From: Stan Grishin Date: Sat, 16 May 2026 02:49:46 +0000 (+0000) Subject: https-dns-proxy: update to 2026.03.18-4 X-Git-Url: http://git.99rst.org/?a=commitdiff_plain;h=9c739e6d31702e65ed5c91cf160ef852b6b5df82;p=openwrt-packages.git https-dns-proxy: update to 2026.03.18-4 Maintainer: me Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1 Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1 Description: Robustify nftables notrack generation - Bump PKG_RELEASE to 4. - Add install rule to create /usr/share/nftables.d/ruleset-post. files/etc/init.d/https-dns-proxy: - Check if 'nft' command exists before generating rules. - Add robust error handling for directory creation and file writing. - Log errors when directory creation or file writing fails. tests/run_tests.sh: - Add test case for 'nft' binary absence, confirming no-op behavior. - Add test case for mkdir failure during notrack rule generation. Signed-off-by: Stan Grishin --- diff --git a/net/https-dns-proxy/Makefile b/net/https-dns-proxy/Makefile index 161076fb1..11db37807 100644 --- a/net/https-dns-proxy/Makefile +++ b/net/https-dns-proxy/Makefile @@ -3,7 +3,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=https-dns-proxy PKG_VERSION:=2026.03.18 -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://github.com/aarond10/https_dns_proxy/ @@ -41,7 +41,7 @@ endef define Package/https-dns-proxy/description Light-weight DNS-over-HTTPS, non-caching translation proxy for the RFC 8484 DoH standard. It receives regular, unencrypted (UDP) DNS requests and resolves them via DoH resolver. -Please see https://docs.openwrt.melmac.ca/https-dns-proxy/ for more information. +Please see https://docs.mossdef.org/https-dns-proxy/ for more information. endef define Package/https-dns-proxy/conffiles 
@@ -58,6 +58,8 @@ define Package/https-dns-proxy/install $(INSTALL_CONF) ./files/etc/config/https-dns-proxy $(1)/etc/config/https-dns-proxy $(INSTALL_DIR) $(1)/etc/uci-defaults/ $(INSTALL_BIN) ./files/etc/uci-defaults/50-https-dns-proxy-migrate-options.sh $(1)/etc/uci-defaults/50-https-dns-proxy-migrate-options.sh + $(INSTALL_DIR) $(1)/usr/share/nftables.d/ruleset-post + $(INSTALL_DATA) ./files/usr/share/nftables.d/ruleset-post/.placeholder $(1)/usr/share/nftables.d/ruleset-post/.placeholder endef $(eval $(call BuildPackage,https-dns-proxy)) diff --git a/net/https-dns-proxy/README.md b/net/https-dns-proxy/README.md index 3d4e7b9c2..2ee1ecb16 100644 --- a/net/https-dns-proxy/README.md +++ b/net/https-dns-proxy/README.md @@ -1,8 +1,8 @@ # https-dns-proxy [![OpenWrt](https://img.shields.io/badge/OpenWrt-Compatible-blueviolet)](https://openwrt.org) -[![Web UI](https://img.shields.io/badge/Web_UI-Available-blue)](https://docs.openwrt.melmac.ca/https-dns-proxy/) -[![Resolvers](https://img.shields.io/badge/Resolvers-40%2B%20Built--in-brightgreen)](https://docs.openwrt.melmac.ca/https-dns-proxy/) +[![Web UI](https://img.shields.io/badge/Web_UI-Available-blue)](https://docs.mossdef.org/https-dns-proxy/) +[![Resolvers](https://img.shields.io/badge/Resolvers-40%2B%20Built--in-brightgreen)](https://docs.mossdef.org/https-dns-proxy/) [![Minimal Footprint](https://img.shields.io/badge/Size-~40KB-green)](https://github.com/stangri/https-dns-proxy) [![License](https://img.shields.io/badge/License-MIT-lightgrey)](https://github.com/stangri/https-dns-proxy/blob/master/LICENSE) 
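Review bot: The added `$(INSTALL_DATA)` line ships an empty `.placeholder` into `/usr/share/nftables.d/ruleset-post` on the target, and nothing in the hunk explains why the preceding `$(INSTALL_DIR)` line is not enough to create the directory. If the file exists only so the directory survives in the source tree or in the built package, record that in the commit description; otherwise drop the line so the image carries no stray file next to the generated ruleset snippet. This directory presumably receives the rules `notrack_nft` writes at runtime, so it is worth confirming that it is installed root-owned and is not writable by the unprivileged `user` the service is configured to run as. The `define Package/https-dns-proxy/install` block starts outside the hunk.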
@@ -17,6 +17,6 @@ Includes optional integration with `dnsmasq`, automatic fallback, and canary dom **Full documentation:** -[https://docs.openwrt.melmac.ca/https-dns-proxy/](https://docs.openwrt.melmac.ca/https-dns-proxy/) +[https://docs.mossdef.org/https-dns-proxy/](https://docs.mossdef.org/https-dns-proxy/) Based on [@aarond10](https://github.com/aarond10)'s excellent [https_dns_proxy](https://github.com/aarond10/https_dns_proxy) diff --git a/net/https-dns-proxy/files/etc/config/https-dns-proxy b/net/https-dns-proxy/files/etc/config/https-dns-proxy index d43a8189d..62555f887 100644 --- a/net/https-dns-proxy/files/etc/config/https-dns-proxy +++ b/net/https-dns-proxy/files/etc/config/https-dns-proxy @@ -16,7 +16,7 @@ config main 'config' # list force_dns_port '8443' list force_dns_src_interface 'lan' option procd_trigger_wan6 '0' - option heartbeat_domain 'heartbeat.melmac.ca' + option heartbeat_domain 'heartbeat.mossdef.org' option heartbeat_sleep_timeout '10' option heartbeat_wait_timeout '10' option user 'nobody' diff --git a/net/https-dns-proxy/files/etc/init.d/https-dns-proxy b/net/https-dns-proxy/files/etc/init.d/https-dns-proxy index 134f3a261..c81de1daf 100755 --- a/net/https-dns-proxy/files/etc/init.d/https-dns-proxy +++ b/net/https-dns-proxy/files/etc/init.d/https-dns-proxy @@ -91,7 +91,7 @@ is_port_listening() { is_resolver_working() { local heartbeat_domain heartbeat_sleep_timeout heartbeat_wait_timeout config_load "$packageName" - config_get heartbeat_domain 'config' 'heartbeat_domain' 'heartbeat.melmac.ca' + config_get heartbeat_domain 'config' 'heartbeat_domain' 'heartbeat.mossdef.org' config_get heartbeat_sleep_timeout 'config' 'heartbeat_sleep_timeout' '10' config_get heartbeat_wait_timeout 'config' 'heartbeat_wait_timeout' '30' [ "$heartbeat_domain" = '-' ] && return 0 
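Review bot: The default `heartbeat_domain` moves from `heartbeat.melmac.ca` to `heartbeat.mossdef.org` in the shipped config and in the `config_get` fallback of `is_resolver_working`, but the commit description lists only the nftables changes, so the change of hostname used by the resolver health check goes unrecorded. Call it out in the description, e.g. `- Switch default heartbeat_domain and documentation URLs to mossdef.org.` Upgraded systems presumably keep the old value in their existing `/etc/config/https-dns-proxy`, and this commit does not touch `50-https-dns-proxy-migrate-options.sh`. If the old domain is going to be retired, a migration step or release note would keep their health check from depending on a name the project no longer controls. `is_resolver_working` continues outside the hunk.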
@@ -136,6 +136,7 @@ uci_changes() { [ -n "$(/sbin/uci ${UCI_CONFIG_DIR:+-c ${UCI_CONFIG_DIR}} changes "$PACKAGE${CONFIG:+.${CONFIG}}${OPTION:+.${OPTION}}")" ] } notrack_nft() { + command -v nft >/dev/null 2>&1 || return 0 case "$1" in update) local port_set="$2" @@ -154,8 +155,14 @@ notrack_nft() { )" existing_content="$(cat "$NOTRACK_NFT_FILE" 2>/dev/null)" if [ "$new_content" != "$existing_content" ]; then - mkdir -p "${NOTRACK_NFT_FILE%/*}" - echo "$new_content" > "$NOTRACK_NFT_FILE" + if ! mkdir -p "${NOTRACK_NFT_FILE%/*}"; then + logger -t "$packageName" "Failed to create ${NOTRACK_NFT_FILE%/*}; skipping notrack rules" + return 1 + fi + if ! echo "$new_content" > "$NOTRACK_NFT_FILE"; then + logger -t "$packageName" "Failed to write $NOTRACK_NFT_FILE; skipping notrack rules" + return 1 + fi fi [ -s "$NOTRACK_NFT_FILE" ] && nft -c -f "$NOTRACK_NFT_FILE" ;; diff --git a/net/https-dns-proxy/files/usr/share/nftables.d/ruleset-post/.placeholder b/net/https-dns-proxy/files/usr/share/nftables.d/ruleset-post/.placeholder new file mode 100644 index 000000000..e69de29bb diff --git a/net/https-dns-proxy/tests/run_tests.sh b/net/https-dns-proxy/tests/run_tests.sh index 4bf3f1093..207407160 100644 --- a/net/https-dns-proxy/tests/run_tests.sh +++ b/net/https-dns-proxy/tests/run_tests.sh @@ -4,7 +4,7 @@ # Tests helper functions, validation logic, dnsmasq integration, # and UCI migration by mocking OpenWrt's rc.common framework. # -# Usage: cd source.openwrt.melmac.ca/https-dns-proxy && bash tests/run_tests.sh +# Usage: cd source.mossdef.org/https-dns-proxy && bash tests/run_tests.sh set -o pipefail 
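Review bot: The new `command -v nft` guard sits above `case "$1" in`, so it short-circuits every subcommand of `notrack_nft`, not only `update`. If nftables is removed after a snippet was generated, `notrack_nft remove` would now return 0 without reaching whatever cleanup the `remove` branch does (not visible in this hunk), which may leave a stale `$NOTRACK_NFT_FILE` for a later firewall reload to pick up. Consider moving the guard into the `update)` branch, or add a comment such as `# no nft: nothing to generate or validate; remove is skipped as well` so the behaviour is a stated choice. The function body continues outside the hunk.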
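Review bot: In the `@@ -154,8 +155,14 @@` hunk the snippet is still written straight to `$NOTRACK_NFT_FILE` with `echo … >`, so a write that fails part-way (for example a full overlay) leaves a truncated or empty file at the live path before the new `return 1` runs. The `nft -c -f` check also only happens once the file is already in place. Writing to a temporary name in the same directory and renaming it over the target keeps the previous, known-good snippet until the new one is complete. The temporary name must not match whatever pattern the firewall includes from this directory, so the suffix below is a suggestion to confirm against that pattern. The `update)` branch starts and ends outside the hunk.

```shell
# … unchanged: new_content / existing_content computation …
if [ "$new_content" != "$existing_content" ]; then
	# … unchanged: mkdir -p "${NOTRACK_NFT_FILE%/*}" with logged failure …
	local tmp_file="${NOTRACK_NFT_FILE}.$$.tmp"
	if ! echo "$new_content" > "$tmp_file" || ! mv -f "$tmp_file" "$NOTRACK_NFT_FILE"; then
		rm -f "$tmp_file"
		logger -t "$packageName" "Failed to write $NOTRACK_NFT_FILE; skipping notrack rules"
		return 1
	fi
fi
```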
@@ -704,6 +704,41 @@ notrack_nft remove assert_rc "notrack_nft remove succeeds when file and table both absent" 0 $? __nft_rc=0 +# ── nft binary absent: notrack_nft is a no-op ── +# Without firewall4/nftables installed, the package should not error; +# `command -v nft` returns non-zero and notrack_nft returns 0 immediately. +rm -rf "$TESTDIR/usr/share" +__saved_nft_def="$(typeset -f nft 2>/dev/null || declare -f nft)" +unset -f nft +mkdir -p "$TESTDIR/empty-path" +__saved_path="$PATH" +PATH="$TESTDIR/empty-path" + +notrack_nft update "53" +assert_rc "notrack_nft update is a no-op when nft binary is absent" 0 $? + +[ ! -f "$NOTRACK_TEST_FILE" ] +assert_rc "notrack_nft did not write snippet when nft is absent" 0 $? + +PATH="$__saved_path" +eval "$__saved_nft_def" + +# ── mkdir failure path returns non-zero ── +# Place a regular file at the would-be parent dir so mkdir -p must fail. +# Defensive logic should return 1 instead of falling through to a broken +# redirection. +rm -rf "$TESTDIR/usr/share" +mkdir -p "$(dirname "$(dirname "$NOTRACK_TEST_FILE")")" +: > "$(dirname "$NOTRACK_TEST_FILE")" + +notrack_nft update "53" 2>/dev/null +assert_rc "notrack_nft update returns 1 when parent dir cannot be created" 1 $? + +[ ! -f "$NOTRACK_TEST_FILE" ] +assert_rc "notrack_nft did not write snippet on mkdir failure" 0 $? + +rm -f "$(dirname "$NOTRACK_TEST_FILE")" + ############################################################################### # SHELL SCRIPT SYNTAX # ###############################################################################
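Review bot: The write-failure branch this commit adds to `notrack_nft` has no test here; only the missing-`nft` and `mkdir` failure paths are exercised, so a regression in the `echo … > "$NOTRACK_NFT_FILE"` handling would pass unnoticed. Placing a directory at the snippet path makes the redirection fail after `mkdir -p` succeeds, and it works even when the suite runs as root. This assumes `$NOTRACK_TEST_FILE` is the path `notrack_nft` writes to under test, as the existing cases suggest. The mkdir-failure case silences stderr only, so unless `logger` is stubbed elsewhere in the script the failure message goes to the host's syslog.

```shell
# ── write failure path returns non-zero ──
# A directory at the snippet path lets mkdir -p succeed but makes the
# redirection fail, which must surface as rc 1.
rm -rf "$TESTDIR/usr/share"
mkdir -p "$NOTRACK_TEST_FILE"

notrack_nft update "53" 2>/dev/null
assert_rc "notrack_nft update returns 1 when snippet cannot be written" 1 $?

rm -rf "$NOTRACK_TEST_FILE"
```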