initial
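--- /dev/null
+++ b/ts/nft.types.ts
@@ -0,0 +1,102 @@
+// ─── Protocol & Family ────────────────────────────────────────────
+export type TNftProtocol = 'tcp' | 'udp' | 'both';
+export type TNftFamily = 'ip' | 'ip6' | 'inet';
+export type TNftChainHook = 'prerouting' | 'postrouting' | 'input' | 'output' | 'forward';
+export type TNftChainType = 'nat' | 'filter';
+export type TNftPolicy = 'accept' | 'drop';
+export type TFirewallAction = 'accept' | 'drop' | 'reject';
+export type TCtState = 'new' | 'established' | 'related' | 'invalid';
+
+// ─── NAT ──────────────────────────────────────────────────────────
+export interface INftDnatRule {
+  sourcePort: number;
+  targetHost: string;
+  targetPort: number;
+  protocol?: TNftProtocol;
+  preserveSourceIP?: boolean;
+}
+
+export interface INftSnatRule {
+  sourceAddress: string;
+  targetPort: number;
+  protocol?: TNftProtocol;
+}
+
+export interface INftMasqueradeRule {
+  targetPort: number;
+  protocol?: TNftProtocol;
+}
+
+// ─── Rate Limiting ────────────────────────────────────────────────
+export interface INftRateLimitRule {
+  /** Port to rate-limit on. If omitted, applies to all ports. */
+  port?: number;
+  protocol?: TNftProtocol;
+  /** Rate expression, e.g. "100/second", "10 mbytes/second" */
+  rate: string;
+  /** Burst allowance in packets or bytes */
+  burst?: number;
+  /** If true, track rate per source IP using nft meters */
+  perSourceIP?: boolean;
+  /** Action for packets exceeding rate. Default: 'drop' */
+  action?: TFirewallAction;
+  /** Chain to apply the rule to. Default: 'input' */
+  chain?: 'input' | 'forward' | 'prerouting';
+}
+
+export interface INftConnectionRateRule {
+  /** Port to limit new connections on */
+  port?: number;
+  protocol?: TNftProtocol;
+  /** New connection rate, e.g. "10/second" */
+  rate: string;
+  /** If true, track per source IP */
+  perSourceIP?: boolean;
+}
+
+// ─── Firewall ─────────────────────────────────────────────────────
+export interface INftFirewallRule {
+  direction: 'input' | 'output' | 'forward';
+  action: TFirewallAction;
+  sourceIP?: string;
+  destIP?: string;
+  sourcePort?: number;
+  destPort?: number;
+  protocol?: TNftProtocol;
+  ctStates?: TCtState[];
+  comment?: string;
+}
+
+export interface INftIPSetConfig {
+  name: string;
+  type: 'ipv4_addr' | 'ipv6_addr' | 'inet_service';
+  elements?: string[];
+  comment?: string;
+}
+
+// ─── Rule Group (tracking unit) ───────────────────────────────────
+export interface INftRuleGroup {
+  id: string;
+  commands: string[];
+  createdAt: number;
+}
+
+// ─── Manager Options ──────────────────────────────────────────────
+export interface ISmartNftablesOptions {
+  /** nftables table name. Default: 'smartnftables' */
+  tableName?: string;
+  /** Address family. Default: 'ip' */
+  family?: TNftFamily;
+  /** If true, generate commands but never execute them */
+  dryRun?: boolean;
+}
+
+// ─── Status / Reporting ───────────────────────────────────────────
+export interface INftStatus {
+  initialized: boolean;
+  tableName: string;
+  family: TNftFamily;
+  isRoot: boolean;
+  activeGroups: number;
+  groups: Record<string, { ruleCount: number; createdAt: number }>;
+}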
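Review bot: The free-form `string` fields in this file — `targetHost`, `sourceAddress`, `sourceIP`, `destIP`, `rate`, `name`, `elements`, `comment` and `tableName` — carry no documented contract about what they may contain, yet `INftRuleGroup.commands: string[]` and the `dryRun` doc ("generate commands but never execute them") indicate they end up as nft command text, where an unvalidated value is an nft-syntax or shell injection point if it ever originates from a request or config file. Since types cannot enforce this, the interfaces should at least state the expectation the command builder must meet, e.g. on `sourceIP`/`destIP`/`targetHost`/`sourceAddress`: `/** IPv4/IPv6 address or CIDR; validate before interpolating into an nft command */`, on `comment`: `/** Free text; the builder must reject or escape double quotes and newlines, since nft comments are quoted strings */`, and on `name`/`tableName`: `/** nft identifier; restrict to [A-Za-z0-9_] */`. `rate` could additionally be narrowed to a template literal type matching the documented examples so malformed expressions fail at compile time, but that is a design choice for the builder's author to confirm. The same note applies to `INftIPSetConfig.elements`, which presumably is joined element-by-element into a set definition.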