push.rocks/smartnftables
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

initial

Browse Source
This commit is contained in:
Jürgen Kunz
2026-03-26 10:32:05 +00:00
commit 450bc4a2b0
26 changed files with 10156 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
.gitignore vendored Normal file
View File

@@ -0,0 +1,20 @@
.nogit/
# artifacts
coverage/
public/
# installs
node_modules/
# caches
.yarn/
.cache/
.rpt2_cache
# builds
dist/
dist_*/
#------# custom
.claude/*

36
.smartconfig.json Normal file
View File

@@ -0,0 +1,36 @@
{
"@git.zone/cli": {
"projectType": "npm",
"module": {
"githost": "code.foss.global",
"gitscope": "push.rocks",
"gitrepo": "smartnftables",
"description": "A TypeScript module for managing nftables rules including NAT, firewall, and rate limiting with a high-level API.",
"npmPackagename": "@push.rocks/smartnftables",
"license": "MIT",
"projectDomain": "push.rocks",
"keywords": [
"nftables",
"firewall",
"nat",
"rate limiting",
"network",
"linux",
"packet filter",
"port forwarding",
"ip sets",
"kernel firewall"
]
},
"release": {
"registries": [
"https://verdaccio.lossless.digital",
"https://registry.npmjs.org"
],
"accessLevel": "public"
}
},
"@git.zone/tsdoc": {
"legal": "\n## License and Legal Information\n\nThis repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository. \n\n**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.\n\n### Trademarks\n\nThis project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH and are not included within the scope of the MIT license granted herein. Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines, and any usage must be approved in writing by Task Venture Capital GmbH.\n\n### Company Information\n\nTask Venture Capital GmbH \nRegistered at District court Bremen HRB 35230 HB, Germany\n\nFor any legal inquiries or if you require further information, please contact us via email at hello@task.vc.\n\nBy using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.\n"
}
}

21
license Normal file
View File

@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2024 Task Venture Capital GmbH
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

25
npmextra.json Normal file
View File

@@ -0,0 +1,25 @@
{
"gitzone": {
"projectType": "npm",
"module": {
"githost": "code.foss.global",
"gitscope": "push.rocks",
"gitrepo": "smartnftables",
"description": "A TypeScript module for managing nftables rules including NAT, firewall, and rate limiting with a high-level API.",
"npmPackagename": "@push.rocks/smartnftables",
"license": "MIT",
"keywords": [
"nftables",
"firewall",
"nat",
"rate limiting",
"network",
"linux",
"packet filter",
"port forwarding",
"ip sets",
"kernel firewall"
]
}
}
}

57
package.json Normal file
View File

@@ -0,0 +1,57 @@
{
"name": "@push.rocks/smartnftables",
"version": "1.0.0",
"private": false,
"description": "A TypeScript module for managing nftables rules including NAT, firewall, and rate limiting with a high-level API.",
"main": "dist_ts/index.js",
"typings": "dist_ts/index.d.ts",
"type": "module",
"author": "Lossless GmbH",
"license": "MIT",
"scripts": {
"test": "(tstest test/**/test*.ts --verbose --timeout 60)",
"build": "(tsbuild tsfolders)",
"format": "(gitzone format)",
"buildDocs": "tsdoc"
},
"devDependencies": {
"@git.zone/tsbuild": "^4.4.0",
"@git.zone/tsrun": "^2.0.2",
"@git.zone/tstest": "^3.6.0",
"@types/node": "^25.5.0",
"typescript": "^6.0.2"
},
"dependencies": {
"@push.rocks/smartlog": "^3.2.1",
"@push.rocks/smartpromise": "^4.2.3"
},
"files": [
"ts/**/*",
"dist/**/*",
"dist_*/**/*",
"dist_ts/**/*",
"assets/**/*",
"readme.md",
"changelog.md"
],
"keywords": [
"nftables",
"firewall",
"nat",
"rate limiting",
"network",
"linux",
"packet filter",
"port forwarding",
"ip sets",
"kernel firewall"
],
"homepage": "https://code.foss.global/push.rocks/smartnftables#readme",
"repository": {
"type": "git",
"url": "https://code.foss.global/push.rocks/smartnftables.git"
},
"bugs": {
"url": "https://code.foss.global/push.rocks/smartnftables/issues"
}
}

