npm - @push.rocks/smartproxy - Versions diffs - 21.1.7 → 22.6.0 - Mend

@push.rocks/smartproxy 21.1.7 → 22.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (155) hide show

package/ts/proxies/nftables-proxy/utils/index.ts ADDED Viewed

@@ -0,0 +1,38 @@
+/**
+ * NFTables Proxy Utilities
+ *
+ * This module exports utility functions and classes for NFTables operations.
+ */
+// Command execution
+export { NftCommandExecutor } from './nft-command-executor.js';
+export type { INftLoggerFn, INftExecutorOptions } from './nft-command-executor.js';
+// Port specification normalization
+export {
+  normalizePortSpec,
+  validatePorts,
+  formatPortRange,
+  portSpecToNftExpr,
+  rangesOverlap,
+  mergeOverlappingRanges,
+  countPorts,
+  isPortInSpec
+} from './nft-port-spec-normalizer.js';
+// Rule validation
+export {
+  isValidIP,
+  isValidIPv4,
+  isValidIPv6,
+  isValidHostname,
+  isValidTableName,
+  isValidRate,
+  validateIPs,
+  validateHost,
+  validateTableName,
+  validateQosSettings,
+  validateSettings,
+  isIPForFamily,
+  filterIPsByFamily
+} from './nft-rule-validator.js';

package/ts/proxies/nftables-proxy/utils/nft-command-executor.ts ADDED Viewed

@@ -0,0 +1,162 @@
+/**
+ * NFTables Command Executor
+ *
+ * Handles command execution with retry logic, temp file management,
+ * and error handling for nftables operations.
+ */
+import { exec, execSync } from 'child_process';
+import { promisify } from 'util';
+import { delay } from '../../../core/utils/async-utils.js';
+import { AsyncFileSystem } from '../../../core/utils/fs-utils.js';
+import { NftExecutionError } from '../models/index.js';
+const execAsync = promisify(exec);
+export interface INftLoggerFn {
+  (level: 'info' | 'warn' | 'error' | 'debug', message: string, data?: Record<string, any>): void;
+}
+export interface INftExecutorOptions {
+  maxRetries?: number;
+  retryDelayMs?: number;
+  tempFilePath?: string;
+}
+/**
+ * NFTables command executor with retry logic and temp file support
+ */
+export class NftCommandExecutor {
+  private static readonly NFT_CMD = 'nft';
+  private maxRetries: number;
+  private retryDelayMs: number;
+  private tempFilePath: string;
+  constructor(
+    private log: INftLoggerFn,
+    options: INftExecutorOptions = {}
+  ) {
+    this.maxRetries = options.maxRetries || 3;
+    this.retryDelayMs = options.retryDelayMs || 1000;
+    this.tempFilePath = options.tempFilePath || `/tmp/nft-rules-${Date.now()}.nft`;
+  }
+  /**
+   * Execute a command with retry capability
+   */
+  async executeWithRetry(command: string, maxRetries?: number, retryDelayMs?: number): Promise<string> {
+    const retries = maxRetries ?? this.maxRetries;
+    const delayMs = retryDelayMs ?? this.retryDelayMs;
+    let lastError: Error | undefined;
+    for (let i = 0; i < retries; i++) {
+      try {
+        const { stdout } = await execAsync(command);
+        return stdout;
+      } catch (err) {
+        lastError = err as Error;
+        this.log('warn', `Command failed (attempt ${i+1}/${retries}): ${command}`, { error: lastError.message });
+        // Wait before retry, unless it's the last attempt
+        if (i < retries - 1) {
+          await delay(delayMs);
+        }
+      }
+    }
+    throw new NftExecutionError(`Failed after ${retries} attempts: ${lastError?.message || 'Unknown error'}`);
+  }
+  /**
+   * Execute system command synchronously (single attempt, no retry)
+   * Used only for exit handlers where the process is terminating anyway.
+   */
+  executeSync(command: string): string {
+    try {
+      return execSync(command, { timeout: 5000 }).toString();
+    } catch (err) {
+      this.log('warn', `Sync command failed: ${command}`, { error: (err as Error).message });
+      throw err;
+    }
+  }
+  /**
+   * Execute nftables commands with a temporary file
+   */
+  async executeWithTempFile(rulesetContent: string): Promise<void> {
+    await AsyncFileSystem.writeFile(this.tempFilePath, rulesetContent);
+    try {
+      await this.executeWithRetry(
+        `${NftCommandExecutor.NFT_CMD} -f ${this.tempFilePath}`,
+        this.maxRetries,
+        this.retryDelayMs
+      );
+    } finally {
+      // Always clean up the temp file
+      await AsyncFileSystem.remove(this.tempFilePath);
+    }
+  }
+  /**
+   * Check if nftables is available
+   */
+  async checkAvailability(): Promise<boolean> {
+    try {
+      await this.executeWithRetry(`${NftCommandExecutor.NFT_CMD} --version`, this.maxRetries, this.retryDelayMs);
+      return true;
+    } catch (err) {
+      this.log('error', `nftables is not available: ${(err as Error).message}`);
+      return false;
+    }
+  }
+  /**
+   * Check if connection tracking modules are loaded
+   */
+  async checkConntrackModules(): Promise<boolean> {
+    try {
+      await this.executeWithRetry('lsmod | grep nf_conntrack', this.maxRetries, this.retryDelayMs);
+      return true;
+    } catch (err) {
+      this.log('warn', 'Connection tracking modules might not be loaded, advanced NAT features may not work');
+      return false;
+    }
+  }
+  /**
+   * Run an nft command directly
+   */
+  async nft(args: string): Promise<string> {
+    return this.executeWithRetry(`${NftCommandExecutor.NFT_CMD} ${args}`, this.maxRetries, this.retryDelayMs);
+  }
+  /**
+   * Run an nft command synchronously (for cleanup on exit)
+   */
+  nftSync(args: string): string {
+    return this.executeSync(`${NftCommandExecutor.NFT_CMD} ${args}`);
+  }
+  /**
+   * Get the NFT command path
+   */
+  static get nftCmd(): string {
+    return NftCommandExecutor.NFT_CMD;
+  }
+  /**
+   * Update the temp file path
+   */
+  setTempFilePath(path: string): void {
+    this.tempFilePath = path;
+  }
+  /**
+   * Update retry settings
+   */
+  setRetryOptions(maxRetries: number, retryDelayMs: number): void {
+    this.maxRetries = maxRetries;
+    this.retryDelayMs = retryDelayMs;
+  }
+}

