feat(smart-proxy): add UDP transport support with QUIC/HTTP3 routing and datagram handler relay

2026-03-19 15:06:27 +00:00
parent cfa958cf3d
commit 4fb91cd868
34 changed files with 2978 additions and 55 deletions
--- a/rust/crates/rustproxy-nftables/src/rule_builder.rs
+++ b/rust/crates/rustproxy-nftables/src/rule_builder.rs
@@ -9,34 +9,36 @@ pub fn build_dnat_rule(
    target_port: u16,
    options: &NfTablesOptions,
 ) -> Vec<String> {
-    let protocol = match options.protocol.as_ref().unwrap_or(&NfTablesProtocol::Tcp) {
-        NfTablesProtocol::Tcp => "tcp",
-        NfTablesProtocol::Udp => "udp",
-        NfTablesProtocol::All => "tcp", // TODO: handle "all"
+    let protocols: Vec<&str> = match options.protocol.as_ref().unwrap_or(&NfTablesProtocol::Tcp) {
+        NfTablesProtocol::Tcp => vec!["tcp"],
+        NfTablesProtocol::Udp => vec!["udp"],
+        NfTablesProtocol::All => vec!["tcp", "udp"],
    };

    let mut rules = Vec::new();

-    // DNAT rule
-    rules.push(format!(
-        "nft add rule ip {} {} {} dport {} dnat to {}:{}",
-        table_name, chain_name, protocol, source_port, target_host, target_port,
-    ));
-
-    // SNAT rule if preserving source IP is not enabled
-    if !options.preserve_source_ip.unwrap_or(false) {
+    for protocol in &protocols {
+        // DNAT rule
        rules.push(format!(
-            "nft add rule ip {} postrouting {} dport {} masquerade",
-            table_name, protocol, target_port,
+            "nft add rule ip {} {} {} dport {} dnat to {}:{}",
+            table_name, chain_name, protocol, source_port, target_host, target_port,
        ));
-    }

-    // Rate limiting
-    if let Some(max_rate) = &options.max_rate {
-        rules.push(format!(
-            "nft add rule ip {} {} {} dport {} limit rate {} accept",
-            table_name, chain_name, protocol, source_port, max_rate,
-        ));
+        // SNAT rule if preserving source IP is not enabled
+        if !options.preserve_source_ip.unwrap_or(false) {
+            rules.push(format!(
+                "nft add rule ip {} postrouting {} dport {} masquerade",
+                table_name, protocol, target_port,
+            ));
+        }
+
+        // Rate limiting
+        if let Some(max_rate) = &options.max_rate {
+            rules.push(format!(
+                "nft add rule ip {} {} {} dport {} limit rate {} accept",
+                table_name, chain_name, protocol, source_port, max_rate,
+            ));
+        }
    }

    rules
@@ -120,4 +122,25 @@ mod tests {
        assert_eq!(commands.len(), 1);
        assert!(commands[0].contains("delete table ip rustproxy"));
    }
+
+    #[test]
+    fn test_protocol_all_generates_tcp_and_udp_rules() {
+        let mut options = make_options();
+        options.protocol = Some(NfTablesProtocol::All);
+        let rules = build_dnat_rule("rustproxy", "prerouting", 53, "10.0.0.53", 53, &options);
+        // Should have TCP DNAT + masquerade + UDP DNAT + masquerade = 4 rules
+        assert_eq!(rules.len(), 4);
+        assert!(rules.iter().any(|r| r.contains("tcp dport 53 dnat")));
+        assert!(rules.iter().any(|r| r.contains("udp dport 53 dnat")));
+        assert!(rules.iter().filter(|r| r.contains("masquerade")).count() == 2);
+    }
+
+    #[test]
+    fn test_protocol_udp() {
+        let mut options = make_options();
+        options.protocol = Some(NfTablesProtocol::Udp);
+        let rules = build_dnat_rule("rustproxy", "prerouting", 53, "10.0.0.53", 53, &options);
+        assert!(rules.iter().all(|r| !r.contains("tcp")));
+        assert!(rules.iter().any(|r| r.contains("udp dport 53 dnat")));
+    }
 }