test/test.rulebuilder-nat.ts

import { tap, expect } from '@git.zone/tstest/tapbundle';
import {
  buildDnatRules,
  buildSnatRule,
  buildMasqueradeRule,
} from '../ts/nft.rulebuilder.nat.js';

tap.test('should build basic DNAT rule with masquerade', async () => {
  const rules = buildDnatRules('mytable', 'ip', {
    sourcePort: 443,
    targetHost: '10.0.0.1',
    targetPort: 8443,
  });

  expect(rules.length).toEqual(2);
  expect(rules[0]).toInclude('dnat to 10.0.0.1:8443');
  expect(rules[0]).toInclude('dport 443');
  expect(rules[0]).toInclude('tcp');
  expect(rules[1]).toInclude('masquerade');
  expect(rules[1]).toInclude('dport 8443');
});

tap.test('should skip masquerade when preserveSourceIP is true', async () => {
  const rules = buildDnatRules('mytable', 'ip', {
    sourcePort: 443,
    targetHost: '10.0.0.1',
    targetPort: 8443,
    preserveSourceIP: true,
  });

  expect(rules.length).toEqual(1);
  expect(rules[0]).toInclude('dnat to 10.0.0.1:8443');
  for (const r of rules) {
    expect(r).not.toInclude('masquerade');
  }
});

tap.test('should generate TCP and UDP rules for protocol both', async () => {
  const rules = buildDnatRules('mytable', 'ip', {
    sourcePort: 53,
    targetHost: '10.0.0.53',
    targetPort: 53,
    protocol: 'both',
  });

  // TCP DNAT + masquerade + UDP DNAT + masquerade = 4
  expect(rules.length).toEqual(4);
  const tcpRules = rules.filter(r => r.includes('tcp'));
  const udpRules = rules.filter(r => r.includes('udp'));
  expect(tcpRules.length).toEqual(2);
  expect(udpRules.length).toEqual(2);
});

tap.test('should generate UDP-only rules', async () => {
  const rules = buildDnatRules('mytable', 'ip', {
    sourcePort: 53,
    targetHost: '10.0.0.53',
    targetPort: 53,
    protocol: 'udp',
  });

  for (const r of rules) {
    expect(r).not.toInclude('tcp');
  }
  expect(rules.some(r => r.includes('udp dport 53 dnat'))).toBeTrue();
});

tap.test('should build SNAT rule', async () => {
  const rules = buildSnatRule('mytable', 'ip', {
    sourceAddress: '192.168.1.1',
    targetPort: 80,
  });

  expect(rules.length).toEqual(1);
  expect(rules[0]).toInclude('snat to 192.168.1.1');
  expect(rules[0]).toInclude('dport 80');
});

tap.test('should build masquerade rule', async () => {
  const rules = buildMasqueradeRule('mytable', 'ip', {
    targetPort: 8080,
    protocol: 'both',
  });

  expect(rules.length).toEqual(2);
  expect(rules[0]).toInclude('tcp');
  expect(rules[0]).toInclude('masquerade');
  expect(rules[1]).toInclude('udp');
});

tap.test('should use correct family in commands', async () => {
  const rules = buildDnatRules('mytable', 'inet', {
    sourcePort: 80,
    targetHost: '10.0.0.1',
    targetPort: 8080,
  });

  for (const r of rules) {
    expect(r).toInclude('inet mytable');
  }
});

export default tap.start();
initial 2026-03-26 10:32:05 +00:00			`import { tap, expect } from '@git.zone/tstest/tapbundle';`
			`import {`
			`buildDnatRules,`
			`buildSnatRule,`
			`buildMasqueradeRule,`
			`} from '../ts/nft.rulebuilder.nat.js';`

			`tap.test('should build basic DNAT rule with masquerade', async () => {`
			`const rules = buildDnatRules('mytable', 'ip', {`
			`sourcePort: 443,`
			`targetHost: '10.0.0.1',`
			`targetPort: 8443,`
			`});`

			`expect(rules.length).toEqual(2);`
			`expect(rules[0]).toInclude('dnat to 10.0.0.1:8443');`
			`expect(rules[0]).toInclude('dport 443');`
			`expect(rules[0]).toInclude('tcp');`
			`expect(rules[1]).toInclude('masquerade');`
			`expect(rules[1]).toInclude('dport 8443');`
			`});`

			`tap.test('should skip masquerade when preserveSourceIP is true', async () => {`
			`const rules = buildDnatRules('mytable', 'ip', {`
			`sourcePort: 443,`
			`targetHost: '10.0.0.1',`
			`targetPort: 8443,`
			`preserveSourceIP: true,`
			`});`

			`expect(rules.length).toEqual(1);`
			`expect(rules[0]).toInclude('dnat to 10.0.0.1:8443');`
			`for (const r of rules) {`
			`expect(r).not.toInclude('masquerade');`
			`}`
			`});`

			`tap.test('should generate TCP and UDP rules for protocol both', async () => {`
			`const rules = buildDnatRules('mytable', 'ip', {`
			`sourcePort: 53,`
			`targetHost: '10.0.0.53',`
			`targetPort: 53,`
			`protocol: 'both',`
			`});`

			`// TCP DNAT + masquerade + UDP DNAT + masquerade = 4`
			`expect(rules.length).toEqual(4);`
			`const tcpRules = rules.filter(r => r.includes('tcp'));`
			`const udpRules = rules.filter(r => r.includes('udp'));`
			`expect(tcpRules.length).toEqual(2);`
			`expect(udpRules.length).toEqual(2);`
			`});`

			`tap.test('should generate UDP-only rules', async () => {`
			`const rules = buildDnatRules('mytable', 'ip', {`
			`sourcePort: 53,`
			`targetHost: '10.0.0.53',`
			`targetPort: 53,`
			`protocol: 'udp',`
			`});`

			`for (const r of rules) {`
			`expect(r).not.toInclude('tcp');`
			`}`
			`expect(rules.some(r => r.includes('udp dport 53 dnat'))).toBeTrue();`
			`});`

			`tap.test('should build SNAT rule', async () => {`
			`const rules = buildSnatRule('mytable', 'ip', {`
			`sourceAddress: '192.168.1.1',`
			`targetPort: 80,`
			`});`

			`expect(rules.length).toEqual(1);`
			`expect(rules[0]).toInclude('snat to 192.168.1.1');`
			`expect(rules[0]).toInclude('dport 80');`
			`});`

			`tap.test('should build masquerade rule', async () => {`
			`const rules = buildMasqueradeRule('mytable', 'ip', {`
			`targetPort: 8080,`
			`protocol: 'both',`
			`});`

			`expect(rules.length).toEqual(2);`
			`expect(rules[0]).toInclude('tcp');`
			`expect(rules[0]).toInclude('masquerade');`
			`expect(rules[1]).toInclude('udp');`
			`});`

			`tap.test('should use correct family in commands', async () => {`
			`const rules = buildDnatRules('mytable', 'inet', {`
			`sourcePort: 80,`
			`targetHost: '10.0.0.1',`
			`targetPort: 8080,`
			`});`

			`for (const r of rules) {`
			`expect(r).toInclude('inet mytable');`
			`}`
			`});`

			`export default tap.start();`