v0.4.6

fix: hide extra configs for non-basic tabs

Dockerfile

@@ -1,6 +1,4 @@
-FROM openwrt/sdk:x86_64-v23.05.5
-
-RUN ./scripts/feeds update -a && ./scripts/feeds install luci-base && mkdir -p /builder/package/feeds/utilites/ && mkdir -p /builder/package/feeds/luci/
+FROM itdoginfo/openwrt-sdk:24.10.1
 
 COPY ./podkop /builder/package/feeds/utilites/podkop
 COPY ./luci-app-podkop /builder/package/feeds/luci/luci-app-podkop

Dockerfile-SDK

@@ -0,0 +1,3 @@
+FROM openwrt/sdk:x86_64-v24.10.1
+
+RUN ./scripts/feeds update -a && ./scripts/feeds install luci-base && mkdir -p /builder/package/feeds/utilites/ && mkdir -p /builder/package/feeds/luci/

README.md

@@ -1,15 +1,15 @@
 # Вещи, которые вам нужно знать перед установкой
 
-- Это альфа версия, которая находится в активной разработке. Из версии в версию что-то может меняться.
-- Основной функционал работает, но побочные штуки сейчас могут сбоить.
-- При обновлении **обязательно** сбрасывайте кэш LuCI.
+- Это бета-версия, которая находится в активной разработке. Из версии в версию что-то может меняться.
+- При возникновении проблем, нужен технически грамотный фидбэк в чат.
+- При обновлении **обязательно** [сбрасывайте кэш LuCI](https://podkop.net/docs/clearbrowsercache/).
 - Также при обновлении всегда заходите в конфигурацию и проверяйте свои настройки. Конфигурация может измениться.
-- Необходимо минимум 15МБ свободного места на роутере. Роутерами с флешками на 16МБ сразу мимо.
+- Необходимо минимум 15МБ свободного места на роутере. Роутеры с флешками на 16МБ сразу мимо.
 - При старте программы редактируется конфиг Dnsmasq.
 - Podkop редактирует конфиг sing-box. Обязательно сохраните ваш конфиг sing-box перед установкой, если он вам нужен.
-- Информация здесь может быть устаревшей. Все изменения фиксируются в телеграм-чате https://t.me/itdogchat - топик **Podkop**.
-- Если у вас не что-то не работает, то следуюет сходить в телеграм чат, прочитать закрепы и выполнить что там написано..
-- Если у вас установлен Getdomains, его следует удалить.
+- Информация здесь может быть устаревшей. Все изменения фиксируются в [телеграм-чате](https://t.me/itdogchat/81758/420321).
+- [Если у вас не что-то не работает.](https://podkop.net/docs/diagnostics/)
+- Если у вас установлен Getdomains, [его следует удалить](https://github.com/itdoginfo/domain-routing-openwrt?tab=readme-ov-file#%D1%81%D0%BA%D1%80%D0%B8%D0%BF%D1%82-%D0%B4%D0%BB%D1%8F-%D1%83%D0%B4%D0%B0%D0%BB%D0%B5%D0%BD%D0%B8%D1%8F).
 
 # Документация
 https://podkop.net/
@@ -17,7 +17,7 @@ https://podkop.net/
 # Установка Podkop
 Полная информация в [документации](https://podkop.net/docs/install/)
 
-Вкратце, достаточно одного скрипта:
+Вкратце, достаточно одного скрипта для установки и обновления:
 ```
 sh <(wget -O - https://raw.githubusercontent.com/itdoginfo/podkop/refs/heads/main/install.sh)
 ```
@@ -27,12 +27,28 @@ sh <(wget -O - https://raw.githubusercontent.com/itdoginfo/podkop/refs/heads/mai
 
 Основные задачи в issues.
 
-Низкий приоритет
-- [ ] Галочка, которая режет доступ к doh серверам
-- [ ] IPv6. Только после наполнения Wiki
+## Рефактор
+- [ ] Очевидные повторения в `/usr/bin/podkop` загнать в переменые
+- [ ] Возможно поменять структуру
 
-Рефактор
-- [ ] Handle для sing-box
-- [ ] Handle для dnsmasq
+## Списки
+- [ ] Speedtest
+- [x] Google AI
+- [x] Google PlayMarket. Здесь уточнить, что точно не работает через корректную настройку FakeIP, а не dnsmasq+nft.
+- [x] Hetzner ASN (AS24940)
+- [x] OVH ASN (AS16276)
+
+## Будущее
+- [ ] После наполнения вики про туннели, убрать всё что связано с их установкой из скрипта. Только с AWG что-то решить, лучше чтоб был скрипт в сторонем репозитории. 
+- [ ] Подписка. Здесь нужна реализация, чтоб для каждой секции помимо ручного выбора, был выбор фильтрации по тегу. Например, для main выбираем ключевые слова NL, DE, FI. А для extra секции фильтруем по RU. И создаётся outbound c urltest в которых перечислены outbound из фильтров.
+- [ ] Опция, когда все запросы (с роутера в первую очередь), а не только br-lan идут в прокси. С этим связана #95. Требуется много переделать для nftables.
+- [ ] Весь трафик в Proxy\VPN. Вопрос, что делать с экстрасекциями в этом случае. FakeIP здесь скорее не нужен, а значит только main секция остаётся. Всё что касается fakeip проверок, придётся выключать в этом режиме.
+- [ ] Поддержка Source format. Нужна расшифровка в json и если присуствуют подсети, заносить их в custom subnet nftset.
+- [ ] Переделывание функции формирования кастомных списков в JSON. Обрабатывать сразу скопом, а не по одному.
+- [ ] При успешном запуске переходит в фоновый режим и следит за состоянием sing-box. Если вдруг идёт exit 1, выполняется dnsmasq restore и снова следит за состоянием. Вопрос в том, как это искусcтвенно провернуть. Попробовать положить прокси и посмотреть, останется ли работать DNS в этом случае. И здесь, вероятно, можно обойтись триггером в init.d.
+- [ ] Галочка, которая режет доступ к doh серверам.
+- [ ] IPv6. Только после наполнения Wiki.
+
+## Тесты
 - [ ] Unit тесты (BATS)
-- [ ] Интеграционые тесты бекенда (OpenWrt rootfs + BATS)
+- [ ] Интеграционые тесты бекенда (OpenWrt rootfs + BATS)

install.sh

@@ -1,66 +1,35 @@
 #!/bin/sh
 
 REPO="https://api.github.com/repos/itdoginfo/podkop/releases/latest"
-
-IS_SHOULD_RESTART_NETWORK=
 DOWNLOAD_DIR="/tmp/podkop"
 COUNT=3
-UPGRADE=0
 
 rm -rf "$DOWNLOAD_DIR"
 mkdir -p "$DOWNLOAD_DIR"
 
-for arg in "$@"; do
-    if [ "$arg" = "--upgrade" ]; then
-        UPGRADE=1
-    fi
-done
+msg() {
+    printf "\033[32;1m%s\033[0m\n" "$1"
+}
 
 main() {
     check_system
     sing_box
-    
-    opkg update
+
+    /usr/sbin/ntpd -q -p 194.190.168.1 -p 216.239.35.0 -p 216.239.35.4 -p 162.159.200.1 -p 162.159.200.123
+
+    opkg update || { echo "opkg update failed"; exit 1; }
   
     if [ -f "/etc/init.d/podkop" ]; then
-        if [ "$UPGRADE" -eq 1 ]; then
-            echo "Upgraded podkop with flag..."
-            break
-        else
-            printf "\033[32;1mPodkop is already installed. Just upgrade it?\033[0m\n"
-            printf "\033[32;1my - Only upgrade podkop\033[0m\n"
-            printf "\033[32;1mn - Upgrade and install tunnels (WG, AWG, OpenVPN, OC)\033[0m\n"
-
-            while true; do
-                printf "\033[32;1mEnter (y/n): \033[0m"
-                read -r -p '' UPDATE
-                case $UPDATE in
-                y)
-                    echo "Upgraded podkop..."
-                    break
-                    ;;
-
-                n)
-                    add_tunnel
-                    break
-                    ;;
-
-                *)
-                    echo "Please enter y or n"
-                    ;;
-                esac
-            done
-        fi
+        msg "Podkop is already installed. Upgraded..."
     else
-        echo "Installed podkop..."
-        add_tunnel
+        msg "Installed podkop..."
     fi
     
     if command -v curl &> /dev/null; then
         check_response=$(curl -s "https://api.github.com/repos/itdoginfo/podkop/releases/latest")
 
         if echo "$check_response" | grep -q 'API rate limit '; then
-            echo "You've reached rate limit from GitHub. Repeat in five minutes."
+            msg "You've reached rate limit from GitHub. Repeat in five minutes."
             exit 1
         fi
     fi
@@ -72,33 +41,33 @@ main() {
                
         attempt=0
         while [ $attempt -lt $COUNT ]; do
-            echo "Download $filename (count $((attempt+1)))..."
+            msg "Download $filename (count $((attempt+1)))..."
             if wget -q -O "$filepath" "$url"; then
                 if [ -s "$filepath" ]; then
-                    echo "$filename successfully downloaded"
+                    msg "$filename successfully downloaded"
                     download_success=1
                     break
                 fi
             fi
-            echo "Download error $filename. Retry..."
+            msg "Download error $filename. Retry..."
             rm -f "$filepath"
             attempt=$((attempt+1))
         done
         
         if [ $attempt -eq $COUNT ]; then
-            echo "Failed to download $filename after $COUNT attempts"
+            msg "Failed to download $filename after $COUNT attempts"
         fi
     done < <(wget -qO- "$REPO" | grep -o 'https://[^"[:space:]]*\.ipk')
     
     if [ $download_success -eq 0 ]; then
-        echo "No packages were downloaded successfully"
+        msg "No packages were downloaded successfully"
         exit 1
     fi
     
     for pkg in podkop luci-app-podkop; do
         file=$(ls "$DOWNLOAD_DIR" | grep "^$pkg" | head -n 1)
         if [ -n "$file" ]; then
-            echo "Installing $file"
+            msg "Installing $file"
             opkg install "$DOWNLOAD_DIR/$file"
             sleep 3
         fi
@@ -106,340 +75,57 @@ main() {
 
     ru=$(ls "$DOWNLOAD_DIR" | grep "luci-i18n-podkop-ru" | head -n 1)
     if [ -n "$ru" ]; then
-        printf "\033[32;1mРусский язык интерфейса ставим? y/n (Need a Russian translation?)\033[0m "
-        while true; do
-            read -r -p '' RUS
-            case $RUS in
-            y)
+        if opkg list-installed | grep -q luci-i18n-podkop-ru; then
+                msg "Upgraded ru translation..."
+                opkg remove luci-i18n-podkop*
                 opkg install "$DOWNLOAD_DIR/$ru"
-                break
-                ;;
-            n)
-                break
-                ;;
-            *)
-                echo "Введите y или n"
-                ;;
-            esac
-        done
+        else
+            msg "Русский язык интерфейса ставим? y/n (Need a Russian translation?)"
+            while true; do
+                read -r -p '' RUS
+                case $RUS in
+                y)
+                    opkg remove luci-i18n-podkop*
+                    opkg install "$DOWNLOAD_DIR/$ru"
+                    break
+                    ;;
+                n)
+                    break
+                    ;;
+                *)
+                    echo "Введите y или n"
+                    ;;
+                esac
+            done
+        fi
     fi
 
     find "$DOWNLOAD_DIR" -type f -name '*podkop*' -exec rm {} \;
-
-    if [ "$IS_SHOULD_RESTART_NETWORK" ]; then
-        printf "\033[32;1mRestart network\033[0m\n"
-        /etc/init.d/network restart
-    fi
-}
-
-add_tunnel() {
-    printf "\033[32;1mWill you be using Wireguard, AmneziaWG, OpenVPN, OpenConnect? If yes, select a number and they will be automatically installed\033[0m\n"
-    echo "1) Wireguard"
-    echo "2) AmneziaWG"
-    echo "3) OpenVPN"
-    echo "4) OpenConnect"
-    echo "5) I use VLESS/SS. Skip this step"
-
-    while true; do
-        read -r -p '' TUNNEL
-        case $TUNNEL in
-
-        1)
-            opkg install wireguard-tools luci-proto-wireguard luci-app-wireguard
-
-            printf "\033[32;1mDo you want to configure the wireguard interface? (y/n): \033[0m\n"
-            read IS_SHOULD_CONFIGURE_WG_INTERFACE
-
-            if [ "$IS_SHOULD_CONFIGURE_WG_INTERFACE" = "y" ] || [ "$IS_SHOULD_CONFIGURE_WG_INTERFACE" = "Y" ]; then
-                wg_awg_setup Wireguard
-            else
-            printf "\e[1;32mUse these instructions to manual configure https://itdog.info/nastrojka-klienta-wireguard-na-openwrt/\e[0m\n"
-            fi
-
-            break
-            ;;
-
-        2)
-            install_awg_packages
-
-            printf "\033[32;1mThere are no instructions for manual configure yet. Do you want to configure the amneziawg interface? (y/n): \033[0m\n"
-            read IS_SHOULD_CONFIGURE_WG_INTERFACE
-
-            if [ "$IS_SHOULD_CONFIGURE_WG_INTERFACE" = "y" ] || [ "$IS_SHOULD_CONFIGURE_WG_INTERFACE" = "Y" ]; then
-                wg_awg_setup AmneziaWG
-            fi
-
-            break
-            ;;
-
-        3)
-            opkg install openvpn-openssl luci-app-openvpn
-            printf "\e[1;32mUse these instructions to configure https://itdog.info/nastrojka-klienta-openvpn-na-openwrt/\e[0m\n"
-            break
-            ;;
-
-        4)
-            opkg install openconnect luci-proto-openconnect
-            printf "\e[1;32mUse these instructions to configure https://itdog.info/nastrojka-klienta-openconnect-na-openwrt/\e[0m\n"
-            break
-            ;;
-
-        5)
-            echo "Installation without additional dependencies."
-            break
-            ;;
-
-        *)
-            echo "Choose from the following options"
-            ;;
-        esac
-    done
-}
-
-handler_network_restart() {
-    IS_SHOULD_RESTART_NETWORK=true
-}
-
-install_awg_packages() {
-    # Получение pkgarch с наибольшим приоритетом
-    PKGARCH=$(opkg print-architecture | awk 'BEGIN {max=0} {if ($3 > max) {max = $3; arch = $2}} END {print arch}')
-
-    TARGET=$(ubus call system board | jsonfilter -e '@.release.target' | cut -d '/' -f 1)
-    SUBTARGET=$(ubus call system board | jsonfilter -e '@.release.target' | cut -d '/' -f 2)
-    VERSION=$(ubus call system board | jsonfilter -e '@.release.version')
-    PKGPOSTFIX="_v${VERSION}_${PKGARCH}_${TARGET}_${SUBTARGET}.ipk"
-    BASE_URL="https://github.com/Slava-Shchipunov/awg-openwrt/releases/download/"
-
-    AWG_DIR="/tmp/amneziawg"
-    mkdir -p "$AWG_DIR"
-    
-    if opkg list-installed | grep -q kmod-amneziawg; then
-        echo "kmod-amneziawg already installed"
-    else
-        KMOD_AMNEZIAWG_FILENAME="kmod-amneziawg${PKGPOSTFIX}"
-        DOWNLOAD_URL="${BASE_URL}v${VERSION}/${KMOD_AMNEZIAWG_FILENAME}"
-        wget -O "$AWG_DIR/$KMOD_AMNEZIAWG_FILENAME" "$DOWNLOAD_URL"
-
-        if [ $? -eq 0 ]; then
-            echo "kmod-amneziawg file downloaded successfully"
-        else
-            echo "Error downloading kmod-amneziawg. Please, install kmod-amneziawg manually and run the script again"
-            exit 1
-        fi
-        
-        opkg install "$AWG_DIR/$KMOD_AMNEZIAWG_FILENAME"
-
-        if [ $? -eq 0 ]; then
-            echo "kmod-amneziawg file downloaded successfully"
-        else
-            echo "Error installing kmod-amneziawg. Please, install kmod-amneziawg manually and run the script again"
-            exit 1
-        fi
-    fi
-
-    if opkg list-installed | grep -q amneziawg-tools; then
-        echo "amneziawg-tools already installed"
-    else
-        AMNEZIAWG_TOOLS_FILENAME="amneziawg-tools${PKGPOSTFIX}"
-        DOWNLOAD_URL="${BASE_URL}v${VERSION}/${AMNEZIAWG_TOOLS_FILENAME}"
-        wget -O "$AWG_DIR/$AMNEZIAWG_TOOLS_FILENAME" "$DOWNLOAD_URL"
-
-        if [ $? -eq 0 ]; then
-            echo "amneziawg-tools file downloaded successfully"
-        else
-            echo "Error downloading amneziawg-tools. Please, install amneziawg-tools manually and run the script again"
-            exit 1
-        fi
-
-        opkg install "$AWG_DIR/$AMNEZIAWG_TOOLS_FILENAME"
-
-        if [ $? -eq 0 ]; then
-            echo "amneziawg-tools file downloaded successfully"
-        else
-            echo "Error installing amneziawg-tools. Please, install amneziawg-tools manually and run the script again"
-            exit 1
-        fi
-    fi
-    
-    if opkg list-installed | grep -qE 'luci-app-amneziawg|luci-proto-amneziawg'; then
-        echo "luci-app-amneziawg or luci-proto-amneziawg already installed"
-    else
-        LUCI_APP_AMNEZIAWG_FILENAME="luci-app-amneziawg${PKGPOSTFIX}"
-        DOWNLOAD_URL="${BASE_URL}v${VERSION}/${LUCI_APP_AMNEZIAWG_FILENAME}"
-        wget -O "$AWG_DIR/$LUCI_APP_AMNEZIAWG_FILENAME" "$DOWNLOAD_URL"
-
-        if [ $? -eq 0 ]; then
-            echo "luci-app-amneziawg file downloaded successfully"
-        else
-            echo "Error downloading luci-app-amneziawg. Please, install luci-app-amneziawg manually and run the script again"
-            exit 1
-        fi
-
-        opkg install "$AWG_DIR/$LUCI_APP_AMNEZIAWG_FILENAME"
-
-        if [ $? -eq 0 ]; then
-            echo "luci-app-amneziawg file downloaded successfully"
-        else
-            echo "Error installing luci-app-amneziawg. Please, install luci-app-amneziawg manually and run the script again"
-            exit 1
-        fi
-    fi
-
-    rm -rf "$AWG_DIR"
-}
-
-wg_awg_setup() {
-    PROTOCOL_NAME=$1
-    printf "\033[32;1mConfigure ${PROTOCOL_NAME}\033[0m\n"
-    if [ "$PROTOCOL_NAME" = 'Wireguard' ]; then
-        INTERFACE_NAME="wg0"
-        CONFIG_NAME="wireguard_wg0"
-        PROTO="wireguard"
-        ZONE_NAME="wg"
-    fi
-
-    if [ "$PROTOCOL_NAME" = 'AmneziaWG' ]; then
-        INTERFACE_NAME="awg0"
-        CONFIG_NAME="amneziawg_awg0"
-        PROTO="amneziawg"
-        ZONE_NAME="awg"
-        
-        echo "Do you want to use AmneziaWG config or basic Wireguard config + automatic obfuscation?"
-        echo "1) AmneziaWG"
-        echo "2) Wireguard + automatic obfuscation"
-        read CONFIG_TYPE
-    fi
-
-    read -r -p "Enter the private key (from [Interface]):"$'\n' WG_PRIVATE_KEY_INT
-
-    while true; do
-        read -r -p "Enter internal IP address with subnet, example 192.168.100.5/24 (from [Interface]):"$'\n' WG_IP
-        if echo "$WG_IP" | egrep -oq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]+$'; then
-            break
-        else
-            echo "This IP is not valid. Please repeat"
-        fi
-    done
-
-    read -r -p "Enter the public key (from [Peer]):"$'\n' WG_PUBLIC_KEY_INT
-    read -r -p "If use PresharedKey, Enter this (from [Peer]). If your don't use leave blank:"$'\n' WG_PRESHARED_KEY_INT
-    read -r -p "Enter Endpoint host without port (Domain or IP) (from [Peer]):"$'\n' WG_ENDPOINT_INT
-
-    read -r -p "Enter Endpoint host port (from [Peer]) [51820]:"$'\n' WG_ENDPOINT_PORT_INT
-    WG_ENDPOINT_PORT_INT=${WG_ENDPOINT_PORT_INT:-51820}
-    if [ "$WG_ENDPOINT_PORT_INT" = '51820' ]; then
-        echo $WG_ENDPOINT_PORT_INT
-    fi
-
-    if [ "$PROTOCOL_NAME" = 'AmneziaWG' ]; then
-        if [ "$CONFIG_TYPE" = '1' ]; then
-            read -r -p "Enter Jc value (from [Interface]):"$'\n' AWG_JC
-            read -r -p "Enter Jmin value (from [Interface]):"$'\n' AWG_JMIN
-            read -r -p "Enter Jmax value (from [Interface]):"$'\n' AWG_JMAX
-            read -r -p "Enter S1 value (from [Interface]):"$'\n' AWG_S1
-            read -r -p "Enter S2 value (from [Interface]):"$'\n' AWG_S2
-            read -r -p "Enter H1 value (from [Interface]):"$'\n' AWG_H1
-            read -r -p "Enter H2 value (from [Interface]):"$'\n' AWG_H2
-            read -r -p "Enter H3 value (from [Interface]):"$'\n' AWG_H3
-            read -r -p "Enter H4 value (from [Interface]):"$'\n' AWG_H4
-        elif [ "$CONFIG_TYPE" = '2' ]; then
-            #Default values to wg automatic obfuscation
-            AWG_JC=4
-            AWG_JMIN=40
-            AWG_JMAX=70
-            AWG_S1=0
-            AWG_S2=0
-            AWG_H1=1
-            AWG_H2=2
-            AWG_H3=3
-            AWG_H4=4
-        fi
-    fi
-    
-    uci set network.${INTERFACE_NAME}=interface
-    uci set network.${INTERFACE_NAME}.proto=$PROTO
-    uci set network.${INTERFACE_NAME}.private_key=$WG_PRIVATE_KEY_INT
-    uci set network.${INTERFACE_NAME}.listen_port='51821'
-    uci set network.${INTERFACE_NAME}.addresses=$WG_IP
-
-    if [ "$PROTOCOL_NAME" = 'AmneziaWG' ]; then
-        uci set network.${INTERFACE_NAME}.awg_jc=$AWG_JC
-        uci set network.${INTERFACE_NAME}.awg_jmin=$AWG_JMIN
-        uci set network.${INTERFACE_NAME}.awg_jmax=$AWG_JMAX
-        uci set network.${INTERFACE_NAME}.awg_s1=$AWG_S1
-        uci set network.${INTERFACE_NAME}.awg_s2=$AWG_S2
-        uci set network.${INTERFACE_NAME}.awg_h1=$AWG_H1
-        uci set network.${INTERFACE_NAME}.awg_h2=$AWG_H2
-        uci set network.${INTERFACE_NAME}.awg_h3=$AWG_H3
-        uci set network.${INTERFACE_NAME}.awg_h4=$AWG_H4
-    fi
-
-    if ! uci show network | grep -q ${CONFIG_NAME}; then
-        uci add network ${CONFIG_NAME}
-    fi
-
-    uci set network.@${CONFIG_NAME}[0]=$CONFIG_NAME
-    uci set network.@${CONFIG_NAME}[0].name="${INTERFACE_NAME}_client"
-    uci set network.@${CONFIG_NAME}[0].public_key=$WG_PUBLIC_KEY_INT
-    uci set network.@${CONFIG_NAME}[0].preshared_key=$WG_PRESHARED_KEY_INT
-    uci set network.@${CONFIG_NAME}[0].route_allowed_ips='0'
-    uci set network.@${CONFIG_NAME}[0].persistent_keepalive='25'
-    uci set network.@${CONFIG_NAME}[0].endpoint_host=$WG_ENDPOINT_INT
-    uci set network.@${CONFIG_NAME}[0].allowed_ips='0.0.0.0/0'
-    uci set network.@${CONFIG_NAME}[0].endpoint_port=$WG_ENDPOINT_PORT_INT
-    uci commit network
-
-    if ! uci show firewall | grep -q "@zone.*name='${ZONE_NAME}'"; then
-        printf "\033[32;1mZone Create\033[0m\n"
-        uci add firewall zone
-        uci set firewall.@zone[-1].name=$ZONE_NAME
-        uci set firewall.@zone[-1].network=$INTERFACE_NAME
-        uci set firewall.@zone[-1].forward='REJECT'
-        uci set firewall.@zone[-1].output='ACCEPT'
-        uci set firewall.@zone[-1].input='REJECT'
-        uci set firewall.@zone[-1].masq='1'
-        uci set firewall.@zone[-1].mtu_fix='1'
-        uci set firewall.@zone[-1].family='ipv4'
-        uci commit firewall
-    fi
-
-    if ! uci show firewall | grep -q "@forwarding.*name='${ZONE_NAME}'"; then
-        printf "\033[32;1mConfigured forwarding\033[0m\n"
-        uci add firewall forwarding
-        uci set firewall.@forwarding[-1]=forwarding
-        uci set firewall.@forwarding[-1].name="${ZONE_NAME}-lan"
-        uci set firewall.@forwarding[-1].dest=${ZONE_NAME}
-        uci set firewall.@forwarding[-1].src='lan'
-        uci set firewall.@forwarding[-1].family='ipv4'
-        uci commit firewall
-    fi
-
-    handler_network_restart
 }
 
