: no track")
+		return
+	end
+	local s="posdebug: "..(desync.outgoing and "out" or "in").." time +"..desync.track.pos.dt.."s direct"
+	for i,pos in pairs({'n','d','b','s','p'}) do
+		s=s.." "..pos..pos_get(desync, pos, false)
+	end
+	s=s.." reverse"
+	for i,pos in pairs({'n','d','b','s','p'}) do
+		s=s.." "..pos..pos_get(desync, pos, true)
+	end
+	s=s.." payload "..#desync.dis.payload
+	if desync.reasm_data then
+		s=s.." reasm "..#desync.reasm_data
+	end
+	if desync.decrypt_data then
+		s=s.." decrypt "..#desync.decrypt_data
+	end
+	if desync.replay_piece_count then
+		s=s.." replay "..desync.replay_piece.."/"..desync.replay_piece_count
+	end
+	DLOG(s)
+end
+
+-- basic desync function
+-- set l7payload to 'arg.payload' if reasm.data or desync.dis.payload contains 'arg.pattern' substring
+-- NOTE : this does not set payload on C code side !
+-- NOTE : C code will not see payload change. --payload args take only payloads known to C code and cause error if unknown.
+-- arg: pattern - substring for search inside reasm_data or desync.dis.payload
+-- arg: payload - set desync.l7payload to this if detected
+-- arg: undetected - set desync.l7payload to this if not detected
+-- test case : --lua-desync=detect_payload_str:pattern=1234:payload=my --lua-desync=fake:blob=0x1234:payload=my
+function detect_payload_str(ctx, desync)
+	if not desync.arg.pattern then
+		error("detect_payload_str: missing 'pattern'")
+	end
+	local data = desync.reasm_data or desync.dis.payload
+	local b = string.find(data,desync.arg.pattern,1,true)
+	if b then
+		DLOG("detect_payload_str: detected '"..desync.arg.payload.."'")
+		if desync.arg.payload then desync.l7payload = desync.arg.payload end
+	else
+		DLOG("detect_payload_str: not detected '"..desync.arg.payload.."'")
+		if desync.arg.undetected then desync.l7payload = desync.arg.undetected end
+	end
+end


+-- this shim is needed then function is orchestrated. ctx services not available
+-- have to emulate cutoff in LUA using connection persistent table track.lua_state
+function instance_cutoff_shim(ctx, desync, dir)
+	if ctx then
+		instance_cutoff(ctx, dir)
+	elseif not desync.track then
+		DLOG("instance_cutoff_shim: cannot cutoff '"..desync.func_instance.."' because conntrack is absent")
+	else
+		if not desync.track.lua_state.cutoff_shim then
+			desync.track.lua_state.cutoff_shim = {}
+		end
+		if not desync.track.lua_state.cutoff_shim[desync.func_instance] then
+			desync.track.lua_state.cutoff_shim[desync.func_instance] = {}
+		end
+		if type(dir)=="nil" then
+			-- cutoff both directions by default
+			desync.track.lua_state.cutoff_shim[desync.func_instance][true] = true
+			desync.track.lua_state.cutoff_shim[desync.func_instance][false] = true
+		else
+			desync.track.lua_state.cutoff_shim[desync.func_instance][dir] = true
+		end
+		if b_debug then DLOG("instance_cutoff_shim: cutoff '"..desync.func_instance.."' in="..tostring(type(dir)=="nil" and true or not dir).." out="..tostring(type(dir)=="nil" or dir)) end
+	end
+end
+function cutoff_shim_check(desync)
+	if not desync.track then
+		DLOG("cutoff_shim_check: cannot check '"..desync.func_instance.."' cutoff because conntrack is absent")
+		return false
+	else
+		local b=desync.track.lua_state.cutoff_shim and
+			desync.track.lua_state.cutoff_shim[desync.func_instance] and
+			desync.track.lua_state.cutoff_shim[desync.func_instance][desync.outgoing]
+		if b and b_debug then 
+			DLOG("cutoff_shim_check: '"..desync.func_instance.."' "..(desync.outgoing and "out" or "in").." cutoff")
+		end
+		return b
+	end
+end
+
+
+-- applies # and $ prefixes. #var means var length, %var means var value
+function apply_arg_prefix(desync)
+	for a,v in pairs(desync.arg) do
+		local c = string.sub(v,1,1)
+		if c=='#' then
+			local blb = blob(desync,string.sub(v,2))
+			desync.arg[a] = (type(blb)=='string' or type(blb)=='table') and #blb or 0
+		elseif c=='%' then
+			desync.arg[a] = blob(desync,string.sub(v,2))
+		elseif c=='\\' then
+			c = string.sub(v,2,2);
+			if c=='#' or c=='%' then
+				desync.arg[a] = string.sub(v,2)
+			end
+		end
+	end
+end
+-- copy instance identification and args from execution plan to desync table
+-- NOTE : to not lose VERDICT_MODIFY dissect changes pass original desync table
+-- NOTE : if a copy was passed and VERDICT_MODIFY returned you must copy modified dissect back to desync table or resend it and return VERDICT_DROP
+-- NOTE : args and some fields are substituted. if you need them - make a copy before calling this.
+function apply_execution_plan(desync, instance)
+	desync.func = instance.func
+	desync.func_n = instance.func_n
+	desync.func_instance = instance.func_instance
+	desync.arg = deepcopy(instance.arg)
+	apply_arg_prefix(desync)
+end
+-- produce resulting verdict from 2 verdicts
+function verdict_aggregate(v1, v2)
+	local v
+	v1 = v1 or VERDICT_PASS
+	v2 = v2 or VERDICT_PASS
+	if v1==VERDICT_DROP or v2==VERDICT_DROP then
+		v=VERDICT_DROP
+	elseif v1==VERDICT_MODIFY or v2==VERDICT_MODIFY then
+		v=VERDICT_MODIFY
+	else
+		v=VERDICT_PASS
+	end
+	return v
+end
+function plan_instance_execute(desync, verdict, instance)
+	apply_execution_plan(desync, instance)
+	if cutoff_shim_check(desync) then
+		DLOG("plan_instance_execute: not calling '"..desync.func_instance.."' because of voluntary cutoff")
+	elseif not payload_match_filter(desync.l7payload, instance.payload_filter) then
+		DLOG("plan_instance_execute: not calling '"..desync.func_instance.."' because payload '"..desync.l7payload.."' does not match filter '"..instance.payload_filter.."'")
+	elseif not pos_check_range(desync, instance.range) then
+		DLOG("plan_instance_execute: not calling '"..desync.func_instance.."' because pos "..pos_str(desync,instance.range.from).." "..pos_str(desync,instance.range.to).." is out of range '"..pos_range_str(instance.range).."'")
+	else
+		DLOG("plan_instance_execute: calling '"..desync.func_instance.."'")
+		verdict = verdict_aggregate(verdict,_G[instance.func](nil, desync))
+	end
+	return verdict
+end
+function plan_instance_pop(desync)
+	return (desync.plan and #desync.plan>0) and table.remove(desync.plan, 1) or nil
+end
+function plan_clear(desync)
+	while table.remove(desync.plan) do end
+end
+-- this approach allows nested orchestrators
+function orchestrate(ctx, desync)
+	if not desync.plan then
+		execution_plan_cancel(ctx)
+		desync.plan = execution_plan(ctx)
+	end
+end
+-- copy desync preserving lua_state
+function desync_copy(desync)
+	local dcopy = deepcopy(desync)
+	if desync.track then
+		-- preserve lua state
+		dcopy.track.lua_state = desync.track.lua_state
+	end
+	if desync.plan then
+		-- preserve execution plan
+		dcopy.plan = desync.plan
+	end
+	return dcopy
+end
+-- redo what whould be done without orchestration
+function replay_execution_plan(desync)
+	local verdict = VERDICT_PASS
+	while true do
+		local instance = plan_instance_pop(desync)
+		if not instance then break end
+		verdict = plan_instance_execute(desync, verdict, instance)
+	end
+	return verdict
+end
+-- this function demonstrates how to stop execution of upcoming desync instances and take over their job
+-- this can be used, for example, for orchestrating conditional processing without modifying of desync functions code
+-- test case : --lua-desync=desync_orchestrator_example --lua-desync=pass --lua-desync=pass
+function desync_orchestrator_example(ctx, desync)
+	DLOG("orchestrator: taking over upcoming desync instances")
+	orchestrate(ctx, desync)
+	return replay_execution_plan(desync)
+end
+
+-- if seq is over 2G s and p position comparision can be wrong
+function pos_counter_overflow(desync, mode, reverse)
+	if not desync.track or not desync.track.tcp or (mode~='s' and mode~='p') then return false end
+	local track_pos = reverse and desync.track.pos.reverse or desync.track.pos.direct
+	return track_pos.tcp.rseq_over_2G
+end
+-- these functions duplicate range check logic from C code
+-- mode must be n,d,b,s,x,a
+-- pos is {mode,pos}
+-- range is {from={mode,pos}, to={mode,pos}, upper_cutoff}
+-- upper_cutoff = true means non-inclusive upper boundary
+function pos_get_pos(track_pos, mode)
+	if track_pos then
+		if mode=='n' then
+			return track_pos.pcounter
+		elseif mode=='d' then
+			return track_pos.pdcounter
+		elseif mode=='b' then
+			return track_pos.pbcounter
+		elseif track_pos.tcp then
+			if mode=='s' then
+				return track_pos.tcp.rseq
+			elseif mode=='p' then
+				return track_pos.tcp.pos
+			end
+		end
+	end
+	return 0
+end
+function pos_get(desync, mode, reverse)
+	if desync.track then
+		local track_pos = reverse and desync.track.pos.reverse or desync.track.pos.direct
+		return pos_get_pos(track_pos,mode)
+	end
+	return 0
+end
+function pos_check_from(desync, range)
+	if range.from.mode == 'x' or pos_counter_overflow(desync, range.from.mode) then return false end
+	if range.from.mode ~= 'a' then
+		if desync.track then
+			return pos_get(desync, range.from.mode) >= range.from.pos
+		else
+			return false
+		end
+	end
+	return true;
+end
+function pos_check_to(desync, range)
+	local ps
+	if range.to.mode == 'x' or pos_counter_overflow(desync, range.to.mode) then return false end
+	if range.to.mode ~= 'a' then
+		if desync.track then
+			ps = pos_get(desync, range.to.mode)
+			return (ps < range.to.pos) or not range.upper_cutoff and (ps == range.to.pos)
+		else
+			return false
+		end
+	end
+	return true;
+end
+function pos_check_range(desync, range)
+	return pos_check_from(desync,range) and pos_check_to(desync,range)
+end
+function pos_range_str(range)
+	return range.from.mode..range.from.pos..(range.upper_cutoff and '<' or '-')..range.to.mode..range.to.pos
+end
+function pos_str(desync, pos)
+	return pos.mode..pos_get(desync, pos.mode)
+end
+
+-- sequence comparision functions. they work only within 2G interval
+-- seq1>=seq2
+function seq_ge(seq1, seq2)
+	return 0==bitand(u32add(seq1, -seq2), 0x80000000)
+end
+-- seq1>seq2
+function seq_gt(seq1, seq2)
+	return seq1~=seq2 and seq_ge(seq1, seq2)
+end
+-- seq1<seq2
+function seq_lt(seq1, seq2)
+	return 0~=bitand(u32add(seq1, -seq2), 0x80000000)
+end
+-- seq1<=seq2
+function seq_le(seq1, seq2)
+	return seq1==seq2 or 0~=bitand(u32add(seq1, -seq2), 0x80000000)
+end
+-- seq_low<=seq<=seq_hi
+function seq_within(seq, seq_low, seq_hi)
+	return seq_ge(seq, seq_low) and seq_le(seq, seq_hi)
+end
+
+function is_retransmission(desync)
+	return desync.track and desync.track.pos.direct.tcp and seq_ge(desync.track.pos.direct.tcp.uppos_prev, desync.track.pos.direct.tcp.pos)
+end

 -- prepare standard rawsend options from desync
 -- repeats - how many time send the packet
@@ -108,12 +400,15 @@ function str_or_hex(s)
 		return s
 	end
 end
+function logical_xor(a,b)
+	return a and not b or not a and b
+end
 -- print to DLOG any variable. tables are expanded in the tree form, unprintables strings are hex dumped
 function var_debug(v)
 	local function dbg(v,level)
 		if type(v)=="table" then
 			for key, value in pairs(v) do
-				DLOG(string.rep(" ",2*level).."."..key)
+				DLOG(string.rep(" ",2*level).."."..tostring(key))
 				dbg(v[key],level+1)
 			end
 		elseif type(v)=="string" then
@@ -301,6 +596,88 @@ function http_dissect_req(http)
 	local uri = string.sub(req,pos,pnext-1)
 	return { method = method, uri = uri, headers = http_dissect_headers(http,hdrpos) }
 end
+function http_dissect_reply(http)
+	if not http then return nil; end
+	local s, pos, code
+	s = string.sub(http,1,8)
+	if s~="HTTP/1.1" and s~="HTTP/1.0" then return nil end
+	pos = string.find(http,"[ \t\r\n]",10)
+	code = tonumber(string.sub(http,10,pos-1))
+	if not code then return nil end
+	pos = find_next_line(http,pos)
+	return { code = code, headers = http_dissect_headers(http,pos) }
+end
+function dissect_url(url)
+	local p1,pb,pstart,pend
+	local proto, creds, domain, port, uri
+	p1 = string.find(url,"[^ \t]")
+	if not p1 then return nil end
+	pb = p1
+	pstart,pend = string.find(url,"[a-z]+://",p1)
+	if pend then
+		proto = string.sub(url,pstart,pend-3)
+		p1 = pend+1
+	end
+	pstart,pend = string.find(url,"[@/]",p1)
+	if pend and string.sub(url,pstart,pend)=='@' then
+		creds = string.sub(url,p1,pend-1)
+		p1 = pend+1
+	end
+	pstart,pend = string.find(url,"/",p1,true)
+	if pend then
+		if pend==pb then
+			uri = string.sub(url,pb)
+		else
+			uri = string.sub(url,pend)
+			domain = string.sub(url,p1,pend-1)
+		end
+	else
+		if proto then
+			domain = string.sub(url,p1)
+		else
+			uri = string.sub(url,p1)
+		end
+	end
+	if domain then
+		pstart,pend = string.find(domain,':',1,true)
+		if pend then
+			port = string.sub(domain, pend+1)
+			domain = string.sub(domain, 1, pstart-1)
+		end
+	end
+	return { proto = proto, creds = creds, domain = domain, port = port, uri=uri }
+end
+function dissect_nld(domain, level)
+	if domain then
+		local n=1
+		for pos=#domain,1,-1 do
+			if string.sub(domain,pos,pos)=='.' then
+				if n==level then
+					return string.sub(domain, pos+1)
+				end
+				n=n+1
+			end
+		end
+		if n==level then
+			return domain
+		end
+	end
+	return nil
+end
+
+-- support sni=%var
+function tls_mod_shim(desync, blob, modlist, payload)
+	local p1,p2 = string.find(modlist,"sni=%%[^,]+")
+	if p1 then
+		local var = string.sub(modlist,p1+5,p2)
+		local val = desync[var] or _G[var]
+		if not val then
+			error("tls_mod_shim: non-existent var '"..var.."'")
+		end
+		modlist = string.sub(modlist,1,p1+3)..val..string.sub(modlist,p2+1)
+	end
+	return tls_mod(blob,modlist,payload)
+end

 -- convert comma separated list of tcp flags to tcp.th_flags bit field
 function parse_tcp_flags(s)
@@ -453,6 +830,7 @@ end
 -- ip6_hopbyhop[=hex] - add hopbyhop ipv6 header with optional data. data size must be 6+N*8. all zero by default.
 -- ip6_hopbyhop2[=hex] - add second hopbyhop ipv6 header with optional data. data size must be 6+N*8. all zero by default.
 -- ip6_destopt[=hex] - add destopt ipv6 header with optional data. data size must be 6+N*8. all zero by default.
+-- ip6_destopt2[=hex] - add second destopt ipv6 header with optional data. data size must be 6+N*8. all zero by default.
 -- ip6_routing[=hex] - add routing ipv6 header with optional data. data size must be 6+N*8. all zero by default.
 -- ip6_ah[=hex] - add authentication ipv6 header with optional data. data size must be 6+N*4. 0000 + 4 random bytes by default.

@@ -513,10 +891,10 @@ function apply_fooling(desync, dis, fooling_options)
 	if not dis then dis = desync.dis end
 	if dis.tcp then
 		if tonumber(fooling_options.tcp_seq) then
-			dis.tcp.th_seq = dis.tcp.th_seq + fooling_options.tcp_seq
+			dis.tcp.th_seq = u32add(dis.tcp.th_seq, fooling_options.tcp_seq)
 		end
 		if tonumber(fooling_options.tcp_ack) then
-			dis.tcp.th_ack = dis.tcp.th_ack + fooling_options.tcp_ack
+			dis.tcp.th_ack = u32add(dis.tcp.th_ack, fooling_options.tcp_ack)
 		end
 		if fooling_options.tcp_flags_unset then
 			dis.tcp.th_flags = bitand(dis.tcp.th_flags, bitnot(parse_tcp_flags(fooling_options.tcp_flags_unset)))
@@ -527,7 +905,7 @@ function apply_fooling(desync, dis, fooling_options)
 		if tonumber(fooling_options.tcp_ts) then
 			local idx = find_tcp_option(dis.tcp.options,TCP_KIND_TS)
 			if idx and (dis.tcp.options[idx].data and #dis.tcp.options[idx].data or 0)==8 then
-				dis.tcp.options[idx].data = bu32(u32(dis.tcp.options[idx].data)+fooling_options.tcp_ts)..string.sub(dis.tcp.options[idx].data,5)
+				dis.tcp.options[idx].data = bu32(u32add(u32(dis.tcp.options[idx].data),fooling_options.tcp_ts))..string.sub(dis.tcp.options[idx].data,5)
 			else
 				DLOG("apply_fooling: timestamp tcp option not present or invalid")
 			end
@@ -744,7 +1122,6 @@ end
 -- send dissect with tcp segmentation based on mss value. appply specified rawsend options.
 function rawsend_dissect_segmented(desync, dis, mss, options)
 	local discopy = deepcopy(dis)
-	apply_ip_id(desync, discopy, options and options.ipid)
 	apply_fooling(desync, discopy, options and options.fooling)

 	if dis.tcp then
@@ -760,6 +1137,7 @@ function rawsend_dissect_segmented(desync, dis, mss, options)
 				len = #payload - pos + 1
 				if len > max_data then len = max_data end
 				discopy.payload = string.sub(payload,pos,pos+len-1)
+				apply_ip_id(desync, discopy, options and options.ipid)
 				if not rawsend_dissect_ipfrag(discopy, options) then
 					-- stop if failed
 					return false
@@ -770,6 +1148,7 @@ function rawsend_dissect_segmented(desync, dis, mss, options)
 			return true
 		end
 	end
+	apply_ip_id(desync, discopy, options and options.ipid)
 	-- no reason to segment
 	return rawsend_dissect_ipfrag(discopy, options)
 end
@@ -796,23 +1175,27 @@ function direction_cutoff_opposite(ctx, desync, def)
 	local dir = desync.arg.dir or def or "out"
 	if dir=="out" then
 		-- cutoff in
-		instance_cutoff(ctx, false)
+		instance_cutoff_shim(ctx, desync, false)
 	elseif dir=="in" then
 		-- cutoff out
-		instance_cutoff(ctx, true)
+		instance_cutoff_shim(ctx, desync, true)
 	end
 end
+
+-- return true if l7payload matches filter l7payload_filter - comma separated list of payload types
+function payload_match_filter(l7payload, l7payload_filter, def)
+	local argpl = l7payload_filter or def or "known"
+	local neg = string.sub(argpl,1,1)=="~"
+	local pl = neg and string.sub(argpl,2) or argpl
+	return neg ~= (in_list(pl, "all") or in_list(pl, l7payload) or in_list(pl, "known") and l7payload~="unknown" and l7payload~="empty")
+end
 -- check if desync payload type comply with payload type list in arg.payload
 -- if arg.payload is not present - check for known payload - not empty and not unknown (nfqws1 behavior without "--desync-any-protocol" option)
 -- if arg.payload is prefixed with '~' - it means negation
 function payload_check(desync, def)
-	local b
-	local argpl = desync.arg.payload or def or "known"
-	local neg = string.sub(argpl,1,1)=="~"
-	local pl = neg and string.sub(argpl,2) or argpl
-
-	b = neg ~= (in_list(pl, "all") or in_list(pl, desync.l7payload) or in_list(pl, "known") and desync.l7payload~="unknown" and desync.l7payload~="empty")
-	if not b then
+	local b = payload_match_filter(desync.l7payload, desync.arg.payload, def)
+	if not b and b_debug then
+		local argpl = desync.arg.payload or def or "known"
 		DLOG("payload_check: payload '"..desync.l7payload.."' does not pass '"..argpl.."' filter")
 	end
 	return b
@@ -883,6 +1266,18 @@ function genhost(len, template)
 	end
 end

+-- return ip addr of target host in text form
+function host_ip(desync)
+	return desync.target.ip and ntop(desync.target.ip) or desync.target.ip6 and ntop(desync.target.ip6)
+end
+-- return hostname of target host if present or ip address in text form otherwise
+function host_or_ip(desync)
+	if desync.track and desync.track.hostname then
+		return desync.track.hostname
+	end
+	return host_ip(desync)
+end
+
 function is_absolute_path(path)
 	if string.sub(path,1,1)=='/' then return true end
 	local un = uname()
@@ -1031,4 +1426,3 @@ function ipfrag2(dis, ipfrag_options)

 	return {dis1,dis2}
 end
-
--- a/lua/zapret-pcap.lua
+++ b/lua/zapret-pcap.lua
@@ -16,7 +16,7 @@ function pcap_write(file, raw)
 	pcap_write_packet(file, raw)
 end

-- test case : nfqws2 --qnum 200 --debug --lua-init=@zapret-lib.lua --lua-init=@zapret-pcap.lua --writeable=zdir --in-range=a --lua-desync=pcap:file=test.pcap
+-- test case : --writeable=zdir --in-range=a --lua-desync=pcap:file=test.pcap
 -- arg : file=<filename> - file for storing pcap data. if --writeable is specified and filename is relative - append filename to writeable path
 -- arg : keep - do not overwrite file, append packets to existing
 function pcap(ctx, desync)
--- a/lua/zapret-tests.lua
+++ b/lua/zapret-tests.lua
@@ -264,8 +264,8 @@ end
 function test_bit()
 	local v, v2, v3, v4, b1, b2, pow

