From 62ec6c57498e97be490bb78d38cc5da81e352f31 Mon Sep 17 00:00:00 2001
From: OpenCode Agent <agent@stitch505.su>
Date: Sun, 10 May 2026 22:41:08 +0400
Subject: [PATCH] fix(core): critical fixes for service menu, autotest,
 strategy runner, dependencies

- service.sh: split service_remove into internal (no prompts) and interactive
  versions to prevent 'eternal wait' when installing new strategy.
  Install now calls service_remove_internal > /dev/null instead of service_remove.
  Also filter strategy list to general*.sh only to avoid clutter.
  Systemd ExecStart now points to run_strategy.sh <name> consistently.

- run_strategy.sh: add SIGTERM/SIGINT trap cleanup_strategy() that kills nfqws
  and cleans up firewall. Prevents stale nfqws/firewall rules after autotest kill.
  Also handles nfqws exit gracefully with final cleanup.

- autotest.sh: rewritten to test strategies by config name (not wrapper filename).
  Stop now sends SIGTERM to wrapper (which triggers trap cleanup) instead of
  bare kill. Added extra sleep after stop to let trap fire.
  Auto-install ExecStart fixed to run_strategy.sh <strategy>.

- setup.sh: added libmnl-dev and zlib1g-dev to Ubuntu/Debian dependency install
  to prevent build failures (missing libmnl/libmnl.h and zlib.h).

- general*.sh: removed UTF-8 BOM (0xEF 0xBB 0xBF) that caused 'exec format error'
  when running scripts on Linux. All 19 wrappers cleaned.

- ensure_wrappers.sh: always rewrite wrappers to ensure no stale BOM or paths.

Fixes: eternal wait on menu option 1, nfqws build failure, stale processes after test.
---
 autotest.sh                   | 82 ++++++++++++++++++-----------------
 ensure_wrappers.sh            | 15 +++----
 general.sh                    |  3 +-
 general_ALT.sh                |  2 +-
 general_ALT10.sh              |  2 +-
 general_ALT11.sh              |  2 +-
 general_ALT2.sh               |  2 +-
 general_ALT3.sh               |  2 +-
 general_ALT4.sh               |  2 +-
 general_ALT5.sh               |  2 +-
 general_ALT6.sh               |  2 +-
 general_ALT7.sh               |  2 +-
 general_ALT8.sh               |  2 +-
 general_ALT9.sh               |  2 +-
 general_FAKE_TLS_AUTO.sh      |  2 +-
 general_FAKE_TLS_AUTO_ALT.sh  |  2 +-
 general_FAKE_TLS_AUTO_ALT2.sh |  2 +-
 general_FAKE_TLS_AUTO_ALT3.sh |  2 +-
 general_SIMPLE_FAKE.sh        |  2 +-
 general_SIMPLE_FAKE_ALT.sh    |  2 +-
 general_SIMPLE_FAKE_ALT2.sh   |  2 +-
 install.sh                    |  0
 install_nfqws.sh              |  0
 lib/download_helper.sh        |  0
 lib/functions.sh              |  0
 prepare_offline_bundle.sh     |  0
 run_strategy.sh               | 32 ++++++++++++--
 service.sh                    | 33 ++++++++------
 setup.sh                      |  2 +-
 sync_from_upstream.sh         |  0
 update.sh                     |  0
 utils/test_zapret.sh          |  0
 32 files changed, 118 insertions(+), 85 deletions(-)
 mode change 100644 => 100755 autotest.sh
 mode change 100644 => 100755 ensure_wrappers.sh
 mode change 100644 => 100755 general.sh
 mode change 100644 => 100755 general_ALT.sh
 mode change 100644 => 100755 general_ALT10.sh
 mode change 100644 => 100755 general_ALT11.sh
 mode change 100644 => 100755 general_ALT2.sh
 mode change 100644 => 100755 general_ALT3.sh
 mode change 100644 => 100755 general_ALT4.sh
 mode change 100644 => 100755 general_ALT5.sh
 mode change 100644 => 100755 general_ALT6.sh
 mode change 100644 => 100755 general_ALT7.sh
 mode change 100644 => 100755 general_ALT8.sh
 mode change 100644 => 100755 general_ALT9.sh
 mode change 100644 => 100755 general_FAKE_TLS_AUTO.sh
 mode change 100644 => 100755 general_FAKE_TLS_AUTO_ALT.sh
 mode change 100644 => 100755 general_FAKE_TLS_AUTO_ALT2.sh
 mode change 100644 => 100755 general_FAKE_TLS_AUTO_ALT3.sh
 mode change 100644 => 100755 general_SIMPLE_FAKE.sh
 mode change 100644 => 100755 general_SIMPLE_FAKE_ALT.sh
 mode change 100644 => 100755 general_SIMPLE_FAKE_ALT2.sh
 mode change 100644 => 100755 install.sh
 mode change 100644 => 100755 install_nfqws.sh
 mode change 100644 => 100755 lib/download_helper.sh
 mode change 100644 => 100755 lib/functions.sh
 mode change 100644 => 100755 prepare_offline_bundle.sh
 mode change 100644 => 100755 run_strategy.sh
 mode change 100644 => 100755 service.sh
 mode change 100644 => 100755 setup.sh
 mode change 100644 => 100755 sync_from_upstream.sh
 mode change 100644 => 100755 update.sh
 mode change 100644 => 100755 utils/test_zapret.sh

