https-dns-proxy: update to 2026.03.18-1
authorStan Grishin <redacted>
Wed, 29 Apr 2026 17:38:35 +0000 (17:38 +0000)
committerStan Grishin <redacted>
Sat, 2 May 2026 01:04:56 +0000 (18:04 -0700)
Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1

Description:
update to 2026.03.18, improve nftables rules

  - Update PKG_VERSION to 2026.03.18.
  - Set PKG_RELEASE to 1.
  - Update PKG_SOURCE_VERSION to 801881210ba8215dc9cd577222d8c10372423360.
  - Update PKG_MIRROR_HASH to 4c356c19b62fc7bdef3a67fd678e48f3659d709da10517c2eadef76e3409f5ce.

files/etc/init.d/https-dns-proxy:
  - Wrap the notrack chain in its own `inet https_dns_proxy_notrack`
    table. A top-level `chain` outside any table is invalid nftables
    syntax and is rejected on kernel 6.18+, breaking firewall load.
    Fixes mossdef-org/https-dns-proxy#7.
  - Syntax-check the generated snippet with `nft -c -f` after write
    and report OK/FAIL on the start path.
  - On remove, explicitly `nft delete table` in addition to removing
    the snippet file, so the live ruleset is cleaned up immediately
    rather than waiting for the next fw4 reload.

Signed-off-by: Stan Grishin <redacted>
net/https-dns-proxy/Makefile
net/https-dns-proxy/files/etc/init.d/https-dns-proxy

index 27f3b7f5638a4707c38e28fd341955b96e887375..204cddfa06398e08dfc51157e42e52538c55c2de 100644 (file)
@@ -2,13 +2,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=https-dns-proxy
-PKG_VERSION:=2025.12.29
-PKG_RELEASE:=5
+PKG_VERSION:=2026.03.18
+PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/aarond10/https_dns_proxy/
-PKG_MIRROR_HASH:=df9b4dea9ce7d9a0f26e39b8e10631f0cb3c35b8c7ef8f2603453cb55d0e3d20
-PKG_SOURCE_VERSION:=67ecae05c0b9a5020b32782f9ff7ac8c887dda8a
+PKG_MIRROR_HASH:=4c356c19b62fc7bdef3a67fd678e48f3659d709da10517c2eadef76e3409f5ce
+PKG_SOURCE_VERSION:=801881210ba8215dc9cd577222d8c10372423360
 
 PKG_MAINTAINER:=Stan Grishin <stangri@melmac.ca>
 PKG_LICENSE:=MIT
index fa5a53b1c573ea0447114d361308edee5fc550f7..de291d7d41681cd6ec3399b31a3d999b656557d1 100755 (executable)
@@ -145,20 +145,25 @@ notrack_nft() {
                                return
                        fi
                        new_content="$(cat <<-EOF
-                               chain raw_output_https_dns_proxy {
-                                       type filter hook output priority raw; policy accept;
-                                       meta l4proto { tcp, udp } th dport { ${port_set} } ip daddr 127.0.0.0/8 notrack
-                                       meta l4proto { tcp, udp } th sport { ${port_set} } ip saddr 127.0.0.0/8 notrack
+                               table inet https_dns_proxy_notrack {
+                                       chain raw_output {
+                                               type filter hook output priority raw; policy accept;
+                                               meta l4proto { tcp, udp } th dport { ${port_set} } ip daddr 127.0.0.0/8 notrack
+                                               meta l4proto { tcp, udp } th sport { ${port_set} } ip saddr 127.0.0.0/8 notrack
+                                       }
                                }
                        EOF
                        )"
                        existing_content="$(cat "$NOTRACK_NFT_FILE" 2>/dev/null)"
-                       [ "$new_content" = "$existing_content" ] && return 0
-                       echo "$new_content" > "$NOTRACK_NFT_FILE"
+                       if [ "$new_content" != "$existing_content" ]; then
+                               echo "$new_content" > "$NOTRACK_NFT_FILE"
+                       fi
+                       [ -s "$NOTRACK_NFT_FILE" ] && nft -c -f "$NOTRACK_NFT_FILE"
                ;;
                remove)
-                       [ -f "$NOTRACK_NFT_FILE" ] || return 0
-                       rm -f "$NOTRACK_NFT_FILE"
+                       [ -f "$NOTRACK_NFT_FILE" ] && rm -f "$NOTRACK_NFT_FILE"
+                       nft delete table inet https_dns_proxy_notrack 2>/dev/null
+                       [ ! -s "$NOTRACK_NFT_FILE" ]
                ;;
        esac
 }
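Review bot: A snippet that fails the new `nft -c -f` check is still left at `$NOTRACK_NFT_FILE`, because the update branch writes the file first and validates it afterwards. The next firewall reload would then load the same kind of invalid ruleset this commit is meant to prevent. Validating a temporary copy and moving it into place only on success keeps the previous working snippet, as sketched below. The temporary name must not match whatever glob the firewall uses to include snippets, which is not visible here. `${port_set}` is built outside this hunk, as is the start of notrack_nft, so it is worth confirming that it is restricted to port numbers before it is interpolated into the ruleset.

```shell
existing_content="$(cat "$NOTRACK_NFT_FILE" 2>/dev/null)"
if [ "$new_content" != "$existing_content" ]; then
	local tmp_file="${NOTRACK_NFT_FILE}.tmp"
	echo "$new_content" > "$tmp_file" || return 1
	if ! nft -c -f "$tmp_file"; then
		# keep the previous snippet; never install one that fails the check
		rm -f "$tmp_file"
		return 1
	fi
	mv -f "$tmp_file" "$NOTRACK_NFT_FILE" || return 1
fi
[ -s "$NOTRACK_NFT_FILE" ] && nft -c -f "$NOTRACK_NFT_FILE"
# … unchanged: remove branch …
```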
@@ -395,7 +400,12 @@ start_service() {
                ;;
        esac
        if [ -n "$notrack_dns" ] && [ -n "$notrack_ports" ]; then
-               notrack_nft update "$notrack_ports"
+               output "Updating notrack rules "
+               if notrack_nft update "$notrack_ports"; then
+                       output_okn
+               else
+                       output_failn
+               fi
        else
                notrack_nft remove
        fi
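Review bot: The OK/FAIL printed here depends entirely on notrack_nft's exit status, but the early `return` in the context lines at the top of the update branch has no explicit status, so it passes on whatever the preceding command returned. If that path means no rules were written, I would make it explicit with `return 1`; the guard itself is outside the visible lines, so this is an assumption to confirm. The `else` branch still calls `notrack_nft remove` without checking its status, although the remove path now ends in `[ ! -s "$NOTRACK_NFT_FILE" ]`. Either report it the same way or add a comment such as `# best effort: failure to remove notrack rules is not fatal` to make the intent clear. start_service begins and ends outside this hunk.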