v27.0.0

changelog.md

@@ -1,5 +1,63 @@
 # Changelog
 
+## 2026-03-26 - 27.0.0 - BREAKING CHANGE(smart-proxy)
+remove route helper APIs and standardize route configuration on plain route objects
+
+- Removes TypeScript route helper exports and related Rust config helpers in favor of defining routes directly with match and action properties.
+- Updates documentation and tests to use plain IRouteConfig objects and SocketHandlers imports instead of helper factory functions.
+- Moves socket handlers to a top-level utils export and keeps direct socket-handler route configuration as the supported pattern.
+
+## 2026-03-26 - 26.3.0 - feat(nftables)
+move NFTables forwarding management from the Rust engine to @push.rocks/smartnftables
+
+- add @push.rocks/smartnftables as a runtime dependency and export it via the plugin layer
+- remove the internal rustproxy-nftables crate along with Rust-side NFTables rule application and status management
+- apply and clean up NFTables port-forwarding rules in the TypeScript SmartProxy lifecycle and route update flow
+- change getNfTablesStatus to return local smartnftables status instead of querying the Rust bridge
+- update README documentation to describe NFTables support as provided through @push.rocks/smartnftables
+
+## 2026-03-26 - 26.2.4 - fix(rustproxy-http)
+improve HTTP/3 connection reuse and clean up stale proxy state
+
+- Reuse pooled HTTP/3 SendRequest handles to skip repeated SETTINGS handshakes and reduce request overhead on QUIC pool hits
+- Add periodic cleanup for per-route rate limiters and orphaned backend metrics to prevent unbounded memory growth after traffic or backend errors stop
+- Enforce HTTP max connection lifetime alongside idle timeouts and apply configured lifetime values from the TCP listener
+- Reduce HTTP/3 body copying by using owned Bytes paths for request and response streaming, and replace the custom response body adapter with a stream-based implementation
+- Harden auxiliary proxy components by capping datagram handler buffer growth and removing duplicate RustProxy exit listeners
+
+## 2026-03-25 - 26.2.3 - fix(repo)
+no changes to commit
+
+
+## 2026-03-25 - 26.2.2 - fix(proxy)
+improve connection cleanup and route validation handling
+
+- add timeouts for HTTP/1 upstream connection drivers to prevent lingering tasks
+- ensure QUIC relay sessions cancel and abort background tasks on drop
+- avoid registering unnamed routes as duplicates and label unnamed catch-all conflicts clearly
+- fix offset mapping route helper to forward only remaining route options without overriding derived values
+- update project config filename and toolchain versions for the current build setup
+
+## 2026-03-23 - 26.2.1 - fix(rustproxy-http)
+include the upstream request URL when caching H3 Alt-Svc discoveries
+
+- Tracks the request path that triggered Alt-Svc discovery in connection activity state
+- Adds request URL context to Alt-Svc debug logging and protocol cache insertion reasons for better traceability
+
+## 2026-03-23 - 26.2.0 - feat(protocol-cache)
+add sliding TTL re-probing and eviction for backend protocol detection
+
+- extend protocol cache entries and metrics with last accessed and last probed timestamps
+- trigger periodic ALPN re-probes for cached H1/H2 entries while keeping active entries alive with a sliding 1 day TTL
+- log protocol transitions with reasons and evict cache entries when all protocol fallback attempts fail
+
+## 2026-03-22 - 26.1.0 - feat(rustproxy-http)
+add protocol failure suppression, h3 fallback escalation, and protocol cache metrics exposure
+
+- introduces escalating cooldowns for failed H2/H3 protocol detection to prevent repeated upgrades to unstable backends
+- adds within-request escalation to cached HTTP/3 when TCP or TLS backend connections fail in auto-detect mode
+- exposes detected protocol cache entries and suppression state through Rust metrics and the TypeScript metrics adapter
+
 ## 2026-03-21 - 26.0.0 - BREAKING CHANGE(ts-api,rustproxy)
 remove deprecated TypeScript protocol and utility exports while hardening QUIC, HTTP/3, WebSocket, and rate limiter cleanup paths
 

license

@@ -1,4 +1,4 @@
-Copyright (c) 2019 Lossless GmbH (hello@lossless.com)
+Copyright (c) 2019 Task Venture Capital GmbH (hello@task.vc)
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@push.rocks/smartproxy",
-  "version": "26.0.0",
+  "version": "27.0.0",
   "private": false,
   "description": "A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.",
   "main": "dist_ts/index.js",
@@ -16,18 +16,19 @@
     "buildDocs": "tsdoc"
   },
   "devDependencies": {
-    "@git.zone/tsbuild": "^4.3.0",
-    "@git.zone/tsrun": "^2.0.1",
-    "@git.zone/tsrust": "^1.3.0",
-    "@git.zone/tstest": "^3.5.0",
-    "@push.rocks/smartserve": "^2.0.1",
+    "@git.zone/tsbuild": "^4.4.0",
+    "@git.zone/tsrun": "^2.0.2",
+    "@git.zone/tsrust": "^1.3.2",
+    "@git.zone/tstest": "^3.6.0",
+    "@push.rocks/smartserve": "^2.0.3",
     "@types/node": "^25.5.0",
-    "typescript": "^5.9.3",
+    "typescript": "^6.0.2",
     "why-is-node-running": "^3.2.2"
   },
   "dependencies": {
     "@push.rocks/smartcrypto": "^2.0.4",
     "@push.rocks/smartlog": "^3.2.1",
+    "@push.rocks/smartnftables": "^1.0.1",
     "@push.rocks/smartrust": "^1.3.2",
     "@tsclass/tsclass": "^9.5.0",
     "minimatch": "^10.2.4"
@@ -41,7 +42,7 @@
     "dist_ts_web/**/*",
     "assets/**/*",
     "cli.js",
-    "npmextra.json",
+    ".smartconfig.json",
     "readme.md",
     "changelog.md"
   ],

readme.hints.md

@@ -462,35 +462,57 @@ For TLS termination modes (`terminate` and `terminate-and-reencrypt`), SmartProx
 
 **HTTP to HTTPS Redirect**:
 ```typescript
-import { createHttpToHttpsRedirect } from '@push.rocks/smartproxy';
+import { SocketHandlers } from '@push.rocks/smartproxy';
 
-const redirectRoute = createHttpToHttpsRedirect(['example.com', 'www.example.com']);
+const redirectRoute = {
+  name: 'http-to-https',
+  match: { ports: 80, domains: ['example.com', 'www.example.com'] },
+  action: {
+    type: 'socket-handler' as const,
+    socketHandler: SocketHandlers.httpRedirect('https://{domain}:443{path}', 301)
+  }
+};
 ```
 
 **Complete HTTPS Server (with redirect)**:
 ```typescript
-import { createCompleteHttpsServer } from '@push.rocks/smartproxy';
-
-const routes = createCompleteHttpsServer(
-  'example.com',
-  { host: 'localhost', port: 8080 },
-  { certificate: 'auto' }
-);
+const routes = [
+  {
+    name: 'https-server',
+    match: { ports: 443, domains: 'example.com' },
+    action: {
+      type: 'forward' as const,
+      targets: [{ host: 'localhost', port: 8080 }],
+      tls: { mode: 'terminate' as const, certificate: 'auto' as const }
+    }
+  },
+  {
+    name: 'http-redirect',
+    match: { ports: 80, domains: 'example.com' },
+    action: {
+      type: 'socket-handler' as const,
+      socketHandler: SocketHandlers.httpRedirect('https://{domain}:443{path}', 301)
+    }
+  }
+];
 ```
 
 **Load Balancer with Health Checks**:
 ```typescript
-import { createLoadBalancerRoute } from '@push.rocks/smartproxy';
-
-const lbRoute = createLoadBalancerRoute(
-  'api.example.com',
-  [
+const lbRoute = {
+  name: 'load-balancer',
+  match: { ports: 443, domains: 'api.example.com' },
+  action: {
+    type: 'forward' as const,
+    targets: [
       { host: 'backend1', port: 8080 },
       { host: 'backend2', port: 8080 },
       { host: 'backend3', port: 8080 }
     ],
-  { tls: { mode: 'terminate', certificate: 'auto' } }
-);
+    tls: { mode: 'terminate' as const, certificate: 'auto' as const },
+    loadBalancing: { algorithm: 'round-robin' as const }
+  }
+};
 ```
 
 ### Smart SNI Requirement (v22.3+)

readme.md

@@ -1,6 +1,6 @@
 # @push.rocks/smartproxy 🚀
 
-**A high-performance, Rust-powered proxy toolkit for Node.js** — unified route-based configuration for SSL/TLS termination, HTTP/HTTPS reverse proxying, WebSocket support, UDP/QUIC/HTTP3, load balancing, custom protocol handlers, and kernel-level NFTables forwarding.
+**A high-performance, Rust-powered proxy toolkit for Node.js** — unified route-based configuration for SSL/TLS termination, HTTP/HTTPS reverse proxying, WebSocket support, UDP/QUIC/HTTP3, load balancing, custom protocol handlers, and kernel-level NFTables forwarding via [`@push.rocks/smartnftables`](https://code.foss.global/push.rocks/smartnftables).
 
 ## 📦 Installation
 
@@ -44,7 +44,7 @@ Whether you're building microservices, deploying edge infrastructure, proxying U
 Get up and running in 30 seconds:
 
 ```typescript
-import { SmartProxy, createCompleteHttpsServer } from '@push.rocks/smartproxy';
+import { SmartProxy, SocketHandlers } from '@push.rocks/smartproxy';
 
 // Create a proxy with automatic HTTPS
 const proxy = new SmartProxy({
@@ -53,13 +53,25 @@ const proxy = new SmartProxy({
     useProduction: true
   },
   routes: [
-    // Complete HTTPS setup in one call! ✨
-    ...createCompleteHttpsServer('app.example.com', {
-      host: 'localhost',
-      port: 3000
-    }, {
-      certificate: 'auto'  // Automatic Let's Encrypt cert 🎩
-    })
+    // HTTPS route with automatic Let's Encrypt cert
+    {
+      name: 'https-app',
+      match: { ports: 443, domains: 'app.example.com' },
+      action: {
+        type: 'forward',
+        targets: [{ host: 'localhost', port: 3000 }],
+        tls: { mode: 'terminate', certificate: 'auto' }
+      }
+    },
+    // HTTP → HTTPS redirect
+    {
+      name: 'http-redirect',
+      match: { ports: 80, domains: 'app.example.com' },
+      action: {
+        type: 'socket-handler',
+        socketHandler: SocketHandlers.httpRedirect('https://{domain}:443{path}', 301)
+      }
+    }
   ]
 });
 
@@ -111,31 +123,38 @@ SmartProxy supports three TLS handling modes:
 ### 🌐 HTTP to HTTPS Redirect
 
 ```typescript
-import { SmartProxy, createHttpToHttpsRedirect } from '@push.rocks/smartproxy';
+import { SmartProxy, SocketHandlers } from '@push.rocks/smartproxy';
 
 const proxy = new SmartProxy({
-  routes: [
-    createHttpToHttpsRedirect(['example.com', '*.example.com'])
-  ]
+  routes: [{
+    name: 'http-to-https',
+    match: { ports: 80, domains: ['example.com', '*.example.com'] },
+    action: {
+      type: 'socket-handler',
+      socketHandler: SocketHandlers.httpRedirect('https://{domain}:443{path}', 301)
+    }
+  }]
 });
 ```
 
 ### ⚖️ Load Balancer with Health Checks
 
 ```typescript
-import { SmartProxy, createLoadBalancerRoute } from '@push.rocks/smartproxy';
+import { SmartProxy } from '@push.rocks/smartproxy';
 
 const proxy = new SmartProxy({
-  routes: [
-    createLoadBalancerRoute(
-      'app.example.com',
-      [
+  routes: [{
+    name: 'load-balancer',
+    match: { ports: 443, domains: 'app.example.com' },
+    action: {
+      type: 'forward',
+      targets: [
         { host: 'server1.internal', port: 8080 },
         { host: 'server2.internal', port: 8080 },
         { host: 'server3.internal', port: 8080 }
       ],
-      {
       tls: { mode: 'terminate', certificate: 'auto' },
+      loadBalancing: {
         algorithm: 'round-robin',
         healthCheck: {
           path: '/health',
@@ -145,57 +164,68 @@ const proxy = new SmartProxy({
           healthyThreshold: 2
         }
       }
-    )
-  ]
+    }
+  }]
 });
 ```
 
 ### 🔌 WebSocket Proxy
 
 ```typescript
-import { SmartProxy, createWebSocketRoute } from '@push.rocks/smartproxy';
+import { SmartProxy } from '@push.rocks/smartproxy';
 
 const proxy = new SmartProxy({
-  routes: [
-    createWebSocketRoute(
-      'ws.example.com',
-      { host: 'websocket-server', port: 8080 },
-      {
-        path: '/socket',
-        useTls: true,
-        certificate: 'auto',
+  routes: [{
+    name: 'websocket',
+    match: { ports: 443, domains: 'ws.example.com', path: '/socket' },
+    priority: 100,
+    action: {
+      type: 'forward',
+      targets: [{ host: 'websocket-server', port: 8080 }],
+      tls: { mode: 'terminate', certificate: 'auto' },
+      websocket: {
+        enabled: true,
         pingInterval: 30000,
         pingTimeout: 10000
       }
-    )
-  ]
+    }
+  }]
 });
 ```
 
 ### 🚦 API Gateway with Rate Limiting
 
 ```typescript
-import { SmartProxy, createApiGatewayRoute, addRateLimiting } from '@push.rocks/smartproxy';
+import { SmartProxy } from '@push.rocks/smartproxy';
 
-let apiRoute = createApiGatewayRoute(
-  'api.example.com',
-  '/api',
-  { host: 'api-backend', port: 8080 },
-  {
-    useTls: true,
-    certificate: 'auto',
-    addCorsHeaders: true
+const proxy = new SmartProxy({
+  routes: [{
+    name: 'api-gateway',
+    match: { ports: 443, domains: 'api.example.com', path: '/api/*' },
+    priority: 100,
+    action: {
+      type: 'forward',
+      targets: [{ host: 'api-backend', port: 8080 }],
+      tls: { mode: 'terminate', certificate: 'auto' }
+    },
+    headers: {
+      response: {
+        'Access-Control-Allow-Origin': '*',
+        'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
+        'Access-Control-Allow-Headers': 'Content-Type, Authorization',
+        'Access-Control-Max-Age': '86400'
       }
-);
-
-// Add rate limiting — 100 requests per minute per IP
-apiRoute = addRateLimiting(apiRoute, {
+    },
+    security: {
+      rateLimit: {
+        enabled: true,
         maxRequests: 100,
         window: 60,
         keyBy: 'ip'
+      }
+    }
+  }]
 });
-
-const proxy = new SmartProxy({ routes: [apiRoute] });
 ```
 
 ### 🎮 Custom Protocol Handler (TCP)
@@ -203,20 +233,23 @@ const proxy = new SmartProxy({ routes: [apiRoute] });
 SmartProxy lets you implement any protocol with full socket control. Routes with JavaScript socket handlers are automatically relayed from the Rust engine back to your TypeScript code:
 
 ```typescript
-import { SmartProxy, createSocketHandlerRoute, SocketHandlers } from '@push.rocks/smartproxy';
+import { SmartProxy, SocketHandlers } from '@push.rocks/smartproxy';
 
+const proxy = new SmartProxy({
+  routes: [
     // Use pre-built handlers
-const echoRoute = createSocketHandlerRoute(
-  'echo.example.com',
-  7777,
-  SocketHandlers.echo
-);
-
+    {
+      name: 'echo-server',
+      match: { ports: 7777, domains: 'echo.example.com' },
+      action: { type: 'socket-handler', socketHandler: SocketHandlers.echo }
+    },
     // Or create your own custom protocol
-const customRoute = createSocketHandlerRoute(
-  'custom.example.com',
-  9999,
-  async (socket) => {
+    {
+      name: 'custom-protocol',
+      match: { ports: 9999, domains: 'custom.example.com' },
+      action: {
+        type: 'socket-handler',
+        socketHandler: async (socket) => {
           console.log(`New connection on custom protocol`);
           socket.write('Welcome to my custom protocol!\n');
 
@@ -230,9 +263,10 @@ const customRoute = createSocketHandlerRoute(
             }
           });
         }
-);
-
-const proxy = new SmartProxy({ routes: [echoRoute, customRoute] });
+      }
+    }
+  ]
+});
 ```
 
 **Pre-built Socket Handlers:**
@@ -384,23 +418,26 @@ const dualStackRoute: IRouteConfig = {
 
 ### ⚡ High-Performance NFTables Forwarding
 
-For ultra-low latency on Linux, use kernel-level forwarding (requires root):
+For ultra-low latency on Linux, use kernel-level forwarding via [`@push.rocks/smartnftables`](https://code.foss.global/push.rocks/smartnftables) (requires root):
 
 ```typescript
-import { SmartProxy, createNfTablesTerminateRoute } from '@push.rocks/smartproxy';
+import { SmartProxy } from '@push.rocks/smartproxy';
 
 const proxy = new SmartProxy({
-  routes: [
-    createNfTablesTerminateRoute(
-      'fast.example.com',
-      { host: 'backend', port: 8080 },
-      {
-        ports: 443,
-        certificate: 'auto',
+  routes: [{
+    name: 'nftables-fast',
+    match: { ports: 443, domains: 'fast.example.com' },
+    action: {
+      type: 'forward',
+      forwardingEngine: 'nftables',
+      targets: [{ host: 'backend', port: 8080 }],
+      tls: { mode: 'terminate', certificate: 'auto' },
+      nftables: {
+        protocol: 'tcp',
         preserveSourceIP: true  // Backend sees real client IP
       }
-    )
-  ]
+    }
+  }]
 });
 ```
 
@@ -409,15 +446,18 @@ const proxy = new SmartProxy({
 Forward encrypted traffic to backends without terminating TLS — the proxy routes based on the SNI hostname alone:
 
 ```typescript
-import { SmartProxy, createHttpsPassthroughRoute } from '@push.rocks/smartproxy';
+import { SmartProxy } from '@push.rocks/smartproxy';
 
 const proxy = new SmartProxy({
-  routes: [
-    createHttpsPassthroughRoute('secure.example.com', {
-      host: 'backend-that-handles-tls',
-      port: 8443
-    })
-  ]
+  routes: [{
+    name: 'sni-passthrough',
+    match: { ports: 443, domains: 'secure.example.com' },
+    action: {
+      type: 'forward',
+      targets: [{ host: 'backend-that-handles-tls', port: 8443 }],
+      tls: { mode: 'passthrough' }
+    }
+  }]
 });
 ```
 
@@ -524,15 +564,7 @@ Comprehensive per-route security options:
 }
 ```
 
-**Security modifier helpers** let you add security to any existing route:
-
-```typescript
-import { addRateLimiting, addBasicAuth, addJwtAuth } from '@push.rocks/smartproxy';
-
-let route = createHttpsTerminateRoute('api.example.com', { host: 'backend', port: 8080 });
-route = addRateLimiting(route, { maxRequests: 100, window: 60, keyBy: 'ip' });
-route = addBasicAuth(route, { users: [{ username: 'admin', password: 'secret' }] });
-```
+Security options are configured directly on each route's `security` property — no separate helpers needed.
 
 ### 📊 Runtime Management
 
@@ -694,22 +726,26 @@ SmartProxy uses a hybrid **Rust + TypeScript** architecture:
 │  │ Listener│ │ Reverse  │ │ Matcher │ │ Cert Mgr │  │
 │  │         │ │  Proxy   │ │         │ │          │  │
 │  └─────────┘ └─────────┘ └─────────┘ └──────────┘  │
-│  ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌──────────┐  │
-│  │   UDP   │ │ Security│ │ Metrics  │ │ NFTables │  │
-│  │  QUIC   │ │ Enforce │ │ Collect  │ │  Mgr     │  │
-│  │  HTTP/3 │ │         │ │          │ │          │  │
-│  └─────────┘ └─────────┘ └─────────┘ └──────────┘  │
+│  ┌─────────┐ ┌─────────┐ ┌─────────┐               │
+│  │   UDP   │ │ Security│ │ Metrics  │               │
+│  │  QUIC   │ │ Enforce │ │ Collect  │               │
+│  │  HTTP/3 │ │         │ │          │               │
+│  └─────────┘ └─────────┘ └─────────┘               │
 └──────────────────┬──────────────────────────────────┘
                    │  Unix Socket Relay
 ┌──────────────────▼──────────────────────────────────┐
 │   TypeScript Socket & Datagram Handler Servers       │
 │  (for JS socket handlers, datagram handlers,         │
 │   and dynamic routes)                                │
+├─────────────────────────────────────────────────────┤
+│   @push.rocks/smartnftables (kernel-level NFTables)  │
+│  (DNAT/SNAT, firewall, rate limiting via nft CLI)    │
 └─────────────────────────────────────────────────────┘
 ```
 
 - **Rust Engine** handles all networking: TCP, UDP, TLS, QUIC, HTTP proxying, connection management, security, and metrics
-- **TypeScript** provides the npm API, configuration types, route helpers, validation, and handler callbacks
+- **TypeScript** provides the npm API, configuration types, validation, and handler callbacks
+- **NFTables** managed by [`@push.rocks/smartnftables`](https://code.foss.global/push.rocks/smartnftables) — kernel-level DNAT/SNAT forwarding, firewall rules, and rate limiting via the `nft` CLI
 - **IPC** — The TypeScript wrapper uses JSON commands/events over stdin/stdout to communicate with the Rust binary
 - **Socket/Datagram Relay** — Unix domain socket servers for routes requiring TypeScript-side handling (socket handlers, datagram handlers, dynamic host/port functions)
 
@@ -854,47 +890,13 @@ interface IRouteQuic {
 }
 ```
 
-## 🛠️ Helper Functions Reference
-
-All helpers are fully typed and return `IRouteConfig` or `IRouteConfig[]`:
+## 🛠️ Exports Reference
 
 ```typescript
 import {
-  // HTTP/HTTPS
-  createHttpRoute,                 // Plain HTTP route
-  createHttpsTerminateRoute,       // HTTPS with TLS termination
-  createHttpsPassthroughRoute,     // SNI passthrough (no termination)
-  createHttpToHttpsRedirect,       // HTTP → HTTPS redirect
-  createCompleteHttpsServer,       // HTTPS + redirect combo (returns IRouteConfig[])
-
-  // Load Balancing
-  createLoadBalancerRoute,         // Multi-backend with health checks
-  createSmartLoadBalancer,         // Dynamic domain-based backend selection
-
-  // API & WebSocket
-  createApiRoute,                  // API route with path matching
-  createApiGatewayRoute,           // API gateway with CORS
-  createWebSocketRoute,            // WebSocket-enabled route
-
-  // Custom Protocols
-  createSocketHandlerRoute,        // Custom TCP socket handler
-  SocketHandlers,                  // Pre-built handlers (echo, proxy, block, etc.)
-
-  // NFTables (Linux, requires root)
-  createNfTablesRoute,             // Kernel-level packet forwarding
-  createNfTablesTerminateRoute,    // NFTables + TLS termination
-  createCompleteNfTablesHttpsServer, // NFTables HTTPS + redirect combo
-
-  // Dynamic Routing
-  createPortMappingRoute,          // Port mapping with context
-  createOffsetPortMappingRoute,    // Simple port offset
-  createDynamicRoute,              // Dynamic host/port via functions
-  createPortOffset,                // Port offset factory
-
-  // Security Modifiers
-  addRateLimiting,                 // Add rate limiting to any route
-  addBasicAuth,                    // Add basic auth to any route
-  addJwtAuth,                      // Add JWT auth to any route
+  // Core
+  SmartProxy,                      // Main proxy class
+  SocketHandlers,                  // Pre-built socket handlers (echo, proxy, block, httpRedirect, httpServer, etc.)
 
   // Route Utilities
   mergeRouteConfigs,               // Deep-merge two route configs
@@ -906,7 +908,7 @@ import {
 } from '@push.rocks/smartproxy';
 ```
 
-> **Tip:** For UDP datagram handler routes or QUIC/HTTP3 routes, construct `IRouteConfig` objects directly — there are no helper functions for these yet. See the [UDP Datagram Handler](#-udp-datagram-handler) and [QUIC / HTTP3 Forwarding](#-quic--http3-forwarding) examples above.
+All routes are configured as plain `IRouteConfig` objects with `match` and `action` properties — see the examples throughout this document.
 
 ## 📖 API Documentation
 
@@ -938,8 +940,8 @@ class SmartProxy extends EventEmitter {
   getCertificateStatus(routeName: string): Promise<any>;
   getEligibleDomainsForCertificates(): string[];
 
-  // NFTables
-  getNfTablesStatus(): Promise<Record<string, any>>;
+  // NFTables (managed by @push.rocks/smartnftables)
+  getNfTablesStatus(): INftStatus | null;
 
   // Events
   on(event: 'error', handler: (err: Error) => void): this;
@@ -991,11 +993,11 @@ interface ISmartProxyOptions {
   sendProxyProtocol?: boolean;              // Send PROXY protocol to targets
 
   // Timeouts
-  connectionTimeout?: number;               // Backend connection timeout (default: 30s)
-  initialDataTimeout?: number;              // Initial data/SNI timeout (default: 120s)
-  socketTimeout?: number;                   // Socket inactivity timeout (default: 1h)
-  maxConnectionLifetime?: number;           // Max connection lifetime (default: 24h)
-  inactivityTimeout?: number;               // Inactivity timeout (default: 4h)
+  connectionTimeout?: number;               // Backend connection timeout (default: 60s)
+  initialDataTimeout?: number;              // Initial data/SNI timeout (default: 60s)
+  socketTimeout?: number;                   // Socket inactivity timeout (default: 60s)
+  maxConnectionLifetime?: number;           // Max connection lifetime (default: 1h)
+  inactivityTimeout?: number;               // Inactivity timeout (default: 75s)
   gracefulShutdownTimeout?: number;         // Shutdown grace period (default: 30s)
 
   // Connection limits
@@ -1004,8 +1006,8 @@ interface ISmartProxyOptions {
 
   // Keep-alive
   keepAliveTreatment?: 'standard' | 'extended' | 'immortal';
-  keepAliveInactivityMultiplier?: number;   // (default: 6)
-  extendedKeepAliveLifetime?: number;       // (default: 7 days)
+  keepAliveInactivityMultiplier?: number;   // (default: 4)
+  extendedKeepAliveLifetime?: number;       // (default: 1h)
 
   // Metrics
   metrics?: {
@@ -1137,7 +1139,7 @@ SmartProxy searches for the Rust binary in this order:
 
 ## License and Legal Information
 
-This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](./LICENSE) file.
+This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [license](./license) file.
 
 **Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
 

rust/Cargo.lock

@@ -1238,7 +1238,6 @@ dependencies = [
  "rustproxy-config",
  "rustproxy-http",
  "rustproxy-metrics",
- "rustproxy-nftables",
  "rustproxy-passthrough",
  "rustproxy-routing",
  "rustproxy-security",
@@ -1270,6 +1269,7 @@ dependencies = [
  "arc-swap",
  "bytes",
  "dashmap",
+ "futures",
  "h3",
  "h3-quinn",
  "http-body",
@@ -1303,20 +1303,6 @@ dependencies = [
  "tracing",
 ]
 
-[[package]]
-name = "rustproxy-nftables"
-version = "0.1.0"
-dependencies = [
- "anyhow",
- "libc",
- "rustproxy-config",
- "serde",
- "serde_json",
- "thiserror 2.0.18",
- "tokio",
- "tracing",
-]
-
 [[package]]
 name = "rustproxy-passthrough"
 version = "0.1.0"

rust/Cargo.toml

@@ -7,7 +7,6 @@ members = [
     "crates/rustproxy-tls",
     "crates/rustproxy-passthrough",
     "crates/rustproxy-http",
-    "crates/rustproxy-nftables",
     "crates/rustproxy-metrics",
     "crates/rustproxy-security",
 ]
@@ -107,6 +106,5 @@ rustproxy-routing = { path = "crates/rustproxy-routing" }
 rustproxy-tls = { path = "crates/rustproxy-tls" }
 rustproxy-passthrough = { path = "crates/rustproxy-passthrough" }
 rustproxy-http = { path = "crates/rustproxy-http" }
-rustproxy-nftables = { path = "crates/rustproxy-nftables" }
 rustproxy-metrics = { path = "crates/rustproxy-metrics" }
 rustproxy-security = { path = "crates/rustproxy-security" }

rust/crates/rustproxy-config/src/helpers.rs

@@ -1,345 +0,0 @@
-use crate::route_types::*;
-use crate::tls_types::*;
-
-/// Create a simple HTTP forwarding route.
-/// Equivalent to SmartProxy's `createHttpRoute()`.
-pub fn create_http_route(
-    domains: impl Into<DomainSpec>,
-    target_host: impl Into<String>,
-    target_port: u16,
-) -> RouteConfig {
-    RouteConfig {
-        id: None,
-        route_match: RouteMatch {
-            ports: PortRange::Single(80),
-            domains: Some(domains.into()),
-            path: None,
-            client_ip: None,
-            transport: None,
-            tls_version: None,
-            headers: None,
-            protocol: None,
-        },
-        action: RouteAction {
-            action_type: RouteActionType::Forward,
-            targets: Some(vec![RouteTarget {
-                target_match: None,
-                host: HostSpec::Single(target_host.into()),
-                port: PortSpec::Fixed(target_port),
-                tls: None,
-                websocket: None,
-                load_balancing: None,
-                send_proxy_protocol: None,
-                headers: None,
-                advanced: None,
-                backend_transport: None,
-                priority: None,
-            }]),
-            tls: None,
-            websocket: None,
-            load_balancing: None,
-            advanced: None,
-            options: None,
-            forwarding_engine: None,
-            nftables: None,
-            send_proxy_protocol: None,
-            udp: None,
-        },
-        headers: None,
-        security: None,
-        name: None,
-        description: None,
-        priority: None,
-        tags: None,
-        enabled: None,
-    }
-}
-
-/// Create an HTTPS termination route.
-/// Equivalent to SmartProxy's `createHttpsTerminateRoute()`.
-pub fn create_https_terminate_route(
-    domains: impl Into<DomainSpec>,
-    target_host: impl Into<String>,
-    target_port: u16,
-) -> RouteConfig {
-    let mut route = create_http_route(domains, target_host, target_port);
-    route.route_match.ports = PortRange::Single(443);
-    route.action.tls = Some(RouteTls {
-        mode: TlsMode::Terminate,
-        certificate: Some(CertificateSpec::Auto("auto".to_string())),
-        acme: None,
-        versions: None,
-        ciphers: None,
-        honor_cipher_order: None,
-        session_timeout: None,
-    });
-    route
-}
-
-/// Create a TLS passthrough route.
-/// Equivalent to SmartProxy's `createHttpsPassthroughRoute()`.
-pub fn create_https_passthrough_route(
-    domains: impl Into<DomainSpec>,
-    target_host: impl Into<String>,
-    target_port: u16,
-) -> RouteConfig {
-    let mut route = create_http_route(domains, target_host, target_port);
-    route.route_match.ports = PortRange::Single(443);
-    route.action.tls = Some(RouteTls {
-        mode: TlsMode::Passthrough,
-        certificate: None,
-        acme: None,
-        versions: None,
-        ciphers: None,
-        honor_cipher_order: None,
-        session_timeout: None,
-    });
-    route
-}
-
-/// Create an HTTP-to-HTTPS redirect route.
-/// Equivalent to SmartProxy's `createHttpToHttpsRedirect()`.
-pub fn create_http_to_https_redirect(
-    domains: impl Into<DomainSpec>,
-) -> RouteConfig {
-    let domains = domains.into();
-    RouteConfig {
-        id: None,
-        route_match: RouteMatch {
-            ports: PortRange::Single(80),
-            domains: Some(domains),
-            path: None,
-            client_ip: None,
-            transport: None,
-            tls_version: None,
-            headers: None,
-            protocol: None,
-        },
-        action: RouteAction {
-            action_type: RouteActionType::Forward,
-            targets: None,
-            tls: None,
-            websocket: None,
-            load_balancing: None,
-            advanced: Some(RouteAdvanced {
-                timeout: None,
-                headers: None,
-                keep_alive: None,
-                static_files: None,
-                test_response: Some(RouteTestResponse {
-                    status: 301,
-                    headers: {
-                        let mut h = std::collections::HashMap::new();
-                        h.insert("Location".to_string(), "https://{domain}{path}".to_string());
-                        h
-                    },
-                    body: String::new(),
-                }),
-                url_rewrite: None,
-            }),
-            options: None,
-            forwarding_engine: None,
-            nftables: None,
-            send_proxy_protocol: None,
-            udp: None,
-        },
-        headers: None,
-        security: None,
-        name: Some("HTTP to HTTPS Redirect".to_string()),
-        description: None,
-        priority: None,
-        tags: None,
-        enabled: None,
-    }
-}
-
-/// Create a complete HTTPS server with HTTP redirect.
-/// Equivalent to SmartProxy's `createCompleteHttpsServer()`.
-pub fn create_complete_https_server(
-    domain: impl Into<String>,
-    target_host: impl Into<String>,
-    target_port: u16,
-) -> Vec<RouteConfig> {
-    let domain = domain.into();
-    let target_host = target_host.into();
-
-    vec![
-        create_http_to_https_redirect(DomainSpec::Single(domain.clone())),
-        create_https_terminate_route(
-            DomainSpec::Single(domain),
-            target_host,
-            target_port,
-        ),
-    ]
-}
-
-/// Create a load balancer route.
-/// Equivalent to SmartProxy's `createLoadBalancerRoute()`.
-pub fn create_load_balancer_route(
-    domains: impl Into<DomainSpec>,
-    targets: Vec<(String, u16)>,
-    tls: Option<RouteTls>,
-) -> RouteConfig {
-    let route_targets: Vec<RouteTarget> = targets
-        .into_iter()
-        .map(|(host, port)| RouteTarget {
-            target_match: None,
-            host: HostSpec::Single(host),
-            port: PortSpec::Fixed(port),
-            tls: None,
-            websocket: None,
-            load_balancing: None,
-            send_proxy_protocol: None,
-            headers: None,
-            advanced: None,
-            backend_transport: None,
-            priority: None,
-        })
-        .collect();
-
-    let port = if tls.is_some() { 443 } else { 80 };
-
-    RouteConfig {
-        id: None,
-        route_match: RouteMatch {
-            ports: PortRange::Single(port),
-            domains: Some(domains.into()),
-            path: None,
-            client_ip: None,
-            transport: None,
-            tls_version: None,
-            headers: None,
-            protocol: None,
-        },
-        action: RouteAction {
-            action_type: RouteActionType::Forward,
-            targets: Some(route_targets),
-            tls,
-            websocket: None,
-            load_balancing: Some(RouteLoadBalancing {
-                algorithm: LoadBalancingAlgorithm::RoundRobin,
-                health_check: None,
-            }),
-            advanced: None,
-            options: None,
-            forwarding_engine: None,
-            nftables: None,
-            send_proxy_protocol: None,
-            udp: None,
-        },
-        headers: None,
-        security: None,
-        name: Some("Load Balancer".to_string()),
-        description: None,
-        priority: None,
-        tags: None,
-        enabled: None,
-    }
-}
-
-// Convenience conversions for DomainSpec
-impl From<&str> for DomainSpec {
-    fn from(s: &str) -> Self {
-        DomainSpec::Single(s.to_string())
-    }
-}
-
-impl From<String> for DomainSpec {
-    fn from(s: String) -> Self {
-        DomainSpec::Single(s)
-    }
-}
-
-impl From<Vec<String>> for DomainSpec {
-    fn from(v: Vec<String>) -> Self {
-        DomainSpec::List(v)
-    }
-}
-
-impl From<Vec<&str>> for DomainSpec {
-    fn from(v: Vec<&str>) -> Self {
-        DomainSpec::List(v.into_iter().map(|s| s.to_string()).collect())
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use crate::tls_types::TlsMode;
-
-    #[test]
-    fn test_create_http_route() {
-        let route = create_http_route("example.com", "localhost", 8080);
-        assert_eq!(route.route_match.ports.to_ports(), vec![80]);
-        let domains = route.route_match.domains.as_ref().unwrap().to_vec();
-        assert_eq!(domains, vec!["example.com"]);
-        let target = &route.action.targets.as_ref().unwrap()[0];
-        assert_eq!(target.host.first(), "localhost");
-        assert_eq!(target.port.resolve(80), 8080);
-        assert!(route.action.tls.is_none());
-    }
-
-    #[test]
-    fn test_create_https_terminate_route() {
-        let route = create_https_terminate_route("api.example.com", "backend", 3000);
-        assert_eq!(route.route_match.ports.to_ports(), vec![443]);
-        let tls = route.action.tls.as_ref().unwrap();
-        assert_eq!(tls.mode, TlsMode::Terminate);
-        assert!(tls.certificate.as_ref().unwrap().is_auto());
-    }
-
-    #[test]
-    fn test_create_https_passthrough_route() {
-        let route = create_https_passthrough_route("secure.example.com", "backend", 443);
-        assert_eq!(route.route_match.ports.to_ports(), vec![443]);
-        let tls = route.action.tls.as_ref().unwrap();
-        assert_eq!(tls.mode, TlsMode::Passthrough);
-        assert!(tls.certificate.is_none());
-    }
-
-    #[test]
-    fn test_create_http_to_https_redirect() {
-        let route = create_http_to_https_redirect("example.com");
-        assert_eq!(route.route_match.ports.to_ports(), vec![80]);
-        assert!(route.action.targets.is_none());
-        let test_response = route.action.advanced.as_ref().unwrap().test_response.as_ref().unwrap();
-        assert_eq!(test_response.status, 301);
-        assert!(test_response.headers.contains_key("Location"));
-    }
-
-    #[test]
-    fn test_create_complete_https_server() {
-        let routes = create_complete_https_server("example.com", "backend", 8080);
-        assert_eq!(routes.len(), 2);
-        // First route is HTTP redirect
-        assert_eq!(routes[0].route_match.ports.to_ports(), vec![80]);
-        // Second route is HTTPS terminate
-        assert_eq!(routes[1].route_match.ports.to_ports(), vec![443]);
-    }
-
-    #[test]
-    fn test_create_load_balancer_route() {
-        let targets = vec![
-            ("backend1".to_string(), 8080),
-            ("backend2".to_string(), 8080),
-            ("backend3".to_string(), 8080),
-        ];
-        let route = create_load_balancer_route("*.example.com", targets, None);
-        assert_eq!(route.route_match.ports.to_ports(), vec![80]);
-        assert_eq!(route.action.targets.as_ref().unwrap().len(), 3);
-        let lb = route.action.load_balancing.as_ref().unwrap();
-        assert_eq!(lb.algorithm, LoadBalancingAlgorithm::RoundRobin);
-    }
-
-    #[test]
-    fn test_domain_spec_from_str() {
-        let spec: DomainSpec = "example.com".into();
-        assert_eq!(spec.to_vec(), vec!["example.com"]);
-    }
-
-    #[test]
-    fn test_domain_spec_from_vec() {
-        let spec: DomainSpec = vec!["a.com", "b.com"].into();
-        assert_eq!(spec.to_vec(), vec!["a.com", "b.com"]);
-    }
-}

rust/crates/rustproxy-config/src/lib.rs

@@ -8,7 +8,6 @@ pub mod proxy_options;
 pub mod tls_types;
 pub mod security_types;
 pub mod validation;
-pub mod helpers;
 