package/ts/proxies/nftables-proxy/utils/nft-port-spec-normalizer.ts ADDED Viewed

@@ -0,0 +1,125 @@
+/**
+ * NFTables Port Specification Normalizer
+ *
+ * Handles normalization and validation of port specifications
+ * for nftables rules.
+ */
+import type { PortRange } from '../models/index.js';
+import { NftValidationError } from '../models/index.js';
+/**
+ * Normalizes port specifications into an array of port ranges
+ */
+export function normalizePortSpec(portSpec: number | PortRange | Array<number | PortRange>): PortRange[] {
+  const result: PortRange[] = [];
+  if (Array.isArray(portSpec)) {
+    // If it's an array, process each element
+    for (const spec of portSpec) {
+      result.push(...normalizePortSpec(spec));
+    }
+  } else if (typeof portSpec === 'number') {
+    // Single port becomes a range with the same start and end
+    result.push({ from: portSpec, to: portSpec });
+  } else {
+    // Already a range
+    result.push(portSpec);
+  }
+  return result;
+}
+/**
+ * Validates port numbers or ranges
+ */
+export function validatePorts(port: number | PortRange | Array<number | PortRange>): void {
+  if (Array.isArray(port)) {
+    port.forEach(p => validatePorts(p));
+    return;
+  }
+  if (typeof port === 'number') {
+    if (port < 1 || port > 65535) {
+      throw new NftValidationError(`Invalid port number: ${port}`);
+    }
+  } else if (typeof port === 'object') {
+    if (port.from < 1 || port.from > 65535 || port.to < 1 || port.to > 65535 || port.from > port.to) {
+      throw new NftValidationError(`Invalid port range: ${port.from}-${port.to}`);
+    }
+  }
+}
+/**
+ * Format port range for nftables rule
+ */
+export function formatPortRange(range: PortRange): string {
+  if (range.from === range.to) {
+    return String(range.from);
+  }
+  return `${range.from}-${range.to}`;
+}
+/**
+ * Convert port spec to nftables expression
+ */
+export function portSpecToNftExpr(portSpec: number | PortRange | Array<number | PortRange>): string {
+  const ranges = normalizePortSpec(portSpec);
+  if (ranges.length === 1) {
+    return formatPortRange(ranges[0]);
+  }
+  // Multiple ports/ranges need to use a set
+  const ports = ranges.map(formatPortRange);
+  return `{ ${ports.join(', ')} }`;
+}
+/**
+ * Check if two port ranges overlap
+ */
+export function rangesOverlap(range1: PortRange, range2: PortRange): boolean {
+  return range1.from <= range2.to && range2.from <= range1.to;
+}
+/**
+ * Merge overlapping port ranges
+ */
+export function mergeOverlappingRanges(ranges: PortRange[]): PortRange[] {
+  if (ranges.length <= 1) return ranges;
+  // Sort by start port
+  const sorted = [...ranges].sort((a, b) => a.from - b.from);
+  const merged: PortRange[] = [sorted[0]];
+  for (let i = 1; i < sorted.length; i++) {
+    const current = sorted[i];
+    const lastMerged = merged[merged.length - 1];
+    if (current.from <= lastMerged.to + 1) {
+      // Ranges overlap or are adjacent, merge them
+      lastMerged.to = Math.max(lastMerged.to, current.to);
+    } else {
+      // No overlap, add as new range
+      merged.push(current);
+    }
+  }
+  return merged;
+}
+/**
+ * Calculate the total number of ports in a port specification
+ */
+export function countPorts(portSpec: number | PortRange | Array<number | PortRange>): number {
+  const ranges = normalizePortSpec(portSpec);
+  return ranges.reduce((total, range) => total + (range.to - range.from + 1), 0);
+}
+/**
+ * Check if a port is within the given specification
+ */
+export function isPortInSpec(port: number, portSpec: number | PortRange | Array<number | PortRange>): boolean {
+  const ranges = normalizePortSpec(portSpec);
+  return ranges.some(range => port >= range.from && port <= range.to);
+}