8011
pnpm-lock.yaml generated Normal file
View File

File diff suppressed because it is too large Load Diff

357
readme.md Normal file
View File

@@ -0,0 +1,357 @@
# @push.rocks/smartnftables
A TypeScript module for managing Linux nftables rules with a high-level, type-safe API. Handles NAT (DNAT/SNAT/masquerade), firewall rules, IP sets, and rate limiting — all from clean, declarative TypeScript.
## Issue Reporting and Security
For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
## Install
```bash
pnpm install @push.rocks/smartnftables
# or
npm install @push.rocks/smartnftables
```
> ⚠️ **Requires root privileges** to actually apply nftables rules to the kernel. Without root, rules are tracked in memory but not applied (a warning is logged). Great for development/testing!
## Quick Start
```typescript
import { SmartNftables } from '@push.rocks/smartnftables';
const nft = new SmartNftables();
await nft.initialize();
// Port forward 8080 → 192.168.1.100:80
await nft.nat.addPortForwarding('web', {
sourcePort: 8080,
targetHost: '192.168.1.100',
targetPort: 80,
});
// Block a suspicious IP
await nft.firewall.blockIP('10.0.0.99');
// Rate limit HTTP to 100 req/s per IP
await nft.rateLimit.addRateLimit('http-limit', {
port: 80,
protocol: 'tcp',
rate: '100/second',
perSourceIP: true,
});
// Clean up everything when done
await nft.cleanup();
```
## Architecture 🏗️
The library is organized around a **facade pattern** with specialized sub-managers:
```
SmartNftables (main facade)
├── nat → NatManager (DNAT, SNAT, masquerade)
├── firewall → FirewallManager (filter rules, IP sets, stateful tracking)
└── rateLimit → RateLimitManager (packet/connection rate limiting)
```
All rules are tracked in **rule groups** identified by string IDs, so you can add, inspect, and remove them programmatically.
## API Reference
### `SmartNftables` — Main Facade
```typescript
const nft = new SmartNftables({
tableName: 'smartnftables', // nftables table name (default: 'smartnftables')
family: 'ip', // 'ip' | 'ip6' | 'inet' (default: 'ip')
dryRun: false, // generate commands without executing (default: false)
});
```
| Method | Description |
|---|---|
| `initialize()` | Create the nftables table and NAT chains. Idempotent. |
| `cleanup()` | Delete the entire table and clear all tracking. |
| `status()` | Get an `INftStatus` report of the current managed state. |
| `applyRuleGroup(id, commands)` | Apply and track a group of raw nft commands. |
| `removeRuleGroup(id)` | Remove a tracked rule group. |
| `getRuleGroup(id)` | Retrieve a tracked rule group by ID. |
---
### 🌐 NAT — `nft.nat`
#### Port Forwarding (DNAT)
```typescript
await nft.nat.addPortForwarding('my-service', {
sourcePort: 443,
targetHost: '10.0.0.5',
targetPort: 8443,
protocol: 'tcp', // 'tcp' | 'udp' | 'both' (default: 'tcp')
preserveSourceIP: false, // skip masquerade if true (default: false)
});
await nft.nat.removePortForwarding('my-service');
```
#### Port Range Forwarding
Map a range of ports to another host:
```typescript
// Forward ports 3000-3010 → 10.0.0.5:3000-3010
await nft.nat.addPortRange('dev-ports', 3000, 3010, '10.0.0.5', 3000, 'tcp');
await nft.nat.removePortRange('dev-ports');
```
#### SNAT (Source NAT)
```typescript
await nft.nat.addSnat('egress', {
sourceAddress: '203.0.113.1',
targetPort: 80,
protocol: 'tcp',
});
```
#### Masquerade
```typescript
await nft.nat.addMasquerade('outbound', {
targetPort: 443,
protocol: 'tcp',
});
```
---
### 🛡️ Firewall — `nft.firewall`
#### Basic Rules
```typescript
await nft.firewall.addRule('allow-ssh', {
direction: 'input', // 'input' | 'output' | 'forward'
action: 'accept', // 'accept' | 'drop' | 'reject'
sourceIP: '10.0.0.0/24',
destPort: 22,
protocol: 'tcp',
comment: 'Allow SSH from trusted network',
});
await nft.firewall.removeRule('allow-ssh');
```
#### Block an IP
```typescript
await nft.firewall.blockIP('10.0.0.99');
await nft.firewall.blockIP('192.168.0.0/16', { direction: 'forward' });
```
#### Allow Only Specific IPs on a Port
```typescript
// Only these IPs can reach port 3306 — everything else is dropped
await nft.firewall.allowOnlyIPs('db-access', ['10.0.0.1', '10.0.0.2'], 3306, 'tcp');
```
#### Stateful Connection Tracking
```typescript
// Allow established/related, drop invalid — on the input chain
await nft.firewall.enableStatefulTracking('input');
```
#### IP Sets
Create named sets and match against them:
```typescript
// Create a set of blocked IPs
await nft.firewall.createIPSet({
name: 'blocklist',
type: 'ipv4_addr',
elements: ['10.0.0.50', '10.0.0.51'],
});
// Dynamically add/remove elements
await nft.firewall.addToIPSet('blocklist', ['10.0.0.52']);
await nft.firewall.removeFromIPSet('blocklist', ['10.0.0.50']);
// Clean up
await nft.firewall.deleteIPSet('blocklist');
```
You can also build set-matching rules directly with the low-level builder:
```typescript
import { buildIPSetMatchRule } from '@push.rocks/smartnftables';
const rule = buildIPSetMatchRule('smartnftables', 'ip', {
setName: 'blocklist',
direction: 'input',
matchField: 'saddr',
action: 'drop',
});
```
---
### ⏱️ Rate Limiting — `nft.rateLimit`
#### Packet Rate Limiting
```typescript
// Global: drop packets over 1000/second on port 80
await nft.rateLimit.addRateLimit('http-global', {
port: 80,
protocol: 'tcp',
rate: '1000/second',
burst: 50,
action: 'drop',
});
// Per-IP: each source IP gets its own 100/second limit
await nft.rateLimit.addRateLimit('http-per-ip', {
port: 80,
protocol: 'tcp',
rate: '100/second',
perSourceIP: true,
});
await nft.rateLimit.removeRateLimit('http-per-ip');
```
#### Connection Rate Limiting
Limit the rate of **new connections** (uses `ct state new`):
```typescript
await nft.rateLimit.addConnectionRateLimit('ssh-connrate', {
port: 22,
protocol: 'tcp',
rate: '5/second',
perSourceIP: true,
});
await nft.rateLimit.removeConnectionRateLimit('ssh-connrate');
```
---
### 🔧 Low-Level Rule Builders
For advanced use cases, you can generate raw nft command strings without applying them:
```typescript
import {
buildDnatRules,
buildSnatRule,
buildMasqueradeRule,
buildFirewallRule,
buildRateLimitRule,
buildPerIpRateLimitRule,
buildConnectionRateRule,
buildIPSetCreate,
buildIPSetAddElements,
buildIPSetRemoveElements,
buildIPSetDelete,
buildIPSetMatchRule,
buildTableSetup,
buildFilterChains,
buildTableCleanup,
} from '@push.rocks/smartnftables';
const commands = buildDnatRules('mytable', 'ip', {
sourcePort: 8080,
targetHost: '10.0.0.5',
targetPort: 80,
});
// → ['nft add rule ip mytable prerouting tcp dport 8080 dnat to 10.0.0.5:80',
// 'nft add rule ip mytable postrouting tcp dport 80 masquerade']
```
---
### Dry Run Mode 🧪
Generate commands without touching the kernel — perfect for testing, debugging, or CI:
```typescript
const nft = new SmartNftables({ dryRun: true });
await nft.initialize();
await nft.nat.addPortForwarding('test', {
sourcePort: 80,
targetHost: '10.0.0.1',
targetPort: 8080,
});
console.log(nft.status());
// Rules tracked in memory, nothing executed
```
---
### Status Reporting 📊
```typescript
const status = nft.status();
// {
// initialized: true,
// tableName: 'smartnftables',
// family: 'ip',
// isRoot: true,
// activeGroups: 3,
// groups: {
// 'nat:web': { ruleCount: 2, createdAt: 1711411200000 },
// 'fw:block-10_0_0_99': { ruleCount: 1, createdAt: 1711411200100 },
// 'ratelimit:http-limit': { ruleCount: 1, createdAt: 1711411200200 },
// }
// }
```
## Types
All interfaces and types are fully exported for use in your own code:
| Type | Description |
|---|---|
| `INftDnatRule` | DNAT port forwarding rule config |
| `INftSnatRule` | Source NAT rule config |
| `INftMasqueradeRule` | Masquerade rule config |
| `INftFirewallRule` | Firewall filter rule config |
| `INftIPSetConfig` | IP set creation config |
| `INftRateLimitRule` | Rate limiting rule config |
| `INftConnectionRateRule` | New-connection rate limit config |
| `ISmartNftablesOptions` | Constructor options |
| `INftStatus` | Status report shape |
| `TNftProtocol` | `'tcp' \| 'udp' \| 'both'` |
| `TNftFamily` | `'ip' \| 'ip6' \| 'inet'` |
| `TFirewallAction` | `'accept' \| 'drop' \| 'reject'` |
| `TCtState` | `'new' \| 'established' \| 'related' \| 'invalid'` |
## License and Legal Information
This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](./LICENSE) file.
**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
### Trademarks
This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.
Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.
### Company Information
Task Venture Capital GmbH
Registered at District Court Bremen HRB 35230 HB, Germany
For any legal inquiries or further information, please contact us via email at hello@task.vc.
By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.