-	v = math.random(0,0xFFFFFFFFFFFF)
-	b1 = math.random(1,15)
+	v = math.random(0,0xFFFFFFFF)
+	b1 = math.random(1,16)

 	v2 = bitrshift(v, b1)
 	pow = 2^b1
@@ -275,17 +275,17 @@ function test_bit()

 	v2 = bitlshift(v, b1)
 	pow = 2^b1
-	v3 = v * pow
-	print(string.format("lshift(0x%X,%u) = 0x%X  0x%X*%u = 0x%X", v,b1,v2, v,pow,v3))
+	v3 = (v * pow) % 0x100000000
+	print(string.format("lshift(0x%X,%u) = 0x%X  0x%X*%u %% 0x10000000 = 0x%X", v,b1,v2, v,pow,v3))
 	test_assert(v2==v3)

-	v2 = math.random(0,0xFFFFFFFFFFFF)
+	v2 = math.random(0,0xFFFFFFFF)
 	v3 = bitxor(v, v2)
 	v4 = bitor(v, v2) - bitand(v, v2)
 	print(string.format("xor(0x%X,0x%X) = %X  or/and/minus = %X", v, v2, v3, v4))
 	test_assert(v3==v4)

-	b2 = b1 + math.random(1,31)
+	b2 = b1 + math.random(1,15)
 	v2 = bitget(v, b1, b2)
 	pow = 2^(b2-b1+1) - 1
 	v3 = bitand(bitrshift(v,b1), pow)
@@ -299,8 +299,32 @@ function test_bit()
 	test_assert(v2==v3)
 end

+function test_ux()
+	local v1, v2, v3, usum, sum
+	for k,test in pairs({
+		{ add=u8add, fname="u8add", max = 0xFF },
+		{ add=u16add, fname="u16add", max = 0xFFFF },
+		{ add=u24add, fname="u24add", max = 0xFFFFFF },
+		{ add=u32add, fname="u32add", max = 0xFFFFFFFF }
+	}) do
+		io.write(test.fname.." : ")
+		for i=1,1000 do
+			v1=math.random(-test.max,test.max)
+			v2=math.random(-test.max,test.max)
+			v3=math.random(-test.max,test.max)
+			usum = test.add(v1,v2,v3)
+			sum = bitand((v1+v2+v3)%(test.max+1),test.max)
+			if sum~=usum then
+				print("FAIL")
+			end
+			test_assert(sum==usum)
+		end
+		print("OK")
+	end
+end
+
 function test_bin(...)
-	test_run({test_ub, test_bit},...)
+	test_run({test_ub, test_bit, test_ux},...)
 end


--- a/lua/zapret-wgobfs.lua
+++ b/lua/zapret-wgobfs.lua
@@ -1,4 +1,4 @@
-- test case : nfqws2 --qnum 200 --debug --lua-init=@zapret-wgobfs.lua --in-range=a --out-range=a --lua-desync=wgobfs:secret=mycoolpassword
+-- test case : --in-range=a --out-range=a --lua-desync=wgobfs:secret=mycoolpassword
 -- encrypt standard wireguard messages - initiation, response, cookie - and change udp packet size
 -- do not encrypt data messages and keepalives
 -- wgobfs adds maximum of 30+padmax bytes to udp size
--- a/nfq2/conntrack.c
+++ b/nfq2/conntrack.c
@@ -37,7 +37,7 @@ void ConntrackClearHostname(t_ctrack *track)
 static void ConntrackClearTrack(t_ctrack *track)
 {
 	ConntrackClearHostname(track);
-	ReasmClear(&track->reasm_orig);
+	ReasmClear(&track->reasm_client);
 	rawpacket_queue_destroy(&track->delayed);
 	luaL_unref(params.L, LUA_REGISTRYINDEX, track->lua_state);
 	luaL_unref(params.L, LUA_REGISTRYINDEX, track->lua_instance_cutoff);
@@ -102,8 +102,7 @@ static void ConntrackInitTrack(t_ctrack *t)
 {
 	memset(t, 0, sizeof(*t));
 	t->l7proto = L7_UNKNOWN;
-	t->scale_orig = t->scale_reply = SCALE_NONE;
-	time(&t->t_start);
+	t->pos.client.scale = t->pos.server.scale = SCALE_NONE;
 	rawpacket_queue_init(&t->delayed);
 	lua_newtable(params.L);
 	t->lua_state = luaL_ref(params.L, LUA_REGISTRYINDEX);
@@ -128,6 +127,41 @@ static t_conntrack_pool *ConntrackNew(t_conntrack_pool **pp, const t_conn *c)
 	return ctnew;
 }

+static void ConntrackApplyPos(const struct tcphdr *tcp, t_ctrack *t, bool bReverse, uint32_t len_payload)
+{
+	uint8_t scale;
+	uint16_t mss;
+	t_ctrack_position *direct, *reverse;
+
+	direct = bReverse ? &t->pos.server : &t->pos.client;
+	reverse = bReverse ? &t->pos.client : &t->pos.server;
+
+	scale = tcp_find_scale_factor(tcp);
+	mss = ntohs(tcp_find_mss(tcp));
+
+	direct->seq_last = ntohl(tcp->th_seq);
+	direct->pos = direct->seq_last + len_payload;
+	reverse->pos = reverse->seq_last = ntohl(tcp->th_ack);
+	if (t->pos.state == SYN)
+		direct->uppos_prev = direct->uppos = direct->pos;
+	else if (len_payload)
+	{
+		direct->uppos_prev = direct->uppos;
+		if (!((direct->pos - direct->uppos) & 0x80000000))
+			direct->uppos = direct->pos;
+	}
+	direct->winsize = ntohs(tcp->th_win);
+	direct->winsize_calc = direct->winsize;
+	if (direct->scale != SCALE_NONE) direct->winsize_calc <<= direct->scale;
+	if (mss && !direct->mss) direct->mss = mss;
+	if (scale != SCALE_NONE) direct->scale = scale;
+
+	if (!direct->rseq_over_2G && ((direct->seq_last - direct->seq0) & 0x80000000))
+		direct->rseq_over_2G = true;
+	if (!reverse->rseq_over_2G && ((reverse->seq_last - reverse->seq0) & 0x80000000))
+		reverse->rseq_over_2G = true;
+}
+
 // non-tcp packets are passed with tcphdr=NULL but len_payload filled
 static void ConntrackFeedPacket(t_ctrack *t, bool bReverse, const struct tcphdr *tcphdr, uint32_t len_payload)
 {
@@ -136,86 +170,53 @@ static void ConntrackFeedPacket(t_ctrack *t, bool bReverse, const struct tcphdr

 	if (bReverse)
 	{
-		t->pcounter_reply++;
-		t->pdcounter_reply += !!len_payload;
-		t->pbcounter_reply += len_payload;
+		t->pos.server.pcounter++;
+		t->pos.server.pdcounter += !!len_payload;
+		t->pos.server.pbcounter += len_payload;
 	}

 	else
 	{
-		t->pcounter_orig++;
-		t->pdcounter_orig += !!len_payload;
-		t->pbcounter_orig += len_payload;
+		t->pos.client.pcounter++;
+		t->pos.client.pdcounter += !!len_payload;
+		t->pos.client.pbcounter += len_payload;
 	}

 	if (tcphdr)
 	{
 		if (tcp_syn_segment(tcphdr))
 		{
-			if (t->state != SYN) ConntrackReInitTrack(t); // erase current entry
-			t->seq0 = ntohl(tcphdr->th_seq);
+			if (t->pos.state != SYN) ConntrackReInitTrack(t); // erase current entry
+			t->pos.client.seq0 = ntohl(tcphdr->th_seq);
 		}
 		else if (tcp_synack_segment(tcphdr))
 		{
 			// ignore SA dups
 			uint32_t seq0 = ntohl(tcphdr->th_ack) - 1;
-			if (t->state != SYN && t->seq0 != seq0)
+			if (t->pos.state != SYN && t->pos.client.seq0 != seq0)
 				ConntrackReInitTrack(t); // erase current entry
-			if (!t->seq0) t->seq0 = seq0;
-			t->ack0 = ntohl(tcphdr->th_seq);
+			if (!t->pos.client.seq0) t->pos.client.seq0 = seq0;
+			t->pos.server.seq0 = ntohl(tcphdr->th_seq);
 		}
 		else if (tcphdr->th_flags & (TH_FIN | TH_RST))
 		{
-			t->state = FIN;
+			t->pos.state = FIN;
 		}
 		else
 		{
-			if (t->state == SYN)
+			if (t->pos.state == SYN)
 			{
-				t->state = ESTABLISHED;
-				if (!bReverse && !t->ack0) t->ack0 = ntohl(tcphdr->th_ack) - 1;
+				t->pos.state = ESTABLISHED;
+				if (!bReverse && !t->pos.server.seq0) t->pos.server.seq0 = ntohl(tcphdr->th_ack) - 1;
 			}
 		}
-		scale = tcp_find_scale_factor(tcphdr);
-		mss = ntohs(tcp_find_mss(tcphdr));
-		if (bReverse)
-		{
-			t->pos_orig = t->seq_last = ntohl(tcphdr->th_ack);
-			t->ack_last = ntohl(tcphdr->th_seq);
-			t->pos_reply = t->ack_last + len_payload;
-			t->winsize_reply = ntohs(tcphdr->th_win);
-			t->winsize_reply_calc = t->winsize_reply;
-			if (t->scale_reply != SCALE_NONE) t->winsize_reply_calc <<= t->scale_reply;
-			if (mss && !t->mss_reply) t->mss_reply = mss;
-			if (scale != SCALE_NONE) t->scale_reply = scale;
-		}
-		else
-		{
-			t->seq_last = ntohl(tcphdr->th_seq);
-			t->pos_orig = t->seq_last + len_payload;
-			t->pos_reply = t->ack_last = ntohl(tcphdr->th_ack);
-			t->winsize_orig = ntohs(tcphdr->th_win);
-			t->winsize_orig_calc = t->winsize_orig;
-			if (t->scale_orig != SCALE_NONE) t->winsize_orig_calc <<= t->scale_orig;
-			if (mss && !t->mss_reply) t->mss_orig = mss;
-			if (scale != SCALE_NONE) t->scale_orig = scale;
-		}
-	}
-	else
-	{
-		if (bReverse)
-		{
-			t->ack_last = t->pos_reply;
-			t->pos_reply += len_payload;
-		}
-		else
-		{
-			t->seq_last = t->pos_orig;
-			t->pos_orig += len_payload;
-		}
+
+		ConntrackApplyPos(tcphdr, t, bReverse, len_payload);
 	}

-	time(&t->t_last);
+	clock_gettime(CLOCK_REALTIME, &t->pos.t_last);
+	// make sure t_start gets exactly the same value as first t_last
+	if (!t->t_start.tv_sec) t->t_start = t->pos.t_last;
 }

 static bool ConntrackPoolDoubleSearchPool(t_conntrack_pool **pp, const struct ip *ip, const struct ip6_hdr *ip6, const struct tcphdr *tcphdr, const struct udphdr *udphdr, t_ctrack **ctrack, bool *bReverse)
@@ -311,25 +312,27 @@ bool ConntrackPoolDrop(t_conntrack *p, const struct ip *ip, const struct ip6_hdr

 void ConntrackPoolPurge(t_conntrack *p)
 {
-	time_t tidle, tnow = time(NULL);
+	time_t tidle;
+	struct timespec tnow;
 	t_conntrack_pool *t, *tmp;

-	if ((tnow - p->t_last_purge) >= p->t_purge_interval)
+	if (clock_gettime(CLOCK_REALTIME, &tnow)) return;
+	if ((tnow.tv_sec - p->t_last_purge) >= p->t_purge_interval)
 	{
 		HASH_ITER(hh, p->pool, t, tmp) {
-			tidle = tnow - t->track.t_last;
+			tidle = tnow.tv_sec - t->track.pos.t_last.tv_sec;
 			if (t->track.b_cutoff ||
 				(t->conn.l4proto == IPPROTO_TCP && (
-				(t->track.state == SYN && tidle >= p->timeout_syn) ||
-					(t->track.state == ESTABLISHED && tidle >= p->timeout_established) ||
-					(t->track.state == FIN && tidle >= p->timeout_fin))
+				(t->track.pos.state == SYN && tidle >= p->timeout_syn) ||
+					(t->track.pos.state == ESTABLISHED && tidle >= p->timeout_established) ||
+					(t->track.pos.state == FIN && tidle >= p->timeout_fin))
 					) || (t->conn.l4proto == IPPROTO_UDP && tidle >= p->timeout_udp)
 				)
 			{
 				HASH_DEL(p->pool, t); ConntrackFreeElem(t);
 			}
 		}
-		p->t_last_purge = tnow;
+		p->t_last_purge = tnow.tv_sec;
 	}
 }

@@ -341,29 +344,31 @@ static void taddr2str(uint8_t l3proto, const t_addr *a, char *buf, size_t bufsiz
 void ConntrackPoolDump(const t_conntrack *p)
 {
 	t_conntrack_pool *t, *tmp;
+	struct timespec tnow;
 	char sa1[40], sa2[40];
-	time_t tnow = time(NULL);
+
+	if (clock_gettime(CLOCK_REALTIME, &tnow)) return;
 	HASH_ITER(hh, p->pool, t, tmp) {
 		taddr2str(t->conn.l3proto, &t->conn.src, sa1, sizeof(sa1));
 		taddr2str(t->conn.l3proto, &t->conn.dst, sa2, sizeof(sa2));
-		printf("%s [%s]:%u => [%s]:%u : %s : t0=%llu last=t0+%llu now=last+%llu orig=d%llu/n%llu/b%llu reply=d%llu/n%llu/b%lld ",
+		printf("%s [%s]:%u => [%s]:%u : %s : t0=%llu last=t0+%llu now=last+%llu client=d%llu/n%llu/b%llu server=d%llu/n%llu/b%lld ",
 			proto_name(t->conn.l4proto),
 			sa1, t->conn.sport, sa2, t->conn.dport,
-			t->conn.l4proto == IPPROTO_TCP ? connstate_s[t->track.state] : "-",
-			(unsigned long long)t->track.t_start, (unsigned long long)(t->track.t_last - t->track.t_start), (unsigned long long)(tnow - t->track.t_last),
-			(unsigned long long)t->track.pdcounter_orig, (unsigned long long)t->track.pcounter_orig, (unsigned long long)t->track.pbcounter_orig,
-			(unsigned long long)t->track.pdcounter_reply, (unsigned long long)t->track.pcounter_reply, (unsigned long long)t->track.pbcounter_reply);
+			t->conn.l4proto == IPPROTO_TCP ? connstate_s[t->track.pos.state] : "-",
+			(unsigned long long)t->track.t_start.tv_sec, (unsigned long long)(t->track.pos.t_last.tv_sec - t->track.t_start.tv_sec), (unsigned long long)(tnow.tv_sec - t->track.pos.t_last.tv_sec),
+			(unsigned long long)t->track.pos.client.pdcounter, (unsigned long long)t->track.pos.client.pcounter, (unsigned long long)t->track.pos.client.pbcounter,
+			(unsigned long long)t->track.pos.server.pdcounter, (unsigned long long)t->track.pos.server.pcounter, (unsigned long long)t->track.pos.server.pbcounter);
 		if (t->conn.l4proto == IPPROTO_TCP)
-			printf("seq0=%u rseq=%u pos_orig=%u ack0=%u rack=%u pos_reply=%u mss_orig=%u mss_reply=%u wsize_orig=%u:%d wsize_reply=%u:%d",
-				t->track.seq0, t->track.seq_last - t->track.seq0, t->track.pos_orig - t->track.seq0,
-				t->track.ack0, t->track.ack_last - t->track.ack0, t->track.pos_reply - t->track.ack0,
-				t->track.mss_orig, t->track.mss_reply,
-				t->track.winsize_orig, t->track.scale_orig == SCALE_NONE ? -1 : t->track.scale_orig,
-				t->track.winsize_reply, t->track.scale_reply == SCALE_NONE ? -1 : t->track.scale_reply);
+			printf("seq0=%u rseq=%u client.pos=%u ack0=%u rack=%u server.pos=%u client.mss=%u server.mss=%u client.wsize=%u:%d server.wsize=%u:%d",
+				t->track.pos.client.seq0, t->track.pos.client.seq_last - t->track.pos.client.seq0, t->track.pos.client.pos - t->track.pos.client.seq0,
+				t->track.pos.server.seq0, t->track.pos.server.seq_last - t->track.pos.server.seq0, t->track.pos.server.pos - t->track.pos.server.seq0,
+				t->track.pos.client.mss, t->track.pos.server.mss,
+				t->track.pos.client.winsize, t->track.pos.client.scale == SCALE_NONE ? -1 : t->track.pos.client.scale,
+				t->track.pos.server.winsize, t->track.pos.server.scale == SCALE_NONE ? -1 : t->track.pos.server.scale);
 		else
-			printf("rseq=%u pos_orig=%u rack=%u pos_reply=%u",
-				t->track.seq_last, t->track.pos_orig,
-				t->track.ack_last, t->track.pos_reply);
+			printf("rseq=%u client.pos=%u rack=%u server.pos=%u",
+				t->track.pos.client.seq_last, t->track.pos.client.pos,
+				t->track.pos.server.seq_last, t->track.pos.server.pos);
 		printf(" req_retrans=%u cutoff=%u lua_in_cutoff=%u lua_out_cutoff=%u hostname=%s l7proto=%s\n",
 			t->track.req_retrans_counter, t->track.b_cutoff, t->track.b_lua_in_cutoff, t->track.b_lua_out_cutoff, t->track.hostname, l7proto_str(t->track.l7proto));
 	};
@@ -394,17 +399,30 @@ bool ReasmResize(t_reassemble *reasm, size_t new_size)
 	if (reasm->size_present > new_size) reasm->size_present = new_size;
 	return true;
 }
+#define REASM_MAX_NEG 0x100000
 bool ReasmFeed(t_reassemble *reasm, uint32_t seq, const void *payload, size_t len)
 {
-	if (reasm->seq != seq) return false; // fail session if out of sequence
-
-	size_t szcopy;
-	szcopy = reasm->size - reasm->size_present;
-	if (len < szcopy) szcopy = len;
-	memcpy(reasm->packet + reasm->size_present, payload, szcopy);
-	reasm->size_present += szcopy;
-	reasm->seq += (uint32_t)szcopy;
+	uint32_t dseq = seq - reasm->seq;
+	if (dseq && (dseq < REASM_MAX_NEG))
+		return false; // fail session if a gap about to appear
+	uint32_t neg_overlap = reasm->seq - seq;
+	if (neg_overlap > REASM_MAX_NEG)
+		return false; // too big minus

+	size_t szcopy, szignore;
+	szignore = (neg_overlap > reasm->size_present) ? neg_overlap - reasm->size_present : 0;
+	if (szignore>=len) return true; // everyting is before the starting pos
+	szcopy = len - szignore;
+	neg_overlap -= szignore;
+	if ((reasm->size_present - neg_overlap + szcopy) > reasm->size)
+		return false; // buffer overflow
+	// in case of seq overlap new data replaces old - unix behavior
+	memcpy(reasm->packet + reasm->size_present - neg_overlap, payload + szignore, szcopy);
+	if (szcopy>neg_overlap)
+	{
+		reasm->size_present += szcopy - neg_overlap;
+		reasm->seq += (uint32_t)szcopy - neg_overlap;
+	}
 	return true;
 }
 bool ReasmHasSpace(t_reassemble *reasm, size_t len)
--- a/nfq2/conntrack.h
+++ b/nfq2/conntrack.h
@@ -8,7 +8,6 @@
 #include <stdint.h>
 #include <ctype.h>
 #include <sys/types.h>
-#include <time.h>
 #include <netinet/in.h>

 #define __FAVOR_BSD
@@ -17,6 +16,7 @@
 #include <netinet/tcp.h>
 #include <netinet/udp.h>

+#include "conntrack_base.h"
 #include "packet_queue.h"
 #include "protocol.h"

@@ -43,43 +43,27 @@ typedef struct
 // this structure helps to reassemble continuous packets streams. it does not support out-of-orders
 typedef struct {
 	uint8_t *packet;		// allocated for size during reassemble request. requestor must know the message size.
-	uint32_t seq;			// current seq number. if a packet comes with an unexpected seq - it fails reassemble session.
+	uint32_t seq;			// current seq number. if a packet comes with unsupported seq overlap - it fails reassemble session.
 	size_t size;			// expected message size. success means that we have received exactly 'size' bytes and have them in 'packet'
 	size_t size_present;		// how many bytes already stored in 'packet'
 } t_reassemble;

-// SYN - SYN or SYN/ACK received
-// ESTABLISHED - any except SYN or SYN/ACK received
-// FIN - FIN or RST received
-typedef enum {SYN=0, ESTABLISHED, FIN} t_connstate;

 typedef struct
 {
 	bool bCheckDone, bCheckResult, bCheckExcluded; // hostlist check result cache
 	uint8_t ipproto;

+	struct timespec t_start;
+
+	// this block of data can change between delayed (queued) packets. need to remeber this data for each packet for further replay
+	t_ctrack_positions pos;
+
 	struct desync_profile *dp;		// desync profile cache
 	bool dp_search_complete;

-	// common state
-	time_t t_start, t_last;
-	uint64_t pcounter_orig, pcounter_reply;	// packet counter
-	uint64_t pdcounter_orig, pdcounter_reply; // data packet counter (with payload)
-	uint64_t pbcounter_orig, pbcounter_reply; // transferred byte counter. includes retransmissions. it's not the same as relative seq.
-	uint32_t pos_orig, pos_reply;		// TCP: seq_last+payload, ack_last+payload  UDP: sum of all seen payload lenghts including current
-	uint32_t seq_last, ack_last;		// TCP: last seen seq and ack  UDP: sum of all seen payload lenghts NOT including current
-
-	// tcp only state, not used in udp
-	t_connstate state;
-	uint32_t seq0, ack0;			// starting seq and ack
-	uint16_t winsize_orig, winsize_reply;	// last seen window size
-	uint8_t scale_orig, scale_reply;	// last seen window scale factor. SCALE_NONE if none
-	uint32_t winsize_orig_calc, winsize_reply_calc;	// calculated window size
-	uint16_t mss_orig, mss_reply;
-	
 	uint8_t req_retrans_counter;		// number of request retransmissions
-	bool req_seq_present,req_seq_finalized,req_seq_abandoned;
-	uint32_t req_seq_start,req_seq_end;	// sequence interval of the request (to track retransmissions)
+	bool failure_detect_finalized;

 	uint8_t incoming_ttl;

