push.rocks/smartproxy
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(nftables): move NFTables forwarding management from the Rust engine to @push.rocks/smartnftables

Browse Source
This commit is contained in:
Jürgen Kunz
2026-03-26 13:11:57 +00:00
parent c0e432fd9b
commit a6ffa24e36
22 changed files with 149 additions and 650 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
readme.md
View File

@@ -1,6 +1,6 @@
# @push.rocks/smartproxy 🚀
**A high-performance, Rust-powered proxy toolkit for Node.js** — unified route-based configuration for SSL/TLS termination, HTTP/HTTPS reverse proxying, WebSocket support, UDP/QUIC/HTTP3, load balancing, custom protocol handlers, and kernel-level NFTables forwarding.
**A high-performance, Rust-powered proxy toolkit for Node.js** — unified route-based configuration for SSL/TLS termination, HTTP/HTTPS reverse proxying, WebSocket support, UDP/QUIC/HTTP3, load balancing, custom protocol handlers, and kernel-level NFTables forwarding via [`@push.rocks/smartnftables`](https://code.foss.global/push.rocks/smartnftables).
## 📦 Installation
@@ -384,7 +384,7 @@ const dualStackRoute: IRouteConfig = {
### ⚡ High-Performance NFTables Forwarding
For ultra-low latency on Linux, use kernel-level forwarding (requires root):
For ultra-low latency on Linux, use kernel-level forwarding via [`@push.rocks/smartnftables`](https://code.foss.global/push.rocks/smartnftables) (requires root):
```typescript
import { SmartProxy, createNfTablesTerminateRoute } from '@push.rocks/smartproxy';
@@ -694,22 +694,26 @@ SmartProxy uses a hybrid **Rust + TypeScript** architecture:
│ │ Listener│ │ Reverse │ │ Matcher │ │ Cert Mgr │ │
│ │ │ │ Proxy │ │ │ │ │ │
│ └─────────┘ └─────────┘ └─────────┘ └──────────┘ │
│ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌──────────┐
│ │ UDP │ │ Security│ │ Metrics │ │ NFTables │
│ │ QUIC │ │ Enforce │ │ Collect │ Mgr
│ │ HTTP/3 │ │ │ │ │
│ └─────────┘ └─────────┘ └─────────┘ └──────────┘
│ ┌─────────┐ ┌─────────┐ ┌─────────┐
│ │ UDP │ │ Security│ │ Metrics │
│ │ QUIC │ │ Enforce │ │ Collect │
│ │ HTTP/3 │ │ │ │ │
│ └─────────┘ └─────────┘ └─────────┘
└──────────────────┬──────────────────────────────────┘
│ Unix Socket Relay
┌──────────────────▼──────────────────────────────────┐
│ TypeScript Socket & Datagram Handler Servers │
│ (for JS socket handlers, datagram handlers, │
│ and dynamic routes) │
├─────────────────────────────────────────────────────┤
│ @push.rocks/smartnftables (kernel-level NFTables) │
│ (DNAT/SNAT, firewall, rate limiting via nft CLI) │
└─────────────────────────────────────────────────────┘
```
- **Rust Engine** handles all networking: TCP, UDP, TLS, QUIC, HTTP proxying, connection management, security, and metrics
- **TypeScript** provides the npm API, configuration types, route helpers, validation, and handler callbacks
- **NFTables** managed by [`@push.rocks/smartnftables`](https://code.foss.global/push.rocks/smartnftables) — kernel-level DNAT/SNAT forwarding, firewall rules, and rate limiting via the `nft` CLI
- **IPC** — The TypeScript wrapper uses JSON commands/events over stdin/stdout to communicate with the Rust binary
- **Socket/Datagram Relay** — Unix domain socket servers for routes requiring TypeScript-side handling (socket handlers, datagram handlers, dynamic host/port functions)
@@ -938,8 +942,8 @@ class SmartProxy extends EventEmitter {
getCertificateStatus(routeName: string): Promise<any>;
getEligibleDomainsForCertificates(): string[];
// NFTables
getNfTablesStatus(): Promise<Record<string, any>>;
// NFTables (managed by @push.rocks/smartnftables)
getNfTablesStatus(): INftStatus | null;
// Events
on(event: 'error', handler: (err: Error) => void): this;
@@ -991,11 +995,11 @@ interface ISmartProxyOptions {
sendProxyProtocol?: boolean; // Send PROXY protocol to targets
// Timeouts
connectionTimeout?: number; // Backend connection timeout (default: 30s)
initialDataTimeout?: number; // Initial data/SNI timeout (default: 120s)
socketTimeout?: number; // Socket inactivity timeout (default: 1h)
maxConnectionLifetime?: number; // Max connection lifetime (default: 24h)
inactivityTimeout?: number; // Inactivity timeout (default: 4h)
connectionTimeout?: number; // Backend connection timeout (default: 60s)
initialDataTimeout?: number; // Initial data/SNI timeout (default: 60s)
socketTimeout?: number; // Socket inactivity timeout (default: 60s)
maxConnectionLifetime?: number; // Max connection lifetime (default: 1h)
inactivityTimeout?: number; // Inactivity timeout (default: 75s)
gracefulShutdownTimeout?: number; // Shutdown grace period (default: 30s)
// Connection limits
@@ -1004,8 +1008,8 @@ interface ISmartProxyOptions {
// Keep-alive
keepAliveTreatment?: 'standard' | 'extended' | 'immortal';
keepAliveInactivityMultiplier?: number; // (default: 6)
extendedKeepAliveLifetime?: number; // (default: 7 days)
keepAliveInactivityMultiplier?: number; // (default: 4)
extendedKeepAliveLifetime?: number; // (default: 1h)
// Metrics
metrics?: {
@@ -1137,7 +1141,7 @@ SmartProxy searches for the Rust binary in this order:
## License and Legal Information
This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](./LICENSE) file.
This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](./license) file.
**Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.