From ebe149b7f37ef7d91f85a1a7e8e626a58ac2cd48 Mon Sep 17 00:00:00 2001 From: Stan Grishin Date: Fri, 24 Apr 2026 18:28:04 +0000 Subject: [PATCH] https-dns-proxy: update to 2025.12.29-5 Maintainer: me Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1 Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1 Description:Add nftables notrack for localhost traffic - Removed. License is now included in the main project. net/https-dns-proxy/Makefile: - Bumped PKG_RELEASE to 5. net/https-dns-proxy/files/etc/config/https-dns-proxy: - Added 'option notrack_dns '1'' to the default configuration. net/https-dns-proxy/files/etc/init.d/https-dns-proxy: - Defined NOTRACK_NFT_FILE constant. - Added 'notrack_dns' and 'notrack_ports' variables. - Implemented 'notrack_nft' function to manage nftables rules for notracking local DNS traffic. - Enabled loading of 'notrack_dns' boolean from configuration. - Modified start_instance to collect listen_port into notrack_ports if notrack_dns is enabled. - Modified start_service to call notrack_nft update/remove based on notrack_dns and collected ports. - Modified stop_service to call notrack_nft remove. - Updated service_started and service_stopped to trigger firewall config changes when notrack_dns is enabled. Signed-off-by: Stan Grishin --- net/https-dns-proxy/LICENSE | 21 --------- net/https-dns-proxy/Makefile | 2 +- .../files/etc/config/https-dns-proxy | 1 + .../files/etc/init.d/https-dns-proxy | 44 ++++++++++++++++++- 4 files changed, 44 insertions(+), 24 deletions(-) delete mode 100644 net/https-dns-proxy/LICENSE diff --git a/net/https-dns-proxy/LICENSE b/net/https-dns-proxy/LICENSE deleted file mode 100644 index d5f962817d..0000000000 --- a/net/https-dns-proxy/LICENSE +++ /dev/null 
@@ -1,21 +0,0 @@ -MIT License - -Copyright (c) 2026 MOSSDeF - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. diff --git a/net/https-dns-proxy/Makefile b/net/https-dns-proxy/Makefile index 7103324acc..27f3b7f563 100644 --- a/net/https-dns-proxy/Makefile +++ b/net/https-dns-proxy/Makefile @@ -3,7 +3,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=https-dns-proxy PKG_VERSION:=2025.12.29 -PKG_RELEASE:=4 +PKG_RELEASE:=5 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://github.com/aarond10/https_dns_proxy/ diff --git a/net/https-dns-proxy/files/etc/config/https-dns-proxy b/net/https-dns-proxy/files/etc/config/https-dns-proxy index 1ccec50f2c..d43a8189d1 100644 --- a/net/https-dns-proxy/files/etc/config/https-dns-proxy +++ b/net/https-dns-proxy/files/etc/config/https-dns-proxy 
@@ -3,6 +3,7 @@ config main 'config' option canary_domains_mozilla '1' option dnsmasq_config_update '*' option force_dns '1' + option notrack_dns '1' list force_dns_port '53' list force_dns_port '853' # ports listed below are used by some diff --git a/net/https-dns-proxy/files/etc/init.d/https-dns-proxy b/net/https-dns-proxy/files/etc/init.d/https-dns-proxy index c1b0c61fe0..fa5a53b1c5 100755 --- a/net/https-dns-proxy/files/etc/init.d/https-dns-proxy +++ b/net/https-dns-proxy/files/etc/init.d/https-dns-proxy @@ -27,6 +27,7 @@ readonly BOOTSTRAP_GOOGLE='8.8.8.8,8.8.4.4,2001:4860:4860::8888,2001:4860:4860:: readonly DEFAULT_BOOTSTRAP="${BOOTSTRAP_CF},${BOOTSTRAP_GOOGLE}" readonly canaryDomainsMozilla='use-application-dns.net' readonly canaryDomainsiCloud='mask.icloud.com mask-h2.icloud.com' +readonly NOTRACK_NFT_FILE='/usr/share/nftables.d/ruleset-post/20-https-dns-proxy-notrack.nft' # Silence "Command failed: Not found" for redundant procd service delete calls __UBUS_BIN="$(command -v ubus || echo /bin/ubus)" @@ -46,6 +47,8 @@ canary_domains_mozilla= dnsmasq_config_update= force_dns= force_dns_port= +notrack_dns= +notrack_ports= force_dns_src_interface= procd_trigger_wan6= global_listen_addr= 
@@ -132,6 +135,34 @@ uci_changes() { [ -s "${UCI_CONFIG_DIR:-/etc/config/}${PACKAGE}" ] && \ [ -n "$(/sbin/uci ${UCI_CONFIG_DIR:+-c ${UCI_CONFIG_DIR}} changes "$PACKAGE${CONFIG:+.${CONFIG}}${OPTION:+.${OPTION}}")" ] } +notrack_nft() { + case "$1" in + update) + local port_set="$2" + local new_content existing_content + if [ -z "$port_set" ]; then + notrack_nft remove + return + fi + new_content="$(cat <<-EOF + chain raw_output_https_dns_proxy { + type filter hook output priority raw; policy accept; + meta l4proto { tcp, udp } th dport { ${port_set} } ip daddr 127.0.0.0/8 notrack + meta l4proto { tcp, udp } th sport { ${port_set} } ip saddr 127.0.0.0/8 notrack + } + EOF + )" + existing_content="$(cat "$NOTRACK_NFT_FILE" 2>/dev/null)" + [ "$new_content" = "$existing_content" ] && return 0 + echo "$new_content" > "$NOTRACK_NFT_FILE" + ;; + remove) + [ -f "$NOTRACK_NFT_FILE" ] || return 0 + rm -f "$NOTRACK_NFT_FILE" + ;; + esac +} + version() { echo "$PKG_VERSION"; } xappend() { PROG_param="$PROG_param $1"; } @@ -202,6 +233,7 @@ load_package_config() { config_get_bool canary_domains_icloud 'config' 'canary_domains_icloud' '1' config_get_bool canary_domains_mozilla 'config' 'canary_domains_mozilla' '1' config_get_bool force_dns 'config' 'force_dns' '1' + config_get_bool notrack_dns 'config' 'notrack_dns' '1' config_get_bool procd_trigger_wan6 'config' 'procd_trigger_wan6' '0' config_get_bool global_force_http1 'config' 'force_http1' '0' config_get_bool global_force_http3 'config' 'force_http3' '0' @@ -226,6 +258,7 @@ load_package_config() { [ "$canary_domains_icloud" = '1' ] && canaryDomains="${canaryDomains:+${canaryDomains} }${canaryDomainsiCloud}" [ "$canary_domains_mozilla" = '1' ] && canaryDomains="${canaryDomains:+${canaryDomains} }${canaryDomainsMozilla}" [ "$force_dns" = '1' ] || unset force_dns + [ "$notrack_dns" = '1' ] || unset notrack_dns [ "$procd_trigger_wan6" = '1' ] || unset procd_trigger_wan6 } 
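Review bot: notrack_nft's update branch writes to $NOTRACK_NFT_FILE without checking that its directory exists, so on a system without the nftables firewall (no /usr/share/nftables.d/ruleset-post/) the `echo "$new_content" > "$NOTRACK_NFT_FILE"` fails noisily on every start; a guard before the write, `[ -d "${NOTRACK_NFT_FILE%/*}" ] || return 0`, keeps the function a no-op there (or use `mkdir -p` if the file is meant to be staged regardless). The bare `chain raw_output_https_dns_proxy { ... }` only parses because, as far as I recall, fw4 includes ruleset-post/*.nft inside `table inet fw4`; a comment above the function such as `# Writes a raw-hook output chain into fw4's ruleset-post include dir so loopback DNS traffic to/from the proxy ports bypasses conntrack` would spare the next reader that lookup. The `ip daddr 127.0.0.0/8` / `ip saddr 127.0.0.0/8` matches cover IPv4 loopback only, so if an instance can listen on `::1` (listen_addr handling is not visible in this hunk) that traffic stays tracked and would need matching `ip6` rules.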
@@ -321,6 +354,7 @@ start_instance() { # shellcheck disable=SC2181 if [ "$?" -eq 0 ]; then output_ok + notrack_ports="${notrack_ports:+${notrack_ports}, }${listen_port}" port="$((port+1))" else output_fail @@ -360,6 +394,11 @@ start_service() { fi ;; esac + if [ -n "$notrack_dns" ] && [ -n "$notrack_ports" ]; then + notrack_nft update "$notrack_ports" + else + notrack_nft remove + fi # if ! is_resolver_working; then # rc_procd stop_service 'on_failed_health_check' && service_stopped 'on_failed_health_check' # fi @@ -376,6 +415,7 @@ stop_service() { uci_commit 'dhcp' dnsmasq_restart || _error=1 fi + notrack_nft remove # shellcheck disable=SC2015 [ -z "$_error" ] && output_okn || output_failn } @@ -404,8 +444,8 @@ service_triggers() { fi } -service_started() { [ -n "$force_dns" ] && procd_set_config_changed firewall; } -service_stopped() { [ -n "$force_dns" ] && procd_set_config_changed firewall; } +service_started() { { [ -n "$force_dns" ] || [ -n "$notrack_dns" ]; } && procd_set_config_changed firewall; } +service_stopped() { { [ -n "$force_dns" ] || [ -n "$notrack_dns" ]; } && procd_set_config_changed firewall; } restart() { reload "$@"; } dnsmasq_instance_append_force_dns_port() {
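Review bot: The firewall reload trigger in the new service_started/service_stopped fires only while notrack_dns is still set, but start_service's else branch and stop_service call `notrack_nft remove` regardless, so a user who sets notrack_dns to '0' and restarts removes the file yet keeps the raw_output_https_dns_proxy chain in the live ruleset until something else reloads the firewall. I would have notrack_nft record when it actually wrote or removed the file (the two flag lines below belong in notrack_nft from the earlier hunk, plus a `notrack_nft_changed=` declaration next to the new notrack_dns/notrack_ports globals) and extend the two trigger conditions to that flag. This assumes start_service/stop_service and service_started/service_stopped run in one shell process (rc.common's rc_procd calls them in sequence, as I recall); if they do not, test for the file's presence before and after instead.
```shell
# in notrack_nft (earlier hunk): record an actual change of the include file
echo "$new_content" > "$NOTRACK_NFT_FILE" && notrack_nft_changed=1
# … unchanged: remove) guard …
rm -f "$NOTRACK_NFT_FILE" && notrack_nft_changed=1

service_started() { { [ -n "$force_dns" ] || [ -n "$notrack_dns" ] || [ -n "$notrack_nft_changed" ]; } && procd_set_config_changed firewall; }
service_stopped() { { [ -n "$force_dns" ] || [ -n "$notrack_dns" ] || [ -n "$notrack_nft_changed" ]; } && procd_set_config_changed firewall; }
```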