 check_system() {
     # Get router model
     MODEL=$(cat /tmp/sysinfo/model)
-    echo "Router model: $MODEL"
+    msg "Router model: $MODEL"
 
     # Check available space
     AVAILABLE_SPACE=$(df /overlay | awk 'NR==2 {print $4}')
     REQUIRED_SPACE=15360 # 15MB in KB
 
     if [ "$AVAILABLE_SPACE" -lt "$REQUIRED_SPACE" ]; then
-        printf "\033[31;1mError: Insufficient space in flash\033[0m\n"
-        echo "Available: $((AVAILABLE_SPACE/1024))MB"
-        echo "Required: $((REQUIRED_SPACE/1024))MB"
+        msg "Error: Insufficient space in flash"
+        msg "Available: $((AVAILABLE_SPACE/1024))MB"
+        msg "Required: $((REQUIRED_SPACE/1024))MB"
         exit 1
     fi
 
     if ! nslookup google.com >/dev/null 2>&1; then
-        printf "\033[31;1mDNS not working\033[0m\n"
+        msg "DNS not working"
         exit 1
     fi
 
     if opkg list-installed | grep -q https-dns-proxy; then
-        printf "\033[31;1mСonflicting package detected: https-dns-proxy. Remove? yes/no\033[0m\n"
+        msg "Сonflicting package detected: https-dns-proxy. Remove?"
 
         while true; do
                 read -r -p '' DNSPROXY
@@ -450,7 +136,7 @@ check_system() {
                     break
                     ;;
                 *)
-                    echo "Exit"
+                    msg "Exit"
                     exit 1
                     ;;
         esac
@@ -458,7 +144,7 @@ check_system() {
     fi
 
     if opkg list-installed | grep -q "iptables-mod-extra"; then
-        printf "\033[31;1mFound incompatible iptables packages. If you're using FriendlyWrt: https://t.me/itdogchat/44512/181082\033[0m\n"
+        msg "Found incompatible iptables packages. If you're using FriendlyWrt: https://t.me/itdogchat/44512/181082"
     fi
 }
 
@@ -471,6 +157,8 @@ sing_box() {
     required_version="1.11.1"
 
     if [ "$(echo -e "$sing_box_version\n$required_version" | sort -V | head -n 1)" != "$required_version" ]; then
+        msg "sing-box version $sing_box_version is older than required $required_version"
+        msg "Removing old version..."
         opkg remove sing-box
     fi
 }

luci-app-podkop/Makefile

@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=luci-app-podkop
-PKG_VERSION:=0.3.44
+PKG_VERSION:=0.4.6
 PKG_RELEASE:=1
 
 LUCI_TITLE:=LuCI podkop app

luci-app-podkop/htdocs/luci-static/resources/view/podkop/additionalTab.js

@@ -0,0 +1,242 @@
+'use strict';
+'require form';
+'require baseclass';
+'require view.podkop.constants as constants';
+'require tools.widgets as widgets';
+
+function createAdditionalSection(mainSection, network) {
+    let o = mainSection.tab('additional', _('Additional Settings'));
+
+    o = mainSection.taboption('additional', form.Flag, 'yacd', _('Yacd enable'), _('<a href="http://openwrt.lan:9090/ui" target="_blank">openwrt.lan:9090/ui</a>'));
+    o.default = '0';
+    o.rmempty = false;
+    o.ucisection = 'main';
+
+    o = mainSection.taboption('additional', form.Flag, 'exclude_ntp', _('Exclude NTP'), _('For issues with open connections sing-box'));
+    o.default = '0';
+    o.rmempty = false;
+    o.ucisection = 'main';
+
+    o = mainSection.taboption('additional', form.Flag, 'quic_disable', _('QUIC disable'), _('For issues with the video stream'));
+    o.default = '0';
+    o.rmempty = false;
+    o.ucisection = 'main';
+
+    o = mainSection.taboption('additional', form.ListValue, 'update_interval', _('List Update Frequency'), _('Select how often the lists will be updated'));
+    Object.entries(constants.UPDATE_INTERVAL_OPTIONS).forEach(([key, label]) => {
+        o.value(key, _(label));
+    });
+    o.default = '1d';
+    o.rmempty = false;
+    o.ucisection = 'main';
+
+    o = mainSection.taboption('additional', form.ListValue, 'dns_type', _('DNS Protocol Type'), _('Select DNS protocol to use'));
+    o.value('doh', _('DNS over HTTPS (DoH)'));
+    o.value('dot', _('DNS over TLS (DoT)'));
+    o.value('udp', _('UDP (Unprotected DNS)'));
+    o.default = 'udp';
+    o.rmempty = false;
+    o.ucisection = 'main';
+
+    o = mainSection.taboption('additional', form.Value, 'dns_server', _('DNS Server'), _('Select or enter DNS server address'));
+    Object.entries(constants.DNS_SERVER_OPTIONS).forEach(([key, label]) => {
+        o.value(key, _(label));
+    });
+    o.default = '8.8.8.8';
+    o.rmempty = false;
+    o.ucisection = 'main';
+    o.validate = function (section_id, value) {
+        if (!value) {
+            return _('DNS server address cannot be empty');
+        }
+
+        const ipRegex = /^(\d{1,3}\.){3}\d{1,3}$/;
+        if (ipRegex.test(value)) {
+            const parts = value.split('.');
+            for (const part of parts) {
+                const num = parseInt(part);
+                if (num < 0 || num > 255) {
+                    return _('IP address parts must be between 0 and 255');
+                }
+            }
+            return true;
+        }
+
+        const domainRegex = /^([a-zA-Z0-9-]+\.)*[a-zA-Z0-9-]+\.[a-zA-Z]{2,}(\/[^\s]*)?$/;
+        if (!domainRegex.test(value)) {
+            return _('Invalid DNS server format. Examples: 8.8.8.8 or dns.example.com or dns.example.com/nicedns for DoH');
+        }
+
+        return true;
+    };
+
+    o = mainSection.taboption('additional', form.Flag, 'split_dns_enabled', _('Split DNS'), _('DNS for the list via proxy'));
+    o.default = '1';
+    o.rmempty = false;
+    o.ucisection = 'main';
+
+    o = mainSection.taboption('additional', form.ListValue, 'split_dns_type', _('Split DNS Protocol Type'), _('Select DNS protocol for split'));
+    o.value('doh', _('DNS over HTTPS (DoH)'));
+    o.value('dot', _('DNS over TLS (DoT)'));
+    o.value('udp', _('UDP (Unprotected DNS)'));
+    o.default = 'udp';
+    o.rmempty = false;
+    o.depends('split_dns_enabled', '1');
+    o.ucisection = 'main';
+
+    o = mainSection.taboption('additional', form.Value, 'split_dns_server', _('Split DNS Server'), _('Select or enter DNS server address'));
+    Object.entries(constants.DNS_SERVER_OPTIONS).forEach(([key, label]) => {
+        o.value(key, _(label));
+    });
+    o.default = '1.1.1.1';
+    o.rmempty = false;
+    o.depends('split_dns_enabled', '1');
+    o.ucisection = 'main';
+    o.validate = function (section_id, value) {
+        if (!value) {
+            return _('DNS server address cannot be empty');
+        }
+
+        const ipRegex = /^(\d{1,3}\.){3}\d{1,3}$/;
+        if (ipRegex.test(value)) {
+            const parts = value.split('.');
+            for (const part of parts) {
+                const num = parseInt(part);
+                if (num < 0 || num > 255) {
+                    return _('IP address parts must be between 0 and 255');
+                }
+            }
+            return true;
+        }
+
+        const domainRegex = /^([a-zA-Z0-9-]+\.)*[a-zA-Z0-9-]+\.[a-zA-Z]{2,}(\/[^\s]*)?$/;
+        if (!domainRegex.test(value)) {
+            return _('Invalid DNS server format. Examples: 8.8.8.8 or dns.example.com or dns.example.com/nicedns for DoH');
+        }
+
+        return true;
+    };
+
+    o = mainSection.taboption('additional', form.Value, 'dns_rewrite_ttl', _('DNS Rewrite TTL'), _('Time in seconds for DNS record caching (default: 60)'));
+    o.default = '60';
+    o.rmempty = false;
+    o.ucisection = 'main';
+    o.validate = function (section_id, value) {
+        if (!value) {
+            return _('TTL value cannot be empty');
+        }
+
+        const ttl = parseInt(value);
+        if (isNaN(ttl) || ttl < 0) {
+            return _('TTL must be a positive number');
+        }
+
+        return true;
+    };
+
+    o = mainSection.taboption('additional', form.Value, 'cache_file', _('Cache File Path'), _('Select or enter path for sing-box cache file. Change this ONLY if you know what you are doing'));
+    o.value('/tmp/cache.db', 'RAM (/tmp/cache.db)');
+    o.value('/usr/share/sing-box/cache.db', 'Flash (/usr/share/sing-box/cache.db)');
+    o.default = '/tmp/cache.db';
+    o.rmempty = false;
+    o.ucisection = 'main';
+    o.validate = function (section_id, value) {
+        if (!value) {
+            return _('Cache file path cannot be empty');
+        }
+
+        if (!value.startsWith('/')) {
+            return _('Path must be absolute (start with /)');
+        }
+
+        if (!value.endsWith('cache.db')) {
+            return _('Path must end with cache.db');
+        }
+
+        const parts = value.split('/').filter(Boolean);
+        if (parts.length < 2) {
+            return _('Path must contain at least one directory (like /tmp/cache.db)');
+        }
+
+        return true;
+    };
+
+    o = mainSection.taboption('additional', widgets.DeviceSelect, 'iface', _('Source Network Interface'), _('Select the network interface from which the traffic will originate'));
+    o.ucisection = 'main';
+    o.default = 'br-lan';
+    o.noaliases = true;
+    o.nobridges = false;
+    o.noinactive = false;
+    o.multiple = true;
+    o.filter = function (section_id, value) {
+        if (['wan', 'phy0-ap0', 'phy1-ap0', 'pppoe-wan'].indexOf(value) !== -1) {
+            return false;
+        }
+
+        var device = this.devices.filter(function (dev) {
+            return dev.getName() === value;
+        })[0];
+
+        if (device) {
+            var type = device.getType();
+            return type !== 'wifi' && type !== 'wireless' && !type.includes('wlan');
+        }
+
+        return true;
+    };
+
+    o = mainSection.taboption('additional', form.Flag, 'mon_restart_ifaces', _('Interface monitoring'), _('Interface monitoring for bad WAN'));
+    o.default = '0';
+    o.rmempty = false;
+    o.ucisection = 'main';
+
+    o = mainSection.taboption('additional', widgets.NetworkSelect, 'restart_ifaces', _('Interface for monitoring'), _('Select the WAN interfaces to be monitored'));
+    o.ucisection = 'main';
+    o.depends('mon_restart_ifaces', '1');
+    o.multiple = true;
+    o.filter = function (section_id, value) {
+        return ['lan', 'loopback'].indexOf(value) === -1 && !value.startsWith('@');
+    };
+
+    o = mainSection.taboption('additional', form.Flag, 'dont_touch_dhcp', _('Dont touch my DHCP!'), _('Podkop will not change the DHCP config'));
+    o.default = '0';
+    o.rmempty = false;
+    o.ucisection = 'main';
+
+    o = mainSection.taboption('additional', form.Flag, 'detour', _('Proxy download of lists'), _('Downloading all lists via main Proxy/VPN'));
+    o.default = '0';
+    o.rmempty = false;
+    o.ucisection = 'main';
+
+    // Extra IPs and exclusions (main section)
+    o = mainSection.taboption('basic', form.Flag, 'exclude_from_ip_enabled', _('IP for exclusion'), _('Specify local IP addresses that will never use the configured route'));
+    o.default = '0';
+    o.rmempty = false;
+    o.ucisection = 'main';
+
+    o = mainSection.taboption('basic', form.DynamicList, 'exclude_traffic_ip', _('Local IPs'), _('Enter valid IPv4 addresses'));
+    o.placeholder = 'IP';
+    o.depends('exclude_from_ip_enabled', '1');
+    o.rmempty = false;
+    o.ucisection = 'main';
+    o.validate = function (section_id, value) {
+        if (!value || value.length === 0) return true;
+        const ipRegex = /^(\d{1,3}\.){3}\d{1,3}$/;
+        if (!ipRegex.test(value)) return _('Invalid IP format. Use format: X.X.X.X (like 192.168.1.1)');
+        const ipParts = value.split('.');
+        for (const part of ipParts) {
+            const num = parseInt(part);
+            if (num < 0 || num > 255) return _('IP address parts must be between 0 and 255');
+        }
+        return true;
+    };
+
+    o = mainSection.taboption('basic', form.Flag, 'socks5', _('Mixed enable'), _('Browser port: 2080'));
+    o.default = '0';
+    o.rmempty = false;
+    o.ucisection = 'main';
+}
+
+return baseclass.extend({
+    createAdditionalSection
+}); 