diff --git a/autotest.sh b/autotest.sh
old mode 100644
new mode 100755
index b45e5c1..ef3d234
--- a/autotest.sh
+++ b/autotest.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# autotest.sh - Automatic strategy tester
+# autotest.sh - Automatic strategy tester v2
 # Iterates through all strategies, checks connectivity, suggests installation
 
 set -e
@@ -16,25 +16,25 @@ TEST_URLS=(
 
 # Strategy order (most common first)
 STRATEGIES=(
-    general.sh
-    general_ALT.sh
-    general_ALT2.sh
-    general_ALT3.sh
-    general_ALT4.sh
-    general_ALT6.sh
-    general_ALT7.sh
-    general_ALT8.sh
-    general_ALT9.sh
-    general_ALT10.sh
-    general_ALT11.sh
-    general_FAKE_TLS_AUTO.sh
-    general_FAKE_TLS_AUTO_ALT.sh
-    general_FAKE_TLS_AUTO_ALT2.sh
-    general_FAKE_TLS_AUTO_ALT3.sh
-    general_SIMPLE_FAKE.sh
-    general_SIMPLE_FAKE_ALT.sh
-    general_SIMPLE_FAKE_ALT2.sh
-    general_ALT5.sh   # NOT RECOMMENDED, last
+    general
+    ALT
+    ALT2
+    ALT3
+    ALT4
+    ALT6
+    ALT7
+    ALT8
+    ALT9
+    ALT10
+    ALT11
+    FAKE_TLS_AUTO
+    FAKE_TLS_AUTO_ALT
+    FAKE_TLS_AUTO_ALT2
+    FAKE_TLS_AUTO_ALT3
+    SIMPLE_FAKE
+    SIMPLE_FAKE_ALT
+    SIMPLE_FAKE_ALT2
+    ALT5   # NOT RECOMMENDED, last
 )
 
 # Test a single URL
@@ -75,18 +75,18 @@ test_strategy() {
 # Run a strategy with timeout
 run_strategy_test() {
     local strategy="$1"
-    local strategy_path="$SCRIPT_DIR/$strategy"
-    local strategy_name="${strategy%.sh}"
+    local strategy_path="$SCRIPT_DIR/run_strategy.sh"
+    local strategy_name="$strategy"
 
     echo ""
     echo "=============================================="
     echo "  Testing: $strategy_name"
-    echo "  $(describe_strategy "$strategy_path")"
+    echo "  $(describe_strategy "$SCRIPT_DIR/general_${strategy}.sh")"
     echo "=============================================="
 