 // Re-export all primary types
 pub use route_types::*;
@@ -16,4 +15,3 @@ pub use proxy_options::*;
 pub use tls_types::*;
 pub use security_types::*;
 pub use validation::*;
-pub use helpers::*;

rust/crates/rustproxy-config/src/proxy_options.rs

@@ -331,12 +331,48 @@ impl RustProxyOptions {
 #[cfg(test)]
 mod tests {
     use super::*;
-    use crate::helpers::*;
+    use crate::route_types::*;
+    use crate::tls_types::*;
+
+    fn make_route(domain: &str, host: &str, port: u16, listen_port: u16) -> RouteConfig {
+        RouteConfig {
+            id: None,
+            route_match: RouteMatch {
+                ports: PortRange::Single(listen_port),
+                domains: Some(DomainSpec::Single(domain.to_string())),
+                path: None, client_ip: None, transport: None, tls_version: None, headers: None, protocol: None,
+            },
+            action: RouteAction {
+                action_type: RouteActionType::Forward,
+                targets: Some(vec![RouteTarget {
+                    target_match: None,
+                    host: HostSpec::Single(host.to_string()),
+                    port: PortSpec::Fixed(port),
+                    tls: None, websocket: None, load_balancing: None, send_proxy_protocol: None,
+                    headers: None, advanced: None, backend_transport: None, priority: None,
+                }]),
+                tls: None, websocket: None, load_balancing: None, advanced: None,
+                options: None, send_proxy_protocol: None, udp: None,
+            },
+            headers: None, security: None, name: None, description: None,
+            priority: None, tags: None, enabled: None,
+        }
+    }
+
+    fn make_passthrough_route(domain: &str, host: &str, port: u16) -> RouteConfig {
+        let mut route = make_route(domain, host, port, 443);
+        route.action.tls = Some(RouteTls {
+            mode: TlsMode::Passthrough,
+            certificate: None, acme: None, versions: None, ciphers: None,
+            honor_cipher_order: None, session_timeout: None,
+        });
+        route
+    }
 
     #[test]
     fn test_serde_roundtrip_minimal() {
         let options = RustProxyOptions {
-            routes: vec![create_http_route("example.com", "localhost", 8080)],
+            routes: vec![make_route("example.com", "localhost", 8080, 80)],
             ..Default::default()
         };
         let json = serde_json::to_string(&options).unwrap();
@@ -348,8 +384,8 @@ mod tests {
     fn test_serde_roundtrip_full() {
         let options = RustProxyOptions {
             routes: vec![
-                create_http_route("a.com", "backend1", 8080),
-                create_https_passthrough_route("b.com", "backend2", 443),
+                make_route("a.com", "backend1", 8080, 80),
+                make_passthrough_route("b.com", "backend2", 443),
             ],
             connection_timeout: Some(5000),
             socket_timeout: Some(60000),
@@ -402,9 +438,9 @@ mod tests {
     fn test_all_listening_ports() {
         let options = RustProxyOptions {
             routes: vec![
-                create_http_route("a.com", "backend", 8080),       // port 80
-                create_https_passthrough_route("b.com", "backend", 443), // port 443
-                create_http_route("c.com", "backend", 9090),       // port 80 (duplicate)
+                make_route("a.com", "backend", 8080, 80),       // port 80
+                make_passthrough_route("b.com", "backend", 443), // port 443
+                make_route("c.com", "backend", 9090, 80),       // port 80 (duplicate)
             ],
             ..Default::default()
         };

rust/crates/rustproxy-config/src/route_types.rs

@@ -60,16 +60,6 @@ pub enum RouteActionType {
     SocketHandler,
 }
 
-// ─── Forwarding Engine ───────────────────────────────────────────────
-
-/// Forwarding engine specification.
-#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
-#[serde(rename_all = "lowercase")]
-pub enum ForwardingEngine {
-    Node,
-    Nftables,
-}
-
 // ─── Route Match ─────────────────────────────────────────────────────
 
 /// Domain specification: single string or array.
@@ -89,6 +79,31 @@ impl DomainSpec {
     }
 }
 
+// Convenience conversions for DomainSpec
+impl From<&str> for DomainSpec {
+    fn from(s: &str) -> Self {
+        DomainSpec::Single(s.to_string())
+    }
+}
+
+impl From<String> for DomainSpec {
+    fn from(s: String) -> Self {
+        DomainSpec::Single(s)
+    }
+}
+
+impl From<Vec<String>> for DomainSpec {
+    fn from(v: Vec<String>) -> Self {
+        DomainSpec::List(v)
+    }
+}
+
+impl From<Vec<&str>> for DomainSpec {
+    fn from(v: Vec<&str>) -> Self {
+        DomainSpec::List(v.into_iter().map(|s| s.to_string()).collect())
+    }
+}
+
 /// Header match value: either exact string or regex pattern.
 /// In JSON, all values come as strings. Regex patterns are prefixed with `/` and suffixed with `/`.
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -341,38 +356,6 @@ pub struct RouteAdvanced {
     pub url_rewrite: Option<RouteUrlRewrite>,
 }
 
-// ─── NFTables Options ────────────────────────────────────────────────
-
-/// NFTables protocol type.
-#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
-#[serde(rename_all = "lowercase")]
-pub enum NfTablesProtocol {
-    Tcp,
-    Udp,
-    All,
-}
-
-/// NFTables-specific configuration options.
-/// Matches TypeScript: `INfTablesOptions`
-#[derive(Debug, Clone, Serialize, Deserialize)]
-#[serde(rename_all = "camelCase")]
-pub struct NfTablesOptions {
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub preserve_source_ip: Option<bool>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub protocol: Option<NfTablesProtocol>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub max_rate: Option<String>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub priority: Option<i32>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub table_name: Option<String>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub use_ip_sets: Option<bool>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub use_advanced_nat: Option<bool>,
-}
-
 // ─── Backend Protocol ────────────────────────────────────────────────
 
 /// Backend protocol.
@@ -541,14 +524,6 @@ pub struct RouteAction {
     #[serde(skip_serializing_if = "Option::is_none")]
     pub options: Option<ActionOptions>,
 
-    /// Forwarding engine specification
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub forwarding_engine: Option<ForwardingEngine>,
-
-    /// NFTables-specific options
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub nftables: Option<NfTablesOptions>,
-
     /// PROXY protocol support (default for all targets)
     #[serde(skip_serializing_if = "Option::is_none")]
     pub send_proxy_protocol: Option<bool>,

rust/crates/rustproxy-config/src/validation.rs

@@ -104,7 +104,49 @@ mod tests {
     use crate::route_types::*;
 
     fn make_valid_route() -> RouteConfig {
-        crate::helpers::create_http_route("example.com", "localhost", 8080)
+        RouteConfig {
+            id: None,
+            route_match: RouteMatch {
+                ports: PortRange::Single(80),
+                domains: Some(DomainSpec::Single("example.com".to_string())),
+                path: None,
+                client_ip: None,
+                transport: None,
+                tls_version: None,
+                headers: None,
+                protocol: None,
+            },
+            action: RouteAction {
+                action_type: RouteActionType::Forward,
+                targets: Some(vec![RouteTarget {
+                    target_match: None,
+                    host: HostSpec::Single("localhost".to_string()),
+                    port: PortSpec::Fixed(8080),
+                    tls: None,
+                    websocket: None,
+                    load_balancing: None,
+                    send_proxy_protocol: None,
+                    headers: None,
+                    advanced: None,
+                    backend_transport: None,
+                    priority: None,
+                }]),
+                tls: None,
+                websocket: None,
+                load_balancing: None,
+                advanced: None,
+                options: None,
+                send_proxy_protocol: None,
+                udp: None,
+            },
+            headers: None,
+            security: None,
+            name: None,
+            description: None,
+            priority: None,
+            tags: None,
+            enabled: None,
+        }
     }
 
     #[test]

rust/crates/rustproxy-http/Cargo.toml

@@ -30,3 +30,4 @@ socket2 = { workspace = true }
 quinn = { workspace = true }
 h3 = { workspace = true }
 h3-quinn = { workspace = true }
+futures = { version = "0.3", default-features = false, features = ["std"] }

rust/crates/rustproxy-http/src/connection_pool.rs

@@ -56,7 +56,11 @@ struct PooledH2 {
 }
 
 /// A pooled QUIC/HTTP/3 connection (multiplexed like H2).
+/// Stores the h3 `SendRequest` handle so pool hits skip the h3 SETTINGS handshake.
 pub struct PooledH3 {
+    /// Multiplexed h3 request handle — clone to open a new stream.
+    pub send_request: h3::client::SendRequest<h3_quinn::OpenStreams, Bytes>,
+    /// Raw QUIC connection — kept for liveness probing (close_reason) only.
     pub connection: quinn::Connection,
     pub created_at: Instant,
     pub generation: u64,
@@ -197,7 +201,10 @@ impl ConnectionPool {
 
     /// Try to get a pooled QUIC connection for the given key.
     /// QUIC connections are multiplexed — the connection is shared, not removed.
-    pub fn checkout_h3(&self, key: &PoolKey) -> Option<(quinn::Connection, Duration)> {
+    pub fn checkout_h3(
+        &self,
+        key: &PoolKey,
+    ) -> Option<(h3::client::SendRequest<h3_quinn::OpenStreams, Bytes>, quinn::Connection, Duration)> {
         let entry = self.h3_pool.get(key)?;
         let pooled = entry.value();
         let age = pooled.created_at.elapsed();
@@ -215,13 +222,20 @@ impl ConnectionPool {
             return None;
         }
 
-        Some((pooled.connection.clone(), age))
+        Some((pooled.send_request.clone(), pooled.connection.clone(), age))
     }
 
-    /// Register a QUIC connection in the pool. Returns the generation ID.
-    pub fn register_h3(&self, key: PoolKey, connection: quinn::Connection) -> u64 {
+    /// Register a QUIC connection and its h3 SendRequest handle in the pool.
+    /// Returns the generation ID.
+    pub fn register_h3(
+        &self,
+        key: PoolKey,
+        connection: quinn::Connection,
+        send_request: h3::client::SendRequest<h3_quinn::OpenStreams, Bytes>,
+    ) -> u64 {
         let gen = self.h2_generation.fetch_add(1, Ordering::Relaxed);
         self.h3_pool.insert(key, PooledH3 {
+            send_request,
             connection,
             created_at: Instant::now(),
             generation: gen,

rust/crates/rustproxy-http/src/h3_service.rs

@@ -116,7 +116,7 @@ async fn handle_h3_request(
     cancel: CancellationToken,
 ) -> anyhow::Result<()> {
     // Stream request body from H3 client via an mpsc channel.
-    let (body_tx, body_rx) = tokio::sync::mpsc::channel::<Bytes>(4);
+    let (body_tx, body_rx) = tokio::sync::mpsc::channel::<Bytes>(32);
 
     // Spawn the H3 body reader task with cancellation
     let body_cancel = cancel.clone();
@@ -132,8 +132,7 @@ async fn handle_h3_request(
                 }
             };
             let mut chunk = chunk;
-            let data = Bytes::copy_from_slice(chunk.chunk());
-            chunk.advance(chunk.remaining());
+            let data = chunk.copy_to_bytes(chunk.remaining());
             if body_tx.send(data).await.is_err() {
                 break;
             }
@@ -179,8 +178,8 @@ async fn handle_h3_request(
     while let Some(frame) = resp_body.frame().await {
         match frame {
             Ok(frame) => {
-                if let Some(data) = frame.data_ref() {
-                    stream.send_data(Bytes::copy_from_slice(data)).await
+                if let Ok(data) = frame.into_data() {
+                    stream.send_data(data).await
                         .map_err(|e| anyhow::anyhow!("Failed to send H3 data: {}", e))?;
                 }
             }

rust/crates/rustproxy-http/src/protocol_cache.rs

@@ -1,43 +1,99 @@
-//! Bounded, TTL-based protocol detection cache for backend protocol auto-detection.
+//! Bounded, sliding-TTL protocol detection cache with periodic re-probing and failure suppression.
 //!
 //! Caches the detected protocol (H1, H2, or H3) per backend endpoint and requested
 //! domain (host:port + requested_host). This prevents cache oscillation when multiple
 //! frontend domains share the same backend but differ in protocol support.
 //!
-//! H3 detection uses the browser model: Alt-Svc headers from H1/H2 responses are
-//! parsed and cached, including the advertised H3 port (which may differ from TCP).
+//! ## Sliding TTL
+//!
+//! Each cache hit refreshes the entry's expiry timer (`last_accessed_at`). Entries
+//! remain valid for up to 1 day of continuous use. Every 5 minutes, the next request
+//! triggers an inline ALPN re-probe to verify the cached protocol is still correct.
+//!
+//! ## Upgrade signals
+//!
+//! - ALPN (TLS handshake) → detects H2 vs H1
+//! - Alt-Svc (response header) → advertises H3
+//!
+//! ## Protocol transitions
+//!
+//! All protocol changes are logged at `info!()` level with the reason:
+//! "Protocol transition: H1 → H2 because periodic ALPN re-probe"
+//!
+//! ## Failure suppression
+//!
+//! When a protocol fails, `record_failure()` prevents upgrade signals from
+//! re-introducing it until an escalating cooldown expires (5s → 10s → ... → 300s).
+//! Within-request escalation is allowed via `can_retry()` after a 5s minimum gap.
+//!
+//! ## Total failure eviction
+//!
+//! When all protocols (H3, H2, H1) fail for a backend, the cache entry is evicted
+//! entirely via `evict()`, forcing a fresh probe on the next request.
+//!
+//! Cascading: when a lower protocol also fails, higher protocol cooldowns are
+//! reduced to 5s remaining (not instant clear), preventing tight retry loops.
 
 use std::sync::Arc;
 use std::time::{Duration, Instant};
 
 use dashmap::DashMap;
-use tracing::debug;
+use tracing::{debug, info};
 
-/// TTL for cached protocol detection results.
-/// After this duration, the next request will re-probe the backend.
-const PROTOCOL_CACHE_TTL: Duration = Duration::from_secs(300); // 5 minutes
+/// Sliding TTL for cached protocol detection results.
+/// Entries that haven't been accessed for this duration are evicted.
+/// Each `get()` call refreshes the timer (sliding window).
+const PROTOCOL_CACHE_TTL: Duration = Duration::from_secs(86400); // 1 day
+
+/// Interval between inline ALPN re-probes for H1/H2 entries.
+/// When a cached entry's `last_probed_at` exceeds this, the next request
+/// triggers an ALPN re-probe to verify the backend still speaks the same protocol.
+const PROTOCOL_REPROBE_INTERVAL: Duration = Duration::from_secs(300); // 5 minutes
 
 /// Maximum number of entries in the protocol cache.
-/// Prevents unbounded growth when backends come and go.
 const PROTOCOL_CACHE_MAX_ENTRIES: usize = 4096;
 
-/// Background cleanup interval for the protocol cache.
+/// Background cleanup interval.
 const PROTOCOL_CACHE_CLEANUP_INTERVAL: Duration = Duration::from_secs(60);
 
+/// Minimum cooldown between retry attempts of a failed protocol.
+const PROTOCOL_FAILURE_COOLDOWN: Duration = Duration::from_secs(5);
+
+/// Maximum cooldown (escalation ceiling).
+const PROTOCOL_FAILURE_MAX_COOLDOWN: Duration = Duration::from_secs(300);
+
+/// Consecutive failure count at which cooldown reaches maximum.
+/// 5s × 2^5 = 160s, 5s × 2^6 = 320s → capped at 300s.
+const PROTOCOL_FAILURE_ESCALATION_CAP: u32 = 6;
+
 /// Detected backend protocol.
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
 pub enum DetectedProtocol {
     H1,
     H2,
     H3,
 }
 
+impl std::fmt::Display for DetectedProtocol {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            DetectedProtocol::H1 => write!(f, "H1"),
+            DetectedProtocol::H2 => write!(f, "H2"),
+            DetectedProtocol::H3 => write!(f, "H3"),
+        }
+    }
+}
+
 /// Result of a protocol cache lookup.
 #[derive(Debug, Clone, Copy)]
 pub struct CachedProtocol {
     pub protocol: DetectedProtocol,
     /// For H3: the port advertised by Alt-Svc (may differ from TCP port).
     pub h3_port: Option<u16>,
+    /// True if the entry's `last_probed_at` exceeds `PROTOCOL_REPROBE_INTERVAL`.
+    /// Caller should perform an inline ALPN re-probe and call `update_probe_result()`.
+    /// Always `false` for H3 entries (H3 is discovered via Alt-Svc, not ALPN).
+    pub needs_reprobe: bool,
 }
 
 /// Key for the protocol cache: (host, port, requested_host).
@@ -50,24 +106,111 @@ pub struct ProtocolCacheKey {
     pub requested_host: Option<String>,
 }
 
-/// A cached protocol detection result with a timestamp.
+/// A cached protocol detection result with timestamps.
 struct CachedEntry {
     protocol: DetectedProtocol,
+    /// When this protocol was first detected (or last changed).
     detected_at: Instant,
+    /// Last time any request used this entry (sliding-window TTL).
+    last_accessed_at: Instant,
+    /// Last time an ALPN re-probe was performed for this entry.
+    last_probed_at: Instant,
     /// For H3: the port advertised by Alt-Svc (may differ from TCP port).
     h3_port: Option<u16>,
 }
 
-/// Bounded, TTL-based protocol detection cache.
+/// Failure record for a single protocol level.
+#[derive(Debug, Clone)]
+struct FailureRecord {
+    /// When the failure was last recorded.
+    failed_at: Instant,
+    /// Current cooldown duration. Escalates on consecutive failures.
+    cooldown: Duration,
+    /// Number of consecutive failures (for escalation).
+    consecutive_failures: u32,
+}
+
+/// Per-key failure state. Tracks failures at each upgradeable protocol level.
+/// H1 is never tracked (it's the protocol floor — nothing to fall back to).
+#[derive(Debug, Clone, Default)]
+struct FailureState {
+    h2: Option<FailureRecord>,
+    h3: Option<FailureRecord>,
+}
+
+impl FailureState {
+    fn is_empty(&self) -> bool {
+        self.h2.is_none() && self.h3.is_none()
+    }
+
+    fn all_expired(&self) -> bool {
+        let h2_expired = self.h2.as_ref()
+            .map(|r| r.failed_at.elapsed() >= r.cooldown)
+            .unwrap_or(true);
+        let h3_expired = self.h3.as_ref()
+            .map(|r| r.failed_at.elapsed() >= r.cooldown)
+            .unwrap_or(true);
+        h2_expired && h3_expired
+    }
+
+    fn get(&self, protocol: DetectedProtocol) -> Option<&FailureRecord> {
+        match protocol {
+            DetectedProtocol::H2 => self.h2.as_ref(),
+            DetectedProtocol::H3 => self.h3.as_ref(),
+            DetectedProtocol::H1 => None,
+        }
+    }
+
+    fn get_mut(&mut self, protocol: DetectedProtocol) -> &mut Option<FailureRecord> {
+        match protocol {
+            DetectedProtocol::H2 => &mut self.h2,
+            DetectedProtocol::H3 => &mut self.h3,
+            DetectedProtocol::H1 => unreachable!("H1 failures are never recorded"),
+        }
+    }
+}
+
+/// Snapshot of a single protocol cache entry, suitable for metrics/UI display.
+#[derive(Debug, Clone)]
+pub struct ProtocolCacheEntry {
+    pub host: String,
+    pub port: u16,
+    pub domain: Option<String>,
+    pub protocol: String,
+    pub h3_port: Option<u16>,
+    pub age_secs: u64,
+    pub last_accessed_secs: u64,
+    pub last_probed_secs: u64,
+    pub h2_suppressed: bool,
+    pub h3_suppressed: bool,
+    pub h2_cooldown_remaining_secs: Option<u64>,
+    pub h3_cooldown_remaining_secs: Option<u64>,
+    pub h2_consecutive_failures: Option<u32>,
+    pub h3_consecutive_failures: Option<u32>,
+}
+
+/// Exponential backoff: PROTOCOL_FAILURE_COOLDOWN × 2^(n-1), capped at MAX.
+fn escalate_cooldown(consecutive: u32) -> Duration {
+    let base = PROTOCOL_FAILURE_COOLDOWN.as_secs();
+    let exp = consecutive.saturating_sub(1).min(63) as u64;
+    let secs = base.saturating_mul(1u64.checked_shl(exp as u32).unwrap_or(u64::MAX));
+    Duration::from_secs(secs.min(PROTOCOL_FAILURE_MAX_COOLDOWN.as_secs()))
+}
+
+/// Bounded, sliding-TTL protocol detection cache with failure suppression.
 ///
 /// Memory safety guarantees:
 /// - Hard cap at `PROTOCOL_CACHE_MAX_ENTRIES` — cannot grow unboundedly.
-/// - TTL expiry — stale entries naturally age out on lookup.
+/// - Sliding TTL expiry — entries age out after 1 day without access.
 /// - Background cleanup task — proactively removes expired entries every 60s.
 /// - `clear()` — called on route updates to discard stale detections.
 /// - `Drop` — aborts the background task to prevent dangling tokio tasks.
 pub struct ProtocolCache {
     cache: Arc<DashMap<ProtocolCacheKey, CachedEntry>>,
+    /// Generic protocol failure suppression map. Tracks per-protocol failure
+    /// records (H2, H3) for each cache key. Used to prevent upgrade signals
+    /// (ALPN, Alt-Svc) from re-introducing failed protocols.
+    failures: Arc<DashMap<ProtocolCacheKey, FailureState>>,
     cleanup_handle: Option<tokio::task::JoinHandle<()>>,
 }
 
@@ -75,26 +218,40 @@ impl ProtocolCache {
     /// Create a new protocol cache and start the background cleanup task.
     pub fn new() -> Self {
         let cache: Arc<DashMap<ProtocolCacheKey, CachedEntry>> = Arc::new(DashMap::new());
+        let failures: Arc<DashMap<ProtocolCacheKey, FailureState>> = Arc::new(DashMap::new());
         let cache_clone = Arc::clone(&cache);
+        let failures_clone = Arc::clone(&failures);
         let cleanup_handle = tokio::spawn(async move {
-            Self::cleanup_loop(cache_clone).await;
+            Self::cleanup_loop(cache_clone, failures_clone).await;
         });
 
         Self {
             cache,
+            failures,
             cleanup_handle: Some(cleanup_handle),
         }
     }
 
     /// Look up the cached protocol for a backend endpoint.
+    ///
     /// Returns `None` if not cached or expired (caller should probe via ALPN).
+    /// On hit, refreshes `last_accessed_at` (sliding TTL) and sets `needs_reprobe`
+    /// if the entry hasn't been probed in over 5 minutes (H1/H2 only).
     pub fn get(&self, key: &ProtocolCacheKey) -> Option<CachedProtocol> {
-        let entry = self.cache.get(key)?;
-        if entry.detected_at.elapsed() < PROTOCOL_CACHE_TTL {
-            debug!("Protocol cache hit: {:?} for {}:{} (requested: {:?})", entry.protocol, key.host, key.port, key.requested_host);
+        let mut entry = self.cache.get_mut(key)?;
+        if entry.last_accessed_at.elapsed() < PROTOCOL_CACHE_TTL {
+            // Refresh sliding TTL
+            entry.last_accessed_at = Instant::now();
+
+            // H3 is the ceiling — can't ALPN-probe for H3 (discovered via Alt-Svc).
+            // Only H1/H2 entries trigger periodic re-probing.
+            let needs_reprobe = entry.protocol != DetectedProtocol::H3
+                && entry.last_probed_at.elapsed() >= PROTOCOL_REPROBE_INTERVAL;
+
             Some(CachedProtocol {
                 protocol: entry.protocol,
                 h3_port: entry.h3_port,
+                needs_reprobe,
             })
         } else {
             // Expired — remove and return None to trigger re-probe
@@ -105,47 +262,328 @@ impl ProtocolCache {
     }
 
     /// Insert a detected protocol into the cache.
-    /// If the cache is at capacity, evict the oldest entry first.
-    pub fn insert(&self, key: ProtocolCacheKey, protocol: DetectedProtocol) {
-        self.insert_with_h3_port(key, protocol, None);
+    /// Returns `false` if suppressed due to active failure suppression.
+    ///
+    /// **Key semantic**: only suppresses if the protocol being inserted matches
+    /// a suppressed protocol. H1 inserts are NEVER suppressed — downgrades
+    /// always succeed.
+    pub fn insert(&self, key: ProtocolCacheKey, protocol: DetectedProtocol, reason: &str) -> bool {
+        if self.is_suppressed(&key, protocol) {
+            debug!(
+                host = %key.host, port = %key.port, domain = ?key.requested_host,
+                protocol = ?protocol,
+                "Protocol cache insert suppressed — recent failure"
+            );
+            return false;
+        }
+        self.insert_internal(key, protocol, None, reason);
+        true
     }
 
     /// Insert an H3 detection result with the Alt-Svc advertised port.
-    pub fn insert_h3(&self, key: ProtocolCacheKey, h3_port: u16) {
-        self.insert_with_h3_port(key, DetectedProtocol::H3, Some(h3_port));
+    /// Returns `false` if H3 is suppressed.
+    pub fn insert_h3(&self, key: ProtocolCacheKey, h3_port: u16, reason: &str) -> bool {
+        if self.is_suppressed(&key, DetectedProtocol::H3) {
+            debug!(
+                host = %key.host, port = %key.port, domain = ?key.requested_host,
+                "H3 upgrade suppressed — recent failure"
+            );
+            return false;
+        }
+        self.insert_internal(key, DetectedProtocol::H3, Some(h3_port), reason);
+        true
     }
 
-    /// Insert a protocol detection result with an optional H3 port.
-    fn insert_with_h3_port(&self, key: ProtocolCacheKey, protocol: DetectedProtocol, h3_port: Option<u16>) {
-        if self.cache.len() >= PROTOCOL_CACHE_MAX_ENTRIES && !self.cache.contains_key(&key) {
-            // Evict the oldest entry to stay within bounds
-            let oldest = self.cache.iter()
-                .min_by_key(|entry| entry.value().detected_at)
-                .map(|entry| entry.key().clone());
-            if let Some(oldest_key) = oldest {
-                self.cache.remove(&oldest_key);
+    /// Update the cache after an inline ALPN re-probe completes.
+    ///
+    /// Always updates `last_probed_at`. If the protocol changed, logs the transition
+    /// and updates the entry. Returns `Some(new_protocol)` if changed, `None` if unchanged.
+    pub fn update_probe_result(
+        &self,
+        key: &ProtocolCacheKey,
+        probed_protocol: DetectedProtocol,
+        reason: &str,
+    ) -> Option<DetectedProtocol> {
+        if let Some(mut entry) = self.cache.get_mut(key) {
+            let old_protocol = entry.protocol;
+            entry.last_probed_at = Instant::now();
+            entry.last_accessed_at = Instant::now();
+
+            if old_protocol != probed_protocol {
+                info!(
+                    host = %key.host, port = %key.port, domain = ?key.requested_host,
+                    old = %old_protocol, new = %probed_protocol, reason = %reason,
+                    "Protocol transition"
+                );
+                entry.protocol = probed_protocol;
+                entry.detected_at = Instant::now();
+                // Clear h3_port if downgrading from H3
+                if old_protocol == DetectedProtocol::H3 && probed_protocol != DetectedProtocol::H3 {
+                    entry.h3_port = None;
+                }
+                return Some(probed_protocol);
+            }
+
+            debug!(
+                host = %key.host, port = %key.port, domain = ?key.requested_host,
+                protocol = %old_protocol, reason = %reason,
+                "Re-probe confirmed — no protocol change"
+            );
+            None
+        } else {
+            // Entry was evicted between the get() and the probe completing.
+            // Insert as a fresh entry.
+            self.insert_internal(key.clone(), probed_protocol, None, reason);
+            Some(probed_protocol)
         }
     }
-        self.cache.insert(key, CachedEntry {
-            protocol,
-            detected_at: Instant::now(),
-            h3_port,
+
+    /// Record a protocol failure. Future `insert()` calls for this protocol
+    /// will be suppressed until the escalating cooldown expires.
+    ///
+    /// Cooldown escalation: 5s → 10s → 20s → 40s → 80s → 160s → 300s.
+    /// Consecutive counter resets if the previous failure is older than 2× its cooldown.
+    ///
+    /// Cascading: when H2 fails, H3 cooldown is reduced to 5s remaining.
+    /// H1 failures are ignored (H1 is the protocol floor).
+    pub fn record_failure(&self, key: ProtocolCacheKey, protocol: DetectedProtocol) {
+        if protocol == DetectedProtocol::H1 {
+            return; // H1 is the floor — nothing to suppress
+        }
+
+        let mut entry = self.failures.entry(key.clone()).or_default();
+
+        let record = entry.get_mut(protocol);
+        let (consecutive, new_cooldown) = match record {
+            Some(existing) if existing.failed_at.elapsed() < existing.cooldown.saturating_mul(2) => {
+                // Still within the "recent" window — escalate
+                let c = existing.consecutive_failures.saturating_add(1)
+                    .min(PROTOCOL_FAILURE_ESCALATION_CAP);
+                (c, escalate_cooldown(c))
+            }
+            _ => {
+                // First failure or old failure that expired long ago — reset
+                (1, PROTOCOL_FAILURE_COOLDOWN)
+            }
+        };
+
+        *record = Some(FailureRecord {
+            failed_at: Instant::now(),
+            cooldown: new_cooldown,
+            consecutive_failures: consecutive,
         });
+
+        // Cascading: when H2 fails, reduce H3 cooldown to 5s remaining
+        if protocol == DetectedProtocol::H2 {
+            Self::reduce_cooldown_to(entry.h3.as_mut(), PROTOCOL_FAILURE_COOLDOWN);
+        }
+
+        info!(
+            host = %key.host, port = %key.port, domain = ?key.requested_host,
+            protocol = ?protocol,
+            consecutive = consecutive,
+            cooldown_secs = new_cooldown.as_secs(),
+            "Protocol failure recorded — suppressing for {:?}", new_cooldown
+        );
+    }
+
+    /// Check whether a protocol is currently suppressed for the given key.
+    /// Returns `true` if the protocol failed within its cooldown period.
+    /// H1 is never suppressed.
+    pub fn is_suppressed(&self, key: &ProtocolCacheKey, protocol: DetectedProtocol) -> bool {
+        if protocol == DetectedProtocol::H1 {
+            return false;
+        }
+        self.failures.get(key)
+            .and_then(|entry| entry.get(protocol).map(|r| r.failed_at.elapsed() < r.cooldown))
+            .unwrap_or(false)
+    }
+
+    /// Check whether a protocol can be retried (for within-request escalation).
+    /// Returns `true` if there's no failure record OR if ≥5s have passed since
+    /// the last attempt. More permissive than `is_suppressed`.
+    pub fn can_retry(&self, key: &ProtocolCacheKey, protocol: DetectedProtocol) -> bool {
+        if protocol == DetectedProtocol::H1 {
+            return true;
+        }
+        match self.failures.get(key) {
+            Some(entry) => match entry.get(protocol) {
+                Some(r) => r.failed_at.elapsed() >= PROTOCOL_FAILURE_COOLDOWN,
+                None => true, // no failure record
+            },
+            None => true,
+        }
+    }
+
+    /// Record a retry attempt WITHOUT escalating the cooldown.
+    /// Resets the `failed_at` timestamp to prevent rapid retries (5s gate).
+    /// Called before an escalation attempt. If the attempt fails,
+    /// `record_failure` should be called afterward with proper escalation.
+    pub fn record_retry_attempt(&self, key: &ProtocolCacheKey, protocol: DetectedProtocol) {
+        if protocol == DetectedProtocol::H1 {
+            return;
+        }
+        if let Some(mut entry) = self.failures.get_mut(key) {
+            if let Some(ref mut r) = entry.get_mut(protocol) {
+                r.failed_at = Instant::now();
+            }
+        }
+    }
+
+    /// Clear the failure record for a protocol (it recovered).
+    /// Called when an escalation retry succeeds.
+    pub fn clear_failure(&self, key: &ProtocolCacheKey, protocol: DetectedProtocol) {
+        if protocol == DetectedProtocol::H1 {
+            return;
+        }
+        if let Some(mut entry) = self.failures.get_mut(key) {
+            *entry.get_mut(protocol) = None;
+            if entry.is_empty() {
+                drop(entry);
+                self.failures.remove(key);
+            }
+        }
+    }
+
+    /// Evict a cache entry entirely. Called when all protocol probes (H3, H2, H1)
+    /// have failed for a backend.
+    pub fn evict(&self, key: &ProtocolCacheKey) {
+        self.cache.remove(key);
+        self.failures.remove(key);
+        info!(
+            host = %key.host, port = %key.port, domain = ?key.requested_host,
+            "Cache entry evicted — all protocols failed"
+        );
     }
 
     /// Clear all entries. Called on route updates to discard stale detections.
     pub fn clear(&self) {
         self.cache.clear();
+        self.failures.clear();
     }
 
-    /// Background cleanup loop — removes expired entries every `PROTOCOL_CACHE_CLEANUP_INTERVAL`.
-    async fn cleanup_loop(cache: Arc<DashMap<ProtocolCacheKey, CachedEntry>>) {
+    /// Snapshot all non-expired cache entries for metrics/UI display.
+    pub fn snapshot(&self) -> Vec<ProtocolCacheEntry> {
+        self.cache.iter()
+            .filter(|entry| entry.value().last_accessed_at.elapsed() < PROTOCOL_CACHE_TTL)
+            .map(|entry| {
+                let key = entry.key();
+                let val = entry.value();
+                let failure_info = self.failures.get(key);
+
+                let (h2_sup, h2_cd, h2_cons) = Self::suppression_info(
+                    failure_info.as_deref().and_then(|f| f.h2.as_ref()),
+                );
+                let (h3_sup, h3_cd, h3_cons) = Self::suppression_info(
+                    failure_info.as_deref().and_then(|f| f.h3.as_ref()),
+                );
+
+                ProtocolCacheEntry {
+                    host: key.host.clone(),
+                    port: key.port,
+                    domain: key.requested_host.clone(),
+                    protocol: match val.protocol {
+                        DetectedProtocol::H1 => "h1".to_string(),
+                        DetectedProtocol::H2 => "h2".to_string(),
+                        DetectedProtocol::H3 => "h3".to_string(),
+                    },
+                    h3_port: val.h3_port,
+                    age_secs: val.detected_at.elapsed().as_secs(),
+                    last_accessed_secs: val.last_accessed_at.elapsed().as_secs(),
+                    last_probed_secs: val.last_probed_at.elapsed().as_secs(),
+                    h2_suppressed: h2_sup,
+                    h3_suppressed: h3_sup,
+                    h2_cooldown_remaining_secs: h2_cd,
+                    h3_cooldown_remaining_secs: h3_cd,
+                    h2_consecutive_failures: h2_cons,
+                    h3_consecutive_failures: h3_cons,
+                }
+            })
+            .collect()
+    }
+
+    // --- Internal helpers ---
+
+    /// Insert a protocol detection result with an optional H3 port.
+    /// Logs protocol transitions when overwriting an existing entry.
+    /// No suppression check — callers must check before calling.
+    fn insert_internal(&self, key: ProtocolCacheKey, protocol: DetectedProtocol, h3_port: Option<u16>, reason: &str) {
+        // Check for existing entry to log protocol transitions
+        if let Some(existing) = self.cache.get(&key) {
+            if existing.protocol != protocol {
+                info!(
+                    host = %key.host, port = %key.port, domain = ?key.requested_host,
+                    old = %existing.protocol, new = %protocol, reason = %reason,
+                    "Protocol transition"
+                );
+            }
+            drop(existing);
+        }
+
+        // Evict oldest entry if at capacity
+        if self.cache.len() >= PROTOCOL_CACHE_MAX_ENTRIES && !self.cache.contains_key(&key) {
+            let oldest = self.cache.iter()
+                .min_by_key(|entry| entry.value().last_accessed_at)
+                .map(|entry| entry.key().clone());
+            if let Some(oldest_key) = oldest {
+                self.cache.remove(&oldest_key);
+            }
+        }
+
+        let now = Instant::now();
+        self.cache.insert(key, CachedEntry {
+            protocol,
+            detected_at: now,
+            last_accessed_at: now,
+            last_probed_at: now,
+            h3_port,
+        });
+    }
+
+    /// Reduce a failure record's remaining cooldown to `target`, if it currently
+    /// has MORE than `target` remaining. Never increases cooldown.
+    fn reduce_cooldown_to(record: Option<&mut FailureRecord>, target: Duration) {
+        if let Some(r) = record {
+            let elapsed = r.failed_at.elapsed();
+            if elapsed < r.cooldown {
+                let remaining = r.cooldown - elapsed;
+                if remaining > target {
+                    // Shrink cooldown so it expires in `target` from now
+                    r.cooldown = elapsed + target;
+                }
+            }
+        }
+    }
+
+    /// Extract suppression info from a failure record for metrics.
+    fn suppression_info(record: Option<&FailureRecord>) -> (bool, Option<u64>, Option<u32>) {
+        match record {
+            Some(r) => {
+                let elapsed = r.failed_at.elapsed();
+                let suppressed = elapsed < r.cooldown;
+                let remaining = if suppressed {
+                    Some((r.cooldown - elapsed).as_secs())
+                } else {
+                    None
+                };
+                (suppressed, remaining, Some(r.consecutive_failures))
+            }
+            None => (false, None, None),
+        }
+    }
+
+    /// Background cleanup loop.
+    async fn cleanup_loop(
+        cache: Arc<DashMap<ProtocolCacheKey, CachedEntry>>,
+        failures: Arc<DashMap<ProtocolCacheKey, FailureState>>,
+    ) {
         let mut interval = tokio::time::interval(PROTOCOL_CACHE_CLEANUP_INTERVAL);
         loop {
             interval.tick().await;
 