@@ -96,7 +80,7 @@ typedef struct
 	int lua_state;				// registry index of associated LUA object
 	int lua_instance_cutoff;		// registry index of per connection function instance cutoff table

-	t_reassemble reasm_orig;
+	t_reassemble reasm_client;
 	struct rawpacket_tailhead delayed;
 } t_ctrack;

--- a/nfq2/conntrack_base.h
+++ b/nfq2/conntrack_base.h
@@ -0,0 +1,40 @@
+#pragma once
+
+#include <time.h>
+
+#define CTRACK_T_SYN	60
+#define CTRACK_T_FIN	60
+#define CTRACK_T_EST	300
+#define CTRACK_T_UDP	60
+
+// SYN - SYN or SYN/ACK received
+// ESTABLISHED - any except SYN or SYN/ACK received
+// FIN - FIN or RST received
+typedef enum {SYN=0, ESTABLISHED, FIN} t_connstate;
+
+typedef struct
+{
+	uint64_t pcounter;	// packet counter
+	uint64_t pdcounter;	// data packet counter (with payload)
+	uint64_t pbcounter;	// transferred byte counter. includes retransmissions. it's not the same as relative seq.
+
+	// tcp only state, not used in udp
+	uint32_t pos;		// TCP: seq_last+payload, ack_last+payload  UDP: sum of all seen payload lenghts including current
+	uint32_t uppos;		// max seen position. useful to detect retransmissions
+	uint32_t uppos_prev; 	// previous max seen position. useful to detect retransmissions
+	uint32_t seq_last;	// TCP: last seen seq and ack  UDP: sum of all seen payload lenghts NOT including current
+	uint32_t seq0;		// starting seq and ack
+	uint16_t winsize;	// last seen window size
+	uint16_t mss;
+	uint32_t winsize_calc;	// calculated window size
+	uint8_t scale;		// last seen window scale factor. SCALE_NONE if none
+	bool rseq_over_2G;
+} t_ctrack_position;
+
+typedef struct
+{
+	struct timespec t_last;
+	t_connstate state;
+	t_ctrack_position client, server;
+}
+t_ctrack_positions;
--- a/nfq2/darkmagic.c
+++ b/nfq2/darkmagic.c
@@ -40,9 +40,6 @@
 #include <linux/genetlink.h>
 #include <libmnl/libmnl.h>
 #include <net/if.h>
-#define _LINUX_IF_H // prevent conflict between linux/if.h and net/if.h in old gcc 4.x
-#include <linux/wireless.h>
-#include <sys/ioctl.h>
 #endif

 uint32_t net32_add(uint32_t netorder_value, uint32_t cpuorder_increment)
@@ -721,13 +718,36 @@ bool prepare_low_appdata()
 	return b;
 }

+BOOL JobSandbox()
+{
+	BOOL bRes = FALSE;
+	HANDLE hJob;
+	JOBOBJECT_BASIC_LIMIT_INFORMATION basic_limit;
+	JOBOBJECT_BASIC_UI_RESTRICTIONS basic_ui;
+
+	if (hJob = CreateJobObjectW(NULL, NULL))
+	{
+		basic_limit.LimitFlags = JOB_OBJECT_LIMIT_ACTIVE_PROCESS;
+		// prevent child process creation
+		basic_limit.ActiveProcessLimit = 1;
+		// prevent some UI interaction and settings change
+		basic_ui.UIRestrictionsClass = JOB_OBJECT_UILIMIT_DESKTOP | JOB_OBJECT_UILIMIT_DISPLAYSETTINGS | JOB_OBJECT_UILIMIT_EXITWINDOWS | JOB_OBJECT_UILIMIT_GLOBALATOMS | JOB_OBJECT_UILIMIT_HANDLES | JOB_OBJECT_UILIMIT_READCLIPBOARD | JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS | JOB_OBJECT_UILIMIT_WRITECLIPBOARD;
+		bRes = SetInformationJobObject(hJob, JobObjectBasicLimitInformation, &basic_limit, sizeof(basic_limit)) &&
+			SetInformationJobObject(hJob, JobObjectBasicUIRestrictions, &basic_ui, sizeof(basic_ui)) &&
+			AssignProcessToJobObject(hJob, GetCurrentProcess());
+		w_win32_error = GetLastError();
+		CloseHandle(hJob);
+	}
+	return bRes;
+}
+

 #define WINDIVERT_DEVICE_NAME "WinDivert"
-static bool b_isandbox_set = false;
+static bool b_sandbox_set = false;
 bool win_sandbox(void)
 {
 	// there's no way to return privs
-	if (!b_isandbox_set)
+	if (!b_sandbox_set)
 	{
 		if (!RemoveTokenPrivs())
 			return FALSE;
@@ -737,8 +757,9 @@ bool win_sandbox(void)
 			return FALSE;
 		if (!LowMandatoryLevel())
 			return false;
-		// for LUA code to find where to store files
-		b_isandbox_set = true;
+		if (!JobSandbox())
+			return false;
+		b_sandbox_set = true;
 	}
 	return true;
 }
@@ -1578,9 +1599,9 @@ bool rawsend_queue(struct rawpacket_tailhead *q)

 // linux-specific wlan retrieval implementation

-typedef void netlink_prepare_nlh_cb_t(struct nlmsghdr *nlh);
+typedef void netlink_prepare_nlh_cb_t(struct nlmsghdr *nlh, void *param);

-static bool netlink_genl_simple_transact(struct mnl_socket* nl, uint16_t type, uint16_t flags, uint8_t cmd, uint8_t version, netlink_prepare_nlh_cb_t cb_prepare_nlh, mnl_cb_t cb_data, void *data)
+static bool netlink_genl_simple_transact(struct mnl_socket* nl, uint16_t type, uint16_t flags, uint8_t cmd, uint8_t version, netlink_prepare_nlh_cb_t cb_prepare_nlh, void *prepare_data, mnl_cb_t cb_data, void *data)
 {
 	char buf[MNL_SOCKET_BUFFER_SIZE];
 	struct nlmsghdr *nlh;
@@ -1595,7 +1616,7 @@ static bool netlink_genl_simple_transact(struct mnl_socket* nl, uint16_t type, u
 	genl->cmd = cmd;
 	genl->version = version;

-	if (cb_prepare_nlh) cb_prepare_nlh(nlh);
+	if (cb_prepare_nlh) cb_prepare_nlh(nlh, prepare_data);

 	if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0)
 	{
@@ -1619,7 +1640,7 @@ static bool netlink_genl_simple_transact(struct mnl_socket* nl, uint16_t type, u
 	return false;
 }

-static void wlan_id_prepare(struct nlmsghdr *nlh)
+static void wlan_id_prepare(struct nlmsghdr *nlh, void *param)
 {
 	mnl_attr_put_strz(nlh, CTRL_ATTR_FAMILY_NAME, "nl80211");
 }
@@ -1651,7 +1672,7 @@ static int wlan_id_cb(const struct nlmsghdr *nlh, void *data)
 static uint16_t wlan_get_family_id(struct mnl_socket* nl)
 {
 	uint16_t id;
-	return netlink_genl_simple_transact(nl, GENL_ID_CTRL, NLM_F_REQUEST | NLM_F_ACK, CTRL_CMD_GETFAMILY, 1, wlan_id_prepare, wlan_id_cb, &id) ? id : 0;
+	return netlink_genl_simple_transact(nl, GENL_ID_CTRL, NLM_F_REQUEST | NLM_F_ACK, CTRL_CMD_GETFAMILY, 1, wlan_id_prepare, NULL, wlan_id_cb, &id) ? id : 0;
 }

 static int wlan_info_attr_cb(const struct nlattr *attr, void *data)
@@ -1686,42 +1707,130 @@ static int wlan_info_attr_cb(const struct nlattr *attr, void *data)
 	}
 	return MNL_CB_OK;
 }
+struct wlan_info_req
+{
+	struct wlan_interface_collection *wc;
+	bool bReqSSID;
+};
 static int wlan_info_cb(const struct nlmsghdr *nlh, void *data)
+{
+	int ret;
+	struct wlan_info_req *wr = (struct wlan_info_req*)data;
+	if (wr->wc->count>=WLAN_INTERFACE_MAX) return MNL_CB_OK;
+	memset(wr->wc->wlan + wr->wc->count,0,sizeof(struct wlan_interface));
+	ret = mnl_attr_parse(nlh, sizeof(struct genlmsghdr), wlan_info_attr_cb, wr->wc->wlan + wr->wc->count);
+	if (ret>=0 && (!wr->bReqSSID || *wr->wc->wlan[wr->wc->count].ssid) && *wr->wc->wlan[wr->wc->count].ifname && wr->wc->wlan[wr->wc->count].ifindex)
+		wr->wc->count++;
+	return ret;
+}
+static bool wlan_info(struct mnl_socket* nl, uint16_t wlan_family_id, struct wlan_interface_collection* w, bool bReqSSID)
+{
+	struct wlan_info_req req = { .bReqSSID = bReqSSID, .wc = w };
+	return netlink_genl_simple_transact(nl, wlan_family_id, NLM_F_REQUEST | NLM_F_ACK | NLM_F_DUMP, NL80211_CMD_GET_INTERFACE, 0, NULL, NULL, wlan_info_cb, &req);
+}
+
+
+static void scan_prepare(struct nlmsghdr *nlh, void *param)
+{
+	mnl_attr_put_u32(nlh, NL80211_ATTR_IFINDEX, *(int*)param);
+}
+static uint8_t *find_ie(uint8_t *buf, size_t len, uint8_t ie)
+{
+	while (len>=2)
+	{
+		if (len<(2+buf[1])) break;
+		if (buf[0]==ie) return buf;
+		buf+=buf[1]+2;
+		len-=buf[1]+2;
+	}
+	return NULL;
+}
+static int scan_info_attr_cb(const struct nlattr *attr, void *data)
+{
+	struct wlan_interface *wlan = (struct wlan_interface *)data;
+	const struct nlattr *nested;
+	uint8_t *payload, *ie;
+	uint16_t payload_len;
+	bool ok;
+
+	switch(mnl_attr_get_type(attr))
+	{
+		case NL80211_ATTR_IFINDEX:
+			if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
+			{
+				DLOG_PERROR("mnl_attr_validate");
+				return MNL_CB_ERROR;
+			}
+			wlan->ifindex = mnl_attr_get_u32(attr);
+			if (!if_indextoname(wlan->ifindex, wlan->ifname))
+				DLOG_PERROR("if_indextoname");
+			break;
+		case NL80211_ATTR_BSS:
+			if (mnl_attr_validate(attr, MNL_TYPE_NESTED) < 0)
+			{
+				DLOG_PERROR("mnl_attr_validate");
+				return MNL_CB_ERROR;
+			}
+			ok = false;
+			mnl_attr_for_each_nested(nested, attr)
+			{
+				if (mnl_attr_get_type(nested)==NL80211_BSS_STATUS)
+				{
+					uint32_t status = mnl_attr_get_u32(nested);
+					if (status==NL80211_BSS_STATUS_ASSOCIATED || status==NL80211_BSS_STATUS_AUTHENTICATED || status==NL80211_BSS_STATUS_IBSS_JOINED)
+					{
+						ok=1;
+						break;
+					}
+				}
+			}
+			if (!ok) break;
+			mnl_attr_for_each_nested(nested, attr)
+			{
+				switch(mnl_attr_get_type(nested))
+				{
+					case NL80211_BSS_INFORMATION_ELEMENTS:
+						payload_len = mnl_attr_get_payload_len(nested);
+						payload = mnl_attr_get_payload(nested);
+						ie = find_ie(payload,payload_len,0);
+						if (ie)
+						{
+							uint8_t l = ie[1];
+							if (l>=(sizeof(wlan->ssid))) l=sizeof(wlan->ssid)-1;
+							memcpy(wlan->ssid,ie+2,l);
+							wlan->ssid[l]=0;
+						}
+						break;
+				}
+			}
+			break;
+	}
+	return MNL_CB_OK;
+}
+static int scan_info_cb(const struct nlmsghdr *nlh, void *data)
 {
 	int ret;
 	struct wlan_interface_collection *wc = (struct wlan_interface_collection*)data;
 	if (wc->count>=WLAN_INTERFACE_MAX) return MNL_CB_OK;
 	memset(wc->wlan+wc->count,0,sizeof(wc->wlan[0]));
-	ret = mnl_attr_parse(nlh, sizeof(struct genlmsghdr), wlan_info_attr_cb, wc->wlan+wc->count);
-	if (ret>=0 && *wc->wlan[wc->count].ifname && wc->wlan[wc->count].ifindex)
-	{
-		if (*wc->wlan[wc->count].ssid)
-			wc->count++;
-		else
-		{
-			// sometimes nl80211 does not return SSID but wireless ext does
-			int wext_fd = socket(AF_INET, SOCK_DGRAM, 0);
-			if (wext_fd!=-1)
-			{
-				struct iwreq req;
-				snprintf(req.ifr_ifrn.ifrn_name,sizeof(req.ifr_ifrn.ifrn_name),"%s",wc->wlan[wc->count].ifname);
-				req.u.essid.pointer = wc->wlan[wc->count].ssid;
-				req.u.essid.length = sizeof(wc->wlan[wc->count].ssid);
-				req.u.essid.flags = 0;
-				if (ioctl(wext_fd, SIOCGIWESSID, &req)!=-1)
-					if (*wc->wlan[wc->count].ssid)
-						wc->count++;
-				close(wext_fd);
-			}
-		}
-	}
+	ret = mnl_attr_parse(nlh, sizeof(struct genlmsghdr), scan_info_attr_cb, wc->wlan+wc->count);
+	if (ret>=0 && *wc->wlan[wc->count].ssid && *wc->wlan[wc->count].ifname && wc->wlan[wc->count].ifindex)
+		wc->count++;
 	return ret;
 }
-static bool wlan_info(struct mnl_socket* nl, uint16_t wlan_family_id, struct wlan_interface_collection* w)
+static bool scan_info(struct mnl_socket* nl, uint16_t wlan_family_id, struct wlan_interface_collection* w)
 {
-	return netlink_genl_simple_transact(nl, wlan_family_id, NLM_F_REQUEST | NLM_F_ACK | NLM_F_DUMP, NL80211_CMD_GET_INTERFACE, 0, NULL, wlan_info_cb, w);
+	struct wlan_interface_collection wc_all = { .count = 0 };
+	// wlan_info does not return ssid since kernel 5.19
+	// it's used to enumerate all wifi interfaces then call scan_info on each
+	if (!wlan_info(nl, wlan_family_id, &wc_all, false)) return false;
+	for(int i=0;i<wc_all.count;i++)
+		if (!netlink_genl_simple_transact(nl, wlan_family_id, NLM_F_REQUEST | NLM_F_ACK | NLM_F_DUMP, NL80211_CMD_GET_SCAN, 0, scan_prepare, (void*)&wc_all.wlan[i].ifindex, scan_info_cb, w))
+			return false;
+	return true;
 }

+
 static bool wlan_init80211(struct mnl_socket** nl)
 {
 	if (!(*nl = mnl_socket_open(NETLINK_GENERIC)))
@@ -1755,7 +1864,7 @@ static bool wlan_info_rate_limited(struct mnl_socket* nl, uint16_t wlan_family_i
 	// do not purge too often to save resources
 	if (wlan_info_last != now)
 	{
-		bres = wlan_info(nl,wlan_family_id,w);
+		bres = scan_info(nl,wlan_family_id,w);
 		wlan_info_last = now;
 	}
 	return bres;
@@ -1781,10 +1890,6 @@ bool wlan_info_init(void)
 	}
 	return true;
 }
-bool wlan_info_get(void)
-{
-	return wlan_info(nl_wifi, id_nl80211, &wlans);
-}
 bool wlan_info_get_rate_limited(void)
 {
 	return wlan_info_rate_limited(nl_wifi, id_nl80211, &wlans);
--- a/nfq2/darkmagic.h
+++ b/nfq2/darkmagic.h
@@ -190,7 +190,6 @@ extern struct wlan_interface_collection wlans;

 void wlan_info_deinit(void);
 bool wlan_info_init(void);
-bool wlan_info_get(void);
 bool wlan_info_get_rate_limited(void);
 const char *wlan_ssid_search_ifname(const char *ifname);
 const char *wlan_ssid_search_ifidx(int ifidx);
--- a/nfq2/desync.c
+++ b/nfq2/desync.c
--- a/nfq2/desync.h
+++ b/nfq2/desync.h
@@ -13,8 +13,10 @@

 #ifdef __linux__
 #define DPI_DESYNC_FWMARK_DEFAULT 0x40000000
-#else
+#elif defined(SO_USER_COOKIE)
 #define DPI_DESYNC_FWMARK_DEFAULT 512
+#else
+#define DPI_DESYNC_FWMARK_DEFAULT 0
 #endif

 uint8_t dpi_desync_packet(uint32_t fwmark, const char *ifin, const char *ifout, const uint8_t *data_pkt, size_t len_pkt, uint8_t *mod_pkt, size_t *len_mod_pkt);
--- a/nfq2/helpers.c
+++ b/nfq2/helpers.c
@@ -514,7 +514,7 @@ bool pf_is_empty(const port_filter *pf)

 bool packet_pos_parse(const char *s, struct packet_pos *pos)
 {
-	if (*s!='n' && *s!='d' && *s!='s' && *s!='b' && *s!='x' && *s!='a') return false;
+	if (*s!='n' && *s!='d' && *s!='s' && *s!='p' && *s!='b' && *s!='x' && *s!='a') return false;
 	pos->mode=*s;
 	if (pos->mode=='x' || pos->mode=='a')
 	{
--- a/nfq2/hostlist.c
+++ b/nfq2/hostlist.c
@@ -258,7 +258,7 @@ static bool HostlistCheck_(const struct hostlist_collection_head *hostlists, con
 // return : true = apply fooling, false = do not apply
 bool HostlistCheck(const struct desync_profile *dp, const char *host, bool no_match_subdomains, bool *excluded, bool bSkipReloadCheck)
 {
-	DLOG("* hostlist check for profile %u\n",dp->n);
+	DLOG("* hostlist check for profile %u (%s)\n",dp->n,PROFILE_NAME(dp));
 	return HostlistCheck_(&dp->hl_collection, &dp->hl_collection_exclude, host, no_match_subdomains, excluded, bSkipReloadCheck);
 }

@@ -301,13 +301,34 @@ struct hostlist_file *RegisterHostlist(struct desync_profile *dp, bool bExclude,
 		filename);
 }

+static void HostlistsDebugProfile(const struct desync_profile *dp, const char *entity)
+{
+	struct hostlist_item *hl_item;
+
+	LIST_FOREACH(hl_item, &dp->hl_collection, next)
+		if (hl_item->hfile!=dp->hostlist_auto)
+		{
+			if (hl_item->hfile->filename)
+				DLOG("%s %u (%s) include hostlist %s%s\n",entity, dp->n, PROFILE_NAME(dp), hl_item->hfile->filename,hl_item->hfile->hostlist ? "" : " (empty)");
+			else
+				DLOG("%s %u (%s) include fixed hostlist%s\n",entity, dp->n, PROFILE_NAME(dp), hl_item->hfile->hostlist ? "" : " (empty)");
+		}
+	LIST_FOREACH(hl_item, &dp->hl_collection_exclude, next)
+	{
+		if (hl_item->hfile->filename)
+			DLOG("%s %u (%s) exclude hostlist %s%s\n",entity, dp->n,PROFILE_NAME(dp),hl_item->hfile->filename,hl_item->hfile->hostlist ? "" : " (empty)");
+		else
+			DLOG("%s %u (%s) exclude fixed hostlist%s\n",entity, dp->n,PROFILE_NAME(dp),hl_item->hfile->hostlist ? "" : " (empty)");
+	}
+	if (dp->hostlist_auto)
+		DLOG("%s %u (%s) auto hostlist %s%s\n",entity, dp->n,PROFILE_NAME(dp),dp->hostlist_auto->filename,dp->hostlist_auto->hostlist ? "" : " (empty)");
+}
 void HostlistsDebug()
 {
 	if (!params.debug) return;

 	struct hostlist_file *hfile;
 	struct desync_profile_list *dpl;
-	struct hostlist_item *hl_item;

 	LIST_FOREACH(hfile, &params.hostlists, next)
 	{
@@ -319,22 +340,10 @@ void HostlistsDebug()

 	LIST_FOREACH(dpl, &params.desync_profiles, next)
 	{
-		LIST_FOREACH(hl_item, &dpl->dp.hl_collection, next)
-			if (hl_item->hfile!=dpl->dp.hostlist_auto)
-			{
-				if (hl_item->hfile->filename)
-					DLOG("profile %u include hostlist %s%s\n",dpl->dp.n, hl_item->hfile->filename,hl_item->hfile->hostlist ? "" : " (empty)");
-				else
-					DLOG("profile %u include fixed hostlist%s\n",dpl->dp.n, hl_item->hfile->hostlist ? "" : " (empty)");
-			}
-		LIST_FOREACH(hl_item, &dpl->dp.hl_collection_exclude, next)
-		{
-			if (hl_item->hfile->filename)
-				DLOG("profile %u exclude hostlist %s%s\n",dpl->dp.n,hl_item->hfile->filename,hl_item->hfile->hostlist ? "" : " (empty)");
-			else
-				DLOG("profile %u exclude fixed hostlist%s\n",dpl->dp.n,hl_item->hfile->hostlist ? "" : " (empty)");
-		}
-		if (dpl->dp.hostlist_auto)
-			DLOG("profile %u auto hostlist %s%s\n",dpl->dp.n,dpl->dp.hostlist_auto->filename,dpl->dp.hostlist_auto->hostlist ? "" : " (empty)");
+		HostlistsDebugProfile(&dpl->dp, "profile");
+	}
+	LIST_FOREACH(dpl, &params.desync_templates, next)
+	{
+		HostlistsDebugProfile(&dpl->dp, "template");
 	}
 }
--- a/nfq2/ipset.c
+++ b/nfq2/ipset.c
@@ -235,7 +235,7 @@ static bool IpsetCheck_(const struct ipset_collection_head *ips, const struct ip
 bool IpsetCheck(const struct desync_profile *dp, const struct in_addr *ipv4, const struct in6_addr *ipv6)
 {
 	if (PROFILE_IPSETS_ABSENT(dp)) return true;
-	DLOG("* ipset check for profile %u\n",dp->n);
+	DLOG("* ipset check for profile %u (%s)\n",dp->n,PROFILE_NAME(dp));
 	return IpsetCheck_(&dp->ips_collection,&dp->ips_collection_exclude,ipv4,ipv6);
 }