-    # Check if strategy file exists
-    if [[ ! -f "$strategy_path" ]]; then
-        print_yellow "  [!] Strategy file not found, skipping..."
+    # Check if strategy config exists
+    if [[ ! -f "$SCRIPT_DIR/strategies/${strategy}.conf" ]]; then
+        print_yellow "  [!] Strategy config not found, skipping..."
         return 1
     fi
 
@@ -94,9 +94,9 @@ run_strategy_test() {
     cleanup_firewall >/dev/null 2>&1 || true
     sleep 1
 
-    # Start strategy in background
+    # Start strategy in background (run_strategy.sh handles its own cleanup on signals)
     echo "  [*] Starting $strategy_name..."
-    "$strategy_path" >/dev/null 2>&1 &
+    "$strategy_path" "$strategy" >/dev/null 2>&1 &
     local strategy_pid=$!
 
     # Wait for nfqws to initialize
@@ -109,6 +109,7 @@ run_strategy_test() {
         kill "$strategy_pid" 2>/dev/null || true
         wait "$strategy_pid" 2>/dev/null || true
         cleanup_firewall >/dev/null 2>&1 || true
+        sleep 1
         return 1
     fi
 
@@ -120,8 +121,12 @@ run_strategy_test() {
 
     # Stop strategy
     echo "  [*] Stopping $strategy_name..."
-    # Kill wrapper first, then cleanup_firewall will kill nfqws
-    kill "$strategy_pid" 2>/dev/null || true
+    # Send SIGTERM to wrapper — it will cleanup firewall + nfqws via trap
+    kill -TERM "$strategy_pid" 2>/dev/null || true
+    # Give trap time to fire and cleanup
+    sleep 2
+    # Ensure nfqws is gone
+    pkill -f "nfqws.*qnum=$NFQUEUE_NUM" 2>/dev/null || true
     wait "$strategy_pid" 2>/dev/null || true
     cleanup_firewall >/dev/null 2>&1 || true
     sleep 1
@@ -177,7 +182,7 @@ main() {
     for strat in "${STRATEGIES[@]}"; do
         if run_strategy_test "$strat"; then
             working_strategy="$strat"
-            working_desc="$(describe_strategy "$SCRIPT_DIR/$strat")"
+            working_desc="$(describe_strategy "$SCRIPT_DIR/general_${strat}.sh")"
             break
         fi
     done
@@ -186,7 +191,7 @@ main() {
     echo "=============================================="
     if [[ -n "$working_strategy" ]]; then
         print_green "  WORKING STRATEGY FOUND!"
-        print_green "  Strategy: ${working_strategy%.sh}"
+        print_green "  Strategy: $working_strategy"
         print_green "  Desc: $working_desc"
         echo "=============================================="
         echo ""
@@ -195,17 +200,17 @@ main() {
             echo "[*] Auto-installing to systemd..."
             # Write strategy marker directly
             mkdir -p "$SCRIPT_DIR/.service"
-            echo "${working_strategy%.sh}" > "$SCRIPT_DIR/.service/installed_strategy"
+            echo "$working_strategy" > "$SCRIPT_DIR/.service/installed_strategy"
 
             local service_path="$SYSTEMD_DIR/zapret.service"
             cat > "$service_path" <<EOF
 [Unit]
-Description=Zapret DPI bypass (strategy: ${working_strategy%.sh})
+Description=Zapret DPI bypass (strategy: $working_strategy)
 After=network.target
 