+            // Clean expired cache entries (sliding TTL based on last_accessed_at)
             let expired: Vec<ProtocolCacheKey> = cache.iter()
-                .filter(|entry| entry.value().detected_at.elapsed() >= PROTOCOL_CACHE_TTL)
+                .filter(|entry| entry.value().last_accessed_at.elapsed() >= PROTOCOL_CACHE_TTL)
                 .map(|entry| entry.key().clone())
                 .collect();
 
@@ -155,6 +593,31 @@ impl ProtocolCache {
                     cache.remove(&key);
                 }
             }
+
+            // Clean fully-expired failure entries
+            let expired_failures: Vec<ProtocolCacheKey> = failures.iter()
+                .filter(|entry| entry.value().all_expired())
+                .map(|entry| entry.key().clone())
+                .collect();
+
+            if !expired_failures.is_empty() {
+                debug!("Protocol cache cleanup: removing {} expired failure entries", expired_failures.len());
+                for key in expired_failures {
+                    failures.remove(&key);
+                }
+            }
+
+            // Safety net: cap failures map at 2× max entries
+            if failures.len() > PROTOCOL_CACHE_MAX_ENTRIES * 2 {
+                let oldest: Vec<ProtocolCacheKey> = failures.iter()
+                    .filter(|e| e.value().all_expired())
+                    .map(|e| e.key().clone())
+                    .take(failures.len() - PROTOCOL_CACHE_MAX_ENTRIES)
+                    .collect();
+                for key in oldest {
+                    failures.remove(&key);
+                }
+            }
         }
     }
 }

rust/crates/rustproxy-http/src/proxy_service.rs

@@ -47,6 +47,8 @@ pub struct ConnActivity {
     /// checks the backend's original response headers for Alt-Svc before our
     /// ResponseFilter injects its own. None when not in auto-detect mode or after H3 failure.
     alt_svc_cache_key: Option<crate::protocol_cache::ProtocolCacheKey>,
+    /// The upstream request path that triggered Alt-Svc discovery. Logged for traceability.
+    alt_svc_request_url: Option<String>,
 }
 
 impl ConnActivity {
@@ -58,6 +60,7 @@ impl ConnActivity {
             start: std::time::Instant::now(),
             active_requests: None,
             alt_svc_cache_key: None,
+            alt_svc_request_url: None,
         }
     }
 }
@@ -69,15 +72,16 @@ const DEFAULT_CONNECT_TIMEOUT: std::time::Duration = std::time::Duration::from_s
 /// If no new request arrives within this duration, the connection is closed.
 const DEFAULT_HTTP_IDLE_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(60);
 
+/// Default HTTP max connection lifetime (1 hour).
+/// HTTP connections are forcefully closed after this duration regardless of activity.
+const DEFAULT_HTTP_MAX_LIFETIME: std::time::Duration = std::time::Duration::from_secs(3600);
+
 /// Default WebSocket inactivity timeout (1 hour).
 const DEFAULT_WS_INACTIVITY_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(3600);
 
 /// Default WebSocket max lifetime (24 hours).
 const DEFAULT_WS_MAX_LIFETIME: std::time::Duration = std::time::Duration::from_secs(86400);
 
-/// Timeout for QUIC (H3) backend connections. Short because UDP is often firewalled.
-const QUIC_CONNECT_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(3);
-
 /// Protocol decision for backend connection.
 #[derive(Debug)]
 enum ProtocolDecision {
@@ -219,6 +223,8 @@ pub struct HttpProxyService {
     protocol_cache: Arc<crate::protocol_cache::ProtocolCache>,
     /// HTTP keep-alive idle timeout: close connection if no new request arrives within this duration.
     http_idle_timeout: std::time::Duration,
+    /// HTTP max connection lifetime: forcefully close connection after this duration regardless of activity.
+    http_max_lifetime: std::time::Duration,
     /// WebSocket inactivity timeout (no data in either direction).
     ws_inactivity_timeout: std::time::Duration,
     /// WebSocket maximum connection lifetime.
@@ -245,6 +251,7 @@ impl HttpProxyService {
             connection_pool: Arc::new(crate::connection_pool::ConnectionPool::new()),
             protocol_cache: Arc::new(crate::protocol_cache::ProtocolCache::new()),
             http_idle_timeout: DEFAULT_HTTP_IDLE_TIMEOUT,
+            http_max_lifetime: DEFAULT_HTTP_MAX_LIFETIME,
             ws_inactivity_timeout: DEFAULT_WS_INACTIVITY_TIMEOUT,
             ws_max_lifetime: DEFAULT_WS_MAX_LIFETIME,
             quinn_client_endpoint: Arc::new(Self::create_quinn_client_endpoint()),
@@ -272,21 +279,24 @@ impl HttpProxyService {
             connection_pool: Arc::new(crate::connection_pool::ConnectionPool::new()),
             protocol_cache: Arc::new(crate::protocol_cache::ProtocolCache::new()),
             http_idle_timeout: DEFAULT_HTTP_IDLE_TIMEOUT,
+            http_max_lifetime: DEFAULT_HTTP_MAX_LIFETIME,
             ws_inactivity_timeout: DEFAULT_WS_INACTIVITY_TIMEOUT,
             ws_max_lifetime: DEFAULT_WS_MAX_LIFETIME,
             quinn_client_endpoint: Arc::new(Self::create_quinn_client_endpoint()),
         }
     }
 
-    /// Set the HTTP keep-alive idle timeout, WebSocket inactivity timeout, and
-    /// WebSocket max lifetime from connection config values.
+    /// Set the HTTP keep-alive idle timeout, HTTP max lifetime, WebSocket inactivity
+    /// timeout, and WebSocket max lifetime from connection config values.
     pub fn set_connection_timeouts(
         &mut self,
         http_idle_timeout: std::time::Duration,
+        http_max_lifetime: std::time::Duration,
         ws_inactivity_timeout: std::time::Duration,
         ws_max_lifetime: std::time::Duration,
     ) {
         self.http_idle_timeout = http_idle_timeout;
+        self.http_max_lifetime = http_max_lifetime;
         self.ws_inactivity_timeout = ws_inactivity_timeout;
         self.ws_max_lifetime = ws_max_lifetime;
     }
@@ -311,6 +321,20 @@ impl HttpProxyService {
         self.protocol_cache.clear();
     }
 
+    /// Clean up expired entries in all per-route rate limiters.
+    /// Called from the background sampling task to prevent unbounded growth
+    /// when traffic stops after a burst of unique IPs.
+    pub fn cleanup_all_rate_limiters(&self) {
+        for entry in self.route_rate_limiters.iter() {
+            entry.value().cleanup();
+        }
+    }
+
+    /// Snapshot the protocol cache for metrics/UI display.
+    pub fn protocol_cache_snapshot(&self) -> Vec<crate::protocol_cache::ProtocolCacheEntry> {
+        self.protocol_cache.snapshot()
+    }
+
     /// Handle an incoming HTTP connection on a plain TCP stream.
     pub async fn handle_connection(
         self: Arc<Self>,
@@ -346,6 +370,7 @@ impl HttpProxyService {
 
         // Capture timeouts before `self` is moved into the service closure.
         let idle_timeout = self.http_idle_timeout;
+        let max_lifetime = self.http_max_lifetime;
 
         // Activity tracker: updated at the START and END of each request.
         // The idle watchdog checks this to determine if the connection is idle
@@ -366,7 +391,7 @@ impl HttpProxyService {
             let cn = cancel_inner.clone();
             let la = Arc::clone(&la_inner);
             let st = start;
-            let ca = ConnActivity { last_activity: Arc::clone(&la_inner), start, active_requests: Some(Arc::clone(&ar_inner)), alt_svc_cache_key: None };
+            let ca = ConnActivity { last_activity: Arc::clone(&la_inner), start, active_requests: Some(Arc::clone(&ar_inner)), alt_svc_cache_key: None, alt_svc_request_url: None };
             async move {
                 let req = req.map(|body| BoxBody::new(body));
                 let result = svc.handle_request(req, peer, port, cn, ca).await;
@@ -404,15 +429,23 @@ impl HttpProxyService {
                 }
             }
             _ = async {
-                // Idle watchdog: check every 5s whether the connection has been idle
-                // (no active requests AND no activity for idle_timeout).
-                // This avoids killing long-running requests or upgraded connections.
+                // Idle + lifetime watchdog: check every 5s whether the connection has been
+                // idle (no active requests AND no activity for idle_timeout) or exceeded
+                // the max connection lifetime.
                 let check_interval = std::time::Duration::from_secs(5);
                 let mut last_seen = 0u64;
                 loop {
                     tokio::time::sleep(check_interval).await;
 
-                    // Never close while a request is in progress
+                    // Check max connection lifetime (unconditional — even active connections
+                    // must eventually be recycled to prevent resource accumulation).
+                    if start.elapsed() >= max_lifetime {
+                        debug!("HTTP connection exceeded max lifetime ({}s) from {}",
+                            max_lifetime.as_secs(), peer_addr);
+                        return;
+                    }
+
+                    // Never close for idleness while a request is in progress
                     if active_requests.load(Ordering::Relaxed) > 0 {
                         last_seen = last_activity.load(Ordering::Relaxed);
                         continue;
@@ -429,7 +462,7 @@ impl HttpProxyService {
                     last_seen = current;
                 }
             } => {
-                debug!("HTTP connection idle timeout ({}s) from {}", idle_timeout.as_secs(), peer_addr);
+                debug!("HTTP connection timeout from {}", peer_addr);
                 conn.as_mut().graceful_shutdown();
                 // Give any in-flight work 5s to drain after graceful shutdown
                 let _ = tokio::time::timeout(std::time::Duration::from_secs(5), conn).await;
@@ -701,6 +734,14 @@ impl HttpProxyService {
             port: upstream.port,
             requested_host: host.clone(),
         };
+        // Save cached H3 port for within-request escalation (may be needed later
+        // if TCP connect fails and we escalate to H3 as a last resort)
+        let cached_h3_port = self.protocol_cache.get(&protocol_cache_key)
+            .and_then(|c| c.h3_port);
+
+        // Track whether this ALPN probe is a periodic re-probe (vs first-time detection)
+        let mut is_reprobe = false;
+
         let protocol_decision = match backend_protocol_mode {
             rustproxy_config::BackendProtocol::Http1 => ProtocolDecision::H1,
             rustproxy_config::BackendProtocol::Http2 => ProtocolDecision::H2,
@@ -711,19 +752,40 @@ impl HttpProxyService {
                     ProtocolDecision::H1
                 } else {
                     match self.protocol_cache.get(&protocol_cache_key) {
+                        Some(cached) if cached.needs_reprobe => {
+                            // Entry exists but 5+ minutes since last probe — force ALPN re-probe
+                            // (only fires for H1/H2; H3 entries have needs_reprobe=false)
+                            is_reprobe = true;
+                            ProtocolDecision::AlpnProbe
+                        }
                         Some(cached) => match cached.protocol {
                             crate::protocol_cache::DetectedProtocol::H3 => {
-                                if let Some(h3_port) = cached.h3_port {
+                                if self.protocol_cache.is_suppressed(&protocol_cache_key, crate::protocol_cache::DetectedProtocol::H3) {
+                                    // H3 cached but suppressed — fall back to ALPN probe
+                                    ProtocolDecision::AlpnProbe
+                                } else if let Some(h3_port) = cached.h3_port {
                                     ProtocolDecision::H3 { port: h3_port }
                                 } else {
-                                    // H3 cached but no port — fall back to ALPN probe
                                     ProtocolDecision::AlpnProbe
                                 }
                             }
-                            crate::protocol_cache::DetectedProtocol::H2 => ProtocolDecision::H2,
+                            crate::protocol_cache::DetectedProtocol::H2 => {
+                                if self.protocol_cache.is_suppressed(&protocol_cache_key, crate::protocol_cache::DetectedProtocol::H2) {
+                                    ProtocolDecision::H1
+                                } else {
+                                    ProtocolDecision::H2
+                                }
+                            }
                             crate::protocol_cache::DetectedProtocol::H1 => ProtocolDecision::H1,
                         },
-                        None => ProtocolDecision::AlpnProbe,
+                        None => {
+                            // Cache miss — skip ALPN probe if H2 is suppressed
+                            if self.protocol_cache.is_suppressed(&protocol_cache_key, crate::protocol_cache::DetectedProtocol::H2) {
+                                ProtocolDecision::H1
+                            } else {
+                                ProtocolDecision::AlpnProbe
+                            }
+                        }
                     }
                 }
             }
@@ -741,6 +803,7 @@ impl HttpProxyService {
         // the backend's original Alt-Svc header before ResponseFilter injects our own.
         if is_auto_detect_mode {
             conn_activity.alt_svc_cache_key = Some(protocol_cache_key.clone());
+            conn_activity.alt_svc_request_url = Some(upstream_path.to_string());
         }
 
         // --- H3 path: try QUIC connection before TCP ---
@@ -753,10 +816,10 @@ impl HttpProxyService {
             };
 
             // Try H3 pool checkout first
-            if let Some((quic_conn, _age)) = self.connection_pool.checkout_h3(&h3_pool_key) {
+            if let Some((pooled_sr, quic_conn, _age)) = self.connection_pool.checkout_h3(&h3_pool_key) {
                 self.metrics.backend_pool_hit(&upstream_key);
                 let result = self.forward_h3(
-                    quic_conn, parts, body, upstream_headers, &upstream_path,
+                    quic_conn, Some(pooled_sr), parts, body, upstream_headers, &upstream_path,
                     route_match.route, route_id, &ip_str, &h3_pool_key, domain_str, &conn_activity, &upstream_key,
                 ).await;
                 self.upstream_selector.connection_ended(&upstream_key);
@@ -769,15 +832,23 @@ impl HttpProxyService {
                     self.metrics.backend_pool_miss(&upstream_key);
                     self.metrics.backend_connection_opened(&upstream_key, std::time::Instant::now().elapsed());
                     let result = self.forward_h3(
-                        quic_conn, parts, body, upstream_headers, &upstream_path,
+                        quic_conn, None, parts, body, upstream_headers, &upstream_path,
                         route_match.route, route_id, &ip_str, &h3_pool_key, domain_str, &conn_activity, &upstream_key,
                     ).await;
                     self.upstream_selector.connection_ended(&upstream_key);
                     return result;
                 }
                 Err(e) => {
-                    warn!(backend = %upstream_key, error = %e,
+                    warn!(backend = %upstream_key, domain = %domain_str, error = %e,
                         "H3 backend connect failed, falling back to H2/H1");
+                    // Record failure with escalating cooldown — prevents Alt-Svc
+                    // from re-upgrading to H3 during cooldown period
+                    if is_auto_detect_mode {
+                        self.protocol_cache.record_failure(
+                            protocol_cache_key.clone(),
+                            crate::protocol_cache::DetectedProtocol::H3,
+                        );
+                    }
                     // Suppress Alt-Svc caching for the fallback to prevent re-caching H3
                     // from our own injected Alt-Svc header or a stale backend Alt-Svc
                     conn_activity.alt_svc_cache_key = None;
@@ -860,7 +931,7 @@ impl HttpProxyService {
                         let alpn = tls.get_ref().1.alpn_protocol();
                         let is_h2 = alpn.map(|p| p == b"h2").unwrap_or(false);
 
-                        // Cache the result
+                        // Cache the result (or update existing entry for re-probes)
                         let cache_key = crate::protocol_cache::ProtocolCacheKey {
                             host: upstream.host.clone(),
                             port: upstream.port,
@@ -871,13 +942,18 @@ impl HttpProxyService {
                         } else {
                             crate::protocol_cache::DetectedProtocol::H1
                         };
-                        self.protocol_cache.insert(cache_key, detected);
+                        if is_reprobe {
+                            self.protocol_cache.update_probe_result(&cache_key, detected, "periodic ALPN re-probe");
+                        } else {
+                            self.protocol_cache.insert(cache_key, detected, "initial ALPN detection");
+                        }
 
                         info!(
                             backend = %upstream_key,
                             domain = %domain_str,
                             protocol = if is_h2 { "h2" } else { "h1" },
                             connect_time_ms = %connect_start.elapsed().as_millis(),
+                            reprobe = is_reprobe,
                             "Backend protocol detected via ALPN"
                         );
 
@@ -899,6 +975,38 @@ impl HttpProxyService {
                     );
                     self.metrics.backend_connect_error(&upstream_key);
                     self.upstream_selector.connection_ended(&upstream_key);
+
+                    // --- Within-request escalation: try H3 via QUIC if retryable ---
+                    if is_auto_detect_mode {
+                        if let Some(h3_port) = cached_h3_port {
+                            if self.protocol_cache.can_retry(&protocol_cache_key, crate::protocol_cache::DetectedProtocol::H3) {
+                                self.protocol_cache.record_retry_attempt(&protocol_cache_key, crate::protocol_cache::DetectedProtocol::H3);
+                                debug!(backend = %upstream_key, domain = %domain_str, "TLS connect failed — escalating to H3");
+                                match self.connect_quic_backend(&upstream.host, h3_port).await {
+                                    Ok(quic_conn) => {
+                                        self.protocol_cache.clear_failure(&protocol_cache_key, crate::protocol_cache::DetectedProtocol::H3);
+                                        self.protocol_cache.insert_h3(protocol_cache_key.clone(), h3_port, "recovery — TLS failed, H3 succeeded");
+                                        let h3_pool_key = crate::connection_pool::PoolKey {
+                                            host: upstream.host.clone(), port: h3_port, use_tls: true,
+                                            protocol: crate::connection_pool::PoolProtocol::H3,
+                                        };
+                                        let result = self.forward_h3(
+                                            quic_conn, None, parts, body, upstream_headers, &upstream_path,
+                                            route_match.route, route_id, &ip_str, &h3_pool_key, domain_str, &conn_activity, &upstream_key,
+                                        ).await;
+                                        self.upstream_selector.connection_ended(&upstream_key);
+                                        return result;
+                                    }
+                                    Err(e3) => {
+                                        debug!(backend = %upstream_key, error = %e3, "H3 escalation also failed");
+                                        self.protocol_cache.record_failure(protocol_cache_key.clone(), crate::protocol_cache::DetectedProtocol::H3);
+                                    }
+                                }
+                            }
+                        }
+                        // All protocols failed — evict cache entry
+                        self.protocol_cache.evict(&protocol_cache_key);
+                    }
                     return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend TLS unavailable"));
                 }
                 Err(_) => {
@@ -910,6 +1018,38 @@ impl HttpProxyService {
                     );
                     self.metrics.backend_connect_error(&upstream_key);
                     self.upstream_selector.connection_ended(&upstream_key);
+
+                    // --- Within-request escalation: try H3 via QUIC if retryable ---
+                    if is_auto_detect_mode {
+                        if let Some(h3_port) = cached_h3_port {
+                            if self.protocol_cache.can_retry(&protocol_cache_key, crate::protocol_cache::DetectedProtocol::H3) {
+                                self.protocol_cache.record_retry_attempt(&protocol_cache_key, crate::protocol_cache::DetectedProtocol::H3);
+                                debug!(backend = %upstream_key, domain = %domain_str, "TLS connect timeout — escalating to H3");
+                                match self.connect_quic_backend(&upstream.host, h3_port).await {
+                                    Ok(quic_conn) => {
+                                        self.protocol_cache.clear_failure(&protocol_cache_key, crate::protocol_cache::DetectedProtocol::H3);
+                                        self.protocol_cache.insert_h3(protocol_cache_key.clone(), h3_port, "recovery — TLS timeout, H3 succeeded");
+                                        let h3_pool_key = crate::connection_pool::PoolKey {
+                                            host: upstream.host.clone(), port: h3_port, use_tls: true,
+                                            protocol: crate::connection_pool::PoolProtocol::H3,
+                                        };
+                                        let result = self.forward_h3(
+                                            quic_conn, None, parts, body, upstream_headers, &upstream_path,
+                                            route_match.route, route_id, &ip_str, &h3_pool_key, domain_str, &conn_activity, &upstream_key,
+                                        ).await;
+                                        self.upstream_selector.connection_ended(&upstream_key);
+                                        return result;
+                                    }
+                                    Err(e3) => {
+                                        debug!(backend = %upstream_key, error = %e3, "H3 escalation also failed");
+                                        self.protocol_cache.record_failure(protocol_cache_key.clone(), crate::protocol_cache::DetectedProtocol::H3);
+                                    }
+                                }
+                            }
+                        }
+                        // All protocols failed — evict cache entry
+                        self.protocol_cache.evict(&protocol_cache_key);
+                    }
                     return Ok(error_response(StatusCode::GATEWAY_TIMEOUT, "Backend TLS connect timeout"));
                 }
             }
@@ -937,6 +1077,38 @@ impl HttpProxyService {
                     );
                     self.metrics.backend_connect_error(&upstream_key);
                     self.upstream_selector.connection_ended(&upstream_key);
+
+                    // --- Within-request escalation: try H3 via QUIC if retryable ---
+                    if is_auto_detect_mode {
+                        if let Some(h3_port) = cached_h3_port {
+                            if self.protocol_cache.can_retry(&protocol_cache_key, crate::protocol_cache::DetectedProtocol::H3) {
+                                self.protocol_cache.record_retry_attempt(&protocol_cache_key, crate::protocol_cache::DetectedProtocol::H3);
+                                debug!(backend = %upstream_key, domain = %domain_str, "TCP connect failed — escalating to H3");
+                                match self.connect_quic_backend(&upstream.host, h3_port).await {
+                                    Ok(quic_conn) => {
+                                        self.protocol_cache.clear_failure(&protocol_cache_key, crate::protocol_cache::DetectedProtocol::H3);
+                                        self.protocol_cache.insert_h3(protocol_cache_key.clone(), h3_port, "recovery — TCP failed, H3 succeeded");
+                                        let h3_pool_key = crate::connection_pool::PoolKey {
+                                            host: upstream.host.clone(), port: h3_port, use_tls: true,
+                                            protocol: crate::connection_pool::PoolProtocol::H3,
+                                        };
+                                        let result = self.forward_h3(
+                                            quic_conn, None, parts, body, upstream_headers, &upstream_path,
+                                            route_match.route, route_id, &ip_str, &h3_pool_key, domain_str, &conn_activity, &upstream_key,
+                                        ).await;
+                                        self.upstream_selector.connection_ended(&upstream_key);
+                                        return result;
+                                    }
+                                    Err(e3) => {
+                                        debug!(backend = %upstream_key, error = %e3, "H3 escalation also failed");
+                                        self.protocol_cache.record_failure(protocol_cache_key.clone(), crate::protocol_cache::DetectedProtocol::H3);
+                                    }
+                                }
+                            }
+                        }
+                        // All protocols failed — evict cache entry
+                        self.protocol_cache.evict(&protocol_cache_key);
+                    }
                     return Ok(error_response(StatusCode::BAD_GATEWAY, "Backend unavailable"));
                 }
                 Err(_) => {
@@ -948,6 +1120,38 @@ impl HttpProxyService {
                     );
                     self.metrics.backend_connect_error(&upstream_key);
                     self.upstream_selector.connection_ended(&upstream_key);
+
+                    // --- Within-request escalation: try H3 via QUIC if retryable ---
+                    if is_auto_detect_mode {
+                        if let Some(h3_port) = cached_h3_port {
+                            if self.protocol_cache.can_retry(&protocol_cache_key, crate::protocol_cache::DetectedProtocol::H3) {
+                                self.protocol_cache.record_retry_attempt(&protocol_cache_key, crate::protocol_cache::DetectedProtocol::H3);
+                                debug!(backend = %upstream_key, domain = %domain_str, "TCP connect timeout — escalating to H3");
+                                match self.connect_quic_backend(&upstream.host, h3_port).await {
+                                    Ok(quic_conn) => {
+                                        self.protocol_cache.clear_failure(&protocol_cache_key, crate::protocol_cache::DetectedProtocol::H3);
+                                        self.protocol_cache.insert_h3(protocol_cache_key.clone(), h3_port, "recovery — TCP timeout, H3 succeeded");
+                                        let h3_pool_key = crate::connection_pool::PoolKey {
+                                            host: upstream.host.clone(), port: h3_port, use_tls: true,
+                                            protocol: crate::connection_pool::PoolProtocol::H3,
+                                        };
+                                        let result = self.forward_h3(
+                                            quic_conn, None, parts, body, upstream_headers, &upstream_path,
+                                            route_match.route, route_id, &ip_str, &h3_pool_key, domain_str, &conn_activity, &upstream_key,
+                                        ).await;
+                                        self.upstream_selector.connection_ended(&upstream_key);
+                                        return result;
+                                    }
+                                    Err(e3) => {
+                                        debug!(backend = %upstream_key, error = %e3, "H3 escalation also failed");
+                                        self.protocol_cache.record_failure(protocol_cache_key.clone(), crate::protocol_cache::DetectedProtocol::H3);
+                                    }
+                                }
+                            }
+                        }
+                        // All protocols failed — evict cache entry
+                        self.protocol_cache.evict(&protocol_cache_key);
+                    }
                     return Ok(error_response(StatusCode::GATEWAY_TIMEOUT, "Backend connect timeout"));
                 }
             }
@@ -1030,8 +1234,10 @@ impl HttpProxyService {
         };
 
         tokio::spawn(async move {
-            if let Err(e) = conn.await {
-                debug!("Upstream connection error: {}", e);
+            match tokio::time::timeout(std::time::Duration::from_secs(300), conn).await {
+                Ok(Err(e)) => debug!("Upstream connection error: {}", e),
+                Err(_) => debug!("H1 connection driver timed out after 300s"),
+                _ => {}
             }
         });
 
@@ -1416,7 +1622,12 @@ impl HttpProxyService {
                     port: upstream.port,
                     requested_host: requested_host.clone(),
                 };
-                self.protocol_cache.insert(cache_key, crate::protocol_cache::DetectedProtocol::H1);
+                // Record H2 failure (escalating cooldown) before downgrading cache to H1
+                self.protocol_cache.record_failure(
+                    cache_key.clone(),
+                    crate::protocol_cache::DetectedProtocol::H2,
+                );
+                self.protocol_cache.insert(cache_key.clone(), crate::protocol_cache::DetectedProtocol::H1, "H2 handshake timeout — downgrade");
 
                 match self.reconnect_backend(upstream, domain, backend_key).await {
                     Some(fallback_backend) => {
@@ -1435,6 +1646,8 @@ impl HttpProxyService {
                         result
                     }
                     None => {
+                        // H2 failed and H1 reconnect also failed — evict cache
+                        self.protocol_cache.evict(&cache_key);
                         Ok(error_response(StatusCode::BAD_GATEWAY, "Backend unavailable after H2 timeout fallback"))
                     }
                 }
@@ -1549,13 +1762,17 @@ impl HttpProxyService {
                 self.metrics.backend_h2_failure(backend_key);
                 self.metrics.backend_handshake_error(backend_key);
 
-                // Update cache to H1 so subsequent requests skip H2
+                // Record H2 failure (escalating cooldown) and downgrade cache to H1
                 let cache_key = crate::protocol_cache::ProtocolCacheKey {
                     host: upstream.host.clone(),
                     port: upstream.port,
                     requested_host: requested_host.clone(),
                 };
-                self.protocol_cache.insert(cache_key, crate::protocol_cache::DetectedProtocol::H1);
+                self.protocol_cache.record_failure(
+                    cache_key.clone(),
+                    crate::protocol_cache::DetectedProtocol::H2,
+                );
+                self.protocol_cache.insert(cache_key.clone(), crate::protocol_cache::DetectedProtocol::H1, "H2 handshake error — downgrade");
 
                 // Reconnect for H1 (the original io was consumed by the failed h2 handshake)
                 match self.reconnect_backend(upstream, domain, backend_key).await {
@@ -1576,6 +1793,8 @@ impl HttpProxyService {
                         result
                     }
                     None => {
+                        // H2 failed and H1 reconnect also failed — evict cache
+                        self.protocol_cache.evict(&cache_key);
                         Ok(error_response(StatusCode::BAD_GATEWAY, "Backend unavailable after H2 fallback"))
                     }
                 }
@@ -1611,8 +1830,10 @@ impl HttpProxyService {
         };
 
         tokio::spawn(async move {
-            if let Err(e) = conn.await {
-                debug!("H1 fallback: upstream connection error: {}", e);
+            match tokio::time::timeout(std::time::Duration::from_secs(300), conn).await {
+                Ok(Err(e)) => debug!("H1 fallback: upstream connection error: {}", e),
+                Err(_) => debug!("H1 fallback: connection driver timed out after 300s"),
+                _ => {}
             }
         });
 
@@ -1791,8 +2012,10 @@ impl HttpProxyService {
         if let Some(ref cache_key) = conn_activity.alt_svc_cache_key {
             if let Some(alt_svc) = resp_parts.headers.get("alt-svc").and_then(|v| v.to_str().ok()) {
                 if let Some(h3_port) = parse_alt_svc_h3_port(alt_svc) {
-                    debug!(h3_port, "Backend advertises H3 via Alt-Svc");
-                    self.protocol_cache.insert_h3(cache_key.clone(), h3_port);
+                    let url = conn_activity.alt_svc_request_url.as_deref().unwrap_or("-");
+                    debug!(h3_port, url, "Backend advertises H3 via Alt-Svc");
+                    let reason = format!("Alt-Svc response header ({})", url);
+                    self.protocol_cache.insert_h3(cache_key.clone(), h3_port, &reason);
                 }
             }
         }
@@ -2546,7 +2769,12 @@ impl HttpProxyService {
 
         let quic_crypto = quinn::crypto::rustls::QuicClientConfig::try_from(tls_config)
             .expect("Failed to create QUIC client crypto config");
-        let client_config = quinn::ClientConfig::new(Arc::new(quic_crypto));
+
+        // Tune QUIC transport to match H2 flow-control: 2 MB per-stream receive window.
+        let mut transport = quinn::TransportConfig::default();
+        transport.stream_receive_window(quinn::VarInt::from_u32(2 * 1024 * 1024));
+        let mut client_config = quinn::ClientConfig::new(Arc::new(quic_crypto));
+        client_config.transport_config(Arc::new(transport));
 
         let mut endpoint = quinn::Endpoint::client("0.0.0.0:0".parse().unwrap())
             .expect("Failed to create QUIC client endpoint");
@@ -2568,8 +2796,8 @@ impl HttpProxyService {
         let server_name = host.to_string();
         let connecting = self.quinn_client_endpoint.connect(addr, &server_name)?;
 
-        let connection = tokio::time::timeout(QUIC_CONNECT_TIMEOUT, connecting).await
-            .map_err(|_| "QUIC connect timeout (3s)")??;
+        let connection = tokio::time::timeout(self.connect_timeout, connecting).await
+            .map_err(|_| format!("QUIC connect timeout ({:?}) for {}", self.connect_timeout, host))??;
 
         debug!("QUIC backend connection established to {}:{}", host, port);
         Ok(connection)
@@ -2579,6 +2807,7 @@ impl HttpProxyService {
     async fn forward_h3(
         &self,
         quic_conn: quinn::Connection,
+        pooled_sender: Option<h3::client::SendRequest<h3_quinn::OpenStreams, Bytes>>,
         parts: hyper::http::request::Parts,
         body: BoxBody<Bytes, hyper::Error>,
         upstream_headers: hyper::HeaderMap,
@@ -2591,8 +2820,14 @@ impl HttpProxyService {
         conn_activity: &ConnActivity,
         backend_key: &str,
     ) -> Result<Response<BoxBody<Bytes, hyper::Error>>, hyper::Error> {
+        // Obtain the h3 SendRequest handle: skip handshake + driver on pool hit.
+        let (mut send_request, gen_holder) = if let Some(sr) = pooled_sender {
+            // Pool hit — reuse existing h3 session, no SETTINGS round-trip
+            (sr, None)
+        } else {
+            // Fresh QUIC connection — full h3 handshake + driver spawn
             let h3_quinn_conn = h3_quinn::Connection::new(quic_conn.clone());
-        let (mut driver, mut send_request) = match h3::client::builder()
+            let (mut driver, sr) = match h3::client::builder()
                 .send_grease(false)
                 .build(h3_quinn_conn)
                 .await
@@ -2605,10 +2840,10 @@ impl HttpProxyService {
                 }
             };
 
-        // Spawn the h3 connection driver
+            let gen_holder = Arc::new(std::sync::atomic::AtomicU64::new(u64::MAX));
+            {
                 let driver_pool = Arc::clone(&self.connection_pool);
                 let driver_pool_key = pool_key.clone();
-        let gen_holder = Arc::new(std::sync::atomic::AtomicU64::new(u64::MAX));
                 let driver_gen = Arc::clone(&gen_holder);
                 tokio::spawn(async move {
                     let close_err = std::future::poll_fn(|cx| driver.poll_close(cx)).await;
@@ -2618,6 +2853,9 @@ impl HttpProxyService {
                         driver_pool.remove_h3_if_generation(&driver_pool_key, g);
                     }
                 });
+            }
+            (sr, Some(gen_holder))
+        };
 
         // Build the H3 request
         let uri = hyper::Uri::builder()
@@ -2647,7 +2885,7 @@ impl HttpProxyService {
             }
         };
 
-        // Stream request body
+        // Stream request body (zero-copy: into_data yields owned Bytes)
         let rid: Option<Arc<str>> = route_id.map(Arc::from);
         let sip: Arc<str> = Arc::from(source_ip);
 
@@ -2657,9 +2895,9 @@ impl HttpProxyService {
             while let Some(frame) = body.frame().await {
                 match frame {
                     Ok(frame) => {
-                        if let Some(data) = frame.data_ref() {
+                        if let Ok(data) = frame.into_data() {
                             self.metrics.record_bytes(data.len() as u64, 0, rid.as_deref(), Some(&sip));
-                            if let Err(e) = stream.send_data(Bytes::copy_from_slice(data)).await {
+                            if let Err(e) = stream.send_data(data).await {
                                 error!(backend = %backend_key, error = %e, "H3 send_data failed");
                                 return Ok(error_response(StatusCode::BAD_GATEWAY, "H3 body send failed"));
                             }
@@ -2701,8 +2939,23 @@ impl HttpProxyService {
             ResponseFilter::apply_headers(route, headers, None);
         }
 
-        // Stream response body back via an adapter
-        let h3_body = H3ClientResponseBody { stream };
+        // Stream response body back via unfold — correctly preserves waker across polls
+        let body_stream = futures::stream::unfold(stream, |mut s| async move {
+            match s.recv_data().await {
+                Ok(Some(mut buf)) => {
+                    use bytes::Buf;
+                    let data = buf.copy_to_bytes(buf.remaining());
+                    Some((Ok::<_, hyper::Error>(http_body::Frame::data(data)), s))
+                }
+                Ok(None) => None,
+                Err(e) => {
+                    warn!("H3 response body recv error: {}", e);
+                    None
+                }
+            }
+        });
+        let h3_body = http_body_util::StreamBody::new(body_stream);
+
         let counting_body = CountingBody::new(
             h3_body,
             Arc::clone(&self.metrics),
@@ -2719,10 +2972,16 @@ impl HttpProxyService {
 
         let body: BoxBody<Bytes, hyper::Error> = BoxBody::new(counting_body);
 
-        // Register connection in pool on success
+        // Register connection in pool on success (fresh connections only)
         if status != StatusCode::BAD_GATEWAY {
-            let g = self.connection_pool.register_h3(pool_key.clone(), quic_conn);
-            gen_holder.store(g, std::sync::atomic::Ordering::Relaxed);
+            if let Some(gh) = gen_holder {
+                let g = self.connection_pool.register_h3(
+                    pool_key.clone(),
+                    quic_conn,
+                    send_request,
+                );
+                gh.store(g, std::sync::atomic::Ordering::Relaxed);
+            }
         }
 
         self.metrics.set_backend_protocol(backend_key, "h3");
@@ -2751,41 +3010,6 @@ fn parse_alt_svc_h3_port(header_value: &str) -> Option<u16> {
     None
 }
 
-/// Response body adapter for H3 client responses.
-/// Reads data from the h3 `RequestStream` recv side and presents it as an `http_body::Body`.
-struct H3ClientResponseBody {
-    stream: h3::client::RequestStream<h3_quinn::BidiStream<Bytes>, Bytes>,
-}
-
-impl http_body::Body for H3ClientResponseBody {
-    type Data = Bytes;
-    type Error = hyper::Error;
-
-    fn poll_frame(
-        mut self: Pin<&mut Self>,
-        _cx: &mut Context<'_>,
-    ) -> Poll<Option<Result<http_body::Frame<Self::Data>, Self::Error>>> {
-        // h3's recv_data is async, so we need to poll it manually.
-        // Use a small future to poll the recv_data call.
-        use std::future::Future;
-        let mut fut = Box::pin(self.stream.recv_data());
-        match fut.as_mut().poll(_cx) {
-            Poll::Ready(Ok(Some(mut buf))) => {
-                use bytes::Buf;
-                let data = Bytes::copy_from_slice(buf.chunk());
-                buf.advance(buf.remaining());
-                Poll::Ready(Some(Ok(http_body::Frame::data(data))))
-            }
-            Poll::Ready(Ok(None)) => Poll::Ready(None),
-            Poll::Ready(Err(e)) => {
-                warn!("H3 response body recv error: {}", e);
-                Poll::Ready(None)
-            }
-            Poll::Pending => Poll::Pending,
-        }
-    }
-}
-
 /// Insecure certificate verifier for backend TLS connections (fallback only).
 /// The production path uses the shared config from tls_handler which has the same
 /// behavior but with session resumption across all outbound connections.
@@ -2854,6 +3078,7 @@ impl Default for HttpProxyService {
             connection_pool: Arc::new(crate::connection_pool::ConnectionPool::new()),
             protocol_cache: Arc::new(crate::protocol_cache::ProtocolCache::new()),
             http_idle_timeout: DEFAULT_HTTP_IDLE_TIMEOUT,
+            http_max_lifetime: DEFAULT_HTTP_MAX_LIFETIME,
             ws_inactivity_timeout: DEFAULT_WS_INACTIVITY_TIMEOUT,
             ws_max_lifetime: DEFAULT_WS_MAX_LIFETIME,
             quinn_client_endpoint: Arc::new(Self::create_quinn_client_endpoint()),

rust/crates/rustproxy-metrics/src/collector.rs

@@ -31,6 +31,8 @@ pub struct Metrics {
     pub total_udp_sessions: u64,
     pub total_datagrams_in: u64,
     pub total_datagrams_out: u64,
+    // Protocol detection cache snapshot (populated by RustProxy from HttpProxyService)
+    pub detected_protocols: Vec<ProtocolCacheEntryMetric>,
 }
 
