push.rocks/smartproxy
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

BREAKING CHANGE(smart-proxy/utils/route-validator): Consolidate and refactor route validators; move to class-based API and update usages

Browse Source 
Replaced legacy route-validators.ts with a unified route-validator.ts that provides a class-based RouteValidator plus the previous functional API (isValidPort, isValidDomain, validateRouteMatch, validateRouteAction, validateRouteConfig, validateRoutes, hasRequiredPropertiesForAction, assertValidRoute) for backwards compatibility. Updated utils exports and all imports/tests to reference the new module. Also switched static file loading in certificate manager to use SmartFileFactory.nodeFs(), and added @push.rocks/smartserve to devDependencies.
This commit is contained in:
Jürgen Kunz
2025-12-09 09:33:50 +00:00
parent be3ac75422
commit c4b9d7eb72
14 changed files with 725 additions and 2837 deletions
Download Patch File Download Diff File Expand all files Collapse all files

141
ts/proxies/nftables-proxy/nftables-proxy.ts
View File

@@ -76,22 +76,30 @@ export class NfTablesProxy {
// Register cleanup handlers if deleteOnExit is true
if (this.settings.deleteOnExit) {
const cleanup = () => {
// Synchronous cleanup for 'exit' event (only sync code runs here)
const syncCleanup = () => {
try {
this.stopSync();
} catch (err) {
this.log('error', 'Error cleaning nftables rules on exit:', { error: err.message });
}
};
process.on('exit', cleanup);
// Async cleanup for signal handlers (preferred, non-blocking)
const asyncCleanup = async () => {
try {
await this.stop();
} catch (err) {
this.log('error', 'Error cleaning nftables rules on signal:', { error: err.message });
}
};
process.on('exit', syncCleanup);
process.on('SIGINT', () => {
cleanup();
process.exit();
asyncCleanup().finally(() => process.exit());
});
process.on('SIGTERM', () => {
cleanup();
process.exit();
asyncCleanup().finally(() => process.exit());
});
}
}
@@ -219,37 +227,17 @@ export class NfTablesProxy {
}
/**
* Execute system command synchronously with multiple attempts
* @deprecated This method blocks the event loop and should be avoided. Use executeWithRetry instead.
* WARNING: This method contains a busy wait loop that will block the entire Node.js event loop!
* Execute system command synchronously (single attempt, no retry)
* Used only for exit handlers where the process is terminating anyway.
* For normal operations, use the async executeWithRetry method.
*/
private executeWithRetrySync(command: string, maxRetries = 3, retryDelayMs = 1000): string {
// Log deprecation warning
console.warn('[DEPRECATION WARNING] executeWithRetrySync blocks the event loop and should not be used. Consider using the async executeWithRetry method instead.');
let lastError: Error | undefined;
for (let i = 0; i < maxRetries; i++) {
try {
return execSync(command).toString();
} catch (err) {
lastError = err;
this.log('warn', `Command failed (attempt ${i+1}/${maxRetries}): ${command}`, { error: err.message });
// Wait before retry, unless it's the last attempt
if (i < maxRetries - 1) {
// CRITICAL: This busy wait loop blocks the entire event loop!
// This is a temporary fallback for sync contexts only.
// TODO: Remove this method entirely and make all callers async
const waitUntil = Date.now() + retryDelayMs;
while (Date.now() < waitUntil) {
// Busy wait - blocks event loop
}
}
}
private executeSync(command: string): string {
try {
return execSync(command, { timeout: 5000 }).toString();
} catch (err) {
this.log('warn', `Sync command failed: ${command}`, { error: err.message });
throw err;
}
