diff --git a/src/api2/access/tfa.rs b/src/api2/access/tfa.rs
index 0298b2e1..ee2bcac7 100644
--- a/src/api2/access/tfa.rs
+++ b/src/api2/access/tfa.rs
@@ -331,13 +331,11 @@ fn list_tfa(rpcenv: &mut dyn RpcEnvironment) -> Result<Vec<TfaUser>, Error> {
                 entries: to_data(data),
             });
         }
-    } else {
-        if let Some(data) = { tfa_data }.remove(authid.user()) {
-            out.push(TfaUser {
-                userid: authid.into(),
-                entries: to_data(data),
-            });
-        }
+    } else if let Some(data) = { tfa_data }.remove(authid.user()) {
+        out.push(TfaUser {
+            userid: authid.into(),
+            entries: to_data(data),
+        });
     }
 
     Ok(out)
diff --git a/src/config/network/helper.rs b/src/config/network/helper.rs
index d9266e3f..d6d62d95 100644
--- a/src/config/network/helper.rs
+++ b/src/config/network/helper.rs
@@ -68,15 +68,16 @@ pub fn parse_cidr(cidr: &str) -> Result<(String, u8, bool), Error> {
 }
 
 pub fn check_netmask(mask: u8, is_v6: bool) -> Result<(), Error> {
-    if is_v6 {
-        if !(mask >= 1 && mask <= 128) {
-            bail!("IPv6 mask '{}' is out of range (1..128).", mask);
-        }
+    let (ver, min, max) = if is_v6 {
+        ("IPv6", 1, 128)
     } else {
-        if !(mask > 0 && mask <= 32) {
-            bail!("IPv4 mask '{}' is out of range (1..32).", mask);
-        }
+        ("IPv4", 1, 32)
+    };
+
+    if !(mask >= min && mask <= max) {
+        bail!("{} mask '{}' is out of range ({}..{}).", ver, mask, min, max);
     }
+
     Ok(())
 }
 
diff --git a/src/rrd/rrd.rs b/src/rrd/rrd.rs
index c8b16471..37bdf3b9 100644
--- a/src/rrd/rrd.rs
+++ b/src/rrd/rrd.rs
@@ -128,25 +128,20 @@ impl RRA {
         // derive counter value
         if self.flags.intersects(RRAFlags::DST_DERIVE | RRAFlags::DST_COUNTER) {
             let time_diff = time - self.last_update;
+            let is_counter = self.flags.contains(RRAFlags::DST_COUNTER);
+
             let diff = if self.counter_value.is_nan() {
                 0.0
+            } else if is_counter && value < 0.0 {
+                eprintln!("rrdb update failed - got negative value for counter");
+                return;
+            } else if is_counter && value < self.counter_value {
+                // Note: We do not try automatic overflow corrections
+                self.counter_value = value;
+                eprintln!("rrdb update failed - conter overflow/reset detected");
+                return;
             } else {
-                if self.flags.contains(RRAFlags::DST_COUNTER) { // check for overflow
-                    if value < 0.0 {
-                        eprintln!("rrdb update failed - got negative value for counter");
-                        return;
-                    }
-                    // Note: We do not try automatic overflow corrections
-                    if value < self.counter_value { // overflow or counter reset
-                        self.counter_value = value;
-                        eprintln!("rrdb update failed - conter overflow/reset detected");
-                        return;
-                    } else {
-                        value - self.counter_value
-                    }
-                } else {
-                    value - self.counter_value
-                }
+                value - self.counter_value
             };
             self.counter_value = value;
             value = diff/time_diff;