 /// Per-route metrics.
@@ -76,6 +78,27 @@ pub struct BackendMetrics {
     pub h2_failures: u64,
 }
 
+/// Protocol cache entry for metrics/UI display.
+/// Populated from the HTTP proxy service's protocol detection cache.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct ProtocolCacheEntryMetric {
+    pub host: String,
+    pub port: u16,
+    pub domain: Option<String>,
+    pub protocol: String,
+    pub h3_port: Option<u16>,
+    pub age_secs: u64,
+    pub last_accessed_secs: u64,
+    pub last_probed_secs: u64,
+    pub h2_suppressed: bool,
+    pub h3_suppressed: bool,
+    pub h2_cooldown_remaining_secs: Option<u64>,
+    pub h3_cooldown_remaining_secs: Option<u64>,
+    pub h2_consecutive_failures: Option<u32>,
+    pub h3_consecutive_failures: Option<u32>,
+}
+
 /// Statistics snapshot.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 #[serde(rename_all = "camelCase")]
@@ -601,6 +624,24 @@ impl MetricsCollector {
         self.ip_pending_tp.retain(|k, _| self.ip_connections.contains_key(k));
         self.ip_throughput.retain(|k, _| self.ip_connections.contains_key(k));
         self.ip_total_connections.retain(|k, _| self.ip_connections.contains_key(k));
+
+        // Safety-net: prune orphaned backend error/stats entries for backends
+        // that have no active or total connections (error-only backends).
+        // These accumulate when backend_connect_error/backend_handshake_error
+        // create entries but backend_connection_opened is never called.
+        let known_backends: HashSet<String> = self.backend_active.iter()
+            .map(|e| e.key().clone())
+            .chain(self.backend_total.iter().map(|e| e.key().clone()))
+            .collect();
+        self.backend_connect_errors.retain(|k, _| known_backends.contains(k));
+        self.backend_handshake_errors.retain(|k, _| known_backends.contains(k));
+        self.backend_request_errors.retain(|k, _| known_backends.contains(k));
+        self.backend_connect_time_us.retain(|k, _| known_backends.contains(k));
+        self.backend_connect_count.retain(|k, _| known_backends.contains(k));
+        self.backend_pool_hits.retain(|k, _| known_backends.contains(k));
+        self.backend_pool_misses.retain(|k, _| known_backends.contains(k));
+        self.backend_h2_failures.retain(|k, _| known_backends.contains(k));
+        self.backend_protocol.retain(|k, _| known_backends.contains(k));
     }
 
     /// Remove per-route metrics for route IDs that are no longer active.
@@ -824,6 +865,7 @@ impl MetricsCollector {
             total_udp_sessions: self.total_udp_sessions.load(Ordering::Relaxed),
             total_datagrams_in: self.total_datagrams_in.load(Ordering::Relaxed),
             total_datagrams_out: self.total_datagrams_out.load(Ordering::Relaxed),
+            detected_protocols: vec![],
         }
     }
 }

rust/crates/rustproxy-nftables/Cargo.toml

@@ -1,17 +0,0 @@
-[package]
-name = "rustproxy-nftables"
-version.workspace = true
-edition.workspace = true
-license.workspace = true
-authors.workspace = true
-description = "NFTables kernel-level forwarding for RustProxy"
-
-[dependencies]
-rustproxy-config = { workspace = true }
-tokio = { workspace = true }
-tracing = { workspace = true }
-thiserror = { workspace = true }
-anyhow = { workspace = true }
-serde = { workspace = true }
-serde_json = { workspace = true }
-libc = { workspace = true }

rust/crates/rustproxy-nftables/src/lib.rs

@@ -1,10 +0,0 @@
-//! # rustproxy-nftables
-//!
-//! NFTables kernel-level forwarding for RustProxy.
-//! Generates and manages nft CLI rules for DNAT/SNAT.
-
-pub mod nft_manager;
-pub mod rule_builder;
-
-pub use nft_manager::*;
-pub use rule_builder::*;

rust/crates/rustproxy-nftables/src/nft_manager.rs

@@ -1,238 +0,0 @@
-use thiserror::Error;
-use std::collections::HashMap;
-use tracing::{debug, info, warn};
-
-#[derive(Debug, Error)]
-pub enum NftError {
-    #[error("nft command failed: {0}")]
-    CommandFailed(String),
-    #[error("IO error: {0}")]
-    Io(#[from] std::io::Error),
-    #[error("Not running as root")]
-    NotRoot,
-}
-
-/// Manager for nftables rules.
-///
-/// Executes `nft` CLI commands to manage kernel-level packet forwarding.
-/// Requires root privileges; operations are skipped gracefully if not root.
-pub struct NftManager {
-    table_name: String,
-    /// Active rules indexed by route ID
-    active_rules: HashMap<String, Vec<String>>,
-    /// Whether the table has been initialized
-    table_initialized: bool,
-}
-
-impl NftManager {
-    pub fn new(table_name: Option<String>) -> Self {
-        Self {
-            table_name: table_name.unwrap_or_else(|| "rustproxy".to_string()),
-            active_rules: HashMap::new(),
-            table_initialized: false,
-        }
-    }
-
-    /// Check if we are running as root.
-    fn is_root() -> bool {
-        unsafe { libc::geteuid() == 0 }
-    }
-
-    /// Execute a single nft command via the CLI.
-    async fn exec_nft(command: &str) -> Result<String, NftError> {
-        // The command starts with "nft ", strip it to get the args
-        let args = if command.starts_with("nft ") {
-            &command[4..]
-        } else {
-            command
-        };
-
-        let output = tokio::process::Command::new("nft")
-            .args(args.split_whitespace())
-            .output()
-            .await
-            .map_err(NftError::Io)?;
-
-        if output.status.success() {
-            Ok(String::from_utf8_lossy(&output.stdout).to_string())
-        } else {
-            let stderr = String::from_utf8_lossy(&output.stderr);
-            Err(NftError::CommandFailed(format!(
-                "Command '{}' failed: {}",
-                command, stderr
-            )))
-        }
-    }
-
-    /// Ensure the nftables table and chains are set up.
-    async fn ensure_table(&mut self) -> Result<(), NftError> {
-        if self.table_initialized {
-            return Ok(());
-        }
-
-        let setup_commands = crate::rule_builder::build_table_setup(&self.table_name);
-        for cmd in &setup_commands {
-            Self::exec_nft(cmd).await?;
-        }
-
-        self.table_initialized = true;
-        info!("NFTables table '{}' initialized", self.table_name);
-        Ok(())
-    }
-
-    /// Apply rules for a route.
-    ///
-    /// Executes the nft commands via the CLI. If not running as root,
-    /// the rules are stored locally but not applied to the kernel.
-    pub async fn apply_rules(&mut self, route_id: &str, rules: Vec<String>) -> Result<(), NftError> {
-        if !Self::is_root() {
-            warn!("Not running as root, nftables rules will not be applied to kernel");
-            self.active_rules.insert(route_id.to_string(), rules);
-            return Ok(());
-        }
-
-        self.ensure_table().await?;
-
-        for cmd in &rules {
-            Self::exec_nft(cmd).await?;
-            debug!("Applied nft rule: {}", cmd);
-        }
-
-        info!("Applied {} nftables rules for route '{}'", rules.len(), route_id);
-        self.active_rules.insert(route_id.to_string(), rules);
-        Ok(())
-    }
-
-    /// Remove rules for a route.
-    ///
-    /// Currently removes the route from tracking. To fully remove specific
-    /// rules would require handle-based tracking; for now, cleanup() removes
-    /// the entire table.
-    pub async fn remove_rules(&mut self, route_id: &str) -> Result<(), NftError> {
-        if let Some(rules) = self.active_rules.remove(route_id) {
-            info!("Removed {} tracked nft rules for route '{}'", rules.len(), route_id);
-        }
-        Ok(())
-    }
-
-    /// Clean up all managed rules by deleting the entire nftables table.
-    pub async fn cleanup(&mut self) -> Result<(), NftError> {
-        if !Self::is_root() {
-            warn!("Not running as root, skipping nftables cleanup");
-            self.active_rules.clear();
-            self.table_initialized = false;
-            return Ok(());
-        }
-
-        if self.table_initialized {
-            let cleanup_commands = crate::rule_builder::build_table_cleanup(&self.table_name);
-            for cmd in &cleanup_commands {
-                match Self::exec_nft(cmd).await {
-                    Ok(_) => debug!("Cleanup: {}", cmd),
-                    Err(e) => warn!("Cleanup command failed (may be ok): {}", e),
-                }
-            }
-            info!("NFTables table '{}' cleaned up", self.table_name);
-        }
-
-        self.active_rules.clear();
-        self.table_initialized = false;
-        Ok(())
-    }
-
-    /// Get the table name.
-    pub fn table_name(&self) -> &str {
-        &self.table_name
-    }
-
-    /// Whether the table has been initialized in the kernel.
-    pub fn is_initialized(&self) -> bool {
-        self.table_initialized
-    }
-
-    /// Get the number of active route rule sets.
-    pub fn active_route_count(&self) -> usize {
-        self.active_rules.len()
-    }
-
-    /// Get the status of all active rules.
-    pub fn status(&self) -> HashMap<String, serde_json::Value> {
-        let mut status = HashMap::new();
-        for (route_id, rules) in &self.active_rules {
-            status.insert(
-                route_id.clone(),
-                serde_json::json!({
-                    "ruleCount": rules.len(),
-                    "rules": rules,
-                }),
-            );
-        }
-        status
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn test_new_default_table_name() {
-        let mgr = NftManager::new(None);
-        assert_eq!(mgr.table_name(), "rustproxy");
-        assert!(!mgr.is_initialized());
-    }
-
-    #[test]
-    fn test_new_custom_table_name() {
-        let mgr = NftManager::new(Some("custom".to_string()));
-        assert_eq!(mgr.table_name(), "custom");
-    }
-
-    #[tokio::test]
-    async fn test_apply_rules_non_root() {
-        let mut mgr = NftManager::new(None);
-        // When not root, rules are stored but not applied to kernel
-        let rules = vec!["nft add rule ip rustproxy prerouting tcp dport 443 dnat to 10.0.0.1:8443".to_string()];
-        mgr.apply_rules("route-1", rules).await.unwrap();
-        assert_eq!(mgr.active_route_count(), 1);
-
-        let status = mgr.status();
-        assert!(status.contains_key("route-1"));
-        assert_eq!(status["route-1"]["ruleCount"], 1);
-    }
-
-    #[tokio::test]
-    async fn test_remove_rules() {
-        let mut mgr = NftManager::new(None);
-        let rules = vec!["nft add rule test".to_string()];
-        mgr.apply_rules("route-1", rules).await.unwrap();
-        assert_eq!(mgr.active_route_count(), 1);
-
-        mgr.remove_rules("route-1").await.unwrap();
-        assert_eq!(mgr.active_route_count(), 0);
-    }
-
-    #[tokio::test]
-    async fn test_cleanup_non_root() {
-        let mut mgr = NftManager::new(None);
-        let rules = vec!["nft add rule test".to_string()];
-        mgr.apply_rules("route-1", rules).await.unwrap();
-        mgr.apply_rules("route-2", vec!["nft add rule test2".to_string()]).await.unwrap();
-
-        mgr.cleanup().await.unwrap();
-        assert_eq!(mgr.active_route_count(), 0);
-        assert!(!mgr.is_initialized());
-    }
-
-    #[tokio::test]
-    async fn test_status_multiple_routes() {
-        let mut mgr = NftManager::new(None);
-        mgr.apply_rules("web", vec!["rule1".to_string(), "rule2".to_string()]).await.unwrap();
-        mgr.apply_rules("api", vec!["rule3".to_string()]).await.unwrap();
-
-        let status = mgr.status();
-        assert_eq!(status.len(), 2);
-        assert_eq!(status["web"]["ruleCount"], 2);
-        assert_eq!(status["api"]["ruleCount"], 1);
-    }
-}

rust/crates/rustproxy-nftables/src/rule_builder.rs

@@ -1,146 +0,0 @@
-use rustproxy_config::{NfTablesOptions, NfTablesProtocol};
-
-/// Build nftables DNAT rule for port forwarding.
-pub fn build_dnat_rule(
-    table_name: &str,
-    chain_name: &str,
-    source_port: u16,
-    target_host: &str,
-    target_port: u16,
-    options: &NfTablesOptions,
-) -> Vec<String> {
-    let protocols: Vec<&str> = match options.protocol.as_ref().unwrap_or(&NfTablesProtocol::Tcp) {
-        NfTablesProtocol::Tcp => vec!["tcp"],
-        NfTablesProtocol::Udp => vec!["udp"],
-        NfTablesProtocol::All => vec!["tcp", "udp"],
-    };
-
-    let mut rules = Vec::new();
-
-    for protocol in &protocols {
-        // DNAT rule
-        rules.push(format!(
-            "nft add rule ip {} {} {} dport {} dnat to {}:{}",
-            table_name, chain_name, protocol, source_port, target_host, target_port,
-        ));
-
-        // SNAT rule if preserving source IP is not enabled
-        if !options.preserve_source_ip.unwrap_or(false) {
-            rules.push(format!(
-                "nft add rule ip {} postrouting {} dport {} masquerade",
-                table_name, protocol, target_port,
-            ));
-        }
-
-        // Rate limiting
-        if let Some(max_rate) = &options.max_rate {
-            rules.push(format!(
-                "nft add rule ip {} {} {} dport {} limit rate {} accept",
-                table_name, chain_name, protocol, source_port, max_rate,
-            ));
-        }
-    }
-
-    rules
-}
-
-/// Build the initial table and chain setup commands.
-pub fn build_table_setup(table_name: &str) -> Vec<String> {
-    vec![
-        format!("nft add table ip {}", table_name),
-        format!("nft add chain ip {} prerouting {{ type nat hook prerouting priority 0 \\; }}", table_name),
-        format!("nft add chain ip {} postrouting {{ type nat hook postrouting priority 100 \\; }}", table_name),
-    ]
-}
-
-/// Build cleanup commands to remove the table.
-pub fn build_table_cleanup(table_name: &str) -> Vec<String> {
-    vec![format!("nft delete table ip {}", table_name)]
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    fn make_options() -> NfTablesOptions {
-        NfTablesOptions {
-            preserve_source_ip: None,
-            protocol: None,
-            max_rate: None,
-            priority: None,
-            table_name: None,
-            use_ip_sets: None,
-            use_advanced_nat: None,
-        }
-    }
-
-    #[test]
-    fn test_basic_dnat_rule() {
-        let options = make_options();
-        let rules = build_dnat_rule("rustproxy", "prerouting", 443, "10.0.0.1", 8443, &options);
-        assert!(rules.len() >= 1);
-        assert!(rules[0].contains("dnat to 10.0.0.1:8443"));
-        assert!(rules[0].contains("dport 443"));
-    }
-
-    #[test]
-    fn test_preserve_source_ip() {
-        let mut options = make_options();
-        options.preserve_source_ip = Some(true);
-        let rules = build_dnat_rule("rustproxy", "prerouting", 443, "10.0.0.1", 8443, &options);
-        // When preserving source IP, no masquerade rule
-        assert!(rules.iter().all(|r| !r.contains("masquerade")));
-    }
-
-    #[test]
-    fn test_without_preserve_source_ip() {
-        let options = make_options();
-        let rules = build_dnat_rule("rustproxy", "prerouting", 443, "10.0.0.1", 8443, &options);
-        assert!(rules.iter().any(|r| r.contains("masquerade")));
-    }
-
-    #[test]
-    fn test_rate_limited_rule() {
-        let mut options = make_options();
-        options.max_rate = Some("100/second".to_string());
-        let rules = build_dnat_rule("rustproxy", "prerouting", 80, "10.0.0.1", 8080, &options);
-        assert!(rules.iter().any(|r| r.contains("limit rate 100/second")));
-    }
-
-    #[test]
-    fn test_table_setup_commands() {
-        let commands = build_table_setup("rustproxy");
-        assert_eq!(commands.len(), 3);
-        assert!(commands[0].contains("add table ip rustproxy"));
-        assert!(commands[1].contains("prerouting"));
-        assert!(commands[2].contains("postrouting"));
-    }
-
-    #[test]
-    fn test_table_cleanup() {
-        let commands = build_table_cleanup("rustproxy");
-        assert_eq!(commands.len(), 1);
-        assert!(commands[0].contains("delete table ip rustproxy"));
-    }
-
-    #[test]
-    fn test_protocol_all_generates_tcp_and_udp_rules() {
-        let mut options = make_options();
-        options.protocol = Some(NfTablesProtocol::All);
-        let rules = build_dnat_rule("rustproxy", "prerouting", 53, "10.0.0.53", 53, &options);
-        // Should have TCP DNAT + masquerade + UDP DNAT + masquerade = 4 rules
-        assert_eq!(rules.len(), 4);
-        assert!(rules.iter().any(|r| r.contains("tcp dport 53 dnat")));
-        assert!(rules.iter().any(|r| r.contains("udp dport 53 dnat")));
-        assert!(rules.iter().filter(|r| r.contains("masquerade")).count() == 2);
-    }
-
-    #[test]
-    fn test_protocol_udp() {
-        let mut options = make_options();
-        options.protocol = Some(NfTablesProtocol::Udp);
-        let rules = build_dnat_rule("rustproxy", "prerouting", 53, "10.0.0.53", 53, &options);
-        assert!(rules.iter().all(|r| !r.contains("tcp")));
-        assert!(rules.iter().any(|r| r.contains("udp dport 53 dnat")));
-    }
-}

rust/crates/rustproxy-passthrough/src/lib.rs

@@ -10,7 +10,6 @@ pub mod forwarder;
 pub mod proxy_protocol;
 pub mod tls_handler;
 pub mod connection_tracker;
-pub mod socket_relay;
 pub mod socket_opts;
 pub mod udp_session;
 pub mod udp_listener;
@@ -22,7 +21,6 @@ pub use forwarder::*;
 pub use proxy_protocol::*;
 pub use tls_handler::*;
 pub use connection_tracker::*;
-pub use socket_relay::*;
 pub use socket_opts::*;
 pub use udp_session::*;
 pub use udp_listener::*;

rust/crates/rustproxy-passthrough/src/quic_handler.rs

@@ -77,6 +77,13 @@ struct RelaySession {
     cancel: CancellationToken,
 }
 
+impl Drop for RelaySession {
+    fn drop(&mut self) {
+        self.cancel.cancel();
+        self.return_task.abort();
+    }
+}
+
 /// Create a QUIC endpoint with a PROXY protocol v2 relay layer.
 ///
 /// Instead of giving the external socket to quinn, we:
@@ -634,7 +641,7 @@ async fn forward_quic_stream_to_tcp(
     let la_watch = Arc::clone(&last_activity);
     let c2b_abort = c2b.abort_handle();
     let b2c_abort = b2c.abort_handle();
-    tokio::spawn(async move {
+    let watchdog = tokio::spawn(async move {
         let check_interval = std::time::Duration::from_secs(5);
         let mut last_seen = 0u64;
         loop {
@@ -665,6 +672,7 @@ async fn forward_quic_stream_to_tcp(
 
     let bytes_in = c2b.await.unwrap_or(0);
     let bytes_out = b2c.await.unwrap_or(0);
+    watchdog.abort();
 
     Ok((bytes_in, bytes_out))
 }

rust/crates/rustproxy-passthrough/src/socket_relay.rs

@@ -1,126 +1,4 @@
-//! Socket handler relay for connecting client connections to a TypeScript handler
-//! via a Unix domain socket.
+//! Socket handler relay module.
 //!
-//! Protocol: Send a JSON metadata line terminated by `\n`, then bidirectional relay.
-
-use tokio::net::UnixStream;
-use tokio::io::{AsyncWriteExt, AsyncReadExt};
-use tokio::net::TcpStream;
-use serde::Serialize;
-use tracing::debug;
-
-#[derive(Serialize)]
-#[serde(rename_all = "camelCase")]
-struct RelayMetadata {
-    connection_id: u64,
-    remote_ip: String,
-    remote_port: u16,
-    local_port: u16,
-    sni: Option<String>,
-    route_name: String,
-    initial_data_base64: Option<String>,
-}
-
-/// Relay a client connection to a TypeScript handler via Unix domain socket.
-///
-/// Protocol: Send a JSON metadata line terminated by `\n`, then bidirectional relay.
-pub async fn relay_to_handler(
-    client: TcpStream,
-    relay_socket_path: &str,
-    connection_id: u64,
-    remote_ip: String,
-    remote_port: u16,
-    local_port: u16,
-    sni: Option<String>,
-    route_name: String,
-    initial_data: Option<&[u8]>,
-) -> std::io::Result<()> {
-    debug!(
-        "Relaying connection {} to handler socket {}",
-        connection_id, relay_socket_path
-    );
-
-    // Connect to TypeScript handler Unix socket
-    let mut handler = UnixStream::connect(relay_socket_path).await?;
-
-    // Build and send metadata header
-    let initial_data_base64 = initial_data.map(base64_encode);
-
-    let metadata = RelayMetadata {
-        connection_id,
-        remote_ip,
-        remote_port,
-        local_port,
-        sni,
-        route_name,
-        initial_data_base64,
-    };
-
-    let metadata_json = serde_json::to_string(&metadata)
-        .map_err(|e| std::io::Error::new(std::io::ErrorKind::Other, e))?;
-
-    handler.write_all(metadata_json.as_bytes()).await?;
-    handler.write_all(b"\n").await?;
-
-    // Bidirectional relay between client and handler
-    let (mut client_read, mut client_write) = client.into_split();
-    let (mut handler_read, mut handler_write) = handler.into_split();
-
-    let c2h = tokio::spawn(async move {
-        let mut buf = vec![0u8; 65536];
-        loop {
-            let n = match client_read.read(&mut buf).await {
-                Ok(0) | Err(_) => break,
-                Ok(n) => n,
-            };
-            if handler_write.write_all(&buf[..n]).await.is_err() {
-                break;
-            }
-        }
-        let _ = handler_write.shutdown().await;
-    });
-
-    let h2c = tokio::spawn(async move {
-        let mut buf = vec![0u8; 65536];
-        loop {
-            let n = match handler_read.read(&mut buf).await {
-                Ok(0) | Err(_) => break,
-                Ok(n) => n,
-            };
-            if client_write.write_all(&buf[..n]).await.is_err() {
-                break;
-            }
-        }
-        let _ = client_write.shutdown().await;
-    });
-
-    let _ = tokio::join!(c2h, h2c);
-
-    debug!("Relay connection {} completed", connection_id);
-    Ok(())
-}
-
-/// Simple base64 encoding without external dependency.
-fn base64_encode(data: &[u8]) -> String {
-    const CHARS: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-    let mut result = String::new();
-    for chunk in data.chunks(3) {
-        let b0 = chunk[0] as u32;
-        let b1 = if chunk.len() > 1 { chunk[1] as u32 } else { 0 };
-        let b2 = if chunk.len() > 2 { chunk[2] as u32 } else { 0 };
-        let n = (b0 << 16) | (b1 << 8) | b2;
-        result.push(CHARS[((n >> 18) & 0x3F) as usize] as char);
-        result.push(CHARS[((n >> 12) & 0x3F) as usize] as char);
-        if chunk.len() > 1 {
-            result.push(CHARS[((n >> 6) & 0x3F) as usize] as char);
-        } else {
-            result.push('=');
-        }
-        if chunk.len() > 2 {
-            result.push(CHARS[(n & 0x3F) as usize] as char);
-        } else {
-            result.push('=');
-        }
-    }
-    result
-}
+//! Note: The actual relay logic lives in `tcp_listener::relay_to_socket_handler()`
+//! which has proper timeouts, cancellation, and metrics integration.

rust/crates/rustproxy-passthrough/src/tcp_listener.rs

@@ -182,6 +182,7 @@ impl TcpListenerManager {
         http_proxy_svc.set_backend_tls_config_alpn(tls_handler::shared_backend_tls_config_alpn());
         http_proxy_svc.set_connection_timeouts(
             std::time::Duration::from_millis(conn_config.socket_timeout_ms),
+            std::time::Duration::from_millis(conn_config.max_connection_lifetime_ms),
             std::time::Duration::from_millis(conn_config.socket_timeout_ms),
             std::time::Duration::from_millis(conn_config.max_connection_lifetime_ms),
         );
@@ -220,6 +221,7 @@ impl TcpListenerManager {
         http_proxy_svc.set_backend_tls_config_alpn(tls_handler::shared_backend_tls_config_alpn());
         http_proxy_svc.set_connection_timeouts(
             std::time::Duration::from_millis(conn_config.socket_timeout_ms),
+            std::time::Duration::from_millis(conn_config.max_connection_lifetime_ms),
             std::time::Duration::from_millis(conn_config.socket_timeout_ms),
             std::time::Duration::from_millis(conn_config.max_connection_lifetime_ms),
         );
@@ -263,6 +265,7 @@ impl TcpListenerManager {
         http_proxy_svc.set_backend_tls_config_alpn(tls_handler::shared_backend_tls_config_alpn());
         http_proxy_svc.set_connection_timeouts(
             std::time::Duration::from_millis(config.socket_timeout_ms),
+            std::time::Duration::from_millis(config.max_connection_lifetime_ms),
             std::time::Duration::from_millis(config.socket_timeout_ms),
             std::time::Duration::from_millis(config.max_connection_lifetime_ms),
         );

rust/crates/rustproxy-routing/src/route_manager.rs

@@ -355,8 +355,6 @@ mod tests {
                 load_balancing: None,
                 advanced: None,
                 options: None,
-                forwarding_engine: None,
-                nftables: None,
                 send_proxy_protocol: None,
                 udp: None,
             },

rust/crates/rustproxy/Cargo.toml

@@ -20,7 +20,6 @@ rustproxy-routing = { workspace = true }
 rustproxy-tls = { workspace = true }
 rustproxy-passthrough = { workspace = true }
 rustproxy-http = { workspace = true }
-rustproxy-nftables = { workspace = true }
 rustproxy-metrics = { workspace = true }
 rustproxy-security = { workspace = true }
 tokio = { workspace = true }

rust/crates/rustproxy/src/lib.rs

@@ -7,14 +7,40 @@
 //!
 //! ```rust,no_run
 //! use rustproxy::RustProxy;
-//! use rustproxy_config::{RustProxyOptions, create_https_passthrough_route};
+//! use rustproxy_config::*;
 //!
 //! #[tokio::main]
 //! async fn main() -> anyhow::Result<()> {
 //!     let options = RustProxyOptions {
-//!         routes: vec![
-//!             create_https_passthrough_route("example.com", "backend", 443),
-//!         ],
+//!         routes: vec![RouteConfig {
+//!             id: None,
+//!             route_match: RouteMatch {
+//!                 ports: PortRange::Single(443),
+//!                 domains: Some(DomainSpec::Single("example.com".to_string())),
+//!                 path: None, client_ip: None, transport: None,
+//!                 tls_version: None, headers: None, protocol: None,
+//!             },
+//!             action: RouteAction {
+//!                 action_type: RouteActionType::Forward,
+//!                 targets: Some(vec![RouteTarget {
+//!                     target_match: None,
+//!                     host: HostSpec::Single("backend".to_string()),
+//!                     port: PortSpec::Fixed(443),
+//!                     tls: None, websocket: None, load_balancing: None,
+//!                     send_proxy_protocol: None, headers: None, advanced: None,
+//!                     backend_transport: None, priority: None,
+//!                 }]),
+//!                 tls: Some(RouteTls {
+//!                     mode: TlsMode::Passthrough,
+//!                     certificate: None, acme: None, versions: None,
+//!                     ciphers: None, honor_cipher_order: None, session_timeout: None,
+//!                 }),
+//!                 websocket: None, load_balancing: None, advanced: None,
+//!                 options: None, send_proxy_protocol: None, udp: None,
+//!             },
+//!             headers: None, security: None, name: None, description: None,
+//!             priority: None, tags: None, enabled: None,
+//!         }],
 //!         ..Default::default()
 //!     };
 //!
@@ -41,16 +67,14 @@ pub use rustproxy_routing;
 pub use rustproxy_passthrough;
 pub use rustproxy_tls;
 pub use rustproxy_http;
-pub use rustproxy_nftables;
 pub use rustproxy_metrics;
 pub use rustproxy_security;
 
-use rustproxy_config::{RouteConfig, RustProxyOptions, TlsMode, CertificateSpec, ForwardingEngine};
+use rustproxy_config::{RouteConfig, RustProxyOptions, TlsMode, CertificateSpec};
 use rustproxy_routing::RouteManager;
 use rustproxy_passthrough::{TcpListenerManager, UdpListenerManager, TlsCertConfig, ConnectionConfig};
 use rustproxy_metrics::{MetricsCollector, Metrics, Statistics};
 use rustproxy_tls::{CertManager, CertStore, CertBundle, CertMetadata, CertSource};
-use rustproxy_nftables::{NftManager, rule_builder};
 use tokio_util::sync::CancellationToken;
 
 /// Certificate status.
@@ -74,7 +98,6 @@ pub struct RustProxy {
     challenge_server: Option<challenge_server::ChallengeServer>,
     renewal_handle: Option<tokio::task::JoinHandle<()>>,
     sampling_handle: Option<tokio::task::JoinHandle<()>>,
-    nft_manager: Option<NftManager>,
     started: bool,
     started_at: Option<Instant>,
     /// Shared path to a Unix domain socket for relaying socket-handler connections back to TypeScript.
@@ -121,7 +144,6 @@ impl RustProxy {
             challenge_server: None,
             renewal_handle: None,
             sampling_handle: None,
-            nft_manager: None,
             started: false,
             started_at: None,
             socket_handler_relay: Arc::new(std::sync::RwLock::new(None)),
@@ -363,6 +385,7 @@ impl RustProxy {
         // Start the throughput sampling task with cooperative cancellation
         let metrics = Arc::clone(&self.metrics);
         let conn_tracker = self.listener_manager.as_ref().unwrap().conn_tracker().clone();
+        let http_proxy = self.listener_manager.as_ref().unwrap().http_proxy().clone();
         let interval_ms = self.options.metrics.as_ref()
             .and_then(|m| m.sample_interval_ms)
             .unwrap_or(1000);
@@ -378,14 +401,14 @@ impl RustProxy {
                         metrics.sample_all();
                         // Periodically clean up stale rate-limit timestamp entries
                         conn_tracker.cleanup_stale_timestamps();
+                        // Clean up expired rate limiter entries to prevent unbounded
+                        // growth from unique IPs after traffic stops
+                        http_proxy.cleanup_all_rate_limiters();
                     }
                 }
             }
         }));
 
-        // Apply NFTables rules for routes using nftables forwarding engine
-        self.apply_nftables_rules(&self.options.routes.clone()).await;
-
         // Start renewal timer if ACME is enabled
         self.start_renewal_timer();
 
@@ -612,14 +635,6 @@ impl RustProxy {
         }
         self.challenge_server = None;
 
-        // Clean up NFTables rules
-        if let Some(ref mut nft) = self.nft_manager {
-            if let Err(e) = nft.cleanup().await {
-                warn!("NFTables cleanup failed: {}", e);
-            }
-        }
-        self.nft_manager = None;
-
         if let Some(ref mut listener) = self.listener_manager {
             listener.graceful_stop().await;
         }
@@ -821,9 +836,6 @@ impl RustProxy {
             }
         }
 
-        // Update NFTables rules: remove old, apply new
-        self.update_nftables_rules(&routes).await;
-
         self.options.routes = routes;
         Ok(())
     }
@@ -937,8 +949,31 @@ impl RustProxy {
     }
 
     /// Get current metrics snapshot.
+    /// Includes protocol cache entries from the HTTP proxy service.
     pub fn get_metrics(&self) -> Metrics {
-        self.metrics.snapshot()
+        let mut metrics = self.metrics.snapshot();
+        if let Some(ref lm) = self.listener_manager {
+            let entries = lm.http_proxy().protocol_cache_snapshot();
+            metrics.detected_protocols = entries.into_iter().map(|e| {
+                rustproxy_metrics::ProtocolCacheEntryMetric {
+                    host: e.host,
+                    port: e.port,
+                    domain: e.domain,
+                    protocol: e.protocol,
+                    h3_port: e.h3_port,
+                    age_secs: e.age_secs,
+                    last_accessed_secs: e.last_accessed_secs,
+                    last_probed_secs: e.last_probed_secs,
+                    h2_suppressed: e.h2_suppressed,
+                    h3_suppressed: e.h3_suppressed,
+                    h2_cooldown_remaining_secs: e.h2_cooldown_remaining_secs,
+                    h3_cooldown_remaining_secs: e.h3_cooldown_remaining_secs,
+                    h2_consecutive_failures: e.h2_consecutive_failures,
+                    h3_consecutive_failures: e.h3_consecutive_failures,
+                }
+            }).collect();
+        }
+        metrics
     }
 
     /// Add a listening port at runtime.
@@ -1122,99 +1157,6 @@ impl RustProxy {
         Ok(())
     }
 
-    /// Get NFTables status.
-    pub async fn get_nftables_status(&self) -> Result<HashMap<String, serde_json::Value>> {
-        match &self.nft_manager {
-            Some(nft) => Ok(nft.status()),
-            None => Ok(HashMap::new()),
-        }
-    }
-
-    /// Apply NFTables rules for routes using the nftables forwarding engine.
-    async fn apply_nftables_rules(&mut self, routes: &[RouteConfig]) {
-        let nft_routes: Vec<&RouteConfig> = routes.iter()
-            .filter(|r| r.action.forwarding_engine.as_ref() == Some(&ForwardingEngine::Nftables))
-            .collect();
-
-        if nft_routes.is_empty() {
-            return;
-        }
-
-        info!("Applying NFTables rules for {} routes", nft_routes.len());
-
-        let table_name = nft_routes.iter()
-            .find_map(|r| r.action.nftables.as_ref()?.table_name.clone())
-            .unwrap_or_else(|| "rustproxy".to_string());
-
-        let mut nft = NftManager::new(Some(table_name));
-
-        for route in &nft_routes {
-            let route_id = route.id.as_deref()
-                .or(route.name.as_deref())
-                .unwrap_or("unnamed");
-
-            let nft_options = match &route.action.nftables {
-                Some(opts) => opts.clone(),
-                None => rustproxy_config::NfTablesOptions {
-                    preserve_source_ip: None,
-                    protocol: None,
-                    max_rate: None,
-                    priority: None,
-                    table_name: None,
-                    use_ip_sets: None,
-                    use_advanced_nat: None,
-                },
-            };
-
-            let targets = match &route.action.targets {
-                Some(targets) => targets,
-                None => {
-                    warn!("NFTables route '{}' has no targets, skipping", route_id);
-                    continue;
-                }
-            };
-
-            let source_ports = route.route_match.ports.to_ports();
-            for target in targets {
-                let target_host = target.host.first().to_string();
-                let target_port_spec = &target.port;
-
-                for &source_port in &source_ports {
-                    let resolved_port = target_port_spec.resolve(source_port);
-                    let rules = rule_builder::build_dnat_rule(
-                        nft.table_name(),
-                        "prerouting",
-                        source_port,
-                        &target_host,
-                        resolved_port,
-                        &nft_options,
-                    );
-
-                    let rule_id = format!("{}-{}-{}", route_id, source_port, resolved_port);
-                    if let Err(e) = nft.apply_rules(&rule_id, rules).await {
-                        error!("Failed to apply NFTables rules for route '{}': {}", route_id, e);
-                    }
-                }
-            }
-        }
-
-        self.nft_manager = Some(nft);
-    }
-
-    /// Update NFTables rules when routes change.
-    async fn update_nftables_rules(&mut self, new_routes: &[RouteConfig]) {
-        // Clean up old rules
-        if let Some(ref mut nft) = self.nft_manager {
-            if let Err(e) = nft.cleanup().await {
-                warn!("NFTables cleanup during update failed: {}", e);
-            }
-        }
-        self.nft_manager = None;
-
-        // Apply new rules
-        self.apply_nftables_rules(new_routes).await;
-    }
-
     /// Extract TLS configurations from route configs.
     fn extract_tls_configs(routes: &[RouteConfig]) -> HashMap<String, TlsCertConfig> {
         let mut configs = HashMap::new();

rust/crates/rustproxy/src/management.rs

@@ -147,7 +147,6 @@ async fn handle_request(
         "renewCertificate" => handle_renew_certificate(&id, &request.params, proxy).await,
         "getCertificateStatus" => handle_get_certificate_status(&id, &request.params, proxy).await,
         "getListeningPorts" => handle_get_listening_ports(&id, proxy),
-        "getNftablesStatus" => handle_get_nftables_status(&id, proxy).await,
         "setSocketHandlerRelay" => handle_set_socket_handler_relay(&id, &request.params, proxy).await,
         "setDatagramHandlerRelay" => handle_set_datagram_handler_relay(&id, &request.params, proxy).await,
         "addListeningPort" => handle_add_listening_port(&id, &request.params, proxy).await,
@@ -352,26 +351,6 @@ fn handle_get_listening_ports(
     }
 }
 