luci-app-podkop/htdocs/luci-static/resources/view/podkop/configSection.js

@@ -0,0 +1,529 @@
+'use strict';
+'require baseclass';
+'require form';
+'require ui';
+'require network';
+'require view.podkop.constants as constants';
+'require tools.widgets as widgets';
+
+function validateUrl(url, protocols = ['http:', 'https:']) {
+    try {
+        const parsedUrl = new URL(url);
+        if (!protocols.includes(parsedUrl.protocol)) {
+            return _('URL must use one of the following protocols: ') + protocols.join(', ');
+        }
+        return true;
+    } catch (e) {
+        return _('Invalid URL format');
+    }
+}
+
+function createConfigSection(section, map, network) {
+    const s = section;
+
+    let o = s.tab('basic', _('Basic Settings'));
+
+    o = s.taboption('basic', form.ListValue, 'mode', _('Connection Type'), _('Select between VPN and Proxy connection methods for traffic routing'));
+    o.value('proxy', ('Proxy'));
+    o.value('vpn', ('VPN'));
+    o.value('block', ('Block'));
+    o.ucisection = s.section;
+
+    o = s.taboption('basic', form.ListValue, 'proxy_config_type', _('Configuration Type'), _('Select how to configure the proxy'));
+    o.value('url', _('Connection URL'));
+    o.value('outbound', _('Outbound Config'));
+    o.default = 'url';
+    o.depends('mode', 'proxy');
+    o.ucisection = s.section;
+
+    o = s.taboption('basic', form.TextValue, 'proxy_string', _('Proxy Configuration URL'), _(''));
+    o.depends('proxy_config_type', 'url');
+    o.rows = 5;
+    o.rmempty = false;
+    o.ucisection = s.section;
+    o.sectionDescriptions = new Map();
+    o.placeholder = 'vless://uuid@server:port?type=tcp&security=tls#main\n// backup ss://method:pass@server:port\n// backup2 vless://uuid@server:port?type=grpc&security=reality#alt';
+
+    o.renderWidget = function (section_id, option_index, cfgvalue) {
+        const original = form.TextValue.prototype.renderWidget.apply(this, [section_id, option_index, cfgvalue]);
+        const container = E('div', {});
+        container.appendChild(original);
+
+        if (cfgvalue) {
+            try {
+                const activeConfig = cfgvalue.split('\n')
+                    .map(line => line.trim())
+                    .find(line => line && !line.startsWith('//'));
+
+                if (activeConfig) {
+                    if (activeConfig.includes('#')) {
+                        const label = activeConfig.split('#').pop();
+                        if (label && label.trim()) {
+                            const decodedLabel = decodeURIComponent(label);
+                            const descDiv = E('div', { 'class': 'cbi-value-description' }, _('Current config: ') + decodedLabel);
+                            container.appendChild(descDiv);
+                        } else {
+                            const descDiv = E('div', { 'class': 'cbi-value-description' }, _('Config without description'));
+                            container.appendChild(descDiv);
+                        }
+                    } else {
+                        const descDiv = E('div', { 'class': 'cbi-value-description' }, _('Config without description'));
+                        container.appendChild(descDiv);
+                    }
+                }
+            } catch (e) {
+                console.error('Error parsing config label:', e);
+                const descDiv = E('div', { 'class': 'cbi-value-description' }, _('Config without description'));
+                container.appendChild(descDiv);
+            }
+        } else {
+            const defaultDesc = E('div', { 'class': 'cbi-value-description' },
+                _('Enter connection string starting with vless:// or ss:// for proxy configuration. Add comments with // for backup configs'));
+            container.appendChild(defaultDesc);
+        }
+
+        return container;
+    };
+
+    o.validate = function (section_id, value) {
+        if (!value || value.length === 0) {
+            return true;
+        }
+
+        try {
+            const activeConfig = value.split('\n')
+                .map(line => line.trim())
+                .find(line => line && !line.startsWith('//'));
+
+            if (!activeConfig) {
+                return _('No active configuration found. At least one non-commented line is required.');
+            }
+
+            if (!activeConfig.startsWith('vless://') && !activeConfig.startsWith('ss://')) {
+                return _('URL must start with vless:// or ss://');
+            }
+
+            if (activeConfig.startsWith('ss://')) {
+                let encrypted_part;
+                try {
+                    let mainPart = activeConfig.includes('?') ? activeConfig.split('?')[0] : activeConfig.split('#')[0];
+                    encrypted_part = mainPart.split('/')[2].split('@')[0];
+                    try {
+                        let decoded = atob(encrypted_part);
+                        if (!decoded.includes(':')) {
+                            if (!encrypted_part.includes(':') && !encrypted_part.includes('-')) {
+                                return _('Invalid Shadowsocks URL format: missing method and password separator ":"');
+                            }
+                        }
+                    } catch (e) {
+                        if (!encrypted_part.includes(':') && !encrypted_part.includes('-')) {
+                            return _('Invalid Shadowsocks URL format: missing method and password separator ":"');
+                        }
+                    }
+                } catch (e) {
+                    return _('Invalid Shadowsocks URL format');
+                }
+
+                try {
+                    let serverPart = activeConfig.split('@')[1];
+                    if (!serverPart) return _('Invalid Shadowsocks URL: missing server address');
+                    let [server, portAndRest] = serverPart.split(':');
+                    if (!server) return _('Invalid Shadowsocks URL: missing server');
+                    let port = portAndRest ? portAndRest.split(/[?#]/)[0] : null;
+                    if (!port) return _('Invalid Shadowsocks URL: missing port');
+                    let portNum = parseInt(port);
+                    if (isNaN(portNum) || portNum < 1 || portNum > 65535) {
+                        return _('Invalid port number. Must be between 1 and 65535');
+                    }
+                } catch (e) {
+                    return _('Invalid Shadowsocks URL: missing or invalid server/port format');
+                }
+            }
+
+            if (activeConfig.startsWith('vless://')) {
+                let uuid = activeConfig.split('/')[2].split('@')[0];
+                if (!uuid || uuid.length === 0) return _('Invalid VLESS URL: missing UUID');
+
+                try {
+                    let serverPart = activeConfig.split('@')[1];
+                    if (!serverPart) return _('Invalid VLESS URL: missing server address');
+                    let [server, portAndRest] = serverPart.split(':');
+                    if (!server) return _('Invalid VLESS URL: missing server');
+                    let port = portAndRest ? portAndRest.split(/[/?#]/)[0] : null;
+                    if (!port) return _('Invalid VLESS URL: missing port');
+                    let portNum = parseInt(port);
+                    if (isNaN(portNum) || portNum < 1 || portNum > 65535) {
+                        return _('Invalid port number. Must be between 1 and 65535');
+                    }
+                } catch (e) {
+                    return _('Invalid VLESS URL: missing or invalid server/port format');
+                }
+
+                let queryString = activeConfig.split('?')[1];
+                if (!queryString) return _('Invalid VLESS URL: missing query parameters');
+
+                let params = new URLSearchParams(queryString.split('#')[0]);
+                let type = params.get('type');
+                const validTypes = ['tcp', 'raw', 'udp', 'grpc', 'http', 'ws'];
+                if (!type || !validTypes.includes(type)) {
+                    return _('Invalid VLESS URL: type must be one of tcp, raw, udp, grpc, http, ws');
+                }
+
+                let security = params.get('security');
+                const validSecurities = ['tls', 'reality', 'none'];
+                if (!security || !validSecurities.includes(security)) {
+                    return _('Invalid VLESS URL: security must be one of tls, reality, none');
+                }
+
+                if (security === 'reality') {
+                    if (!params.get('pbk')) return _('Invalid VLESS URL: missing pbk parameter for reality security');
+                    if (!params.get('fp')) return _('Invalid VLESS URL: missing fp parameter for reality security');
+                }
+            }
+
+            return true;
+        } catch (e) {
+            console.error('Validation error:', e);
+            return _('Invalid URL format: ') + e.message;
+        }
+    };
+
+    o = s.taboption('basic', form.TextValue, 'outbound_json', _('Outbound Configuration'), _('Enter complete outbound configuration in JSON format'));
+    o.depends('proxy_config_type', 'outbound');
+    o.rows = 10;
+    o.ucisection = s.section;
+    o.validate = function (section_id, value) {
+        if (!value || value.length === 0) return true;
+        try {
+            const parsed = JSON.parse(value);
+            if (!parsed.type || !parsed.server || !parsed.server_port) {
+                return _('JSON must contain at least type, server and server_port fields');
+            }
+            return true;
+        } catch (e) {
+            return _('Invalid JSON format');
+        }
+    };
+
+    o = s.taboption('basic', form.Flag, 'ss_uot', _('Shadowsocks UDP over TCP'), _('Apply for SS2022'));
+    o.default = '0';
+    o.depends('mode', 'proxy');
+    o.rmempty = false;
+    o.ucisection = 'main';
+
+    o = s.taboption('basic', widgets.DeviceSelect, 'interface', _('Network Interface'), _('Select network interface for VPN connection'));
+    o.depends('mode', 'vpn');
+    o.ucisection = s.section;
+    o.noaliases = true;
+    o.nobridges = false;
+    o.noinactive = false;
+    o.filter = function (section_id, value) {
+        if (['br-lan', 'eth0', 'eth1', 'wan', 'phy0-ap0', 'phy1-ap0', 'pppoe-wan', 'lan'].indexOf(value) !== -1) {
+            return false;
+        }
+
+        var device = this.devices.filter(function (dev) {
+            return dev.getName() === value;
+        })[0];
+
+        if (device) {
+            var type = device.getType();
+            return type !== 'wifi' && type !== 'wireless' && !type.includes('wlan');
+        }
+
+        return true;
+    };
+
+    o = s.taboption('basic', form.Flag, 'domain_list_enabled', _('Community Lists'));
+    o.default = '0';
+    o.rmempty = false;
+    o.ucisection = s.section;
+
+    o = s.taboption('basic', form.DynamicList, 'domain_list', _('Service List'), _('Select predefined service for routing') + ' <a href="https://github.com/itdoginfo/allow-domains" target="_blank">github.com/itdoginfo/allow-domains</a>');
+    o.placeholder = 'Service list';
+    Object.entries(constants.DOMAIN_LIST_OPTIONS).forEach(([key, label]) => {
+        o.value(key, _(label));
+    });
+
+    o.depends('domain_list_enabled', '1');
+    o.rmempty = false;
+    o.ucisection = s.section;
+
+    let lastValues = [];
+    let isProcessing = false;
+
+    o.onchange = function (ev, section_id, value) {
+        if (isProcessing) return;
+        isProcessing = true;
+
+        try {
+            const values = Array.isArray(value) ? value : [value];
+            let newValues = [...values];
+            let notifications = [];
+
+            const selectedRegionalOptions = constants.REGIONAL_OPTIONS.filter(opt => newValues.includes(opt));
+
+            if (selectedRegionalOptions.length > 1) {
+                const lastSelected = selectedRegionalOptions[selectedRegionalOptions.length - 1];
+                const removedRegions = selectedRegionalOptions.slice(0, -1);
+                newValues = newValues.filter(v => v === lastSelected || !constants.REGIONAL_OPTIONS.includes(v));
+                notifications.push(E('p', { class: 'alert-message warning' }, [
+                    E('strong', {}, _('Regional options cannot be used together')), E('br'),
+                    _('Warning: %s cannot be used together with %s. Previous selections have been removed.')
+                        .format(removedRegions.join(', '), lastSelected)
+                ]));
+            }
+
+            if (newValues.includes('russia_inside')) {
+                const removedServices = newValues.filter(v => !constants.ALLOWED_WITH_RUSSIA_INSIDE.includes(v));
+                if (removedServices.length > 0) {
+                    newValues = newValues.filter(v => constants.ALLOWED_WITH_RUSSIA_INSIDE.includes(v));
+                    notifications.push(E('p', { class: 'alert-message warning' }, [
+                        E('strong', {}, _('Russia inside restrictions')), E('br'),
+                        _('Warning: Russia inside can only be used with %s. %s already in Russia inside and have been removed from selection.')
+                            .format(
+                                constants.ALLOWED_WITH_RUSSIA_INSIDE.map(key => constants.DOMAIN_LIST_OPTIONS[key]).filter(label => label !== 'Russia inside').join(', '),
+                                removedServices.join(', ')
+                            )
+                    ]));
+                }
+            }
+
+            if (JSON.stringify(newValues.sort()) !== JSON.stringify(values.sort())) {
+                this.getUIElement(section_id).setValue(newValues);
+            }
+
+            notifications.forEach(notification => ui.addNotification(null, notification));
+            lastValues = newValues;
+        } catch (e) {
+            console.error('Error in onchange handler:', e);
+        } finally {
+            isProcessing = false;
+        }
+    };
+
+    o = s.taboption('basic', form.ListValue, 'custom_domains_list_type', _('User Domain List Type'), _('Select how to add your custom domains'));
+    o.value('disabled', _('Disabled'));
+    o.value('dynamic', _('Dynamic List'));
+    o.value('text', _('Text List'));
+    o.default = 'disabled';
+    o.rmempty = false;
+    o.ucisection = s.section;
+
+    o = s.taboption('basic', form.DynamicList, 'custom_domains', _('User Domains'), _('Enter domain names without protocols (example: sub.example.com or example.com)'));
+    o.placeholder = 'Domains list';
+    o.depends('custom_domains_list_type', 'dynamic');
+    o.rmempty = false;
+    o.ucisection = s.section;
+    o.validate = function (section_id, value) {
+        if (!value || value.length === 0) return true;
+        const domainRegex = /^(?!-)[A-Za-z0-9-]+([-.][A-Za-z0-9-]+)*(\.[A-Za-z]{2,})?$/;
+        if (!domainRegex.test(value)) {
+            return _('Invalid domain format. Enter domain without protocol (example: sub.example.com or ru)');
+        }
+        return true;
+    };
+
+    o = s.taboption('basic', form.TextValue, 'custom_domains_text', _('User Domains List'), _('Enter domain names separated by comma, space or newline. You can add comments after //'));
+    o.placeholder = 'example.com, sub.example.com\n// Social networks\ndomain.com test.com // personal domains';
+    o.depends('custom_domains_list_type', 'text');
+    o.rows = 8;
+    o.rmempty = false;
+    o.ucisection = s.section;
+    o.validate = function (section_id, value) {
+        if (!value || value.length === 0) return true;
+
+        const domainRegex = /^(?!-)[A-Za-z0-9-]+([-.][A-Za-z0-9-]+)*(\.[A-Za-z]{2,})?$/;
+        const lines = value.split(/\n/).map(line => line.trim());
+        let hasValidDomain = false;
+
+        for (const line of lines) {
+            // Skip empty lines
+            if (!line) continue;
+
+            // Extract domain part (before any //)
+            const domainPart = line.split('//')[0].trim();
+
+            // Skip if line is empty after removing comments
+            if (!domainPart) continue;
+
+            // Process each domain in the line (separated by comma or space)
+            const domains = domainPart.split(/[,\s]+/).map(d => d.trim()).filter(d => d.length > 0);
+
+            for (const domain of domains) {
+                if (!domainRegex.test(domain)) {
+                    return _('Invalid domain format: %s. Enter domain without protocol').format(domain);
+                }
+                hasValidDomain = true;
+            }
+        }
+
+        if (!hasValidDomain) {
+            return _('At least one valid domain must be specified. Comments-only content is not allowed.');
+        }
+
+        return true;
+    };
+
+    o = s.taboption('basic', form.Flag, 'custom_local_domains_list_enabled', _('Local Domain Lists'), _('Use the list from the router filesystem'));
+    o.default = '0';
+    o.rmempty = false;
+    o.ucisection = s.section;
+
+    o = s.taboption('basic', form.DynamicList, 'custom_local_domains', _('Local Domain Lists Path'), _('Enter the list file path'));
+    o.placeholder = '/path/file.lst';
+    o.depends('custom_local_domains_list_enabled', '1');
+    o.rmempty = false;
+    o.ucisection = s.section;
+    o.validate = function (section_id, value) {
+        if (!value || value.length === 0) return true;
+        const pathRegex = /^\/[a-zA-Z0-9_\-\/\.]+$/;
+        if (!pathRegex.test(value)) {
+            return _('Invalid path format. Path must start with "/" and contain valid characters');
+        }
+        return true;
+    };
+
+    o = s.taboption('basic', form.Flag, 'custom_download_domains_list_enabled', _('Remote Domain Lists'), _('Download and use domain lists from remote URLs'));
+    o.default = '0';
+    o.rmempty = false;
+    o.ucisection = s.section;
+
+    o = s.taboption('basic', form.DynamicList, 'custom_download_domains', _('Remote Domain URLs'), _('Enter full URLs starting with http:// or https://'));
+    o.placeholder = 'URL';
+    o.depends('custom_download_domains_list_enabled', '1');
+    o.rmempty = false;
+    o.ucisection = s.section;
+    o.validate = function (section_id, value) {
+        if (!value || value.length === 0) return true;
+        return validateUrl(value);
+    };
+
+    o = s.taboption('basic', form.ListValue, 'custom_subnets_list_enabled', _('User Subnet List Type'), _('Select how to add your custom subnets'));
+    o.value('disabled', _('Disabled'));
+    o.value('dynamic', _('Dynamic List'));
+    o.value('text', _('Text List (comma/space/newline separated)'));
+    o.default = 'disabled';
+    o.rmempty = false;
+    o.ucisection = s.section;
+
+    o = s.taboption('basic', form.DynamicList, 'custom_subnets', _('User Subnets'), _('Enter subnets in CIDR notation (example: 103.21.244.0/22) or single IP addresses'));
+    o.placeholder = 'IP or subnet';
+    o.depends('custom_subnets_list_enabled', 'dynamic');
+    o.rmempty = false;
+    o.ucisection = s.section;
+    o.validate = function (section_id, value) {
+        if (!value || value.length === 0) return true;
+        const subnetRegex = /^(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?$/;
+        if (!subnetRegex.test(value)) return _('Invalid format. Use format: X.X.X.X or X.X.X.X/Y');
+        const [ip, cidr] = value.split('/');
+        const ipParts = ip.split('.');
+        for (const part of ipParts) {
+            const num = parseInt(part);
+            if (num < 0 || num > 255) return _('IP address parts must be between 0 and 255');
+        }
+        if (cidr !== undefined) {
+            const cidrNum = parseInt(cidr);
+            if (cidrNum < 0 || cidrNum > 32) return _('CIDR must be between 0 and 32');
+        }
+        return true;
+    };
+
+    o = s.taboption('basic', form.TextValue, 'custom_subnets_text', _('User Subnets List'), _('Enter subnets in CIDR notation or single IP addresses, separated by comma, space or newline. You can add comments after //'));
+    o.placeholder = '103.21.244.0/22\n// Google DNS\n8.8.8.8\n1.1.1.1/32, 9.9.9.9 // Cloudflare and Quad9';
+    o.depends('custom_subnets_list_enabled', 'text');
+    o.rows = 10;
+    o.rmempty = false;
+    o.ucisection = s.section;
+    o.validate = function (section_id, value) {
+        if (!value || value.length === 0) return true;
+
+        const subnetRegex = /^(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?$/;
+        const lines = value.split(/\n/).map(line => line.trim());
+        let hasValidSubnet = false;
+
+        for (const line of lines) {
+            // Skip empty lines
+            if (!line) continue;
+
+            // Extract subnet part (before any //)
+            const subnetPart = line.split('//')[0].trim();
+
+            // Skip if line is empty after removing comments
+            if (!subnetPart) continue;
+
+            // Process each subnet in the line (separated by comma or space)
+            const subnets = subnetPart.split(/[,\s]+/).map(s => s.trim()).filter(s => s.length > 0);
+
+            for (const subnet of subnets) {
+                if (!subnetRegex.test(subnet)) {
+                    return _('Invalid format: %s. Use format: X.X.X.X or X.X.X.X/Y').format(subnet);
+                }
+
+                const [ip, cidr] = subnet.split('/');
+                const ipParts = ip.split('.');
+                for (const part of ipParts) {
+                    const num = parseInt(part);
+                    if (num < 0 || num > 255) {
+                        return _('IP parts must be between 0 and 255 in: %s').format(subnet);
+                    }
+                }
+
+                if (cidr !== undefined) {
+                    const cidrNum = parseInt(cidr);
+                    if (cidrNum < 0 || cidrNum > 32) {
+                        return _('CIDR must be between 0 and 32 in: %s').format(subnet);
+                    }
+                }
+                hasValidSubnet = true;
+            }
+        }
+
+        if (!hasValidSubnet) {
+            return _('At least one valid subnet or IP must be specified. Comments-only content is not allowed.');
+        }
+
+        return true;
+    };
+
+    o = s.taboption('basic', form.Flag, 'custom_download_subnets_list_enabled', _('Remote Subnet Lists'), _('Download and use subnet lists from remote URLs'));
+    o.default = '0';
+    o.rmempty = false;
+    o.ucisection = s.section;
+
+    o = s.taboption('basic', form.DynamicList, 'custom_download_subnets', _('Remote Subnet URLs'), _('Enter full URLs starting with http:// or https://'));
+    o.placeholder = 'URL';
+    o.depends('custom_download_subnets_list_enabled', '1');
+    o.rmempty = false;
+    o.ucisection = s.section;
+    o.validate = function (section_id, value) {
+        if (!value || value.length === 0) return true;
+        return validateUrl(value);
+    };
+
+    o = s.taboption('basic', form.Flag, 'all_traffic_from_ip_enabled', _('IP for full redirection'), _('Specify local IP addresses whose traffic will always use the configured route'));
+    o.default = '0';
+    o.rmempty = false;
+    o.ucisection = s.section;
+
+    o = s.taboption('basic', form.DynamicList, 'all_traffic_ip', _('Local IPs'), _('Enter valid IPv4 addresses'));
+    o.placeholder = 'IP';
+    o.depends('all_traffic_from_ip_enabled', '1');
+    o.rmempty = false;
+    o.ucisection = s.section;
+    o.validate = function (section_id, value) {
+        if (!value || value.length === 0) return true;
+        const ipRegex = /^(\d{1,3}\.){3}\d{1,3}$/;
+        if (!ipRegex.test(value)) return _('Invalid IP format. Use format: X.X.X.X (like 192.168.1.1)');
+        const ipParts = value.split('.');
+        for (const part of ipParts) {
+            const num = parseInt(part);
+            if (num < 0 || num > 255) return _('IP address parts must be between 0 and 255');
+        }
+        return true;
+    };
+}
+
+return baseclass.extend({
+    createConfigSection
+}); 