140
test/test.rulebuilder-firewall.ts Normal file
View File

@@ -0,0 +1,140 @@
import { tap, expect } from '@git.zone/tstest/tapbundle';
import {
buildFirewallRule,
buildIPSetCreate,
buildIPSetAddElements,
buildIPSetRemoveElements,
buildIPSetDelete,
buildIPSetMatchRule,
} from '../ts/nft.rulebuilder.firewall.js';
tap.test('should build basic firewall drop rule', async () => {
const rules = buildFirewallRule('mytable', 'ip', {
direction: 'input',
action: 'drop',
sourceIP: '192.168.1.100',
});
expect(rules.length).toEqual(1);
expect(rules[0]).toInclude('mytable input');
expect(rules[0]).toInclude('ip saddr 192.168.1.100');
expect(rules[0]).toInclude('drop');
});
tap.test('should build firewall rule with port and protocol', async () => {
const rules = buildFirewallRule('mytable', 'ip', {
direction: 'input',
action: 'accept',
destPort: 22,
protocol: 'tcp',
sourceIP: '10.0.0.0/8',
});
expect(rules.length).toEqual(1);
expect(rules[0]).toInclude('tcp');
expect(rules[0]).toInclude('ip saddr 10.0.0.0/8');
expect(rules[0]).toInclude('tcp dport 22');
expect(rules[0]).toInclude('accept');
});
tap.test('should build firewall rule with ct state', async () => {
const rules = buildFirewallRule('mytable', 'ip', {
direction: 'input',
action: 'accept',
ctStates: ['established', 'related'],
});
expect(rules.length).toEqual(1);
expect(rules[0]).toInclude('ct state { established, related }');
expect(rules[0]).toInclude('accept');
});
tap.test('should build firewall rule with comment', async () => {
const rules = buildFirewallRule('mytable', 'ip', {
direction: 'input',
action: 'drop',
sourceIP: '1.2.3.4',
comment: 'block bad actor',
});
expect(rules[0]).toInclude('comment "block bad actor"');
});
tap.test('should build firewall rule for both protocols', async () => {
const rules = buildFirewallRule('mytable', 'ip', {
direction: 'forward',
action: 'accept',
destPort: 80,
protocol: 'both',
});
expect(rules.length).toEqual(2);
expect(rules[0]).toInclude('tcp');
expect(rules[1]).toInclude('udp');
});
tap.test('should build IP set create command', async () => {
const cmds = buildIPSetCreate('mytable', 'ip', {
name: 'blocklist',
type: 'ipv4_addr',
});
expect(cmds.length).toEqual(1);
expect(cmds[0]).toInclude('add set ip mytable blocklist');
expect(cmds[0]).toInclude('type ipv4_addr');
});
tap.test('should build IP set with initial elements', async () => {
const cmds = buildIPSetCreate('mytable', 'ip', {
name: 'trusted',
type: 'ipv4_addr',
elements: ['10.0.0.1', '10.0.0.2', '10.0.0.3'],
});
expect(cmds.length).toEqual(2);
expect(cmds[1]).toInclude('add element');
expect(cmds[1]).toInclude('10.0.0.1, 10.0.0.2, 10.0.0.3');
});
tap.test('should build IP set add elements command', async () => {
const cmds = buildIPSetAddElements('mytable', 'ip', 'blocklist', ['1.2.3.4', '5.6.7.8']);
expect(cmds.length).toEqual(1);
expect(cmds[0]).toInclude('add element ip mytable blocklist');
expect(cmds[0]).toInclude('1.2.3.4, 5.6.7.8');
});
tap.test('should return empty for add with no elements', async () => {
const cmds = buildIPSetAddElements('mytable', 'ip', 'blocklist', []);
expect(cmds.length).toEqual(0);
});
tap.test('should build IP set remove elements command', async () => {
const cmds = buildIPSetRemoveElements('mytable', 'ip', 'blocklist', ['1.2.3.4']);
expect(cmds.length).toEqual(1);
expect(cmds[0]).toInclude('delete element ip mytable blocklist');
expect(cmds[0]).toInclude('1.2.3.4');
});
tap.test('should build IP set delete command', async () => {
const cmds = buildIPSetDelete('mytable', 'ip', 'blocklist');
expect(cmds.length).toEqual(1);
expect(cmds[0]).toInclude('delete set ip mytable blocklist');
});
tap.test('should build IP set match rule', async () => {
const cmds = buildIPSetMatchRule('mytable', 'ip', {
setName: 'blocklist',
direction: 'input',
matchField: 'saddr',
action: 'drop',
});
expect(cmds.length).toEqual(1);
expect(cmds[0]).toInclude('ip saddr @blocklist');
expect(cmds[0]).toInclude('drop');
});
export default tap.start();

103
test/test.rulebuilder-nat.ts Normal file
View File

@@ -0,0 +1,103 @@
import { tap, expect } from '@git.zone/tstest/tapbundle';
import {
buildDnatRules,
buildSnatRule,
buildMasqueradeRule,
} from '../ts/nft.rulebuilder.nat.js';
tap.test('should build basic DNAT rule with masquerade', async () => {
const rules = buildDnatRules('mytable', 'ip', {
sourcePort: 443,
targetHost: '10.0.0.1',
targetPort: 8443,
});
expect(rules.length).toEqual(2);
expect(rules[0]).toInclude('dnat to 10.0.0.1:8443');
expect(rules[0]).toInclude('dport 443');
expect(rules[0]).toInclude('tcp');
expect(rules[1]).toInclude('masquerade');
expect(rules[1]).toInclude('dport 8443');
});
tap.test('should skip masquerade when preserveSourceIP is true', async () => {
const rules = buildDnatRules('mytable', 'ip', {
sourcePort: 443,
targetHost: '10.0.0.1',
targetPort: 8443,
preserveSourceIP: true,
});
expect(rules.length).toEqual(1);
expect(rules[0]).toInclude('dnat to 10.0.0.1:8443');
for (const r of rules) {
expect(r).not.toInclude('masquerade');
}
});
tap.test('should generate TCP and UDP rules for protocol both', async () => {
const rules = buildDnatRules('mytable', 'ip', {
sourcePort: 53,
targetHost: '10.0.0.53',
targetPort: 53,
protocol: 'both',
});
// TCP DNAT + masquerade + UDP DNAT + masquerade = 4
expect(rules.length).toEqual(4);
const tcpRules = rules.filter(r => r.includes('tcp'));
const udpRules = rules.filter(r => r.includes('udp'));
expect(tcpRules.length).toEqual(2);
expect(udpRules.length).toEqual(2);
});
tap.test('should generate UDP-only rules', async () => {
const rules = buildDnatRules('mytable', 'ip', {
sourcePort: 53,
targetHost: '10.0.0.53',
targetPort: 53,
protocol: 'udp',
});
for (const r of rules) {
expect(r).not.toInclude('tcp');
}
expect(rules.some(r => r.includes('udp dport 53 dnat'))).toBeTrue();
});
tap.test('should build SNAT rule', async () => {
const rules = buildSnatRule('mytable', 'ip', {
sourceAddress: '192.168.1.1',
targetPort: 80,
});
expect(rules.length).toEqual(1);
expect(rules[0]).toInclude('snat to 192.168.1.1');
expect(rules[0]).toInclude('dport 80');
});
tap.test('should build masquerade rule', async () => {
const rules = buildMasqueradeRule('mytable', 'ip', {
targetPort: 8080,
protocol: 'both',
});
expect(rules.length).toEqual(2);
expect(rules[0]).toInclude('tcp');
expect(rules[0]).toInclude('masquerade');
expect(rules[1]).toInclude('udp');
});
tap.test('should use correct family in commands', async () => {
const rules = buildDnatRules('mytable', 'inet', {
sourcePort: 80,
targetHost: '10.0.0.1',
targetPort: 8080,
});
for (const r of rules) {
expect(r).toInclude('inet mytable');
}
});
export default tap.start();

114
test/test.rulebuilder-ratelimit.ts Normal file
View File

@@ -0,0 +1,114 @@
import { tap, expect } from '@git.zone/tstest/tapbundle';
import {
buildRateLimitRule,
buildPerIpRateLimitRule,
buildConnectionRateRule,
} from '../ts/nft.rulebuilder.ratelimit.js';
tap.test('should build global rate limit rule', async () => {
const rules = buildRateLimitRule('mytable', 'ip', {
port: 80,
protocol: 'tcp',
rate: '100/second',
});
expect(rules.length).toEqual(1);
expect(rules[0]).toInclude('limit rate over 100/second');
expect(rules[0]).toInclude('tcp dport 80');
expect(rules[0]).toInclude('drop');
});
tap.test('should build rate limit with burst', async () => {
const rules = buildRateLimitRule('mytable', 'ip', {
port: 8080,
rate: '50/second',
burst: 20,
});
expect(rules[0]).toInclude('burst 20 packets');
});
tap.test('should build rate limit with custom action', async () => {
const rules = buildRateLimitRule('mytable', 'ip', {
port: 80,
rate: '100/second',
action: 'reject',
});
expect(rules[0]).toInclude('reject');
expect(rules[0]).not.toInclude('drop');
});
tap.test('should build per-IP rate limit using meters', async () => {
const rules = buildRateLimitRule('mytable', 'ip', {
port: 80,
protocol: 'tcp',
rate: '10/second',
perSourceIP: true,
});
expect(rules.length).toEqual(1);
expect(rules[0]).toInclude('meter');
expect(rules[0]).toInclude('ip saddr');
expect(rules[0]).toInclude('limit rate over 10/second');
});
tap.test('should build per-IP rate limit via convenience function', async () => {
const rules = buildPerIpRateLimitRule('mytable', 'ip', {
port: 443,
rate: '50/second',
});
expect(rules[0]).toInclude('meter');
expect(rules[0]).toInclude('ip saddr');
});
tap.test('should build rate limit on custom chain', async () => {
const rules = buildRateLimitRule('mytable', 'ip', {
port: 80,
rate: '100/second',
chain: 'forward',
});
expect(rules[0]).toInclude('mytable forward');
});
tap.test('should build connection rate rule', async () => {
const rules = buildConnectionRateRule('mytable', 'ip', {
port: 22,
protocol: 'tcp',
rate: '5/second',
});
expect(rules.length).toEqual(1);
expect(rules[0]).toInclude('ct state new');
expect(rules[0]).toInclude('tcp dport 22');
expect(rules[0]).toInclude('limit rate over 5/second');
expect(rules[0]).toInclude('drop');
});
tap.test('should build per-IP connection rate rule', async () => {
const rules = buildConnectionRateRule('mytable', 'ip', {
port: 80,
rate: '10/second',
perSourceIP: true,
});
expect(rules[0]).toInclude('meter connrate');
expect(rules[0]).toInclude('ip saddr');
expect(rules[0]).toInclude('ct state new');
});
tap.test('should build rate limit for both protocols', async () => {
const rules = buildRateLimitRule('mytable', 'ip', {
port: 53,
protocol: 'both',
rate: '100/second',
});
expect(rules.length).toEqual(2);
expect(rules[0]).toInclude('tcp');
expect(rules[1]).toInclude('udp');
});
export default tap.start();

