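// ─── Protocol & Family ───────────────────────────────────────────

/**
 * Transport protocol selector for a rule.
 * NOTE(review): 'both' presumably makes the generator emit the rule for
 * tcp and udp — confirm in the command builder.
 */
export type TNftProtocol = 'tcp' | 'udp' | 'both';

/** nftables address family the managed table lives in. */
export type TNftFamily = 'ip' | 'ip6' | 'inet';

/** Netfilter hook a base chain is attached to. */
export type TNftChainHook = 'prerouting' | 'postrouting' | 'input' | 'output' | 'forward';

/** Base chain type. */
export type TNftChainType = 'nat' | 'filter';

/** Default verdict of a base chain when no rule matches (nft only allows accept/drop here). */
export type TNftPolicy = 'accept' | 'drop';

/** Verdict a generated rule applies to matching traffic. */
export type TFirewallAction = 'accept' | 'drop' | 'reject';

/** Conntrack states usable in a `ct state` match. */
export type TCtState = 'new' | 'established' | 'related' | 'invalid';

// ─── NAT ─────────────────────────────────────────────────────────

/**
 * Destination NAT (port-forward) rule.
 *
 * NOTE(review): `targetHost` is a free-form string that presumably ends up
 * verbatim in nft command text. The generator should validate it as an IP
 * address of the table's family (or at least reject whitespace, quotes and
 * shell metacharacters) before interpolating it — this type cannot do that.
 */
export interface INftDnatRule {
  /** Port matched on incoming traffic (presumably `dport` — confirm in generator). */
  sourcePort: number;
  /** Address the matched traffic is redirected to. */
  targetHost: string;
  /** Port the matched traffic is redirected to. */
  targetPort: number;
  /** Transport protocol; the default is decided by the generator, not here. */
  protocol?: TNftProtocol;
  /** Semantics are defined by the generator (presumably: skip source rewriting for the forwarded flow) — confirm there. */
  preserveSourceIP?: boolean;
}

/**
 * Source NAT rule.
 *
 * NOTE(review): `sourceAddress` is also free-form; same validation caveat
 * as INftDnatRule.targetHost applies.
 */
export interface INftSnatRule {
  /** Address to rewrite the source to. */
  sourceAddress: string;
  /** Port the rule matches on. */
  targetPort: number;
  /** Transport protocol; default decided by the generator. */
  protocol?: TNftProtocol;
}

/** Masquerade rule (source rewrite to the outgoing interface address). */
export interface INftMasqueradeRule {
  /** Port the rule matches on. */
  targetPort: number;
  /** Transport protocol; default decided by the generator. */
  protocol?: TNftProtocol;
}

// ─── Rate Limiting ───────────────────────────────────────────────

/**
 * Packet/byte rate-limit rule.
 *
 * NOTE(review): `rate` is passed through as text. Because it is spliced
 * into an nft command, the generator should check it against the nft rate
 * grammar (number, optional unit, "/second|minute|hour|day") rather than
 * trusting the caller — a malformed value is at best a failed `nft` call
 * and at worst extra rule text.
 */
export interface INftRateLimitRule {
  /** Port to rate-limit on. If omitted, applies to all ports. */
  port?: number;
  /** Transport protocol; default decided by the generator. */
  protocol?: TNftProtocol;
  /** Rate expression, e.g. "100/second", "10 mbytes/second". */
  rate: string;
  /** Burst allowance in packets or bytes (unit follows `rate`). */
  burst?: number;
  /** If true, track rate per source IP using nft meters. */
  perSourceIP?: boolean;
  /** Action for packets exceeding the rate. Default: 'drop'. */
  action?: TFirewallAction;
  /** Chain to apply the rule to. Default: 'input'. */
  chain?: 'input' | 'forward' | 'prerouting';
}

/**
 * New-connection rate limit (rate applies to `ct state new` traffic —
 * presumably; confirm in the generator).
 */
export interface INftConnectionRateRule {
  /** Port to limit new connections on. If omitted, applies to all ports. */
  port?: number;
  /** Transport protocol; default decided by the generator. */
  protocol?: TNftProtocol;
  /** New connection rate, e.g. "10/second". Same validation caveat as INftRateLimitRule.rate. */
  rate: string;
  /** If true, track per source IP. */
  perSourceIP?: boolean;
}

// ─── Firewall ────────────────────────────────────────────────────

/**
 * Generic filter rule.
 *
 * NOTE(review): `sourceIP`, `destIP` and `comment` are free-form strings.
 * An nft `comment "..."` containing a double quote or newline can terminate
 * the comment early and leave the remainder interpreted as rule text, so
 * the generator should escape or reject such characters. IP fields should
 * be validated as address/CIDR syntax of the configured family.
 */
export interface INftFirewallRule {
  /** Chain hook the rule is placed in. */
  direction: 'input' | 'output' | 'forward';
  /** Verdict applied when the rule matches. */
  action: TFirewallAction;
  /** Source address or prefix to match (omit for any). */
  sourceIP?: string;
  /** Destination address or prefix to match (omit for any). */
  destIP?: string;
  /** Source port to match (omit for any). */
  sourcePort?: number;
  /** Destination port to match (omit for any). */
  destPort?: number;
  /** Transport protocol; default decided by the generator. */
  protocol?: TNftProtocol;
  /** Conntrack states to match; omit to match regardless of state. */
  ctStates?: TCtState[];
  /** Free-text comment attached to the rule (see escaping caveat above). */
  comment?: string;
}

/**
 * Named set definition.
 *
 * NOTE(review): `name` and `elements` are spliced into `add set` /
 * `add element` commands; the generator should restrict `name` to nft
 * identifier characters and validate each element against `type`.
 */
export interface INftIPSetConfig {
  /** Set name as used in nft commands. */
  name: string;
  /** Element type of the set. */
  type: 'ipv4_addr' | 'ipv6_addr' | 'inet_service';
  /** Initial elements, in nft element syntax. */
  elements?: string[];
  /** Free-text comment attached to the set. */
  comment?: string;
}

// ─── Rule Group (tracking unit) ──────────────────────────────────

/** A batch of generated nft commands tracked as one unit so it can be removed together. */
export interface INftRuleGroup {
  /** Group identifier (presumably the key used in INftStatus.groups). */
  id: string;
  /** The nft command strings that make up this group. */
  commands: string[];
  /** Creation timestamp; the unit (ms vs s) is set by the manager — confirm there. */
  createdAt: number;
}

// ─── Manager Options ─────────────────────────────────────────────

/**
 * Options for the nftables manager.
 *
 * NOTE(review): `tableName` becomes part of every emitted command; the
 * manager should restrict it to nft identifier characters.
 */
export interface ISmartNftablesOptions {
  /** nftables table name. Default: 'smartnftables'. */
  tableName?: string;
  /** Address family. Default: 'ip'. */
  family?: TNftFamily;
  /**
   * If true, generate commands but never execute them. Useful for
   * reviewing the exact rule text before it is applied on a host.
   */
  dryRun?: boolean;
}

// ─── Status / Reporting ──────────────────────────────────────────

/** Snapshot of manager state for reporting. */
export interface INftStatus {
  /** Whether the table/chains have been created. */
  initialized: boolean;
  /** Effective table name. */
  tableName: string;
  /** Effective address family. */
  family: TNftFamily;
  /**
   * Whether the process runs as root. Note that nft needs CAP_NET_ADMIN,
   * not uid 0 per se, so treat this as a hint rather than a capability check.
   */
  isRoot: boolean;
  /** Number of currently tracked rule groups. */
  activeGroups: number;
  /**
   * Tracked groups keyed by group id.
   * NOTE(review): the original declared a bare `Record` with no type
   * arguments, which does not compile; `Record<string, INftRuleGroup>` is
   * the reconstruction consistent with `activeGroups` and INftRuleGroup.id —
   * confirm against the manager implementation.
   */
  groups: Record<string, INftRuleGroup>;
}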