-async fn handle_get_nftables_status(
-    id: &str,
-    proxy: &Option<RustProxy>,
-) -> ManagementResponse {
-    match proxy.as_ref() {
-        Some(p) => {
-            match p.get_nftables_status().await {
-                Ok(status) => {
-                    match serde_json::to_value(&status) {
-                        Ok(v) => ManagementResponse::ok(id.to_string(), v),
-                        Err(e) => ManagementResponse::err(id.to_string(), format!("Failed to serialize: {}", e)),
-                    }
-                }
-                Err(e) => ManagementResponse::err(id.to_string(), format!("Failed to get status: {}", e)),
-            }
-        }
-        None => ManagementResponse::ok(id.to_string(), serde_json::json!({})),
-    }
-}
-
 async fn handle_set_socket_handler_relay(
     id: &str,
     params: &serde_json::Value,

rust/crates/rustproxy/tests/common/mod.rs

@@ -297,8 +297,6 @@ pub fn make_test_route(
             load_balancing: None,
             advanced: None,
             options: None,
-            forwarding_engine: None,
-            nftables: None,
             send_proxy_protocol: None,
             udp: None,
         },

test/test.bun.ts

@@ -1,11 +1,5 @@
 import { tap, expect } from '@git.zone/tstest/tapbundle';
 
-import {
-  createHttpsTerminateRoute,
-  createCompleteHttpsServer,
-  createHttpRoute,
-} from '../ts/proxies/smart-proxy/utils/route-helpers.js';
-
 import {
   mergeRouteConfigs,
   cloneRoute,
@@ -19,8 +13,11 @@ import {
 
 import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
 
-tap.test('route creation - createHttpsTerminateRoute produces correct structure', async () => {
-  const route = createHttpsTerminateRoute('secure.example.com', { host: '127.0.0.1', port: 8443 });
+tap.test('route creation - HTTPS terminate route has correct structure', async () => {
+  const route: IRouteConfig = {
+    match: { ports: 443, domains: 'secure.example.com' },
+    action: { type: 'forward', targets: [{ host: '127.0.0.1', port: 8443 }], tls: { mode: 'terminate', certificate: 'auto' } }
+  };
   expect(route).toHaveProperty('match');
   expect(route).toHaveProperty('action');
   expect(route.action.type).toEqual('forward');
@@ -29,20 +26,10 @@ tap.test('route creation - createHttpsTerminateRoute produces correct structure'
   expect(route.match.domains).toEqual('secure.example.com');
 });
 
-tap.test('route creation - createCompleteHttpsServer returns redirect and main route', async () => {
-  const routes = createCompleteHttpsServer('app.example.com', { host: '127.0.0.1', port: 3000 });
-  expect(routes).toBeArray();
-  expect(routes.length).toBeGreaterThanOrEqual(2);
-  // Should have an HTTP→HTTPS redirect and an HTTPS route
-  const hasRedirect = routes.some((r) => r.action.type === 'forward' && r.action.redirect !== undefined);
-  const hasHttps = routes.some((r) => r.action.tls?.mode === 'terminate');
-  expect(hasRedirect || hasHttps).toBeTrue();
-});
-
 tap.test('route validation - validateRoutes on a set of routes', async () => {
   const routes: IRouteConfig[] = [
-    createHttpRoute('a.com', { host: '127.0.0.1', port: 3000 }),
-    createHttpRoute('b.com', { host: '127.0.0.1', port: 4000 }),
+    { match: { ports: 80, domains: 'a.com' }, action: { type: 'forward', targets: [{ host: '127.0.0.1', port: 3000 }] } },
+    { match: { ports: 80, domains: 'b.com' }, action: { type: 'forward', targets: [{ host: '127.0.0.1', port: 4000 }] } },
   ];
   const result = validateRoutes(routes);
   expect(result.valid).toBeTrue();
@@ -51,7 +38,7 @@ tap.test('route validation - validateRoutes on a set of routes', async () => {
 
 tap.test('route validation - validateRoutes catches invalid route in set', async () => {
   const routes: any[] = [
-    createHttpRoute('valid.com', { host: '127.0.0.1', port: 3000 }),
+    { match: { ports: 80, domains: 'valid.com' }, action: { type: 'forward', targets: [{ host: '127.0.0.1', port: 3000 }] } },
     { match: { ports: 80 } }, // missing action
   ];
   const result = validateRoutes(routes);
@@ -60,23 +47,30 @@ tap.test('route validation - validateRoutes catches invalid route in set', async
 });
 
 tap.test('path matching - routeMatchesPath with exact path', async () => {
-  const route = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
-  route.match.path = '/api';
+  const route: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com', path: '/api' },
+    action: { type: 'forward', targets: [{ host: '127.0.0.1', port: 3000 }] }
+  };
   expect(routeMatchesPath(route, '/api')).toBeTrue();
   expect(routeMatchesPath(route, '/other')).toBeFalse();
 });
 
 tap.test('path matching - route without path matches everything', async () => {
-  const route = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
-  // No path set, should match any path
+  const route: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: '127.0.0.1', port: 3000 }] }
+  };
   expect(routeMatchesPath(route, '/anything')).toBeTrue();
   expect(routeMatchesPath(route, '/')).toBeTrue();
 });
 
 tap.test('route merging - mergeRouteConfigs combines routes', async () => {
-  const base = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
-  base.priority = 10;
-  base.name = 'base-route';
+  const base: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: '127.0.0.1', port: 3000 }] },
+    priority: 10,
+    name: 'base-route'
+  };
 
   const merged = mergeRouteConfigs(base, {
     priority: 50,
@@ -85,14 +79,16 @@ tap.test('route merging - mergeRouteConfigs combines routes', async () => {
 
   expect(merged.priority).toEqual(50);
   expect(merged.name).toEqual('merged-route');
-  // Original route fields should be preserved
   expect(merged.match.domains).toEqual('example.com');
   expect(merged.action.targets![0].host).toEqual('127.0.0.1');
 });
 
 tap.test('route merging - mergeRouteConfigs does not mutate original', async () => {
-  const base = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
-  base.name = 'original';
+  const base: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: '127.0.0.1', port: 3000 }] },
+    name: 'original'
+  };
 
   const merged = mergeRouteConfigs(base, { name: 'changed' });
   expect(base.name).toEqual('original');
@@ -100,20 +96,21 @@ tap.test('route merging - mergeRouteConfigs does not mutate original', async ()
 });
 
 tap.test('route cloning - cloneRoute produces independent copy', async () => {
-  const original = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
-  original.priority = 42;
-  original.name = 'original-route';
+  const original: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: '127.0.0.1', port: 3000 }] },
+    priority: 42,
+    name: 'original-route'
+  };
 
   const cloned = cloneRoute(original);
 
-  // Should be equal in value
   expect(cloned.match.domains).toEqual('example.com');
   expect(cloned.priority).toEqual(42);
   expect(cloned.name).toEqual('original-route');
   expect(cloned.action.targets![0].host).toEqual('127.0.0.1');
   expect(cloned.action.targets![0].port).toEqual(3000);
 
-  // Should be independent - modifying clone shouldn't affect original
   cloned.name = 'cloned-route';
   cloned.priority = 99;
   expect(original.name).toEqual('original-route');

test/test.deno.ts

@@ -1,11 +1,5 @@
 import { tap, expect } from '@git.zone/tstest/tapbundle';
 
-import {
-  createHttpRoute,
-  createHttpsTerminateRoute,
-  createLoadBalancerRoute,
-} from '../ts/proxies/smart-proxy/utils/route-helpers.js';
-
 import {
   findMatchingRoutes,
   findBestMatchingRoute,
@@ -22,24 +16,11 @@ import {
 
 import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
 
-tap.test('route creation - createHttpRoute produces correct structure', async () => {
-  const route = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
-  expect(route).toHaveProperty('match');
-  expect(route).toHaveProperty('action');
-  expect(route.match.domains).toEqual('example.com');
-  expect(route.action.type).toEqual('forward');
-  expect(route.action.targets).toBeArray();
-  expect(route.action.targets![0].host).toEqual('127.0.0.1');
-  expect(route.action.targets![0].port).toEqual(3000);
-});
-
-tap.test('route creation - createHttpRoute with array of domains', async () => {
-  const route = createHttpRoute(['a.com', 'b.com'], { host: 'localhost', port: 8080 });
-  expect(route.match.domains).toEqual(['a.com', 'b.com']);
-});
-
 tap.test('route validation - validateRouteConfig accepts valid route', async () => {
-  const route = createHttpRoute('valid.example.com', { host: '10.0.0.1', port: 8080 });
+  const route: IRouteConfig = {
+    match: { ports: 80, domains: 'valid.example.com' },
+    action: { type: 'forward', targets: [{ host: '10.0.0.1', port: 8080 }] }
+  };
   const result = validateRouteConfig(route);
   expect(result.valid).toBeTrue();
   expect(result.errors).toHaveLength(0);
@@ -67,30 +48,44 @@ tap.test('route validation - isValidPort checks correctly', async () => {
 });
 
 tap.test('domain matching - exact domain', async () => {
-  const route = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
+  const route: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: '127.0.0.1', port: 3000 }] }
+  };
   expect(routeMatchesDomain(route, 'example.com')).toBeTrue();
   expect(routeMatchesDomain(route, 'other.com')).toBeFalse();
 });
 
 tap.test('domain matching - wildcard domain', async () => {
-  const route = createHttpRoute('*.example.com', { host: '127.0.0.1', port: 3000 });
+  const route: IRouteConfig = {
+    match: { ports: 80, domains: '*.example.com' },
+    action: { type: 'forward', targets: [{ host: '127.0.0.1', port: 3000 }] }
+  };
   expect(routeMatchesDomain(route, 'sub.example.com')).toBeTrue();
   expect(routeMatchesDomain(route, 'example.com')).toBeFalse();
 });
 
 tap.test('port matching - single port', async () => {
-  const route = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
-  // createHttpRoute defaults to port 80
+  const route: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: '127.0.0.1', port: 3000 }] }
+  };
   expect(routeMatchesPort(route, 80)).toBeTrue();
   expect(routeMatchesPort(route, 443)).toBeFalse();
 });
 
 tap.test('route finding - findBestMatchingRoute selects by priority', async () => {
-  const lowPriority = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
-  lowPriority.priority = 10;
+  const lowPriority: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: '127.0.0.1', port: 3000 }] },
+    priority: 10
+  };
 
-  const highPriority = createHttpRoute('example.com', { host: '127.0.0.1', port: 4000 });
-  highPriority.priority = 100;
+  const highPriority: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: '127.0.0.1', port: 4000 }] },
+    priority: 100
+  };
 
   const routes: IRouteConfig[] = [lowPriority, highPriority];
   const best = findBestMatchingRoute(routes, { domain: 'example.com', port: 80 });
@@ -100,9 +95,18 @@ tap.test('route finding - findBestMatchingRoute selects by priority', async () =
 });
 
 tap.test('route finding - findMatchingRoutes returns all matches', async () => {
-  const route1 = createHttpRoute('example.com', { host: '127.0.0.1', port: 3000 });
-  const route2 = createHttpRoute('example.com', { host: '127.0.0.1', port: 4000 });
-  const route3 = createHttpRoute('other.com', { host: '127.0.0.1', port: 5000 });
+  const route1: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: '127.0.0.1', port: 3000 }] }
+  };
+  const route2: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: '127.0.0.1', port: 4000 }] }
+  };
+  const route3: IRouteConfig = {
+    match: { ports: 80, domains: 'other.com' },
+    action: { type: 'forward', targets: [{ host: '127.0.0.1', port: 5000 }] }
+  };
 
   const matches = findMatchingRoutes([route1, route2, route3], { domain: 'example.com', port: 80 });
   expect(matches).toHaveLength(2);

test/test.forwarding.examples.ts

@@ -2,146 +2,101 @@ import * as path from 'path';
 import { tap, expect } from '@git.zone/tstest/tapbundle';
 
 import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
-import {
-  createHttpRoute,
-  createHttpsTerminateRoute,
-  createHttpsPassthroughRoute,
-  createHttpToHttpsRedirect,
-  createCompleteHttpsServer,
-  createLoadBalancerRoute,
-  createApiRoute,
-  createWebSocketRoute
-} from '../ts/proxies/smart-proxy/utils/route-helpers.js';
+import { SocketHandlers } from '../ts/proxies/smart-proxy/utils/socket-handlers.js';
 import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
 
-// Test to demonstrate various route configurations using the new helpers
 tap.test('Route-based configuration examples', async (tools) => {
-  // Example 1: HTTP-only configuration
-  const httpOnlyRoute = createHttpRoute(
-    'http.example.com',
-    {
-      host: 'localhost',
-      port: 3000
-    },
-    {
+  const httpOnlyRoute: IRouteConfig = {
+    match: { ports: 80, domains: 'http.example.com' },
+    action: { type: 'forward', targets: [{ host: 'localhost', port: 3000 }] },
     name: 'Basic HTTP Route'
-    }
-  );
+  };
 
   console.log('HTTP-only route created successfully:', httpOnlyRoute.name);
   expect(httpOnlyRoute.action.type).toEqual('forward');
   expect(httpOnlyRoute.match.domains).toEqual('http.example.com');
 
-  // Example 2: HTTPS Passthrough (SNI) configuration
-  const httpsPassthroughRoute = createHttpsPassthroughRoute(
-    'pass.example.com',
-    {
-      host: ['10.0.0.1', '10.0.0.2'], // Round-robin target IPs
-      port: 443
-    },
-    {
+  const httpsPassthroughRoute: IRouteConfig = {
+    match: { ports: 443, domains: 'pass.example.com' },
+    action: { type: 'forward', targets: [{ host: '10.0.0.1', port: 443 }, { host: '10.0.0.2', port: 443 }], tls: { mode: 'passthrough' } },
     name: 'HTTPS Passthrough Route'
-    }
-  );
+  };
 
   expect(httpsPassthroughRoute).toBeTruthy();
   expect(httpsPassthroughRoute.action.tls?.mode).toEqual('passthrough');
   expect(Array.isArray(httpsPassthroughRoute.action.targets)).toBeTrue();
 
-  // Example 3: HTTPS Termination to HTTP Backend
-  const terminateToHttpRoute = createHttpsTerminateRoute(
-    'secure.example.com',
-    {
-      host: 'localhost',
-      port: 8080
-    },
-    {
-      certificate: 'auto',
+  const terminateToHttpRoute: IRouteConfig = {
+    match: { ports: 443, domains: 'secure.example.com' },
+    action: { type: 'forward', targets: [{ host: 'localhost', port: 8080 }], tls: { mode: 'terminate', certificate: 'auto' } },
     name: 'HTTPS Termination to HTTP Backend'
-    }
-  );
+  };
 
-  // Create the HTTP to HTTPS redirect for this domain
-  const httpToHttpsRedirect = createHttpToHttpsRedirect(
-    'secure.example.com',
-    443,
-    {
+  const httpToHttpsRedirect: IRouteConfig = {
+    match: { ports: 80, domains: 'secure.example.com' },
+    action: { type: 'socket-handler', socketHandler: SocketHandlers.httpRedirect('https://{domain}:443{path}', 301) },
     name: 'HTTP to HTTPS Redirect for secure.example.com'
-    }
-  );
+  };
 
   expect(terminateToHttpRoute).toBeTruthy();
   expect(terminateToHttpRoute.action.tls?.mode).toEqual('terminate');
-  expect(httpToHttpsRedirect.action.type).toEqual('socket-handler');
 
-  // Example 4: Load Balancer with HTTPS
-  const loadBalancerRoute = createLoadBalancerRoute(
-    'proxy.example.com',
-    ['internal-api-1.local', 'internal-api-2.local'],
-    8443,
-    {
-      tls: {
-        mode: 'terminate-and-reencrypt',
-        certificate: 'auto'
+  const loadBalancerRoute: IRouteConfig = {
+    match: { ports: 443, domains: 'proxy.example.com' },
+    action: {
+      type: 'forward',
+      targets: [
+        { host: 'internal-api-1.local', port: 8443 },
+        { host: 'internal-api-2.local', port: 8443 }
+      ],
+      tls: { mode: 'terminate-and-reencrypt', certificate: 'auto' }
     },
     name: 'Load Balanced HTTPS Route'
-    }
-  );
+  };
 
   expect(loadBalancerRoute).toBeTruthy();
   expect(loadBalancerRoute.action.tls?.mode).toEqual('terminate-and-reencrypt');
   expect(Array.isArray(loadBalancerRoute.action.targets)).toBeTrue();
 
-  // Example 5: API Route
-  const apiRoute = createApiRoute(
-    'api.example.com',
-    '/api',
-    { host: 'localhost', port: 8081 },
-    {
-      name: 'API Route',
-      useTls: true,
-      addCorsHeaders: true
-    }
-  );
+  const apiRoute: IRouteConfig = {
+    match: { ports: 443, domains: 'api.example.com', path: '/api' },
+    action: {
+      type: 'forward',
+      targets: [{ host: 'localhost', port: 8081 }],
+      tls: { mode: 'terminate', certificate: 'auto' }
+    },
+    name: 'API Route'
+  };
 
   expect(apiRoute.action.type).toEqual('forward');
   expect(apiRoute.match.path).toBeTruthy();
 
-  // Example 6: Complete HTTPS Server with HTTP Redirect
-  const httpsServerRoutes = createCompleteHttpsServer(
-    'complete.example.com',
-    {
-      host: 'localhost',
-      port: 8080
-    },
-    {
-      certificate: 'auto',
+  const httpsRoute: IRouteConfig = {
+    match: { ports: 443, domains: 'complete.example.com' },
+    action: { type: 'forward', targets: [{ host: 'localhost', port: 8080 }], tls: { mode: 'terminate', certificate: 'auto' } },
     name: 'Complete HTTPS Server'
-    }
-  );
+  };
 
-  expect(Array.isArray(httpsServerRoutes)).toBeTrue();
-  expect(httpsServerRoutes.length).toEqual(2); // HTTPS route and HTTP redirect
-  expect(httpsServerRoutes[0].action.tls?.mode).toEqual('terminate');
-  expect(httpsServerRoutes[1].action.type).toEqual('socket-handler');
+  const httpsRedirectRoute: IRouteConfig = {
+    match: { ports: 80, domains: 'complete.example.com' },
+    action: { type: 'socket-handler', socketHandler: SocketHandlers.httpRedirect('https://{domain}:443{path}', 301) },
+    name: 'Complete HTTPS Server - Redirect'
+  };
 
-  // Example 7: Static File Server - removed (use nginx/apache behind proxy)
-
-  // Example 8: WebSocket Route
-  const webSocketRoute = createWebSocketRoute(
-    'ws.example.com',
-    '/ws',
-    { host: 'localhost', port: 8082 },
-    {
-      useTls: true,
+  const webSocketRoute: IRouteConfig = {
+    match: { ports: 443, domains: 'ws.example.com', path: '/ws' },
+    action: {
+      type: 'forward',
+      targets: [{ host: 'localhost', port: 8082 }],
+      tls: { mode: 'terminate', certificate: 'auto' },
+      websocket: { enabled: true }
+    },
     name: 'WebSocket Route'
-    }
-  );
+  };
 
   expect(webSocketRoute.action.type).toEqual('forward');
   expect(webSocketRoute.action.websocket?.enabled).toBeTrue();
 
-  // Create a SmartProxy instance with all routes
   const allRoutes: IRouteConfig[] = [
     httpOnlyRoute,
     httpsPassthroughRoute,
@@ -149,19 +104,17 @@ tap.test('Route-based configuration examples', async (tools) => {
     httpToHttpsRedirect,
     loadBalancerRoute,
     apiRoute,
-    ...httpsServerRoutes,
+    httpsRoute,
+    httpsRedirectRoute,
     webSocketRoute
   ];
 
-  // We're not actually starting the SmartProxy in this test,
-  // just verifying that the configuration is valid
   const smartProxy = new SmartProxy({
     routes: allRoutes
   });
 
-  // Just verify that all routes are configured correctly
   console.log(`Created ${allRoutes.length} example routes`);
-  expect(allRoutes.length).toEqual(9); // One less without static file route
+  expect(allRoutes.length).toEqual(9);
 });
 
 export default tap.start();

test/test.forwarding.ts

@@ -1,27 +1,8 @@
 import { tap, expect } from '@git.zone/tstest/tapbundle';
 import * as plugins from '../ts/plugins.js';
 
-// Import route-based helpers
-import {
-  createHttpRoute,
-  createHttpsTerminateRoute,
-  createHttpsPassthroughRoute,
-  createHttpToHttpsRedirect,
-  createCompleteHttpsServer
-} from '../ts/proxies/smart-proxy/utils/route-helpers.js';
+import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
 
-// Create helper functions for backward compatibility
-const helpers = {
-  httpOnly: (domains: string | string[], target: any) => createHttpRoute(domains, target),
-  tlsTerminateToHttp: (domains: string | string[], target: any) => 
-    createHttpsTerminateRoute(domains, target),
-  tlsTerminateToHttps: (domains: string | string[], target: any) => 
-    createHttpsTerminateRoute(domains, target, { reencrypt: true }),
-  httpsPassthrough: (domains: string | string[], target: any) => 
-    createHttpsPassthroughRoute(domains, target)
-};
-
-// Route-based utility functions for testing
 function findRouteForDomain(routes: any[], domain: string): any {
   return routes.find(route => {
     const domains = Array.isArray(route.match.domains)
@@ -31,55 +12,44 @@ function findRouteForDomain(routes: any[], domain: string): any {
   });
 }
 
-// Replace the old test with route-based tests
 tap.test('Route Helpers - Create HTTP routes', async () => {
-  const route = helpers.httpOnly('example.com', { host: 'localhost', port: 3000 });
+  const route: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: 'localhost', port: 3000 }] }
+  };
   expect(route.action.type).toEqual('forward');
   expect(route.match.domains).toEqual('example.com');
   expect(route.action.targets?.[0]).toEqual({ host: 'localhost', port: 3000 });
 });
 
 tap.test('Route Helpers - Create HTTPS terminate to HTTP routes', async () => {
-  const route = helpers.tlsTerminateToHttp('secure.example.com', { host: 'localhost', port: 3000 });
+  const route: IRouteConfig = {
+    match: { ports: 443, domains: 'secure.example.com' },
+    action: { type: 'forward', targets: [{ host: 'localhost', port: 3000 }], tls: { mode: 'terminate', certificate: 'auto' } }
+  };
   expect(route.action.type).toEqual('forward');
   expect(route.match.domains).toEqual('secure.example.com');
   expect(route.action.tls?.mode).toEqual('terminate');
 });
 
 tap.test('Route Helpers - Create HTTPS passthrough routes', async () => {
-  const route = helpers.httpsPassthrough('passthrough.example.com', { host: 'backend', port: 443 });
+  const route: IRouteConfig = {
+    match: { ports: 443, domains: 'passthrough.example.com' },
+    action: { type: 'forward', targets: [{ host: 'backend', port: 443 }], tls: { mode: 'passthrough' } }
+  };
   expect(route.action.type).toEqual('forward');
   expect(route.match.domains).toEqual('passthrough.example.com');
   expect(route.action.tls?.mode).toEqual('passthrough');
 });
 
 tap.test('Route Helpers - Create HTTPS to HTTPS routes', async () => {
-  const route = helpers.tlsTerminateToHttps('reencrypt.example.com', { host: 'backend', port: 443 });
+  const route: IRouteConfig = {
+    match: { ports: 443, domains: 'reencrypt.example.com' },
+    action: { type: 'forward', targets: [{ host: 'backend', port: 443 }], tls: { mode: 'terminate-and-reencrypt', certificate: 'auto' } }
+  };
   expect(route.action.type).toEqual('forward');
   expect(route.match.domains).toEqual('reencrypt.example.com');
   expect(route.action.tls?.mode).toEqual('terminate-and-reencrypt');
 });
 
-tap.test('Route Helpers - Create complete HTTPS server with redirect', async () => {
-  const routes = createCompleteHttpsServer(
-    'full.example.com',
-    { host: 'localhost', port: 3000 },
-    { certificate: 'auto' }
-  );
-  
-  expect(routes.length).toEqual(2);
-  
-  // Check HTTP to HTTPS redirect - find route by port
-  const redirectRoute = routes.find(r => r.match.ports === 80);
-  expect(redirectRoute.action.type).toEqual('socket-handler');
-  expect(redirectRoute.action.socketHandler).toBeDefined();
-  expect(redirectRoute.match.ports).toEqual(80);
-  
-  // Check HTTPS route
-  const httpsRoute = routes.find(r => r.action.type === 'forward');
-  expect(httpsRoute.match.ports).toEqual(443);
-  expect(httpsRoute.action.tls?.mode).toEqual('terminate');
-});
-
-// Export test runner
 export default tap.start();

test/test.nftables-integration.simple.ts

@@ -1,15 +1,14 @@
 import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
-import { createNfTablesRoute, createNfTablesTerminateRoute } from '../ts/proxies/smart-proxy/utils/route-helpers.js';
 import { expect, tap } from '@git.zone/tstest/tapbundle';
 import * as child_process from 'child_process';
 import { promisify } from 'util';
 
+import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
+
 const exec = promisify(child_process.exec);
 
-// Check if we have root privileges to run NFTables tests
 async function checkRootPrivileges(): Promise<boolean> {
   try {
-    // Check if we're running as root
     const { stdout } = await exec('id -u');
     return stdout.trim() === '0';
   } catch (err) {
@@ -17,7 +16,6 @@ async function checkRootPrivileges(): Promise<boolean> {
   }
 }
 
-// Check if tests should run
 const isRoot = await checkRootPrivileges();
 
 if (!isRoot) {
@@ -29,38 +27,45 @@ if (!isRoot) {
   console.log('');
 }
 
-// Define the test with proper skip condition
 const testFn = isRoot ? tap.test : tap.skip.test;
 
 testFn('NFTables integration tests', async () => {
 
   console.log('Running NFTables tests with root privileges');
 
-  // Create test routes
-  const routes = [
-    createNfTablesRoute('tcp-forward', {
-      host: 'localhost',
-      port: 8080
-    }, {
-      ports: 9080,
-      protocol: 'tcp'
-    }),
+  const routes: IRouteConfig[] = [
+    {
+      match: { ports: 9080 },
+      action: {
+        type: 'forward',
+        forwardingEngine: 'nftables',
+        targets: [{ host: 'localhost', port: 8080 }],
+        nftables: { protocol: 'tcp' }
+      },
+      name: 'tcp-forward'
+    },
 
-    createNfTablesRoute('udp-forward', {
-      host: 'localhost',
-      port: 5353
-    }, {
-      ports: 5354,
-      protocol: 'udp'
-    }),
+    {
+      match: { ports: 5354 },
+      action: {
+        type: 'forward',
+        forwardingEngine: 'nftables',
+        targets: [{ host: 'localhost', port: 5353 }],
+        nftables: { protocol: 'udp' }
+      },
+      name: 'udp-forward'
+    },
 
-    createNfTablesRoute('port-range', {
-      host: 'localhost',
-      port: 8080
-    }, {
-      ports: [{ from: 9000, to: 9100 }],
-      protocol: 'tcp'
-    })
+    {
+      match: { ports: [{ from: 9000, to: 9100 }] },
+      action: {
+        type: 'forward',
+        forwardingEngine: 'nftables',
+        targets: [{ host: 'localhost', port: 8080 }],
+        nftables: { protocol: 'tcp' }
+      },
+      name: 'port-range'
+    }
   ];
 
   const smartProxy = new SmartProxy({
@@ -68,15 +73,12 @@ testFn('NFTables integration tests', async () => {
     routes
   });
 
-  // Start the proxy
   await smartProxy.start();
   console.log('SmartProxy started with NFTables routes');
 
-  // Get NFTables status
   const status = await smartProxy.getNfTablesStatus();
   console.log('NFTables status:', JSON.stringify(status, null, 2));
 
-  // Verify all routes are provisioned
   expect(Object.keys(status).length).toEqual(routes.length);
 
   for (const routeStatus of Object.values(status)) {
@@ -84,11 +86,9 @@ testFn('NFTables integration tests', async () => {
     expect(routeStatus.ruleCount.total).toBeGreaterThan(0);
   }
 
-  // Stop the proxy
   await smartProxy.stop();
   console.log('SmartProxy stopped');
 
-  // Verify all rules are cleaned up
   const finalStatus = await smartProxy.getNfTablesStatus();
   expect(Object.keys(finalStatus).length).toEqual(0);
 });

test/test.nftables-integration.ts

@@ -1,5 +1,4 @@
 import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
-import { createNfTablesRoute, createNfTablesTerminateRoute } from '../ts/proxies/smart-proxy/utils/route-helpers.js';
 import { expect, tap } from '@git.zone/tstest/tapbundle';
 import * as net from 'net';
 import * as http from 'http';
@@ -10,13 +9,13 @@ import { fileURLToPath } from 'url';
 import * as child_process from 'child_process';
 import { promisify } from 'util';
 
+import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.js';
+
 const exec = promisify(child_process.exec);
 
-// Get __dirname equivalent for ES modules
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
 
-// Check if we have root privileges
 async function checkRootPrivileges(): Promise<boolean> {
   try {
     const { stdout } = await exec('id -u');
@@ -26,7 +25,6 @@ async function checkRootPrivileges(): Promise<boolean> {
   }
 }
 
-// Check if tests should run
 const runTests = await checkRootPrivileges();
 
 if (!runTests) {
@@ -36,10 +34,8 @@ if (!runTests) {
   console.log('Skipping NFTables integration tests');
   console.log('========================================');
   console.log('');
-  // Skip tests when not running as root - tests are marked with tap.skip.test
 }
 
-// Test server and client utilities
 let testTcpServer: net.Server;
 let testHttpServer: http.Server;
 let testHttpsServer: https.Server;
@@ -53,10 +49,8 @@ const PROXY_HTTP_PORT = 5001;
 const PROXY_HTTPS_PORT = 5002;
 const TEST_DATA = 'Hello through NFTables!';
 
-// Helper to create test certificates
 async function createTestCertificates() {
   try {
-    // Import the certificate helper
     const certsModule = await import('./helpers/certificates.js');
     const certificates = certsModule.loadTestCertificates();
     return {
@@ -65,7 +59,6 @@ async function createTestCertificates() {
     };
   } catch (err) {
     console.error('Failed to load test certificates:', err);
-    // Use dummy certificates for testing
     return {
       cert: fs.readFileSync(path.join(__dirname, '..', 'assets', 'certs', 'cert.pem'), 'utf8'),
       key: fs.readFileSync(path.join(__dirname, '..', 'assets', 'certs', 'key.pem'), 'utf8')
@@ -76,7 +69,6 @@ async function createTestCertificates() {
 tap.skip.test('setup NFTables integration test environment', async () => {
   console.log('Running NFTables integration tests with root privileges');
 
-  // Create a basic TCP test server
   testTcpServer = net.createServer((socket) => {
     socket.on('data', (data) => {
       socket.write(`Server says: ${data.toString()}`);
@@ -90,7 +82,6 @@ tap.skip.test('setup NFTables integration test environment', async () => {
     });
   });
 
-  // Create an HTTP test server
   testHttpServer = http.createServer((req, res) => {
     res.writeHead(200, { 'Content-Type': 'text/plain' });
     res.end(`HTTP Server says: ${TEST_DATA}`);
@@ -103,7 +94,6 @@ tap.skip.test('setup NFTables integration test environment', async () => {
     });
   });
 
-  // Create an HTTPS test server
   const certs = await createTestCertificates();
   testHttpsServer = https.createServer({ key: certs.key, cert: certs.cert }, (req, res) => {
     res.writeHead(200, { 'Content-Type': 'text/plain' });
@@ -117,69 +107,73 @@ tap.skip.test('setup NFTables integration test environment', async () => {
     });
   });
 
-  // Create SmartProxy with various NFTables routes
   smartProxy = new SmartProxy({
     enableDetailedLogging: true,
     routes: [
-      // TCP forwarding route
-      createNfTablesRoute('tcp-nftables', {
-        host: 'localhost',
-        port: TEST_TCP_PORT
-      }, {
-        ports: PROXY_TCP_PORT,
-        protocol: 'tcp'
-      }),
+      {
+        match: { ports: PROXY_TCP_PORT },
+        action: {
+          type: 'forward',
+          forwardingEngine: 'nftables',
+          targets: [{ host: 'localhost', port: TEST_TCP_PORT }],
+          nftables: { protocol: 'tcp' }
+        },
+        name: 'tcp-nftables'
+      },
 
-      // HTTP forwarding route
-      createNfTablesRoute('http-nftables', {
-        host: 'localhost',
-        port: TEST_HTTP_PORT
-      }, {
-        ports: PROXY_HTTP_PORT,
-        protocol: 'tcp'
-      }),
+      {
+        match: { ports: PROXY_HTTP_PORT },
+        action: {
+          type: 'forward',
+          forwardingEngine: 'nftables',
+          targets: [{ host: 'localhost', port: TEST_HTTP_PORT }],
+          nftables: { protocol: 'tcp' }
+        },
+        name: 'http-nftables'
+      },
 
-      // HTTPS termination route
-      createNfTablesTerminateRoute('https-nftables.example.com', {
-        host: 'localhost',
-        port: TEST_HTTPS_PORT
-      }, {
-        ports: PROXY_HTTPS_PORT,
-        protocol: 'tcp',
-        certificate: certs
-      }),
+      {
+        match: { ports: PROXY_HTTPS_PORT, domains: 'https-nftables.example.com' },
+        action: {
+          type: 'forward',
+          forwardingEngine: 'nftables',
+          targets: [{ host: 'localhost', port: TEST_HTTPS_PORT }],
+          tls: { mode: 'terminate', certificate: 'auto' },
+          nftables: { protocol: 'tcp' }
+        },
+        name: 'https-nftables'
+      },
 
-      // Route with IP allow list
-      createNfTablesRoute('secure-tcp', {
-        host: 'localhost',
-        port: TEST_TCP_PORT
-      }, {
-        ports: 5003,
-        protocol: 'tcp',
-        ipAllowList: ['127.0.0.1', '::1']
-      }),
+      {
+        match: { ports: 5003 },
+        action: {
+          type: 'forward',
+          forwardingEngine: 'nftables',
+          targets: [{ host: 'localhost', port: TEST_TCP_PORT }],
+          nftables: { protocol: 'tcp', ipAllowList: ['127.0.0.1', '::1'] }
+        },
+        name: 'secure-tcp'
+      },
 
-      // Route with QoS settings
-      createNfTablesRoute('qos-tcp', {
-        host: 'localhost',
-        port: TEST_TCP_PORT
-      }, {
-        ports: 5004,
-        protocol: 'tcp',
-        maxRate: '10mbps',
-        priority: 1
-      })
+      {
+        match: { ports: 5004 },
+        action: {
+          type: 'forward',
+          forwardingEngine: 'nftables',
+          targets: [{ host: 'localhost', port: TEST_TCP_PORT }],
+          nftables: { protocol: 'tcp', maxRate: '10mbps', priority: 1 }
+        },
+        name: 'qos-tcp'
+      }
     ]
   });
 
   console.log('SmartProxy created, now starting...');
 
-  // Start the proxy
   try {
     await smartProxy.start();
     console.log('SmartProxy started successfully');
 
-    // Verify proxy is listening on expected ports
     const listeningPorts = smartProxy.getListeningPorts();
     console.log(`SmartProxy is listening on ports: ${listeningPorts.join(', ')}`);
   } catch (err) {
@@ -191,7 +185,6 @@ tap.skip.test('setup NFTables integration test environment', async () => {
 tap.skip.test('should forward TCP connections through NFTables', async () => {
   console.log(`Attempting to connect to proxy TCP port ${PROXY_TCP_PORT}...`);
 
-  // First verify our test server is running
   try {
     const testClient = new net.Socket();
     await new Promise<void>((resolve, reject) => {
@@ -206,7 +199,6 @@ tap.skip.test('should forward TCP connections through NFTables', async () => {
     console.error(`Test server on port ${TEST_TCP_PORT} is not accessible: ${err}`);
   }
 
-  // Connect to the proxy port
   const client = new net.Socket();
 
   const response = await new Promise<string>((resolve, reject) => {
@@ -259,14 +251,13 @@ tap.skip.test('should forward HTTP connections through NFTables', async () => {
 });
 
 tap.skip.test('should handle HTTPS termination with NFTables', async () => {
-  // Skip this test if running without proper certificates
   const response = await new Promise<string>((resolve, reject) => {
     const options = {
       hostname: 'localhost',
       port: PROXY_HTTPS_PORT,
       path: '/',
       method: 'GET',
-      rejectUnauthorized: false // For self-signed cert
+      rejectUnauthorized: false
     };
 
     https.get(options, (res) => {
@@ -284,7 +275,6 @@ tap.skip.test('should handle HTTPS termination with NFTables', async () => {
 });
 
 tap.skip.test('should respect IP allow lists in NFTables', async () => {
-  // This test should pass since we're connecting from localhost
   const client = new net.Socket();
 
   const connected = await new Promise<boolean>((resolve) => {
@@ -311,11 +301,9 @@ tap.skip.test('should respect IP allow lists in NFTables', async () => {
 tap.skip.test('should get NFTables status', async () => {
   const status = await smartProxy.getNfTablesStatus();
 
-  // Check that we have status for our routes
   const statusKeys = Object.keys(status);
   expect(statusKeys.length).toBeGreaterThan(0);
 
-  // Check status structure for one of the routes
   const firstStatus = status[statusKeys[0]];
   expect(firstStatus).toHaveProperty('active');
   expect(firstStatus).toHaveProperty('ruleCount');
@@ -324,7 +312,6 @@ tap.skip.test('should get NFTables status', async () => {
 });
 
 tap.skip.test('cleanup NFTables integration test environment', async () => {
-  // Stop the proxy and test servers
   await smartProxy.stop();
 
   await new Promise<void>((resolve) => {

test/test.port-mapping.ts

@@ -1,30 +1,20 @@
 import { expect, tap } from '@git.zone/tstest/tapbundle';
 import * as net from 'net';
 import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
-import {
-  createPortMappingRoute,
-  createOffsetPortMappingRoute,
-  createDynamicRoute,
-  createSmartLoadBalancer,
-  createPortOffset
-} from '../ts/proxies/smart-proxy/utils/route-helpers.js';
 import type { IRouteConfig, IRouteContext } from '../ts/proxies/smart-proxy/models/route-types.js';
 import { findFreePorts, assertPortsFree } from './helpers/port-allocator.js';
 