 [Service]
 Type=simple
-ExecStart=$SCRIPT_DIR/$working_strategy
+ExecStart=$SCRIPT_DIR/run_strategy.sh $working_strategy
 Restart=on-failure
 RestartSec=5
 StandardOutput=journal
@@ -228,12 +233,11 @@ EOF
             echo ""
             echo "       sudo ./service.sh"
             echo "       → 1. Install Service"
-            echo "       → Choose: ${working_strategy%.sh}"
+            echo "       → Choose: $working_strategy"
             echo ""
             read -rp "Install this strategy to systemd now? [Y/n]: " ans
             if [[ "${ans:-Y}" == [yY]* ]]; then
-                bash "$SCRIPT_DIR/service.sh" >&1 &
-                # The service.sh menu will handle installation
+                bash "$SCRIPT_DIR/service.sh"
             fi
         fi
     else
@@ -243,7 +247,7 @@ EOF
         echo "[*] Suggestions:"
         echo "    - Try adding custom domains to lists/list-general-user.txt"
         echo "    - Check that Secure DNS is enabled"
-        echo "    - Try modifying strategy parameters manually in run_strategy.sh"
+        echo "    - Try modifying strategy parameters manually in strategies/*.conf"
         echo "    - Check diagnostics: sudo ./service.sh → 10. Run Diagnostics"
     fi
 
diff --git a/ensure_wrappers.sh b/ensure_wrappers.sh
old mode 100644
new mode 100755
index 0a10ed1..4639720
--- a/ensure_wrappers.sh
+++ b/ensure_wrappers.sh
@@ -10,22 +10,21 @@ for conf in "$SCRIPT_DIR/strategies"/*.conf; do
     [[ -f "$conf" ]] || continue
     name=$(basename "$conf" .conf)
     wrapper="$SCRIPT_DIR/general_${name}.sh"
-    
+
     # Skip general.sh as special case (name = general)
     if [[ "$name" == "general" ]]; then
         wrapper="$SCRIPT_DIR/general.sh"
     fi
-    
-    if [[ ! -f "$wrapper" ]]; then
-        echo "[*] Creating wrapper: $(basename "$wrapper") → $name"
-        cat > "$wrapper" <<EOF
+
+    # Always rewrite wrapper to ensure consistency (no BOM, correct shebang)
+    cat > "$wrapper" <<EOF
 #!/bin/bash
 # Auto-generated wrapper: $name
-SCRIPT_DIR="\$(cd "\$(dirname "\${BASH_SOURCE[0]}")" && pwd)"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 exec "\$SCRIPT_DIR/run_strategy.sh" "$name"
 EOF
-        chmod +x "$wrapper"
-    fi
+    chmod +x "$wrapper"
+    echo "[*] Wrapper updated: $(basename "$wrapper") → $name"
 done
 
 echo "[OK] All wrappers checked."
diff --git a/general.sh b/general.sh
old mode 100644
new mode 100755
index 9c316fd..c8ba450
--- a/general.sh
+++ b/general.sh
@@ -1,4 +1,3 @@
-#!/bin/bash
+#!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 exec "$SCRIPT_DIR/run_strategy.sh" "general"
-
diff --git a/general_ALT.sh b/general_ALT.sh
old mode 100644
new mode 100755
index 51e1611..869536f
--- a/general_ALT.sh
+++ b/general_ALT.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 exec "$SCRIPT_DIR/run_strategy.sh" "ALT"
 
diff --git a/general_ALT10.sh b/general_ALT10.sh
old mode 100644
new mode 100755
index fc8276e..e41eca0
--- a/general_ALT10.sh
+++ b/general_ALT10.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 exec "$SCRIPT_DIR/run_strategy.sh" "ALT10"
 
diff --git a/general_ALT11.sh b/general_ALT11.sh
old mode 100644
new mode 100755
index df462a0..721d186
--- a/general_ALT11.sh
+++ b/general_ALT11.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 exec "$SCRIPT_DIR/run_strategy.sh" "ALT11"
 
diff --git a/general_ALT2.sh b/general_ALT2.sh
old mode 100644
new mode 100755
index 96786fc..2f366ce
--- a/general_ALT2.sh
+++ b/general_ALT2.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 exec "$SCRIPT_DIR/run_strategy.sh" "ALT2"
 