@@ -287,13 +287,31 @@ static const char *dbg_ipset_fill(const ipset *ips)
 		else
 			return "empty";
 }
+void IpsetsDebugProfile(const struct desync_profile *dp, const char *entity)
+{
+	struct ipset_item *ips_item;
+
+	LIST_FOREACH(ips_item, &dp->ips_collection, next)
+	{
+		if (ips_item->hfile->filename)
+			DLOG("%s %u (%s) include ipset %s (%s)\n",entity,dp->n,PROFILE_NAME(dp),ips_item->hfile->filename,dbg_ipset_fill(&ips_item->hfile->ipset));
+		else
+			DLOG("%s %u (%s) include fixed ipset (%s)\n",entity,dp->n,PROFILE_NAME(dp),dbg_ipset_fill(&ips_item->hfile->ipset));
+	}
+	LIST_FOREACH(ips_item, &dp->ips_collection_exclude, next)
+	{
+		if (ips_item->hfile->filename)
+			DLOG("%s %u (%s) exclude ipset %s (%s)\n",entity,dp->n,PROFILE_NAME(dp),ips_item->hfile->filename,dbg_ipset_fill(&ips_item->hfile->ipset));
+		else
+			DLOG("%s %u (%s) exclude fixed ipset (%s)\n",entity,dp->n,PROFILE_NAME(dp),dbg_ipset_fill(&ips_item->hfile->ipset));
+	}
+}
 void IpsetsDebug()
 {
 	if (!params.debug) return;

 	struct ipset_file *hfile;
 	struct desync_profile_list *dpl;
-	struct ipset_item *ips_item;

 	LIST_FOREACH(hfile, &params.ipsets, next)
 	{
@@ -305,15 +323,10 @@ void IpsetsDebug()

 	LIST_FOREACH(dpl, &params.desync_profiles, next)
 	{
-		LIST_FOREACH(ips_item, &dpl->dp.ips_collection, next)
-			if (ips_item->hfile->filename)
-				DLOG("profile %u include ipset %s (%s)\n",dpl->dp.n,ips_item->hfile->filename,dbg_ipset_fill(&ips_item->hfile->ipset));
-			else
-				DLOG("profile %u include fixed ipset (%s)\n",dpl->dp.n,dbg_ipset_fill(&ips_item->hfile->ipset));
-		LIST_FOREACH(ips_item, &dpl->dp.ips_collection_exclude, next)
-			if (ips_item->hfile->filename)
-				DLOG("profile %u exclude ipset %s (%s)\n",dpl->dp.n,ips_item->hfile->filename,dbg_ipset_fill(&ips_item->hfile->ipset));
-			else
-				DLOG("profile %u exclude fixed ipset (%s)\n",dpl->dp.n,dbg_ipset_fill(&ips_item->hfile->ipset));
+		IpsetsDebugProfile(&dpl->dp, "profile");
+	}
+	LIST_FOREACH(dpl, &params.desync_templates, next)
+	{
+		IpsetsDebugProfile(&dpl->dp, "template");
 	}
 }
--- a/nfq2/lua.c
+++ b/nfq2/lua.c
@@ -19,6 +19,11 @@
 #include "crypto/aes-ctr.h"


+void desync_instance(const char *func, unsigned int dp_n, unsigned int func_n, char *instance, size_t inst_size)
+{
+	snprintf(instance, inst_size, "%s_%u_%u", func, dp_n, func_n);
+}
+
 static void lua_check_argc(lua_State *L, const char *where, int argc)
 {
 	int num_args = lua_gettop(L);
@@ -63,72 +68,100 @@ static int luacall_DLOG_CONDUP(lua_State *L)
 static int luacall_bitlshift(lua_State *L)
 {
 	lua_check_argc(L,"bitlshift",2);
-	lua_pushinteger(L,luaL_checkinteger(L,1) << luaL_checkinteger(L,2));
+	int64_t v=(int64_t)luaL_checklint(L,1);
+	if (v>0xFFFFFFFF || v<-(int64_t)0xFFFFFFFF) luaL_error(L, "out of range");
+	lua_pushlint(L,((uint32_t)v) << luaL_checkinteger(L,2));
 	return 1;
 }
 static int luacall_bitrshift(lua_State *L)
 {
 	lua_check_argc(L,"bitrshift",2);
-	lua_pushinteger(L,((LUA_UNSIGNED)luaL_checkinteger(L,1)) >> luaL_checkinteger(L,2));
+	int64_t v=(int64_t)luaL_checklint(L,1);
+	if (v>0xFFFFFFFF || v<-(int64_t)0xFFFFFFFF) luaL_error(L, "out of range");
+	lua_pushlint(L,((uint32_t)v) >> luaL_checkinteger(L,2));
 	return 1;
 }
 static int luacall_bitand(lua_State *L)
 {
 	lua_check_argc_range(L,"bitand",2,100);
 	int argc = lua_gettop(L);
-	lua_Integer v=luaL_checkinteger(L,1);
-	for(int i=2;i<=argc;i++) v&=luaL_checkinteger(L,i);
-	lua_pushinteger(L,v);
+	int64_t v;
+	uint32_t sum=0xFFFFFFFF;
+	for(int i=1;i<=argc;i++)
+	{
+		v=(int64_t)luaL_checklint(L,i);
+		if (v>0xFFFFFFFF || v<-(int64_t)0xFFFFFFFF) luaL_error(L, "out of range");
+		sum&=(uint32_t)v;
+	}
+	lua_pushlint(L,sum);
 	return 1;
 }
 static int luacall_bitor(lua_State *L)
 {
-	lua_check_argc_range(L,"bitor",2,100);
+	lua_check_argc_range(L,"bitor",1,100);
 	int argc = lua_gettop(L);
-	lua_Integer v=0;
-	for(int i=1;i<=argc;i++) v|=luaL_checkinteger(L,i);
-	lua_pushinteger(L,v);
+	int64_t v;
+	uint32_t sum=0;
+	for(int i=1;i<=argc;i++)
+	{
+		v=(int64_t)luaL_checklint(L,i);
+		if (v>0xFFFFFFFF || v<-(int64_t)0xFFFFFFFF) luaL_error(L, "out of range");
+		sum|=(uint32_t)v;
+	}
+	lua_pushlint(L,sum);
 	return 1;
 }
 static int luacall_bitnot(lua_State *L)
 {
 	lua_check_argc(L,"bitnot",1);
-	lua_pushinteger(L,~luaL_checkinteger(L,1));
+	lua_pushlint(L,~(uint32_t)luaL_checklint(L,1));
 	return 1;
 }
 static int luacall_bitxor(lua_State *L)
 {
-	lua_check_argc_range(L,"bitxor",2,100);
+	lua_check_argc_range(L,"bitxor",1,100);
 	int argc = lua_gettop(L);
-	lua_Integer v=0;
-	for(int i=1;i<=argc;i++) v^=luaL_checkinteger(L,i);
-	lua_pushinteger(L,v);
+	int64_t v;
+	uint32_t sum=0;
+	for(int i=1;i<=argc;i++)
+	{
+		v=(int64_t)luaL_checklint(L,i);
+		if (v>0xFFFFFFFF || v<-(int64_t)0xFFFFFFFF) luaL_error(L, "out of range");
+		sum^=(uint32_t)v;
+	}
+	lua_pushlint(L,sum);
 	return 1;
 }
 static int luacall_bitget(lua_State *L)
 {
 	lua_check_argc(L,"bitget",3);

-	LUA_UNSIGNED what = (LUA_UNSIGNED)luaL_checkinteger(L,1);
+	int64_t iwhat = (int64_t)luaL_checklint(L,1);
+	if (iwhat>0xFFFFFFFF || iwhat<-(int64_t)0xFFFFFFFF) luaL_error(L, "out of range");
+	uint32_t what = (uint32_t)iwhat;
 	lua_Integer from = luaL_checkinteger(L,2);
 	lua_Integer to = luaL_checkinteger(L,3);
-	if (from>to || from>63 || to>63)
+	if (from>to || from>31 || to>31)
 		luaL_error(L, "bit range invalid");

 	what = (what >> from) & ~((lua_Integer)-1 << (to-from+1));

-	lua_pushinteger(L,what);
+	lua_pushlint(L,what);
 	return 1;
 }
 static int luacall_bitset(lua_State *L)
 {
 	lua_check_argc(L,"bitset",4);

-	LUA_UNSIGNED what = (LUA_UNSIGNED)luaL_checkinteger(L,1);
+	int64_t iwhat = (int64_t)luaL_checklint(L,1);
+	if (iwhat>0xFFFFFFFF || iwhat<-(int64_t)0xFFFFFFFF) luaL_error(L, "out of range");
+	uint32_t what = (uint32_t)iwhat;
 	lua_Integer from = luaL_checkinteger(L,2);
 	lua_Integer to = luaL_checkinteger(L,3);
-	LUA_UNSIGNED set = (LUA_UNSIGNED)luaL_checkinteger(L,4);
-	if (from>to || from>63 || to>63)
+	int64_t iset = (int64_t)luaL_checklint(L,4);
+	if (iset>0xFFFFFFFF || iset<-(int64_t)0xFFFFFFFF) luaL_error(L, "out of range");
+	uint32_t set = (uint32_t)iset;
+	if (from>to || from>31 || to>31)
 		luaL_error(L, "bit range invalid");

 	lua_Integer mask = ~((lua_Integer)-1 << (to-from+1));
@@ -136,7 +169,7 @@ static int luacall_bitset(lua_State *L)
 	mask <<= from;
 	what = what & ~mask | set;

-	lua_pushinteger(L,what);
+	lua_pushlint(L,what);
 	return 1;
 }

@@ -193,15 +226,15 @@ static int luacall_u32(lua_State *L)
 	offset = (argc>=2 && lua_type(L,2)!=LUA_TNIL) ? luaL_checkinteger(L,2)-1 : 0;
 	if (offset<0 || (offset+4)>l) luaL_error(L, "out of range");

-	lua_pushinteger(L,pntoh32(p+offset));
+	lua_pushlint(L,pntoh32(p+offset));
 	return 1;
 }
 static int luacall_swap16(lua_State *L)
 {
 	lua_check_argc(L,"swap16",1);

-	lua_Integer i = luaL_checkinteger(L,1);
-	if (i>0xFFFF || i<-(lua_Integer)0xFFFF) luaL_error(L, "out of range");
+	int64_t i = (int64_t)luaL_checklint(L,1);
+	if (i>0xFFFF || i<-(int64_t)0xFFFF) luaL_error(L, "out of range");
 	uint16_t u = (uint16_t)i;
 	// __builtin_bswap16 is absent in ancient lexra gcc 4.6
 	lua_pushinteger(L,(u>>8) | ((u&0xFF)<<8));
@@ -211,17 +244,52 @@ static int luacall_swap32(lua_State *L)
 {
 	lua_check_argc(L,"swap32",1);

-	lua_Integer i = luaL_checkinteger(L,1);
-	if (i>0xFFFFFFFF || i<-(lua_Integer)0xFFFFFFFF) luaL_error(L, "out of range");
+	int64_t i =(int64_t)luaL_checklint(L,1);
+	if (i>0xFFFFFFFF || i<-(int64_t)0xFFFFFFFF) luaL_error(L, "out of range");
 	uint32_t u = (uint32_t)i;
-	lua_pushinteger(L,__builtin_bswap32(u));
+	lua_pushlint(L,__builtin_bswap32(u));
 	return 1;
 }
+static int lua_uxadd(lua_State *L, uint32_t max)
+{
+	int64_t v;
+	uint32_t sum=0;
+	int argc = lua_gettop(L);
+	for(int i=1;i<=argc;i++)
+	{
+		v = (int64_t)luaL_checklint(L,i);
+		if (v>max || v<-(int64_t)max) luaL_error(L, "out of range");
+		sum+=(uint32_t)v;
+	}
+	lua_pushlint(L, sum & max);
+	return 1;
+}
+static int luacall_u8add(lua_State *L)
+{
+	lua_check_argc_range(L,"u8add",1,100);
+	return lua_uxadd(L, 0xFF);
+}
+static int luacall_u16add(lua_State *L)
+{
+	lua_check_argc_range(L,"u16add",1,100);
+	return lua_uxadd(L, 0xFFFF);
+}
+static int luacall_u24add(lua_State *L)
+{
+	lua_check_argc_range(L,"u24add",1,100);
+	return lua_uxadd(L, 0xFFFFFF);
+}
+static int luacall_u32add(lua_State *L)
+{
+	lua_check_argc_range(L,"u32add",1,100);
+	return lua_uxadd(L, 0xFFFFFFFF);
+}
+
 static int luacall_bu8(lua_State *L)
 {
 	lua_check_argc(L,"bu8",1);

-	lua_Integer i = luaL_checkinteger(L,1);
+	int64_t i = (int64_t)luaL_checklint(L,1);
 	if (i>0xFF || i<-(lua_Integer)0xFF) luaL_error(L, "out of range");
 	uint8_t v=(uint8_t)i;
 	lua_pushlstring(L,(char*)&v,1);
@@ -231,7 +299,7 @@ static int luacall_bu16(lua_State *L)
 {
 	lua_check_argc(L,"bu16",1);

-	lua_Integer i = luaL_checkinteger(L,1);
+	int64_t i = (int64_t)luaL_checklint(L,1);
 	if (i>0xFFFF || i<-(lua_Integer)0xFFFF) luaL_error(L, "out of range");
 	uint8_t v[2];
 	phton16(v,(uint16_t)i);
@@ -242,7 +310,7 @@ static int luacall_bu24(lua_State *L)
 {
 	lua_check_argc(L,"bu24",1);

-	lua_Integer i = luaL_checkinteger(L,1);
+	int64_t i = (int64_t)luaL_checklint(L,1);
 	if (i>0xFFFFFF || i<-(lua_Integer)0xFFFFFF) luaL_error(L, "out of range");
 	uint8_t v[3];
 	phton24(v,(uint32_t)i);
@@ -253,8 +321,8 @@ static int luacall_bu32(lua_State *L)
 {
 	lua_check_argc(L,"bu32",1);

-	lua_Integer i = luaL_checkinteger(L,1);
-	if (i>0xFFFFFFFF || i<-(lua_Integer)0xFFFFFFFF) luaL_error(L, "out of range");
+	int64_t i = (int64_t)luaL_checklint(L,1);
+	if (i>0xFFFFFFFF || i<-(int64_t)0xFFFFFFFF) luaL_error(L, "out of range");
 	uint8_t v[4];
 	phton32(v,(uint32_t)i);
 	lua_pushlstring(L,(char*)v,4);
@@ -264,10 +332,10 @@ static int luacall_bu32(lua_State *L)
 static int luacall_divint(lua_State *L)
 {
 	lua_check_argc(L,"divint",2);
-	lua_Integer v1=luaL_checkinteger(L,1);
-	lua_Integer v2=luaL_checkinteger(L,2);
+	int64_t v1=(int64_t)luaL_checklint(L,1);
+	int64_t v2=(int64_t)luaL_checklint(L,2);
 	if (v2)
-		lua_pushinteger(L,v1/v2);
+		lua_pushlint(L,v1/v2);
 	else
 		lua_pushnil(L);
 	return 1;
@@ -617,61 +685,78 @@ static int luacall_clock_gettime(lua_State *L)
 	}
 	else
 	{
-		lua_pushinteger(L, ts.tv_sec);
+		lua_pushlint(L, ts.tv_sec);
 		lua_pushinteger(L, ts.tv_nsec);
 	}
 	LUA_STACK_GUARD_RETURN(L,2)
 }
+
+static t_lua_desync_context *lua_desync_ctx()
+{
+	if (lua_isnil(params.L,1))
+		luaL_error(params.L, "missing ctx");
+	if (!lua_islightuserdata(params.L,1))
+		luaL_error(params.L, "bad ctx - invalid data type");
+
+	t_lua_desync_context *ctx = lua_touserdata(params.L,1);
+	// ensure it's really ctx. LUA could pass us any lightuserdata pointer
+	if (ctx->magic!=MAGIC_CTX)
+		luaL_error(params.L, "bad ctx - magic bytes invalid");
+
+	return ctx;
+}
+
 static int luacall_instance_cutoff(lua_State *L)
 {
-	// out : func_name.profile_number[0]
-	// in  : func_name.profile_number[1]
+	// out : instance_name.profile_number[0]
+	// in  : instance_name.profile_number[1]

 	lua_check_argc_range(L,"instance_cutoff",1,2);

 	LUA_STACK_GUARD_ENTER(L)

-	const t_lua_desync_context *ctx;
-
-	if (!lua_islightuserdata(L,1))
-		luaL_error(L, "instance_cutoff expect desync context in the first argument");
-	ctx = lua_touserdata(L,1);
-
-	int argc=lua_gettop(L);
-	bool bIn,bOut;
-	if (argc>=2)
-	{
-		luaL_checktype(L,2,LUA_TBOOLEAN);
-		bOut = lua_toboolean(L,2);
-		bIn = !bOut;
-	}
+	if (lua_isnil(L,1))
+		// this can happen in orchestrated function. they do not have their own ctx and they cant cutoff
+		DLOG("instance cutoff not possible because missing ctx\n");
 	else
-		bIn = bOut = true;
-
-	if (ctx->ctrack)
 	{
-		DLOG("instance cutoff for '%s' in=%u out=%u\n",ctx->instance,bIn,bOut);
-		lua_rawgeti(L,LUA_REGISTRYINDEX,ctx->ctrack->lua_instance_cutoff);
-		lua_getfield(L,-1,ctx->instance);
-		if (!lua_istable(L,-1))
+		const t_lua_desync_context *ctx = lua_desync_ctx();
+
+		int argc=lua_gettop(L);
+		bool bIn,bOut;
+		if (argc>=2 && lua_type(L,2)!=LUA_TNIL)
 		{
-			lua_pop(L,1);
-			lua_pushf_table(ctx->instance);
+			luaL_checktype(L,2,LUA_TBOOLEAN);
+			bOut = lua_toboolean(L,2);
+			bIn = !bOut;
+		}
+		else
+			bIn = bOut = true;
+		if (ctx->ctrack)
+		{
+			DLOG("instance cutoff for '%s' in=%u out=%u\n",ctx->instance,bIn,bOut);
+			lua_rawgeti(L,LUA_REGISTRYINDEX,ctx->ctrack->lua_instance_cutoff);
 			lua_getfield(L,-1,ctx->instance);
-		}
-		lua_rawgeti(L,-1,ctx->dp->n);
-		if (!lua_istable(L,-1))
-		{
-			lua_pop(L,1);
-			lua_pushi_table(ctx->dp->n);
+			if (!lua_istable(L,-1))
+			{
+				lua_pop(L,1);
+				lua_pushf_table(ctx->instance);
+				lua_getfield(L,-1,ctx->instance);
+			}
 			lua_rawgeti(L,-1,ctx->dp->n);
+			if (!lua_istable(L,-1))
+			{
+				lua_pop(L,1);
+				lua_pushi_table(ctx->dp->n);
+				lua_rawgeti(L,-1,ctx->dp->n);
+			}
+			if (bOut) lua_pushi_bool(0,true);
+			if (bIn) lua_pushi_bool(1,true);
+			lua_pop(L,3);
 		}
-		if (bOut) lua_pushi_bool(0,true);
-		if (bIn) lua_pushi_bool(1,true);
-		lua_pop(L,3);
+		else
+			DLOG("instance cutoff requested for '%s' in=%u out=%u but not possible without conntrack\n",ctx->instance,bIn,bOut);
 	}
-	else
-		DLOG("instance cutoff requested for '%s' in=%u out=%u but not possible without conntrack\n",ctx->instance,bIn,bOut);

 	LUA_STACK_GUARD_RETURN(L,0)
 }
@@ -705,17 +790,97 @@ bool lua_instance_cutoff_check(const t_lua_desync_context *ctx, bool bIn)
 	return b;
 }

+static int luacall_lua_cutoff(lua_State *L)
+{
+	lua_check_argc_range(L,"lua_cutoff",1,2);
+
+	LUA_STACK_GUARD_ENTER(L)
+
+	t_lua_desync_context *ctx = lua_desync_ctx();
+
+	int argc=lua_gettop(L);
+	bool bIn,bOut;
+	if (argc>=2 && lua_type(L,2)!=LUA_TNIL)
+	{
+		luaL_checktype(L,2,LUA_TBOOLEAN);
+		bOut = lua_toboolean(L,2);
+		bIn = !bOut;
+	}
+	else
+		bIn = bOut = true;
+
+	if (ctx->ctrack)
+	{
+		DLOG("lua cutoff from '%s' in=%u out=%u\n",ctx->instance,bIn,bOut);
+		// lua cutoff is one way transition
+		if (bIn) ctx->ctrack->b_lua_in_cutoff = true;
+		if (bOut) ctx->ctrack->b_lua_out_cutoff = true;
+	}
+	else
+		DLOG("lua cutoff requested from '%s' in=%u out=%u but not possible without conntrack\n",ctx->instance,bIn,bOut);
+
+	LUA_STACK_GUARD_RETURN(L,0)
+}
+
+static int luacall_execution_plan(lua_State *L)
+{
+	lua_check_argc(L,"execution_plan",1);
+
+	LUA_STACK_GUARD_ENTER(L)
+
+	t_lua_desync_context *ctx = lua_desync_ctx();
+
+	lua_newtable(L);
+
+	struct func_list *func;
+	char instance[256], pls[2048];
+	struct packet_range *range;
+	unsigned int n=1;
+	LIST_FOREACH(func, &ctx->dp->lua_desync, next)
+	{
+		if (n > ctx->func_n)
+		{
+			desync_instance(func->func, ctx->dp->n, n, instance, sizeof(instance));
+			range = ctx->incoming ? &func->range_in : &func->range_out;
+			lua_pushinteger(params.L, n - ctx->func_n);
+			lua_createtable(params.L, 0, 6);
+			lua_pushf_args(&func->args, -1, false);
+			lua_pushf_str("func", func->func);
+			lua_pushf_int("func_n", ctx->func_n);
+			lua_pushf_str("func_instance", instance);
+			lua_pushf_range("range", range);
+			if (l7_payload_str_list(func->payload_type, pls, sizeof(pls)))
+				lua_pushf_str("payload_filter", pls);
+			else
+				lua_pushf_nil("payload_filter");
+
+			lua_rawset(params.L,-3);
+		}
+		n++;
+	}
+
+	LUA_STACK_GUARD_RETURN(L,1)
+}
+static int luacall_execution_plan_cancel(lua_State *L)
+{
+	lua_check_argc(L,"execution_plan_cancel",1);
+
+	t_lua_desync_context *ctx = lua_desync_ctx();
+
+	DLOG("execution plan cancel from '%s'\n",ctx->instance);
+
+	ctx->cancel = true;
+	return 0;
+}
+
+
 static int luacall_raw_packet(lua_State *L)
 {
 	lua_check_argc(L,"raw_packet",1);

