From 22e062174f3d7c419eb30878efc7f8f35e7dbd9c Mon Sep 17 00:00:00 2001 From: Stan Grishin Date: Wed, 29 Apr 2026 17:38:35 +0000 Subject: [PATCH] https-dns-proxy: update to 2026.03.18-1 Maintainer: me Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1 Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1 Description: update to 2026.03.18, improve nftables rules - Update PKG_VERSION to 2026.03.18. - Set PKG_RELEASE to 1. - Update PKG_SOURCE_VERSION to 801881210ba8215dc9cd577222d8c10372423360. - Update PKG_MIRROR_HASH to 4c356c19b62fc7bdef3a67fd678e48f3659d709da10517c2eadef76e3409f5ce. files/etc/init.d/https-dns-proxy: - Wrap the notrack chain in its own `inet https_dns_proxy_notrack` table. A top-level `chain` outside any table is invalid nftables syntax and is rejected on kernel 6.18+, breaking firewall load. Fixes mossdef-org/https-dns-proxy#7. - Syntax-check the generated snippet with `nft -c -f` after write and report OK/FAIL on the start path. - On remove, explicitly `nft delete table` in addition to removing the snippet file, so the live ruleset is cleaned up immediately rather than waiting for the next fw4 reload. Signed-off-by: Stan Grishin (cherry picked from commit 0d5f7a16c13c82e6b7adf4798eff1df46d4fa927) Signed-off-by: Stan Grishin --- net/https-dns-proxy/Makefile | 8 +++--- .../files/etc/init.d/https-dns-proxy | 28 +++++++++++++------ 2 files changed, 23 insertions(+), 13 deletions(-) diff --git a/net/https-dns-proxy/Makefile b/net/https-dns-proxy/Makefile index 27f3b7f5638a4..204cddfa06398 100644 --- a/net/https-dns-proxy/Makefile +++ b/net/https-dns-proxy/Makefile 
@@ -2,13 +2,13 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=https-dns-proxy
-PKG_VERSION:=2025.12.29
-PKG_RELEASE:=5
+PKG_VERSION:=2026.03.18
+PKG_RELEASE:=1
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/aarond10/https_dns_proxy/
-PKG_MIRROR_HASH:=df9b4dea9ce7d9a0f26e39b8e10631f0cb3c35b8c7ef8f2603453cb55d0e3d20
-PKG_SOURCE_VERSION:=67ecae05c0b9a5020b32782f9ff7ac8c887dda8a
+PKG_MIRROR_HASH:=4c356c19b62fc7bdef3a67fd678e48f3659d709da10517c2eadef76e3409f5ce
+PKG_SOURCE_VERSION:=801881210ba8215dc9cd577222d8c10372423360
 PKG_MAINTAINER:=Stan Grishin
 PKG_LICENSE:=MIT
diff --git a/net/https-dns-proxy/files/etc/init.d/https-dns-proxy b/net/https-dns-proxy/files/etc/init.d/https-dns-proxy
index fa5a53b1c573e..de291d7d41681 100755
--- a/net/https-dns-proxy/files/etc/init.d/https-dns-proxy
+++ b/net/https-dns-proxy/files/etc/init.d/https-dns-proxy
@@ -145,20 +145,25 @@ notrack_nft() {
 return
 fi
 new_content="$(cat <<-EOF
-chain raw_output_https_dns_proxy {
-type filter hook output priority raw; policy accept;
-meta l4proto { tcp, udp } th dport { ${port_set} } ip daddr 127.0.0.0/8 notrack
-meta l4proto { tcp, udp } th sport { ${port_set} } ip saddr 127.0.0.0/8 notrack
+table inet https_dns_proxy_notrack {
+chain raw_output {
+type filter hook output priority raw; policy accept;
+meta l4proto { tcp, udp } th dport { ${port_set} } ip daddr 127.0.0.0/8 notrack
+meta l4proto { tcp, udp } th sport { ${port_set} } ip saddr 127.0.0.0/8 notrack
+}
 }
 EOF
 )"
 existing_content="$(cat "$NOTRACK_NFT_FILE" 2>/dev/null)"
-[ "$new_content" = "$existing_content" ] && return 0
-echo "$new_content" > "$NOTRACK_NFT_FILE"
+if [ "$new_content" != "$existing_content" ]; then
+echo "$new_content" > "$NOTRACK_NFT_FILE"
+fi
+[ -s "$NOTRACK_NFT_FILE" ] && nft -c -f "$NOTRACK_NFT_FILE"
 ;;
 remove)
-[ -f "$NOTRACK_NFT_FILE" ] || return 0
-rm -f "$NOTRACK_NFT_FILE"
+[ -f "$NOTRACK_NFT_FILE" ] && rm -f "$NOTRACK_NFT_FILE"
+nft delete table inet https_dns_proxy_notrack 2>/dev/null
+[ ! -s "$NOTRACK_NFT_FILE" ]
 ;;
 esac
 }
@@ -395,7 +400,12 @@ start_service() {
 ;;
 esac
 if [ -n "$notrack_dns" ] && [ -n "$notrack_ports" ]; then
-notrack_nft update "$notrack_ports"
+output "Updating notrack rules "
+if notrack_nft update "$notrack_ports"; then
+output_okn
+else
+output_failn
+fi
 else
 notrack_nft remove
 fi
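Review bot: The `nft -c -f` check in the `update` arm runs only after the snippet has already been written to `$NOTRACK_NFT_FILE`, so when the check fails the function returns non-zero (and the caller prints FAIL) but the invalid snippet is left in place for the next fw4 reload to trip over — the same failure mode this commit is fixing. Writing to a scratch file beside the target, validating that, and only then moving it into place keeps the include directory free of unvalidated content and also avoids a torn file if the write is interrupted; this assumes `mktemp` is available (busybox provides it) and that fw4 includes this snippet by explicit path rather than by directory glob. Note also that `nft -c -f` validates the file as a standalone ruleset, so if fw4 pulls it in at table scope rather than ruleset scope (not visible here) a standalone pass does not guarantee fw4's own load succeeds. The opening guard of `notrack_nft` and the start of its `update` arm lie above this hunk.

```shell
		# … unchanged: here-doc that builds new_content …
		existing_content="$(cat "$NOTRACK_NFT_FILE" 2>/dev/null)"
		if [ "$new_content" != "$existing_content" ]; then
			# Validate in a scratch file first so an unparseable snippet never
			# lands where fw4 will include it.
			tmp_file="$(mktemp "${NOTRACK_NFT_FILE}.XXXXXX")" || return 1
			echo "$new_content" > "$tmp_file"
			if ! nft -c -f "$tmp_file"; then
				rm -f "$tmp_file"
				return 1
			fi
			mv -f "$tmp_file" "$NOTRACK_NFT_FILE" || { rm -f "$tmp_file"; return 1; }
		fi
		[ -s "$NOTRACK_NFT_FILE" ] && nft -c -f "$NOTRACK_NFT_FILE"
```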
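Review bot: The new OK/FAIL reporting covers only the `update` branch; the `else` branch still calls `notrack_nft remove` and discards its status, even though the companion hunk now makes `remove` return non-zero when the snippet could not be deleted (`[ ! -s "$NOTRACK_NFT_FILE" ]`). For symmetry, wrap it the same way: `output "Removing notrack rules "` followed by `if notrack_nft remove; then output_okn; else output_failn; fi`. If `remove` is also invoked from a stop path outside this hunk, that caller is unaffected. `start_service` continues beyond the hunk.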