diff --git a/general_ALT3.sh b/general_ALT3.sh
old mode 100644
new mode 100755
index f3b9ff9..4145c69
--- a/general_ALT3.sh
+++ b/general_ALT3.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 exec "$SCRIPT_DIR/run_strategy.sh" "ALT3"
 
diff --git a/general_ALT4.sh b/general_ALT4.sh
old mode 100644
new mode 100755
index 6af195b..c4e0ddb
--- a/general_ALT4.sh
+++ b/general_ALT4.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 exec "$SCRIPT_DIR/run_strategy.sh" "ALT4"
 
diff --git a/general_ALT5.sh b/general_ALT5.sh
old mode 100644
new mode 100755
index c2c4392..d7a3ae6
--- a/general_ALT5.sh
+++ b/general_ALT5.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 exec "$SCRIPT_DIR/run_strategy.sh" "ALT5"
 
diff --git a/general_ALT6.sh b/general_ALT6.sh
old mode 100644
new mode 100755
index 95ac126..ab647f0
--- a/general_ALT6.sh
+++ b/general_ALT6.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 exec "$SCRIPT_DIR/run_strategy.sh" "ALT6"
 
diff --git a/general_ALT7.sh b/general_ALT7.sh
old mode 100644
new mode 100755
index eda9e66..f7d46cd
--- a/general_ALT7.sh
+++ b/general_ALT7.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 exec "$SCRIPT_DIR/run_strategy.sh" "ALT7"
 
diff --git a/general_ALT8.sh b/general_ALT8.sh
old mode 100644
new mode 100755
index 95e7107..a02c4e9
--- a/general_ALT8.sh
+++ b/general_ALT8.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 exec "$SCRIPT_DIR/run_strategy.sh" "ALT8"
 
diff --git a/general_ALT9.sh b/general_ALT9.sh
old mode 100644
new mode 100755
index e7714ba..7b66e50
--- a/general_ALT9.sh
+++ b/general_ALT9.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 exec "$SCRIPT_DIR/run_strategy.sh" "ALT9"
 
diff --git a/general_FAKE_TLS_AUTO.sh b/general_FAKE_TLS_AUTO.sh
old mode 100644
new mode 100755
index ffc388b..5df10a2
--- a/general_FAKE_TLS_AUTO.sh
+++ b/general_FAKE_TLS_AUTO.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 exec "$SCRIPT_DIR/run_strategy.sh" "FAKE_TLS_AUTO"
 
diff --git a/general_FAKE_TLS_AUTO_ALT.sh b/general_FAKE_TLS_AUTO_ALT.sh
old mode 100644
new mode 100755
index 1e602cf..cf35e88
--- a/general_FAKE_TLS_AUTO_ALT.sh
+++ b/general_FAKE_TLS_AUTO_ALT.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 exec "$SCRIPT_DIR/run_strategy.sh" "FAKE_TLS_AUTO_ALT"
 
diff --git a/general_FAKE_TLS_AUTO_ALT2.sh b/general_FAKE_TLS_AUTO_ALT2.sh
old mode 100644
new mode 100755
index eb16ec1..12e98c0
--- a/general_FAKE_TLS_AUTO_ALT2.sh
+++ b/general_FAKE_TLS_AUTO_ALT2.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 exec "$SCRIPT_DIR/run_strategy.sh" "FAKE_TLS_AUTO_ALT2"
 
diff --git a/general_FAKE_TLS_AUTO_ALT3.sh b/general_FAKE_TLS_AUTO_ALT3.sh
old mode 100644
new mode 100755
index 18f9247..b4d3ab0
--- a/general_FAKE_TLS_AUTO_ALT3.sh
+++ b/general_FAKE_TLS_AUTO_ALT3.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 exec "$SCRIPT_DIR/run_strategy.sh" "FAKE_TLS_AUTO_ALT3"
 