-// Test server and client utilities
 let testServers: Array<{ server: net.Server; port: number }> = [];
 let smartProxy: SmartProxy;
 
-let TEST_PORTS: number[];    // 3 test server ports
-let PROXY_PORTS: number[];   // 6 proxy ports
+let TEST_PORTS: number[];
+let PROXY_PORTS: number[];
 const TEST_DATA = 'Hello through dynamic port mapper!';
 
-// Cleanup function to close all servers and proxies
 function cleanup() {
   console.log('Starting cleanup...');
   const promises = [];
 
-  // Close test servers
   for (const { server, port } of testServers) {
     promises.push(new Promise<void>(resolve => {
       console.log(`Closing test server on port ${port}`);
@@ -35,7 +25,6 @@ function cleanup() {
     }));
   }
 
-  // Stop SmartProxy
   if (smartProxy) {
     console.log('Stopping SmartProxy...');
     promises.push(smartProxy.stop().then(() => {
@@ -46,12 +35,10 @@ function cleanup() {
   return Promise.all(promises);
 }
 
-// Helper: Creates a test TCP server that listens on a given port
 function createTestServer(port: number): Promise<net.Server> {
   return new Promise((resolve) => {
     const server = net.createServer((socket) => {
       socket.on('data', (data) => {
-        // Echo the received data back with a server identifier
         socket.write(`Server ${port} says: ${data.toString()}`);
       });
       socket.on('error', (error) => {
@@ -67,7 +54,6 @@ function createTestServer(port: number): Promise<net.Server> {
   });
 }
 
-// Helper: Creates a test client connection with timeout
 function createTestClient(port: number, data: string): Promise<string> {
   return new Promise((resolve, reject) => {
     const client = new net.Socket();
@@ -100,123 +86,108 @@ function createTestClient(port: number, data: string): Promise<string> {
   });
 }
 
-// Set up test environment
 tap.test('setup port mapping test environment', async () => {
   const allPorts = await findFreePorts(9);
   TEST_PORTS = allPorts.slice(0, 3);
   PROXY_PORTS = allPorts.slice(3, 9);
 
-  // Create multiple test servers on different ports
   await Promise.all([
     createTestServer(TEST_PORTS[0]),
     createTestServer(TEST_PORTS[1]),
     createTestServer(TEST_PORTS[2]),
   ]);
 
-  // Compute dynamic offset between proxy and test ports
   const portOffset = TEST_PORTS[1] - PROXY_PORTS[1];
 
-  // Create a SmartProxy with dynamic port mapping routes
   smartProxy = new SmartProxy({
     routes: [
-      // Simple function that returns the same port (identity mapping)
-      createPortMappingRoute({
-        sourcePortRange: PROXY_PORTS[0],
-        targetHost: 'localhost',
-        portMapper: (context) => TEST_PORTS[0],
+      {
+        match: { ports: PROXY_PORTS[0] },
+        action: {
+          type: 'forward',
+          targets: [{
+            host: 'localhost',
+            port: (context: IRouteContext) => TEST_PORTS[0]
+          }]
+        },
         name: 'Identity Port Mapping'
-      }),
+      },
 
-      // Offset port mapping using dynamic offset
-      createOffsetPortMappingRoute({
-        ports: PROXY_PORTS[1],
-        targetHost: 'localhost',
-        offset: portOffset,
+      {
+        match: { ports: PROXY_PORTS[1] },
+        action: {
+          type: 'forward',
+          targets: [{
+            host: 'localhost',
+            port: (context: IRouteContext) => context.port + portOffset
+          }]
+        },
         name: `Offset Port Mapping (${portOffset})`
-      }),
+      },
 
-      // Dynamic route with conditional port mapping
-      createDynamicRoute({
-        ports: [PROXY_PORTS[2], PROXY_PORTS[3]],
-        targetHost: (context) => {
-          // Dynamic host selection based on port
+      {
+        match: { ports: [PROXY_PORTS[2], PROXY_PORTS[3]] },
+        action: {
+          type: 'forward',
+          targets: [{
+            host: (context: IRouteContext) => {
               return context.port === PROXY_PORTS[2] ? 'localhost' : '127.0.0.1';
             },
-        portMapper: (context) => {
-          // Port mapping logic based on incoming port
+            port: (context: IRouteContext) => {
               if (context.port === PROXY_PORTS[2]) {
                 return TEST_PORTS[0];
               } else {
                 return TEST_PORTS[2];
               }
+            }
+          }]
         },
         name: 'Dynamic Host and Port Mapping'
-      }),
-
-      // Smart load balancer for domain-based routing
-      createSmartLoadBalancer({
-        ports: PROXY_PORTS[4],
-        domainTargets: {
-          'test1.example.com': 'localhost',
-          'test2.example.com': '127.0.0.1'
       },
-        portMapper: (context) => {
-          // Use different backend ports based on domain
+
+      {
+        match: { ports: PROXY_PORTS[4] },
+        action: {
+          type: 'forward',
+          targets: [{
+            host: (context: IRouteContext) => {
+              if (context.domain === 'test1.example.com') return 'localhost';
+              if (context.domain === 'test2.example.com') return '127.0.0.1';
+              return 'localhost';
+            },
+            port: (context: IRouteContext) => {
               if (context.domain === 'test1.example.com') {
                 return TEST_PORTS[0];
               } else {
                 return TEST_PORTS[1];
               }
+            }
+          }]
         },
-        defaultTarget: 'localhost',
         name: 'Smart Domain Load Balancer'
-      })
+      }
     ]
   });
 
-  // Start the SmartProxy
   await smartProxy.start();
 });
 
-// Test 1: Simple identity port mapping
 tap.test('should map port using identity function', async () => {
   const response = await createTestClient(PROXY_PORTS[0], TEST_DATA);
   expect(response).toEqual(`Server ${TEST_PORTS[0]} says: ${TEST_DATA}`);
 });
 
-// Test 2: Offset port mapping
 tap.test('should map port using offset function', async () => {
   const response = await createTestClient(PROXY_PORTS[1], TEST_DATA);
   expect(response).toEqual(`Server ${TEST_PORTS[1]} says: ${TEST_DATA}`);
 });
 
-// Test 3: Dynamic port and host mapping (conditional logic)
 tap.test('should map port using dynamic logic', async () => {
   const response = await createTestClient(PROXY_PORTS[2], TEST_DATA);
   expect(response).toEqual(`Server ${TEST_PORTS[0]} says: ${TEST_DATA}`);
 });
 
-// Test 4: Test reuse of createPortOffset helper
-tap.test('should use createPortOffset helper for port mapping', async () => {
-  // Test the createPortOffset helper with dynamic offset
-  const portOffset = TEST_PORTS[1] - PROXY_PORTS[1];
-  const offsetFn = createPortOffset(portOffset);
-  const context = {
-    port: PROXY_PORTS[1],
-    clientIp: '127.0.0.1',
-    serverIp: '127.0.0.1',
-    isTls: false,
-    timestamp: Date.now(),
-    connectionId: 'test-connection'
-  } as IRouteContext;
-
-  const mappedPort = offsetFn(context);
-  expect(mappedPort).toEqual(TEST_PORTS[1]);
-});
-
-// Test 5: Test error handling for invalid port mapping functions
 tap.test('should handle errors in port mapping functions', async () => {
-  // Create a route with a function that throws an error
   const errorRoute: IRouteConfig = {
     match: {
       ports: PROXY_PORTS[5]
@@ -233,23 +204,17 @@ tap.test('should handle errors in port mapping functions', async () => {
     name: 'Error Route'
   };
 
-  // Add the route to SmartProxy
   await smartProxy.updateRoutes([...smartProxy.settings.routes, errorRoute]);
 
-  // The connection should fail or timeout
   try {
     await createTestClient(PROXY_PORTS[5], TEST_DATA);
-    // Connection should not succeed
     expect(false).toBeTrue();
   } catch (error) {
-    // Connection failed as expected
     expect(true).toBeTrue();
   }
 });
 
-// Cleanup
 tap.test('cleanup port mapping test environment', async () => {
-  // Add timeout to prevent hanging if SmartProxy shutdown has issues
   const cleanupPromise = cleanup();
   const timeoutPromise = new Promise((_, reject) =>
     setTimeout(() => reject(new Error('Cleanup timeout after 5 seconds')), 5000)
@@ -259,7 +224,6 @@ tap.test('cleanup port mapping test environment', async () => {
     await Promise.race([cleanupPromise, timeoutPromise]);
   } catch (error) {
     console.error('Cleanup error:', error);
-    // Force cleanup even if there's an error
     testServers = [];
     smartProxy = null as any;
   }

test/test.route-config.ts

@@ -6,7 +6,7 @@ import { expect, tap } from '@git.zone/tstest/tapbundle';
 // Import from core modules
 import { SmartProxy } from '../ts/proxies/smart-proxy/index.js';
 
-// Import route utilities and helpers
+// Import route utilities
 import {
   findMatchingRoutes,
   findBestMatchingRoute,
@@ -28,16 +28,7 @@ import {
   assertValidRoute
 } from '../ts/proxies/smart-proxy/utils/route-validator.js';
 
-import {
-  createHttpRoute,
-  createHttpsTerminateRoute,
-  createHttpsPassthroughRoute,
-  createHttpToHttpsRedirect,
-  createCompleteHttpsServer,
-  createLoadBalancerRoute,
-  createApiRoute,
-  createWebSocketRoute
-} from '../ts/proxies/smart-proxy/utils/route-helpers.js';
+import { SocketHandlers } from '../ts/proxies/smart-proxy/utils/socket-handlers.js';
 
 // Import test helpers
 import { loadTestCertificates } from './helpers/certificates.js';
@@ -47,12 +38,12 @@ import type { IRouteConfig } from '../ts/proxies/smart-proxy/models/route-types.
 // --------------------------------- Route Creation Tests ---------------------------------
 
 tap.test('Routes: Should create basic HTTP route', async () => {
-  // Create a simple HTTP route
-  const httpRoute = createHttpRoute('example.com', { host: 'localhost', port: 3000 }, {
+  const httpRoute: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: 'localhost', port: 3000 }] },
     name: 'Basic HTTP Route'
-  });
+  };
 
-  // Validate the route configuration
   expect(httpRoute.match.ports).toEqual(80);
   expect(httpRoute.match.domains).toEqual('example.com');
   expect(httpRoute.action.type).toEqual('forward');
@@ -62,14 +53,17 @@ tap.test('Routes: Should create basic HTTP route', async () => {
 });
 
 tap.test('Routes: Should create HTTPS route with TLS termination', async () => {
-  // Create an HTTPS route with TLS termination
-  const httpsRoute = createHttpsTerminateRoute('secure.example.com', { host: 'localhost', port: 8080 }, {
-    certificate: 'auto',
+  const httpsRoute: IRouteConfig = {
+    match: { ports: 443, domains: 'secure.example.com' },
+    action: {
+      type: 'forward',
+      targets: [{ host: 'localhost', port: 8080 }],
+      tls: { mode: 'terminate', certificate: 'auto' }
+    },
     name: 'HTTPS Route'
-  });
+  };
 
-  // Validate the route configuration
-  expect(httpsRoute.match.ports).toEqual(443); // Default HTTPS port
+  expect(httpsRoute.match.ports).toEqual(443);
   expect(httpsRoute.match.domains).toEqual('secure.example.com');
   expect(httpsRoute.action.type).toEqual('forward');
   expect(httpsRoute.action.tls?.mode).toEqual('terminate');
@@ -80,10 +74,15 @@ tap.test('Routes: Should create HTTPS route with TLS termination', async () => {
 });
 
 tap.test('Routes: Should create HTTP to HTTPS redirect', async () => {
-  // Create an HTTP to HTTPS redirect
-  const redirectRoute = createHttpToHttpsRedirect('example.com', 443);
+  const redirectRoute: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: {
+      type: 'socket-handler',
+      socketHandler: SocketHandlers.httpRedirect('https://{domain}:443{path}', 301)
+    },
+    name: 'HTTP to HTTPS Redirect for example.com'
+  };
 
-  // Validate the route configuration
   expect(redirectRoute.match.ports).toEqual(80);
   expect(redirectRoute.match.domains).toEqual('example.com');
   expect(redirectRoute.action.type).toEqual('socket-handler');
@@ -91,22 +90,34 @@ tap.test('Routes: Should create HTTP to HTTPS redirect', async () => {
 });
 
 tap.test('Routes: Should create complete HTTPS server with redirects', async () => {
-  // Create a complete HTTPS server setup
-  const routes = createCompleteHttpsServer('example.com', { host: 'localhost', port: 8080 }, {
-    certificate: 'auto'
-  });
+  const routes: IRouteConfig[] = [
+    {
+      match: { ports: 443, domains: 'example.com' },
+      action: {
+        type: 'forward',
+        targets: [{ host: 'localhost', port: 8080 }],
+        tls: { mode: 'terminate', certificate: 'auto' }
+      },
+      name: 'HTTPS Terminate Route for example.com'
+    },
+    {
+      match: { ports: 80, domains: 'example.com' },
+      action: {
+        type: 'socket-handler',
+        socketHandler: SocketHandlers.httpRedirect('https://{domain}:443{path}', 301)
+      },
+      name: 'HTTP to HTTPS Redirect for example.com'
+    }
+  ];
 
-  // Validate that we got two routes (HTTPS route and HTTP redirect)
   expect(routes.length).toEqual(2);
 
-  // Validate HTTPS route
   const httpsRoute = routes[0];
   expect(httpsRoute.match.ports).toEqual(443);
   expect(httpsRoute.match.domains).toEqual('example.com');
   expect(httpsRoute.action.type).toEqual('forward');
   expect(httpsRoute.action.tls?.mode).toEqual('terminate');
 
-  // Validate HTTP redirect route
   const redirectRoute = routes[1];
   expect(redirectRoute.match.ports).toEqual(80);
   expect(redirectRoute.action.type).toEqual('socket-handler');
@@ -114,21 +125,17 @@ tap.test('Routes: Should create complete HTTPS server with redirects', async ()
 });
 
 tap.test('Routes: Should create load balancer route', async () => {
-  // Create a load balancer route
-  const lbRoute = createLoadBalancerRoute(
-    'app.example.com',
-    ['10.0.0.1', '10.0.0.2', '10.0.0.3'],
-    8080,
-    {
-      tls: {
-        mode: 'terminate',
-        certificate: 'auto'
+  const lbRoute: IRouteConfig = {
+    match: { ports: 443, domains: 'app.example.com' },
+    action: {
+      type: 'forward',
+      targets: [{ host: ['10.0.0.1', '10.0.0.2', '10.0.0.3'], port: 8080 }],
+      tls: { mode: 'terminate', certificate: 'auto' },
+      loadBalancing: { algorithm: 'round-robin' }
     },
     name: 'Load Balanced Route'
-    }
-  );
+  };
 
-  // Validate the route configuration
   expect(lbRoute.match.domains).toEqual('app.example.com');
   expect(lbRoute.action.type).toEqual('forward');
   expect(Array.isArray(lbRoute.action.targets?.[0]?.host)).toBeTrue();
@@ -139,15 +146,25 @@ tap.test('Routes: Should create load balancer route', async () => {
 });
 
 tap.test('Routes: Should create API route with CORS', async () => {
-  // Create an API route with CORS headers
-  const apiRoute = createApiRoute('api.example.com', '/v1', { host: 'localhost', port: 3000 }, {
-    useTls: true,
-    certificate: 'auto',
-    addCorsHeaders: true,
+  const apiRoute: IRouteConfig = {
+    match: { ports: 443, domains: 'api.example.com', path: '/v1/*' },
+    action: {
+      type: 'forward',
+      targets: [{ host: 'localhost', port: 3000 }],
+      tls: { mode: 'terminate', certificate: 'auto' }
+    },
+    headers: {
+      response: {
+        'Access-Control-Allow-Origin': '*',
+        'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
+        'Access-Control-Allow-Headers': 'Content-Type, Authorization',
+        'Access-Control-Max-Age': '86400'
+      }
+    },
+    priority: 100,
     name: 'API Route'
-  });
+  };
 
-  // Validate the route configuration
   expect(apiRoute.match.domains).toEqual('api.example.com');
   expect(apiRoute.match.path).toEqual('/v1/*');
   expect(apiRoute.action.type).toEqual('forward');
@@ -155,7 +172,6 @@ tap.test('Routes: Should create API route with CORS', async () => {
   expect(apiRoute.action.targets?.[0]?.host).toEqual('localhost');
   expect(apiRoute.action.targets?.[0]?.port).toEqual(3000);
 
-  // Check CORS headers
   expect(apiRoute.headers).toBeDefined();
   if (apiRoute.headers?.response) {
     expect(apiRoute.headers.response['Access-Control-Allow-Origin']).toEqual('*');
@@ -164,15 +180,18 @@ tap.test('Routes: Should create API route with CORS', async () => {
 });
 
 tap.test('Routes: Should create WebSocket route', async () => {
-  // Create a WebSocket route
-  const wsRoute = createWebSocketRoute('ws.example.com', '/socket', { host: 'localhost', port: 5000 }, {
-    useTls: true,
-    certificate: 'auto',
-    pingInterval: 15000,
+  const wsRoute: IRouteConfig = {
+    match: { ports: 443, domains: 'ws.example.com', path: '/socket' },
+    action: {
+      type: 'forward',
+      targets: [{ host: 'localhost', port: 5000 }],
+      tls: { mode: 'terminate', certificate: 'auto' },
+      websocket: { enabled: true, pingInterval: 15000 }
+    },
+    priority: 100,
     name: 'WebSocket Route'
-  });
+  };
 
-  // Validate the route configuration
   expect(wsRoute.match.domains).toEqual('ws.example.com');
   expect(wsRoute.match.path).toEqual('/socket');
   expect(wsRoute.action.type).toEqual('forward');
@@ -180,7 +199,6 @@ tap.test('Routes: Should create WebSocket route', async () => {
   expect(wsRoute.action.targets?.[0]?.host).toEqual('localhost');
   expect(wsRoute.action.targets?.[0]?.port).toEqual(5000);
 
-  // Check WebSocket configuration
   expect(wsRoute.action.websocket).toBeDefined();
   if (wsRoute.action.websocket) {
     expect(wsRoute.action.websocket.enabled).toBeTrue();
@@ -191,22 +209,27 @@ tap.test('Routes: Should create WebSocket route', async () => {
 // Static file serving has been removed - should be handled by external servers
 
 tap.test('SmartProxy: Should create instance with route-based config', async () => {
-  // Create TLS certificates for testing
   const certs = loadTestCertificates();
 
-  // Create a SmartProxy instance with route-based configuration
   const proxy = new SmartProxy({
     routes: [
-      createHttpRoute('example.com', { host: 'localhost', port: 3000 }, {
+      {
+        match: { ports: 80, domains: 'example.com' },
+        action: { type: 'forward', targets: [{ host: 'localhost', port: 3000 }] },
         name: 'HTTP Route'
-      }),
-      createHttpsTerminateRoute('secure.example.com', { host: 'localhost', port: 8443 }, {
-        certificate: {
-          key: certs.privateKey,
-          cert: certs.publicKey
+      },
+      {
+        match: { ports: 443, domains: 'secure.example.com' },
+        action: {
+          type: 'forward',
+          targets: [{ host: 'localhost', port: 8443 }],
+          tls: {
+            mode: 'terminate',
+            certificate: { key: certs.privateKey, cert: certs.publicKey }
+          }
         },
         name: 'HTTPS Route'
-      })
+      }
     ],
     defaults: {
       target: {
@@ -218,13 +241,11 @@ tap.test('SmartProxy: Should create instance with route-based config', async ()
         maxConnections: 100
       }
     },
-    // Additional settings
     initialDataTimeout: 10000,
     inactivityTimeout: 300000,
     enableDetailedLogging: true
   });
 
-  // Simply verify the instance was created successfully
   expect(typeof proxy).toEqual('object');
   expect(typeof proxy.start).toEqual('function');
   expect(typeof proxy.stop).toEqual('function');
@@ -233,7 +254,6 @@ tap.test('SmartProxy: Should create instance with route-based config', async ()
 // --------------------------------- Edge Case Tests ---------------------------------
 
 tap.test('Edge Case - Empty Routes Array', async () => {
-  // Attempting to find routes in an empty array
   const emptyRoutes: IRouteConfig[] = [];
   const matches = findMatchingRoutes(emptyRoutes, { domain: 'example.com', port: 80 });
 
@@ -245,82 +265,98 @@ tap.test('Edge Case - Empty Routes Array', async () => {
 });
 
 tap.test('Edge Case - Multiple Matching Routes with Same Priority', async () => {
-  // Create multiple routes with identical priority but different targets
-  const route1 = createHttpRoute('example.com', { host: 'server1', port: 3000 });
-  const route2 = createHttpRoute('example.com', { host: 'server2', port: 3000 });
-  const route3 = createHttpRoute('example.com', { host: 'server3', port: 3000 });
+  const route1: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: 'server1', port: 3000 }] },
+    name: 'HTTP Route for example.com'
+  };
+  const route2: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: 'server2', port: 3000 }] },
+    name: 'HTTP Route for example.com'
+  };
+  const route3: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: 'server3', port: 3000 }] },
+    name: 'HTTP Route for example.com'
+  };
 
-  // Set all to the same priority
   route1.priority = 100;
   route2.priority = 100;
   route3.priority = 100;
 
   const routes = [route1, route2, route3];
 
-  // Find matching routes
   const matches = findMatchingRoutes(routes, { domain: 'example.com', port: 80 });
 
-  // Should find all three routes
   expect(matches.length).toEqual(3);
 
-  // First match could be any of the routes since they have the same priority
-  // But the implementation should be consistent (likely keep the original order)
   const bestMatch = findBestMatchingRoute(routes, { domain: 'example.com', port: 80 });
   expect(bestMatch).not.toBeUndefined();
 });
 
 tap.test('Edge Case - Wildcard Domains and Path Matching', async () => {
-  // Create routes with wildcard domains and path patterns
-  const wildcardApiRoute = createApiRoute('*.example.com', '/api', { host: 'api-server', port: 3000 }, {
-    useTls: true,
-    certificate: 'auto'
-  });
+  const wildcardApiRoute: IRouteConfig = {
+    match: { ports: 443, domains: '*.example.com', path: '/api/*' },
+    action: {
+      type: 'forward',
+      targets: [{ host: 'api-server', port: 3000 }],
+      tls: { mode: 'terminate', certificate: 'auto' }
+    },
+    priority: 100,
+    name: 'API Route for *.example.com'
+  };
 
-  const exactApiRoute = createApiRoute('api.example.com', '/api', { host: 'specific-api-server', port: 3001 }, {
-    useTls: true,
-    certificate: 'auto',
-    priority: 200 // Higher priority
-  });
+  const exactApiRoute: IRouteConfig = {
+    match: { ports: 443, domains: 'api.example.com', path: '/api/*' },
+    action: {
+      type: 'forward',
+      targets: [{ host: 'specific-api-server', port: 3001 }],
+      tls: { mode: 'terminate', certificate: 'auto' }
+    },
+    priority: 200,
+    name: 'API Route for api.example.com'
+  };
 
   const routes = [wildcardApiRoute, exactApiRoute];
 
-  // Test with a specific subdomain that matches both routes
   const matches = findMatchingRoutes(routes, { domain: 'api.example.com', path: '/api/users', port: 443 });
 
-  // Should match both routes
   expect(matches.length).toEqual(2);
 
-  // The exact domain match should have higher priority
   const bestMatch = findBestMatchingRoute(routes, { domain: 'api.example.com', path: '/api/users', port: 443 });
   expect(bestMatch).not.toBeUndefined();
   if (bestMatch) {
-    expect(bestMatch.action.targets[0].port).toEqual(3001); // Should match the exact domain route
+    expect(bestMatch.action.targets[0].port).toEqual(3001);
   }
 
-  // Test with a different subdomain - should only match the wildcard route
   const otherMatches = findMatchingRoutes(routes, { domain: 'other.example.com', path: '/api/products', port: 443 });
   expect(otherMatches.length).toEqual(1);
-  expect(otherMatches[0].action.targets[0].port).toEqual(3000); // Should match the wildcard domain route
+  expect(otherMatches[0].action.targets[0].port).toEqual(3000);
 });
 
 tap.test('Edge Case - Disabled Routes', async () => {
-  // Create enabled and disabled routes
-  const enabledRoute = createHttpRoute('example.com', { host: 'server1', port: 3000 });
-  const disabledRoute = createHttpRoute('example.com', { host: 'server2', port: 3001 });
+  const enabledRoute: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: 'server1', port: 3000 }] },
+    name: 'HTTP Route for example.com'
+  };
+  const disabledRoute: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: 'server2', port: 3001 }] },
+    name: 'HTTP Route for example.com'
+  };
   disabledRoute.enabled = false;
 
   const routes = [enabledRoute, disabledRoute];
 
-  // Find matching routes
   const matches = findMatchingRoutes(routes, { domain: 'example.com', port: 80 });
 
-  // Should only find the enabled route
   expect(matches.length).toEqual(1);
   expect(matches[0].action.targets[0].port).toEqual(3000);
 });
 
 tap.test('Edge Case - Complex Path and Headers Matching', async () => {
-  // Create route with complex path and headers matching
   const complexRoute: IRouteConfig = {
     match: {
       domains: 'api.example.com',
@@ -345,7 +381,6 @@ tap.test('Edge Case - Complex Path and Headers Matching', async () => {
     name: 'Complex API Route'
   };
 
-  // Test with matching criteria
   const matchingPath = routeMatchesPath(complexRoute, '/api/v2/users');
   expect(matchingPath).toBeTrue();
 
@@ -356,7 +391,6 @@ tap.test('Edge Case - Complex Path and Headers Matching', async () => {
   });
   expect(matchingHeaders).toBeTrue();
 
-  // Test with non-matching criteria
   const nonMatchingPath = routeMatchesPath(complexRoute, '/api/v1/users');
   expect(nonMatchingPath).toBeFalse();
 
@@ -368,7 +402,6 @@ tap.test('Edge Case - Complex Path and Headers Matching', async () => {
 });
 
 tap.test('Edge Case - Port Range Matching', async () => {
-  // Create route with port range matching
   const portRangeRoute: IRouteConfig = {
     match: {
       domains: 'example.com',
@@ -384,16 +417,13 @@ tap.test('Edge Case - Port Range Matching', async () => {
     name: 'Port Range Route'
   };
 
-  // Test with ports in the range
-  expect(routeMatchesPort(portRangeRoute, 8000)).toBeTrue(); // Lower bound
-  expect(routeMatchesPort(portRangeRoute, 8500)).toBeTrue(); // Middle
-  expect(routeMatchesPort(portRangeRoute, 9000)).toBeTrue(); // Upper bound
+  expect(routeMatchesPort(portRangeRoute, 8000)).toBeTrue();
+  expect(routeMatchesPort(portRangeRoute, 8500)).toBeTrue();
+  expect(routeMatchesPort(portRangeRoute, 9000)).toBeTrue();
 
-  // Test with ports outside the range
-  expect(routeMatchesPort(portRangeRoute, 7999)).toBeFalse(); // Just below
-  expect(routeMatchesPort(portRangeRoute, 9001)).toBeFalse(); // Just above
+  expect(routeMatchesPort(portRangeRoute, 7999)).toBeFalse();
+  expect(routeMatchesPort(portRangeRoute, 9001)).toBeFalse();
 
-  // Test with multiple port ranges
   const multiRangeRoute: IRouteConfig = {
     match: {
       domains: 'example.com',
@@ -420,55 +450,56 @@ tap.test('Edge Case - Port Range Matching', async () => {
 // --------------------------------- Wildcard Domain Tests ---------------------------------
 
 tap.test('Wildcard Domain Handling', async () => {
-  // Create routes with different wildcard patterns
-  const simpleDomainRoute = createHttpRoute('example.com', { host: 'server1', port: 3000 });
-  const wildcardSubdomainRoute = createHttpRoute('*.example.com', { host: 'server2', port: 3001 });
-  const specificSubdomainRoute = createHttpRoute('api.example.com', { host: 'server3', port: 3002 });
+  const simpleDomainRoute: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: 'server1', port: 3000 }] },
+    name: 'HTTP Route for example.com'
+  };
+  const wildcardSubdomainRoute: IRouteConfig = {
+    match: { ports: 80, domains: '*.example.com' },
+    action: { type: 'forward', targets: [{ host: 'server2', port: 3001 }] },
+    name: 'HTTP Route for *.example.com'
+  };
+  const specificSubdomainRoute: IRouteConfig = {
+    match: { ports: 80, domains: 'api.example.com' },
+    action: { type: 'forward', targets: [{ host: 'server3', port: 3002 }] },
+    name: 'HTTP Route for api.example.com'
+  };
 
-  // Set explicit priorities to ensure deterministic matching
-  specificSubdomainRoute.priority = 200; // Highest priority for specific domain
-  wildcardSubdomainRoute.priority = 100; // Medium priority for wildcard
-  simpleDomainRoute.priority = 50;       // Lowest priority for generic domain
+  specificSubdomainRoute.priority = 200;
+  wildcardSubdomainRoute.priority = 100;
+  simpleDomainRoute.priority = 50;
 
   const routes = [simpleDomainRoute, wildcardSubdomainRoute, specificSubdomainRoute];
 
-  // Test exact domain match
   expect(routeMatchesDomain(simpleDomainRoute, 'example.com')).toBeTrue();
   expect(routeMatchesDomain(simpleDomainRoute, 'sub.example.com')).toBeFalse();
 
-  // Test wildcard subdomain match
   expect(routeMatchesDomain(wildcardSubdomainRoute, 'any.example.com')).toBeTrue();
   expect(routeMatchesDomain(wildcardSubdomainRoute, 'nested.sub.example.com')).toBeTrue();
   expect(routeMatchesDomain(wildcardSubdomainRoute, 'example.com')).toBeFalse();
 
-  // Test specific subdomain match
   expect(routeMatchesDomain(specificSubdomainRoute, 'api.example.com')).toBeTrue();
   expect(routeMatchesDomain(specificSubdomainRoute, 'other.example.com')).toBeFalse();
   expect(routeMatchesDomain(specificSubdomainRoute, 'sub.api.example.com')).toBeFalse();
 
-  // Test finding best match when multiple domains match
   const specificSubdomainRequest = { domain: 'api.example.com', port: 80 };
   const bestSpecificMatch = findBestMatchingRoute(routes, specificSubdomainRequest);
   expect(bestSpecificMatch).not.toBeUndefined();
   if (bestSpecificMatch) {
-    // Find which route was matched
     const matchedPort = bestSpecificMatch.action.targets[0].port;
     console.log(`Matched route with port: ${matchedPort}`);
 
-    // Verify it's the specific subdomain route (with highest priority)
     expect(bestSpecificMatch.priority).toEqual(200);
   }
 
-  // Test with a subdomain that matches wildcard but not specific
   const otherSubdomainRequest = { domain: 'other.example.com', port: 80 };
   const bestWildcardMatch = findBestMatchingRoute(routes, otherSubdomainRequest);
   expect(bestWildcardMatch).not.toBeUndefined();
   if (bestWildcardMatch) {
-    // Find which route was matched
     const matchedPort = bestWildcardMatch.action.targets[0].port;
     console.log(`Matched route with port: ${matchedPort}`);
 
-    // Verify it's the wildcard subdomain route (with medium priority)
     expect(bestWildcardMatch.priority).toEqual(100);
   }
 });
@@ -476,39 +507,68 @@ tap.test('Wildcard Domain Handling', async () => {
 // --------------------------------- Integration Tests ---------------------------------
 
 tap.test('Route Integration - Combining Multiple Route Types', async () => {
-  // Create a comprehensive set of routes for a full application
   const routes: IRouteConfig[] = [
-    // Main website with HTTPS and HTTP redirect
-    ...createCompleteHttpsServer('example.com', { host: 'web-server', port: 8080 }, {
-      certificate: 'auto'
-    }),
-    
-    // API endpoints
-    createApiRoute('api.example.com', '/v1', { host: 'api-server', port: 3000 }, {
-      useTls: true,
-      certificate: 'auto',
-      addCorsHeaders: true
-    }),
-    
-    // WebSocket for real-time updates
-    createWebSocketRoute('ws.example.com', '/live', { host: 'websocket-server', port: 5000 }, {
-      useTls: true,
-      certificate: 'auto'
-    }),
-    
-    
-    // Legacy system with passthrough
-    createHttpsPassthroughRoute('legacy.example.com', { host: 'legacy-server', port: 443 })
+    {
+      match: { ports: 443, domains: 'example.com' },
+      action: {
+        type: 'forward',
+        targets: [{ host: 'web-server', port: 8080 }],
+        tls: { mode: 'terminate', certificate: 'auto' }
+      },
+      name: 'HTTPS Terminate Route for example.com'
+    },
+    {
+      match: { ports: 80, domains: 'example.com' },
+      action: {
+        type: 'socket-handler',
+        socketHandler: SocketHandlers.httpRedirect('https://{domain}:443{path}', 301)
+      },
+      name: 'HTTP to HTTPS Redirect for example.com'
+    },
+    {
+      match: { ports: 443, domains: 'api.example.com', path: '/v1/*' },
+      action: {
+        type: 'forward',
+        targets: [{ host: 'api-server', port: 3000 }],
+        tls: { mode: 'terminate', certificate: 'auto' }
+      },
+      headers: {
+        response: {
+          'Access-Control-Allow-Origin': '*',
+          'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
+          'Access-Control-Allow-Headers': 'Content-Type, Authorization',
+          'Access-Control-Max-Age': '86400'
+        }
+      },
+      priority: 100,
+      name: 'API Route for api.example.com'
+    },
+    {
+      match: { ports: 443, domains: 'ws.example.com', path: '/live' },
+      action: {
+        type: 'forward',
+        targets: [{ host: 'websocket-server', port: 5000 }],
+        tls: { mode: 'terminate', certificate: 'auto' },
+        websocket: { enabled: true }
+      },
+      priority: 100,
+      name: 'WebSocket Route for ws.example.com'
+    },
+    {
+      match: { ports: 443, domains: 'legacy.example.com' },
+      action: {
+        type: 'forward',
+        targets: [{ host: 'legacy-server', port: 443 }],
+        tls: { mode: 'passthrough' }
+      },
+      name: 'HTTPS Passthrough Route for legacy.example.com'
+    }
   ];
 
-  // Validate all routes
   const validationResult = validateRoutes(routes);
   expect(validationResult.valid).toBeTrue();
   expect(validationResult.errors.length).toEqual(0);
 
-  // Test route matching for different endpoints
-  
-  // Web server (HTTPS)
   const webServerMatch = findBestMatchingRoute(routes, { domain: 'example.com', port: 443 });
   expect(webServerMatch).not.toBeUndefined();
   if (webServerMatch) {
@@ -516,14 +576,12 @@ tap.test('Route Integration - Combining Multiple Route Types', async () => {
     expect(webServerMatch.action.targets[0].host).toEqual('web-server');
   }
 
-  // Web server (HTTP redirect via socket handler)
   const webRedirectMatch = findBestMatchingRoute(routes, { domain: 'example.com', port: 80 });
   expect(webRedirectMatch).not.toBeUndefined();
   if (webRedirectMatch) {
     expect(webRedirectMatch.action.type).toEqual('socket-handler');
   }
 
-  // API server
   const apiMatch = findBestMatchingRoute(routes, {
     domain: 'api.example.com',
     port: 443,
@@ -535,7 +593,6 @@ tap.test('Route Integration - Combining Multiple Route Types', async () => {
     expect(apiMatch.action.targets[0].host).toEqual('api-server');
   }
 
-  // WebSocket server
   const wsMatch = findBestMatchingRoute(routes, {
     domain: 'ws.example.com',
     port: 443,
@@ -548,9 +605,6 @@ tap.test('Route Integration - Combining Multiple Route Types', async () => {
     expect(wsMatch.action.websocket?.enabled).toBeTrue();
   }
 
-  // Static assets route was removed - static file serving should be handled externally
-  
-  // Legacy system
   const legacyMatch = findBestMatchingRoute(routes, {
     domain: 'legacy.example.com',
     port: 443
@@ -565,7 +619,6 @@ tap.test('Route Integration - Combining Multiple Route Types', async () => {
 // --------------------------------- Protocol Match Field Tests ---------------------------------
 
 tap.test('Routes: Should accept protocol field on route match', async () => {
-  // Create a route with protocol: 'http'
   const httpOnlyRoute: IRouteConfig = {
     match: {
       ports: 443,
@@ -583,16 +636,13 @@ tap.test('Routes: Should accept protocol field on route match', async () => {
     name: 'HTTP-only Route',
   };
 
-  // Validate the route - protocol field should not cause errors
   const validation = validateRouteConfig(httpOnlyRoute);
   expect(validation.valid).toBeTrue();
 
-  // Verify the protocol field is preserved
   expect(httpOnlyRoute.match.protocol).toEqual('http');
 });
 
 tap.test('Routes: Should accept protocol tcp on route match', async () => {
-  // Create a route with protocol: 'tcp'
   const tcpOnlyRoute: IRouteConfig = {
     match: {
       ports: 443,
@@ -616,28 +666,26 @@ tap.test('Routes: Should accept protocol tcp on route match', async () => {
 });
 
 tap.test('Routes: Protocol field should work with terminate-and-reencrypt', async () => {
-  // Create a terminate-and-reencrypt route that only accepts HTTP
-  const reencryptRoute = createHttpsTerminateRoute(
-    'secure.example.com',
-    { host: 'backend', port: 443 },
-    { reencrypt: true, certificate: 'auto', name: 'Reencrypt HTTP Route' }
-  );
+  const reencryptRoute: IRouteConfig = {
+    match: { ports: 443, domains: 'secure.example.com' },
+    action: {
+      type: 'forward',
+      targets: [{ host: 'backend', port: 443 }],
+      tls: { mode: 'terminate-and-reencrypt', certificate: 'auto' }
+    },
+    name: 'Reencrypt HTTP Route'
+  };
 
-  // Set protocol restriction to http
   reencryptRoute.match.protocol = 'http';
 
-  // Validate the route
   const validation = validateRouteConfig(reencryptRoute);
   expect(validation.valid).toBeTrue();
 
