Implemented GitLab issue #3 (multi-connection YAML config), the largest change this session: #58

Merged
danny merged 4 commits from issue3_single_config_and_process into main 2026-07-04 17:00:35 +01:00
danny commented 2026-07-04 16:55:14 +01:00 (Migrated from gitlab.keyop.co.uk)

Claude's work:

New capability: nfq_forwarder --config runs many connections (queue number/jump host/network/ports) concurrently in a single process, replacing the current supervisord-based fan-out of ~30 separate OS processes.
Legacy single-connection CLI flags (-j/-l/-n/-p/-q) still work unchanged and take a different, mutually-exclusive path — --config fully governs when set, never merged with flags.

Key design points:

  • internal/config gained a Connection struct + LoadFromFile (YAML parsing with fail-fast validation: empty file, duplicate queue numbers, bad CIDR, out-of-range queue, missing ports).
  • NFQForwarderMain now spawns one runConnection goroutine per connection; a bad connection (queue conflict, bad CIDR) logs and stops in isolation without affecting siblings — required converting
    initNfqueue/initNfqIptables/deleteNfqIptablesRules from os.Exit/log.Fatalf to returning errors.
  • Chained/dependent tunnels (found in the real production config — some jump hosts are only reachable through another connection's own tunnel) rely entirely on the existing lazy-dial retry-cooldown from issue #14 to
    self-heal, with no new ordering config.
  • sshtunnel.Dial gained optional global SSH key/known_hosts path overrides, addressing the "hardcoded user data" concern from issue #6.
  • Caught and fixed a real bug during design review: a naive CLI-always-wins precedence for verbose/debug/profile would have silently stomped a YAML file's debug: true back to false; fixed with ctx.IsSet(...) guards.

Verified: make test/make lint clean, 5x repeated -race runs stable, coverage improved across all touched packages (config still 100%, setup 45%→53.6%, nfq_forwarder 47.2%→49.6%, sshtunnel 55.1%→59.0%). Confirmed --help
shows the new flag correctly.

Not verified (no root/iptables in this sandbox — saved to memory): real concurrent multi-queue operation, the chained-tunnel self-heal end-to-end, SSH key overrides against a real handshake, and per-connection isolation
under real misconfiguration. The real ~30-entry supervisord config still needs manual translation into YAML — explicitly out of scope here.

Should resolve
https://gitlab.keyop.co.uk/keyop/go/nfq_forwarder/-/work_items/3 but
needs testing.

Claude's work: New capability: nfq_forwarder --config <path> runs many connections (queue number/jump host/network/ports) concurrently in a single process, replacing the current supervisord-based fan-out of ~30 separate OS processes. Legacy single-connection CLI flags (-j/-l/-n/-p/-q) still work unchanged and take a different, mutually-exclusive path — --config fully governs when set, never merged with flags. Key design points: - internal/config gained a Connection struct + LoadFromFile (YAML parsing with fail-fast validation: empty file, duplicate queue numbers, bad CIDR, out-of-range queue, missing ports). - NFQForwarderMain now spawns one runConnection goroutine per connection; a bad connection (queue conflict, bad CIDR) logs and stops in isolation without affecting siblings — required converting initNfqueue/initNfqIptables/deleteNfqIptablesRules from os.Exit/log.Fatalf to returning errors. - Chained/dependent tunnels (found in the real production config — some jump hosts are only reachable through another connection's own tunnel) rely entirely on the existing lazy-dial retry-cooldown from issue #14 to self-heal, with no new ordering config. - sshtunnel.Dial gained optional global SSH key/known_hosts path overrides, addressing the "hardcoded user data" concern from issue #6. - Caught and fixed a real bug during design review: a naive CLI-always-wins precedence for verbose/debug/profile would have silently stomped a YAML file's debug: true back to false; fixed with ctx.IsSet(...) guards. Verified: make test/make lint clean, 5x repeated -race runs stable, coverage improved across all touched packages (config still 100%, setup 45%→53.6%, nfq_forwarder 47.2%→49.6%, sshtunnel 55.1%→59.0%). Confirmed --help shows the new flag correctly. Not verified (no root/iptables in this sandbox — saved to memory): real concurrent multi-queue operation, the chained-tunnel self-heal end-to-end, SSH key overrides against a real handshake, and per-connection isolation under real misconfiguration. The real ~30-entry supervisord config still needs manual translation into YAML — explicitly out of scope here. Should resolve https://gitlab.keyop.co.uk/keyop/go/nfq_forwarder/-/work_items/3 but needs testing.
danny commented 2026-07-04 16:55:14 +01:00 (Migrated from gitlab.keyop.co.uk)

requested review from @danny

requested review from @danny
danny commented 2026-07-04 16:55:14 +01:00 (Migrated from gitlab.keyop.co.uk)

assigned to @danny

assigned to @danny
danny (Migrated from gitlab.keyop.co.uk) approved these changes 2026-07-04 16:55:14 +01:00
danny commented 2026-07-04 17:00:19 +01:00 (Migrated from gitlab.keyop.co.uk)

This all seems to work as expected.

This all seems to work as expected.
danny commented 2026-07-04 17:00:19 +01:00 (Migrated from gitlab.keyop.co.uk)

approved this merge request

approved this merge request
danny commented 2026-07-04 17:00:35 +01:00 (Migrated from gitlab.keyop.co.uk)

mentioned in commit c25018fc07

mentioned in commit c25018fc07c6bc66c774c48b778b447e622b3ec8
danny (Migrated from gitlab.keyop.co.uk) merged commit c25018fc07 into main 2026-07-04 17:00:35 +01:00
danny commented 2026-07-06 07:42:17 +01:00 (Migrated from gitlab.keyop.co.uk)

mentioned in commit 4dce470255

mentioned in commit 4dce4702559a0af660cfad5a496e8e9ed7110ec3
Sign in to join this conversation.
No reviewers
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
keyop-go/nfq_forwarder!58
No description provided.