diff --git a/general_SIMPLE_FAKE.sh b/general_SIMPLE_FAKE.sh
old mode 100644
new mode 100755
index ed1c6af..804616b
--- a/general_SIMPLE_FAKE.sh
+++ b/general_SIMPLE_FAKE.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 exec "$SCRIPT_DIR/run_strategy.sh" "SIMPLE_FAKE"
 
diff --git a/general_SIMPLE_FAKE_ALT.sh b/general_SIMPLE_FAKE_ALT.sh
old mode 100644
new mode 100755
index 3a9b2a7..2364704
--- a/general_SIMPLE_FAKE_ALT.sh
+++ b/general_SIMPLE_FAKE_ALT.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 exec "$SCRIPT_DIR/run_strategy.sh" "SIMPLE_FAKE_ALT"
 
diff --git a/general_SIMPLE_FAKE_ALT2.sh b/general_SIMPLE_FAKE_ALT2.sh
old mode 100644
new mode 100755
index 39223d5..215a442
--- a/general_SIMPLE_FAKE_ALT2.sh
+++ b/general_SIMPLE_FAKE_ALT2.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 exec "$SCRIPT_DIR/run_strategy.sh" "SIMPLE_FAKE_ALT2"
 
diff --git a/install.sh b/install.sh
old mode 100644
new mode 100755
diff --git a/install_nfqws.sh b/install_nfqws.sh
old mode 100644
new mode 100755
diff --git a/lib/download_helper.sh b/lib/download_helper.sh
old mode 100644
new mode 100755
diff --git a/lib/functions.sh b/lib/functions.sh
old mode 100644
new mode 100755
diff --git a/prepare_offline_bundle.sh b/prepare_offline_bundle.sh
old mode 100644
new mode 100755
diff --git a/run_strategy.sh b/run_strategy.sh
old mode 100644
new mode 100755
index 255b02a..cde089e
--- a/run_strategy.sh
+++ b/run_strategy.sh
@@ -2,8 +2,6 @@
 # run_strategy.sh - Generic strategy runner using .conf files
 # Loads strategies/strategy_name.conf, substitutes variables, runs nfqws.
 
-# set -e removed: nfqws may exit non-zero on SIGTERM; empty arrays are fine
-
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "$SCRIPT_DIR/lib/functions.sh"
 
@@ -102,4 +100,32 @@ done < "$TMP_ARGS"
 rm -f "$TMP_ARGS"
 trap - EXIT
 
-run_nfqws "$0" "${CLEAN_ARGS[@]}"
+# Setup firewall and start nfqws
+check_nfqws || exit 1
+tcp_enable_timestamps
+setup_firewall
+
+# Trap cleanup on SIGTERM/SIGINT (e.g. from systemd or autotest kill)
+cleanup_strategy() {
+    print_yellow ""
+    print_yellow "[*] Caught stop signal, cleaning up..."
+    pkill -f "nfqws.*qnum=$NFQUEUE_NUM" 2>/dev/null || true
+    cleanup_firewall >/dev/null 2>&1 || true
+    exit 0
+}
+trap cleanup_strategy SIGTERM SIGINT
+
+echo ""
+print_cyan "[*] Starting strategy: $STRATEGY"
+print_cyan "[*] $(describe_strategy "$SCRIPT_DIR/general_${STRATEGY}.sh")"
+echo ""
+
+# Start nfqws in background so this shell handles signals and cleanup
+"$BIN_DIR/nfqws" --qnum=$NFQUEUE_NUM "${CLEAN_ARGS[@]}" &
+NFQWS_PID=$!
+wait "$NFQWS_PID"
+EXIT_CODE=$?
+
+# If nfqws exited on its own, cleanup firewall
+cleanup_firewall >/dev/null 2>&1 || true
+exit $EXIT_CODE
diff --git a/service.sh b/service.sh
old mode 100644
new mode 100755
index 0cbaecc..ba7a3fb
--- a/service.sh
+++ b/service.sh
@@ -126,16 +126,14 @@ service_install() {
     while IFS= read -r -d '' f; do
         local name
         name=$(basename "$f")
-        [[ "$name" == service.sh ]] && continue
-        [[ "$name" == run_strategy.sh ]] && continue
-        [[ "$name" == install_nfqws.sh ]] && continue
-        [[ "$name" == lib ]] && continue
+        # Only list strategy wrappers (general*.sh), skip service/utility scripts
+        [[ "$name" == general*.sh ]] || continue
         files+=("$f")
         local desc
         desc=$(describe_strategy "$f")
         printf "    %2d. %-35s %s\n" "$i" "$name" "$desc"
         ((i++))
-    done < <(find "$SCRIPT_DIR" -maxdepth 1 -type f -name '*.sh' -print0 | sort -z)
+    done < <(find "$SCRIPT_DIR" -maxdepth 1 -type f -name 'general*.sh' -print0 | sort -z)
 