45
test/test.rulebuilder-table.ts Normal file
View File

@@ -0,0 +1,45 @@
import { tap, expect } from '@git.zone/tstest/tapbundle';
import {
buildTableSetup,
buildFilterChains,
buildTableCleanup,
} from '../ts/nft.rulebuilder.table.js';
tap.test('should build table setup commands', async () => {
const commands = buildTableSetup('mytest');
expect(commands.length).toEqual(3);
expect(commands[0]).toInclude('add table ip mytest');
expect(commands[1]).toInclude('prerouting');
expect(commands[1]).toInclude('nat hook prerouting');
expect(commands[2]).toInclude('postrouting');
expect(commands[2]).toInclude('nat hook postrouting');
});
tap.test('should build table setup with custom family', async () => {
const commands = buildTableSetup('mytest', 'inet');
for (const cmd of commands) {
expect(cmd).toInclude('inet mytest');
}
});
tap.test('should build filter chains', async () => {
const commands = buildFilterChains('mytest');
expect(commands.length).toEqual(3);
expect(commands[0]).toInclude('input');
expect(commands[0]).toInclude('filter hook input');
expect(commands[1]).toInclude('forward');
expect(commands[2]).toInclude('output');
});
tap.test('should build table cleanup command', async () => {
const commands = buildTableCleanup('mytest');
expect(commands.length).toEqual(1);
expect(commands[0]).toInclude('delete table ip mytest');
});
tap.test('should build table cleanup with custom family', async () => {
const commands = buildTableCleanup('mytest', 'ip6');
expect(commands[0]).toInclude('delete table ip6 mytest');
});
export default tap.start();

155
test/test.smartnftables.ts Normal file
View File

@@ -0,0 +1,155 @@
import { tap, expect } from '@git.zone/tstest/tapbundle';
import { SmartNftables } from '../ts/nft.manager.js';
tap.test('should create SmartNftables with default options', async () => {
const nft = new SmartNftables();
expect(nft.tableName).toEqual('smartnftables');
expect(nft.family).toEqual('ip');
expect(nft.nat).toBeDefined();
expect(nft.firewall).toBeDefined();
expect(nft.rateLimit).toBeDefined();
});
tap.test('should create SmartNftables with custom options', async () => {
const nft = new SmartNftables({
tableName: 'myapp',
family: 'inet',
});
expect(nft.tableName).toEqual('myapp');
expect(nft.family).toEqual('inet');
});
tap.test('should track rule groups when not root', async () => {
const nft = new SmartNftables({ tableName: 'test' });
await nft.initialize();
// NAT port forwarding
await nft.nat.addPortForwarding('web', {
sourcePort: 443,
targetHost: '10.0.0.5',
targetPort: 8443,
});
const status = nft.status();
expect(status.initialized).toBeTrue();
expect(status.activeGroups).toBeGreaterThan(0);
expect(status.groups['nat:web']).toBeDefined();
expect(status.groups['nat:web'].ruleCount).toEqual(2); // DNAT + masquerade
await nft.cleanup();
const statusAfter = nft.status();
expect(statusAfter.initialized).toBeFalse();
expect(statusAfter.activeGroups).toEqual(0);
});
tap.test('should track firewall rules when not root', async () => {
const nft = new SmartNftables({ tableName: 'test' });
await nft.initialize();
await nft.firewall.addRule('block-badguy', {
direction: 'input',
action: 'drop',
sourceIP: '192.168.1.100',
});
const status = nft.status();
expect(status.groups['fw:block-badguy']).toBeDefined();
expect(status.groups['fw:block-badguy'].ruleCount).toEqual(1);
await nft.firewall.removeRule('block-badguy');
const statusAfter = nft.status();
expect(statusAfter.groups['fw:block-badguy']).toBeUndefined();
await nft.cleanup();
});
tap.test('should track rate limit rules when not root', async () => {
const nft = new SmartNftables({ tableName: 'test' });
await nft.initialize();
await nft.rateLimit.addRateLimit('api-throttle', {
port: 8080,
protocol: 'tcp',
rate: '100/second',
burst: 50,
perSourceIP: true,
});
const status = nft.status();
expect(status.groups['ratelimit:api-throttle']).toBeDefined();
await nft.rateLimit.removeRateLimit('api-throttle');
const statusAfter = nft.status();
expect(statusAfter.groups['ratelimit:api-throttle']).toBeUndefined();
await nft.cleanup();
});
tap.test('should handle blockIP convenience method', async () => {
const nft = new SmartNftables({ tableName: 'test' });
await nft.initialize();
await nft.firewall.blockIP('1.2.3.4');
const status = nft.status();
expect(status.groups['fw:block-1_2_3_4']).toBeDefined();
await nft.cleanup();
});
tap.test('should handle stateful tracking convenience', async () => {
const nft = new SmartNftables({ tableName: 'test' });
await nft.initialize();
await nft.firewall.enableStatefulTracking('input');
const status = nft.status();
expect(status.groups['fw:stateful:input']).toBeDefined();
expect(status.groups['fw:stateful:input'].ruleCount).toEqual(2); // established+related, invalid
await nft.cleanup();
});
tap.test('should handle connection rate limiting', async () => {
const nft = new SmartNftables({ tableName: 'test' });
await nft.initialize();
await nft.rateLimit.addConnectionRateLimit('ssh-limit', {
port: 22,
protocol: 'tcp',
rate: '5/second',
perSourceIP: true,
});
const status = nft.status();
expect(status.groups['connrate:ssh-limit']).toBeDefined();
await nft.cleanup();
});
tap.test('should handle port range forwarding', async () => {
const nft = new SmartNftables({ tableName: 'test' });
await nft.initialize();
await nft.nat.addPortRange('gameservers', 27015, 27020, '10.0.0.10', 27015, 'udp');
const status = nft.status();
const group = status.groups['nat:range:gameservers'];
expect(group).toBeDefined();
// 6 ports * 2 commands each (DNAT + masquerade) = 12
expect(group.ruleCount).toEqual(12);
await nft.cleanup();
});
tap.test('should report correct status', async () => {
const nft = new SmartNftables({ tableName: 'statustest', family: 'inet' });
const status = nft.status();
expect(status.tableName).toEqual('statustest');
expect(status.family).toEqual('inet');
expect(status.initialized).toBeFalse();
expect(status.activeGroups).toEqual(0);
});
export default tap.start();

