initial

ts/nft.manager.ratelimit.ts

@@ -0,0 +1,43 @@
+import type { SmartNftables } from './nft.manager.js';
+import type { INftRateLimitRule, INftConnectionRateRule } from './nft.types.js';
+import { buildRateLimitRule, buildConnectionRateRule } from './nft.rulebuilder.ratelimit.js';
+
+/**
+ * Manages rate limiting rules using nft meters and limit expressions.
+ */
+export class RateLimitManager {
+  constructor(private parent: SmartNftables) {}
+
+  /**
+   * Add a rate limit rule (global or per-IP).
+   */
+  public async addRateLimit(groupId: string, rule: INftRateLimitRule): Promise<void> {
+    await this.parent.ensureFilterChains();
+    const commands = buildRateLimitRule(this.parent.tableName, this.parent.family, rule);
+    await this.parent.applyRuleGroup(`ratelimit:${groupId}`, commands);
+  }
+
+  /**
+   * Remove a rate limit rule group.
+   */
+  public async removeRateLimit(groupId: string): Promise<void> {
+    await this.parent.removeRuleGroup(`ratelimit:${groupId}`);
+  }
+
+  /**
+   * Add a new-connection rate limit rule.
+   * Limits the rate of new TCP/UDP connections (ct state new).
+   */
+  public async addConnectionRateLimit(groupId: string, rule: INftConnectionRateRule): Promise<void> {
+    await this.parent.ensureFilterChains();
+    const commands = buildConnectionRateRule(this.parent.tableName, this.parent.family, rule);
+    await this.parent.applyRuleGroup(`connrate:${groupId}`, commands);
+  }
+
+  /**
+   * Remove a connection rate limit rule group.
+   */
+  public async removeConnectionRateLimit(groupId: string): Promise<void> {
+    await this.parent.removeRuleGroup(`connrate:${groupId}`);
+  }
+}