44 lines
1.5 KiB
TypeScript
44 lines
1.5 KiB
TypeScript
|
import type { SmartNftables } from './nft.manager.js';
|
||
|
|
import type { INftRateLimitRule, INftConnectionRateRule } from './nft.types.js';
|
||
|
|
import { buildRateLimitRule, buildConnectionRateRule } from './nft.rulebuilder.ratelimit.js';
|
||
|
|
|
||
|
|
/**
|
||
|
|
* Manages rate limiting rules using nft meters and limit expressions.
|
||
|
|
*/
|
||
|
|
export class RateLimitManager {
|
||
|
|
constructor(private parent: SmartNftables) {}
|
||
|
|
|
||
|
|
/**
|
||
|
|
* Add a rate limit rule (global or per-IP).
|
||
|
|
*/
|
||
|
|
public async addRateLimit(groupId: string, rule: INftRateLimitRule): Promise<void> {
|
||
|
|
await this.parent.ensureFilterChains();
|
||
|
|
const commands = buildRateLimitRule(this.parent.tableName, this.parent.family, rule);
|
||
|
|
await this.parent.applyRuleGroup(`ratelimit:${groupId}`, commands);
|
||
|
|
}
|
||
|
|
|
||
|
|
/**
|
||
|
|
* Remove a rate limit rule group.
|
||
|
|
*/
|
||
|
|
public async removeRateLimit(groupId: string): Promise<void> {
|
||
|
|
await this.parent.removeRuleGroup(`ratelimit:${groupId}`);
|
||
|
|
}
|
||
|
|
|
||
|
|
/**
|
||
|
|
* Add a new-connection rate limit rule.
|
||
|
|
* Limits the rate of new TCP/UDP connections (ct state new).
|
||
|
|
*/
|
||
|
|
public async addConnectionRateLimit(groupId: string, rule: INftConnectionRateRule): Promise<void> {
|
||
|
|
await this.parent.ensureFilterChains();
|
||
|
|
const commands = buildConnectionRateRule(this.parent.tableName, this.parent.family, rule);
|
||
|
|
await this.parent.applyRuleGroup(`connrate:${groupId}`, commands);
|
||
|
|
}
|
||
|
|
|
||
|
|
/**
|
||
|
|
* Remove a connection rate limit rule group.
|
||
|
|
*/
|
||
|
|
public async removeConnectionRateLimit(groupId: string): Promise<void> {
|
||
|
|
await this.parent.removeRuleGroup(`connrate:${groupId}`);
|
||
|
|
}
|
||
|
|
}
|