throw new NftExecutionError(`Failed after ${maxRetries} attempts: ${lastError?.message || 'Unknown error'}`);
}
/**
@@ -1649,67 +1637,66 @@ export class NfTablesProxy {
}
/**
* Synchronous version of stop, for use in exit handlers
* Synchronous version of stop, for use in exit handlers only.
* Uses single-attempt commands without retry (process is exiting anyway).
*/
public stopSync(): void {
try {
let rulesetContent = '';
// Process rules in reverse order (LIFO)
for (let i = this.rules.length - 1; i >= 0; i--) {
const rule = this.rules[i];
if (rule.added) {
// Create delete rules by replacing 'add' with 'delete'
const deleteRule = rule.ruleContents.replace('add rule', 'delete rule');
rulesetContent += `${deleteRule}\n`;
}
}
// Apply the ruleset if we have any rules to delete
if (rulesetContent) {
// Write to temporary file
fs.writeFileSync(this.tempFilePath, rulesetContent);
// Apply the ruleset
this.executeWithRetrySync(
`${NfTablesProxy.NFT_CMD} -f ${this.tempFilePath}`,
this.settings.maxRetries,
this.settings.retryDelayMs
);
// Apply the ruleset (single attempt, no retry - process is exiting)
this.executeSync(`${NfTablesProxy.NFT_CMD} -f ${this.tempFilePath}`);
this.log('info', 'Removed all added rules');
// Mark all rules as removed
this.rules.forEach(rule => {
rule.added = false;
rule.verified = false;
});
// Remove temporary file
fs.unlinkSync(this.tempFilePath);
try {
fs.unlinkSync(this.tempFilePath);
} catch {
// Ignore - process is exiting
}
}
// Clean up IP sets if we created any
if (this.settings.useIPSets && this.ipSets.size > 0) {
for (const [key, _] of this.ipSets) {
const [family, setName] = key.split(':');
try {
this.executeWithRetrySync(
`${NfTablesProxy.NFT_CMD} delete set ${family} ${this.tableName} ${setName}`,
this.settings.maxRetries,
this.settings.retryDelayMs
this.executeSync(
`${NfTablesProxy.NFT_CMD} delete set ${family} ${this.tableName} ${setName}`
);
} catch (err) {
} catch {
// Non-critical error, continue
}
}
}
// Optionally clean up tables if they're empty (sync version)
this.cleanupEmptyTablesSync();
this.log('info', 'NfTablesProxy stopped successfully');
} catch (err) {
this.log('error', `Error stopping NfTablesProxy: ${err.message}`);
@@ -1760,7 +1747,7 @@ export class NfTablesProxy {
}
/**
* Synchronous version of cleanupEmptyTables
* Synchronous version of cleanupEmptyTables (for exit handlers only)
*/
private cleanupEmptyTablesSync(): void {
// Check if tables are empty, and if so, delete them
@@ -1769,38 +1756,32 @@ export class NfTablesProxy {
if (family === 'ip6' && !this.settings.ipv6Support) {
continue;
}
try {
// Check if table exists
const tableExistsOutput = this.executeWithRetrySync(
`${NfTablesProxy.NFT_CMD} list tables ${family}`,
this.settings.maxRetries,
this.settings.retryDelayMs
const tableExistsOutput = this.executeSync(
`${NfTablesProxy.NFT_CMD} list tables ${family}`
);
const tableExists = tableExistsOutput.includes(`table ${family} ${this.tableName}`);
if (!tableExists) {
continue;
}
// Check if the table has any rules
const stdout = this.executeWithRetrySync(
`${NfTablesProxy.NFT_CMD} list table ${family} ${this.tableName}`,
this.settings.maxRetries,
this.settings.retryDelayMs
const stdout = this.executeSync(
`${NfTablesProxy.NFT_CMD} list table ${family} ${this.tableName}`
);
const hasRules = stdout.includes('rule');
if (!hasRules) {
// Table is empty, delete it
this.executeWithRetrySync(
`${NfTablesProxy.NFT_CMD} delete table ${family} ${this.tableName}`,
this.settings.maxRetries,
this.settings.retryDelayMs
this.executeSync(
`${NfTablesProxy.NFT_CMD} delete table ${family} ${this.tableName}`
);
this.log('info', `Deleted empty table ${family} ${this.tableName}`);
}
} catch (err) {