luci-app-podkop/htdocs/luci-static/resources/view/podkop/constants.js

@@ -0,0 +1,107 @@
+'use strict';
+'require baseclass';
+
+const STATUS_COLORS = {
+    SUCCESS: '#4caf50',
+    ERROR: '#f44336',
+    WARNING: '#ff9800'
+};
+
+const FAKEIP_CHECK_DOMAIN = 'fakeip.podkop.fyi';
+const IP_CHECK_DOMAIN = 'ip.podkop.fyi';
+
+const REGIONAL_OPTIONS = ['russia_inside', 'russia_outside', 'ukraine_inside'];
+const ALLOWED_WITH_RUSSIA_INSIDE = [
+    'russia_inside',
+    'meta',
+    'twitter',
+    'discord',
+    'telegram',
+    'cloudflare',
+    'google_ai',
+    'google_play',
+    'hetzner',
+    'ovh'
+];
+
+const DOMAIN_LIST_OPTIONS = {
+    russia_inside: 'Russia inside',
+    russia_outside: 'Russia outside',
+    ukraine_inside: 'Ukraine',
+    geoblock: 'Geo Block',
+    block: 'Block',
+    porn: 'Porn',
+    news: 'News',
+    anime: 'Anime',
+    youtube: 'Youtube',
+    discord: 'Discord',
+    meta: 'Meta',
+    twitter: 'Twitter (X)',
+    hdrezka: 'HDRezka',
+    tiktok: 'Tik-Tok',
+    telegram: 'Telegram',
+    cloudflare: 'Cloudflare',
+    google_ai: 'Google AI',
+    google_play: 'Google Play',
+    hetzner: 'Hetzner ASN',
+    ovh: 'OVH ASN'
+};
+
+const UPDATE_INTERVAL_OPTIONS = {
+    '1h': 'Every hour',
+    '3h': 'Every 3 hours',
+    '12h': 'Every 12 hours',
+    '1d': 'Every day',
+    '3d': 'Every 3 days'
+};
+
+const DNS_SERVER_OPTIONS = {
+    '1.1.1.1': 'Cloudflare (1.1.1.1)',
+    '8.8.8.8': 'Google (8.8.8.8)',
+    '9.9.9.9': 'Quad9 (9.9.9.9)',
+    'dns.adguard-dns.com': 'AdGuard Default (dns.adguard-dns.com)',
+    'unfiltered.adguard-dns.com': 'AdGuard Unfiltered (unfiltered.adguard-dns.com)',
+    'family.adguard-dns.com': 'AdGuard Family (family.adguard-dns.com)'
+};
+
+const DIAGNOSTICS_UPDATE_INTERVAL = 10000; // 10 seconds
+const CACHE_TIMEOUT = DIAGNOSTICS_UPDATE_INTERVAL - 1000; // 9 seconds
+const ERROR_POLL_INTERVAL = 10000; // 10 seconds
+const COMMAND_TIMEOUT = 10000; // 10 seconds
+const FETCH_TIMEOUT = 10000; // 10 seconds
+const BUTTON_FEEDBACK_TIMEOUT = 1000; // 1 second
+const DIAGNOSTICS_INITIAL_DELAY = 100; // 100 milliseconds
+
+// Интервалы планирования команд в диагностике (в миллисекундах)
+const COMMAND_SCHEDULING = {
+    P0_PRIORITY: 0,      // Наивысший приоритет (без задержки)
+    P1_PRIORITY: 100,    // Очень высокий приоритет
+    P2_PRIORITY: 300,    // Высокий приоритет
+    P3_PRIORITY: 500,    // Выше среднего
+    P4_PRIORITY: 700,    // Стандартный приоритет
+    P5_PRIORITY: 900,    // Ниже среднего
+    P6_PRIORITY: 1100,   // Низкий приоритет
+    P7_PRIORITY: 1300,   // Очень низкий приоритет
+    P8_PRIORITY: 1500,   // Фоновое выполнение
+    P9_PRIORITY: 1700,   // Выполнение в режиме простоя
+    P10_PRIORITY: 1900   // Наименьший приоритет
+};
+
+return baseclass.extend({
+    STATUS_COLORS,
+    FAKEIP_CHECK_DOMAIN,
+    IP_CHECK_DOMAIN,
+    REGIONAL_OPTIONS,
+    ALLOWED_WITH_RUSSIA_INSIDE,
+    DOMAIN_LIST_OPTIONS,
+    UPDATE_INTERVAL_OPTIONS,
+    DNS_SERVER_OPTIONS,
+    DIAGNOSTICS_UPDATE_INTERVAL,
+    ERROR_POLL_INTERVAL,
+    COMMAND_TIMEOUT,
+    FETCH_TIMEOUT,
+    BUTTON_FEEDBACK_TIMEOUT,
+    DIAGNOSTICS_INITIAL_DELAY,
+    COMMAND_SCHEDULING,
+    CACHE_TIMEOUT
+});