 	LUA_STACK_GUARD_ENTER(L)

-	const t_lua_desync_context *ctx;
-
-	if (!lua_islightuserdata(L,1))
-		luaL_error(L, "raw_packet expect desync context in the first argument");
-	ctx = lua_touserdata(L,1);
+	const t_lua_desync_context *ctx = lua_desync_ctx();

 	lua_pushlstring(L, (const char*)ctx->dis->data_pkt, ctx->dis->len_pkt);

@@ -738,13 +903,37 @@ void lua_pushi_nil(lua_Integer idx)
 void lua_pushf_int(const char *field, lua_Integer v)
 {
 	lua_pushstring(params.L, field);
-	lua_pushinteger(params.L, v);
+	lua_pushlint(params.L, v);
 	lua_rawset(params.L,-3);
 }
 void lua_pushi_int(lua_Integer idx, lua_Integer v)
 {
 	lua_pushinteger(params.L, idx);
-	lua_pushinteger(params.L, v);
+	lua_pushlint(params.L, v);
+	lua_rawset(params.L,-3);
+}
+void lua_pushf_lint(const char *field, int64_t v)
+{
+	lua_pushstring(params.L, field);
+	lua_pushlint(params.L, v);
+	lua_rawset(params.L,-3);
+}
+void lua_pushi_lint(lua_Integer idx, int64_t v)
+{
+	lua_pushinteger(params.L, idx);
+	lua_pushlint(params.L, v);
+	lua_rawset(params.L,-3);
+}
+void lua_pushf_number(const char *field, lua_Number v)
+{
+	lua_pushstring(params.L, field);
+	lua_pushnumber(params.L, v);
+	lua_rawset(params.L,-3);
+}
+void lua_pushi_number(lua_Integer idx, lua_Number v)
+{
+	lua_pushinteger(params.L, idx);
+	lua_pushnumber(params.L, v);
 	lua_rawset(params.L,-3);
 }
 void lua_pushf_bool(const char *field, bool b)
@@ -771,6 +960,18 @@ void lua_pushi_str(lua_Integer idx, const char *str)
 	lua_pushstring(params.L, str); // pushes nil if str==NULL
 	lua_rawset(params.L,-3);
 }
+void lua_pushf_lstr(const char *field, const char *str, size_t size)
+{
+	lua_pushstring(params.L, field);
+	lua_pushlstring(params.L, str, size);
+	lua_rawset(params.L,-3);
+}
+void lua_pushi_lstr(lua_Integer idx, const char *str, size_t size)
+{
+	lua_pushinteger(params.L, idx);
+	lua_pushlstring(params.L, str, size);
+	lua_rawset(params.L,-3);
+}
 void lua_push_raw(const void *v, size_t l)
 {
 	if (v)
@@ -889,8 +1090,8 @@ void lua_pushf_tcphdr(const struct tcphdr *tcp, size_t len)
 		lua_createtable(params.L, 0, 11);
 		lua_pushf_int("th_sport",ntohs(tcp->th_sport));
 		lua_pushf_int("th_dport",ntohs(tcp->th_dport));
-		lua_pushf_int("th_seq",ntohl(tcp->th_seq));
-		lua_pushf_int("th_ack",ntohl(tcp->th_ack));
+		lua_pushf_lint("th_seq",ntohl(tcp->th_seq));
+		lua_pushf_lint("th_ack",ntohl(tcp->th_ack));
 		lua_pushf_int("th_x2",tcp->th_x2);
 		lua_pushf_int("th_off",tcp->th_off);
 		lua_pushf_int("th_flags",tcp->th_flags);
@@ -1025,8 +1226,8 @@ void lua_pushf_ip6hdr(const struct ip6_hdr *ip6, size_t len)
 	if (ip6)
 	{
 		lua_createtable(params.L, 0, 7);
-		lua_pushf_int("ip6_flow",ntohl(ip6->ip6_ctlun.ip6_un1.ip6_un1_flow));
-		lua_pushf_int("ip6_plen",ntohs(ip6->ip6_ctlun.ip6_un1.ip6_un1_plen));
+		lua_pushf_lint("ip6_flow",ntohl(ip6->ip6_ctlun.ip6_un1.ip6_un1_flow));
+		lua_pushf_lint("ip6_plen",ntohs(ip6->ip6_ctlun.ip6_un1.ip6_un1_plen));
 		lua_pushf_int("ip6_nxt",ip6->ip6_ctlun.ip6_un1.ip6_un1_nxt);
 		lua_pushf_int("ip6_hlim",ip6->ip6_ctlun.ip6_un1.ip6_un1_hlim);
 		lua_pushf_raw("ip6_src",&ip6->ip6_src,sizeof(struct in6_addr));
@@ -1045,13 +1246,15 @@ void lua_push_dissect(const struct dissect *dis)

 	if (dis)
 	{
-		lua_createtable(params.L, 0, 7);
+		lua_createtable(params.L, 0, 9);
 		lua_pushf_iphdr(dis->ip, dis->len_l3);
 		lua_pushf_ip6hdr(dis->ip6, dis->len_l3);
 		lua_pushf_tcphdr(dis->tcp, dis->len_l4);
 		lua_pushf_udphdr(dis->udp, dis->len_l4);
 		lua_pushf_int("l4proto",dis->proto);
 		lua_pushf_int("transport_len",dis->transport_len);
+		lua_pushf_int("l3_len",dis->len_l3);
+		lua_pushf_int("l4_len",dis->len_l4);
 		lua_pushf_raw("payload",dis->data_payload,dis->len_payload);
 	}
 	else
@@ -1066,21 +1269,45 @@ void lua_pushf_dissect(const struct dissect *dis)
 	lua_rawset(params.L,-3);
 }

-void lua_pushf_ctrack(const t_ctrack *ctrack)
+void lua_pushf_ctrack_pos(const t_ctrack *ctrack, const t_ctrack_position *pos)
 {
 	LUA_STACK_GUARD_ENTER(params.L)

+	lua_pushf_lint("pcounter", pos->pcounter);
+	lua_pushf_lint("pdcounter", pos->pdcounter);
+	lua_pushf_lint("pbcounter", pos->pbcounter);
+	if (ctrack->ipproto == IPPROTO_TCP)
+	{
+		lua_pushliteral(params.L, "tcp");
+		lua_createtable(params.L, 0, 11);
+		lua_pushf_lint("seq0", pos->seq0);
+		lua_pushf_lint("seq", pos->seq_last);
+		lua_pushf_lint("rseq", pos->seq_last - pos->seq0);
+		lua_pushf_bool("rseq_over_2G", pos->rseq_over_2G);
+		lua_pushf_int("pos", pos->pos - pos->seq0);
+		lua_pushf_int("uppos", pos->uppos - pos->seq0);
+		lua_pushf_int("uppos_prev", pos->uppos_prev - pos->seq0);
+		lua_pushf_int("winsize", pos->winsize);
+		lua_pushf_int("winsize_calc", pos->winsize_calc);
+		lua_pushf_int("scale", pos->scale);
+		lua_pushf_int("mss", pos->mss);
+		lua_rawset(params.L,-3);
+	}
+
+	LUA_STACK_GUARD_LEAVE(params.L, 0)
+}
+
+void lua_pushf_ctrack(const t_ctrack *ctrack, const t_ctrack_positions *tpos, bool bIncoming)
+{
+	LUA_STACK_GUARD_ENTER(params.L)
+
+	if (!tpos) tpos = &ctrack->pos;
+
 	lua_pushliteral(params.L, "track");
 	if (ctrack)
 	{
-		lua_createtable(params.L, 0, 13 + (ctrack->ipproto == IPPROTO_TCP));
+		lua_createtable(params.L, 0, 9);

-		lua_pushf_int("pcounter_orig", ctrack->pcounter_orig);
-		lua_pushf_int("pdcounter_orig", ctrack->pdcounter_orig);
-		lua_pushf_int("pbcounter_orig", ctrack->pbcounter_orig);
-		lua_pushf_int("pcounter_reply", ctrack->pcounter_reply);
-		lua_pushf_int("pdcounter_reply", ctrack->pdcounter_reply);
-		lua_pushf_int("pbcounter_reply", ctrack->pbcounter_reply);
 		if (ctrack->incoming_ttl)
 			lua_pushf_int("incoming_ttl", ctrack->incoming_ttl);
 		else
@@ -1091,27 +1318,38 @@ void lua_pushf_ctrack(const t_ctrack *ctrack)
 		lua_pushf_reg("lua_state", ctrack->lua_state);
 		lua_pushf_bool("lua_in_cutoff", ctrack->b_lua_in_cutoff);
 		lua_pushf_bool("lua_out_cutoff", ctrack->b_lua_out_cutoff);
+		lua_pushf_lint("t_start", (lua_Number)ctrack->t_start.tv_sec + ctrack->t_start.tv_nsec/1000000000.);

-		if (ctrack->ipproto == IPPROTO_TCP)
-		{
-			lua_pushliteral(params.L, "tcp");
-			lua_createtable(params.L, 0, 14);
-			lua_pushf_int("seq0", ctrack->seq0);
-			lua_pushf_int("seq", ctrack->seq_last);
-			lua_pushf_int("ack0", ctrack->ack0);
-			lua_pushf_int("ack", ctrack->ack_last);
-			lua_pushf_int("pos_orig", ctrack->pos_orig - ctrack->seq0);
-			lua_pushf_int("winsize_orig", ctrack->winsize_orig);
-			lua_pushf_int("winsize_orig_calc", ctrack->winsize_orig_calc);
-			lua_pushf_int("scale_orig", ctrack->scale_orig);
-			lua_pushf_int("mss_orig", ctrack->mss_orig);
-			lua_pushf_int("pos_reply", ctrack->pos_reply - ctrack->ack0);
-			lua_pushf_int("winsize_reply", ctrack->winsize_reply);
-			lua_pushf_int("winsize_reply_calc", ctrack->winsize_reply_calc);
-			lua_pushf_int("scale_reply", ctrack->scale_reply);
-			lua_pushf_int("mss_reply", ctrack->mss_reply);
-			lua_rawset(params.L,-3);
-		}
+		lua_pushliteral(params.L, "pos");
+		lua_createtable(params.L, 0, 5);
+
+		// orig, reply related to connection logical direction
+		// for tcp orig is client (who connects), reply is server (who listens). 
+		// for orig is the first seen party, reply is another party
+		lua_pushf_number("dt",
+			(lua_Number)tpos->t_last.tv_sec - (lua_Number)ctrack->t_start.tv_sec +
+			(tpos->t_last.tv_nsec - ctrack->t_start.tv_nsec)/1000000000.);
+
+		lua_pushliteral(params.L, "client");
+		lua_newtable(params.L);
+		lua_pushf_ctrack_pos(ctrack, &tpos->client);
+		lua_rawset(params.L,-3);
+
+		lua_pushliteral(params.L, "server");
+		lua_newtable(params.L);
+		lua_pushf_ctrack_pos(ctrack, &tpos->server);
+		lua_rawset(params.L,-3);
+
+		// direct and reverse are adjusted for server mode. in server mode orig and reply are exchanged.
+		lua_pushliteral(params.L, "direct");
+		lua_getfield(params.L, -2, (params.server ^ bIncoming) ? "server" : "client");
+		lua_rawset(params.L,-3);
+
+		lua_pushliteral(params.L, "reverse");
+		lua_getfield(params.L, -2, (params.server ^ bIncoming) ? "client" : "server");
+		lua_rawset(params.L,-3);
+
+		lua_rawset(params.L,-3);
 	}
 	else
 		lua_pushnil(params.L);
@@ -1120,7 +1358,7 @@ void lua_pushf_ctrack(const t_ctrack *ctrack)
 	LUA_STACK_GUARD_LEAVE(params.L, 0)
 }

-void lua_pushf_args(const struct ptr_list_head *args, int idx_desync)
+void lua_pushf_args(const struct str2_list_head *args, int idx_desync, bool subst_prefix)
 {
 	// var=val - pass val string
 	// var=%val - subst 'val' blob
@@ -1130,7 +1368,7 @@ void lua_pushf_args(const struct ptr_list_head *args, int idx_desync)

 	LUA_STACK_GUARD_ENTER(params.L)

-	struct ptr_list *arg;
+	struct str2_list *arg;
 	const char *var, *val;

 	idx_desync = lua_absindex(params.L, idx_desync);
@@ -1139,19 +1377,24 @@ void lua_pushf_args(const struct ptr_list_head *args, int idx_desync)
 	lua_newtable(params.L);
 	LIST_FOREACH(arg, args, next)
 	{
-		var = (char*)arg->ptr1;
-		val = arg->ptr2 ? (char*)arg->ptr2 : "";
-		if (val[0]=='\\' && (val[1]=='%' || val[1]=='#'))
-			// escape char
-			lua_pushf_str(var, val+1);
-		else if (val[0]=='%')
-			lua_pushf_blob(idx_desync, var, val+1);
-		else if (val[0]=='#')
+		var = arg->str1;
+		val = arg->str2 ? arg->str2 : "";
+		if (subst_prefix)
 		{
-			lua_push_blob(idx_desync, val+1);
-			lua_Integer len = lua_rawlen(params.L, -1);
-			lua_pop(params.L,1);
-			lua_pushf_int(var, len);
+			if (val[0]=='\\' && (val[1]=='%' || val[1]=='#'))
+				// escape char
+				lua_pushf_str(var, val+1);
+			else if (val[0]=='%')
+				lua_pushf_blob(idx_desync, var, val+1);
+			else if (val[0]=='#')
+			{
+				lua_push_blob(idx_desync, val+1);
+				lua_Integer len = lua_rawlen(params.L, -1);
+				lua_pop(params.L,1);
+				lua_pushf_int(var, len);
+			}
+			else
+				lua_pushf_str(var, val);
 		}
 		else
 			lua_pushf_str(var, val);
@@ -1160,7 +1403,33 @@ void lua_pushf_args(const struct ptr_list_head *args, int idx_desync)

 	LUA_STACK_GUARD_LEAVE(params.L, 0)
 }
+void lua_pushf_pos(const char *name, const struct packet_pos *pos)
+{
+	LUA_STACK_GUARD_ENTER(params.L)

+	char smode[2]="?";
+	lua_pushf_table(name);
+	lua_getfield(params.L,-1,name);
+	*smode=pos->mode;
+	lua_pushf_str("mode",smode);
+	lua_pushf_lint("pos",pos->pos);
+	lua_pop(params.L,1);
+
+	LUA_STACK_GUARD_LEAVE(params.L, 0)
+}
+void lua_pushf_range(const char *name, const struct packet_range *range)
+{
+	LUA_STACK_GUARD_ENTER(params.L)
+
+	lua_pushf_table(name);
+	lua_getfield(params.L,-1,"range");
+	lua_pushf_bool("upper_cutoff",range->upper_cutoff);
+	lua_pushf_pos("from", &range->from);
+	lua_pushf_pos("to", &range->to);
+	lua_pop(params.L,1);
+
+	LUA_STACK_GUARD_LEAVE(params.L, 0)
+}


 static void lua_reconstruct_extract_options(lua_State *L, int idx, bool *badsum, bool *ip6_preserve_next, uint8_t *ip6_last_proto)
@@ -1277,7 +1546,7 @@ bool lua_reconstruct_ip6hdr(int idx, struct ip6_hdr *ip6, size_t *len, uint8_t l
 	idx = lua_absindex(params.L, idx);

 	lua_getfield(params.L,idx,"ip6_flow");
-	ip6->ip6_ctlun.ip6_un1.ip6_un1_flow = htonl(lua_type(params.L,-1)==LUA_TNUMBER ? (uint32_t)lua_tointeger(params.L,-1) : 0x60000000);
+	ip6->ip6_ctlun.ip6_un1.ip6_un1_flow = htonl(lua_type(params.L,-1)==LUA_TNUMBER ? (uint32_t)lua_tolint(params.L,-1) : 0x60000000);
 	lua_pop(params.L, 1);

 	lua_getfield(params.L,idx,"ip6_plen");
@@ -1537,12 +1806,12 @@ bool lua_reconstruct_tcphdr(int idx, struct tcphdr *tcp, size_t *len)

 	lua_getfield(params.L,idx,"th_seq");
 	if (lua_type(params.L,-1)!=LUA_TNUMBER) goto err;
-	tcp->th_seq = htonl((uint32_t)lua_tointeger(params.L,-1));
+	tcp->th_seq = htonl((uint32_t)lua_tolint(params.L,-1));
 	lua_pop(params.L, 1);

 	lua_getfield(params.L,idx,"th_ack");
 	if (lua_type(params.L,-1)!=LUA_TNUMBER) goto err;
-	tcp->th_ack = htonl((uint32_t)lua_tointeger(params.L,-1));
+	tcp->th_ack = htonl((uint32_t)lua_tolint(params.L,-1));
 	lua_pop(params.L, 1);

 	lua_getfield(params.L,idx,"th_x2");
@@ -1864,7 +2133,7 @@ static int luacall_csum_ip4_fix(lua_State *L)
 }
 static int luacall_csum_tcp_fix(lua_State *L)
 {
-	// csum_ip4_fix(ip_header, tcp_header, payload) returns tcp_header
+	// csum_tcp_fix(ip_header, tcp_header, payload) returns tcp_header
 	lua_check_argc(L,"csum_tcp_fix",3);

 	LUA_STACK_GUARD_ENTER(L)
@@ -1905,7 +2174,7 @@ static int luacall_csum_tcp_fix(lua_State *L)
 }
 static int luacall_csum_udp_fix(lua_State *L)
 {
-	// csum_ip4_fix(ip_header, tcp_header, payload) returns tcp_header
+	// csum_udp_fix(ip_header, udp_header, payload) returns udp_header
 	lua_check_argc(L,"csum_udp_fix",3);

 	LUA_STACK_GUARD_ENTER(L)
@@ -2017,7 +2286,7 @@ static void lua_rawsend_extract_options(lua_State *L, int idx, int *repeats, uin
 		if (fwmark)
 		{
 			lua_getfield(L,idx,"fwmark");
-			*fwmark=(uint32_t)lua_tointeger(L,-1) | params.desync_fwmark;
+			*fwmark=(uint32_t)lua_tolint(L,-1) | params.desync_fwmark;
 			lua_pop(L,1);
 		}
 		if (ifout)
@@ -2663,6 +2932,21 @@ static void lua_init_const(void)
 {
 	LUA_STACK_GUARD_ENTER(params.L)

+	const struct
+	{
+		const char *name, *v;
+	} cstr[] = {
+		{"NFQWS2_VER",params.verstr}
+	};
+
+	DLOG("LUA STR:");
+	for (int i=0;i<sizeof(cstr)/sizeof(*cstr);i++)
+	{
+		lua_pushstring(params.L, cstr[i].v);
+		lua_setglobal(params.L, cstr[i].name);
+		DLOG(" %s", cstr[i].name);
+	}
+
 	const struct
 	{
 		const char *name;
@@ -2674,6 +2958,7 @@ static void lua_init_const(void)
 		{"divert_port",params.port},
 #endif
 		{"desync_fwmark",params.desync_fwmark},
+		{"NFQWS2_COMPAT_VER",LUA_COMPAT_VER},

 		{"VERDICT_PASS",VERDICT_PASS},
 		{"VERDICT_MODIFY",VERDICT_MODIFY},
@@ -2713,9 +2998,11 @@ static void lua_init_const(void)
 		{"IP_OFFMASK",IP_OFFMASK},
 		{"IP_FLAGMASK",IP_RF|IP_DF|IP_MF},
 		{"IPTOS_ECN_MASK",IPTOS_ECN_MASK},
+		{"IPTOS_ECN_NOT_ECT",0},
 		{"IPTOS_ECN_ECT1",IPTOS_ECN_ECT1},
 		{"IPTOS_ECN_ECT0",IPTOS_ECN_ECT0},
 		{"IPTOS_ECN_CE",IPTOS_ECN_CE},
+		{"IPTOS_DSCP_MASK",0xF0},
 		{"IP6F_MORE_FRAG",0x0001}, // in ip6.h it's defined depending of machine byte order

 		{"IPPROTO_IP",IPPROTO_IP},
@@ -2735,7 +3022,7 @@ static void lua_init_const(void)
 		{"IPPROTO_SHIM6",IPPROTO_SHIM6},
 		{"IPPROTO_NONE",IPPROTO_NONE}
 	};
-	DLOG("LUA NUMERIC:");
+	DLOG("\nLUA NUMERIC:");
 	for (int i=0;i<sizeof(cuint)/sizeof(*cuint);i++)
 	{
 		lua_pushinteger(params.L, (lua_Integer)cuint[i].v);
@@ -2803,6 +3090,11 @@ static void lua_init_functions(void)
 		{"u16",luacall_u16},
 		{"u24",luacall_u24},
 		{"u32",luacall_u32},
+		// add any number of arguments as they would be unsigned int of specific size
+		{"u8add",luacall_u8add},
+		{"u16add",luacall_u16add},
+		{"u24add",luacall_u24add},
+		{"u32add",luacall_u32add},
 		// convert number to blob (string) - big endian
 		{"bu8",luacall_bu8},
 		{"bu16",luacall_bu16},
@@ -2836,6 +3128,12 @@ static void lua_init_functions(void)

 		// voluntarily stop receiving packets
 		{"instance_cutoff",luacall_instance_cutoff},
+		// voluntarily stop receiving packets of the current connection for all instances
+		{"lua_cutoff",luacall_lua_cutoff},
+		// get info about upcoming desync instances and their arguments
+		{"execution_plan",luacall_execution_plan},
+		// cancel execution of upcoming desync instances and their arguments
+		{"execution_plan_cancel",luacall_execution_plan_cancel},
 		// get raw packet data
 		{"raw_packet",luacall_raw_packet},

--- a/nfq2/lua.h
+++ b/nfq2/lua.h
@@ -22,12 +22,27 @@
 #define LUA_UNSIGNED uint64_t
 #endif