     echo ""
     read -rp "   Input file index (number): " choice
@@ -156,8 +154,8 @@ service_install() {
     echo ""
     echo "[*] Installing strategy: $strategy_name"
 
-    # Stop any existing service
-    service_remove >/dev/null 2>&1 || true
+    # Stop any existing service (internal — no prompts)
+    service_remove_internal > /dev/null 2>&1 || true
 
     # Write strategy marker
     mkdir -p "$SCRIPT_DIR/.service"
@@ -172,7 +170,7 @@ After=network.target
 
 [Service]
 Type=simple
-ExecStart=$selected
+ExecStart=$SCRIPT_DIR/run_strategy.sh $strategy_name
 Restart=on-failure
 RestartSec=5
 StandardOutput=journal
@@ -195,19 +193,16 @@ EOF
     else
         echo ""
         print_yellow "[!] systemctl not found. Service file created but not installed automatically."
-        echo "    To start manually: $selected"
+        echo "    To start manually: $SCRIPT_DIR/run_strategy.sh $strategy_name"
     fi
 
     read -rp "Press Enter to continue..."
 }
 
 # ============================================
-# SERVICE REMOVE
+# SERVICE REMOVE (internal — no prompts)
 # ============================================
-service_remove() {
-    echo ""
-    echo "[*] Removing services..."
-
+service_remove_internal() {
     # Stop systemd service
     if command -v systemctl >/dev/null 2>&1; then
         systemctl stop zapret.service 2>/dev/null || true
@@ -225,6 +220,16 @@ service_remove() {
 
     # Remove markers
     rm -f "$SCRIPT_DIR/.service/installed_strategy"
+}
+
+# ============================================
+# SERVICE REMOVE (interactive)
+# ============================================
+service_remove() {
+    echo ""
+    echo "[*] Removing services..."
+
+    service_remove_internal
 
     echo ""
     print_green "[OK] Services removed."
diff --git a/setup.sh b/setup.sh
old mode 100644
new mode 100755
index 1c12051..13d284c
--- a/setup.sh
+++ b/setup.sh
@@ -60,7 +60,7 @@ if [[ ${#missing[@]} -gt 0 ]]; then
     case "$DISTRO" in
         ubuntu|debian|linuxmint|pop)
             apt-get update
-            apt-get install -y curl git make gcc build-essential
+            apt-get install -y curl git make gcc build-essential libmnl-dev zlib1g-dev
             ;;
         arch|manjaro)
             pacman -Syu --noconfirm curl git make gcc
diff --git a/sync_from_upstream.sh b/sync_from_upstream.sh
old mode 100644
new mode 100755
diff --git a/update.sh b/update.sh
old mode 100644
new mode 100755
diff --git a/utils/test_zapret.sh b/utils/test_zapret.sh
old mode 100644
new mode 100755