@push.rocks/smartproxy 18.0.0 → 18.0.2

package/ts/proxies/smart-proxy/smart-proxy.ts

@@ -9,6 +9,7 @@ import { TimeoutManager } from './timeout-manager.js';
 import { PortManager } from './port-manager.js';
 import { RouteManager } from './route-manager.js';
 import { RouteConnectionHandler } from './route-connection-handler.js';
+import { NFTablesManager } from './nftables-manager.js';
 
 // External dependencies
 import { Port80Handler } from '../../http/port80/port80-handler.js';
@@ -50,6 +51,7 @@ export class SmartProxy extends plugins.EventEmitter {
   private timeoutManager: TimeoutManager;
   public routeManager: RouteManager; // Made public for route management
   private routeConnectionHandler: RouteConnectionHandler;
+  private nftablesManager: NFTablesManager;
   
   // Port80Handler for ACME certificate management
   private port80Handler: Port80Handler | null = null;
@@ -82,7 +84,7 @@ export class SmartProxy extends plugins.EventEmitter {
    *   ],
    *   defaults: {
    *     target: { host: 'localhost', port: 8080 },
-   *     security: { allowedIps: ['*'] }
+   *     security: { ipAllowList: ['*'] }
    *   }
    * });
    * ```
@@ -167,6 +169,9 @@ export class SmartProxy extends plugins.EventEmitter {
 
     // Initialize port manager
     this.portManager = new PortManager(this.settings, this.routeConnectionHandler);
+    
+    // Initialize NFTablesManager
+    this.nftablesManager = new NFTablesManager(this.settings);
   }
   
   /**
@@ -270,6 +275,13 @@ export class SmartProxy extends plugins.EventEmitter {
     // Get listening ports from RouteManager
     const listeningPorts = this.routeManager.getListeningPorts();
 
+    // Provision NFTables rules for routes that use NFTables
+    for (const route of this.settings.routes) {
+      if (route.action.forwardingEngine === 'nftables') {
+        await this.nftablesManager.provisionRoute(route);
+      }
+    }
+
     // Start port listeners using the PortManager
     await this.portManager.addPorts(listeningPorts);
 
@@ -364,6 +376,10 @@ export class SmartProxy extends plugins.EventEmitter {
       await this.certProvisioner.stop();
       console.log('CertProvisioner stopped');
     }
+    
+    // Stop NFTablesManager
+    await this.nftablesManager.stop();
+    console.log('NFTablesManager stopped');
 
     // Stop the Port80Handler if running
     if (this.port80Handler) {
@@ -432,6 +448,39 @@ export class SmartProxy extends plugins.EventEmitter {
   public async updateRoutes(newRoutes: IRouteConfig[]): Promise<void> {
     console.log(`Updating routes (${newRoutes.length} routes)`);
 
+    // Get existing routes that use NFTables
+    const oldNfTablesRoutes = this.settings.routes.filter(
+      r => r.action.forwardingEngine === 'nftables'
+    );
+    
+    // Get new routes that use NFTables
+    const newNfTablesRoutes = newRoutes.filter(
+      r => r.action.forwardingEngine === 'nftables'
+    );
+    
+    // Find routes to remove, update, or add
+    for (const oldRoute of oldNfTablesRoutes) {
+      const newRoute = newNfTablesRoutes.find(r => r.name === oldRoute.name);
+      
+      if (!newRoute) {
+        // Route was removed
+        await this.nftablesManager.deprovisionRoute(oldRoute);
+      } else {
+        // Route was updated
+        await this.nftablesManager.updateRoute(oldRoute, newRoute);
+      }
+    }
+    
+    // Find new routes to add
+    for (const newRoute of newNfTablesRoutes) {
+      const oldRoute = oldNfTablesRoutes.find(r => r.name === newRoute.name);
+      
+      if (!oldRoute) {
+        // New route
+        await this.nftablesManager.provisionRoute(newRoute);
+      }
+    }
+
     // Update routes in RouteManager
     this.routeManager.updateRoutes(newRoutes);
 