+// in old lua integer is 32 bit on 32 bit platforms and 64 bit on 64 bit platforms
+#if LUA_VERSION_NUM < 503 && __SIZEOF_POINTER__==4
+#define lua_pushlint lua_pushnumber
+#define lua_tolint lua_tonumber
+#define luaL_checklint luaL_checknumber
+#else
+#define lua_pushlint lua_pushinteger
+#define luaL_checklint luaL_checkinteger
+#define lua_tolint lua_tointeger
+#endif
+
 // pushing and not popping inside luacall cause memory leak
+// these macros ensure correct stack position or throw error if not
 #define LUA_STACK_GUARD_ENTER(L) int _lsg=lua_gettop(L);
 #define LUA_STACK_GUARD_LEAVE(L,N) if ((_lsg+N)!=lua_gettop(L)) luaL_error(L,"stack guard failure");
 #define LUA_STACK_GUARD_RETURN(L,N) LUA_STACK_GUARD_LEAVE(L,N); return N;


+void desync_instance(const char *func, unsigned int dp_n, unsigned int func_n, char *instance, size_t inst_size);
+
+
 bool lua_test_init_script_files(void);
 bool lua_init(void);
 void lua_shutdown(void);
@@ -48,8 +63,14 @@ void lua_pushf_bool(const char *field, bool b);
 void lua_pushi_bool(lua_Integer idx, bool b);
 void lua_pushf_str(const char *field, const char *str);
 void lua_pushi_str(lua_Integer idx, const char *str);
+void lua_pushf_lstr(const char *field, const char *str, size_t len);
+void lua_pushi_lstr(lua_Integer idx, const char *str, size_t len);
 void lua_pushf_int(const char *field, lua_Integer v);
 void lua_pushi_int(lua_Integer idx, lua_Integer v);
+void lua_pushf_lint(const char *field, int64_t v);
+void lua_pushi_lint(lua_Integer idx, int64_t v);
+void lua_pushf_number(const char *field, lua_Number v);
+void lua_pushi_number(lua_Integer idx, lua_Number v);
 void lua_push_raw(const void *v, size_t l);
 void lua_pushf_raw(const char *field, const void *v, size_t l);
 void lua_pushi_raw(lua_Integer idx, const void *v, size_t l);
@@ -68,8 +89,10 @@ void lua_pushf_iphdr(const struct ip *ip, size_t len);
 void lua_pushf_ip6hdr(const struct ip6_hdr *ip6, size_t len);
 void lua_push_dissect(const struct dissect *dis);
 void lua_pushf_dissect(const struct dissect *dis);
-void lua_pushf_ctrack(const t_ctrack *ctrack);
-void lua_pushf_args(const struct ptr_list_head *args, int idx_desync);
+void lua_pushf_ctrack(const t_ctrack *ctrack, const t_ctrack_positions *tpos, bool bIncoming);
+void lua_pushf_args(const struct str2_list_head *args, int idx_desync, bool subst_prefix);
+void lua_pushf_pos(const char *name, const struct packet_pos *pos);
+void lua_pushf_range(const char *name, const struct packet_range *range);
 void lua_pushf_global(const char *field, const char *global);

 bool lua_reconstruct_ip6hdr(int idx, struct ip6_hdr *ip6, size_t *len, uint8_t last_proto, bool preserve_next);
@@ -78,11 +101,15 @@ bool lua_reconstruct_tcphdr(int idx, struct tcphdr *tcp, size_t *len);
 bool lua_reconstruct_udphdr(int idx, struct udphdr *udp);
 bool lua_reconstruct_dissect(int idx, uint8_t *buf, size_t *len, bool badsum, bool ip6_preserve_next);

+#define MAGIC_CTX	0xE73DC935
 typedef struct {
+	uint32_t magic;
+	unsigned int func_n;
 	const char *func, *instance;
 	const struct desync_profile *dp;
-	const t_ctrack *ctrack;
 	const struct dissect *dis;
+	t_ctrack *ctrack;
+	bool incoming,cancel;
 } t_lua_desync_context;

 bool lua_instance_cutoff_check(const t_lua_desync_context *ctx, bool bIn);
--- a/nfq2/nfqws.c
+++ b/nfq2/nfqws.c
@@ -48,11 +48,6 @@
 #define NF_ACCEPT 1
 #endif

-#define CTRACK_T_SYN	60
-#define CTRACK_T_FIN	60
-#define CTRACK_T_EST	300
-#define CTRACK_T_UDP	60
-
 #define MAX_CONFIG_FILE_SIZE 16384

 struct params_s params;
@@ -99,7 +94,7 @@ static void onusr2(int sig)
 	struct desync_profile_list *dpl;
 	LIST_FOREACH(dpl, &params.desync_profiles, next)
 	{
-		printf("\nDESYNC profile %u\n", dpl->dp.n);
+		printf("\nDESYNC profile %u (%s)\n", dpl->dp.n, PROFILE_NAME(&dpl->dp));
 		HostFailPoolDump(dpl->dp.hostlist_auto_fail_counters);
 	}
 	printf("\nIPCACHE\n");
@@ -635,6 +630,7 @@ static int win_main()
 		{
 			res=w_win32_error; goto ex;
 		}
+
 		if (!win_sandbox())
 		{
 			res=w_win32_error;
@@ -642,7 +638,6 @@ static int win_main()
 			goto ex;
 		}

-
 		// init LUA only here because of possible sandbox. no LUA code with high privs
 		if (!params.L && !lua_init())
 		{
@@ -1007,27 +1002,28 @@ static bool parse_pf_list(char *opt, struct port_filters_head *pfl)
 	return true;
 }

-bool lua_call_param_add(char *opt, struct ptr_list_head *args)
+bool lua_call_param_add(char *opt, struct str2_list_head *args)
 {
 	char c,*p;
-	struct ptr_list *arg;
+	struct str2_list *arg;

 	if ((p = strchr(opt,'=')))
 	{
 		c = *p; *p = 0;
 	}
-	if (!is_identifier(opt) || !(arg=ptrlist_add(args)))
+	if (!is_identifier(opt) || !(arg=str2list_add(args)))
 	{
 		if (p) *p = c;
 		return false;
 	}
-	arg->ptr1 = strdup(opt);
+	arg->str1 = strdup(opt);
 	if (p)
 	{
-		arg->ptr2 = strdup(p+1);
+		arg->str2 = strdup(p+1);
 		*p = c;
+		if (!arg->str2) return false;
 	}
-	return arg->ptr1;
+	return !!arg->str1;
 }

 struct func_list *parse_lua_call(char *opt, struct func_list_head *flist)
@@ -1053,7 +1049,6 @@ struct func_list *parse_lua_call(char *opt, struct func_list_head *flist)
 		last = !*e;
 		c = *e;
 		*e = 0;
-
 		b = lua_call_param_add(p, &f->args);
 		if (!last) *e++ = c;
 		if (!b) goto err;
@@ -1156,21 +1151,21 @@ static void BlobDebug()
 	}
 }

-static void LuaDesyncDebug(struct desync_profile *dp)
+static void LuaDesyncDebug(struct desync_profile *dp, const char *entity)
 {
 	if (params.debug)
 	{
 		struct func_list *func;
-		struct ptr_list *arg;
+		struct str2_list *arg;
 		int n,i;
 		LIST_FOREACH(func, &dp->lua_desync, next)
 		{
-			DLOG("profile %u lua %s(",dp->n,func->func);
+			DLOG("%s %u (%s) lua %s(",entity,dp->n,PROFILE_NAME(dp),func->func);
 			n=0;
 			LIST_FOREACH(arg, &func->args, next)
 			{
 				if (n) DLOG(",");
-				DLOG(arg->ptr2 ? "%s=\"%s\"" : "%s=\"\"", (char*)arg->ptr1, (char*)arg->ptr2);
+				DLOG(arg->str2 ? "%s=\"%s\"" : "%s=\"\"", arg->str1, arg->str2);
 				n++;
 			}
 			DLOG(" range_in=%c%u%c%c%u range_out=%c%u%c%c%u payload_type=",
@@ -1288,8 +1283,10 @@ static bool wf_make_filter(

 	if (bHaveTCP)
 	{
-		if (dp_list_have_autohostlist(&params.desync_profiles))
-			snprintf(wf + strlen(wf), len - strlen(wf), " or\n " DIVERT_HTTP_REDIRECT);
+//		may be required by orchestrators - always redirect
+//		if (dp_list_have_autohostlist(&params.desync_profiles))
+
+		snprintf(wf + strlen(wf), len - strlen(wf), " or\n " DIVERT_HTTP_REDIRECT);
 	}

 	if (!LIST_EMPTY(wf_raw_part))
@@ -1412,8 +1409,12 @@ static void exithelp(void)
 		" --lua-init=@<filename>|<lua_text>\t\t\t; load LUA program from a file or string. if multiple parameters present order of execution is preserved.\n"
 		" --lua-gc=<int>\t\t\t\t\t\t; forced garbage collection every N sec. default %u sec. triggers only when a packet arrives. 0 = disable.\n"
 		"\nMULTI-STRATEGY:\n"
-		" --new\t\t\t\t\t\t\t; begin new strategy\n"
-		" --skip\t\t\t\t\t\t\t; do not use this strategy\n"
+		" --new\t\t\t\t\t\t\t; begin new profile\n"
+		" --skip\t\t\t\t\t\t\t; do not use this profile\n"
+		" --name=<name>\t\t\t\t\t\t; set profile name\n"
+		" --template[=<name>]\t\t\t\t\t; use this profile as template (must be named or will be useless)\n"
+		" --cookie[=<string>]\t\t\t\t\t; pass this profile-bound string to LUA\n"
+		" --import=<name>\t\t\t\t\t; populate current profile with template data\n"
 		" --filter-l3=ipv4|ipv6\t\t\t\t\t; L3 protocol filter. multiple comma separated values allowed.\n"
 		" --filter-tcp=[~]port1[-port2]|*\t\t\t; TCP port filter. ~ means negation. setting tcp and not setting udp filter denies udp. comma separated list allowed.\n"
 		" --filter-udp=[~]port1[-port2]|*\t\t\t; UDP port filter. ~ means negation. setting udp and not setting tcp filter denies tcp. comma separated list allowed.\n"
@@ -1433,11 +1434,15 @@ static void exithelp(void)
 		" --hostlist-auto-fail-threshold=<int>\t\t\t; how many failed attempts cause hostname to be added to auto hostlist (default : %d)\n"
 		" --hostlist-auto-fail-time=<int>\t\t\t; all failed attemps must be within these seconds (default : %d)\n"
 		" --hostlist-auto-retrans-threshold=<int>\t\t; how many request retransmissions cause attempt to fail (default : %d)\n"
+		" --hostlist-auto-retrans-maxseq=<int>\t\t\t; count retransmissions only within this relative sequence (default : %u)\n"
+		" --hostlist-auto-incoming-maxseq=<int>\t\t\t; treat tcp connection as successful if incoming relative sequence exceedes this threshold (default : %u)\n"
+		" --hostlist-auto-udp-out=<int>\t\t\t\t; udp failure condition : sent at least `udp_out` packets (default : %u)\n"
+		" --hostlist-auto-udp-in=<int>\t\t\t\t; udp failure condition : received not more than `udp_in` packets (default : %u)\n"
 		" --hostlist-auto-debug=<logfile>\t\t\t; debug auto hostlist positives (global parameter)\n"
 		"\nLUA PACKET PASS MODE:\n"
 		" --payload=type[,type]\t\t\t\t\t; set payload types following LUA functions should process : %s\n"
-		" --out-range=[(n|a|d|s)<int>](-|<)[(n|a|d|s)<int>]\t; set outgoing packet range for following LUA functions. '-' - include end pos, '<' - not include. prefix meaning : n - packet number, d - data packet number, s - relative sequence, b - byte count, x - never, a - always\n"
-		" --in-range=[(n|a|d|s)<int>](-|<)[(n|a|d|s)<int>]\t; set incoming packet range for following LUA functions. '-' - include end pos, '<' - not include. prefix meaning : n - packet number, d - data packet number, s - relative sequence, b - byte count, x - never, a - always\n"
+		" --out-range=[(n|a|d|s|p)<int>](-|<)[(n|a|d|s|p)<int>]\t; set outgoing packet range for following LUA functions. '-' - include end pos, '<' - not include. prefix meaning : n - packet number, d - data packet number, s - relative sequence, p - data position relative sequence, b - byte count, x - never, a - always\n"
+		" --in-range=[(n|a|d|s|p)<int>](-|<)[(n|a|d|s|p)<int>]\t; set incoming packet range for following LUA functions. '-' - include end pos, '<' - not include. prefix meaning : n - packet number, d - data packet number, s - relative sequence, p - data position relative sequence, b - byte count, x - never, a - always\n"
 		"\nLUA DESYNC ACTION:\n"
 		" --lua-desync=<functon>[:param1=val1[:param2=val2]]\t; call LUA function when packet received\n",
 #if defined(__linux__) || defined(SO_USER_COOKIE)
@@ -1447,7 +1452,10 @@ static void exithelp(void)
 		IPCACHE_LIFETIME,
 		LUA_GC_INTERVAL,
 		all_protos,
-		HOSTLIST_AUTO_FAIL_THRESHOLD_DEFAULT, HOSTLIST_AUTO_FAIL_TIME_DEFAULT, HOSTLIST_AUTO_RETRANS_THRESHOLD_DEFAULT,
+		HOSTLIST_AUTO_FAIL_THRESHOLD_DEFAULT, HOSTLIST_AUTO_FAIL_TIME_DEFAULT,
+		HOSTLIST_AUTO_RETRANS_THRESHOLD_DEFAULT,
+		HOSTLIST_AUTO_RETRANS_MAXSEQ, HOSTLIST_AUTO_INCOMING_MAXSEQ,
+		HOSTLIST_AUTO_UDP_OUT, HOSTLIST_AUTO_UDP_IN,
 		all_payloads
 	);
 	exit(1);
@@ -1500,22 +1508,6 @@ static void ApplyDefaultBlobs(struct blob_collection_head *blobs)
 	load_const_blob_to_collection("fake_default_quic",buf,620,blobs,0);
 }

-#define STRINGIFY(x) #x
-#define TOSTRING(x) STRINGIFY(x)
-#if defined(ZAPRET_GH_VER) || defined (ZAPRET_GH_HASH)
-#ifdef __ANDROID__
-#define PRINT_VER printf("github android version %s (%s)\n\n", TOSTRING(ZAPRET_GH_VER), TOSTRING(ZAPRET_GH_HASH))
-#else
-#define PRINT_VER printf("github version %s (%s)\n\n", TOSTRING(ZAPRET_GH_VER), TOSTRING(ZAPRET_GH_HASH))
-#endif
-#else
-#ifdef __ANDROID__
-#define PRINT_VER printf("self-built android version %s %s\n\n", __DATE__, __TIME__)
-#else
-#define PRINT_VER printf("self-built version %s %s\n\n", __DATE__, __TIME__)
-#endif
-#endif
-
 enum opt_indices {
 	IDX_DEBUG,
 	IDX_DRY_RUN,
@@ -1560,9 +1552,17 @@ enum opt_indices {
 	IDX_HOSTLIST_AUTO_FAIL_THRESHOLD,
 	IDX_HOSTLIST_AUTO_FAIL_TIME,
 	IDX_HOSTLIST_AUTO_RETRANS_THRESHOLD,
+	IDX_HOSTLIST_AUTO_RETRANS_MAXSEQ,
+	IDX_HOSTLIST_AUTO_INCOMING_MAXSEQ,
+	IDX_HOSTLIST_AUTO_UDP_IN,
+	IDX_HOSTLIST_AUTO_UDP_OUT,
 	IDX_HOSTLIST_AUTO_DEBUG,
 	IDX_NEW,
 	IDX_SKIP,
+	IDX_NAME,
+	IDX_TEMPLATE,
+	IDX_IMPORT,
+	IDX_COOKIE,
 	IDX_FILTER_L3,
 	IDX_FILTER_TCP,
 	IDX_FILTER_UDP,
@@ -1640,9 +1640,17 @@ static const struct option long_options[] = {
 	[IDX_HOSTLIST_AUTO_FAIL_THRESHOLD] = {"hostlist-auto-fail-threshold", required_argument, 0, 0},
 	[IDX_HOSTLIST_AUTO_FAIL_TIME] = {"hostlist-auto-fail-time", required_argument, 0, 0},
 	[IDX_HOSTLIST_AUTO_RETRANS_THRESHOLD] = {"hostlist-auto-retrans-threshold", required_argument, 0, 0},
+	[IDX_HOSTLIST_AUTO_RETRANS_MAXSEQ] = {"hostlist-auto-retrans-maxseq", required_argument, 0, 0},
+	[IDX_HOSTLIST_AUTO_INCOMING_MAXSEQ] = {"hostlist-auto-incoming-maxseq", required_argument, 0, 0},
+	[IDX_HOSTLIST_AUTO_UDP_IN] = {"hostlist-auto-udp-in", required_argument, 0, 0},
+	[IDX_HOSTLIST_AUTO_UDP_OUT] = {"hostlist-auto-udp-out", required_argument, 0, 0},
 	[IDX_HOSTLIST_AUTO_DEBUG] = {"hostlist-auto-debug", required_argument, 0, 0},
 	[IDX_NEW] = {"new", no_argument, 0, 0},
 	[IDX_SKIP] = {"skip", no_argument, 0, 0},
+	[IDX_NAME] = {"name", required_argument, 0, 0},
+	[IDX_TEMPLATE] = {"template", optional_argument, 0, 0},
+	[IDX_IMPORT] = {"import", required_argument, 0, 0},
+	[IDX_COOKIE] = {"cookie", required_argument, 0, 0},
 	[IDX_FILTER_L3] = {"filter-l3", required_argument, 0, 0},
 	[IDX_FILTER_TCP] = {"filter-tcp", required_argument, 0, 0},
 	[IDX_FILTER_UDP] = {"filter-udp", required_argument, 0, 0},
@@ -1679,16 +1687,26 @@ static const struct option long_options[] = {
 	[IDX_LAST] = {NULL, 0, NULL, 0},
 };

+
+#define STRINGIFY(x) #x
+#define TOSTRING(x) STRINGIFY(x)
+#if defined(ZAPRET_GH_VER) || defined (ZAPRET_GH_HASH)
+#ifdef __ANDROID__
+#define MAKE_VER(s,size) snprintf(s,size,"github android version %s (%s) lua_compat_ver %u", TOSTRING(ZAPRET_GH_VER), TOSTRING(ZAPRET_GH_HASH), LUA_COMPAT_VER)
+#else
+#define MAKE_VER(s,size) snprintf(s,size,"github version %s (%s) lua_compat_ver %u", TOSTRING(ZAPRET_GH_VER), TOSTRING(ZAPRET_GH_HASH), LUA_COMPAT_VER)
+#endif
+#else
+#ifdef __ANDROID__
+#define MAKE_VER(s,size) snprintf(s,size,"self-built android version %s %s lua_compat_ver %u", __DATE__, __TIME__, LUA_COMPAT_VER)
+#else
+#define MAKE_VER(s,size) snprintf(s,size,"self-built version %s %s lua_compat_ver %u", __DATE__, __TIME__, LUA_COMPAT_VER)
+#endif
+#endif
+
 int main(int argc, char **argv)
 {
-	if (argc < 2) exithelp();
-
-	aes_init_keygen_tables(); // required for aes
-	set_console_io_buffering();
-	set_env_exedir(argv[0]);
-
 #ifdef __CYGWIN__
-	prepare_low_appdata();
 	if (service_run(argc, argv))
 	{
 		// we were running as service. now exit.
@@ -1697,7 +1715,7 @@ int main(int argc, char **argv)
 #endif
 	int result, v;
 	int option_index = 0;
-	bool bSkip = false, bDry = false;
+	bool bSkip = false, bDry = false, bTemplate;
 	struct hostlist_file *anon_hl = NULL, *anon_hl_exclude = NULL;
 	struct ipset_file *anon_ips = NULL, *anon_ips_exclude = NULL;
 	uint64_t payload_type=0;
@@ -1709,17 +1727,29 @@ int main(int argc, char **argv)
 	unsigned int hash_wf_tcp_in = 0, hash_wf_udp_in = 0, hash_wf_tcp_out = 0, hash_wf_udp_out = 0, hash_wf_raw = 0, hash_wf_raw_part = 0, hash_ssid_filter = 0, hash_nlm_filter = 0;
 #endif

+	if (argc < 2) exithelp();
+
 	srandom(time(NULL));
+	aes_init_keygen_tables(); // required for aes
 	mask_from_preflen6_prepare();
+	set_env_exedir(argv[0]);
+	set_console_io_buffering();
+#ifdef __CYGWIN__
+	prepare_low_appdata();
+#endif

-	PRINT_VER;
+	init_params(&params);

-	memset(&params, 0, sizeof(params));
+	MAKE_VER(params.verstr, sizeof(params.verstr));
+	printf("%s\n\n",params.verstr);
+
+	ApplyDefaultBlobs(&params.blobs);

 	struct desync_profile_list *dpl;
 	struct desync_profile *dp;
-	unsigned int desync_profile_count = 0;
+	unsigned int desync_profile_count = 0, desync_template_count = 0;

+	bTemplate = false;
 	if (!(dpl = dp_list_add(&params.desync_profiles)))
 	{
 		DLOG_ERR("desync_profile_add: out of memory\n");
@@ -1728,39 +1758,6 @@ int main(int argc, char **argv)
 	dp = &dpl->dp;
 	dp->n = ++desync_profile_count;