luci-app-podkop/htdocs/luci-static/resources/view/podkop/diagnosticTab.js

@@ -0,0 +1,887 @@
+'use strict';
+'require baseclass';
+'require form';
+'require ui';
+'require uci';
+'require fs';
+'require view.podkop.constants as constants';
+'require view.podkop.utils as utils';
+
+// Cache system for network requests
+const fetchCache = {};
+
+// Helper function to fetch with cache
+async function cachedFetch(url, options = {}) {
+    const cacheKey = url;
+    const currentTime = Date.now();
+
+    // If we have a valid cached response, return it
+    if (fetchCache[cacheKey] && currentTime - fetchCache[cacheKey].timestamp < constants.CACHE_TIMEOUT) {
+        console.log(`Using cached response for ${url}`);
+        return Promise.resolve(fetchCache[cacheKey].response.clone());
+    }
+
+    // Otherwise, make a new request
+    try {
+        const response = await fetch(url, options);
+
+        // Cache the response
+        fetchCache[cacheKey] = {
+            response: response.clone(),
+            timestamp: currentTime
+        };
+
+        return response;
+    } catch (error) {
+        throw error;
+    }
+}
+
+// Helper functions for command execution with prioritization - Using from utils.js now
+function safeExec(command, args, priority, callback, timeout = constants.COMMAND_TIMEOUT) {
+    return utils.safeExec(command, args, priority, callback, timeout);
+}
+
+// Helper functions for handling checks
+function runCheck(checkFunction, priority, callback) {
+    // Default to highest priority execution if priority is not provided or invalid
+    let schedulingDelay = constants.COMMAND_SCHEDULING.P0_PRIORITY;
+
+    // If priority is a string, try to get the corresponding delay value
+    if (typeof priority === 'string' && constants.COMMAND_SCHEDULING[priority] !== undefined) {
+        schedulingDelay = constants.COMMAND_SCHEDULING[priority];
+    }
+
+    const executeCheck = async () => {
+        try {
+            const result = await checkFunction();
+            if (callback && typeof callback === 'function') {
+                callback(result);
+            }
+            return result;
+        } catch (error) {
+            if (callback && typeof callback === 'function') {
+                callback({ error });
+            }
+            return { error };
+        }
+    };
+
+    if (callback && typeof callback === 'function') {
+        setTimeout(executeCheck, schedulingDelay);
+        return;
+    } else {
+        return executeCheck();
+    }
+}
+
+function runAsyncTask(taskFunction, priority) {
+    // Default to highest priority execution if priority is not provided or invalid
+    let schedulingDelay = constants.COMMAND_SCHEDULING.P0_PRIORITY;
+
+    // If priority is a string, try to get the corresponding delay value
+    if (typeof priority === 'string' && constants.COMMAND_SCHEDULING[priority] !== undefined) {
+        schedulingDelay = constants.COMMAND_SCHEDULING[priority];
+    }
+
+    setTimeout(async () => {
+        try {
+            await taskFunction();
+        } catch (error) {
+            console.error('Async task error:', error);
+        }
+    }, schedulingDelay);
+}
+
+// Helper Functions for UI and formatting
+function createStatus(state, message, color) {
+    return {
+        state,
+        message: _(message),
+        color: constants.STATUS_COLORS[color]
+    };
+}
+
+function formatDiagnosticOutput(output) {
+    if (typeof output !== 'string') return '';
+    return output.trim()
+        .replace(/\x1b\[[0-9;]*m/g, '')
+        .replace(/\r\n/g, '\n')
+        .replace(/\r/g, '\n');
+}
+
+function copyToClipboard(text, button) {
+    const textarea = document.createElement('textarea');
+    textarea.value = text;
+    document.body.appendChild(textarea);
+    textarea.select();
+    try {
+        document.execCommand('copy');
+        const originalText = button.textContent;
+        button.textContent = _('Copied!');
+        setTimeout(() => button.textContent = originalText, constants.BUTTON_FEEDBACK_TIMEOUT);
+    } catch (err) {
+        ui.addNotification(null, E('p', {}, _('Failed to copy: ') + err.message));
+    }
+    document.body.removeChild(textarea);
+}
+
+// IP masking function
+function maskIP(ip) {
+    if (!ip) return '';
+    const parts = ip.split('.');
+    if (parts.length !== 4) return ip;
+    return ['XX', 'XX', 'XX', parts[3]].join('.');
+}
+
+// Status Check Functions
+async function checkFakeIP() {
+    try {
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), constants.FETCH_TIMEOUT);
+
+        try {
+            const response = await cachedFetch(`https://${constants.FAKEIP_CHECK_DOMAIN}/check`, { signal: controller.signal });
+            const data = await response.json();
+            clearTimeout(timeoutId);
+
+            if (data.fakeip === true) {
+                return createStatus('working', 'working', 'SUCCESS');
+            } else {
+                return createStatus('not_working', 'not working', 'ERROR');
+            }
+        } catch (fetchError) {
+            clearTimeout(timeoutId);
+            const message = fetchError.name === 'AbortError' ? 'timeout' : 'check error';
+            return createStatus('error', message, 'WARNING');
+        }
+    } catch (error) {
+        return createStatus('error', 'check error', 'WARNING');
+    }
+}
+
+async function checkFakeIPCLI() {
+    try {
+        return new Promise((resolve) => {
+            safeExec('nslookup', ['-timeout=2', constants.FAKEIP_CHECK_DOMAIN, '127.0.0.42'], 'P0_PRIORITY', result => {
+                if (result.stdout && result.stdout.includes('198.18')) {
+                    resolve(createStatus('working', 'working on router', 'SUCCESS'));
+                } else {
+                    resolve(createStatus('not_working', 'not working on router', 'ERROR'));
+                }
+            });
+        });
+    } catch (error) {
+        return createStatus('error', 'CLI check error', 'WARNING');
+    }
+}
+
+function checkDNSAvailability() {
+    return new Promise(async (resolve) => {
+        try {
+            safeExec('/usr/bin/podkop', ['check_dns_available'], 'P0_PRIORITY', dnsStatusResult => {
+                if (!dnsStatusResult || !dnsStatusResult.stdout) {
+                    return resolve({
+                        remote: createStatus('error', 'DNS check timeout', 'WARNING'),
+                        local: createStatus('error', 'DNS check timeout', 'WARNING')
+                    });
+                }
+
+                try {
+                    const dnsStatus = JSON.parse(dnsStatusResult.stdout);
+
+                    const remoteStatus = dnsStatus.is_available ?
+                        createStatus('available', `${dnsStatus.dns_type.toUpperCase()} (${dnsStatus.dns_server}) available`, 'SUCCESS') :
+                        createStatus('unavailable', `${dnsStatus.dns_type.toUpperCase()} (${dnsStatus.dns_server}) unavailable`, 'ERROR');
+
+                    const localStatus = dnsStatus.local_dns_working ?
+                        createStatus('available', 'Router DNS working', 'SUCCESS') :
+                        createStatus('unavailable', 'Router DNS not working', 'ERROR');
+
+                    return resolve({
+                        remote: remoteStatus,
+                        local: localStatus
+                    });
+                } catch (parseError) {
+                    return resolve({
+                        remote: createStatus('error', 'DNS check parse error', 'WARNING'),
+                        local: createStatus('error', 'DNS check parse error', 'WARNING')
+                    });
+                }
+            });
+        } catch (error) {
+            return resolve({
+                remote: createStatus('error', 'DNS check error', 'WARNING'),
+                local: createStatus('error', 'DNS check error', 'WARNING')
+            });
+        }
+    });
+}
+
+async function checkBypass() {
+    try {
+        const controller = new AbortController();
+        const timeoutId = setTimeout(() => controller.abort(), constants.FETCH_TIMEOUT);
+
+        try {
+            const response1 = await cachedFetch(`https://${constants.FAKEIP_CHECK_DOMAIN}/check`, { signal: controller.signal });
+            const data1 = await response1.json();
+
+            const response2 = await cachedFetch(`https://${constants.IP_CHECK_DOMAIN}/check`, { signal: controller.signal });
+            const data2 = await response2.json();
+
+            clearTimeout(timeoutId);
+
+            if (data1.IP && data2.IP) {
+                if (data1.IP !== data2.IP) {
+                    return createStatus('working', 'working', 'SUCCESS');
+                } else {
+                    return createStatus('not_working', 'same IP for both domains', 'ERROR');
+                }
+            } else {
+                return createStatus('error', 'check error (no IP)', 'WARNING');
+            }
+        } catch (fetchError) {
+            clearTimeout(timeoutId);
+            const message = fetchError.name === 'AbortError' ? 'timeout' : 'check error';
+            return createStatus('error', message, 'WARNING');
+        }
+    } catch (error) {
+        return createStatus('error', 'check error', 'WARNING');
+    }
+}
+
+// Modal Functions
+function createModalContent(title, content) {
+    return [
+        E('div', {
+            'class': 'panel-body',
+            style: 'max-height: 70vh; overflow-y: auto; margin: 1em 0; padding: 1.5em; ' +
+                'font-family: monospace; white-space: pre-wrap; word-wrap: break-word; ' +
+                'line-height: 1.5; font-size: 14px;'
+        }, [
+            E('pre', { style: 'margin: 0;' }, content)
+        ]),
+        E('div', {
+            'class': 'right',
+            style: 'margin-top: 1em;'
+        }, [
+            E('button', {
+                'class': 'btn',
+                'click': ev => copyToClipboard('```txt\n' + content + '\n```', ev.target)
+            }, _('Copy to Clipboard')),
+            E('button', {
+                'class': 'btn',
+                'click': ui.hideModal
+            }, _('Close'))
+        ])
+    ];
+}
+
+function showConfigModal(command, title) {
+    // Create and show modal immediately with loading state
+    const modalContent = E('div', { 'class': 'panel-body' }, [
+        E('div', {
+            'class': 'panel-body',
+            style: 'max-height: 70vh; overflow-y: auto; margin: 1em 0; padding: 1.5em; ' +
+                'font-family: monospace; white-space: pre-wrap; word-wrap: break-word; ' +
+                'line-height: 1.5; font-size: 14px;'
+        }, [
+            E('pre', {
+                'id': 'modal-content-pre',
+                style: 'margin: 0;'
+            }, _('Loading...'))
+        ]),
+        E('div', {
+            'class': 'right',
+            style: 'margin-top: 1em;'
+        }, [
+            E('button', {
+                'class': 'btn',
+                'id': 'copy-button',
+                'click': ev => copyToClipboard('```txt\n' + document.getElementById('modal-content-pre').innerText + '\n```', ev.target)
+            }, _('Copy to Clipboard')),
+            E('button', {
+                'class': 'btn',
+                'click': ui.hideModal
+            }, _('Close'))
+        ])
+    ]);
+
+    ui.showModal(_(title), modalContent);
+
+    // Function to update modal content
+    const updateModalContent = (content) => {
+        const pre = document.getElementById('modal-content-pre');
+        if (pre) {
+            pre.textContent = content;
+        }
+    };
+
+    try {
+        let formattedOutput = '';
+
+        if (command === 'global_check') {
+            safeExec('/usr/bin/podkop', [command], 'P0_PRIORITY', res => {
+                formattedOutput = formatDiagnosticOutput(res.stdout || _('No output'));
+
+                try {
+                    const controller = new AbortController();
+                    const timeoutId = setTimeout(() => controller.abort(), constants.FETCH_TIMEOUT);
+
+                    cachedFetch(`https://${constants.FAKEIP_CHECK_DOMAIN}/check`, { signal: controller.signal })
+                        .then(response => response.json())
+                        .then(data => {
+                            clearTimeout(timeoutId);
+
+                            if (data.fakeip === true) {
+                                formattedOutput += '\n✅ ' + _('FakeIP is working in browser!') + '\n';
+                            } else {
+                                formattedOutput += '\n❌ ' + _('FakeIP is not working in browser') + '\n';
+                                formattedOutput += _('Check DNS server on current device (PC, phone)') + '\n';
+                                formattedOutput += _('Its must be router!') + '\n';
+                            }
+
+                            // Bypass check
+                            cachedFetch(`https://${constants.FAKEIP_CHECK_DOMAIN}/check`, { signal: controller.signal })
+                                .then(bypassResponse => bypassResponse.json())
+                                .then(bypassData => {
+                                    cachedFetch(`https://${constants.IP_CHECK_DOMAIN}/check`, { signal: controller.signal })
+                                        .then(bypassResponse2 => bypassResponse2.json())
+                                        .then(bypassData2 => {
+                                            formattedOutput += '━━━━━━━━━━━━━━━━━━━━━━━━━━━\n';
+
+                                            if (bypassData.IP && bypassData2.IP && bypassData.IP !== bypassData2.IP) {
+                                                formattedOutput += '✅ ' + _('Proxy working correctly') + '\n';
+                                                formattedOutput += _('Direct IP: ') + maskIP(bypassData.IP) + '\n';
+                                                formattedOutput += _('Proxy IP: ') + maskIP(bypassData2.IP) + '\n';
+                                            } else if (bypassData.IP === bypassData2.IP) {
+                                                formattedOutput += '❌ ' + _('Proxy is not working - same IP for both domains') + '\n';
+                                                formattedOutput += _('IP: ') + maskIP(bypassData.IP) + '\n';
+                                            } else {
+                                                formattedOutput += '❌ ' + _('Proxy check failed') + '\n';
+                                            }
+
+                                            updateModalContent(formattedOutput);
+                                        })
+                                        .catch(error => {
+                                            formattedOutput += '\n❌ ' + _('Check failed: ') + (error.name === 'AbortError' ? _('timeout') : error.message) + '\n';
+                                            updateModalContent(formattedOutput);
+                                        });
+                                })
+                                .catch(error => {
+                                    formattedOutput += '\n❌ ' + _('Check failed: ') + (error.name === 'AbortError' ? _('timeout') : error.message) + '\n';
+                                    updateModalContent(formattedOutput);
+                                });
+                        })
+                        .catch(error => {
+                            formattedOutput += '\n❌ ' + _('Check failed: ') + (error.name === 'AbortError' ? _('timeout') : error.message) + '\n';
+                            updateModalContent(formattedOutput);
+                        });
+                } catch (error) {
+                    formattedOutput += '\n❌ ' + _('Check failed: ') + error.message + '\n';
+                    updateModalContent(formattedOutput);
+                }
+            });
+        } else {
+            safeExec('/usr/bin/podkop', [command], 'P0_PRIORITY', res => {
+                formattedOutput = formatDiagnosticOutput(res.stdout || _('No output'));
+                updateModalContent(formattedOutput);
+            });
+        }
+    } catch (error) {
+        updateModalContent(_('Error: ') + error.message);
+    }
+}
+
+// Button Factory
+const ButtonFactory = {
+    createButton: function (config) {
+        return E('button', {
+            'class': `btn ${config.additionalClass || ''}`.trim(),
+            'click': config.onClick,
+            'style': config.style || ''
+        }, _(config.label));
+    },
+
+    createActionButton: function (config) {
+        return this.createButton({
+            label: config.label,
+            additionalClass: `cbi-button-${config.type || ''}`,
+            onClick: () => safeExec('/usr/bin/podkop', [config.action], 'P0_PRIORITY')
+                .then(() => config.reload && location.reload()),
+            style: config.style
+        });
+    },
+
+    createInitActionButton: function (config) {
+        return this.createButton({
+            label: config.label,
+            additionalClass: `cbi-button-${config.type || ''}`,
+            onClick: () => safeExec('/etc/init.d/podkop', [config.action], 'P0_PRIORITY')
+                .then(() => config.reload && location.reload()),
+            style: config.style
+        });
+    },
+
+    createModalButton: function (config) {
+        return this.createButton({
+            label: config.label,
+            onClick: () => showConfigModal(config.command, config.title),
+            additionalClass: `cbi-button-${config.type || ''}`,
+            style: config.style
+        });
+    }
+};
+
+// Create a loading placeholder for status text
+function createLoadingStatusText() {
+    return E('span', { 'class': 'loading-indicator' }, _('Loading...'));
+}
+
+// Create the status section with buttons loaded immediately but status indicators loading asynchronously
+let createStatusSection = async function () {
+    // Get initial podkop status
+    let initialPodkopStatus = { enabled: false };
+    try {
+        const result = await fs.exec('/usr/bin/podkop', ['get_status']);
+        if (result && result.stdout) {
+            const status = JSON.parse(result.stdout);
+            initialPodkopStatus.enabled = status.enabled === 1;
+        }
+    } catch (e) {
+        console.error('Error getting initial podkop status:', e);
+    }
+
+    return E('div', { 'class': 'cbi-section' }, [
+        E('div', { 'class': 'table', style: 'display: flex; gap: 20px;' }, [
+            // Podkop Status Panel
+            E('div', { 'id': 'podkop-status-panel', 'class': 'panel', 'style': 'flex: 1; padding: 15px;' }, [
+                E('div', { 'class': 'panel-heading' }, [
+                    E('strong', {}, _('Podkop Status')),
+                    E('br'),
+                    E('span', { 'id': 'podkop-status-text' }, createLoadingStatusText())
+                ]),
+                E('div', { 'class': 'panel-body', 'style': 'display: flex; flex-direction: column; gap: 8px;' }, [
+                    ButtonFactory.createActionButton({
+                        label: 'Restart Podkop',
+                        type: 'apply',
+                        action: 'restart',
+                        reload: true
+                    }),
+                    ButtonFactory.createActionButton({
+                        label: 'Stop Podkop',
+                        type: 'apply',
+                        action: 'stop',
+                        reload: true
+                    }),
+                    // Autostart button - create with initial state
+                    ButtonFactory.createInitActionButton({
+                        label: initialPodkopStatus.enabled ? 'Disable Autostart' : 'Enable Autostart',
+                        type: initialPodkopStatus.enabled ? 'remove' : 'apply',
+                        action: initialPodkopStatus.enabled ? 'disable' : 'enable',
+                        reload: true
+                    }),
+                    ButtonFactory.createModalButton({
+                        label: _('Global check'),
+                        command: 'global_check',
+                        title: _('Click here for all the info')
+                    }),
+                    ButtonFactory.createModalButton({
+                        label: 'View Logs',
+                        command: 'check_logs',
+                        title: 'Podkop Logs'
+                    }),
+                    ButtonFactory.createModalButton({
+                        label: _('Update Lists'),
+                        command: 'list_update',
+                        title: _('Lists Update Results')
+                    })
+                ])
+            ]),
+
+            // Sing-box Status Panel
+            E('div', { 'id': 'singbox-status-panel', 'class': 'panel', 'style': 'flex: 1; padding: 15px;' }, [
+                E('div', { 'class': 'panel-heading' }, [
+                    E('strong', {}, _('Sing-box Status')),
+                    E('br'),
+                    E('span', { 'id': 'singbox-status-text' }, createLoadingStatusText())
+                ]),
+                E('div', { 'class': 'panel-body', 'style': 'display: flex; flex-direction: column; gap: 8px;' }, [
+                    ButtonFactory.createModalButton({
+                        label: 'Show Config',
+                        command: 'show_sing_box_config',
+                        title: 'Sing-box Configuration'
+                    }),
+                    ButtonFactory.createModalButton({
+                        label: 'View Logs',
+                        command: 'check_sing_box_logs',
+                        title: 'Sing-box Logs'
+                    }),
+                    ButtonFactory.createModalButton({
+                        label: 'Check Connections',
+                        command: 'check_sing_box_connections',
+                        title: 'Active Connections'
+                    }),
+                    ButtonFactory.createModalButton({
+                        label: _('Check NFT Rules'),
+                        command: 'check_nft',
+                        title: _('NFT Rules')
+                    }),
+                    ButtonFactory.createModalButton({
+                        label: _('Check DNSMasq'),
+                        command: 'check_dnsmasq',
+                        title: _('DNSMasq Configuration')
+                    })
+                ])
+            ]),
+
+            // FakeIP Status Panel
+            E('div', { 'id': 'fakeip-status-panel', 'class': 'panel', 'style': 'flex: 1; padding: 15px;' }, [
+                E('div', { 'class': 'panel-heading' }, [
+                    E('strong', {}, _('FakeIP Status'))
+                ]),
+                E('div', { 'class': 'panel-body', 'style': 'display: flex; flex-direction: column; gap: 8px;' }, [
+                    E('div', { style: 'margin-bottom: 5px;' }, [
+                        E('div', {}, [
+                            E('span', { 'id': 'fakeip-browser-status' }, createLoadingStatusText())
+                        ]),
+                        E('div', {}, [
+                            E('span', { 'id': 'fakeip-router-status' }, createLoadingStatusText())
+                        ])
+                    ]),
+                    E('div', { style: 'margin-bottom: 5px;' }, [
+                        E('div', {}, [
+                            E('strong', {}, _('DNS Status')),
+                            E('br'),
+                            E('span', { 'id': 'dns-remote-status' }, createLoadingStatusText()),
+                            E('br'),
+                            E('span', { 'id': 'dns-local-status' }, createLoadingStatusText())
+                        ])
+                    ]),
+                    E('div', { style: 'margin-bottom: 5px;' }, [
+                        E('div', {}, [
+                            E('strong', { 'id': 'config-name-text' }, _('Main config')),
+                            E('br'),
+                            E('span', { 'id': 'bypass-status' }, createLoadingStatusText())
+                        ])
+                    ])
+                ])
+            ]),
+
+            // Version Information Panel
+            E('div', { 'id': 'version-info-panel', 'class': 'panel', 'style': 'flex: 1; padding: 15px;' }, [
+                E('div', { 'class': 'panel-heading' }, [
+                    E('strong', {}, _('Version Information'))
+                ]),
+                E('div', { 'class': 'panel-body' }, [
+                    E('div', { 'style': 'margin-top: 10px; font-family: monospace; white-space: pre-wrap;' }, [
+                        E('strong', {}, _('Podkop: ')), E('span', { 'id': 'podkop-version' }, _('Loading...')), '\n',
+                        E('strong', {}, _('LuCI App: ')), E('span', { 'id': 'luci-version' }, _('Loading...')), '\n',
+                        E('strong', {}, _('Sing-box: ')), E('span', { 'id': 'singbox-version' }, _('Loading...')), '\n',
+                        E('strong', {}, _('OpenWrt Version: ')), E('span', { 'id': 'openwrt-version' }, _('Loading...')), '\n',
+                        E('strong', {}, _('Device Model: ')), E('span', { 'id': 'device-model' }, _('Loading...'))
+                    ])
+                ])
+            ])
+        ])
+    ]);
+};
+
+// Global variables for tracking state
+let diagnosticsUpdateTimer = null;
+let isInitialCheck = true;
+showConfigModal.busy = false;
+
+function startDiagnosticsUpdates() {
+    if (diagnosticsUpdateTimer) {
+        clearInterval(diagnosticsUpdateTimer);
+    }
+
+    // Immediately update when started
+    updateDiagnostics();
+
+    // Then set up periodic updates
+    diagnosticsUpdateTimer = setInterval(updateDiagnostics, constants.DIAGNOSTICS_UPDATE_INTERVAL);
+}
+
+function stopDiagnosticsUpdates() {
+    if (diagnosticsUpdateTimer) {
+        clearInterval(diagnosticsUpdateTimer);
+        diagnosticsUpdateTimer = null;
+    }
+}
+
+// Update individual text element with new content
+function updateTextElement(elementId, content) {
+    const element = document.getElementById(elementId);
+    if (element) {
+        element.innerHTML = '';
+        element.appendChild(content);
+    }
+}
+
+async function updateDiagnostics() {
+    // Podkop Status check
+    safeExec('/usr/bin/podkop', ['get_status'], 'P0_PRIORITY', result => {
+        try {
+            const parsedPodkopStatus = JSON.parse(result.stdout || '{"enabled":0,"status":"error"}');
+
+            // Update Podkop status text
+            updateTextElement('podkop-status-text',
+                E('span', {
+                    'style': `color: ${parsedPodkopStatus.enabled ? constants.STATUS_COLORS.SUCCESS : constants.STATUS_COLORS.ERROR}`
+                }, [
+                    parsedPodkopStatus.enabled ? '✔ Autostart enabled' : '✘ Autostart disabled'
+                ])
+            );
+
+            // Update autostart button
+            const autostartButton = parsedPodkopStatus.enabled ?
+                ButtonFactory.createInitActionButton({
+                    label: 'Disable Autostart',
+                    type: 'remove',
+                    action: 'disable',
+                    reload: true
+                }) :
+                ButtonFactory.createInitActionButton({
+                    label: 'Enable Autostart',
+                    type: 'apply',
+                    action: 'enable',
+                    reload: true
+                });
+
+            // Find the autostart button and replace it
+            const panel = document.getElementById('podkop-status-panel');
+            if (panel) {
+                const buttons = panel.querySelectorAll('.cbi-button');
+                if (buttons.length >= 3) {
+                    buttons[2].parentNode.replaceChild(autostartButton, buttons[2]);
+                }
+            }
+        } catch (error) {
+            updateTextElement('podkop-status-text',
+                E('span', { 'style': `color: ${constants.STATUS_COLORS.ERROR}` }, '✘ Error')
+            );
+        }
+    });
+
+    // Sing-box Status check
+    safeExec('/usr/bin/podkop', ['get_sing_box_status'], 'P0_PRIORITY', result => {
+        try {
+            const parsedSingboxStatus = JSON.parse(result.stdout || '{"running":0,"enabled":0,"status":"error"}');
+
+            // Update Sing-box status text
+            updateTextElement('singbox-status-text',
+                E('span', {
+                    'style': `color: ${parsedSingboxStatus.running && !parsedSingboxStatus.enabled ?
+                        constants.STATUS_COLORS.SUCCESS : constants.STATUS_COLORS.ERROR}`
+                }, [
+                    parsedSingboxStatus.running && !parsedSingboxStatus.enabled ?
+                        '✔ running' : '✘ ' + parsedSingboxStatus.status
+                ])
+            );
+        } catch (error) {
+            updateTextElement('singbox-status-text',
+                E('span', { 'style': `color: ${constants.STATUS_COLORS.ERROR}` }, '✘ Error')
+            );
+        }
+    });
+
+    // Version Information checks
+    safeExec('/usr/bin/podkop', ['show_version'], 'P2_PRIORITY', result => {
+        updateTextElement('podkop-version',
+            document.createTextNode(result.stdout ? result.stdout.trim() : _('Unknown'))
+        );
+    });
+
+    safeExec('/usr/bin/podkop', ['show_luci_version'], 'P2_PRIORITY', result => {
+        updateTextElement('luci-version',
+            document.createTextNode(result.stdout ? result.stdout.trim() : _('Unknown'))
+        );
+    });
+
+    safeExec('/usr/bin/podkop', ['show_sing_box_version'], 'P2_PRIORITY', result => {
+        updateTextElement('singbox-version',
+            document.createTextNode(result.stdout ? result.stdout.trim() : _('Unknown'))
+        );
+    });
+
+    safeExec('/usr/bin/podkop', ['show_system_info'], 'P2_PRIORITY', result => {
+        if (result.stdout) {
+            updateTextElement('openwrt-version',
+                document.createTextNode(result.stdout.split('\n')[1].trim())
+            );
+            updateTextElement('device-model',
+                document.createTextNode(result.stdout.split('\n')[4].trim())
+            );
+        } else {
+            updateTextElement('openwrt-version', document.createTextNode(_('Unknown')));
+            updateTextElement('device-model', document.createTextNode(_('Unknown')));
+        }
+    });
+
+    // FakeIP and DNS status checks
+    runCheck(checkFakeIP, 'P3_PRIORITY', result => {
+        updateTextElement('fakeip-browser-status',
+            E('span', { style: `color: ${result.error ? constants.STATUS_COLORS.WARNING : result.color}` }, [
+                result.error ? '! ' : result.state === 'working' ? '✔ ' : result.state === 'not_working' ? '✘ ' : '! ',
+                result.error ? 'check error' : result.state === 'working' ? _('works in browser') : _('does not work in browser')
+            ])
+        );
+    });
+
+    runCheck(checkFakeIPCLI, 'P8_PRIORITY', result => {
+        updateTextElement('fakeip-router-status',
+            E('span', { style: `color: ${result.error ? constants.STATUS_COLORS.WARNING : result.color}` }, [
+                result.error ? '! ' : result.state === 'working' ? '✔ ' : result.state === 'not_working' ? '✘ ' : '! ',
+                result.error ? 'check error' : result.state === 'working' ? _('works on router') : _('does not work on router')
+            ])
+        );
+    });
+
+    runCheck(checkDNSAvailability, 'P4_PRIORITY', result => {
+        if (result.error) {
+            updateTextElement('dns-remote-status',
+                E('span', { style: `color: ${constants.STATUS_COLORS.WARNING}` }, '! DNS check error')
+            );
+            updateTextElement('dns-local-status',
+                E('span', { style: `color: ${constants.STATUS_COLORS.WARNING}` }, '! DNS check error')
+            );
+        } else {
+            updateTextElement('dns-remote-status',
+                E('span', { style: `color: ${result.remote.color}` }, [
+                    result.remote.state === 'available' ? '✔ ' : result.remote.state === 'unavailable' ? '✘ ' : '! ',
+                    result.remote.message
+                ])
+            );
+
+            updateTextElement('dns-local-status',
+                E('span', { style: `color: ${result.local.color}` }, [
+                    result.local.state === 'available' ? '✔ ' : result.local.state === 'unavailable' ? '✘ ' : '! ',
+                    result.local.message
+                ])
+            );
+        }
+    });
+
+    runCheck(checkBypass, 'P1_PRIORITY', result => {
+        updateTextElement('bypass-status',
+            E('span', { style: `color: ${result.error ? constants.STATUS_COLORS.WARNING : result.color}` }, [
+                result.error ? '! ' : result.state === 'working' ? '✔ ' : result.state === 'not_working' ? '✘ ' : '! ',
+                result.error ? 'check error' : result.message
+            ])
+        );
+    }, 'P1_PRIORITY');
+
+    // Config name
+    runAsyncTask(async () => {
+        try {
+            let configName = _('Main config');
+            const data = await uci.load('podkop');
+            const proxyString = uci.get('podkop', 'main', 'proxy_string');
+
+            if (proxyString) {
+                const activeConfig = proxyString.split('\n')
+                    .map(line => line.trim())
+                    .find(line => line && !line.startsWith('//'));
+
+                if (activeConfig) {
+                    if (activeConfig.includes('#')) {
+                        const label = activeConfig.split('#').pop();
+                        if (label && label.trim()) {
+                            configName = _('Config: ') + decodeURIComponent(label);
+                        }
+                    }
+                }
+            }
+
+            updateTextElement('config-name-text', document.createTextNode(configName));
+        } catch (e) {
+            console.error('Error getting config name from UCI:', e);
+        }
+    }, 'P1_PRIORITY');
+}
+
+function createDiagnosticsSection(mainSection) {
+    let o = mainSection.tab('diagnostics', _('Diagnostics'));
+
+    o = mainSection.taboption('diagnostics', form.DummyValue, '_status');
+    o.rawhtml = true;
+    o.cfgvalue = () => E('div', {
+        id: 'diagnostics-status',
+        'data-loading': 'true'
+    });
+}
+
+function setupDiagnosticsEventHandlers(node) {
+    const titleDiv = E('h2', { 'class': 'cbi-map-title' }, _('Podkop'));
+    node.insertBefore(titleDiv, node.firstChild);
+
+    // Function to initialize diagnostics
+    function initDiagnostics(container) {
+        if (container && container.hasAttribute('data-loading')) {
+            container.innerHTML = '';
+            showConfigModal.busy = false;
+            createStatusSection().then(section => {
+                container.appendChild(section);
+                startDiagnosticsUpdates();
+                // Start error polling when diagnostics tab is active
+                utils.startErrorPolling();
+            });
+        }
+    }
+
+    document.addEventListener('visibilitychange', function () {
+        const diagnosticsContainer = document.getElementById('diagnostics-status');
+        const diagnosticsTab = document.querySelector('.cbi-tab[data-tab="diagnostics"]');
+
+        if (document.hidden || !diagnosticsTab || !diagnosticsTab.classList.contains('cbi-tab-active')) {
+            stopDiagnosticsUpdates();
+            // Don't stop error polling here - it's managed in podkop.js for all tabs
+        } else if (diagnosticsContainer && diagnosticsContainer.hasAttribute('data-loading')) {
+            startDiagnosticsUpdates();
+            // Ensure error polling is running when diagnostics tab is active
+            utils.startErrorPolling();
+        }
+    });
+
+    setTimeout(() => {
+        const diagnosticsContainer = document.getElementById('diagnostics-status');
+        const diagnosticsTab = document.querySelector('.cbi-tab[data-tab="diagnostics"]');
+        const otherTabs = document.querySelectorAll('.cbi-tab:not([data-tab="diagnostics"])');
+
+        // Check for direct page load case
+        const noActiveTabsExist = !Array.from(otherTabs).some(tab => tab.classList.contains('cbi-tab-active'));
+
+        if (diagnosticsContainer && diagnosticsTab && (diagnosticsTab.classList.contains('cbi-tab-active') || noActiveTabsExist)) {
+            initDiagnostics(diagnosticsContainer);
+        }
+
+        const tabs = node.querySelectorAll('.cbi-tabmenu');
+        if (tabs.length > 0) {
+            tabs[0].addEventListener('click', function (e) {
+                const tab = e.target.closest('.cbi-tab');
+                if (tab) {
+                    const tabName = tab.getAttribute('data-tab');
+                    if (tabName === 'diagnostics') {
+                        const container = document.getElementById('diagnostics-status');
+                        container.setAttribute('data-loading', 'true');
+                        initDiagnostics(container);
+                    } else {
+                        stopDiagnosticsUpdates();
+                        // Don't stop error polling - it should continue on all tabs
+                    }
+                }
+            });
+        }
+    }, constants.DIAGNOSTICS_INITIAL_DELAY);
+
+    node.classList.add('fade-in');
+    return node;
+}
+
+return baseclass.extend({
+    createDiagnosticsSection,
+    setupDiagnosticsEventHandlers
+}); 