@@ -440,6 +489,9 @@ export class SmartProxy extends plugins.EventEmitter {
 
     // Update port listeners to match the new configuration
     await this.portManager.updatePorts(requiredPorts);
+    
+    // Update settings with the new routes
+    this.settings.routes = newRoutes;
 
     // If NetworkProxy is initialized, resync the configurations
     if (this.networkProxyBridge.getNetworkProxy()) {
@@ -676,6 +728,13 @@ export class SmartProxy extends plugins.EventEmitter {
     return domains;
   }
   
+  /**
+   * Get NFTables status
+   */
+  public async getNfTablesStatus(): Promise<Record<string, any>> {
+    return this.nftablesManager.getStatus();
+  }
+
   /**
    * Get status of certificates managed by Port80Handler
    */

package/ts/proxies/smart-proxy/utils/index.ts

@@ -5,7 +5,8 @@
  * including helpers, validators, utilities, and patterns for working with routes.
  */
 
-// Route helpers have been consolidated in route-patterns.js
+// Export route helpers for creating route configurations
+export * from './route-helpers.js';
 
 // Export route validators for validating route configurations
 export * from './route-validators.js';

package/ts/proxies/smart-proxy/utils/route-helpers.ts

@@ -16,6 +16,7 @@
  * - WebSocket routes (createWebSocketRoute)
  * - Port mapping routes (createPortMappingRoute, createOffsetPortMappingRoute)
  * - Dynamic routing (createDynamicRoute, createSmartLoadBalancer)
+ * - NFTables routes (createNfTablesRoute, createNfTablesTerminateRoute)
  */
 