-#ifdef __linux__
-	params.qnum = -1;
-#elif defined(BSD)
-	params.port = 0;
-#endif
-	params.desync_fwmark = DPI_DESYNC_FWMARK_DEFAULT;
-	params.ctrack_t_syn = CTRACK_T_SYN;
-	params.ctrack_t_est = CTRACK_T_EST;
-	params.ctrack_t_fin = CTRACK_T_FIN;
-	params.ctrack_t_udp = CTRACK_T_UDP;
-	params.ipcache_lifetime = IPCACHE_LIFETIME;
-	params.lua_gc = LUA_GC_INTERVAL;
-
-	LIST_INIT(&params.hostlists);
-	LIST_INIT(&params.ipsets);
-	LIST_INIT(&params.blobs);
-	LIST_INIT(&params.lua_init_scripts);
-
-	ApplyDefaultBlobs(&params.blobs);
-
-#ifdef __CYGWIN__
-	LIST_INIT(&params.ssid_filter);
-	LIST_INIT(&params.nlm_filter);
-	LIST_INIT(&params.wf_raw_part);
-#else
-	if (can_drop_root())
-	{
-		params.uid = params.gid[0] = 0x7FFFFFFF; // default uid:gid
-		params.gid_count = 1;
-		params.droproot = true;
-	}
-#endif
-
 #if !defined( __OpenBSD__) && !defined(__ANDROID__)
 	if (argc >= 2 && (argv[1][0] == '@' || argv[1][0] == '$'))
 	{
@@ -1815,6 +1812,7 @@ int main(int argc, char **argv)
 						fprintf(stderr, "cannot create %s\n", params.debug_logfile);
 						exit_clean(1);
 					}
+					fclose(F);
 					params.debug = true;
 					params.debug_target = LOG_TARGET_FILE;
 				}
@@ -2095,6 +2093,18 @@ int main(int argc, char **argv)
 				exit_clean(1);
 			}
 			break;
+		case IDX_HOSTLIST_AUTO_RETRANS_MAXSEQ:
+			dp->hostlist_auto_retrans_maxseq = (uint32_t)atoi(optarg);
+			break;
+		case IDX_HOSTLIST_AUTO_INCOMING_MAXSEQ:
+			dp->hostlist_auto_incoming_maxseq = (uint32_t)atoi(optarg);
+			break;
+		case IDX_HOSTLIST_AUTO_UDP_OUT:
+			dp->hostlist_auto_udp_out = atoi(optarg);
+			break;
+		case IDX_HOSTLIST_AUTO_UDP_IN:
+			dp->hostlist_auto_udp_in = atoi(optarg);
+			break;
 		case IDX_HOSTLIST_AUTO_DEBUG:
 		{
 			FILE *F = fopen(optarg, "a+t");
@@ -2120,23 +2130,83 @@ int main(int argc, char **argv)
 			else
 			{
 				check_dp(dp);
+				if (bTemplate)
+				{
+					if (dp->name && dp_list_search_name(&params.desync_templates, dp->name))
+					{
+						DLOG_ERR("template '%s' already present\n", dp->name);
+						exit_clean(1);
+					}
+					dpl->dp.n = ++desync_template_count;
+					dp_list_move(&params.desync_templates, dpl);
+				}
+				else
+				{
+					desync_profile_count++;
+				}
 				if (!(dpl = dp_list_add(&params.desync_profiles)))
 				{
 					DLOG_ERR("desync_profile_add: out of memory\n");
 					exit_clean(1);
 				}
 				dp = &dpl->dp;
-				dp->n = ++desync_profile_count;
+				dp->n = desync_profile_count;
 			}
 			anon_hl = anon_hl_exclude = NULL;
 			anon_ips = anon_ips_exclude = NULL;
 			payload_type = 0;
 			range_in = PACKET_RANGE_NEVER;
 			range_out = PACKET_RANGE_ALWAYS;
+
+			bTemplate = false;
 			break;
 		case IDX_SKIP:
 			bSkip = true;
 			break;
+		case IDX_TEMPLATE:
+			bTemplate = true;
+		case IDX_NAME:
+			if (optarg)
+			{
+				free(dp->name);
+				if (!(dp->name = strdup(optarg)))
+				{
+					DLOG_ERR("out of memory\n");
+					exit_clean(1);
+				}
+			}
+			break;
+		case IDX_COOKIE:
+			free(dp->cookie);
+			if (!(dp->cookie = strdup(optarg)))
+			{
+				DLOG_ERR("out of memory\n");
+				exit_clean(1);
+			}
+			break;
+		case IDX_IMPORT:
+			{
+				struct desync_profile_list *tpl = dp_list_search_name(&params.desync_templates, optarg);
+				if (!tpl)
+				{
+					DLOG_ERR("template '%s' not found\n", optarg);
+					exit_clean(1);
+				}
+				if (!dp_list_copy(dp, &tpl->dp))
+				{
+					DLOG_ERR("could not copy template\n");
+					exit_clean(1);
+				}
+				dp->n = desync_profile_count;
+				free(dp->name_tpl);
+				if (tpl->dp.name && !(dp->name_tpl = strdup(tpl->dp.name)))
+				{
+					DLOG_ERR("out of memory\n");
+					exit_clean(1);
+				}
+				dp->n_tpl = tpl->dp.n;
+			}
+			break;

 		case IDX_FILTER_L3:
 			if (!wf_make_l3(optarg, &dp->filter_ipv4, &dp->filter_ipv6))
@@ -2399,7 +2469,20 @@ int main(int argc, char **argv)
 		desync_profile_count--;
 	}
 	else
+	{
 		check_dp(dp);
+		if (bTemplate)
+		{
+			if (dp->name && dp_list_search_name(&params.desync_templates, dp->name))
+			{
+				DLOG_ERR("template '%s' already present\n", dp->name);
+				exit_clean(1);
+			}
+			dpl->dp.n = ++desync_template_count;
+			dp_list_move(&params.desync_templates, dpl);
+			desync_profile_count--;
+		}
+	}

 	// do not need args from file anymore
 #if !defined( __OpenBSD__) && !defined(__ANDROID__)
@@ -2423,13 +2506,14 @@ int main(int argc, char **argv)

 	DLOG("adding low-priority default empty desync profile\n");
 	// add default empty profile
-	if (!(dpl = dp_list_add(&params.desync_profiles)))
+	if (!(dpl = dp_list_add(&params.desync_profiles)) || !(dpl->dp.name=strdup("no_action")))
 	{
 		DLOG_ERR("desync_profile_add: out of memory\n");
 		exit_clean(1);
 	}

-	DLOG_CONDUP("we have %d user defined desync profile(s) and default low priority profile 0\n", desync_profile_count);
+	DLOG_CONDUP("we have %u user defined desync profile(s) and default low priority profile 0\n", desync_profile_count);
+	DLOG_CONDUP("we have %u user defined desync template(s)\n", desync_template_count);

 	if (params.writeable_dir_enable)
 	{
@@ -2463,11 +2547,16 @@ int main(int argc, char **argv)
 		if (params.droproot)
 #endif
 		{
-			if (dp->hostlist_auto && ensure_file_access(dp->hostlist_auto->filename))
+			if (dp->hostlist_auto && !ensure_file_access(dp->hostlist_auto->filename))
 				DLOG_ERR("could not make '%s' accessible. auto hostlist file may not be writable after privilege drop\n", dp->hostlist_auto->filename);

 		}
-		LuaDesyncDebug(dp);
+		LuaDesyncDebug(dp,"profile");
+	}
+	LIST_FOREACH(dpl, &params.desync_templates, next)
+	{
+		dp = &dpl->dp;
+		LuaDesyncDebug(dp,"template");
 	}

 	if (!test_list_files())
@@ -2493,6 +2582,9 @@ int main(int argc, char **argv)
 	BlobDebug();
 	DLOG("\n");

+	// not required anymore. free memory
+	dp_list_destroy(&params.desync_templates);
+
 #ifdef __CYGWIN__
 	if (!*params.windivert_filter)
 	{
--- a/nfq2/nfqws.h
+++ b/nfq2/nfqws.h
@@ -10,3 +10,6 @@
 extern bool bQuit;
 #endif
 int main(int argc, char *argv[]);
+
+// when something changes that can break LUA compatibility this version should be increased
+#define LUA_COMPAT_VER	3
--- a/nfq2/packet_queue.c
+++ b/nfq2/packet_queue.c
@@ -26,7 +26,7 @@ void rawpacket_queue_destroy(struct rawpacket_tailhead *q)
 	while((rp = rawpacket_dequeue(q))) rawpacket_free(rp);
 }

-struct rawpacket *rawpacket_queue(struct rawpacket_tailhead *q,const struct sockaddr_storage* dst,uint32_t fwmark_orig,uint32_t fwmark,const char *ifin,const char *ifout,const void *data,size_t len,size_t len_payload)
+struct rawpacket *rawpacket_queue(struct rawpacket_tailhead *q,const struct sockaddr_storage* dst,uint32_t fwmark_orig,uint32_t fwmark,const char *ifin,const char *ifout,const void *data,size_t len,size_t len_payload,const t_ctrack_positions *tpos)
 {
 	struct rawpacket *rp = malloc(sizeof(struct rawpacket));
 	if (!rp) return NULL;
@@ -52,6 +52,15 @@ struct rawpacket *rawpacket_queue(struct rawpacket_tailhead *q,const struct sock
 	memcpy(rp->packet,data,len);
 	rp->len=len;
 	rp->len_payload=len_payload;
+
+	// make a copy for replay
+	if (tpos)
+	{
+		rp->tpos = *tpos;
+		rp->tpos_present = true;
+	}
+	else
+		rp->tpos_present = false;
 	
 	TAILQ_INSERT_TAIL(q, rp, next);
 	
--- a/nfq2/packet_queue.h
+++ b/nfq2/packet_queue.h
@@ -6,6 +6,8 @@
 #include <net/if.h>
 #include <sys/socket.h>

+#include "conntrack_base.h"
+
 struct rawpacket
 {
 	struct sockaddr_storage dst;
@@ -14,6 +16,8 @@ struct rawpacket
 	uint32_t fwmark;
 	size_t len, len_payload;
 	uint8_t *packet;
+	t_ctrack_positions tpos;
+	bool tpos_present;
 	TAILQ_ENTRY(rawpacket) next;
 };
 TAILQ_HEAD(rawpacket_tailhead, rawpacket);
@@ -22,6 +26,6 @@ void rawpacket_queue_init(struct rawpacket_tailhead *q);
 void rawpacket_queue_destroy(struct rawpacket_tailhead *q);
 bool rawpacket_queue_empty(const struct rawpacket_tailhead *q);
 unsigned int rawpacket_queue_count(const struct rawpacket_tailhead *q);
-struct rawpacket *rawpacket_queue(struct rawpacket_tailhead *q,const struct sockaddr_storage* dst,uint32_t fwmark_orig,uint32_t fwmark,const char *ifin,const char *ifout,const void *data,size_t len,size_t len_payload);
+struct rawpacket *rawpacket_queue(struct rawpacket_tailhead *q,const struct sockaddr_storage* dst,uint32_t fwmark_orig,uint32_t fwmark,const char *ifin,const char *ifout,const void *data,size_t len,size_t len_payload,const t_ctrack_positions *tpos);
 struct rawpacket *rawpacket_dequeue(struct rawpacket_tailhead *q);
 void rawpacket_free(struct rawpacket *rp);
--- a/nfq2/params.c
+++ b/nfq2/params.c
@@ -112,7 +112,7 @@ int DLOG_FILENAME_VA(const char *filename, const char *format, va_list args)

 typedef void (*f_log_function)(int priority, const char *line);

-static char log_buf[1024];
+static char log_buf[4096];
 static size_t log_buf_sz=0;
 static void syslog_log_function(int priority, const char *line)
 {
@@ -158,11 +158,18 @@ static void android_log_function(int priority, const char *line)
 #endif
 static void log_buffered(f_log_function log_function, int syslog_priority, const char *format, va_list args)
 {
-	if (vsnprintf(log_buf+log_buf_sz,sizeof(log_buf)-log_buf_sz,format,args)>0)
+	if (vsnprintf(log_buf+log_buf_sz,sizeof(log_buf)-log_buf_sz-1,format,args)>0)
 	{
 		log_buf_sz=strlen(log_buf);
 		// log when buffer is full or buffer ends with \n
-		if (log_buf_sz>=(sizeof(log_buf)-1) || (log_buf_sz && log_buf[log_buf_sz-1]=='\n'))
+		if (log_buf_sz==(sizeof(log_buf)-2))
+		{
+			log_buf[log_buf_sz++] = '\n';
+			log_buf[log_buf_sz] = 0;
+			log_function(syslog_priority,log_buf);
+			log_buf_sz = 0;
+		}
+		else if (log_buf_sz && log_buf[log_buf_sz-1]=='\n')
 		{
 			log_function(syslog_priority,log_buf);
 			log_buf_sz = 0;
@@ -322,7 +329,7 @@ void hexdump_limited_dlog(const uint8_t *data, size_t size, size_t limit)
 	}
 }

-void dp_init(struct desync_profile *dp)
+void dp_init_dynamic(struct desync_profile *dp)
 {
 	LIST_INIT(&dp->hl_collection);
 	LIST_INIT(&dp->hl_collection_exclude);
@@ -331,33 +338,29 @@ void dp_init(struct desync_profile *dp)
 	LIST_INIT(&dp->pf_tcp);
 	LIST_INIT(&dp->pf_udp);
 	LIST_INIT(&dp->lua_desync);
+#ifdef HAS_FILTER_SSID
+	LIST_INIT(&dp->filter_ssid);
+#endif
+}
+void dp_init(struct desync_profile *dp)
+{
+	dp_init_dynamic(dp);

 	dp->hostlist_auto_fail_threshold = HOSTLIST_AUTO_FAIL_THRESHOLD_DEFAULT;
 	dp->hostlist_auto_fail_time = HOSTLIST_AUTO_FAIL_TIME_DEFAULT;
 	dp->hostlist_auto_retrans_threshold = HOSTLIST_AUTO_RETRANS_THRESHOLD_DEFAULT;
+	dp->hostlist_auto_retrans_maxseq = HOSTLIST_AUTO_RETRANS_MAXSEQ;
+	dp->hostlist_auto_incoming_maxseq = HOSTLIST_AUTO_INCOMING_MAXSEQ;
+	dp->hostlist_auto_udp_out = HOSTLIST_AUTO_UDP_OUT;
+	dp->hostlist_auto_udp_in = HOSTLIST_AUTO_UDP_IN;
 	dp->filter_ipv4 = dp->filter_ipv6 = true;
 }
-struct desync_profile_list *dp_list_add(struct desync_profile_list_head *head)
-{
-	struct desync_profile_list *entry = calloc(1,sizeof(struct desync_profile_list));
-	if (!entry) return NULL;
-
-	dp_init(&entry->dp);
-
-	// add to the tail
-	struct desync_profile_list *dpn,*dpl=LIST_FIRST(&params.desync_profiles);
-	if (dpl)
-	{
-		while ((dpn=LIST_NEXT(dpl,next))) dpl = dpn;
-		LIST_INSERT_AFTER(dpl, entry, next);
-	}
-	else
-		LIST_INSERT_HEAD(&params.desync_profiles, entry, next);
-
-	return entry;
-}
 static void dp_clear_dynamic(struct desync_profile *dp)
 {
+	free(dp->name);
+	free(dp->name_tpl);
+	free(dp->cookie);
+
 	hostlist_collection_destroy(&dp->hl_collection);
 	hostlist_collection_destroy(&dp->hl_collection_exclude);
 	ipset_collection_destroy(&dp->ips_collection);
@@ -389,6 +392,67 @@ void dp_list_destroy(struct desync_profile_list_head *head)
 		dp_entry_destroy(entry);
 	}
 }
+
+static struct desync_profile_list *desync_profile_entry_alloc()
+{
+	struct desync_profile_list *entry = calloc(1,sizeof(struct desync_profile_list));
+	if (entry) dp_init(&entry->dp);
+	return entry;
+}
+struct desync_profile_list *dp_list_add(struct desync_profile_list_head *head)
+{
+	struct desync_profile_list *entry = desync_profile_entry_alloc();
+	if (!entry) return false;
+
+	struct desync_profile_list *tail, *item;
+	LIST_TAIL(head, tail, item);
+	LIST_INSERT_TAIL(head, tail, entry, next);
+
+	return entry;
+}
+bool dp_list_copy(struct desync_profile *to, const struct desync_profile *from)
+{
+	// clear everything in target
+	dp_clear(to);
+	// first copy all simple type values
+	*to = *from;
+	// prepare empty dynamic structures
+	dp_init_dynamic(to);
+	// copy dynamic structures
+	if (from->name && !(to->name = strdup(from->name))) return false;
+	if (from->name_tpl && !(to->name_tpl = strdup(from->name_tpl))) return false;
+	if (from->cookie && !(to->cookie = strdup(from->cookie))) return false;
+	if (
+#ifdef HAS_FILTER_SSID
+		!strlist_copy(&to->filter_ssid, &from->filter_ssid) ||
+#endif
+		!funclist_copy(&to->lua_desync, &from->lua_desync) ||
+		!ipset_collection_copy(&to->ips_collection, &from->ips_collection) ||
+		!ipset_collection_copy(&to->ips_collection_exclude, &from->ips_collection_exclude) ||
+		!hostlist_collection_copy(&to->hl_collection, &from->hl_collection) ||
+		!hostlist_collection_copy(&to->hl_collection_exclude, &from->hl_collection_exclude))
+	{
+		return false;
+	}
+	return true;
+}
+void dp_list_move(struct desync_profile_list_head *target, struct desync_profile_list *dpl)
+{
+	struct desync_profile_list *tail, *item;
+	LIST_TAIL(target, tail, item);
+	LIST_REMOVE(dpl, next);
+	LIST_INSERT_TAIL(target, tail, dpl, next);
+}
+struct desync_profile_list *dp_list_search_name(struct desync_profile_list_head *head, const char *name)
+{
+	struct desync_profile_list *dpl;
+	if (name)
+		LIST_FOREACH(dpl, head, next)
+			if (dpl->dp.name && !strcmp(dpl->dp.name, name))
+				return dpl;
+	return NULL;
+}
+
 bool dp_list_have_autohostlist(struct desync_profile_list_head *head)
 {
 	struct desync_profile_list *dpl;
@@ -427,6 +491,7 @@ void cleanup_params(struct params_s *params)

 	ConntrackPoolDestroy(&params->conntrack);
 	dp_list_destroy(&params->desync_profiles);
+	dp_list_destroy(&params->desync_templates);
 	hostlist_files_destroy(&params->hostlists);
 	ipset_files_destroy(&params->ipsets);
 	ipcacheDestroy(&params->ipcache);
@@ -440,3 +505,40 @@ void cleanup_params(struct params_s *params)
 	free(params->user); params->user=NULL;
 #endif
 }
+
+void init_params(struct params_s *params)
+{
+	memset(params, 0, sizeof(*params));
+
+#ifdef __linux__
+	params->qnum = -1;
+#elif defined(BSD)
+	params->port = 0;
+#endif
+	params->desync_fwmark = DPI_DESYNC_FWMARK_DEFAULT;
+	params->ctrack_t_syn = CTRACK_T_SYN;
+	params->ctrack_t_est = CTRACK_T_EST;
+	params->ctrack_t_fin = CTRACK_T_FIN;
+	params->ctrack_t_udp = CTRACK_T_UDP;
+	params->ipcache_lifetime = IPCACHE_LIFETIME;
+	params->lua_gc = LUA_GC_INTERVAL;
+
+	LIST_INIT(&params->hostlists);
+	LIST_INIT(&params->ipsets);
+	LIST_INIT(&params->blobs);
+	LIST_INIT(&params->lua_init_scripts);
+
+#ifdef __CYGWIN__
+	LIST_INIT(&params->ssid_filter);
+	LIST_INIT(&params->nlm_filter);
+	LIST_INIT(&params->wf_raw_part);
+#else
+	if (can_drop_root())
+	{
+		params->uid = params->gid[0] = 0x7FFFFFFF; // default uid:gid
+		params->gid_count = 1;
+		params->droproot = true;
+	}
+#endif
+
+}
--- a/nfq2/params.h
+++ b/nfq2/params.h
@@ -6,6 +6,7 @@
 #include "desync.h"
 #include "protocol.h"
 #include "helpers.h"
+#include "sec.h"

 #include <sys/param.h>
 #include <sys/types.h>
@@ -29,6 +30,10 @@
 #define HOSTLIST_AUTO_FAIL_THRESHOLD_DEFAULT	3
 #define	HOSTLIST_AUTO_FAIL_TIME_DEFAULT 	60
 #define	HOSTLIST_AUTO_RETRANS_THRESHOLD_DEFAULT	3
+#define HOSTLIST_AUTO_RETRANS_MAXSEQ		32768
+#define HOSTLIST_AUTO_INCOMING_MAXSEQ		4096
+#define HOSTLIST_AUTO_UDP_OUT			4
+#define HOSTLIST_AUTO_UDP_IN			1

 #define IPCACHE_LIFETIME		7200

@@ -38,7 +43,7 @@
 #define BLOB_EXTRA_BYTES		128

 // this MSS is used for ipv6 in windows and linux
-#define DEFAULT_MSS			1360
+#define DEFAULT_MSS			1220

 #define RECONSTRUCT_MAX_SIZE		16384

@@ -53,6 +58,10 @@ enum log_target { LOG_TARGET_CONSOLE=0, LOG_TARGET_FILE, LOG_TARGET_SYSLOG, LOG_
 struct desync_profile
 {
 	unsigned int n;	// number of the profile
+	char *name; // optional malloced name string
+	unsigned int n_tpl; // number of imported template
+	char *name_tpl; // imported template name
+	char *cookie; // optional malloced string

 	bool filter_ipv4,filter_ipv6;
 	struct port_filters_head pf_tcp,pf_udp;
@@ -73,11 +82,14 @@ struct desync_profile
 	// pointer to autohostlist. NULL if no autohostlist for the profile.
 	struct hostlist_file *hostlist_auto;
 	int hostlist_auto_fail_threshold, hostlist_auto_fail_time, hostlist_auto_retrans_threshold;
+	int hostlist_auto_udp_in, hostlist_auto_udp_out;
+	uint32_t hostlist_auto_retrans_maxseq, hostlist_auto_incoming_maxseq;

 	hostfail_pool *hostlist_auto_fail_counters;

 	struct func_list_head lua_desync;
 };
+#define PROFILE_NAME(dp) ((dp)->name ? (dp)->name : "noname")

 #define PROFILE_IPSETS_ABSENT(dp) (!LIST_FIRST(&(dp)->ips_collection) && !LIST_FIRST(&(dp)->ips_collection_exclude))
 #define PROFILE_IPSETS_EMPTY(dp) (ipset_collection_is_empty(&(dp)->ips_collection) && ipset_collection_is_empty(&(dp)->ips_collection_exclude))
@@ -89,6 +101,9 @@ struct desync_profile_list {
 };
 LIST_HEAD(desync_profile_list_head, desync_profile_list);
 struct desync_profile_list *dp_list_add(struct desync_profile_list_head *head);
+void dp_list_move(struct desync_profile_list_head *target, struct desync_profile_list *dpl);
+bool dp_list_copy(struct desync_profile *to, const struct desync_profile *from);
+struct desync_profile_list *dp_list_search_name(struct desync_profile_list_head *head, const char *name);
 void dp_entry_destroy(struct desync_profile_list *entry);
 void dp_list_destroy(struct desync_profile_list_head *head);
 bool dp_list_have_autohostlist(struct desync_profile_list_head *head);
@@ -104,6 +119,7 @@ struct params_s
 #if !defined( __OpenBSD__) && !defined(__ANDROID__)
 	wordexp_t wexp; // for file based config
 #endif
+	char verstr[128];

 	enum log_target debug_target;
 	char debug_logfile[PATH_MAX];
@@ -119,7 +135,7 @@ struct params_s
 	bool bind_fix4,bind_fix6;
 	uint32_t desync_fwmark; // unused in BSD
 	