-  // Verify TLS mode
   expect(reencryptRoute.action.tls?.mode).toEqual('terminate-and-reencrypt');
-  // Verify protocol field is preserved
   expect(reencryptRoute.match.protocol).toEqual('http');
 });
 
 tap.test('Routes: Protocol field should not affect domain/port matching', async () => {
-  // Routes with and without protocol field should both match the same domain/port
   const routeWithProtocol: IRouteConfig = {
     match: {
       ports: 443,
@@ -669,11 +717,9 @@ tap.test('Routes: Protocol field should not affect domain/port matching', async
 
   const routes = [routeWithProtocol, routeWithoutProtocol];
 
-  // Both routes should match the domain/port (protocol is a hint for Rust-side matching)
   const matches = findMatchingRoutes(routes, { domain: 'example.com', port: 443 });
   expect(matches.length).toEqual(2);
 
-  // The one with higher priority should be first
   const best = findBestMatchingRoute(routes, { domain: 'example.com', port: 443 });
   expect(best).not.toBeUndefined();
   expect(best!.name).toEqual('With Protocol');
@@ -696,11 +742,9 @@ tap.test('Routes: Protocol field preserved through route cloning', async () => {
 
   const cloned = cloneRoute(original);
 
-  // Verify protocol is preserved in clone
   expect(cloned.match.protocol).toEqual('http');
   expect(cloned.action.tls?.mode).toEqual('terminate-and-reencrypt');
 
-  // Modify clone should not affect original
   cloned.match.protocol = 'tcp';
   expect(original.match.protocol).toEqual('http');
 });
@@ -720,7 +764,6 @@ tap.test('Routes: Protocol field preserved through route merging', async () => {
     name: 'Merge Base',
   };
 
-  // Merge with override that changes name but not protocol
   const merged = mergeRouteConfigs(base, { name: 'Merged Route' });
   expect(merged.match.protocol).toEqual('http');
   expect(merged.name).toEqual('Merged Route');

test/test.route-utils.ts

@@ -1,21 +1,7 @@
 import { tap, expect } from '@git.zone/tstest/tapbundle';
 import * as plugins from '../ts/plugins.js';
 
-// Import from individual modules to avoid naming conflicts
 import {
-  // Route helpers
-  createHttpRoute,
-  createHttpsTerminateRoute,
-  createApiRoute,
-  createWebSocketRoute,
-  createHttpToHttpsRedirect,
-  createHttpsPassthroughRoute,
-  createCompleteHttpsServer,
-  createLoadBalancerRoute
-} from '../ts/proxies/smart-proxy/utils/route-helpers.js';
-
-import {
-  // Route validators
   validateRouteConfig,
   validateRoutes,
   isValidDomain,
@@ -27,7 +13,6 @@ import {
 } from '../ts/proxies/smart-proxy/utils/route-validator.js';
 
 import {
-  // Route utilities
   mergeRouteConfigs,
   findMatchingRoutes,
   findBestMatchingRoute,
@@ -39,16 +24,6 @@ import {
   cloneRoute
 } from '../ts/proxies/smart-proxy/utils/route-utils.js';
 
-import {
-  // Route patterns
-  createApiGatewayRoute,
-  createWebSocketRoute as createWebSocketPattern,
-  createLoadBalancerRoute as createLbPattern,
-  addRateLimiting,
-  addBasicAuth,
-  addJwtAuth
-} from '../ts/proxies/smart-proxy/utils/route-helpers.js';
-
 import type {
   IRouteConfig,
   IRouteMatch,
@@ -179,7 +154,11 @@ tap.test('Route Validation - validateRouteAction', async () => {
 
 tap.test('Route Validation - validateRouteConfig', async () => {
   // Valid route config
-  const validRoute = createHttpRoute('example.com', { host: 'localhost', port: 3000 });
+  const validRoute: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: 'localhost', port: 3000 }] },
+    name: 'HTTP Route for example.com',
+  };
   const validResult = validateRouteConfig(validRoute);
   expect(validResult.valid).toBeTrue();
   expect(validResult.errors.length).toEqual(0);
@@ -203,7 +182,11 @@ tap.test('Route Validation - validateRouteConfig', async () => {
 tap.test('Route Validation - validateRoutes', async () => {
   // Create valid and invalid routes
   const routes = [
-    createHttpRoute('example.com', { host: 'localhost', port: 3000 }),
+    {
+      match: { ports: 80, domains: 'example.com' },
+      action: { type: 'forward', targets: [{ host: 'localhost', port: 3000 }] },
+      name: 'HTTP Route for example.com',
+    } as IRouteConfig,
     {
       match: {
         domains: 'invalid..domain',
@@ -217,7 +200,11 @@ tap.test('Route Validation - validateRoutes', async () => {
         }
       }
     } as IRouteConfig,
-    createHttpsTerminateRoute('secure.example.com', { host: 'localhost', port: 3001 })
+    {
+      match: { ports: 443, domains: 'secure.example.com' },
+      action: { type: 'forward', targets: [{ host: 'localhost', port: 3001 }], tls: { mode: 'terminate', certificate: 'auto' } },
+      name: 'HTTPS Terminate Route for secure.example.com',
+    } as IRouteConfig
   ];
 
   const result = validateRoutes(routes);
@@ -230,13 +217,13 @@ tap.test('Route Validation - validateRoutes', async () => {
 
 tap.test('Route Validation - hasRequiredPropertiesForAction', async () => {
   // Forward action
-  const forwardRoute = createHttpRoute('example.com', { host: 'localhost', port: 3000 });
+  const forwardRoute: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: 'localhost', port: 3000 }] },
+    name: 'HTTP Route for example.com',
+  };
   expect(hasRequiredPropertiesForAction(forwardRoute, 'forward')).toBeTrue();
 
-  // Socket handler action (redirect functionality)
-  const redirectRoute = createHttpToHttpsRedirect('example.com');
-  expect(hasRequiredPropertiesForAction(redirectRoute, 'socket-handler')).toBeTrue();
-  
   // Socket handler action
   const socketRoute: IRouteConfig = {
     match: {
@@ -269,7 +256,11 @@ tap.test('Route Validation - hasRequiredPropertiesForAction', async () => {
 
 tap.test('Route Validation - assertValidRoute', async () => {
   // Valid route
-  const validRoute = createHttpRoute('example.com', { host: 'localhost', port: 3000 });
+  const validRoute: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: 'localhost', port: 3000 }] },
+    name: 'HTTP Route for example.com',
+  };
   expect(() => assertValidRoute(validRoute)).not.toThrow();
 
   // Invalid route
@@ -290,7 +281,11 @@ tap.test('Route Validation - assertValidRoute', async () => {
 
 tap.test('Route Utilities - mergeRouteConfigs', async () => {
   // Base route
-  const baseRoute = createHttpRoute('example.com', { host: 'localhost', port: 3000 });
+  const baseRoute: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: 'localhost', port: 3000 }] },
+    name: 'HTTP Route for example.com',
+  };
 
   // Override with different name and port
   const overrideRoute: Partial<IRouteConfig> = {
@@ -345,13 +340,25 @@ tap.test('Route Utilities - mergeRouteConfigs', async () => {
 
 tap.test('Route Matching - routeMatchesDomain', async () => {
   // Create route with wildcard domain
-  const wildcardRoute = createHttpRoute('*.example.com', { host: 'localhost', port: 3000 });
+  const wildcardRoute: IRouteConfig = {
+    match: { ports: 80, domains: '*.example.com' },
+    action: { type: 'forward', targets: [{ host: 'localhost', port: 3000 }] },
+    name: 'HTTP Route for *.example.com',
+  };
 
   // Create route with exact domain
-  const exactRoute = createHttpRoute('example.com', { host: 'localhost', port: 3000 });
+  const exactRoute: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: 'localhost', port: 3000 }] },
+    name: 'HTTP Route for example.com',
+  };
 
   // Create route with multiple domains
-  const multiDomainRoute = createHttpRoute(['example.com', 'example.org'], { host: 'localhost', port: 3000 });
+  const multiDomainRoute: IRouteConfig = {
+    match: { ports: 80, domains: ['example.com', 'example.org'] },
+    action: { type: 'forward', targets: [{ host: 'localhost', port: 3000 }] },
+    name: 'HTTP Route for example.com,example.org',
+  };
 
   // Test wildcard domain matching
   expect(routeMatchesDomain(wildcardRoute, 'sub.example.com')).toBeTrue();
@@ -374,7 +381,11 @@ tap.test('Route Matching - routeMatchesDomain', async () => {
 
 tap.test('Route Matching - routeMatchesPort', async () => {
   // Create routes with different port configurations
-  const singlePortRoute = createHttpRoute('example.com', { host: 'localhost', port: 3000 });
+  const singlePortRoute: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: 'localhost', port: 3000 }] },
+    name: 'HTTP Route for example.com',
+  };
 
   const multiPortRoute: IRouteConfig = {
     match: {
@@ -527,7 +538,11 @@ tap.test('Route Matching - routeMatchesHeaders', async () => {
   })).toBeFalse();
 
   // Route without header matching should match any headers
-  const noHeaderRoute = createHttpRoute('example.com', { host: 'localhost', port: 3000 });
+  const noHeaderRoute: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: 'localhost', port: 3000 }] },
+    name: 'HTTP Route for example.com',
+  };
   expect(routeMatchesHeaders(noHeaderRoute, {
     'Content-Type': 'application/json'
   })).toBeTrue();
@@ -536,10 +551,26 @@ tap.test('Route Matching - routeMatchesHeaders', async () => {
 tap.test('Route Finding - findMatchingRoutes', async () => {
   // Create multiple routes
   const routes: IRouteConfig[] = [
-    createHttpRoute('example.com', { host: 'localhost', port: 3000 }),
-    createHttpsTerminateRoute('secure.example.com', { host: 'localhost', port: 3001 }),
-    createApiRoute('api.example.com', '/v1', { host: 'localhost', port: 3002 }),
-    createWebSocketRoute('ws.example.com', '/socket', { host: 'localhost', port: 3003 })
+    {
+      match: { ports: 80, domains: 'example.com' },
+      action: { type: 'forward', targets: [{ host: 'localhost', port: 3000 }] },
+      name: 'HTTP Route for example.com',
+    },
+    {
+      match: { ports: 443, domains: 'secure.example.com' },
+      action: { type: 'forward', targets: [{ host: 'localhost', port: 3001 }], tls: { mode: 'terminate', certificate: 'auto' } },
+      name: 'HTTPS Route for secure.example.com',
+    },
+    {
+      match: { ports: 443, domains: 'api.example.com', path: '/v1/*' },
+      action: { type: 'forward', targets: [{ host: 'localhost', port: 3002 }], tls: { mode: 'terminate', certificate: 'auto' } },
+      name: 'API Route for api.example.com',
+    },
+    {
+      match: { ports: 443, domains: 'ws.example.com', path: '/socket' },
+      action: { type: 'forward', targets: [{ host: 'localhost', port: 3003 }], tls: { mode: 'terminate', certificate: 'auto' }, websocket: { enabled: true } },
+      name: 'WebSocket Route for ws.example.com',
+    },
   ];
 
   // Set priorities
@@ -566,10 +597,18 @@ tap.test('Route Finding - findMatchingRoutes', async () => {
   expect(wsMatches[0].name).toInclude('WebSocket Route');
 
   // Test finding multiple routes that match same criteria
-  const route1 = createHttpRoute('example.com', { host: 'localhost', port: 3000 });
+  const route1: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: 'localhost', port: 3000 }] },
+    name: 'HTTP Route for example.com',
+  };
   route1.priority = 10;
 
-  const route2 = createHttpRoute('example.com', { host: 'localhost', port: 3001 });
+  const route2: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: 'localhost', port: 3001 }] },
+    name: 'HTTP Route for example.com',
+  };
   route2.priority = 20;
   route2.match.path = '/api';
 
@@ -581,7 +620,11 @@ tap.test('Route Finding - findMatchingRoutes', async () => {
   expect(multiMatches[1].priority).toEqual(10);
 
   // Test disabled routes
-  const disabledRoute = createHttpRoute('example.com', { host: 'localhost', port: 3000 });
+  const disabledRoute: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: 'localhost', port: 3000 }] },
+    name: 'HTTP Route for example.com',
+  };
   disabledRoute.enabled = false;
 
   const enabledRoutes = findMatchingRoutes([disabledRoute], { domain: 'example.com', port: 80 });
@@ -590,14 +633,26 @@ tap.test('Route Finding - findMatchingRoutes', async () => {
 
 tap.test('Route Finding - findBestMatchingRoute', async () => {
   // Create multiple routes with different priorities
-  const route1 = createHttpRoute('example.com', { host: 'localhost', port: 3000 });
+  const route1: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: 'localhost', port: 3000 }] },
+    name: 'HTTP Route for example.com',
+  };
   route1.priority = 10;
 
-  const route2 = createHttpRoute('example.com', { host: 'localhost', port: 3001 });
+  const route2: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: 'localhost', port: 3001 }] },
+    name: 'HTTP Route for example.com',
+  };
   route2.priority = 20;
   route2.match.path = '/api';
 
-  const route3 = createHttpRoute('example.com', { host: 'localhost', port: 3002 });
+  const route3: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: 'localhost', port: 3002 }] },
+    name: 'HTTP Route for example.com',
+  };
   route3.priority = 30;
   route3.match.path = '/api/users';
 
@@ -615,29 +670,42 @@ tap.test('Route Finding - findBestMatchingRoute', async () => {
 
 tap.test('Route Utilities - generateRouteId', async () => {
   // Test ID generation for different route types
-  const httpRoute = createHttpRoute('example.com', { host: 'localhost', port: 3000 });
+  const httpRoute: IRouteConfig = {
+    match: { ports: 80, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: 'localhost', port: 3000 }] },
+    name: 'HTTP Route for example.com',
+  };
   const httpId = generateRouteId(httpRoute);
   expect(httpId).toInclude('example-com');
   expect(httpId).toInclude('80');
   expect(httpId).toInclude('forward');
 
-  const httpsRoute = createHttpsTerminateRoute('secure.example.com', { host: 'localhost', port: 3001 });
+  const httpsRoute: IRouteConfig = {
+    match: { ports: 443, domains: 'secure.example.com' },
+    action: { type: 'forward', targets: [{ host: 'localhost', port: 3001 }], tls: { mode: 'terminate', certificate: 'auto' } },
+    name: 'HTTPS Terminate Route for secure.example.com',
+  };
   const httpsId = generateRouteId(httpsRoute);
   expect(httpsId).toInclude('secure-example-com');
   expect(httpsId).toInclude('443');
   expect(httpsId).toInclude('forward');
 
-  const multiDomainRoute = createHttpRoute(['example.com', 'example.org'], { host: 'localhost', port: 3000 });
+  const multiDomainRoute: IRouteConfig = {
+    match: { ports: 80, domains: ['example.com', 'example.org'] },
+    action: { type: 'forward', targets: [{ host: 'localhost', port: 3000 }] },
+    name: 'HTTP Route for example.com,example.org',
+  };
   const multiDomainId = generateRouteId(multiDomainRoute);
   expect(multiDomainId).toInclude('example-com-example-org');
 });
 
 tap.test('Route Utilities - cloneRoute', async () => {
   // Create a route and clone it
-  const originalRoute = createHttpsTerminateRoute('example.com', { host: 'localhost', port: 3000 }, {
-    certificate: 'auto',
-    name: 'Original Route'
-  });
+  const originalRoute: IRouteConfig = {
+    match: { ports: 443, domains: 'example.com' },
+    action: { type: 'forward', targets: [{ host: 'localhost', port: 3000 }], tls: { mode: 'terminate', certificate: 'auto' } },
+    name: 'Original Route',
+  };
 
   const clonedRoute = cloneRoute(originalRoute);
 
@@ -652,352 +720,4 @@ tap.test('Route Utilities - cloneRoute', async () => {
   expect(originalRoute.name).toEqual('Original Route');
 });
 
-// --------------------------------- Route Helper Tests ---------------------------------
-
-tap.test('Route Helpers - createHttpRoute', async () => {
-  const route = createHttpRoute('example.com', { host: 'localhost', port: 3000 });
-  
-  expect(route.match.domains).toEqual('example.com');
-  expect(route.match.ports).toEqual(80);
-  expect(route.action.type).toEqual('forward');
-  expect(route.action.targets?.[0]?.host).toEqual('localhost');
-  expect(route.action.targets?.[0]?.port).toEqual(3000);
-  
-  const validationResult = validateRouteConfig(route);
-  expect(validationResult.valid).toBeTrue();
-});
-
-tap.test('Route Helpers - createHttpsTerminateRoute', async () => {
-  const route = createHttpsTerminateRoute('example.com', { host: 'localhost', port: 3000 }, {
-    certificate: 'auto'
-  });
-  
-  expect(route.match.domains).toEqual('example.com');
-  expect(route.match.ports).toEqual(443);
-  expect(route.action.type).toEqual('forward');
-  expect(route.action.tls.mode).toEqual('terminate');
-  expect(route.action.tls.certificate).toEqual('auto');
-  
-  const validationResult = validateRouteConfig(route);
-  expect(validationResult.valid).toBeTrue();
-});
-
-tap.test('Route Helpers - createHttpToHttpsRedirect', async () => {
-  const route = createHttpToHttpsRedirect('example.com');
-  
-  expect(route.match.domains).toEqual('example.com');
-  expect(route.match.ports).toEqual(80);
-  expect(route.action.type).toEqual('socket-handler');
-  expect(route.action.socketHandler).toBeDefined();
-  
-  const validationResult = validateRouteConfig(route);
-  expect(validationResult.valid).toBeTrue();
-});
-
-tap.test('Route Helpers - createHttpsPassthroughRoute', async () => {
-  const route = createHttpsPassthroughRoute('example.com', { host: 'localhost', port: 3000 });
-  
-  expect(route.match.domains).toEqual('example.com');
-  expect(route.match.ports).toEqual(443);
-  expect(route.action.type).toEqual('forward');
-  expect(route.action.tls.mode).toEqual('passthrough');
-  
-  const validationResult = validateRouteConfig(route);
-  expect(validationResult.valid).toBeTrue();
-});
-
-tap.test('Route Helpers - createCompleteHttpsServer', async () => {
-  const routes = createCompleteHttpsServer('example.com', { host: 'localhost', port: 3000 }, {
-    certificate: 'auto'
-  });
-  
-  expect(routes.length).toEqual(2);
-  
-  // HTTPS route
-  expect(routes[0].match.domains).toEqual('example.com');
-  expect(routes[0].match.ports).toEqual(443);
-  expect(routes[0].action.type).toEqual('forward');
-  expect(routes[0].action.tls.mode).toEqual('terminate');
-  
-  // HTTP redirect route
-  expect(routes[1].match.domains).toEqual('example.com');
-  expect(routes[1].match.ports).toEqual(80);
-  expect(routes[1].action.type).toEqual('socket-handler');
-  
-  const validation1 = validateRouteConfig(routes[0]);
-  const validation2 = validateRouteConfig(routes[1]);
-  expect(validation1.valid).toBeTrue();
-  expect(validation2.valid).toBeTrue();
-});
-
-// createStaticFileRoute has been removed - static file serving should be handled by
-// external servers (nginx/apache) behind the proxy
-
-tap.test('Route Helpers - createApiRoute', async () => {
-  const route = createApiRoute('api.example.com', '/v1', { host: 'localhost', port: 3000 }, {
-    useTls: true,
-    certificate: 'auto',
-    addCorsHeaders: true
-  });
-  
-  expect(route.match.domains).toEqual('api.example.com');
-  expect(route.match.ports).toEqual(443);
-  expect(route.match.path).toEqual('/v1/*');
-  expect(route.action.type).toEqual('forward');
-  expect(route.action.tls.mode).toEqual('terminate');
-  
-  // Check CORS headers if they exist
-  if (route.headers && route.headers.response) {
-    expect(route.headers.response['Access-Control-Allow-Origin']).toEqual('*');
-  }
-  
-  const validationResult = validateRouteConfig(route);
-  expect(validationResult.valid).toBeTrue();
-});
-
-tap.test('Route Helpers - createWebSocketRoute', async () => {
-  const route = createWebSocketRoute('ws.example.com', '/socket', { host: 'localhost', port: 3000 }, {
-    useTls: true,
-    certificate: 'auto',
-    pingInterval: 15000
-  });
-  
-  expect(route.match.domains).toEqual('ws.example.com');
-  expect(route.match.ports).toEqual(443);
-  expect(route.match.path).toEqual('/socket');
-  expect(route.action.type).toEqual('forward');
-  expect(route.action.tls.mode).toEqual('terminate');
-  
-  // Check websocket configuration if it exists
-  if (route.action.websocket) {
-    expect(route.action.websocket.enabled).toBeTrue();
-    expect(route.action.websocket.pingInterval).toEqual(15000);
-  }
-  
-  const validationResult = validateRouteConfig(route);
-  expect(validationResult.valid).toBeTrue();
-});
-
-tap.test('Route Helpers - createLoadBalancerRoute', async () => {
-  const route = createLoadBalancerRoute(
-    'loadbalancer.example.com',
-    ['server1.local', 'server2.local', 'server3.local'],
-    8080,
-    {
-      tls: {
-        mode: 'terminate',
-        certificate: 'auto'
-      }
-    }
-  );
-  
-  expect(route.match.domains).toEqual('loadbalancer.example.com');
-  expect(route.match.ports).toEqual(443);
-  expect(route.action.type).toEqual('forward');
-  expect(route.action.targets).toBeDefined();
-  if (route.action.targets && Array.isArray(route.action.targets[0]?.host)) {
-    expect((route.action.targets[0].host as string[]).length).toEqual(3);
-  }
-  expect(route.action.targets?.[0]?.port).toEqual(8080);
-  expect(route.action.tls.mode).toEqual('terminate');
-  
-  const validationResult = validateRouteConfig(route);
-  expect(validationResult.valid).toBeTrue();
-});
-
-// --------------------------------- Route Pattern Tests ---------------------------------
-
-tap.test('Route Patterns - createApiGatewayRoute', async () => {
-  // Create API Gateway route
-  const apiGatewayRoute = createApiGatewayRoute(
-    'api.example.com',
-    '/v1',
-    { host: 'localhost', port: 3000 },
-    {
-      useTls: true,
-      addCorsHeaders: true
-    }
-  );
-  
-  // Validate route configuration
-  expect(apiGatewayRoute.match.domains).toEqual('api.example.com');
-  expect(apiGatewayRoute.match.path).toInclude('/v1');
-  expect(apiGatewayRoute.action.type).toEqual('forward');
-  expect(apiGatewayRoute.action.targets?.[0]?.port).toEqual(3000);
-  
-  // Check TLS configuration
-  if (apiGatewayRoute.action.tls) {
-    expect(apiGatewayRoute.action.tls.mode).toEqual('terminate');
-  }
-  
-  // Check CORS headers
-  if (apiGatewayRoute.headers && apiGatewayRoute.headers.response) {
-    expect(apiGatewayRoute.headers.response['Access-Control-Allow-Origin']).toEqual('*');
-  }
-  
-  const result = validateRouteConfig(apiGatewayRoute);
-  expect(result.valid).toBeTrue();
-});
-
-// createStaticFileServerRoute has been removed - static file serving should be handled by
-// external servers (nginx/apache) behind the proxy
-
-tap.test('Route Patterns - createWebSocketPattern', async () => {
-  // Create WebSocket route pattern
-  const wsRoute = createWebSocketPattern(
-    'ws.example.com',
-    { host: 'localhost', port: 3000 },
-    {
-      useTls: true,
-      path: '/socket',
-      pingInterval: 10000
-    }
-  );
-  
-  // Validate route configuration
-  expect(wsRoute.match.domains).toEqual('ws.example.com');
-  expect(wsRoute.match.path).toEqual('/socket');
-  expect(wsRoute.action.type).toEqual('forward');
-  expect(wsRoute.action.targets?.[0]?.port).toEqual(3000);
-  
-  // Check TLS configuration
-  if (wsRoute.action.tls) {
-    expect(wsRoute.action.tls.mode).toEqual('terminate');
-  }
-  
-  // Check websocket configuration if it exists
-  if (wsRoute.action.websocket) {
-    expect(wsRoute.action.websocket.enabled).toBeTrue();
-    expect(wsRoute.action.websocket.pingInterval).toEqual(10000);
-  }
-  
-  const result = validateRouteConfig(wsRoute);
-  expect(result.valid).toBeTrue();
-});
-
-tap.test('Route Patterns - createLoadBalancerRoute pattern', async () => {
-  // Create load balancer route pattern with missing algorithm as it might not be implemented yet
-  try {
-    const lbRoute = createLbPattern(
-      'lb.example.com',
-      [
-        { host: 'server1.local', port: 8080 },
-        { host: 'server2.local', port: 8080 },
-        { host: 'server3.local', port: 8080 }
-      ],
-      {
-        useTls: true
-      }
-    );
-    
-    // Validate route configuration
-    expect(lbRoute.match.domains).toEqual('lb.example.com');
-    expect(lbRoute.action.type).toEqual('forward');
-    
-    // Check target hosts
-    if (lbRoute.action.targets && Array.isArray(lbRoute.action.targets[0]?.host)) {
-      expect((lbRoute.action.targets[0].host as string[]).length).toEqual(3);
-    }
-    
-    // Check TLS configuration
-    if (lbRoute.action.tls) {
-      expect(lbRoute.action.tls.mode).toEqual('terminate');
-    }
-    
-    const result = validateRouteConfig(lbRoute);
-    expect(result.valid).toBeTrue();
-  } catch (error) {
-    // If the pattern is not implemented yet, skip this test
-    console.log('Load balancer pattern might not be fully implemented yet');
-  }
-});
-
-tap.test('Route Security - addRateLimiting', async () => {
-  // Create base route
-  const baseRoute = createHttpRoute('example.com', { host: 'localhost', port: 3000 });
-
-  // Add rate limiting
-  const secureRoute = addRateLimiting(baseRoute, {
-    maxRequests: 100,
-    window: 60, // 1 minute
-    keyBy: 'ip'
-  });
-
-  // Check if rate limiting is applied
-  if (secureRoute.security) {
-    expect(secureRoute.security.rateLimit?.enabled).toBeTrue();
-    expect(secureRoute.security.rateLimit?.maxRequests).toEqual(100);
-    expect(secureRoute.security.rateLimit?.window).toEqual(60);
-    expect(secureRoute.security.rateLimit?.keyBy).toEqual('ip');
-  } else {
-    // Skip this test if security features are not implemented yet
-    console.log('Security features not implemented yet in route configuration');
-  }
-
-  // Just check that the route itself is valid
-  const result = validateRouteConfig(secureRoute);
-  expect(result.valid).toBeTrue();
-});
-
-tap.test('Route Security - addBasicAuth', async () => {
-  // Create base route
-  const baseRoute = createHttpRoute('example.com', { host: 'localhost', port: 3000 });
-
-  // Add basic authentication
-  const authRoute = addBasicAuth(baseRoute, {
-    users: [
-      { username: 'admin', password: 'secret' },
-      { username: 'user', password: 'password' }
-    ],
-    realm: 'Protected Area',
-    excludePaths: ['/public']
-  });
-
-  // Check if basic auth is applied
-  if (authRoute.security) {
-    expect(authRoute.security.basicAuth?.enabled).toBeTrue();
-    expect(authRoute.security.basicAuth?.users.length).toEqual(2);
-    expect(authRoute.security.basicAuth?.realm).toEqual('Protected Area');
-    expect(authRoute.security.basicAuth?.excludePaths).toInclude('/public');
-  } else {
-    // Skip this test if security features are not implemented yet
-    console.log('Security features not implemented yet in route configuration');
-  }
-
-  // Check that the route itself is valid
-  const result = validateRouteConfig(authRoute);
-  expect(result.valid).toBeTrue();
-});
-
-tap.test('Route Security - addJwtAuth', async () => {
-  // Create base route
-  const baseRoute = createHttpRoute('example.com', { host: 'localhost', port: 3000 });
-
-  // Add JWT authentication
-  const jwtRoute = addJwtAuth(baseRoute, {
-    secret: 'your-jwt-secret-key',
-    algorithm: 'HS256',
-    issuer: 'auth.example.com',
-    audience: 'api.example.com',
-    expiresIn: 3600
-  });
-
-  // Check if JWT auth is applied
-  if (jwtRoute.security) {
-    expect(jwtRoute.security.jwtAuth?.enabled).toBeTrue();
-    expect(jwtRoute.security.jwtAuth?.secret).toEqual('your-jwt-secret-key');
-    expect(jwtRoute.security.jwtAuth?.algorithm).toEqual('HS256');
-    expect(jwtRoute.security.jwtAuth?.issuer).toEqual('auth.example.com');
-    expect(jwtRoute.security.jwtAuth?.audience).toEqual('api.example.com');
-    expect(jwtRoute.security.jwtAuth?.expiresIn).toEqual(3600);
-  } else {
-    // Skip this test if security features are not implemented yet
-    console.log('Security features not implemented yet in route configuration');
-  }
-
-  // Check that the route itself is valid
-  const result = validateRouteConfig(jwtRoute);
-  expect(result.valid).toBeTrue();
-});
-
 export default tap.start();

ts/00_commitinfo_data.ts

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@push.rocks/smartproxy',
-  version: '26.0.0',
+  version: '27.0.0',
   description: 'A powerful proxy package with unified route-based configuration for high traffic management. Features include SSL/TLS support, flexible routing patterns, WebSocket handling, advanced security options, and automatic ACME certificate management.'
 }

ts/plugins.ts

@@ -19,12 +19,14 @@ export { tsclass };
 import * as smartcrypto from '@push.rocks/smartcrypto';
 import * as smartlog from '@push.rocks/smartlog';
 import * as smartlogDestinationLocal from '@push.rocks/smartlog/destination-local';
+import * as smartnftables from '@push.rocks/smartnftables';
 import * as smartrust from '@push.rocks/smartrust';
 
 export {
   smartcrypto,
   smartlog,
   smartlogDestinationLocal,
+  smartnftables,
   smartrust,
 };
 

ts/proxies/smart-proxy/datagram-handler-server.ts

@@ -26,6 +26,8 @@ interface IDatagramRelayMessage {
  * - TS→Rust: { type: "reply", sourceIp, sourcePort, destPort, payloadBase64 }
  */
 export class DatagramHandlerServer {
+  private static readonly MAX_BUFFER_SIZE = 50 * 1024 * 1024; // 50 MB
+
   private server: plugins.net.Server | null = null;
   private connection: plugins.net.Socket | null = null;
   private socketPath: string;
@@ -100,6 +102,11 @@ export class DatagramHandlerServer {
 
     socket.on('data', (chunk: Buffer) => {
       this.readBuffer = Buffer.concat([this.readBuffer, chunk]);
+      if (this.readBuffer.length > DatagramHandlerServer.MAX_BUFFER_SIZE) {
+        logger.log('error', `DatagramHandlerServer: buffer exceeded ${DatagramHandlerServer.MAX_BUFFER_SIZE} bytes, resetting`);
+        this.readBuffer = Buffer.alloc(0);
+        return;
+      }
       this.processFrames();
     });
 

ts/proxies/smart-proxy/models/metrics-types.ts

@@ -72,6 +72,7 @@ export interface IMetrics {
     byBackend(): Map<string, IBackendMetrics>;
     protocols(): Map<string, string>;
     topByErrors(limit?: number): Array<{ backend: string; errors: number }>;
+    detectedProtocols(): IProtocolCacheEntry[];
   };
 
   // UDP metrics
@@ -113,6 +114,28 @@ export interface IMetricsConfig {
   prometheusPrefix: string;        // Default: smartproxy_
 }
 
+/**
+ * Protocol cache entry from the Rust proxy's auto-detection cache.
+ * Shows which protocol (h1/h2/h3) is detected for each backend+domain pair,
+ * including failure suppression state with escalating cooldowns.
+ */
+export interface IProtocolCacheEntry {
+  host: string;
+  port: number;
+  domain: string | null;
+  protocol: string;
+  h3Port: number | null;
+  ageSecs: number;
+  lastAccessedSecs: number;
+  lastProbedSecs: number;
+  h2Suppressed: boolean;
+  h3Suppressed: boolean;
+  h2CooldownRemainingSecs: number | null;
+  h3CooldownRemainingSecs: number | null;
+  h2ConsecutiveFailures: number | null;
+  h3ConsecutiveFailures: number | null;
+}
+
 /**
  * Per-backend metrics
  */

ts/proxies/smart-proxy/rust-metrics-adapter.ts

@@ -1,4 +1,4 @@
-import type { IMetrics, IBackendMetrics, IThroughputData, IThroughputHistoryPoint } from './models/metrics-types.js';
+import type { IMetrics, IBackendMetrics, IProtocolCacheEntry, IThroughputData, IThroughputHistoryPoint } from './models/metrics-types.js';
 import type { RustProxyBridge } from './rust-proxy-bridge.js';
 
 /**
@@ -216,6 +216,9 @@ export class RustMetricsAdapter implements IMetrics {
       result.sort((a, b) => b.errors - a.errors);
       return result.slice(0, limit);
     },
+    detectedProtocols: (): IProtocolCacheEntry[] => {
+      return this.cache?.detectedProtocols ?? [];
+    },
   };
 
   public udp = {

ts/proxies/smart-proxy/rust-proxy-bridge.ts

@@ -15,7 +15,6 @@ type TSmartProxyCommands = {
   renewCertificate:      { params: { routeName: string };        result: void };
   getCertificateStatus:  { params: { routeName: string };        result: any };
   getListeningPorts:     { params: Record<string, never>;        result: { ports: number[] } };
-  getNftablesStatus:     { params: Record<string, never>;        result: any };
   setSocketHandlerRelay: { params: { socketPath: string };       result: void };
   addListeningPort:      { params: { port: number };             result: void };
   removeListeningPort:   { params: { port: number };             result: void };
@@ -159,10 +158,6 @@ export class RustProxyBridge extends plugins.EventEmitter {
     return result?.ports ?? [];
   }
 
-  public async getNftablesStatus(): Promise<any> {
-    return this.bridge.sendCommand('getNftablesStatus', {} as Record<string, never>);
-  }
-
   public async setSocketHandlerRelay(socketPath: string): Promise<void> {
     await this.bridge.sendCommand('setSocketHandlerRelay', { socketPath });
   }

ts/proxies/smart-proxy/smart-proxy.ts

@@ -23,8 +23,8 @@ import type { IMetrics } from './models/metrics-types.js';
 /**
  * SmartProxy - Rust-backed proxy engine with TypeScript configuration API.
  *
- * All networking (TCP, TLS, HTTP reverse proxy, connection management, security,
- * NFTables) is handled by the Rust binary. TypeScript is only:
+ * All networking (TCP, TLS, HTTP reverse proxy, connection management, security)
+ * is handled by the Rust binary. TypeScript is only:
  * - The npm module interface (types, route helpers)
  * - The thin IPC wrapper (this class)
  * - Socket-handler callback relay (for JS-defined handlers)
@@ -39,6 +39,7 @@ export class SmartProxy extends plugins.EventEmitter {
   private socketHandlerServer: SocketHandlerServer | null = null;
   private datagramHandlerServer: DatagramHandlerServer | null = null;
   private metricsAdapter: RustMetricsAdapter;
+  private nftablesManager: InstanceType<typeof plugins.smartnftables.SmartNftables> | null = null;
   private routeUpdateLock: Mutex;
   private stopping = false;
   private certProvisionPromise: Promise<void> | null = null;
@@ -128,6 +129,7 @@ export class SmartProxy extends plugins.EventEmitter {
     }
 
     // Handle unexpected exit (only emits error if not intentionally stopping)
+    this.bridge.removeAllListeners('exit');
     this.bridge.on('exit', (code: number | null, signal: string | null) => {
       if (this.stopping) return;
       logger.log('error', `RustProxy exited unexpectedly (code=${code}, signal=${signal})`, { component: 'smart-proxy' });
@@ -210,6 +212,9 @@ export class SmartProxy extends plugins.EventEmitter {
       }
     }
 
+    // Apply NFTables rules for routes using nftables forwarding engine
+    await this.applyNftablesRules(this.settings.routes);
+
     // Start metrics polling BEFORE cert provisioning — the Rust engine is already
     // running and accepting connections, so metrics should be available immediately.
     // Cert provisioning can hang indefinitely (e.g. DNS-01 ACME timeouts) and must
@@ -237,6 +242,12 @@ export class SmartProxy extends plugins.EventEmitter {
       this.certProvisionPromise = null;
     }
 
+    // Clean up NFTables rules
+    if (this.nftablesManager) {
+      await this.nftablesManager.cleanup();
+      this.nftablesManager = null;
+    }
+
     // Stop metrics polling
     this.metricsAdapter.stopPolling();
 
@@ -318,6 +329,13 @@ export class SmartProxy extends plugins.EventEmitter {
         this.datagramHandlerServer = null;
       }
 
+      // Update NFTables rules
+      if (this.nftablesManager) {
+        await this.nftablesManager.cleanup();
+        this.nftablesManager = null;
+      }
+      await this.applyNftablesRules(newRoutes);
+
       // Update stored routes
       this.settings.routes = newRoutes;
 
@@ -410,14 +428,59 @@ export class SmartProxy extends plugins.EventEmitter {
   }
 
   /**
-   * Get NFTables status (async - calls Rust).
+   * Get NFTables status.
    */
-  public async getNfTablesStatus(): Promise<Record<string, any>> {
-    return this.bridge.getNftablesStatus();
+  public getNfTablesStatus(): plugins.smartnftables.INftStatus | null {
+    return this.nftablesManager?.status() ?? null;
   }
 