 import type { IRouteConfig, IRouteMatch, IRouteAction, IRouteTarget, TPortRange, IRouteContext } from '../models/route-types.js';
@@ -618,4 +619,195 @@ export function createSmartLoadBalancer(options: {
     priority: options.priority,
     ...options
   };
+}
+
+/**
+ * Create an NFTables-based route for high-performance packet forwarding
+ * @param nameOrDomains Name or domain(s) to match
+ * @param target Target host and port
+ * @param options Additional route options
+ * @returns Route configuration object
+ */
+export function createNfTablesRoute(
+  nameOrDomains: string | string[],
+  target: { host: string; port: number | 'preserve' },
+  options: {
+    ports?: TPortRange;
+    protocol?: 'tcp' | 'udp' | 'all';
+    preserveSourceIP?: boolean;
+    ipAllowList?: string[];
+    ipBlockList?: string[];
+    maxRate?: string;
+    priority?: number;
+    useTls?: boolean;
+    tableName?: string;
+    useIPSets?: boolean;
+    useAdvancedNAT?: boolean;
+  } = {}
+): IRouteConfig {
+  // Determine if this is a name or domain
+  let name: string;
+  let domains: string | string[] | undefined;
+  
+  if (Array.isArray(nameOrDomains) || (typeof nameOrDomains === 'string' && nameOrDomains.includes('.'))) {
+    domains = nameOrDomains;
+    name = Array.isArray(nameOrDomains) ? nameOrDomains[0] : nameOrDomains;
+  } else {
+    name = nameOrDomains;
+    domains = undefined; // No domains
+  }
+  
+  // Create route match
+  const match: IRouteMatch = {
+    domains,
+    ports: options.ports || 80
+  };
+  
+  // Create route action
+  const action: IRouteAction = {
+    type: 'forward',
+    target: {
+      host: target.host,
+      port: target.port
+    },
+    forwardingEngine: 'nftables',
+    nftables: {
+      protocol: options.protocol || 'tcp',
+      preserveSourceIP: options.preserveSourceIP,
+      maxRate: options.maxRate,
+      priority: options.priority,
+      tableName: options.tableName,
+      useIPSets: options.useIPSets,
+      useAdvancedNAT: options.useAdvancedNAT
+    }
+  };
+  
+  // Add security if allowed or blocked IPs are specified
+  if (options.ipAllowList?.length || options.ipBlockList?.length) {
+    action.security = {
+      ipAllowList: options.ipAllowList,
+      ipBlockList: options.ipBlockList
+    };
+  }
+  
+  // Add TLS options if needed
+  if (options.useTls) {
+    action.tls = {
+      mode: 'passthrough'
+    };
+  }
+  
+  // Create the route config
+  return {
+    name,
+    match,
+    action
+  };
+}
+
+/**
+ * Create an NFTables-based TLS termination route
+ * @param nameOrDomains Name or domain(s) to match
+ * @param target Target host and port
+ * @param options Additional route options
+ * @returns Route configuration object
+ */
+export function createNfTablesTerminateRoute(
+  nameOrDomains: string | string[],
+  target: { host: string; port: number | 'preserve' },
+  options: {
+    ports?: TPortRange;
+    protocol?: 'tcp' | 'udp' | 'all';
+    preserveSourceIP?: boolean;
+    ipAllowList?: string[];
+    ipBlockList?: string[];
+    maxRate?: string;
+    priority?: number;
+    tableName?: string;
+    useIPSets?: boolean;
+    useAdvancedNAT?: boolean;
+    certificate?: 'auto' | { key: string; cert: string };
+  } = {}
+): IRouteConfig {
+  // Create basic NFTables route
+  const route = createNfTablesRoute(
+    nameOrDomains,
+    target,
+    {
+      ...options,
+      ports: options.ports || 443,
+      useTls: false
+    }
+  );
+  
+  // Set TLS termination
+  route.action.tls = {
+    mode: 'terminate',
+    certificate: options.certificate || 'auto'
+  };
+  
+  return route;
+}
+
+/**
+ * Create a complete NFTables-based HTTPS setup with HTTP redirect
+ * @param nameOrDomains Name or domain(s) to match
+ * @param target Target host and port
+ * @param options Additional route options
+ * @returns Array of two route configurations (HTTPS and HTTP redirect)
+ */
+export function createCompleteNfTablesHttpsServer(
+  nameOrDomains: string | string[],
+  target: { host: string; port: number | 'preserve' },
+  options: {
+    httpPort?: TPortRange;
+    httpsPort?: TPortRange;
+    protocol?: 'tcp' | 'udp' | 'all';
+    preserveSourceIP?: boolean;
+    ipAllowList?: string[];
+    ipBlockList?: string[];
+    maxRate?: string;
+    priority?: number;
+    tableName?: string;
+    useIPSets?: boolean;
+    useAdvancedNAT?: boolean;
+    certificate?: 'auto' | { key: string; cert: string };
+  } = {}
+): IRouteConfig[] {
+  // Create the HTTPS route using NFTables
+  const httpsRoute = createNfTablesTerminateRoute(
+    nameOrDomains,
+    target,
+    {
+      ...options,
+      ports: options.httpsPort || 443
+    }
+  );
+  
+  // Determine the domain(s) for HTTP redirect
+  const domains = typeof nameOrDomains === 'string' && !nameOrDomains.includes('.') 
+    ? undefined 
+    : nameOrDomains;
+  
+  // Extract the HTTPS port for the redirect destination
+  const httpsPort = typeof options.httpsPort === 'number' 
+    ? options.httpsPort 
+    : Array.isArray(options.httpsPort) && typeof options.httpsPort[0] === 'number' 
+      ? options.httpsPort[0] 
+      : 443;
+  
+  // Create the HTTP redirect route (this uses standard forwarding, not NFTables)
+  const httpRedirectRoute = createHttpToHttpsRedirect(
+    domains as any, // Type cast needed since domains can be undefined now
+    httpsPort,
+    {
+      match: {
+        ports: options.httpPort || 80,
+        domains: domains as any // Type cast needed since domains can be undefined now
+      },
+      name: `HTTP to HTTPS Redirect for ${Array.isArray(domains) ? domains.join(', ') : domains || 'all domains'}`
+    }
+  );
+  
+  return [httpsRoute, httpRedirectRoute];
 }