8
ts/00_commitinfo_data.ts Normal file
View File

@@ -0,0 +1,8 @@
/**
* autocreated commitinfo by @push.rocks/commitinfo
*/
export const commitinfo = {
name: '@push.rocks/smartnftables',
version: '1.0.0',
description: 'A TypeScript module for managing nftables rules including NAT, firewall, and rate limiting with a high-level API.'
}

59
ts/index.ts Normal file
View File

@@ -0,0 +1,59 @@
// Main facade
export { SmartNftables } from './nft.manager.js';
// Sub-managers
export { NatManager } from './nft.manager.nat.js';
export { FirewallManager } from './nft.manager.firewall.js';
export { RateLimitManager } from './nft.manager.ratelimit.js';
// Executor
export { NftExecutor, NftNotRootError, NftCommandError } from './nft.executor.js';
// Rule builders (for advanced usage)
export {
buildTableSetup,
buildFilterChains,
buildTableCleanup,
} from './nft.rulebuilder.table.js';
export {
buildDnatRules,
buildSnatRule,
buildMasqueradeRule,
} from './nft.rulebuilder.nat.js';
export {
buildRateLimitRule,
buildPerIpRateLimitRule,
buildConnectionRateRule,
} from './nft.rulebuilder.ratelimit.js';
export {
buildFirewallRule,
buildIPSetCreate,
buildIPSetAddElements,
buildIPSetRemoveElements,
buildIPSetDelete,
buildIPSetMatchRule,
} from './nft.rulebuilder.firewall.js';
// Types
export type {
TNftProtocol,
TNftFamily,
TNftChainHook,
TNftChainType,
TNftPolicy,
TFirewallAction,
TCtState,
INftDnatRule,
INftSnatRule,
INftMasqueradeRule,
INftRateLimitRule,
INftConnectionRateRule,
INftFirewallRule,
INftIPSetConfig,
INftRuleGroup,
ISmartNftablesOptions,
INftStatus,
} from './nft.types.js';

74
ts/nft.executor.ts Normal file
View File

@@ -0,0 +1,74 @@
import * as plugins from './plugins.js';
const execFile = plugins.util.promisify(plugins.childProcess.execFile);
export class NftNotRootError extends Error {
constructor() {
super('Not running as root — nftables commands require root privileges');
this.name = 'NftNotRootError';
}
}
export class NftCommandError extends Error {
public readonly command: string;
public readonly stderr: string;
constructor(command: string, stderr: string) {
super(`nft command failed: ${command}${stderr}`);
this.name = 'NftCommandError';
this.command = command;
this.stderr = stderr;
}
}
/**
* Low-level executor for nft CLI commands.
*/
export class NftExecutor {
private dryRun: boolean;
constructor(options?: { dryRun?: boolean }) {
this.dryRun = options?.dryRun ?? false;
}
/** Check if running as root (euid 0). */
public isRoot(): boolean {
return process.getuid?.() === 0;
}
/**
* Execute a single nft command.
* The command may or may not start with "nft " — the prefix is stripped if present.
* Returns stdout on success.
*/
public async exec(command: string): Promise<string> {
if (this.dryRun) {
return '';
}
// Strip "nft " prefix if present
const args = command.startsWith('nft ') ? command.slice(4) : command;
const { stdout } = await execFile('nft', args.split(/\s+/));
return stdout;
}
/**
* Execute multiple nft commands sequentially.
* By default stops on first failure. Set continueOnError to keep going.
*/
public async execBatch(
commands: string[],
options?: { continueOnError?: boolean }
): Promise<void> {
for (const cmd of commands) {
try {
await this.exec(cmd);
} catch (err) {
if (!options?.continueOnError) {
throw err;
}
}
}
}
}

148
ts/nft.manager.firewall.ts Normal file
View File

@@ -0,0 +1,148 @@
import type { SmartNftables } from './nft.manager.js';
import type { INftFirewallRule, INftIPSetConfig } from './nft.types.js';
import {
buildFirewallRule,
buildIPSetCreate,
buildIPSetAddElements,
buildIPSetRemoveElements,
buildIPSetDelete,
buildIPSetMatchRule,
} from './nft.rulebuilder.firewall.js';
/**
* Manages firewall (filter) rules, IP sets, and convenience methods.
*/
export class FirewallManager {
constructor(private parent: SmartNftables) {}
/**
* Add a firewall rule (input/output/forward).
*/
public async addRule(groupId: string, rule: INftFirewallRule): Promise<void> {
await this.parent.ensureFilterChains();
const commands = buildFirewallRule(this.parent.tableName, this.parent.family, rule);
await this.parent.applyRuleGroup(`fw:${groupId}`, commands);
}
/**
* Remove a firewall rule group.
*/
public async removeRule(groupId: string): Promise<void> {
await this.parent.removeRuleGroup(`fw:${groupId}`);
}
/**
* Create a named IP set.
*/
public async createIPSet(config: INftIPSetConfig): Promise<void> {
await this.parent.ensureInitialized();
const commands = buildIPSetCreate(this.parent.tableName, this.parent.family, config);
await this.parent.applyRuleGroup(`ipset:${config.name}`, commands);
}
/**
* Add elements to an existing IP set.
*/
public async addToIPSet(setName: string, elements: string[]): Promise<void> {
const commands = buildIPSetAddElements(this.parent.tableName, this.parent.family, setName, elements);
if (commands.length > 0) {
await this.parent.executor.execBatch(commands);
}
}
/**
* Remove elements from an IP set.
*/
public async removeFromIPSet(setName: string, elements: string[]): Promise<void> {
const commands = buildIPSetRemoveElements(this.parent.tableName, this.parent.family, setName, elements);
if (commands.length > 0) {
await this.parent.executor.execBatch(commands);
}
}
/**
* Delete an IP set entirely.
*/
public async deleteIPSet(setName: string): Promise<void> {
const commands = buildIPSetDelete(this.parent.tableName, this.parent.family, setName);
await this.parent.executor.execBatch(commands);
await this.parent.removeRuleGroup(`ipset:${setName}`);
}
/**
* Convenience: block an IP or CIDR subnet.
*/
public async blockIP(ip: string, options?: { direction?: 'input' | 'forward' }): Promise<void> {
const direction = options?.direction ?? 'input';
const safeId = ip.replace(/[/.]/g, '_');
await this.addRule(`block-${safeId}`, {
direction,
action: 'drop',
sourceIP: ip,
});
}
/**
* Convenience: allow only specific IPs on a port.
* Adds accept rules for each IP, then a drop rule for everything else on that port.
*/
public async allowOnlyIPs(
groupId: string,
ips: string[],
port?: number,
protocol?: 'tcp' | 'udp' | 'both',
): Promise<void> {
await this.parent.ensureFilterChains();
const commands: string[] = [];
for (const ip of ips) {
const acceptCmds = buildFirewallRule(this.parent.tableName, this.parent.family, {
direction: 'input',
action: 'accept',
sourceIP: ip,
destPort: port,
protocol,
});
commands.push(...acceptCmds);
}
// Drop everything else on that port
const dropCmds = buildFirewallRule(this.parent.tableName, this.parent.family, {
direction: 'input',
action: 'drop',
destPort: port,
protocol,
});
commands.push(...dropCmds);
await this.parent.applyRuleGroup(`fw:allowonly:${groupId}`, commands);
}
/**
* Convenience: enable stateful connection tracking.
* Allows established+related, drops invalid.
*/
public async enableStatefulTracking(chain?: 'input' | 'forward' | 'output'): Promise<void> {
await this.parent.ensureFilterChains();
const direction = chain ?? 'input';
const commands: string[] = [];
// Allow established and related connections
const allowCmds = buildFirewallRule(this.parent.tableName, this.parent.family, {
direction,
action: 'accept',
ctStates: ['established', 'related'],
});
commands.push(...allowCmds);
// Drop invalid connections
const dropCmds = buildFirewallRule(this.parent.tableName, this.parent.family, {
direction,
action: 'drop',
ctStates: ['invalid'],
});
commands.push(...dropCmds);
await this.parent.applyRuleGroup(`fw:stateful:${direction}`, commands);
}
}