   // --- Private helpers ---
 
+  /**
+   * Apply NFTables rules for routes using the nftables forwarding engine.
+   */
+  private async applyNftablesRules(routes: IRouteConfig[]): Promise<void> {
+    const nftRoutes = routes.filter(r => r.action.forwardingEngine === 'nftables');
+    if (nftRoutes.length === 0) return;
+
+    const tableName = nftRoutes.find(r => r.action.nftables?.tableName)?.action.nftables?.tableName ?? 'smartproxy';
+    const nft = new plugins.smartnftables.SmartNftables({ tableName });
+    await nft.initialize();
+
+    for (const route of nftRoutes) {
+      const routeId = route.name || 'unnamed';
+      const targets = route.action.targets;
+      if (!targets) continue;
+
+      const nftOpts = route.action.nftables;
+      const protocol: plugins.smartnftables.TNftProtocol = (nftOpts?.protocol as any) ?? 'tcp';
+      const preserveSourceIP = nftOpts?.preserveSourceIP ?? false;
+
+      const ports = Array.isArray(route.match.ports)
+        ? route.match.ports.flatMap(p => typeof p === 'number' ? [p] : [])
+        : typeof route.match.ports === 'number' ? [route.match.ports] : [];
+
+      for (const target of targets) {
+        const targetHost = Array.isArray(target.host) ? target.host[0] : target.host;
+        if (typeof targetHost !== 'string') continue;
+
+        for (const sourcePort of ports) {
+          const targetPort = typeof target.port === 'number' ? target.port : sourcePort;
+          await nft.nat.addPortForwarding(`${routeId}-${sourcePort}-${targetPort}`, {
+            sourcePort,
+            targetHost,
+            targetPort,
+            protocol,
+            preserveSourceIP,
+          });
+        }
+      }
+    }
+
+    this.nftablesManager = nft;
+    logger.log('info', `Applied NFTables rules for ${nftRoutes.length} route(s)`, { component: 'smart-proxy' });
+  }
+
   /**
    * Build the Rust configuration object from TS settings.
    */

ts/proxies/smart-proxy/utils/index.ts

@@ -2,12 +2,9 @@
  * SmartProxy Route Utilities
  *
  * This file exports all route-related utilities for the SmartProxy module,
- * including helpers, validators, utilities, and patterns for working with routes.
+ * including validators, utilities, and socket handlers for working with routes.
  */
 
-// Export route helpers for creating route configurations
-export * from './route-helpers.js';
-
 // Export route validator (class-based and functional API)
 export * from './route-validator.js';
 
@@ -20,10 +17,5 @@ export { generateDefaultCertificate } from './default-cert-generator.js';
 // Export concurrency semaphore
 export { ConcurrencySemaphore } from './concurrency-semaphore.js';
 
-// Export additional functions from route-helpers that weren't already exported
-export {
-  createApiGatewayRoute,
-  addRateLimiting,
-  addBasicAuth,
-  addJwtAuth
-} from './route-helpers.js';
+// Export socket handlers
+export { SocketHandlers } from './socket-handlers.js';

ts/proxies/smart-proxy/utils/route-helpers.ts

@@ -1,11 +0,0 @@
-/**
- * Route Helper Functions
- *
- * This file re-exports all route helper functions for backwards compatibility.
- * The actual implementations have been split into focused modules in the route-helpers/ directory.
- *
- * @see ./route-helpers/index.ts for the modular exports
- */
-
-// Re-export everything from the modular helpers
-export * from './route-helpers/index.js';

ts/proxies/smart-proxy/utils/route-helpers/api-helpers.ts

@@ -1,144 +0,0 @@
-/**
- * API Route Helper Functions
- *
- * This module provides utility functions for creating API route configurations.
- */
-
-import type { IRouteConfig, IRouteMatch, IRouteAction } from '../../models/route-types.js';
-import { mergeRouteConfigs } from '../route-utils.js';
-import { createHttpRoute } from './http-helpers.js';
-import { createHttpsTerminateRoute } from './https-helpers.js';
-
-/**
- * Create an API route configuration
- * @param domains Domain(s) to match
- * @param apiPath API base path (e.g., "/api")
- * @param target Target host and port
- * @param options Additional route options
- * @returns Route configuration object
- */
-export function createApiRoute(
-  domains: string | string[],
-  apiPath: string,
-  target: { host: string | string[]; port: number },
-  options: {
-    useTls?: boolean;
-    certificate?: 'auto' | { key: string; cert: string };
-    addCorsHeaders?: boolean;
-    httpPort?: number | number[];
-    httpsPort?: number | number[];
-    name?: string;
-    [key: string]: any;
-  } = {}
-): IRouteConfig {
-  // Normalize API path
-  const normalizedPath = apiPath.startsWith('/') ? apiPath : `/${apiPath}`;
-  const pathWithWildcard = normalizedPath.endsWith('/')
-    ? `${normalizedPath}*`
-    : `${normalizedPath}/*`;
-
-  // Create route match
-  const match: IRouteMatch = {
-    ports: options.useTls
-      ? (options.httpsPort || 443)
-      : (options.httpPort || 80),
-    domains,
-    path: pathWithWildcard
-  };
-
-  // Create route action
-  const action: IRouteAction = {
-    type: 'forward',
-    targets: [target]
-  };
-
-  // Add TLS configuration if using HTTPS
-  if (options.useTls) {
-    action.tls = {
-      mode: 'terminate',
-      certificate: options.certificate || 'auto'
-    };
-  }
-
-  // Add CORS headers if requested
-  const headers: Record<string, Record<string, string>> = {};
-  if (options.addCorsHeaders) {
-    headers.response = {
-      'Access-Control-Allow-Origin': '*',
-      'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
-      'Access-Control-Allow-Headers': 'Content-Type, Authorization',
-      'Access-Control-Max-Age': '86400'
-    };
-  }
-
-  // Create the route config
-  return {
-    match,
-    action,
-    headers: Object.keys(headers).length > 0 ? headers : undefined,
-    name: options.name || `API Route ${normalizedPath} for ${Array.isArray(domains) ? domains.join(', ') : domains}`,
-    priority: options.priority || 100, // Higher priority for specific path matches
-    ...options
-  };
-}
-
-/**
- * Create an API Gateway route pattern
- * @param domains Domain(s) to match
- * @param apiBasePath Base path for API endpoints (e.g., '/api')
- * @param target Target host and port
- * @param options Additional route options
- * @returns API route configuration
- */
-export function createApiGatewayRoute(
-  domains: string | string[],
-  apiBasePath: string,
-  target: { host: string | string[]; port: number },
-  options: {
-    useTls?: boolean;
-    certificate?: 'auto' | { key: string; cert: string };
-    addCorsHeaders?: boolean;
-    [key: string]: any;
-  } = {}
-): IRouteConfig {
-  // Normalize apiBasePath to ensure it starts with / and doesn't end with /
-  const normalizedPath = apiBasePath.startsWith('/')
-    ? apiBasePath
-    : `/${apiBasePath}`;
-
-  // Add wildcard to path to match all API endpoints
-  const apiPath = normalizedPath.endsWith('/')
-    ? `${normalizedPath}*`
-    : `${normalizedPath}/*`;
-
-  // Create base route
-  const baseRoute = options.useTls
-    ? createHttpsTerminateRoute(domains, target, {
-        certificate: options.certificate || 'auto'
-      })
-    : createHttpRoute(domains, target);
-
-  // Add API-specific configurations
-  const apiRoute: Partial<IRouteConfig> = {
-    match: {
-      ...baseRoute.match,
-      path: apiPath
-    },
-    name: options.name || `API Gateway: ${apiPath} -> ${Array.isArray(target.host) ? target.host.join(', ') : target.host}:${target.port}`,
-    priority: options.priority || 100 // Higher priority for specific path matching
-  };
-
-  // Add CORS headers if requested
-  if (options.addCorsHeaders) {
-    apiRoute.headers = {
-      response: {
-        'Access-Control-Allow-Origin': '*',
-        'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
-        'Access-Control-Allow-Headers': 'Content-Type, Authorization',
-        'Access-Control-Max-Age': '86400'
-      }
-    };
-  }
-
-  return mergeRouteConfigs(baseRoute, apiRoute);
-}

ts/proxies/smart-proxy/utils/route-helpers/dynamic-helpers.ts

@@ -1,124 +0,0 @@
-/**
- * Dynamic Route Helper Functions
- *
- * This module provides utility functions for creating dynamic routes
- * with context-based host and port mapping.
- */
-
-import type { IRouteConfig, IRouteMatch, IRouteAction, TPortRange, IRouteContext } from '../../models/route-types.js';
-
-/**
- * Create a helper function that applies a port offset
- * @param offset The offset to apply to the matched port
- * @returns A function that adds the offset to the matched port
- */
-export function createPortOffset(offset: number): (context: IRouteContext) => number {
-  return (context: IRouteContext) => context.port + offset;
-}
-
-/**
- * Create a port mapping route with context-based port function
- * @param options Port mapping route options
- * @returns Route configuration object
- */
-export function createPortMappingRoute(options: {
-  sourcePortRange: TPortRange;
-  targetHost: string | string[] | ((context: IRouteContext) => string | string[]);
-  portMapper: (context: IRouteContext) => number;
-  name?: string;
-  domains?: string | string[];
-  priority?: number;
-  [key: string]: any;
-}): IRouteConfig {
-  // Create route match
-  const match: IRouteMatch = {
-    ports: options.sourcePortRange,
-    domains: options.domains
-  };
-
-  // Create route action
-  const action: IRouteAction = {
-    type: 'forward',
-    targets: [{
-      host: options.targetHost,
-      port: options.portMapper
-    }]
-  };
-
-  // Create the route config
-  return {
-    match,
-    action,
-    name: options.name || `Port Mapping Route for ${options.domains || 'all domains'}`,
-    priority: options.priority,
-    ...options
-  };
-}
-
-/**
- * Create a simple offset port mapping route
- * @param options Offset port mapping route options
- * @returns Route configuration object
- */
-export function createOffsetPortMappingRoute(options: {
-  ports: TPortRange;
-  targetHost: string | string[];
-  offset: number;
-  name?: string;
-  domains?: string | string[];
-  priority?: number;
-  [key: string]: any;
-}): IRouteConfig {
-  return createPortMappingRoute({
-    sourcePortRange: options.ports,
-    targetHost: options.targetHost,
-    portMapper: (context) => context.port + options.offset,
-    name: options.name || `Offset Mapping (${options.offset > 0 ? '+' : ''}${options.offset}) for ${options.domains || 'all domains'}`,
-    domains: options.domains,
-    priority: options.priority,
-    ...options
-  });
-}
-
-/**
- * Create a dynamic route with context-based host and port mapping
- * @param options Dynamic route options
- * @returns Route configuration object
- */
-export function createDynamicRoute(options: {
-  ports: TPortRange;
-  targetHost: (context: IRouteContext) => string | string[];
-  portMapper: (context: IRouteContext) => number;
-  name?: string;
-  domains?: string | string[];
-  path?: string;
-  clientIp?: string[];
-  priority?: number;
-  [key: string]: any;
-}): IRouteConfig {
-  // Create route match
-  const match: IRouteMatch = {
-    ports: options.ports,
-    domains: options.domains,
-    path: options.path,
-    clientIp: options.clientIp
-  };
-
-  // Create route action
-  const action: IRouteAction = {
-    type: 'forward',
-    targets: [{
-      host: options.targetHost,
-      port: options.portMapper
-    }]
-  };
-
-  // Create the route config
-  return {
-    match,
-    action,
-    name: options.name || `Dynamic Route for ${options.domains || 'all domains'}`,
-    priority: options.priority,
-    ...options
-  };
-}

ts/proxies/smart-proxy/utils/route-helpers/http-helpers.ts

@@ -1,40 +0,0 @@
-/**
- * HTTP Route Helper Functions
- *
- * This module provides utility functions for creating HTTP route configurations.
- */
-
-import type { IRouteConfig, IRouteMatch, IRouteAction } from '../../models/route-types.js';
-
-/**
- * Create an HTTP-only route configuration
- * @param domains Domain(s) to match
- * @param target Target host and port
- * @param options Additional route options
- * @returns Route configuration object
- */
-export function createHttpRoute(
-  domains: string | string[],
-  target: { host: string | string[]; port: number },
-  options: Partial<IRouteConfig> = {}
-): IRouteConfig {
-  // Create route match
-  const match: IRouteMatch = {
-    ports: options.match?.ports || 80,
-    domains
-  };
-
-  // Create route action
-  const action: IRouteAction = {
-    type: 'forward',
-    targets: [target]
-  };
-
-  // Create the route config
-  return {
-    match,
-    action,
-    name: options.name || `HTTP Route for ${Array.isArray(domains) ? domains.join(', ') : domains}`,
-    ...options
-  };
-}

ts/proxies/smart-proxy/utils/route-helpers/https-helpers.ts

@@ -1,163 +0,0 @@
-/**
- * HTTPS Route Helper Functions
- *
- * This module provides utility functions for creating HTTPS route configurations
- * including TLS termination and passthrough routes.
- */
-
-import type { IRouteConfig, IRouteMatch, IRouteAction } from '../../models/route-types.js';
-import { SocketHandlers } from './socket-handlers.js';
-
-/**
- * Create an HTTPS route with TLS termination
- * @param domains Domain(s) to match
- * @param target Target host and port
- * @param options Additional route options
- * @returns Route configuration object
- */
-export function createHttpsTerminateRoute(
-  domains: string | string[],
-  target: { host: string | string[]; port: number },
-  options: {
-    certificate?: 'auto' | { key: string; cert: string };
-    httpPort?: number | number[];
-    httpsPort?: number | number[];
-    reencrypt?: boolean;
-    name?: string;
-    [key: string]: any;
-  } = {}
-): IRouteConfig {
-  // Create route match
-  const match: IRouteMatch = {
-    ports: options.httpsPort || 443,
-    domains
-  };
-
-  // Create route action
-  const action: IRouteAction = {
-    type: 'forward',
-    targets: [target],
-    tls: {
-      mode: options.reencrypt ? 'terminate-and-reencrypt' : 'terminate',
-      certificate: options.certificate || 'auto'
-    }
-  };
-
-  // Create the route config
-  return {
-    match,
-    action,
-    name: options.name || `HTTPS Route for ${Array.isArray(domains) ? domains.join(', ') : domains}`,
-    ...options
-  };
-}
-
-/**
- * Create an HTTP to HTTPS redirect route
- * @param domains Domain(s) to match
- * @param httpsPort HTTPS port to redirect to (default: 443)
- * @param options Additional route options
- * @returns Route configuration object
- */
-export function createHttpToHttpsRedirect(
-  domains: string | string[],
-  httpsPort: number = 443,
-  options: Partial<IRouteConfig> = {}
-): IRouteConfig {
-  // Create route match
-  const match: IRouteMatch = {
-    ports: options.match?.ports || 80,
-    domains
-  };
-
-  // Create route action
-  const action: IRouteAction = {
-    type: 'socket-handler',
-    socketHandler: SocketHandlers.httpRedirect(`https://{domain}:${httpsPort}{path}`, 301)
-  };
-
-  // Create the route config
-  return {
-    match,
-    action,
-    name: options.name || `HTTP to HTTPS Redirect for ${Array.isArray(domains) ? domains.join(', ') : domains}`,
-    ...options
-  };
-}
-
-/**
- * Create an HTTPS passthrough route (SNI-based forwarding without TLS termination)
- * @param domains Domain(s) to match
- * @param target Target host and port
- * @param options Additional route options
- * @returns Route configuration object
- */
-export function createHttpsPassthroughRoute(
-  domains: string | string[],
-  target: { host: string | string[]; port: number },
-  options: Partial<IRouteConfig> = {}
-): IRouteConfig {
-  // Create route match
-  const match: IRouteMatch = {
-    ports: options.match?.ports || 443,
-    domains
-  };
-
-  // Create route action
-  const action: IRouteAction = {
-    type: 'forward',
-    targets: [target],
-    tls: {
-      mode: 'passthrough'
-    }
-  };
-
-  // Create the route config
-  return {
-    match,
-    action,
-    name: options.name || `HTTPS Passthrough for ${Array.isArray(domains) ? domains.join(', ') : domains}`,
-    ...options
-  };
-}
-
-/**
- * Create a complete HTTPS server with HTTP to HTTPS redirects
- * @param domains Domain(s) to match
- * @param target Target host and port
- * @param options Additional configuration options
- * @returns Array of two route configurations (HTTPS and HTTP redirect)
- */
-export function createCompleteHttpsServer(
-  domains: string | string[],
-  target: { host: string | string[]; port: number },
-  options: {
-    certificate?: 'auto' | { key: string; cert: string };
-    httpPort?: number | number[];
-    httpsPort?: number | number[];
-    reencrypt?: boolean;
-    name?: string;
-    [key: string]: any;
-  } = {}
-): IRouteConfig[] {
-  // Create the HTTPS route
-  const httpsRoute = createHttpsTerminateRoute(domains, target, options);
-
-  // Create the HTTP redirect route
-  const httpRedirectRoute = createHttpToHttpsRedirect(
-    domains,
-    // Extract the HTTPS port from the HTTPS route - ensure it's a number
-    typeof options.httpsPort === 'number' ? options.httpsPort :
-      Array.isArray(options.httpsPort) ? options.httpsPort[0] : 443,
-    {
-      // Set the HTTP port
-      match: {
-        ports: options.httpPort || 80,
-        domains
-      },
-      name: `HTTP to HTTPS Redirect for ${Array.isArray(domains) ? domains.join(', ') : domains}`
-    }
-  );
-
-  return [httpsRoute, httpRedirectRoute];
-}

ts/proxies/smart-proxy/utils/route-helpers/index.ts

@@ -1,62 +0,0 @@
-/**
- * Route Helper Functions
- *
- * This module provides utility functions for creating route configurations for common scenarios.
- * These functions aim to simplify the creation of route configurations for typical use cases.
- *
- * This barrel file re-exports all helper functions for backwards compatibility.
- */
-
-// HTTP helpers
-export { createHttpRoute } from './http-helpers.js';
-
-// HTTPS helpers
-export {
-  createHttpsTerminateRoute,
-  createHttpToHttpsRedirect,
-  createHttpsPassthroughRoute,
-  createCompleteHttpsServer
-} from './https-helpers.js';
-
-// WebSocket helpers
-export { createWebSocketRoute } from './websocket-helpers.js';
-
-// Load balancer helpers
-export {
-  createLoadBalancerRoute,
-  createSmartLoadBalancer
-} from './load-balancer-helpers.js';
-
-// NFTables helpers
-export {
-  createNfTablesRoute,
-  createNfTablesTerminateRoute,
-  createCompleteNfTablesHttpsServer
-} from './nftables-helpers.js';
-
-// Dynamic routing helpers
-export {
-  createPortOffset,
-  createPortMappingRoute,
-  createOffsetPortMappingRoute,
-  createDynamicRoute
-} from './dynamic-helpers.js';
-
-// API helpers
-export {
-  createApiRoute,
-  createApiGatewayRoute
-} from './api-helpers.js';
-
-// Security helpers
-export {
-  addRateLimiting,
-  addBasicAuth,
-  addJwtAuth
-} from './security-helpers.js';
-
-// Socket handlers
-export {
-  SocketHandlers,
-  createSocketHandlerRoute
-} from './socket-handlers.js';

ts/proxies/smart-proxy/utils/route-helpers/load-balancer-helpers.ts

@@ -1,154 +0,0 @@
-/**
- * Load Balancer Route Helper Functions
- *
- * This module provides utility functions for creating load balancer route configurations.
- */
-
-import type { IRouteConfig, IRouteMatch, IRouteAction, IRouteTarget, TPortRange, IRouteContext } from '../../models/route-types.js';
-
-/**
- * Create a load balancer route (round-robin between multiple backend hosts)
- * @param domains Domain(s) to match
- * @param backendsOrHosts Array of backend servers OR array of host strings (legacy)
- * @param portOrOptions Port number (legacy) OR options object
- * @param options Additional route options (legacy)
- * @returns Route configuration object
- */
-export function createLoadBalancerRoute(
-  domains: string | string[],
-  backendsOrHosts: Array<{ host: string; port: number }> | string[],
-  portOrOptions?: number | {
-    tls?: {
-      mode: 'passthrough' | 'terminate' | 'terminate-and-reencrypt';
-      certificate?: 'auto' | { key: string; cert: string };
-    };
-    useTls?: boolean;
-    certificate?: 'auto' | { key: string; cert: string };
-    algorithm?: 'round-robin' | 'least-connections' | 'ip-hash';
-    healthCheck?: {
-      path: string;
-      interval: number;
-      timeout: number;
-      unhealthyThreshold: number;
-      healthyThreshold: number;
-    };
-    [key: string]: any;
-  },
-  options?: {
-    tls?: {
-      mode: 'passthrough' | 'terminate' | 'terminate-and-reencrypt';
-      certificate?: 'auto' | { key: string; cert: string };
-    };
-    [key: string]: any;
-  }
-): IRouteConfig {
-  // Handle legacy signature: (domains, hosts[], port, options)
-  let backends: Array<{ host: string; port: number }>;
-  let finalOptions: any;
-
-  if (Array.isArray(backendsOrHosts) && backendsOrHosts.length > 0 && typeof backendsOrHosts[0] === 'string') {
-    // Legacy signature
-    const hosts = backendsOrHosts as string[];
-    const port = portOrOptions as number;
-    backends = hosts.map(host => ({ host, port }));
-    finalOptions = options || {};
-  } else {
-    // New signature
-    backends = backendsOrHosts as Array<{ host: string; port: number }>;
-    finalOptions = (portOrOptions as any) || {};
-  }
-
-  // Extract hosts and ensure all backends use the same port
-  const port = backends[0].port;
-  const hosts = backends.map(backend => backend.host);
-
-  // Create route match
-  const match: IRouteMatch = {
-    ports: finalOptions.match?.ports || (finalOptions.tls || finalOptions.useTls ? 443 : 80),
-    domains
-  };
-
-  // Create route target
-  const target: IRouteTarget = {
-    host: hosts,
-    port
-  };
-
-  // Create route action
-  const action: IRouteAction = {
-    type: 'forward',
-    targets: [target]
-  };
-
-  // Add TLS configuration if provided
-  if (finalOptions.tls || finalOptions.useTls) {
-    action.tls = {
-      mode: finalOptions.tls?.mode || 'terminate',
-      certificate: finalOptions.tls?.certificate || finalOptions.certificate || 'auto'
-    };
-  }
-
-  // Add load balancing options
-  if (finalOptions.algorithm || finalOptions.healthCheck) {
-    action.loadBalancing = {
-      algorithm: finalOptions.algorithm || 'round-robin',
-      healthCheck: finalOptions.healthCheck
-    };
-  }
-
-  // Create the route config
-  return {
-    match,
-    action,
-    name: finalOptions.name || `Load Balancer for ${Array.isArray(domains) ? domains.join(', ') : domains}`,
-    ...finalOptions
-  };
-}
-
-/**
- * Create a smart load balancer with dynamic domain-based backend selection
- * @param options Smart load balancer options
- * @returns Route configuration object
- */
-export function createSmartLoadBalancer(options: {
-  ports: TPortRange;
-  domainTargets: Record<string, string | string[]>;
-  portMapper: (context: IRouteContext) => number;
-  name?: string;
-  defaultTarget?: string | string[];
-  priority?: number;
-  [key: string]: any;
-}): IRouteConfig {
-  // Extract all domain keys to create the match criteria
-  const domains = Object.keys(options.domainTargets);
-
-  // Create the smart host selector function
-  const hostSelector = (context: IRouteContext) => {
-    const domain = context.domain || '';
-    return options.domainTargets[domain] || options.defaultTarget || 'localhost';
-  };
-
-  // Create route match
-  const match: IRouteMatch = {
-    ports: options.ports,
-    domains
-  };
-
-  // Create route action
-  const action: IRouteAction = {
-    type: 'forward',
-    targets: [{
-      host: hostSelector,
-      port: options.portMapper
-    }]
-  };
-
-  // Create the route config
-  return {
-    match,
-    action,
-    name: options.name || `Smart Load Balancer for ${domains.join(', ')}`,
-    priority: options.priority,
-    ...options
-  };
-}

ts/proxies/smart-proxy/utils/route-helpers/nftables-helpers.ts

@@ -1,202 +0,0 @@
-/**
- * NFTables Route Helper Functions
- *
- * This module provides utility functions for creating NFTables-based route configurations
- * for high-performance packet forwarding at the kernel level.
- */
-
-import type { IRouteConfig, IRouteMatch, IRouteAction, TPortRange } from '../../models/route-types.js';
-import { createHttpToHttpsRedirect } from './https-helpers.js';
-
-/**
- * Create an NFTables-based route for high-performance packet forwarding
- * @param nameOrDomains Name or domain(s) to match
- * @param target Target host and port
- * @param options Additional route options
- * @returns Route configuration object
- */
-export function createNfTablesRoute(
-  nameOrDomains: string | string[],
-  target: { host: string; port: number | 'preserve' },
-  options: {
-    ports?: TPortRange;
-    protocol?: 'tcp' | 'udp' | 'all';
-    preserveSourceIP?: boolean;
-    ipAllowList?: string[];
-    ipBlockList?: string[];
-    maxRate?: string;
-    priority?: number;
-    useTls?: boolean;
-    tableName?: string;
-    useIPSets?: boolean;
-    useAdvancedNAT?: boolean;
-  } = {}
-): IRouteConfig {
-  // Determine if this is a name or domain
-  let name: string;
-  let domains: string | string[] | undefined;
-
-  if (Array.isArray(nameOrDomains) || (typeof nameOrDomains === 'string' && nameOrDomains.includes('.'))) {
-    domains = nameOrDomains;
-    name = Array.isArray(nameOrDomains) ? nameOrDomains[0] : nameOrDomains;
-  } else {
-    name = nameOrDomains;
-    domains = undefined; // No domains
-  }
-
-  // Create route match
-  const match: IRouteMatch = {
-    domains,
-    ports: options.ports || 80
-  };
-
-  // Create route action
-  const action: IRouteAction = {
-    type: 'forward',
-    targets: [{
-      host: target.host,
-      port: target.port
-    }],
-    forwardingEngine: 'nftables',
-    nftables: {
-      protocol: options.protocol || 'tcp',
-      preserveSourceIP: options.preserveSourceIP,
-      maxRate: options.maxRate,
-      priority: options.priority,
-      tableName: options.tableName,
-      useIPSets: options.useIPSets,
-      useAdvancedNAT: options.useAdvancedNAT
-    }
-  };
-
-  // Add TLS options if needed
-  if (options.useTls) {
-    action.tls = {
-      mode: 'passthrough'
-    };
-  }
-
-  // Create the route config
-  const routeConfig: IRouteConfig = {
-    name,
-    match,
-    action
-  };
-
-  // Add security if allowed or blocked IPs are specified
-  if (options.ipAllowList?.length || options.ipBlockList?.length) {
-    routeConfig.security = {
-      ipAllowList: options.ipAllowList,
-      ipBlockList: options.ipBlockList
-    };
-  }
-
-  return routeConfig;
-}
-
-/**
- * Create an NFTables-based TLS termination route
- * @param nameOrDomains Name or domain(s) to match
- * @param target Target host and port
- * @param options Additional route options
- * @returns Route configuration object
- */
-export function createNfTablesTerminateRoute(
-  nameOrDomains: string | string[],
-  target: { host: string; port: number | 'preserve' },
-  options: {
-    ports?: TPortRange;
-    protocol?: 'tcp' | 'udp' | 'all';
-    preserveSourceIP?: boolean;
-    ipAllowList?: string[];
-    ipBlockList?: string[];
-    maxRate?: string;
-    priority?: number;
-    tableName?: string;
-    useIPSets?: boolean;
-    useAdvancedNAT?: boolean;
-    certificate?: 'auto' | { key: string; cert: string };
-  } = {}
-): IRouteConfig {
-  // Create basic NFTables route
-  const route = createNfTablesRoute(
-    nameOrDomains,
-    target,
-    {
-      ...options,
-      ports: options.ports || 443,
-      useTls: false
-    }
-  );
-
-  // Set TLS termination
-  route.action.tls = {
-    mode: 'terminate',
-    certificate: options.certificate || 'auto'
-  };
-
-  return route;
-}
-
-/**
- * Create a complete NFTables-based HTTPS setup with HTTP redirect
- * @param nameOrDomains Name or domain(s) to match
- * @param target Target host and port
- * @param options Additional route options
- * @returns Array of two route configurations (HTTPS and HTTP redirect)
- */
-export function createCompleteNfTablesHttpsServer(
-  nameOrDomains: string | string[],
-  target: { host: string; port: number | 'preserve' },
-  options: {
-    httpPort?: TPortRange;
-    httpsPort?: TPortRange;
-    protocol?: 'tcp' | 'udp' | 'all';
-    preserveSourceIP?: boolean;
-    ipAllowList?: string[];
-    ipBlockList?: string[];
-    maxRate?: string;
-    priority?: number;
-    tableName?: string;
-    useIPSets?: boolean;
-    useAdvancedNAT?: boolean;
-    certificate?: 'auto' | { key: string; cert: string };
-  } = {}
-): IRouteConfig[] {
-  // Create the HTTPS route using NFTables
-  const httpsRoute = createNfTablesTerminateRoute(
-    nameOrDomains,
-    target,
-    {
-      ...options,
-      ports: options.httpsPort || 443
-    }
-  );
-
-  // Determine the domain(s) for HTTP redirect
-  const domains = typeof nameOrDomains === 'string' && !nameOrDomains.includes('.')
-    ? undefined
-    : nameOrDomains;
-
-  // Extract the HTTPS port for the redirect destination
-  const httpsPort = typeof options.httpsPort === 'number'
-    ? options.httpsPort
-    : Array.isArray(options.httpsPort) && typeof options.httpsPort[0] === 'number'
-      ? options.httpsPort[0]
-      : 443;
-
-  // Create the HTTP redirect route (this uses standard forwarding, not NFTables)
-  const httpRedirectRoute = createHttpToHttpsRedirect(
-    domains as any, // Type cast needed since domains can be undefined now
-    httpsPort,
-    {
-      match: {
-        ports: options.httpPort || 80,
-        domains: domains as any // Type cast needed since domains can be undefined now
-      },
-      name: `HTTP to HTTPS Redirect for ${Array.isArray(domains) ? domains.join(', ') : domains || 'all domains'}`
-    }
-  );
-
-  return [httpsRoute, httpRedirectRoute];
-}

ts/proxies/smart-proxy/utils/route-helpers/security-helpers.ts

@@ -1,96 +0,0 @@
-/**
- * Security Route Helper Functions
- *
- * This module provides utility functions for adding security features to routes.
- */
-
-import type { IRouteConfig } from '../../models/route-types.js';
-import { mergeRouteConfigs } from '../route-utils.js';
-
-/**
- * Create a rate limiting route pattern
- * @param baseRoute Base route to add rate limiting to
- * @param rateLimit Rate limiting configuration
- * @returns Route with rate limiting
- */
-export function addRateLimiting(
-  baseRoute: IRouteConfig,
-  rateLimit: {
-    maxRequests: number;
-    window: number; // Time window in seconds
-    keyBy?: 'ip' | 'path' | 'header';
-    headerName?: string; // Required if keyBy is 'header'
-    errorMessage?: string;
-  }
-): IRouteConfig {
-  return mergeRouteConfigs(baseRoute, {
-    security: {
-      rateLimit: {
-        enabled: true,
-        maxRequests: rateLimit.maxRequests,
-        window: rateLimit.window,
-        keyBy: rateLimit.keyBy || 'ip',
-        headerName: rateLimit.headerName,
-        errorMessage: rateLimit.errorMessage || 'Rate limit exceeded. Please try again later.'
-      }
-    }
-  });
-}
-
-/**
- * Create a basic authentication route pattern
- * @param baseRoute Base route to add authentication to
- * @param auth Authentication configuration
- * @returns Route with basic authentication
- */
-export function addBasicAuth(
-  baseRoute: IRouteConfig,
-  auth: {
-    users: Array<{ username: string; password: string }>;
-    realm?: string;
-    excludePaths?: string[];
-  }
-): IRouteConfig {
-  return mergeRouteConfigs(baseRoute, {
-    security: {
-      basicAuth: {
-        enabled: true,
-        users: auth.users,
-        realm: auth.realm || 'Restricted Area',
-        excludePaths: auth.excludePaths || []
-      }
-    }
-  });
-}
-
-/**
- * Create a JWT authentication route pattern
- * @param baseRoute Base route to add JWT authentication to
- * @param jwt JWT authentication configuration
- * @returns Route with JWT authentication
- */
-export function addJwtAuth(
-  baseRoute: IRouteConfig,
-  jwt: {
-    secret: string;
-    algorithm?: string;
-    issuer?: string;
-    audience?: string;
-    expiresIn?: number; // Time in seconds
-    excludePaths?: string[];
-  }
-): IRouteConfig {
-  return mergeRouteConfigs(baseRoute, {
-    security: {
-      jwtAuth: {
-        enabled: true,
-        secret: jwt.secret,
-        algorithm: jwt.algorithm || 'HS256',
-        issuer: jwt.issuer,
-        audience: jwt.audience,
-        expiresIn: jwt.expiresIn,
-        excludePaths: jwt.excludePaths || []
-      }
-    }
-  });
-}

ts/proxies/smart-proxy/utils/route-helpers/websocket-helpers.ts

@@ -1,98 +0,0 @@
-/**
- * WebSocket Route Helper Functions
- *
- * This module provides utility functions for creating WebSocket route configurations.
- */
-
-import type { IRouteConfig, IRouteMatch, IRouteAction } from '../../models/route-types.js';
-
-/**
- * Create a WebSocket route configuration
- * @param domains Domain(s) to match
- * @param targetOrPath Target server OR WebSocket path (legacy)
- * @param targetOrOptions Target server (legacy) OR options
- * @param options Additional route options (legacy)
- * @returns Route configuration object
- */
-export function createWebSocketRoute(
-  domains: string | string[],
-  targetOrPath: { host: string | string[]; port: number } | string,
-  targetOrOptions?: { host: string | string[]; port: number } | {
-    useTls?: boolean;
-    certificate?: 'auto' | { key: string; cert: string };
-    path?: string;
-    httpPort?: number | number[];
-    httpsPort?: number | number[];
-    pingInterval?: number;
-    pingTimeout?: number;
-    name?: string;
-    [key: string]: any;
-  },
-  options?: {
-    useTls?: boolean;
-    certificate?: 'auto' | { key: string; cert: string };
-    httpPort?: number | number[];
-    httpsPort?: number | number[];
-    pingInterval?: number;
-    pingTimeout?: number;
-    name?: string;
-    [key: string]: any;
-  }
-): IRouteConfig {
-  // Handle different signatures
-  let target: { host: string | string[]; port: number };
-  let wsPath: string;
-  let finalOptions: any;
-
-  if (typeof targetOrPath === 'string') {
-    // Legacy signature: (domains, path, target, options)
-    wsPath = targetOrPath;
-    target = targetOrOptions as { host: string | string[]; port: number };
-    finalOptions = options || {};
-  } else {
-    // New signature: (domains, target, options)
-    target = targetOrPath;
-    finalOptions = (targetOrOptions as any) || {};
-    wsPath = finalOptions.path || '/ws';
-  }
-
-  // Normalize WebSocket path
-  const normalizedPath = wsPath.startsWith('/') ? wsPath : `/${wsPath}`;
-
-  // Create route match
-  const match: IRouteMatch = {
-    ports: finalOptions.useTls
-      ? (finalOptions.httpsPort || 443)
-      : (finalOptions.httpPort || 80),
-    domains,
-    path: normalizedPath
-  };
-
-  // Create route action
-  const action: IRouteAction = {
-    type: 'forward',
-    targets: [target],
-    websocket: {
-      enabled: true,
-      pingInterval: finalOptions.pingInterval || 30000, // 30 seconds
-      pingTimeout: finalOptions.pingTimeout || 5000    // 5 seconds
-    }
-  };
-
-  // Add TLS configuration if using HTTPS
-  if (finalOptions.useTls) {
-    action.tls = {
-      mode: 'terminate',
-      certificate: finalOptions.certificate || 'auto'
-    };
-  }
-
-  // Create the route config
-  return {
-    match,
-    action,
-    name: finalOptions.name || `WebSocket Route ${normalizedPath} for ${Array.isArray(domains) ? domains.join(', ') : domains}`,
-    priority: finalOptions.priority || 100, // Higher priority for WebSocket routes
-    ...finalOptions
-  };
-}

ts/proxies/smart-proxy/utils/route-validator.ts

@@ -258,8 +258,10 @@ export class RouteValidator {
         errorMap.set(route.name, existingErrors);
         valid = false;
       }
+      if (route.name) {
         routeNames.add(route.name);
       }
+    }
 
     // Validate each route
     for (const route of routes) {
@@ -328,7 +330,7 @@ export class RouteValidator {
       if (catchAllRoutes.length > 1) {
         for (const route of catchAllRoutes) {
           conflicts.push({
-            route: route.name,
+            route: route.name || 'unnamed',
             message: `Multiple catch-all routes on port ${port}`
           });
         }

ts/proxies/smart-proxy/utils/socket-handlers.ts

@@ -5,9 +5,9 @@
  * like echoing, proxying, HTTP responses, and redirects.
  */
 
-import * as plugins from '../../../../plugins.js';
-import type { IRouteConfig, TPortRange, IRouteContext } from '../../models/route-types.js';
-import { createSocketTracker } from '../../../../core/utils/socket-tracker.js';
+import * as plugins from '../../../plugins.js';
+import type { IRouteContext } from '../models/route-types.js';
+import { createSocketTracker } from '../../../core/utils/socket-tracker.js';
 
 /**
  * Minimal HTTP request parser for socket handlers.
@@ -308,31 +308,3 @@ export const SocketHandlers = {
     });
   }
 };
-
-/**
- * Create a socket handler route configuration
- */
-export function createSocketHandlerRoute(
-  domains: string | string[],
-  ports: TPortRange,
-  handler: (socket: plugins.net.Socket) => void | Promise<void>,
-  options: {
-    name?: string;
-    priority?: number;
-    path?: string;
-  } = {}
-): IRouteConfig {
-  return {
-    name: options.name || 'socket-handler-route',
-    priority: options.priority !== undefined ? options.priority : 50,
-    match: {
-      domains,
-      ports,
-      ...(options.path && { path: options.path })
-    },
-    action: {
-      type: 'socket-handler',
-      socketHandler: handler
-    }
-  };
-}

tsconfig.json

@@ -1,14 +1,10 @@
 {
   "compilerOptions": {
-    "experimentalDecorators": true,
-    "useDefineForClassFields": false,
     "target": "ES2022",
     "module": "NodeNext",
     "moduleResolution": "NodeNext",
     "esModuleInterop": true,
-    "verbatimModuleSyntax": true,
-    "baseUrl": ".",
-    "paths": {}
+    "verbatimModuleSyntax": true
   },
   "exclude": [
     "dist_*/**/*.d.ts"