package/ts/proxies/nftables-proxy/utils/nft-rule-validator.ts ADDED Viewed

@@ -0,0 +1,156 @@
+/**
+ * NFTables Rule Validator
+ *
+ * Handles validation of settings and inputs for nftables operations.
+ * Prevents command injection and ensures valid values.
+ */
+import type { PortRange, NfTableProxyOptions } from '../models/index.js';
+import { NftValidationError } from '../models/index.js';
+import { validatePorts } from './nft-port-spec-normalizer.js';
+// IP address validation patterns
+const IPV4_REGEX = /^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))?$/;
+const IPV6_REGEX = /^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))(\/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$/;
+const HOSTNAME_REGEX = /^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$/;
+const TABLE_NAME_REGEX = /^[a-zA-Z0-9_]+$/;
+const RATE_REGEX = /^[0-9]+[kKmMgG]?bps$/;
+/**
+ * Validates an IP address (IPv4 or IPv6)
+ */
+export function isValidIP(ip: string): boolean {
+  return IPV4_REGEX.test(ip) || IPV6_REGEX.test(ip);
+}
+/**
+ * Validates an IPv4 address
+ */
+export function isValidIPv4(ip: string): boolean {
+  return IPV4_REGEX.test(ip);
+}
+/**
+ * Validates an IPv6 address
+ */
+export function isValidIPv6(ip: string): boolean {
+  return IPV6_REGEX.test(ip);
+}
+/**
+ * Validates a hostname
+ */
+export function isValidHostname(hostname: string): boolean {
+  return HOSTNAME_REGEX.test(hostname);
+}
+/**
+ * Validates a table name for nftables
+ */
+export function isValidTableName(tableName: string): boolean {
+  return TABLE_NAME_REGEX.test(tableName);
+}
+/**
+ * Validates a rate specification (e.g., "10mbps")
+ */
+export function isValidRate(rate: string): boolean {
+  return RATE_REGEX.test(rate);
+}
+/**
+ * Validates an array of IP addresses
+ */
+export function validateIPs(ips?: string[]): void {
+  if (!ips) return;
+  for (const ip of ips) {
+    if (!isValidIP(ip)) {
+      throw new NftValidationError(`Invalid IP address format: ${ip}`);
+    }
+  }
+}
+/**
+ * Validates a host (can be hostname or IP)
+ */
+export function validateHost(host?: string): void {
+  if (!host) return;
+  if (!isValidHostname(host) && !isValidIP(host)) {
+    throw new NftValidationError(`Invalid host format: ${host}`);
+  }
+}
+/**
+ * Validates a table name
+ */
+export function validateTableName(tableName?: string): void {
+  if (!tableName) return;
+  if (!isValidTableName(tableName)) {
+    throw new NftValidationError(
+      `Invalid table name: ${tableName}. Only alphanumeric characters and underscores are allowed.`
+    );
+  }
+}
+/**
+ * Validates QoS settings
+ */
+export function validateQosSettings(qos?: NfTableProxyOptions['qos']): void {
+  if (!qos?.enabled) return;
+  if (qos.maxRate && !isValidRate(qos.maxRate)) {
+    throw new NftValidationError(
+      `Invalid rate format: ${qos.maxRate}. Use format like "10mbps", "1gbps", etc.`
+    );
+  }
+  if (qos.priority !== undefined) {
+    if (qos.priority < 1 || qos.priority > 10 || !Number.isInteger(qos.priority)) {
+      throw new NftValidationError(
+        `Invalid priority: ${qos.priority}. Must be an integer between 1 and 10.`
+      );
+    }
+  }
+}
+/**
+ * Validates all NfTablesProxy settings
+ */
+export function validateSettings(settings: NfTableProxyOptions): void {
+  // Validate port numbers
+  validatePorts(settings.fromPort);
+  validatePorts(settings.toPort);
+  // Validate IP addresses
+  validateIPs(settings.ipAllowList);
+  validateIPs(settings.ipBlockList);
+  // Validate target host
+  validateHost(settings.toHost);
+  // Validate table name
+  validateTableName(settings.tableName);
+  // Validate QoS settings
+  validateQosSettings(settings.qos);
+}
+/**
+ * Check if an IP matches the given family (ip or ip6)
+ */
+export function isIPForFamily(ip: string, family: 'ip' | 'ip6'): boolean {
+  if (family === 'ip6') {
+    return ip.includes(':');
+  }
+  return ip.includes('.');
+}
+/**
+ * Filter IPs by family
+ */
+export function filterIPsByFamily(ips: string[], family: 'ip' | 'ip6'): string[] {
+  return ips.filter(ip => isIPForFamily(ip, family));
+}

