npm - @bitcall/webrtc-sip-gateway - Versions diffs - 0.3.3 → 0.3.5 - Mend

@bitcall/webrtc-sip-gateway 0.3.3 → 0.3.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -7,10 +7,15 @@ Latest updates:
   startup, so advertise/origin/SIP transport values are runtime-accurate.
 - `init` and `reconfigure` stop an existing stack before preflight checks so
   the gateway's own `:5060` listener does not trigger false port conflicts.
-- `update` now syncs `BITCALL_GATEWAY_IMAGE` to the CLI target image tag
-  before pulling and restarting.
+- `update` now syncs `BITCALL_GATEWAY_IMAGE` to the CLI target image tag,
+  pulls, and force-recreates containers so new image layers are applied.
 - Docker image includes `sngrep` and `tcpdump` for SIP troubleshooting.
-- `sip-trace` opens a live SIP message viewer using `sngrep` in the container.
+- `sip-trace` opens a live SIP message viewer using `sngrep` in the container
+  via compose service execution.
+- Fixed nftables media firewall rule generation for IPv6 media-block mode
+  (nft-compatible port ranges and rule action order).
+- Media firewall status now checks both nft and ip6tables marker rules so
+  legacy ip6tables protections are reported correctly.
 - `TURN_MODE=coturn` now generates a compose stack with a dedicated coturn
   container.

package/lib/firewall.js CHANGED Viewed

@@ -94,8 +94,11 @@ function buildNftRuleset(options = {}) {
   ];
   for (const rule of rules) {
+    const nftDport = String(rule.dport).includes(":")
+      ? String(rule.dport).replace(":", "-")
+      : String(rule.dport);
     lines.push(
-      `    meta nfproto ipv6 ${rule.proto} dport ${rule.dport} comment \"${MARKER}\" drop`
+      `    meta nfproto ipv6 ${rule.proto} dport ${nftDport} drop comment \"${MARKER}\"`
     );
   }
@@ -282,8 +285,19 @@ function applyMediaIpv4OnlyRules(options = {}, runtime = {}) {
   const backend = runtime.backend || detectFirewallBackend(d);
   if (backend === "nft") {
-    applyNftRules(options, d);
-    return { backend };
+    try {
+      applyNftRules(options, d);
+      return { backend };
+    } catch (error) {
+      if (runtime.backend || !d.commandExists("ip6tables")) {
+        throw error;
+      }
+      applyIp6tablesRules(options, d);
+      return {
+        backend: "ip6tables",
+        fallbackFrom: "nft",
+      };
+    }
   }
   if (backend === "ip6tables") {
@@ -296,33 +310,77 @@ function applyMediaIpv4OnlyRules(options = {}, runtime = {}) {
 function removeMediaIpv4OnlyRules(options = {}, runtime = {}) {
   const d = withDeps(runtime.deps);
-  const backend = runtime.backend || detectFirewallBackend(d);
+  const backend = runtime.backend;
-  if (backend === "nft") {
+  if (!backend) {
+    const removed = [];
+    if (d.commandExists("nft") && isNftPresent(d)) {
+      removeNftRules(d);
+      removed.push("nft");
+    }
+    if (d.commandExists("ip6tables") && isIp6tablesPresent(d)) {
+      removeIp6tablesRules(options, d);
+      removed.push("ip6tables");
+    }
+    if (removed.length > 0) {
+      return { backend: removed.join("+") };
+    }
+  }
+  const selectedBackend = backend || detectFirewallBackend(d);
+  if (selectedBackend === "nft") {
     removeNftRules(d);
-    return { backend };
+    return { backend: selectedBackend };
   }
-  if (backend === "ip6tables") {
+  if (selectedBackend === "ip6tables") {
     removeIp6tablesRules(options, d);
-    return { backend };
+    return { backend: selectedBackend };
   }
-  throw new Error(`Unsupported firewall backend: ${backend}`);
+  throw new Error(`Unsupported firewall backend: ${selectedBackend}`);
 }
 function isMediaIpv4OnlyRulesPresent(runtime = {}) {
   const d = withDeps(runtime.deps);
-  let backend = runtime.backend;
+  const backend = runtime.backend;
+  if (!backend) {
+    const nftEnabled = d.commandExists("nft") ? isNftPresent(d) : false;
+    if (nftEnabled) {
+      return {
+        enabled: true,
+        backend: "nft",
+        marker: MARKER,
+      };
+    }
-  try {
-    backend = backend || detectFirewallBackend(d);
-  } catch (error) {
-    return {
-      enabled: false,
-      backend: null,
-      error: error.message,
-    };
+    const ip6tablesEnabled = d.commandExists("ip6tables") ? isIp6tablesPresent(d) : false;
+    if (ip6tablesEnabled) {
+      return {
+        enabled: true,
+        backend: "ip6tables",
+        marker: MARKER,
+      };
+    }
+    try {
+      const preferredBackend = detectFirewallBackend(d);
+      return {
+        enabled: false,
+        backend: preferredBackend,
+        marker: MARKER,
+      };
+    } catch (error) {
+      return {
+        enabled: false,
+        backend: null,
+        error: error.message,
+      };
+    }
   }
   if (backend === "nft") {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@bitcall/webrtc-sip-gateway",
-  "version": "0.3.3",
+  "version": "0.3.5",
   "description": "Linux CLI for bootstrapping and managing the Bitcall WebRTC-to-SIP Gateway",
   "repository": {
     "type": "git",