luci-app-podkop/htdocs/luci-static/resources/view/podkop/utils.js

@@ -0,0 +1,152 @@
+'use strict';
+'require baseclass';
+'require ui';
+'require fs';
+'require view.podkop.constants as constants';
+
+// Flag to track if this is the first error check
+let isInitialCheck = true;
+
+// Set to track which errors we've already seen
+const lastErrorsSet = new Set();
+
+// Timer for periodic error polling
+let errorPollTimer = null;
+
+// Helper function to fetch errors from the podkop command
+async function getPodkopErrors() {
+    return new Promise(resolve => {
+        safeExec('/usr/bin/podkop', ['check_logs'], 'P0_PRIORITY', result => {
+            if (!result || !result.stdout) return resolve([]);
+
+            const logs = result.stdout.split('\n');
+            const errors = logs.filter(log =>
+                log.includes('[critical]')
+            );
+
+            resolve(errors);
+        });
+    });
+}
+
+// Show error notification to the user
+function showErrorNotification(error, isMultiple = false) {
+    const notificationContent = E('div', { 'class': 'alert-message error' }, [
+        E('pre', { 'class': 'error-log' }, error)
+    ]);
+
+    ui.addNotification(null, notificationContent);
+}
+
+// Helper function for command execution with prioritization
+function safeExec(command, args, priority, callback, timeout = constants.COMMAND_TIMEOUT) {
+    // Default to highest priority execution if priority is not provided or invalid
+    let schedulingDelay = constants.COMMAND_SCHEDULING.P0_PRIORITY;
+
+    // If priority is a string, try to get the corresponding delay value
+    if (typeof priority === 'string' && constants.COMMAND_SCHEDULING[priority] !== undefined) {
+        schedulingDelay = constants.COMMAND_SCHEDULING[priority];
+    }
+
+    const executeCommand = async () => {
+        try {
+            const controller = new AbortController();
+            const timeoutId = setTimeout(() => controller.abort(), timeout);
+
+            const result = await Promise.race([
+                fs.exec(command, args),
+                new Promise((_, reject) => {
+                    controller.signal.addEventListener('abort', () => {
+                        reject(new Error('Command execution timed out'));
+                    });
+                })
+            ]);
+
+            clearTimeout(timeoutId);
+
+            if (callback && typeof callback === 'function') {
+                callback(result);
+            }
+
+            return result;
+        } catch (error) {
+            console.warn(`Command execution failed or timed out: ${command} ${args.join(' ')}`);
+            const errorResult = { stdout: '', stderr: error.message, error: error };
+
+            if (callback && typeof callback === 'function') {
+                callback(errorResult);
+            }
+
+            return errorResult;
+        }
+    };
+
+    if (callback && typeof callback === 'function') {
+        setTimeout(executeCommand, schedulingDelay);
+        return;
+    }
+    else {
+        return executeCommand();
+    }
+}
+
+// Check for critical errors and show notifications
+async function checkForCriticalErrors() {
+    try {
+        const errors = await getPodkopErrors();
+
+        if (errors && errors.length > 0) {
+            // Filter out errors we've already seen
+            const newErrors = errors.filter(error => !lastErrorsSet.has(error));
+
+            if (newErrors.length > 0) {
+                // On initial check, just store errors without showing notifications
+                if (!isInitialCheck) {
+                    // Show each new error as a notification
+                    newErrors.forEach(error => {
+                        showErrorNotification(error, newErrors.length > 1);
+                    });
+                }
+
+                // Add new errors to our set of seen errors
+                newErrors.forEach(error => lastErrorsSet.add(error));
+            }
+        }
+
+        // After first check, mark as no longer initial
+        isInitialCheck = false;
+    } catch (error) {
+        console.error('Error checking for critical messages:', error);
+    }
+}
+
+// Start polling for errors at regular intervals
+function startErrorPolling() {
+    if (errorPollTimer) {
+        clearInterval(errorPollTimer);
+    }
+
+    // Reset initial check flag to make sure we show errors
+    isInitialCheck = false;
+
+    // Immediately check for errors on start
+    checkForCriticalErrors();
+
+    // Then set up periodic checks
+    errorPollTimer = setInterval(checkForCriticalErrors, constants.ERROR_POLL_INTERVAL);
+}
+
+// Stop polling for errors
+function stopErrorPolling() {
+    if (errorPollTimer) {
+        clearInterval(errorPollTimer);
+        errorPollTimer = null;
+    }
+}
+
+return baseclass.extend({
+    startErrorPolling,
+    stopErrorPolling,
+    checkForCriticalErrors,
+    safeExec
+}); 

luci-app-podkop/po/ru/podkop.po

@@ -745,10 +745,10 @@ msgstr "Проверка FakeIP через CLI"
 msgid "FakeIP CLI Check Results"
 msgstr "Результаты проверки FakeIP через CLI"
 
-msgid "not works in browser"
+msgid "does not work in browser"
 msgstr "не работает в браузере"
 
-msgid "not works on router"
+msgid "does not work on router"
 msgstr "не работает на роутере"
 
 msgid "Diagnostics"
@@ -842,4 +842,34 @@ msgid "Its must be router!"
 msgstr "Это должен быть роутер!"
 
 msgid "Global check"
-msgstr "Глобальная проверка"
+msgstr "Глобальная проверка"
+
+msgid "Starting lists update..."
+msgstr "Начало обновления списков..."
+
+msgid "DNS check passed"
+msgstr "Проверка DNS пройдена"
+
+msgid "DNS check failed after 60 attempts"
+msgstr "Проверка DNS не удалась после 60 попыток"
+
+msgid "GitHub connection check passed"
+msgstr "Проверка подключения к GitHub пройдена"
+
+msgid "GitHub connection check passed (via proxy)"
+msgstr "Проверка подключения к GitHub пройдена (через прокси)"
+
+msgid "GitHub connection check failed after 60 attempts"
+msgstr "Проверка подключения к GitHub не удалась после 60 попыток"
+
+msgid "Downloading and processing lists..."
+msgstr "Загрузка и обработка списков..."
+
+msgid "Lists update completed successfully"
+msgstr "Обновление списков успешно завершено"
+
+msgid "Lists update failed"
+msgstr "Обновление списков не удалось"
+
+msgid "Error: "
+msgstr "Ошибка: "

luci-app-podkop/po/templates/podkop.pot

@@ -1096,10 +1096,10 @@ msgstr ""
 msgid "FakeIP CLI Check Results"
 msgstr ""
 
-msgid "not works in browser"
+msgid "does not work in browser"
 msgstr ""
 
-msgid "not works on router"
+msgid "does not work on router"
 msgstr ""
 
 msgid "Diagnostics"
@@ -1193,4 +1193,37 @@ msgid "Its must be router!"
 msgstr ""
 
 msgid "Global check"
+msgstr ""
+
+msgid "Starting lists update..."
+msgstr ""
+
+msgid "DNS check passed"
+msgstr ""
+
+msgid "DNS check failed after 60 attempts"
+msgstr ""
+
+msgid "GitHub connection check passed"
+msgstr ""
+
+msgid "GitHub connection check passed (via proxy)"
+msgstr ""
+
+msgid "GitHub connection check failed after 60 attempts"
+msgstr ""
+
+msgid "Downloading and processing lists..."
+msgstr ""
+
+msgid "Lists update completed successfully"
+msgstr ""
+
+msgid "Lists update failed"
+msgstr ""
+
+msgid "Loading..."
+msgstr ""
+
+msgid "Error: "
 msgstr ""

podkop/Makefile

@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=podkop
-PKG_VERSION:=0.3.44
+PKG_VERSION:=0.4.6
 PKG_RELEASE:=1
 
 PKG_MAINTAINER:=ITDog <podkop@itdog.info>
@@ -15,7 +15,7 @@ define Package/podkop
 	DEPENDS:=+sing-box +curl +jq +kmod-nft-tproxy +coreutils-base64
 	CONFLICTS:=https-dns-proxy
 	TITLE:=Domain routing app
-	URL:=https://itdog.info
+	URL:=https://podkop.net
 	PKGARCH:=all
 endef
 

podkop/files/etc/config/podkop

@@ -31,8 +31,11 @@ config main 'main'
 	option quic_disable '0'
 	option dont_touch_dhcp '0'
 	option update_interval '1d'
-	option dns_type 'doh'
+	option dns_type 'udp'
 	option dns_server '8.8.8.8'
+	option split_dns_enabled '1'
+	option split_dns_type 'udp'
+	option split_dns_server '1.1.1.1'
 	option dns_rewrite_ttl '60'
 	option cache_file '/tmp/cache.db'
 	list iface 'br-lan'

podkop/files/etc/init.d/podkop

@@ -35,12 +35,14 @@ service_triggers() {
 	config_get mon_restart_ifaces "main" "mon_restart_ifaces"
 	config_get restart_ifaces "main" "restart_ifaces"
 
+    PROCD_RELOAD_DELAY=2000
+
 	procd_open_trigger
 		procd_add_config_trigger "config.change" "$NAME" "$initscript" restart 'on_config_change'
 
         if [ "$mon_restart_ifaces" = "1" ]; then
 			for iface in $restart_ifaces; do
-				procd_add_reload_interface_trigger $iface
+            	procd_add_interface_trigger "interface.*.up" "$iface" /etc/init.d/podkop reload
 			done
 		fi
 	procd_close_trigger

podkop/files/usr/bin/podkop

@@ -16,16 +16,23 @@ SUBNETS_META="${GITHUB_RAW_URL}/Subnets/IPv4/meta.lst"
 SUBNETS_DISCORD="${GITHUB_RAW_URL}/Subnets/IPv4/discord.lst"
 SUBNETS_TELERAM="${GITHUB_RAW_URL}/Subnets/IPv4/telegram.lst"
 SUBNETS_CLOUDFLARE="${GITHUB_RAW_URL}/Subnets/IPv4/cloudflare.lst"
+SUBNETS_HETZNER="${GITHUB_RAW_URL}/Subnets/IPv4/hetzner.lst"
+SUBNETS_OVH="${GITHUB_RAW_URL}/Subnets/IPv4/ovh.lst"
 SING_BOX_CONFIG="/etc/sing-box/config.json"
 FAKEIP="198.18.0.0/15"
-VALID_SERVICES="russia_inside russia_outside ukraine_inside geoblock block porn news anime youtube discord meta twitter hdrezka tiktok telegram cloudflare"
+VALID_SERVICES="russia_inside russia_outside ukraine_inside geoblock block porn news anime youtube discord meta twitter hdrezka tiktok telegram cloudflare google_ai google_play hetzner ovh"
 DNS_RESOLVERS="1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 9.9.9.9 9.9.9.11 94.140.14.14 94.140.15.15 208.67.220.220 208.67.222.222 77.88.8.1 77.88.8.8"
-TEST_DOMAIN="fakeip.podkop.net"
+TEST_DOMAIN="fakeip.podkop.fyi"
 INTERFACES_LIST=""
 SRC_INTERFACE=""
 RESOLV_CONF="/etc/resolv.conf"
 CLOUDFLARE_OCTETS="103.21 103.22 103.31 104.16 104.17 104.18 104.19 104.20 104.21 104.22 104.23 104.24 104.25 104.26 104.27 104.28 108.162 131.0 141.101 162.158 162.159 172.64 172.65 172.66 172.67 172.68 172.69 172.70 172.71 173.245 188.114 190.93 197.234 198.41"
 