76
ts/nft.manager.nat.ts Normal file
View File

@@ -0,0 +1,76 @@
import type { SmartNftables } from './nft.manager.js';
import type { INftDnatRule, INftSnatRule, INftMasqueradeRule, TNftProtocol } from './nft.types.js';
import { buildDnatRules, buildSnatRule, buildMasqueradeRule } from './nft.rulebuilder.nat.js';
/**
* Manages NAT (DNAT/SNAT/masquerade) rules.
*/
export class NatManager {
constructor(private parent: SmartNftables) {}
/**
* Add a port forwarding rule (DNAT + optional masquerade).
*/
public async addPortForwarding(groupId: string, rule: INftDnatRule): Promise<void> {
const commands = buildDnatRules(this.parent.tableName, this.parent.family, rule);
await this.parent.applyRuleGroup(`nat:${groupId}`, commands);
}
/**
* Remove a previously added port forwarding group.
*/
public async removePortForwarding(groupId: string): Promise<void> {
await this.parent.removeRuleGroup(`nat:${groupId}`);
}
/**
* Add SNAT (source NAT) rule.
*/
public async addSnat(groupId: string, rule: INftSnatRule): Promise<void> {
const commands = buildSnatRule(this.parent.tableName, this.parent.family, rule);
await this.parent.applyRuleGroup(`nat:snat:${groupId}`, commands);
}
/**
* Add masquerade rule for outgoing traffic.
*/
public async addMasquerade(groupId: string, rule: INftMasqueradeRule): Promise<void> {
const commands = buildMasqueradeRule(this.parent.tableName, this.parent.family, rule);
await this.parent.applyRuleGroup(`nat:masq:${groupId}`, commands);
}
/**
* Add port forwarding for a range of ports.
* Maps sourceStart..sourceStart+count to targetStart..targetStart+count.
*/
public async addPortRange(
groupId: string,
sourceStart: number,
sourceEnd: number,
targetHost: string,
targetStart: number,
protocol?: TNftProtocol,
): Promise<void> {
const allCommands: string[] = [];
const count = sourceEnd - sourceStart;
for (let i = 0; i <= count; i++) {
const commands = buildDnatRules(this.parent.tableName, this.parent.family, {
sourcePort: sourceStart + i,
targetHost,
targetPort: targetStart + i,
protocol,
});
allCommands.push(...commands);
}
await this.parent.applyRuleGroup(`nat:range:${groupId}`, allCommands);
}
/**
* Remove a port range forwarding group.
*/
public async removePortRange(groupId: string): Promise<void> {
await this.parent.removeRuleGroup(`nat:range:${groupId}`);
}
}

43
ts/nft.manager.ratelimit.ts Normal file
View File

@@ -0,0 +1,43 @@
import type { SmartNftables } from './nft.manager.js';
import type { INftRateLimitRule, INftConnectionRateRule } from './nft.types.js';
import { buildRateLimitRule, buildConnectionRateRule } from './nft.rulebuilder.ratelimit.js';
/**
* Manages rate limiting rules using nft meters and limit expressions.
*/
export class RateLimitManager {
constructor(private parent: SmartNftables) {}
/**
* Add a rate limit rule (global or per-IP).
*/
public async addRateLimit(groupId: string, rule: INftRateLimitRule): Promise<void> {
await this.parent.ensureFilterChains();
const commands = buildRateLimitRule(this.parent.tableName, this.parent.family, rule);
await this.parent.applyRuleGroup(`ratelimit:${groupId}`, commands);
}
/**
* Remove a rate limit rule group.
*/
public async removeRateLimit(groupId: string): Promise<void> {
await this.parent.removeRuleGroup(`ratelimit:${groupId}`);
}
/**
* Add a new-connection rate limit rule.
* Limits the rate of new TCP/UDP connections (ct state new).
*/
public async addConnectionRateLimit(groupId: string, rule: INftConnectionRateRule): Promise<void> {
await this.parent.ensureFilterChains();
const commands = buildConnectionRateRule(this.parent.tableName, this.parent.family, rule);
await this.parent.applyRuleGroup(`connrate:${groupId}`, commands);
}
/**
* Remove a connection rate limit rule group.
*/
public async removeConnectionRateLimit(groupId: string): Promise<void> {
await this.parent.removeRuleGroup(`connrate:${groupId}`);
}
}

157
ts/nft.manager.ts Normal file
View File

@@ -0,0 +1,157 @@
import { NftExecutor } from './nft.executor.js';
import { buildTableSetup, buildFilterChains, buildTableCleanup } from './nft.rulebuilder.table.js';
import { NatManager } from './nft.manager.nat.js';
import { FirewallManager } from './nft.manager.firewall.js';
import { RateLimitManager } from './nft.manager.ratelimit.js';
import type { TNftFamily, INftRuleGroup, INftStatus, ISmartNftablesOptions } from './nft.types.js';
/**
* SmartNftables — high-level facade for managing nftables rules.
*
* Provides sub-managers for NAT, firewall, and rate limiting.
* All rules are tracked in logical groups and can be removed individually or cleaned up entirely.
*/
export class SmartNftables {
public readonly nat: NatManager;
public readonly firewall: FirewallManager;
public readonly rateLimit: RateLimitManager;
public readonly tableName: string;
public readonly family: TNftFamily;
public readonly executor: NftExecutor;
private initialized = false;
private hasFilterChains = false;
private warnedNonRoot = false;
private ruleGroups: Map<string, INftRuleGroup> = new Map();
constructor(options?: ISmartNftablesOptions) {
this.tableName = options?.tableName ?? 'smartnftables';
this.family = options?.family ?? 'ip';
this.executor = new NftExecutor({ dryRun: options?.dryRun });
this.nat = new NatManager(this);
this.firewall = new FirewallManager(this);
this.rateLimit = new RateLimitManager(this);
}
/**
* Initialize the nftables table and NAT chains. Idempotent.
*/
public async initialize(): Promise<void> {
if (this.initialized) return;
if (!this.executor.isRoot()) {
if (!this.warnedNonRoot) {
console.warn('smartnftables: not running as root. Rules are tracked but not applied to kernel.');
this.warnedNonRoot = true;
}
this.initialized = true;
return;
}
const commands = buildTableSetup(this.tableName, this.family);
await this.executor.execBatch(commands);
this.initialized = true;
}
/**
* Ensure filter chains (input/forward/output) are created.
* Called automatically when firewall or rate-limit rules are added.
*/
public async ensureFilterChains(): Promise<void> {
if (this.hasFilterChains) return;
await this.ensureInitialized();
if (this.executor.isRoot()) {
const commands = buildFilterChains(this.tableName, this.family);
await this.executor.execBatch(commands);
}
this.hasFilterChains = true;
}
/**
* Ensure the table is initialized before applying rules.
*/
public async ensureInitialized(): Promise<void> {
if (!this.initialized) {
await this.initialize();
}
}
/**
* Apply a group of nft commands and track them under the given ID.
*/
public async applyRuleGroup(groupId: string, commands: string[]): Promise<void> {
// Always track the group locally
this.ruleGroups.set(groupId, {
id: groupId,
commands,
createdAt: Date.now(),
});
if (!this.executor.isRoot()) {
if (!this.warnedNonRoot) {
console.warn('smartnftables: not running as root. Rules are tracked but not applied to kernel.');
this.warnedNonRoot = true;
}
return;
}
await this.ensureInitialized();
await this.executor.execBatch(commands);
}
/**
* Remove a tracked rule group. Removes from tracking.
* Note: full kernel cleanup requires cleanup() — individual rule removal
* would require handle-based tracking.
*/
public async removeRuleGroup(groupId: string): Promise<void> {
this.ruleGroups.delete(groupId);
}
/**
* Get a tracked rule group by ID.
*/
public getRuleGroup(groupId: string): INftRuleGroup | undefined {
return this.ruleGroups.get(groupId);
}
/**
* Delete the entire nftables table and clear all tracking.
*/
public async cleanup(): Promise<void> {
if (this.executor.isRoot() && this.initialized) {
const commands = buildTableCleanup(this.tableName, this.family);
await this.executor.execBatch(commands, { continueOnError: true });
}
this.ruleGroups.clear();
this.initialized = false;
this.hasFilterChains = false;
}
/**
* Get status report of the managed nftables state.
*/
public status(): INftStatus {
const groups: Record<string, { ruleCount: number; createdAt: number }> = {};
for (const [id, group] of this.ruleGroups) {
groups[id] = {
ruleCount: group.commands.length,
createdAt: group.createdAt,
};
}
return {
initialized: this.initialized,
tableName: this.tableName,
family: this.family,
isRoot: this.executor.isRoot(),
activeGroups: this.ruleGroups.size,
groups,
};
}
}

