103 lines
3.7 KiB
TypeScript
103 lines
3.7 KiB
TypeScript
|
// ─── Protocol & Family ────────────────────────────────────────────
|
||
|
|
export type TNftProtocol = 'tcp' | 'udp' | 'both';
|
||
|
|
export type TNftFamily = 'ip' | 'ip6' | 'inet';
|
||
|
|
export type TNftChainHook = 'prerouting' | 'postrouting' | 'input' | 'output' | 'forward';
|
||
|
|
export type TNftChainType = 'nat' | 'filter';
|
||
|
|
export type TNftPolicy = 'accept' | 'drop';
|
||
|
|
export type TFirewallAction = 'accept' | 'drop' | 'reject';
|
||
|
|
export type TCtState = 'new' | 'established' | 'related' | 'invalid';
|
||
|
|
|
||
|
|
// ─── NAT ──────────────────────────────────────────────────────────
|
||
|
|
export interface INftDnatRule {
|
||
|
|
sourcePort: number;
|
||
|
|
targetHost: string;
|
||
|
|
targetPort: number;
|
||
|
|
protocol?: TNftProtocol;
|
||
|
|
preserveSourceIP?: boolean;
|
||
|
|
}
|
||
|
|
|
||
|
|
export interface INftSnatRule {
|
||
|
|
sourceAddress: string;
|
||
|
|
targetPort: number;
|
||
|
|
protocol?: TNftProtocol;
|
||
|
|
}
|
||
|
|
|
||
|
|
export interface INftMasqueradeRule {
|
||
|
|
targetPort: number;
|
||
|
|
protocol?: TNftProtocol;
|
||
|
|
}
|
||
|
|
|
||
|
|
// ─── Rate Limiting ────────────────────────────────────────────────
|
||
|
|
export interface INftRateLimitRule {
|
||
|
|
/** Port to rate-limit on. If omitted, applies to all ports. */
|
||
|
|
port?: number;
|
||
|
|
protocol?: TNftProtocol;
|
||
|
|
/** Rate expression, e.g. "100/second", "10 mbytes/second" */
|
||
|
|
rate: string;
|
||
|
|
/** Burst allowance in packets or bytes */
|
||
|
|
burst?: number;
|
||
|
|
/** If true, track rate per source IP using nft meters */
|
||
|
|
perSourceIP?: boolean;
|
||
|
|
/** Action for packets exceeding rate. Default: 'drop' */
|
||
|
|
action?: TFirewallAction;
|
||
|
|
/** Chain to apply the rule to. Default: 'input' */
|
||
|
|
chain?: 'input' | 'forward' | 'prerouting';
|
||
|
|
}
|
||
|
|
|
||
|
|
export interface INftConnectionRateRule {
|
||
|
|
/** Port to limit new connections on */
|
||
|
|
port?: number;
|
||
|
|
protocol?: TNftProtocol;
|
||
|
|
/** New connection rate, e.g. "10/second" */
|
||
|
|
rate: string;
|
||
|
|
/** If true, track per source IP */
|
||
|
|
perSourceIP?: boolean;
|
||
|
|
}
|
||
|
|
|
||
|
|
// ─── Firewall ─────────────────────────────────────────────────────
|
||
|
|
export interface INftFirewallRule {
|
||
|
|
direction: 'input' | 'output' | 'forward';
|
||
|
|
action: TFirewallAction;
|
||
|
|
sourceIP?: string;
|
||
|
|
destIP?: string;
|
||
|
|
sourcePort?: number;
|
||
|
|
destPort?: number;
|
||
|
|
protocol?: TNftProtocol;
|
||
|
|
ctStates?: TCtState[];
|
||
|
|
comment?: string;
|
||
|
|
}
|
||
|
|
|
||
|
|
export interface INftIPSetConfig {
|
||
|
|
name: string;
|
||
|
|
type: 'ipv4_addr' | 'ipv6_addr' | 'inet_service';
|
||
|
|
elements?: string[];
|
||
|
|
comment?: string;
|
||
|
|
}
|
||
|
|
|
||
|
|
// ─── Rule Group (tracking unit) ───────────────────────────────────
|
||
|
|
export interface INftRuleGroup {
|
||
|
|
id: string;
|
||
|
|
commands: string[];
|
||
|
|
createdAt: number;
|
||
|
|
}
|
||
|
|
|
||
|
|
// ─── Manager Options ──────────────────────────────────────────────
|
||
|
|
export interface ISmartNftablesOptions {
|
||
|
|
/** nftables table name. Default: 'smartnftables' */
|
||
|
|
tableName?: string;
|
||
|
|
/** Address family. Default: 'ip' */
|
||
|
|
family?: TNftFamily;
|
||
|
|
/** If true, generate commands but never execute them */
|
||
|
|
dryRun?: boolean;
|
||
|
|
}
|
||
|
|
|
||
|
|
// ─── Status / Reporting ───────────────────────────────────────────
|
||
|
|
export interface INftStatus {
|
||
|
|
initialized: boolean;
|
||
|
|
tableName: string;
|
||
|
|
family: TNftFamily;
|
||
|
|
isRoot: boolean;
|
||
|
|
activeGroups: number;
|
||
|
|
groups: Record<string, { ruleCount: number; createdAt: number }>;
|
||
|
|
}
|