https-dns-proxy: update to 2026.03.18-1

Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1

Description:
update to 2026.03.18, improve nftables rules

  - Update PKG_VERSION to 2026.03.18.
  - Set PKG_RELEASE to 1.
  - Update PKG_SOURCE_VERSION to 801881210ba8215dc9cd577222d8c10372423360.
  - Update PKG_MIRROR_HASH to 4c356c19b62fc7bdef3a67fd678e48f3659d709da10517c2eadef76e3409f5ce.

files/etc/init.d/https-dns-proxy:
  - Wrap the notrack chain in its own `inet https_dns_proxy_notrack`
    table. A top-level `chain` outside any table is invalid nftables
    syntax and is rejected on kernel 6.18+, breaking firewall load.
    Fixes mossdef-org/https-dns-proxy#7.
  - Syntax-check the generated snippet with `nft -c -f` after write
    and report OK/FAIL on the start path.
  - On remove, explicitly `nft delete table` in addition to removing
    the snippet file, so the live ruleset is cleaned up immediately
    rather than waiting for the next fw4 reload.

Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 0d5f7a16c1)
Signed-off-by: Stan Grishin <stangri@melmac.ca>

net/https-dns-proxy/Makefile

@@ -2,13 +2,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=https-dns-proxy
-PKG_VERSION:=2025.12.29
-PKG_RELEASE:=5
+PKG_VERSION:=2026.03.18
+PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/aarond10/https_dns_proxy/
-PKG_MIRROR_HASH:=df9b4dea9ce7d9a0f26e39b8e10631f0cb3c35b8c7ef8f2603453cb55d0e3d20
-PKG_SOURCE_VERSION:=67ecae05c0b9a5020b32782f9ff7ac8c887dda8a
+PKG_MIRROR_HASH:=4c356c19b62fc7bdef3a67fd678e48f3659d709da10517c2eadef76e3409f5ce
+PKG_SOURCE_VERSION:=801881210ba8215dc9cd577222d8c10372423360
 
 PKG_MAINTAINER:=Stan Grishin <stangri@melmac.ca>
 PKG_LICENSE:=MIT

net/https-dns-proxy/files/etc/init.d/https-dns-proxy

@@ -145,20 +145,25 @@ notrack_nft() {
 				return
 			fi
 			new_content="$(cat <<-EOF
-				chain raw_output_https_dns_proxy {
-					type filter hook output priority raw; policy accept;
-					meta l4proto { tcp, udp } th dport { ${port_set} } ip daddr 127.0.0.0/8 notrack
-					meta l4proto { tcp, udp } th sport { ${port_set} } ip saddr 127.0.0.0/8 notrack
+				table inet https_dns_proxy_notrack {
+					chain raw_output {
+						type filter hook output priority raw; policy accept;
+						meta l4proto { tcp, udp } th dport { ${port_set} } ip daddr 127.0.0.0/8 notrack
+						meta l4proto { tcp, udp } th sport { ${port_set} } ip saddr 127.0.0.0/8 notrack
+					}
 				}
 			EOF
 			)"
 			existing_content="$(cat "$NOTRACK_NFT_FILE" 2>/dev/null)"
-			[ "$new_content" = "$existing_content" ] && return 0
-			echo "$new_content" > "$NOTRACK_NFT_FILE"
+			if [ "$new_content" != "$existing_content" ]; then
+				echo "$new_content" > "$NOTRACK_NFT_FILE"
+			fi
+			[ -s "$NOTRACK_NFT_FILE" ] && nft -c -f "$NOTRACK_NFT_FILE"
 		;;
 		remove)
-			[ -f "$NOTRACK_NFT_FILE" ] || return 0
-			rm -f "$NOTRACK_NFT_FILE"
+			[ -f "$NOTRACK_NFT_FILE" ] && rm -f "$NOTRACK_NFT_FILE"
+			nft delete table inet https_dns_proxy_notrack 2>/dev/null
+			[ ! -s "$NOTRACK_NFT_FILE" ]
 		;;
 	esac
 }
@@ -395,7 +400,12 @@ start_service() {
 		;;
 	esac
 	if [ -n "$notrack_dns" ] && [ -n "$notrack_ports" ]; then
-		notrack_nft update "$notrack_ports"
+		output "Updating notrack rules "
+		if notrack_nft update "$notrack_ports"; then
+			output_okn
+		else
+			output_failn
+		fi
 	else
 		notrack_nft remove
 	fi