173
ts/nft.rulebuilder.firewall.ts Normal file
View File

@@ -0,0 +1,173 @@
import type { TNftFamily, INftFirewallRule, INftIPSetConfig } from './nft.types.js';
/**
* Build an nft firewall rule for input/output/forward chains.
*/
export function buildFirewallRule(
tableName: string,
family: TNftFamily,
rule: INftFirewallRule,
): string[] {
const chain = rule.direction;
const parts: string[] = [`nft add rule ${family} ${tableName} ${chain}`];
// Connection tracking states
if (rule.ctStates && rule.ctStates.length > 0) {
parts.push(`ct state { ${rule.ctStates.join(', ')} }`);
}
// Protocol and port matching
const protocols = expandProtocols(rule.protocol);
const commands: string[] = [];
for (const proto of protocols) {
const ruleParts = [...parts];
if (rule.protocol) {
ruleParts.push(proto);
}
if (rule.sourceIP) {
ruleParts.push(`ip saddr ${rule.sourceIP}`);
}
if (rule.destIP) {
ruleParts.push(`ip daddr ${rule.destIP}`);
}
if (rule.sourcePort != null) {
ruleParts.push(`${proto} sport ${rule.sourcePort}`);
}
if (rule.destPort != null) {
// If protocol wasn't explicitly set but we have a port, we need the protocol
if (!rule.protocol) {
ruleParts.push(`tcp dport ${rule.destPort}`);
} else {
ruleParts.push(`${proto} dport ${rule.destPort}`);
}
}
if (rule.comment) {
ruleParts.push(`comment "${rule.comment}"`);
}
ruleParts.push(rule.action);
commands.push(ruleParts.join(' '));
}
// If no protocol expansion needed (no protocol-specific fields)
if (commands.length === 0) {
const ruleParts = [...parts];
if (rule.sourceIP) {
ruleParts.push(`ip saddr ${rule.sourceIP}`);
}
if (rule.destIP) {
ruleParts.push(`ip daddr ${rule.destIP}`);
}
if (rule.comment) {
ruleParts.push(`comment "${rule.comment}"`);
}
ruleParts.push(rule.action);
commands.push(ruleParts.join(' '));
}
return commands;
}
/**
* Build commands to create an nft named set (IP set).
*/
export function buildIPSetCreate(
tableName: string,
family: TNftFamily,
config: INftIPSetConfig,
): string[] {
const commands: string[] = [];
// Create the set
commands.push(
`nft add set ${family} ${tableName} ${config.name} { type ${config.type} \\; }`
);
// Add initial elements if provided
if (config.elements && config.elements.length > 0) {
commands.push(
`nft add element ${family} ${tableName} ${config.name} { ${config.elements.join(', ')} }`
);
}
return commands;
}
/**
* Build command to add elements to an existing set.
*/
export function buildIPSetAddElements(
tableName: string,
family: TNftFamily,
setName: string,
elements: string[],
): string[] {
if (elements.length === 0) return [];
return [
`nft add element ${family} ${tableName} ${setName} { ${elements.join(', ')} }`
];
}
/**
* Build command to remove elements from a set.
*/
export function buildIPSetRemoveElements(
tableName: string,
family: TNftFamily,
setName: string,
elements: string[],
): string[] {
if (elements.length === 0) return [];
return [
`nft delete element ${family} ${tableName} ${setName} { ${elements.join(', ')} }`
];
}
/**
* Build command to delete an entire set.
*/
export function buildIPSetDelete(
tableName: string,
family: TNftFamily,
setName: string,
): string[] {
return [
`nft delete set ${family} ${tableName} ${setName}`
];
}
/**
* Build a rule that matches against a named set.
*/
export function buildIPSetMatchRule(
tableName: string,
family: TNftFamily,
options: {
setName: string;
direction: 'input' | 'output' | 'forward';
matchField: 'saddr' | 'daddr';
action: 'accept' | 'drop' | 'reject';
},
): string[] {
return [
`nft add rule ${family} ${tableName} ${options.direction} ip ${options.matchField} @${options.setName} ${options.action}`
];
}
// ─── Internal helpers ─────────────────────────────────────────────
function expandProtocols(protocol?: 'tcp' | 'udp' | 'both'): string[] {
if (!protocol) return [];
switch (protocol) {
case 'tcp': return ['tcp'];
case 'udp': return ['udp'];
case 'both': return ['tcp', 'udp'];
}
}

82
ts/nft.rulebuilder.nat.ts Normal file
View File

@@ -0,0 +1,82 @@
import type { TNftFamily, TNftProtocol, INftDnatRule, INftSnatRule, INftMasqueradeRule } from './nft.types.js';
/**
* Expand a protocol spec into concrete protocol strings.
*/
function expandProtocols(protocol?: TNftProtocol): string[] {
switch (protocol ?? 'tcp') {
case 'tcp': return ['tcp'];
case 'udp': return ['udp'];
case 'both': return ['tcp', 'udp'];
}
}
/**
* Build DNAT rules for port forwarding.
* Generates DNAT + optional masquerade for each protocol.
* Direct port of Rust build_dnat_rule.
*/
export function buildDnatRules(
tableName: string,
family: TNftFamily,
rule: INftDnatRule,
): string[] {
const protocols = expandProtocols(rule.protocol);
const commands: string[] = [];
for (const proto of protocols) {
// DNAT rule
commands.push(
`nft add rule ${family} ${tableName} prerouting ${proto} dport ${rule.sourcePort} dnat to ${rule.targetHost}:${rule.targetPort}`
);
// Masquerade (SNAT) unless preserveSourceIP is set
if (!rule.preserveSourceIP) {
commands.push(
`nft add rule ${family} ${tableName} postrouting ${proto} dport ${rule.targetPort} masquerade`
);
}
}
return commands;
}
/**
* Build an SNAT rule to rewrite source address.
*/
export function buildSnatRule(
tableName: string,
family: TNftFamily,
rule: INftSnatRule,
): string[] {
const protocols = expandProtocols(rule.protocol);
const commands: string[] = [];
for (const proto of protocols) {
commands.push(
`nft add rule ${family} ${tableName} postrouting ${proto} dport ${rule.targetPort} snat to ${rule.sourceAddress}`
);
}
return commands;
}
/**
* Build a masquerade rule for outgoing NAT.
*/
export function buildMasqueradeRule(
tableName: string,
family: TNftFamily,
rule: INftMasqueradeRule,
): string[] {
const protocols = expandProtocols(rule.protocol);
const commands: string[] = [];
for (const proto of protocols) {
commands.push(
`nft add rule ${family} ${tableName} postrouting ${proto} dport ${rule.targetPort} masquerade`
);
}
return commands;
}