+# Color constants
+COLOR_CYAN="\033[0;36m"
+COLOR_GREEN="\033[0;32m"
+COLOR_RESET="\033[0m"
+
 log() {
     local message="$1"
     local timestamp=$(date +"%Y-%m-%d %H:%M:%S")
@@ -36,11 +43,18 @@ log() {
 nolog() {
     local message="$1"
     local timestamp=$(date +"%Y-%m-%d %H:%M:%S")
-    local CYAN="\033[0;36m"
-    local GREEN="\033[0;32m"
-    local RESET="\033[0m"
 
-    echo -e "${CYAN}[$timestamp]${RESET} ${GREEN}$message${RESET}"
+    echo -e "${COLOR_CYAN}[$timestamp]${COLOR_RESET} ${COLOR_GREEN}$message${COLOR_RESET}"
+}
+
+echolog() {
+    local message="$1"
+    log "$message"
+    nolog "$message"
+}
+
+build_sing_box_config() {
+    cat > /tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json "$SING_BOX_CONFIG"
 }
 
 start_main() {
@@ -55,10 +69,6 @@ start_main() {
         exit 1
     fi
 
-    if opkg list-installed | grep -q iptables-mod-extra; then
-        log "[critical] Conflicting package detected: iptables-mod-extra"
-    fi
-
     if grep -qE 'doh_backup_noresolv|doh_backup_server|doh_server' /etc/config/dhcp; then
         log "[critical] Detected https-dns-proxy in dhcp config. Edit /etc/config/dhcp"
     fi
@@ -66,8 +76,13 @@ start_main() {
     migration
 
     config_foreach process_validate_service
+    
+    br_netfilter_disable
 
-    sleep 3
+    # Sync time for DoH/DoT
+    /usr/sbin/ntpd -q -p 194.190.168.1 -p 216.239.35.0 -p 216.239.35.4 -p 162.159.200.1 -p 162.159.200.123
+
+    sleep 1
 
     mkdir -p /tmp/podkop
 
@@ -113,7 +128,7 @@ start_main() {
         jq '.experimental.clash_api = {
             "external_ui": "ui",
             "external_controller": "0.0.0.0:9090"
-        }' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+        }' "$SING_BOX_CONFIG" | build_sing_box_config
     fi
 
     config_get_bool exclude_ntp "main" "exclude_ntp" "0"
@@ -136,7 +151,6 @@ start_main() {
 
     sing_box_config_check
     /etc/init.d/sing-box start
-    #/etc/init.d/sing-box enable
     log "Nice"
 }
 
@@ -160,7 +174,7 @@ stop_main() {
 
     if [ -f /var/run/podkop_list_update.pid ]; then
         pid=$(cat /var/run/podkop_list_update.pid)
-        if kill -0 "$pid"; then
+        if kill -0 "$pid" 2>/dev/null; then
             kill "$pid" 2>/dev/null
             log "Stopped list_update"
         fi
@@ -286,6 +300,14 @@ process_validate_service() {
     fi
 }
 
+br_netfilter_disable() {
+    if lsmod | grep -q br_netfilter && [ "$(sysctl -n net.bridge.bridge-nf-call-iptables 2>/dev/null)" = "1" ]; then
+        log "br_netfilter enabled detected. Disabling"
+        sysctl -w net.bridge.bridge-nf-call-iptables=0
+        sysctl -w net.bridge.bridge-nf-call-ip6tables=0
+	fi
+}
+
 # Main funcs
 
 route_table_rule_mark() {
@@ -375,8 +397,6 @@ save_dnsmasq_config() {
 
 dnsmasq_add_resolver() {
     log "Save dnsmasq config"
-    save_dnsmasq_config "dhcp.@dnsmasq[0].noresolv" "dhcp.@dnsmasq[0].podkop_noresolv"
-    save_dnsmasq_config "dhcp.@dnsmasq[0].cachesize" "dhcp.@dnsmasq[0].podkop_cachesize"
 
     uci -q delete dhcp.@dnsmasq[0].podkop_server
     for server in $(uci get dhcp.@dnsmasq[0].server 2>/dev/null); do
@@ -388,6 +408,9 @@ dnsmasq_add_resolver() {
         fi
     done
 
+    save_dnsmasq_config "dhcp.@dnsmasq[0].noresolv" "dhcp.@dnsmasq[0].podkop_noresolv"
+    save_dnsmasq_config "dhcp.@dnsmasq[0].cachesize" "dhcp.@dnsmasq[0].podkop_cachesize"
+
     log "Configure dnsmasq for sing-box"
     uci set dhcp.@dnsmasq[0].noresolv="1"
     uci set dhcp.@dnsmasq[0].cachesize="0"
@@ -402,8 +425,9 @@ dnsmasq_restore() {
     log "Removing configuration for dnsmasq"
 
     local cachesize=$(uci get dhcp.@dnsmasq[0].podkop_cachesize 2>/dev/null)
-    if [ -z "$cachesize" ]; then
+    if [[ "$cachesize" == "unset" ]]; then
         log "dnsmasq revert: cachesize is unset"
+        uci -q delete dhcp.@dnsmasq[0].cachesize
     else
         uci set dhcp.@dnsmasq[0].cachesize="$cachesize"
     fi
@@ -418,11 +442,11 @@ dnsmasq_restore() {
 
     local server=$(uci get dhcp.@dnsmasq[0].server 2>/dev/null)
     if [[ "$server" == "127.0.0.42" ]]; then
-        uci -q delete dhcp.@dnsmasq[0].server
+        uci -q delete dhcp.@dnsmasq[0].server 2>/dev/null
         for server in $(uci get dhcp.@dnsmasq[0].podkop_server 2>/dev/null); do
             uci add_list dhcp.@dnsmasq[0].server="$server"
         done
-        uci delete dhcp.@dnsmasq[0].podkop_server
+        uci delete dhcp.@dnsmasq[0].podkop_server 2>/dev/null
     fi
 
     uci delete dhcp.@dnsmasq[0].podkop_cachesize
@@ -543,7 +567,7 @@ prepare_custom_ruleset() {
             "type": "local",
             "format": "source",
             "path": $file
-        }]' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+        }]' "$SING_BOX_CONFIG" | build_sing_box_config
 
         sing_box_rules $tag $section
         sing_box_dns_rule_fakeip_section $tag $tag
@@ -553,13 +577,13 @@ prepare_custom_ruleset() {
 }
 
 list_update() {
-    log "Update remote lists"
+    echolog "🔄 Starting lists update..."
 
     local i
 
     for i in $(seq 1 60); do
         if nslookup -timeout=1 openwrt.org >/dev/null 2>&1; then
-            log "DNS is available"
+            echolog "✅ DNS check passed"
             break
         fi
         log "DNS is unavailable [$i/60]"
@@ -567,7 +591,7 @@ list_update() {
     done
 
     if [ "$i" -eq 60 ]; then
-        log "Error: DNS check failed after 10 attempts"
+        echolog "❌ DNS check failed after 60 attempts"
         return 1
     fi
 
@@ -575,28 +599,36 @@ list_update() {
         config_get_bool detour "main" "detour" "0"
         if [ "$detour" -eq 1 ]; then
             if http_proxy="http://127.0.0.1:4534" https_proxy="http://127.0.0.1:4534" curl -s -m 3 https://github.com >/dev/null; then
-                log "GitHub is available"
+                echolog "✅ GitHub connection check passed (via proxy)"
                 break
             fi
         else
             if curl -s -m 3 https://github.com >/dev/null; then
-                log "GitHub is available"
+                echolog "✅ GitHub connection check passed"
                 break
             fi
         fi
 
-        log "GitHub is unavailable [$i/60]"
+        echolog "GitHub is unavailable [$i/60]"
         sleep 3
     done
 
     if [ "$i" -eq 60 ]; then
-        log "Error: Cannot connect to GitHub after 10 attempts"
+        echolog "❌ GitHub connection check failed after 60 attempts"
         return 1
     fi
 
+    echolog "📥 Downloading and processing lists..."
+    
     config_foreach process_remote_ruleset_subnet
     config_foreach process_domains_list_url
     config_foreach process_subnet_for_section_remote
+
+    if [ $? -eq 0 ]; then
+        echolog "✅ Lists update completed successfully"
+    else
+        echolog "❌ Lists update failed"
+    fi
 }
 
 find_working_resolver() {
@@ -652,7 +684,7 @@ add_socks5_for_section() {
         "inbound": [$tag],
         "outbound": $section,
         "action": "route"
-    }]' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+    }]' "$SING_BOX_CONFIG" | build_sing_box_config
 }
 
 process_socks5() {
@@ -709,10 +741,14 @@ sing_box_dns() {
     local dns_type
     local dns_server
     local resolver_tag="resolver"
+    local split_resolver_tag="split-resolver"
 
     config_get dns_type "main" "dns_type" "doh"
     config_get dns_server "main" "dns_server" "1.1.1.1"
-    
+    config_get split_dns_enabled "main" "split_dns_enabled" "0"
+    config_get split_dns_type "main" "split_dns_type" "udp"
+    config_get split_dns_server "main" "split_dns_server" "1.1.1.1"
+
     local server_json
     local is_ip=$(echo "$dns_server" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' && echo "1" || echo "0")
     
@@ -768,19 +804,79 @@ sing_box_dns() {
             }]')
     fi
     
+    if [ "$split_dns_enabled" = "1" ]; then
+        local split_is_ip=$(echo "$split_dns_server" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' && echo "1" || echo "0")
+        if [ "$split_is_ip" = "0" ]; then
+            log "Finding working resolver for split DNS"
+            local split_dns_resolver=$(find_working_resolver)
+            if [ -z "$split_dns_resolver" ]; then
+                log "No working resolver found for split DNS, using default"
+                split_dns_resolver="1.1.1.1"
+            else
+                log "Found working resolver for split DNS: $split_dns_resolver"
+            fi
+        fi
+
+        server_json=$(echo "$server_json" | jq \
+            --arg type "$split_dns_type" \
+            --arg server "$split_dns_server" \
+            --arg split_is_ip "$split_is_ip" \
+            --arg split_resolver_tag "$split_resolver_tag" \
+            ' .servers += [
+                {
+                    "tag": "split-dns-server",
+                    "address": (
+                        if $type == "doh" then
+                            "https://" + $server + "/dns-query"
+                        elif $type == "dot" then
+                            "tls://" + $server
+                        else
+                            $server
+                        end
+                    ),
+                    "detour": "main"
+                } + (
+                    if $split_is_ip == "0" then
+                        {"address_resolver": $split_resolver_tag}
+                    else
+                        {}
+                    end
+                )
+            ]')
+
+        if [ "$split_is_ip" = "0" ]; then
+            server_json=$(echo "$server_json" | jq \
+                --arg split_resolver_tag "$split_resolver_tag" \
+                --arg split_dns_resolver "$split_dns_resolver" \
+                '.servers += [{
+                    "tag": $split_resolver_tag,
+                    "address": $split_dns_resolver
+                }]')
+        fi
+    fi
+
     server_json=$(echo "$server_json" | jq '.servers += [{"tag": "fakeip-server", "address": "fakeip"}]')
     
     jq \
         --argjson dns_config "$server_json" \
         --arg fakeip "$FAKEIP" \
+        --argjson split_dns_enabled "$split_dns_enabled" \
         '.dns = {
             "strategy": "ipv4_only",
+            "independent_cache": true,
+            "final": (
+                if $split_dns_enabled == 1 then
+                    "split-dns-server"
+                else
+                    "dns-server"
+                end
+                ),
             "fakeip": {
                 "enabled": true,
                 "inet4_range": $fakeip
             },
             "servers": $dns_config.servers
-        }' $SING_BOX_CONFIG > /tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+        }' "$SING_BOX_CONFIG" | build_sing_box_config
 }
 
 sing_box_create_bypass_ruleset() {
@@ -793,11 +889,11 @@ sing_box_create_bypass_ruleset() {
         "rules": [
             {
                 "domain_suffix": [
-                    "ip.podkop.net"
+                    "ip.podkop.fyi"
                 ]
             }
         ]
-    }]' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+    }]' "$SING_BOX_CONFIG" | build_sing_box_config
     
     # Add a rule to route bypass domains to direct-out outbound
     jq '
@@ -806,49 +902,64 @@ sing_box_create_bypass_ruleset() {
         "rule_set": ["bypass"],
         "outbound": "main",
         "action": "route"
-    }]' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+    }]' "$SING_BOX_CONFIG" | build_sing_box_config
     
     # Make sure the bypass ruleset is in the fakeip DNS rule
     jq '
     .dns.rules = (.dns.rules | map(
-        if .server == "fakeip-server" then 
-            .rule_set += ["bypass"] 
-        else 
-            . 
+        if (.server == "fakeip-server" or (.server == "dns-server" and .invert == true)) then 
+            if any(.rule_set[]?; . == "bypass") then
+                .
+            else
+                .rule_set += ["bypass"]
+            end
+        else
+            .
         end
-    ))' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+    ))' "$SING_BOX_CONFIG" | build_sing_box_config
 }
 
 sing_box_dns_rule_fakeip() {
     local rewrite_ttl
-    config_get rewrite_ttl "main" "dns_rewrite_ttl" "600"
-    
+    config_get rewrite_ttl "main" "dns_rewrite_ttl" "60"
+    config_get split_dns_enabled "main" "split_dns_enabled" "0"
+
     log "Configure fakeip route in sing-box and set TTL to $rewrite_ttl seconds"
     
     jq \
     --arg ttl "$rewrite_ttl" \
-    '.dns += {
-        "rules": [
-              {
-            "query_type": [
-                "HTTPS"
-            ],
-            "action": "reject"
-            },
+    --argjson split_dns_enabled "$split_dns_enabled" \
+    '.dns.rules = [
             {
-            "domain_suffix": [
-                "use-application-dns.net"
-            ],
+                "query_type": [
+                    "HTTPS"
+                ],
                 "action": "reject"
             },
             {
-            "server": "fakeip-server",
-            "domain": "",
-            "rewrite_ttl": ($ttl | tonumber),
-            "rule_set": []
+                "domain_suffix": [
+                    "use-application-dns.net"
+                ],
+                    "action": "reject"
+            },
+            {
+                "server": "fakeip-server",
+                "domain": "",
+                "rewrite_ttl": ($ttl | tonumber),
+                "rule_set": []
             }
         ]
-    }' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+        + (
+            if $split_dns_enabled == 1 then
+                [{
+                    "server": "dns-server",
+                    "domain": "",
+                    "invert": true,
+                    "rule_set": []
+                }]
+            else []
+            end
+    )' "$SING_BOX_CONFIG" | build_sing_box_config
 }
 
 sing_box_dns_rule_fakeip_section() {
@@ -859,16 +970,16 @@ sing_box_dns_rule_fakeip_section() {
     jq \
     --arg rule_set "$rule_set" \
     '.dns.rules |= map(
-        if .server == "fakeip-server" then 
+        if (.server == "fakeip-server" or (.server == "dns-server" and .invert == true)) then 
             if any(.rule_set[]?; . == $rule_set) then 
                 .
-            else 
+            else
                 .rule_set += [$rule_set] 
             end
-        else 
-            . 
+        else
+            .
         end
-    )' "$SING_BOX_CONFIG" >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json "$SING_BOX_CONFIG"
+    )' "$SING_BOX_CONFIG" | build_sing_box_config
 }
 
 sing_box_cache_file() {
@@ -884,7 +995,7 @@ sing_box_cache_file() {
         "store_fakeip": true,
         "path": $cache_file
         }
-    }' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+    }' "$SING_BOX_CONFIG" | build_sing_box_config
 }
 
 sing_box_outdound() {
@@ -939,6 +1050,9 @@ sing_box_outdound() {
             fi
         fi
         ;;
+    "block")
+        log "Block mode"
+        ;;
     *)
         log "Requires *vpn* or *proxy* value"
         return
@@ -964,7 +1078,7 @@ sing_box_outbound_interface() {
                 [{"tag": $section, "type": "direct", "bind_interface": $interface}]
               else [] end
             )
-          )' "$SING_BOX_CONFIG" > /tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json "$SING_BOX_CONFIG"
+          )' "$SING_BOX_CONFIG" | build_sing_box_config
 
     if [ $? -eq 0 ]; then
         log "Config updated successfully"
@@ -992,7 +1106,7 @@ sing_box_rule_dns() {
         }
         ],
         "auto_detect_interface": true
-    }' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+    }' "$SING_BOX_CONFIG" | build_sing_box_config
 }
 
 sing_box_config_check() {
@@ -1024,7 +1138,7 @@ sing_box_config_outbound_json() {
                 [$outbound]
               else [] end
             )
-          )' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+          )' "$SING_BOX_CONFIG" | build_sing_box_config
 
     if [ $? -eq 0 ]; then
         log "Outbound config updated successfully"
@@ -1087,7 +1201,7 @@ sing_box_config_shadowsocks() {
             } + (if $ss_uot == 1 then { "udp_over_tcp": { "enabled": true, "version": 2 } } else {} end)]
           else [] end
         )
-      )' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+      )' "$SING_BOX_CONFIG" | build_sing_box_config
 
     if [ $? -eq 0 ]; then
         log "Config Shadowsocks updated successfully"
@@ -1213,14 +1327,14 @@ sing_box_config_vless() {
             else . end
           else . end
         )
-      else . end' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+      else . end' "$SING_BOX_CONFIG" | build_sing_box_config
 
 
     if [ $? -eq 0 ]; then
         log "Config VLESS created successfully"
     else
-        log "Error: VLESS invalid JSON config generated"
-        return 1
+        log "[critical] Error: VLESS invalid JSON config generated"
+        exit 1
     fi
 }
 
