https-dns-proxy: update to 2025.12.29-5

Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1

Description: Add nftables notrack for localhost traffic

  - Removed. License is now included in the main project.

net/https-dns-proxy/Makefile:
  - Bumped PKG_RELEASE to 5.

net/https-dns-proxy/files/etc/config/https-dns-proxy:
  - Added 'option notrack_dns '1'' to the default configuration.

net/https-dns-proxy/files/etc/init.d/https-dns-proxy:
  - Defined NOTRACK_NFT_FILE constant.
  - Added 'notrack_dns' and 'notrack_ports' variables.
  - Implemented 'notrack_nft' function to manage nftables rules for notracking local DNS traffic.
  - Enabled loading of 'notrack_dns' boolean from configuration.
  - Modified start_instance to collect listen_port into notrack_ports if notrack_dns is enabled.
  - Modified start_service to call notrack_nft update/remove based on notrack_dns and collected ports.
  - Modified stop_service to call notrack_nft remove.
  - Updated service_started and service_stopped to trigger firewall config changes when notrack_dns is enabled.

Signed-off-by: Stan Grishin <stangri@melmac.ca>
Stan Grishin
2026-04-24 18:28:04 +00:00
committed by Alexandru Ardelean
parent 0d952684b7
commit ebe149b7f3
4 changed files with 44 additions and 24 deletions
-21
@@ -1,21 +0,0 @@
MIT License
Copyright (c) 2026 MOSSDeF
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
+1 -1
@@ -3,7 +3,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=https-dns-proxy
PKG_VERSION:=2025.12.29
PKG_RELEASE:=4
PKG_RELEASE:=5
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://github.com/aarond10/https_dns_proxy/
@@ -3,6 +3,7 @@ config main 'config'
option canary_domains_mozilla '1'
option dnsmasq_config_update '*'
option force_dns '1'
option notrack_dns '1'
list force_dns_port '53'
list force_dns_port '853'
# ports listed below are used by some
@@ -27,6 +27,7 @@ readonly BOOTSTRAP_GOOGLE='8.8.8.8,8.8.4.4,2001:4860:4860::8888,2001:4860:4860::
readonly DEFAULT_BOOTSTRAP="${BOOTSTRAP_CF},${BOOTSTRAP_GOOGLE}"
readonly canaryDomainsMozilla='use-application-dns.net'
readonly canaryDomainsiCloud='mask.icloud.com mask-h2.icloud.com'
readonly NOTRACK_NFT_FILE='/usr/share/nftables.d/ruleset-post/20-https-dns-proxy-notrack.nft'
# Silence "Command failed: Not found" for redundant procd service delete calls
__UBUS_BIN="$(command -v ubus || echo /bin/ubus)"
@@ -46,6 +47,8 @@ canary_domains_mozilla=
dnsmasq_config_update=
force_dns=
force_dns_port=
notrack_dns=
notrack_ports=
force_dns_src_interface=
procd_trigger_wan6=
global_listen_addr=
@@ -132,6 +135,34 @@ uci_changes() {
[ -s "${UCI_CONFIG_DIR:-/etc/config/}${PACKAGE}" ] && \
[ -n "$(/sbin/uci ${UCI_CONFIG_DIR:+-c ${UCI_CONFIG_DIR}} changes "$PACKAGE${CONFIG:+.${CONFIG}}${OPTION:+.${OPTION}}")" ]
}
notrack_nft() {
case "$1" in
update)
local port_set="$2"
local new_content existing_content
if [ -z "$port_set" ]; then
notrack_nft remove
return
fi
new_content="$(cat <<-EOF
chain raw_output_https_dns_proxy {
type filter hook output priority raw; policy accept;
meta l4proto { tcp, udp } th dport { ${port_set} } ip daddr 127.0.0.0/8 notrack
meta l4proto { tcp, udp } th sport { ${port_set} } ip saddr 127.0.0.0/8 notrack
}
EOF
)"
existing_content="$(cat "$NOTRACK_NFT_FILE" 2>/dev/null)"
[ "$new_content" = "$existing_content" ] && return 0
echo "$new_content" > "$NOTRACK_NFT_FILE"
;;
remove)
[ -f "$NOTRACK_NFT_FILE" ] || return 0
rm -f "$NOTRACK_NFT_FILE"
;;
esac
}
version() { echo "$PKG_VERSION"; }
xappend() { PROG_param="$PROG_param $1"; }
@@ -202,6 +233,7 @@ load_package_config() {
config_get_bool canary_domains_icloud 'config' 'canary_domains_icloud' '1'
config_get_bool canary_domains_mozilla 'config' 'canary_domains_mozilla' '1'
config_get_bool force_dns 'config' 'force_dns' '1'
config_get_bool notrack_dns 'config' 'notrack_dns' '1'
config_get_bool procd_trigger_wan6 'config' 'procd_trigger_wan6' '0'
config_get_bool global_force_http1 'config' 'force_http1' '0'
config_get_bool global_force_http3 'config' 'force_http3' '0'
@@ -226,6 +258,7 @@ load_package_config() {
[ "$canary_domains_icloud" = '1' ] && canaryDomains="${canaryDomains:+${canaryDomains} }${canaryDomainsiCloud}"
[ "$canary_domains_mozilla" = '1' ] && canaryDomains="${canaryDomains:+${canaryDomains} }${canaryDomainsMozilla}"
[ "$force_dns" = '1' ] || unset force_dns
[ "$notrack_dns" = '1' ] || unset notrack_dns
[ "$procd_trigger_wan6" = '1' ] || unset procd_trigger_wan6
}
@@ -321,6 +354,7 @@ start_instance() {
# shellcheck disable=SC2181
if [ "$?" -eq 0 ]; then
output_ok
notrack_ports="${notrack_ports:+${notrack_ports}, }${listen_port}"
port="$((port+1))"
else
output_fail
@@ -360,6 +394,11 @@ start_service() {
fi
;;
esac
if [ -n "$notrack_dns" ] && [ -n "$notrack_ports" ]; then
notrack_nft update "$notrack_ports"
else
notrack_nft remove
fi
# if ! is_resolver_working; then
# rc_procd stop_service 'on_failed_health_check' && service_stopped 'on_failed_health_check'
# fi
@@ -376,6 +415,7 @@ stop_service() {
uci_commit 'dhcp'
dnsmasq_restart || _error=1
fi
notrack_nft remove
# shellcheck disable=SC2015
[ -z "$_error" ] && output_okn || output_failn
}
@@ -404,8 +444,8 @@ service_triggers() {
fi
}
service_started() { [ -n "$force_dns" ] && procd_set_config_changed firewall; }
service_stopped() { [ -n "$force_dns" ] && procd_set_config_changed firewall; }
service_started() { { [ -n "$force_dns" ] || [ -n "$notrack_dns" ]; } && procd_set_config_changed firewall; }
service_stopped() { { [ -n "$force_dns" ] || [ -n "$notrack_dns" ]; } && procd_set_config_changed firewall; }
restart() { reload "$@"; }
dnsmasq_instance_append_force_dns_port() {
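Review bot: In the `notrack_nft` hunk, `port_set` is interpolated unvalidated into the fw4 ruleset-post include at the `th dport { ${port_set} }` and `th sport { ${port_set} }` lines, so a `listen_port` value that is not a plain number (a typo in UCI, or an empty instance value leaving a stray `, ` from the accumulation in start_instance) becomes a syntax error in `20-https-dns-proxy-notrack.nft`, and fw4 would then presumably reject its whole ruleset load rather than only this chain; unless `listen_port` is already validated elsewhere in start_instance (its body lies outside the hunk), a guard before the heredoc such as `case "$port_set" in *[!0-9, ]*) notrack_nft remove; return 1;; esac` keeps one bad port from taking the firewall reload down with it. The rules also match only IPv4 loopback (`ip daddr 127.0.0.0/8` / `ip saddr 127.0.0.0/8`), so an instance bound to `::1` gets no notrack; adding the `ip6 daddr ::1` / `ip6 saddr ::1` counterparts would make the chain cover the "localhost traffic" the description promises. Finally, `echo "$new_content" > "$NOTRACK_NFT_FILE"` is not atomic; writing to `"$NOTRACK_NFT_FILE.tmp"` and then `mv -f` onto the target avoids fw4 reading a truncated include if a firewall reload races with this write.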