better error reporting/creation of /usr/share/nftables.d/ruleset-post

stangri · stangri · commit 454db63ac08b · 2026-05-16T02:25:46.000Z
diff --git a/Makefile b/Makefile
@@ -3,7 +3,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=https-dns-proxy
 PKG_VERSION:=2026.03.18
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://github.com/aarond10/https_dns_proxy/
@@ -58,6 +58,7 @@ define Package/https-dns-proxy/install
 	$(INSTALL_CONF) ./files/etc/config/https-dns-proxy $(1)/etc/config/https-dns-proxy
 	$(INSTALL_DIR) $(1)/etc/uci-defaults/
 	$(INSTALL_BIN) ./files/etc/uci-defaults/50-https-dns-proxy-migrate-options.sh $(1)/etc/uci-defaults/50-https-dns-proxy-migrate-options.sh
+	$(INSTALL_DIR) $(1)/usr/share/nftables.d/ruleset-post
 endef
 
 $(eval $(call BuildPackage,https-dns-proxy))
diff --git a/files/etc/init.d/https-dns-proxy b/files/etc/init.d/https-dns-proxy
@@ -136,6 +136,7 @@ uci_changes() {
 	[ -n "$(/sbin/uci ${UCI_CONFIG_DIR:+-c ${UCI_CONFIG_DIR}} changes "$PACKAGE${CONFIG:+.${CONFIG}}${OPTION:+.${OPTION}}")" ]
 }
 notrack_nft() {
+	command -v nft >/dev/null 2>&1 || return 0
 	case "$1" in
 		update)
 			local port_set="$2"
@@ -154,8 +155,14 @@ notrack_nft() {
 			)"
 			existing_content="$(cat "$NOTRACK_NFT_FILE" 2>/dev/null)"
 			if [ "$new_content" != "$existing_content" ]; then
-				mkdir -p "${NOTRACK_NFT_FILE%/*}"
-				echo "$new_content" > "$NOTRACK_NFT_FILE"
+				if ! mkdir -p "${NOTRACK_NFT_FILE%/*}"; then
+					logger -t "$packageName" "Failed to create ${NOTRACK_NFT_FILE%/*}; skipping notrack rules"
+					return 1
+				fi
+				if ! echo "$new_content" > "$NOTRACK_NFT_FILE"; then
+					logger -t "$packageName" "Failed to write $NOTRACK_NFT_FILE; skipping notrack rules"
+					return 1
+				fi
 			fi
 			[ -s "$NOTRACK_NFT_FILE" ] && nft -c -f "$NOTRACK_NFT_FILE"
 		;;
diff --git a/tests/run_tests.sh b/tests/run_tests.sh
@@ -704,6 +704,41 @@ notrack_nft remove
 assert_rc "notrack_nft remove succeeds when file and table both absent" 0 $?
 __nft_rc=0
 
+# ── nft binary absent: notrack_nft is a no-op ──
+# Without firewall4/nftables installed, the package should not error;
+# `command -v nft` returns non-zero and notrack_nft returns 0 immediately.
+rm -rf "$TESTDIR/usr/share"
+__saved_nft_def="$(typeset -f nft 2>/dev/null || declare -f nft)"
+unset -f nft
+mkdir -p "$TESTDIR/empty-path"
+__saved_path="$PATH"
+PATH="$TESTDIR/empty-path"
+
+notrack_nft update "53"
+assert_rc "notrack_nft update is a no-op when nft binary is absent" 0 $?
+
+[ ! -f "$NOTRACK_TEST_FILE" ]
+assert_rc "notrack_nft did not write snippet when nft is absent" 0 $?
+
+PATH="$__saved_path"
+eval "$__saved_nft_def"
+
+# ── mkdir failure path returns non-zero ──
+# Place a regular file at the would-be parent dir so mkdir -p must fail.
+# Defensive logic should return 1 instead of falling through to a broken
+# redirection.
+rm -rf "$TESTDIR/usr/share"
+mkdir -p "$(dirname "$(dirname "$NOTRACK_TEST_FILE")")"
+: > "$(dirname "$NOTRACK_TEST_FILE")"
+
+notrack_nft update "53" 2>/dev/null
+assert_rc "notrack_nft update returns 1 when parent dir cannot be created" 1 $?
+
+[ ! -f "$NOTRACK_TEST_FILE" ]
+assert_rc "notrack_nft did not write snippet on mkdir failure" 0 $?
+
+rm -f "$(dirname "$NOTRACK_TEST_FILE")"
+
 ###############################################################################
 #                         SHELL SCRIPT SYNTAX                                 #
 ###############################################################################