package/src/index.js CHANGED Viewed

@@ -1424,16 +1424,23 @@ function logsCommand(service, options) {
 function sipTraceCommand() {
   ensureInitialized();
-  const compose = detectComposeCommand();
-  const containerName = "bitcall-gateway";
+  const serviceName = "gateway";
+  const containerNameFallback = "bitcall-gateway";
   // Check if sngrep is available in the container
-  const check = run(
-    compose.command,
-    [...compose.prefixArgs, "exec", "-T", containerName, "which", "sngrep"],
-    { cwd: GATEWAY_DIR, check: false, stdio: "pipe" }
+  let check = runCompose(
+    ["exec", "-T", serviceName, "which", "sngrep"],
+    { check: false, stdio: "pipe" }
   );
+  // Backward-compatible fallback for stacks where service naming diverged.
+  if (check.status !== 0) {
+    check = run("docker", ["exec", containerNameFallback, "which", "sngrep"], {
+      check: false,
+      stdio: "pipe",
+    });
+  }
   if (check.status !== 0) {
     console.error("sngrep is not available in this gateway image.");
     console.error("Update to the latest image: sudo bitcall-gateway update");
@@ -1441,11 +1448,10 @@ function sipTraceCommand() {
   }
   // Run sngrep interactively inside the container
-  const result = run(
-    compose.command,
-    [...compose.prefixArgs, "exec", containerName, "sngrep"],
-    { cwd: GATEWAY_DIR, stdio: "inherit" }
-  );
+  const result = runCompose(["exec", serviceName, "sngrep"], {
+    check: false,
+    stdio: "inherit",
+  });
   process.exit(result.status || 0);
 }
@@ -1624,7 +1630,8 @@ function updateCommand() {
   }
   runCompose(["pull"], { stdio: "inherit" });
-  runSystemctl(["reload", SERVICE_NAME], ["up", "-d", "--remove-orphans"]);
+  runCompose(["up", "-d", "--force-recreate", "--remove-orphans"], { stdio: "inherit" });
+  run("systemctl", ["start", SERVICE_NAME], { check: false, stdio: "ignore" });
   console.log(`\n${clr(_c.green, "✓")} Gateway updated to ${clr(_c.bold, PACKAGE_VERSION)}.`);
   console.log(clr(_c.dim, "  To update the CLI: sudo npm i -g @bitcall/webrtc-sip-gateway@latest"));
@@ -1835,7 +1842,16 @@ function buildProgram() {
 async function main(argv = process.argv) {
   const program = buildProgram();
-  await program.parseAsync(argv);
+  const normalizedArgv = argv.map((value, index) => {
+    if (index <= 1) {
+      return value;
+    }
+    if (value === "--sip-trace" || value === "-sip-trace") {
+      return "sip-trace";
+    }
+    return value;
+  });
+  await program.parseAsync(normalizedArgv);
 }
 module.exports = {