https-dns-proxy: correct duplicate nft rules and error tracking

[egc112]

Refactor https-dns-proxy init script for nftables
The problem from issue #7 is solved 👍

Some small remaining things:
Every time the firewall restarts there are duplicate nft rules.

A better approach might be to add the table and then flush it.

Furthermore seeing line

https-dns-proxy/files/etc/init.d/https-dns-proxy

Line 166 in 64d18e1

[ ! -s "$NOTRACK_NFT_FILE" ]

makes me think you have added it for error tracking?

In that case you might need to add code when that is called see my last proposed change

Signed-off-by: Erik Conijn egc112@msn.com

[stangri]

Hey Erik, thank you for this PR. I wonder if the service should report the nft errors as less critical events compared to being unable to start instances and/or being unable to set up DNS hijack and as such should report nft issues as warnings?

[stangri]

Ah, sorry, missed the most important part of the PR -- so the proposed style matches pbr a bit better, can you please elaborate why is it a better approach?

[egc112]

Hey Erik, thank you for this PR. I wonder if the service should report the nft errors as less critical events compared to being unable to start instances and/or being unable to set up DNS hijack and as such should report nft issues as warnings?

A warning should be better indeed instead of an error

[egc112]

Ah, sorry, missed the most important part of the PR -- so the proposed style matches pbr a bit better, can you please elaborate why is it a better approach?

I looked into that and it seems the style does not matter, the rules are still executed in one pass.

I actually made two PR's also one with the style which is now used so like:

table inet https_dns_proxy_notrack
flush table inet https_dns_proxy_notrack
table inet https_dns_proxy_notrack {
		chain raw_output {
			type filter hook output priority raw; policy accept;
			meta l4proto { tcp, udp } th dport { ${port_set} } ip daddr 127.0.0.0/8 counter notrack
			meta l4proto { tcp, udp } th sport { ${port_set} } ip saddr 127.0.0.0/8 counter notrack
		}
}

that is also perfectly fine, I also tested that and I can imagine you like that better and want to opt for that in which case you only need to add the first to rules and should be good

But in the end both do the same

[stangri]

@egc112 it's still marked as draft, should I merge this and then address the nft delete table fails separately?

PS. I don't mind imperative style over declarative style, if anything imperative style you used is easier to understand.

[egc112]

I removed the draft status but use it anyway you like, you can also make the necessary changes and just discard this PR.

[stangri]

Merged with thanks!