-	struct desync_profile_list_head desync_profiles;
+	struct desync_profile_list_head desync_profiles, desync_templates;
 	
 #ifdef __CYGWIN__
 	struct str_list_head ssid_filter,nlm_filter;
@@ -170,6 +186,8 @@ struct params_s

 extern struct params_s params;
 extern const char *progname;
+
+void init_params(struct params_s *params);
 #if !defined( __OpenBSD__) && !defined(__ANDROID__)
 void cleanup_args(struct params_s *params);
 #endif
--- a/nfq2/pools.c
+++ b/nfq2/pools.c
@@ -155,20 +155,33 @@ bool strlist_add(struct str_list_head *head, const char *str)
 	LIST_INSERT_HEAD(head, entry, next);
 	return true;
 }
+static struct str_list *strlist_entry_copy(const struct str_list *entry)
+{
+	return strlist_entry_alloc(entry->str);
+}
+bool strlist_copy(struct str_list_head *to, const struct str_list_head *from)
+{
+	struct str_list *tail, *item, *entry;
+
+	LIST_TAIL(to, tail, item);
+	LIST_FOREACH(item, from, next)
+	{
+		if (!(entry = strlist_entry_copy(item))) return false;
+		LIST_INSERT_TAIL(to, tail, entry, next);
+		tail = tail ? LIST_NEXT(tail, next) : LIST_FIRST(to);
+	}
+	return true;
+}
+
 bool strlist_add_tail(struct str_list_head *head, const char *str)
 {
 	struct str_list *entry = strlist_entry_alloc(str);
 	if (!entry) return false;

-	// add to the tail
-	struct str_list *strn,*strl=LIST_FIRST(head);
-	if (strl)
-	{
-		while ((strn=LIST_NEXT(strl,next))) strl = strn;
-		LIST_INSERT_AFTER(strl, entry, next);
-	}
-	else
-		LIST_INSERT_HEAD(head, entry, next);
+	struct str_list *tail, *item;
+	LIST_TAIL(head, tail, item);
+	LIST_INSERT_TAIL(head, tail, entry, next);
+
 	return true;
 }
 static void strlist_entry_destroy(struct str_list *entry)
@@ -200,35 +213,77 @@ bool strlist_search(const struct str_list_head *head, const char *str)
 }


-static struct ptr_list *ptrlist_entry_alloc()
+static void str2list_entry_destroy(struct str2_list *entry)
 {
-	return (struct ptr_list*)calloc(1,sizeof(struct ptr_list));
+	free(entry->str1);
+	free(entry->str2);
+	free(entry);
+}
+void str2list_destroy(struct str2_list_head *head)
+{
+	struct str2_list *entry;
+	while ((entry = LIST_FIRST(head)))
+	{
+		LIST_REMOVE(entry, next);
+		str2list_entry_destroy(entry);
+	}
+}
+static struct str2_list *str2list_entry_alloc()
+{
+	return (struct str2_list*)calloc(1,sizeof(struct str2_list));
 }

-struct ptr_list *ptrlist_add(struct ptr_list_head *head)
+struct str2_list *str2list_add(struct str2_list_head *head)
 {
-	struct ptr_list *entry = ptrlist_entry_alloc();
+	struct str2_list *entry = str2list_entry_alloc();
 	if (!entry) return NULL;
 	LIST_INSERT_HEAD(head, entry, next);
 	return entry;
 }
-static void ptrlist_entry_destroy(struct ptr_list *entry)
+static struct str2_list *str2list_entry_copy(const struct str2_list *entry)
 {
-	free(entry->ptr1);
-	free(entry->ptr2);
+	struct str2_list *e2 = str2list_entry_alloc();
+	if (!e2) return NULL;
+	e2->str1 = strdup(entry->str1);
+	e2->str2 = strdup(entry->str2);
+	if (!e2->str1 || !e2->str2)
+	{
+		str2list_entry_destroy(e2);
+		return false;
+	}
+	return e2;
+}
+bool str2list_copy(struct str2_list_head *to, const struct str2_list_head *from)
+{
+	struct str2_list *tail, *item, *entry;
+
+	LIST_TAIL(to, tail, item);
+	LIST_FOREACH(item, from, next)
+	{
+		if (!(entry = str2list_entry_copy(item))) return false;
+		LIST_INSERT_TAIL(to, tail, entry, next);
+		tail = tail ? LIST_NEXT(tail, next) : LIST_FIRST(to);
+	}
+	return true;
+}
+
+
+
+static void funclist_entry_destroy(struct func_list *entry)
+{
+	free(entry->func);
+	str2list_destroy(&entry->args);
 	free(entry);
 }
-void ptrlist_destroy(struct ptr_list_head *head)
+void funclist_destroy(struct func_list_head *head)
 {
-	struct ptr_list *entry;
+	struct func_list *entry;
 	while ((entry = LIST_FIRST(head)))
 	{
 		LIST_REMOVE(entry, next);
-		ptrlist_entry_destroy(entry);
+		funclist_entry_destroy(entry);
 	}
 }
-
-
 static struct func_list *funclist_entry_alloc(const char *func)
 {
 	struct func_list *entry = malloc(sizeof(struct func_list));
@@ -250,31 +305,38 @@ struct func_list *funclist_add_tail(struct func_list_head *head, const char *fun
 	struct func_list *entry = funclist_entry_alloc(func);
 	if (!entry) return NULL;

-	// add to the tail
-	struct func_list *funcn,*funcl=LIST_FIRST(head);
-	if (funcl)
-	{
-		while ((funcn=LIST_NEXT(funcl,next))) funcl = funcn;
-		LIST_INSERT_AFTER(funcl, entry, next);
-	}
-	else
-		LIST_INSERT_HEAD(head, entry, next);
+	struct func_list *tail, *item;
+	LIST_TAIL(head, tail, item);
+	LIST_INSERT_TAIL(head, tail, entry, next);
+
 	return entry;
 }
-static void funclist_entry_destroy(struct func_list *entry)
+static struct func_list *funclist_entry_copy(const struct func_list *entry)
 {
-	free(entry->func);
-	ptrlist_destroy(&entry->args);
-	free(entry);
-}
-void funclist_destroy(struct func_list_head *head)
-{
-	struct func_list *entry;
-	while ((entry = LIST_FIRST(head)))
+	struct func_list *e2 = funclist_entry_alloc(entry->func);
+	if (!e2) return NULL;
+	e2->payload_type = entry->payload_type;
+	e2->range_in = entry->range_in;
+	e2->range_out = entry->range_out;
+	if (!str2list_copy(&e2->args, &entry->args))
 	{
-		LIST_REMOVE(entry, next);
-		funclist_entry_destroy(entry);
+		funclist_entry_destroy(e2);
+		return false;
 	}
+	return e2;
+}
+bool funclist_copy(struct func_list_head *to, const struct func_list_head *from)
+{
+	struct func_list *tail, *item, *entry;
+
+	LIST_TAIL(to, tail, item);
+	LIST_FOREACH(item, from, next)
+	{
+		if (!(entry = funclist_entry_copy(item))) return false;
+		LIST_INSERT_TAIL(to, tail, entry, next);
+		tail = tail ? LIST_NEXT(tail, next) : LIST_FIRST(to);
+	}
+	return true;
 }


@@ -333,16 +395,36 @@ void hostlist_files_reset_modtime(struct hostlist_files_head *list)
 		FILE_MOD_RESET(&hfile->mod_sig);
 }

-struct hostlist_item *hostlist_collection_add(struct hostlist_collection_head *head, struct hostlist_file *hfile)
+static struct hostlist_item *hostlist_collection_entry_alloc(struct hostlist_file *hfile)
 {
 	struct hostlist_item *entry = malloc(sizeof(struct hostlist_item));
-	if (entry)
-	{
-		entry->hfile = hfile;
-		LIST_INSERT_HEAD(head, entry, next);
-	}
+	if (entry) entry->hfile = hfile;
 	return entry;
 }
+struct hostlist_item *hostlist_collection_add(struct hostlist_collection_head *head, struct hostlist_file *hfile)
+{
+	struct hostlist_item *entry = hostlist_collection_entry_alloc(hfile);
+	if (entry) LIST_INSERT_HEAD(head, entry, next);
+	return entry;
+}
+static struct hostlist_item *hostlist_collection_entry_copy(const struct hostlist_item *entry)
+{
+	return hostlist_collection_entry_alloc(entry->hfile);
+}
+bool hostlist_collection_copy(struct hostlist_collection_head *to, const struct hostlist_collection_head *from)
+{
+	struct hostlist_item *tail, *item, *entry;
+
+	LIST_TAIL(to, tail, item);
+	LIST_FOREACH(item, from, next)
+	{
+		if (!(entry = hostlist_collection_entry_copy(item))) return false;
+		LIST_INSERT_TAIL(to, tail, entry, next);
+		tail = tail ? LIST_NEXT(tail, next) : LIST_FIRST(to);
+	}
+	return true;
+}
+
 void hostlist_collection_destroy(struct hostlist_collection_head *head)
 {
 	struct hostlist_item *entry;
@@ -579,16 +661,36 @@ void ipset_files_reset_modtime(struct ipset_files_head *list)
 		FILE_MOD_RESET(&hfile->mod_sig);
 }

-struct ipset_item *ipset_collection_add(struct ipset_collection_head *head, struct ipset_file *hfile)
+static struct ipset_item *ipset_collection_entry_alloc(struct ipset_file *hfile)
 {
 	struct ipset_item *entry = malloc(sizeof(struct ipset_item));
-	if (entry)
-	{
-		entry->hfile = hfile;
-		LIST_INSERT_HEAD(head, entry, next);
-	}
+	if (entry) entry->hfile = hfile;
 	return entry;
 }
+struct ipset_item *ipset_collection_add(struct ipset_collection_head *head, struct ipset_file *hfile)
+{
+	struct ipset_item *entry = ipset_collection_entry_alloc(hfile);
+	if (entry) LIST_INSERT_HEAD(head, entry, next);
+	return entry;
+}
+static struct ipset_item *ipset_collection_entry_copy(const struct ipset_item *entry)
+{
+	return ipset_collection_entry_alloc(entry->hfile);
+}
+bool ipset_collection_copy(struct ipset_collection_head *to, const struct ipset_collection_head *from)
+{
+	struct ipset_item *tail, *item, *entry;
+
+	LIST_TAIL(to, tail, item);
+	LIST_FOREACH(item, from, next)
+	{
+		if (!(entry = ipset_collection_entry_copy(item))) return false;
+		LIST_INSERT_TAIL(to, tail, entry, next);
+		tail = tail ? LIST_NEXT(tail, next) : LIST_FIRST(to);
+	}
+	return true;
+}
+
 void ipset_collection_destroy(struct ipset_collection_head *head)
 {
 	struct ipset_item *entry;
@@ -645,7 +747,7 @@ bool port_filters_in_range(const struct port_filters_head *head, uint16_t port)
 {
 	const struct port_filter_item *item;

-	if (!LIST_FIRST(head)) return true;
+	if (LIST_EMPTY(head)) return true;
 	LIST_FOREACH(item, head, next)
 	{
 		if (pf_in_range(port, &item->pf))
@@ -656,7 +758,7 @@ bool port_filters_in_range(const struct port_filters_head *head, uint16_t port)
 bool port_filters_deny_if_empty(struct port_filters_head *head)
 {
 	port_filter pf;
-	if (LIST_FIRST(head)) return true;
+	if (!LIST_EMPTY(head)) return true;
 	return pf_parse("0",&pf) && port_filter_add(head,&pf);
 }

@@ -667,15 +769,9 @@ struct blob_item *blob_collection_add(struct blob_collection_head *head)
 	struct blob_item *entry = calloc(1,sizeof(struct blob_item));
 	if (entry)
 	{
-		// insert to the end
-		struct blob_item *itemc,*iteml=LIST_FIRST(head);
-		if (iteml)
-		{
-			while ((itemc=LIST_NEXT(iteml,next))) iteml = itemc;
-			LIST_INSERT_AFTER(iteml, entry, next);
-		}
-		else
-			LIST_INSERT_HEAD(head, entry, next);
+		struct blob_item *tail, *item;
+		LIST_TAIL(head, tail, item);
+		LIST_INSERT_TAIL(head, tail, entry, next);
 	}
 	return entry;
 }
@@ -693,14 +789,9 @@ struct blob_item *blob_collection_add_blob(struct blob_collection_head *head, co
 	entry->size_buf = size+size_reserve;

 	// insert to the end
-	struct blob_item *itemc,*iteml=LIST_FIRST(head);
-	if (iteml)
-	{
-		while ((itemc=LIST_NEXT(iteml,next))) iteml = itemc;
-		LIST_INSERT_AFTER(iteml, entry, next);
-	}
-	else
-		LIST_INSERT_HEAD(head, entry, next);
+	struct blob_item *tail, *item;
+	LIST_TAIL(head, tail, item);
+	LIST_INSERT_TAIL(head, tail, entry, next);

 	return entry;
 }
@@ -725,7 +816,7 @@ void blob_collection_destroy(struct blob_collection_head *head)
 }
 bool blob_collection_empty(const struct blob_collection_head *head)
 {
-	return !LIST_FIRST(head);
+	return LIST_EMPTY(head);
 }
 struct blob_item *blob_collection_search_name(struct blob_collection_head *head, const char *name)
 {
--- a/nfq2/pools.h
+++ b/nfq2/pools.h
@@ -17,6 +17,17 @@

 #define HOSTLIST_POOL_FLAG_STRICT_MATCH		1

+#define LIST_TAIL(head, tail, temp) {\
+	tail=LIST_FIRST(head); \
+	if (tail) while ((temp=LIST_NEXT(tail,next))) tail = temp; }
+
+#define LIST_INSERT_TAIL(head, tail, elm, field) { \
+	if (LIST_FIRST(head)) \
+		LIST_INSERT_AFTER(tail, elm, field); \
+	else \
+		LIST_INSERT_HEAD(head, elm, field); }
+
+
 typedef struct hostlist_pool {
 	char *str;		/* key */
 	uint32_t flags;		/* custom data */
@@ -38,25 +49,28 @@ bool strlist_add(struct str_list_head *head, const char *str);
 bool strlist_add_tail(struct str_list_head *head, const char *str);
 void strlist_destroy(struct str_list_head *head);
 bool strlist_search(const struct str_list_head *head, const char *str);
+bool strlist_copy(struct str_list_head *to, const struct str_list_head *from);

-struct ptr_list {
-	void *ptr1,*ptr2;
-	LIST_ENTRY(ptr_list) next;
+struct str2_list {
+	char *str1,*str2;
+	LIST_ENTRY(str2_list) next;
 };
-LIST_HEAD(ptr_list_head, ptr_list);
+LIST_HEAD(str2_list_head, str2_list);

-struct ptr_list *ptrlist_add(struct ptr_list_head *head);
-void ptrlist_destroy(struct ptr_list_head *head);
+struct str2_list *str2list_add(struct str2_list_head *head);
+bool str2list_copy(struct str2_list_head *to, const struct str2_list_head *from);
+void str2list_destroy(struct str2_list_head *head);

 struct func_list {
 	char *func;
 	uint64_t payload_type;
 	struct packet_range range_in, range_out;
-	struct ptr_list_head args;
+	struct str2_list_head args;
 	LIST_ENTRY(func_list) next;
 };
 LIST_HEAD(func_list_head, func_list);
 struct func_list *funclist_add_tail(struct func_list_head *head, const char *func);
+bool funclist_copy(struct func_list_head *to, const struct func_list_head *from);
 void funclist_destroy(struct func_list_head *head);


@@ -96,6 +110,7 @@ struct hostlist_item {
 LIST_HEAD(hostlist_collection_head, hostlist_item);
 struct hostlist_item *hostlist_collection_add(struct hostlist_collection_head *head, struct hostlist_file *hfile);
 void hostlist_collection_destroy(struct hostlist_collection_head *head);
+bool hostlist_collection_copy(struct hostlist_collection_head *to, const struct hostlist_collection_head *from);
 struct hostlist_item *hostlist_collection_search(struct hostlist_collection_head *head, const char *filename);
 bool hostlist_collection_is_empty(const struct hostlist_collection_head *head);

@@ -158,6 +173,7 @@ struct ipset_item {
 };
 LIST_HEAD(ipset_collection_head, ipset_item);
 struct ipset_item * ipset_collection_add(struct ipset_collection_head *head, struct ipset_file *hfile);
+bool ipset_collection_copy(struct ipset_collection_head *to, const struct ipset_collection_head *from);
 void ipset_collection_destroy(struct ipset_collection_head *head);
 struct ipset_item *ipset_collection_search(struct ipset_collection_head *head, const char *filename);
 bool ipset_collection_is_empty(const struct ipset_collection_head *head);
--- a/nfq2/protocol.c
+++ b/nfq2/protocol.c
@@ -48,7 +48,7 @@ bool l7_proto_match(t_l7proto l7proto, uint64_t filter_l7)
 static const char *l7payload_name[] = {
 "all","unknown","empty","known","http_req","http_reply","tls_client_hello","tls_server_hello","quic_initial",
 "wireguard_initiation","wireguard_response","wireguard_cookie","wireguard_keepalive","wireguard_data",
- "dht","discord_ip_discovery","stun_binding_req",
+ "dht","discord_ip_discovery","stun",
 "xmpp_stream", "xmpp_starttls", "xmpp_proceed", "xmpp_features",
 "dns_query", "dns_response",
 "mtproto_initial"};
@@ -66,6 +66,35 @@ bool l7_payload_match(t_l7payload l7payload, uint64_t filter_l7p)
 {
 	return filter_l7p==L7P_ALL || (filter_l7p & (1<<l7payload)) || (filter_l7p & (1<<L7P_KNOWN)) && l7payload>L7P_KNOWN && l7payload<L7P_LAST;
 }
+bool l7_payload_str_list(uint64_t l7p, char *buf, size_t size)
+{
+	char *p;
+	const char *pstr;
+	size_t lstr;
+	t_l7payload pl;
+
+	if (!size) return false;
+	if (l7p==L7P_ALL)
+	{
+		if (size<4) return false;
+		memcpy(buf,"all",4);
+		return true;
+	}
+	for(pl=0, p=buf, *buf=0 ; pl<L7P_LAST ; pl++)
+	{
+		if (l7p & (1<<pl))
+		{
+			pstr = l7payload_str(pl);
+			lstr = strlen(pstr);
+			if (size < ((p!=buf) + lstr + 1)) return false;
+			if (p!=buf) *p++=','; // not first
+			memcpy(p,pstr,lstr);
+			p[lstr]=0;
+			p+=lstr;
+		}
+	}
+	return true;
+}


 static const char *posmarker_names[] = {"abs","host","endhost","sld","midsld","endsld","method","extlen","sniext"};
@@ -339,8 +368,10 @@ bool HttpReplyLooksLikeDPIRedirect(const uint8_t *data, size_t len, const char *
 	
 	// extract 2nd level domains
 	const char *dhost, *drhost;
-	if (!FindNLD((uint8_t*)host,strlen(host),2,(const uint8_t**)&dhost,NULL) || !FindNLD((uint8_t*)redirect_host,strlen(redirect_host),2,(const uint8_t**)&drhost,NULL))
+	if (!FindNLD((uint8_t*)redirect_host,strlen(redirect_host),2,(const uint8_t**)&drhost,NULL))
 		return false;
+	if (!FindNLD((uint8_t*)host,strlen(host),2,(const uint8_t**)&dhost,NULL))
+		return true; // no SLD redirects to SLD

 	// compare 2nd level domains		
 	return strcasecmp(dhost, drhost)!=0;
@@ -819,7 +850,7 @@ bool TLSMod(const struct fake_tls_mod *tls_mod, const uint8_t *payload, size_t p
 	{
 		if (tls_mod->mod & FAKE_TLS_MOD_DUP_SID)
 		{
-			if (IsTLSClientHello(payload, payload_len, false))
+			if (IsTLSClientHelloPartial(payload, payload_len))
 			{
 				if (payload_len < 44)
 				{
@@ -1380,11 +1411,11 @@ bool IsDiscordIpDiscoveryRequest(const uint8_t *data, size_t len)
 		!memcmp(data+8,"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",64);
 		// address is not set in request
 }
-bool IsStunBindingRequest(const uint8_t *data, size_t len)
+bool IsStunMessage(const uint8_t *data, size_t len)
 {
 	return len>=20 && // header size
-		data[0]==0 && data[1]==1 &&
-		(data[3]&0b11)==0 && // length must be a multiple of 4
+		(data[0]&0xC0)==0 && // 2 most significant bits must be zeroes
+		(data[3]&3)==0 && // length must be a multiple of 4
 		ntohl(*(uint32_t*)(&data[4]))==0x2112A442 && // magic cookie
 		ntohs(*(uint16_t*)(&data[2]))==len-20;
 }
--- a/nfq2/protocol.h
+++ b/nfq2/protocol.h
@@ -42,7 +42,7 @@ typedef enum {
 	L7P_WIREGUARD_DATA,
 	L7P_DHT,
 	L7P_DISCORD_IP_DISCOVERY,
-	L7P_STUN_BINDING_REQ,
+	L7P_STUN,
 	L7P_XMPP_STREAM,
 	L7P_XMPP_STARTTLS,
 	L7P_XMPP_PROCEED,
@@ -55,6 +55,7 @@ typedef enum {
 t_l7payload l7payload_from_name(const char *name);
 const char *l7payload_str(t_l7payload l7);
 bool l7_payload_match(t_l7payload l7payload, uint64_t filter_l7p);
+bool l7_payload_str_list(uint64_t l7p, char *buf, size_t size);

 typedef enum {
 	PM_ABS=0,
@@ -126,7 +127,7 @@ bool TLSHelloExtractHostFromHandshake(const uint8_t *data, size_t len, char *hos

 struct fake_tls_mod
 {
-	char sni[128];
+	char sni[256];
 	uint32_t mod;
 };
 #define FAKE_TLS_MOD_RND		0x01
@@ -152,7 +153,7 @@ bool IsWireguardKeepalive(const uint8_t *data, size_t len);
 bool IsWireguardData(const uint8_t *data, size_t len);
 bool IsDht(const uint8_t *data, size_t len);
 bool IsDiscordIpDiscoveryRequest(const uint8_t *data, size_t len);
-bool IsStunBindingRequest(const uint8_t *data, size_t len);
+bool IsStunMessage(const uint8_t *data, size_t len);
 bool IsMTProto(const uint8_t *data, size_t len);

 #define QUIC_MAX_CID_LENGTH  20