@@ -1249,7 +1363,7 @@ sing_box_ruleset_domains() {
         else
             .
         end
-        ' /etc/sing-box/config.json > /tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json /etc/sing-box/config.json
+        ' "$SING_BOX_CONFIG" | build_sing_box_config
 
         log "$domain added to the list for tag $tag"
     else
@@ -1268,7 +1382,7 @@ sing_box_ruleset_domains() {
                     }
                 ]
             }
-        ]' /etc/sing-box/config.json > /tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json /etc/sing-box/config.json
+        ]' "$SING_BOX_CONFIG" | build_sing_box_config
 
         log "$domain added as a new rule set for tag $tag"
     fi
@@ -1300,7 +1414,7 @@ sing_box_ruleset_subnets() {
         else
             .
         end
-        ' /etc/sing-box/config.json > /tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json /etc/sing-box/config.json
+        ' "$SING_BOX_CONFIG" | build_sing_box_config
 
         log "$subnet added to the list for tag $tag"
     else
@@ -1319,7 +1433,7 @@ sing_box_ruleset_subnets() {
                     }
                 ]
             }
-        ]' /etc/sing-box/config.json > /tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json /etc/sing-box/config.json
+        ]' "$SING_BOX_CONFIG" | build_sing_box_config
 
         log "$subnet added as a new rule set for tag $tag"
     fi
@@ -1402,7 +1516,7 @@ sing_box_ruleset_remote() {
                 } +
                     (if $detour == "1" then {"download_detour": "main"} else {} end)
             )
-        ]' "$SING_BOX_CONFIG" > /tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json "$SING_BOX_CONFIG"
+        ]' "$SING_BOX_CONFIG" | build_sing_box_config
 
         log "Added new ruleset with tag $tag"
     fi
@@ -1425,6 +1539,12 @@ list_subnets_download() {
         "cloudflare")
             URL=$SUBNETS_CLOUDFLARE
             ;;
+        "hetzner")
+            URL=$SUBNETS_HETZNER
+            ;;
+        "ovh")
+            URL=$SUBNETS_OVH
+            ;;
         "discord")
             URL=$SUBNETS_DISCORD
             nft add set inet $table podkop_discord_subnets { type ipv4_addr\; flags interval\; auto-merge\; }
@@ -1458,27 +1578,54 @@ sing_box_rules() {
     local rule_set="$1"
     local outbound="$2"
 
-    # Check if there is an outbound rule for "tproxy-in"
-    local rule_exists=$(jq -r '.route.rules[] | select(.outbound == "'"$outbound"'" and .inbound == ["tproxy-in"])' "$SING_BOX_CONFIG")
+    config_get mode "$section" "mode"
 
-    if [[ -n "$rule_exists" ]]; then
-        # If a rule for tproxy-in exists, add a new rule_set to the existing rule
-        jq \
-        --arg rule_set "$rule_set" \
-        --arg outbound "$outbound" \
-        '(.route.rules[] | select(.outbound == $outbound and .inbound == ["tproxy-in"]) .rule_set) += [$rule_set]' \
-        "$SING_BOX_CONFIG" >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json "$SING_BOX_CONFIG"
+    if [[ "$mode" == "block" ]]; then
+        # Action reject
+        # Check if there is an rule with reject"
+        local rule_exists=$(jq -r '.route.rules[] | select(.inbound == ["tproxy-in"] and .action == "reject")' "$SING_BOX_CONFIG")
+
+        if [[ -n "$rule_exists" ]]; then
+            # If a rule for rejectexists, add a new rule_set to the existing rule
+            jq \
+            --arg rule_set "$rule_set" \
+            '(.route.rules[] | select(.inbound == ["tproxy-in"] and .action == "reject") .rule_set) += [$rule_set]' \
+            "$SING_BOX_CONFIG" | build_sing_box_config
+        else
+            # If there is no rule for reject, create a new one with rule_set
+            jq \
+            --arg rule_set "$rule_set" \
+            '.route.rules += [{
+                "inbound": ["tproxy-in"],
+                "rule_set": [$rule_set],
+                "action": "reject"
+            }]' "$SING_BOX_CONFIG" | build_sing_box_config
+        fi
+        return
     else
-        # If there is no rule for tproxy-in, create a new one with rule_set
-        jq \
-        --arg rule_set "$rule_set" \
-        --arg outbound "$outbound" \
-        '.route.rules += [{
-            "inbound": ["tproxy-in"],
-            "rule_set": [$rule_set],
-            "outbound": $outbound,
-            "action": "route"
-        }]' "$SING_BOX_CONFIG" >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json "$SING_BOX_CONFIG"
+        # Action route
+        # Check if there is an outbound rule for "tproxy-in"
+        local rule_exists=$(jq -r '.route.rules[] | select(.outbound == "'"$outbound"'" and .inbound == ["tproxy-in"])' "$SING_BOX_CONFIG")
+
+        if [[ -n "$rule_exists" ]]; then
+            # If a rule for tproxy-in exists, add a new rule_set to the existing rule
+            jq \
+            --arg rule_set "$rule_set" \
+            --arg outbound "$outbound" \
+            '(.route.rules[] | select(.outbound == $outbound and .inbound == ["tproxy-in"]) .rule_set) += [$rule_set]' \
+            "$SING_BOX_CONFIG" | build_sing_box_config
+        else
+            # If there is no rule for tproxy-in, create a new one with rule_set
+            jq \
+            --arg rule_set "$rule_set" \
+            --arg outbound "$outbound" \
+            '.route.rules += [{
+                "inbound": ["tproxy-in"],
+                "rule_set": [$rule_set],
+                "outbound": $outbound,
+                "action": "route"
+            }]' "$SING_BOX_CONFIG" | build_sing_box_config
+        fi
     fi
 }
 
@@ -1495,7 +1642,7 @@ sing_box_quic_reject() {
                     . + [$rule]
                 end
             )
-        )' "$SING_BOX_CONFIG" >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json "$SING_BOX_CONFIG"
+        )' "$SING_BOX_CONFIG" | build_sing_box_config
 
         log "QUIC reject rule added successfully"
     fi
@@ -1572,18 +1719,24 @@ list_custom_url_domains_create() {
     local section="$2"
     local URL="$1"
     local filename=$(basename "$URL")
+    local filepath="/tmp/podkop/${filename}"
 
     config_get_bool detour "main" "detour" "0"
     if [ "$detour" -eq 1 ]; then
-        http_proxy="http://127.0.0.1:4534" https_proxy="http://127.0.0.1:4534" wget -O "/tmp/podkop/${filename}" "$URL"
+        http_proxy="http://127.0.0.1:4534" https_proxy="http://127.0.0.1:4534" wget -O "$filepath" "$URL"
     else
-        wget -O "/tmp/podkop/${filename}" "$URL"
+        wget -O "$filepath" "$URL"
+    fi
+
+    if grep -q $'\r' "$filepath"; then
+        log "$filename has Windows line endings (CRLF). Converting to Unix (LF)"
+        sed -i 's/\r$//' "$filepath"
     fi
 
     while IFS= read -r domain; do
         log "From downloaded file: $domain"
         sing_box_ruleset_domains_json $domain $section
-    done <"/tmp/podkop/$filename"
+    done <"$filepath"
 }
 
 process_domains_list_url() {
@@ -1617,19 +1770,25 @@ list_custom_url_subnets_create() {
     local section="$2"
     local URL="$1"
     local filename=$(basename "$URL")
+    local filepath="/tmp/podkop/${filename}"
 
     config_get_bool detour "main" "detour" "0"
     if [ "$detour" -eq 1 ]; then
-        http_proxy="http://127.0.0.1:4534" https_proxy="http://127.0.0.1:4534" wget -O "/tmp/podkop/${filename}" "$URL"
+        http_proxy="http://127.0.0.1:4534" https_proxy="http://127.0.0.1:4534" wget -O "$filepath" "$URL"
     else
-        wget -O "/tmp/podkop/${filename}" "$URL"
+        wget -O "$filepath" "$URL"
+    fi
+
+    if grep -q $'\r' "$filepath"; then
+        log "$filename has Windows line endings (CRLF). Converting to Unix (LF)"
+        sed -i 's/\r$//' "$filepath"
     fi
 
     while IFS= read -r subnet; do
         log "From local file: $subnet"
         sing_box_ruleset_subnets_json $subnet $section
         nft add element inet PodkopTable podkop_subnets { $subnet }
-    done <"/tmp/podkop/$filename"
+    done <"$filepath"
 }
 
 process_subnet_for_section_remote() {
@@ -1658,15 +1817,13 @@ sing_box_rules_source_ip_cidr() {
     local source_ip_cidr="$1"
     local outbound="$2"
 
-    local current_source_ip_cidr=$(jq -r '.route.rules[] | select(.outbound == "'"$outbound"'" and .action == "route" and (.rule_set | not))' $SING_BOX_CONFIG)
-
+    local current_source_ip_cidr=$(jq -r '.route.rules[] | select(.outbound == "'"$outbound"'" and .action == "route" and .source_ip_cidr and (.inbound // [] | contains(["tproxy-in"])))' $SING_BOX_CONFIG)
 
     if [[ -n "$current_source_ip_cidr" ]]; then
         jq \
         --arg source_ip_cidr "$source_ip_cidr" \
         --arg outbound "$outbound" \
-        '(.route.rules[] | select(.outbound == $outbound and .action == "route" and (.rule_set | not)) | .source_ip_cidr) += [$source_ip_cidr]' \
-        $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+        '(.route.rules[] | select(.outbound == $outbound and .action == "route" and .source_ip_cidr and (.inbound // [] | contains(["tproxy-in"]))) | .source_ip_cidr) += [$source_ip_cidr]' "$SING_BOX_CONFIG" | build_sing_box_config
     else
         jq \
         --arg source_ip_cidr "$source_ip_cidr" \
@@ -1678,7 +1835,7 @@ sing_box_rules_source_ip_cidr() {
                 "outbound": $outbound,
                 "action": "route"
             }
-        ] + .route.rules' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+        ] + .route.rules' "$SING_BOX_CONFIG" | build_sing_box_config
     fi
 }
 
@@ -1704,7 +1861,7 @@ detour_mixed() {
         "inbound": [$tag],
         "outbound": $section,
         "action": "route"
-    }]' $SING_BOX_CONFIG >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json $SING_BOX_CONFIG
+    }]' "$SING_BOX_CONFIG" | build_sing_box_config
 }
 
 ## nftables
@@ -1816,16 +1973,66 @@ check_nft() {
     
     # Check if table exists
     if ! nft list table inet PodkopTable >/dev/null 2>&1; then
-        nolog "PodkopTable not found"
+        nolog "❌ PodkopTable not found"
         return 1
     fi
+    
+    local found_hetzner=0
+    local found_ovh=0
+    
+    check_domain_list_contains() {
+        local section="$1"
+        
+        config_get_bool domain_list_enabled "$section" "domain_list_enabled" "0"
+        if [ "$domain_list_enabled" -eq 1 ]; then
+            config_list_foreach "$section" "domain_list" check_domain_value
+        fi
+    }
+    
+    check_domain_value() {
+        local domain_value="$1"
+        
+        if [ "$domain_value" = "hetzner" ]; then
+            found_hetzner=1
+        elif [ "$domain_value" = "ovh" ]; then
+            found_ovh=1
+        fi
+    }
+    
+    config_foreach check_domain_list_contains
+    
+    if [ "$found_hetzner" -eq 1 ] || [ "$found_ovh" -eq 1 ]; then
 
-    # Get all sets
-    nolog "\nSets configuration:"
+        local sets="podkop_subnets podkop_domains interfaces podkop_discord_subnets localv4"
+        
+        nolog "Sets statistics:"
+        for set_name in $sets; do
+            if nft list set inet PodkopTable $set_name >/dev/null 2>&1; then
+                # Count elements using grep to count commas and add 1 (last element has no comma)
+                local count=$(nft list set inet PodkopTable $set_name 2>/dev/null | grep -o ',\|{' | wc -l)
+                echo "- $set_name: $count elements"
+            fi
+        done
 
-    nft list table inet PodkopTable
-
-    nolog "\nNFT check completed"
+        nolog "Chain configurations:"
+        
+        # Create a temporary file for processing
+        local tmp_file=$(mktemp)
+        nft list table inet PodkopTable > "$tmp_file"
+        
+        # Extract chain configurations without element listings
+        sed -n '/chain mangle {/,/}/p' "$tmp_file" | grep -v "elements" | grep -v "^[[:space:]]*[0-9]"
+        sed -n '/chain proxy {/,/}/p' "$tmp_file" | grep -v "elements" | grep -v "^[[:space:]]*[0-9]"
+        
+        # Clean up
+        rm -f "$tmp_file"
+    else
+        # Simple view as originally implemented
+        nolog "Sets configuration:"
+        nft list table inet PodkopTable
+    fi
+    
+    nolog "NFT check completed"
 }
 
 check_github() {
@@ -2149,25 +2356,48 @@ check_dns_available() {
     fi
 
     if [ "$dns_type" = "doh" ]; then
-        local result=""
-        
-        if echo "$dns_server" | grep -q "quad9.net" || \
-           echo "$dns_server" | grep -qE "^9\.9\.9\.(9|10|11)$|^149\.112\.112\.(112|10|11)$|^2620:fe::(fe|9|10|11)$|^2620:fe::fe:(10|11)$"; then
-            result=$(curl --connect-timeout 5 -s -H "accept: application/dns-json" "https://$dns_server:5053/dns-query?name=itdog.info&type=A")
+        # Generate random DNS query ID (2 bytes)
+        local random_id=$(head -c2 /dev/urandom | hexdump -ve '1/1 "%.2x"' 2>/dev/null)
+        if [ $? -ne 0 ]; then
+            error_message="Failed to generate random ID"
+            status="internal error"
         else
-            result=$(curl --connect-timeout 5 -s -H "accept: application/dns-json" "https://$dns_server/dns-query?name=itdog.info&type=A")
-            if [ $? -eq 0 ] && echo "$result" | grep -q "data"; then
-                is_available=1
-                status="available"
+            # Create DNS wire format query for google.com A record with random ID
+            local dns_query=$(printf "\x${random_id:0:2}\x${random_id:2:2}\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x06google\x03com\x00\x00\x01\x00\x01" | base64 2>/dev/null)
+            if [ $? -ne 0 ]; then
+                error_message="Failed to generate DNS query"
+                status="internal error"
             else
-                result=$(curl --connect-timeout 5 -s -H "accept: application/dns-json" "https://$dns_server/resolve?name=itdog.info&type=A")
+                # Try POST method first (RFC 8484 compliant) with shorter timeout
+                local result=$(echo "$dns_query" | base64 -d 2>/dev/null | curl -H "Content-Type: application/dns-message" \
+                    -H "Accept: application/dns-message" \
+                    --data-binary @- \
+                    --max-time 2 \
+                    --connect-timeout 1 \
+                    -s \
+                    "https://$dns_server/dns-query" 2>/dev/null)
+                
+                if [ $? -eq 0 ] && [ -n "$result" ]; then
+                    is_available=1
+                    status="available"
+                else
+                    # Try GET method as fallback with shorter timeout
+                    local dns_query_no_padding=$(echo "$dns_query" | tr -d '=' 2>/dev/null)
+                    result=$(curl -H "accept: application/dns-message" \
+                        --max-time 2 \
+                        --connect-timeout 1 \
+                        -s \
+                        "https://$dns_server/dns-query?dns=$dns_query_no_padding" 2>/dev/null)
+                    
+                    if [ $? -eq 0 ] && [ -n "$result" ]; then
+                        is_available=1
+                        status="available"
+                    else
+                        error_message="DoH server not responding"
+                    fi
+                fi
             fi
         fi
-        
-        if [ $? -eq 0 ] && echo "$result" | grep -q "data"; then
-            is_available=1
-            status="available"
-        fi
     elif [ "$dns_type" = "dot" ]; then
         (nc "$dns_server" 853 </dev/null >/dev/null 2>&1) & pid=$!
         sleep 2
@@ -2204,7 +2434,7 @@ sing_box_add_secure_dns_probe_domain() {
     --arg domain "$domain" \
     --argjson override_port "$override_port" \
     '.dns.rules |= map(
-        if .server == "fakeip-server" then
+        if (.server == "fakeip-server" or (.server == "dns-server" and .invert == true)) then
             . + {
                 "domain": $domain
             }
@@ -2218,7 +2448,7 @@ sing_box_add_secure_dns_probe_domain() {
             "action": "route-options",
             "override_port": $override_port
         }
-    ]' "$SING_BOX_CONFIG" >/tmp/sing-box-config-tmp.json && mv /tmp/sing-box-config-tmp.json "$SING_BOX_CONFIG"
+    ]' "$SING_BOX_CONFIG" | build_sing_box_config
 
     log "DNS probe domain ${domain} configured with override to port ${override_port}"
 }
@@ -2275,11 +2505,7 @@ global_check() {
 
     print_global "━━━━━━━━━━━━━━━━━━━━━━━━━━━"
     print_global "🧱 NFT table"
-    if ! nft list table inet PodkopTable >/dev/null 2>&1; then
-        print_global "❌ PodkopTable not found"
-    else
-        nft list table inet PodkopTable
-    fi
+    check_nft
 
     print_global "━━━━━━━━━━━━━━━━━━━━━━━━━━━"
     print_global "📄 WAN config"
@@ -2321,6 +2547,11 @@ global_check() {
         done
     fi
 
+    if [ -d "/etc/init.d/zapret" ]; then
+        print_global "━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+        print_global "⚠️ Zapret detected"
+    fi
+
     print_global "━━━━━━━━━━━━━━━━━━━━━━━━━━━"
     print_global "➡️ DNS status"
     dns_info=$(check_dns_available)
@@ -2371,6 +2602,40 @@ global_check() {
     fi
 }
 
+show_help() {
+    cat << EOF
+Usage: $0 COMMAND
+
+Available commands:
+    start                   Start podkop service
+    stop                    Stop podkop service
+    reload                  Reload podkop configuration
+    restart                 Restart podkop service
+    enable                  Enable podkop autostart
+    disable                 Disable podkop autostart
+    main                    Run main podkop process
+    list_update             Update domain lists
+    check_proxy             Check proxy connectivity
+    check_nft               Check NFT rules
+    check_github            Check GitHub connectivity
+    check_logs              Show podkop logs from system journal
+    check_sing_box_connections  Show active sing-box connections
+    check_sing_box_logs     Show sing-box logs
+    check_fakeip            Check FakeIP DNS functionality
+    check_dnsmasq           Check DNSMasq configuration
+    show_config             Display current podkop configuration
+    show_version            Show podkop version
+    show_sing_box_config    Show sing-box configuration
+    show_luci_version       Show LuCI app version
+    show_sing_box_version   Show sing-box version
+    show_system_info        Show system information
+    get_status              Get podkop service status
+    get_sing_box_status     Get sing-box service status
+    check_dns_available     Check DNS server availability
+    global_check            Run global system check
+EOF
+}
+
 case "$1" in
     start)
         start
@@ -2445,7 +2710,7 @@ case "$1" in
         global_check
         ;;
     *)
-        echo "Usage: $0 {start|stop|reload|restart|enable|disable|main|list_update|check_proxy|check_nft|check_github|check_logs|check_sing_box_connections|check_sing_box_logs|check_fakeip|check_dnsmasq|show_config|show_version|show_sing_box_config|show_luci_version|show_sing_box_version|show_system_info|get_status|get_sing_box_status|check_dns_available|global_check}"
+        show_help
         exit 1
         ;;
 esac