89
ts/nft.rulebuilder.ratelimit.ts Normal file
View File

@@ -0,0 +1,89 @@
import type { TNftFamily, INftRateLimitRule, INftConnectionRateRule } from './nft.types.js';
/**
* Expand a protocol spec into concrete protocol strings.
*/
function expandProtocols(protocol?: 'tcp' | 'udp' | 'both'): string[] {
switch (protocol ?? 'tcp') {
case 'tcp': return ['tcp'];
case 'udp': return ['udp'];
case 'both': return ['tcp', 'udp'];
}
}
/**
* Build a rate limit rule.
* Packets exceeding the rate are subjected to the specified action (default: drop).
*/
export function buildRateLimitRule(
tableName: string,
family: TNftFamily,
rule: INftRateLimitRule,
): string[] {
const protocols = expandProtocols(rule.protocol);
const chain = rule.chain ?? 'input';
const action = rule.action ?? 'drop';
const commands: string[] = [];
for (const proto of protocols) {
const portMatch = rule.port != null ? ` ${proto} dport ${rule.port}` : '';
const burstClause = rule.burst != null ? ` burst ${rule.burst} packets` : '';
if (rule.perSourceIP) {
// Per-IP rate limiting using nft meters
const meterName = `meter_${proto}_${rule.port ?? 'all'}`;
commands.push(
`nft add rule ${family} ${tableName} ${chain}${portMatch} meter ${meterName} { ip saddr limit rate over ${rule.rate}${burstClause} } ${action}`
);
} else {
// Global rate limiting
commands.push(
`nft add rule ${family} ${tableName} ${chain}${portMatch} limit rate over ${rule.rate}${burstClause} ${action}`
);
}
}
return commands;
}
/**
* Build a per-IP rate limit rule using nft meters.
* Convenience wrapper around buildRateLimitRule with perSourceIP=true.
*/
export function buildPerIpRateLimitRule(
tableName: string,
family: TNftFamily,
rule: Omit<INftRateLimitRule, 'perSourceIP'>,
): string[] {
return buildRateLimitRule(tableName, family, { ...rule, perSourceIP: true });
}
/**
* Build a new-connection rate limit rule.
* Limits the rate of new connections (ct state new) on the given port.
*/
export function buildConnectionRateRule(
tableName: string,
family: TNftFamily,
rule: INftConnectionRateRule,
): string[] {
const protocols = expandProtocols(rule.protocol);
const commands: string[] = [];
for (const proto of protocols) {
const portMatch = rule.port != null ? ` ${proto} dport ${rule.port}` : '';
if (rule.perSourceIP) {
const meterName = `connrate_${proto}_${rule.port ?? 'all'}`;
commands.push(
`nft add rule ${family} ${tableName} input ct state new${portMatch} meter ${meterName} { ip saddr limit rate over ${rule.rate} } drop`
);
} else {
commands.push(
`nft add rule ${family} ${tableName} input ct state new${portMatch} limit rate over ${rule.rate} drop`
);
}
}
return commands;
}

30
ts/nft.rulebuilder.table.ts Normal file
View File

@@ -0,0 +1,30 @@
import type { TNftFamily } from './nft.types.js';
/**
* Build commands to create the nftables table and NAT chains (prerouting + postrouting).
*/
export function buildTableSetup(tableName: string, family: TNftFamily = 'ip'): string[] {
return [
`nft add table ${family} ${tableName}`,
`nft add chain ${family} ${tableName} prerouting { type nat hook prerouting priority 0 \\; }`,
`nft add chain ${family} ${tableName} postrouting { type nat hook postrouting priority 100 \\; }`,
];
}
/**
* Build commands to create filter chains (input, forward, output).
*/
export function buildFilterChains(tableName: string, family: TNftFamily = 'ip'): string[] {
return [
`nft add chain ${family} ${tableName} input { type filter hook input priority 0 \\; policy accept \\; }`,
`nft add chain ${family} ${tableName} forward { type filter hook forward priority 0 \\; policy accept \\; }`,
`nft add chain ${family} ${tableName} output { type filter hook output priority 0 \\; policy accept \\; }`,
];
}
/**
* Build command to delete the entire nftables table.
*/
export function buildTableCleanup(tableName: string, family: TNftFamily = 'ip'): string[] {
return [`nft delete table ${family} ${tableName}`];
}

102
ts/nft.types.ts Normal file
View File

@@ -0,0 +1,102 @@
// ─── Protocol & Family ────────────────────────────────────────────
export type TNftProtocol = 'tcp' | 'udp' | 'both';
export type TNftFamily = 'ip' | 'ip6' | 'inet';
export type TNftChainHook = 'prerouting' | 'postrouting' | 'input' | 'output' | 'forward';
export type TNftChainType = 'nat' | 'filter';
export type TNftPolicy = 'accept' | 'drop';
export type TFirewallAction = 'accept' | 'drop' | 'reject';
export type TCtState = 'new' | 'established' | 'related' | 'invalid';
// ─── NAT ──────────────────────────────────────────────────────────
export interface INftDnatRule {
sourcePort: number;
targetHost: string;
targetPort: number;
protocol?: TNftProtocol;
preserveSourceIP?: boolean;
}
export interface INftSnatRule {
sourceAddress: string;
targetPort: number;
protocol?: TNftProtocol;
}
export interface INftMasqueradeRule {
targetPort: number;
protocol?: TNftProtocol;
}
// ─── Rate Limiting ────────────────────────────────────────────────
export interface INftRateLimitRule {
/** Port to rate-limit on. If omitted, applies to all ports. */
port?: number;
protocol?: TNftProtocol;
/** Rate expression, e.g. "100/second", "10 mbytes/second" */
rate: string;
/** Burst allowance in packets or bytes */
burst?: number;
/** If true, track rate per source IP using nft meters */
perSourceIP?: boolean;
/** Action for packets exceeding rate. Default: 'drop' */
action?: TFirewallAction;
/** Chain to apply the rule to. Default: 'input' */
chain?: 'input' | 'forward' | 'prerouting';
}
export interface INftConnectionRateRule {
/** Port to limit new connections on */
port?: number;
protocol?: TNftProtocol;
/** New connection rate, e.g. "10/second" */
rate: string;
/** If true, track per source IP */
perSourceIP?: boolean;
}
// ─── Firewall ─────────────────────────────────────────────────────
export interface INftFirewallRule {
direction: 'input' | 'output' | 'forward';
action: TFirewallAction;
sourceIP?: string;
destIP?: string;
sourcePort?: number;
destPort?: number;
protocol?: TNftProtocol;
ctStates?: TCtState[];
comment?: string;
}
export interface INftIPSetConfig {
name: string;
type: 'ipv4_addr' | 'ipv6_addr' | 'inet_service';
elements?: string[];
comment?: string;
}
// ─── Rule Group (tracking unit) ───────────────────────────────────
export interface INftRuleGroup {
id: string;
commands: string[];
createdAt: number;
}
// ─── Manager Options ──────────────────────────────────────────────
export interface ISmartNftablesOptions {
/** nftables table name. Default: 'smartnftables' */
tableName?: string;
/** Address family. Default: 'ip' */
family?: TNftFamily;
/** If true, generate commands but never execute them */
dryRun?: boolean;
}
// ─── Status / Reporting ───────────────────────────────────────────
export interface INftStatus {
initialized: boolean;
tableName: string;
family: TNftFamily;
isRoot: boolean;
activeGroups: number;
groups: Record<string, { ruleCount: number; createdAt: number }>;
}

16
ts/plugins.ts Normal file
View File

@@ -0,0 +1,16 @@
// node native scope
import * as childProcess from 'node:child_process';
import * as util from 'node:util';
export {
childProcess,
util,
};
// @push.rocks scope
import * as smartlog from '@push.rocks/smartlog';
import * as smartpromise from '@push.rocks/smartpromise';
export {
smartlog,
smartpromise,
};

15
tsconfig.json Normal file
View File

@@ -0,0 +1,15 @@
{
"compilerOptions": {
"experimentalDecorators": true,
"useDefineForClassFields": false,
"target": "ES2022",
"module": "NodeNext",
"moduleResolution": "NodeNext",
"esModuleInterop": true,
"verbatimModuleSyntax": true,
"types": ["node"]
},
"exclude": [
"dist_*/**/*.d.ts"
]
}