@bitcall/webrtc-sip-gateway 0.3.4 → 0.3.6
- package/README.md +6 -0
- package/lib/firewall.js +76 -18
- package/package.json +1 -1
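--- a/package/README.md
+++ b/package/README.md
@@ -12,6 +12,12 @@ Latest updates:
 - Docker image includes `sngrep` and `tcpdump` for SIP troubleshooting.
 - `sip-trace` opens a live SIP message viewer using `sngrep` in the container
 via compose service execution.
+- Fixed nftables media firewall rule generation for IPv6 media-block mode
+(nft-compatible port ranges and rule action order).
+- Media firewall status now checks both nft and ip6tables marker rules so
+legacy ip6tables protections are reported correctly.
+- In-dialog BYE handling is hardened: BYE requests with broken/missing route-set
+now attempt alias/usrloc fallback before 404.
 - `TURN_MODE=coturn` now generates a compose stack with a dedicated coturn
 container.
 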
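--- a/package/lib/firewall.js
+++ b/package/lib/firewall.js
@@ -94,8 +94,11 @@ function buildNftRuleset(options = {}) {
 ];
 
 for (const rule of rules) {
+const nftDport = String(rule.dport).includes(":")
+? String(rule.dport).replace(":", "-")
+: String(rule.dport);
 lines.push(
-` meta nfproto ipv6 ${rule.proto} dport ${
+` meta nfproto ipv6 ${rule.proto} dport ${nftDport} drop comment \"${MARKER}\"`
 );
 }
 
@@ -282,8 +285,19 @@ function applyMediaIpv4OnlyRules(options = {}, runtime = {}) {
 const backend = runtime.backend || detectFirewallBackend(d);
 
 if (backend === "nft") {
-
-
+try {
+applyNftRules(options, d);
+return { backend };
+} catch (error) {
+if (runtime.backend || !d.commandExists("ip6tables")) {
+throw error;
+}
+applyIp6tablesRules(options, d);
+return {
+backend: "ip6tables",
+fallbackFrom: "nft",
+};
+}
 }
 
 if (backend === "ip6tables") {
@@ -296,33 +310,77 @@ function applyMediaIpv4OnlyRules(options = {}, runtime = {}) {
 
 function removeMediaIpv4OnlyRules(options = {}, runtime = {}) {
 const d = withDeps(runtime.deps);
-const backend = runtime.backend
+const backend = runtime.backend;
 
-if (backend
+if (!backend) {
+const removed = [];
+
+if (d.commandExists("nft") && isNftPresent(d)) {
+removeNftRules(d);
+removed.push("nft");
+}
+if (d.commandExists("ip6tables") && isIp6tablesPresent(d)) {
+removeIp6tablesRules(options, d);
+removed.push("ip6tables");
+}
+
+if (removed.length > 0) {
+return { backend: removed.join("+") };
+}
+}
+
+const selectedBackend = backend || detectFirewallBackend(d);
+
+if (selectedBackend === "nft") {
 removeNftRules(d);
-return { backend };
+return { backend: selectedBackend };
 }
 
-if (
+if (selectedBackend === "ip6tables") {
 removeIp6tablesRules(options, d);
-return { backend };
+return { backend: selectedBackend };
 }
 
-throw new Error(`Unsupported firewall backend: ${
+throw new Error(`Unsupported firewall backend: ${selectedBackend}`);
 }
 
 function isMediaIpv4OnlyRulesPresent(runtime = {}) {
 const d = withDeps(runtime.deps);
-
+const backend = runtime.backend;
+
+if (!backend) {
+const nftEnabled = d.commandExists("nft") ? isNftPresent(d) : false;
+if (nftEnabled) {
+return {
+enabled: true,
+backend: "nft",
+marker: MARKER,
+};
+}
 
-
-
-
-
-
-
-
-}
+const ip6tablesEnabled = d.commandExists("ip6tables") ? isIp6tablesPresent(d) : false;
+if (ip6tablesEnabled) {
+return {
+enabled: true,
+backend: "ip6tables",
+marker: MARKER,
+};
+}
+
+try {
+const preferredBackend = detectFirewallBackend(d);
+return {
+enabled: false,
+backend: preferredBackend,
+marker: MARKER,
+};
+} catch (error) {
+return {
+enabled: false,
+backend: null,
+error: error.message,
+};
+}
 }
 
 if (backend === "nft") {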
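Review bot: The new `catch (error)` in `applyMediaIpv4OnlyRules` (new lines 291–299) discards the nft failure when it falls back to ip6tables, so a host whose firewall backend silently changed keeps no record of why nft was rejected. Carry the cause in the result, for example by adding `fallbackReason: error.message,` next to `fallbackFrom: "nft",`, so callers and logs can surface it. Whether `applyNftRules` can leave a partly applied ruleset behind before throwing is not visible here; if it can, the fallback would stack ip6tables rules on top of it, and `isMediaIpv4OnlyRulesPresent` checks nft first and would report `backend: "nft"`. The function's body starts before and continues after this hunk.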