package/ts/proxies/smart-proxy/index.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 /**
  * SmartProxy implementation
  *
- * Version 14.0.0: Unified Route-Based Configuration API
+ * Version 23.0.0: Rust-backed proxy engine
  */
 // Re-export models
 export * from './models/index.js';
@@ -9,21 +9,14 @@ export * from './models/index.js';
 // Export the main SmartProxy class
 export { SmartProxy } from './smart-proxy.js';
-// Export core supporting classes
-export { ConnectionManager } from './connection-manager.js';
-export { SecurityManager } from './security-manager.js';
-export { TimeoutManager } from './timeout-manager.js';
-export { TlsManager } from './tls-manager.js';
-export { HttpProxyBridge } from './http-proxy-bridge.js';
+// Export Rust bridge and helpers
+export { RustProxyBridge } from './rust-proxy-bridge.js';
+export { RoutePreprocessor } from './route-preprocessor.js';
+export { SocketHandlerServer } from './socket-handler-server.js';
+export { RustMetricsAdapter } from './rust-metrics-adapter.js';
 // Export route-based components
 export { SharedRouteManager as RouteManager } from '../../core/routing/route-manager.js';
-export { RouteConnectionHandler } from './route-connection-handler.js';
-export { NFTablesManager } from './nftables-manager.js';
-export { RouteOrchestrator } from './route-orchestrator.js';
-// Export certificate management
-export { SmartCertManager } from './certificate-manager.js';
 // Export all helper functions from the utils directory
 export * from './utils/index.js';

package/ts/proxies/smart-proxy/models/interfaces.ts CHANGED Viewed

@@ -89,7 +89,6 @@ export interface ISmartProxyOptions {
   enableDetailedLogging?: boolean; // Enable detailed connection logging
   enableTlsDebugLogging?: boolean; // Enable TLS handshake debug logging
   enableRandomizedTimeouts?: boolean; // Randomize timeouts slightly to prevent thundering herd
-  allowSessionTicket?: boolean; // Allow TLS session ticket for reconnection (default: true)
   // Rate limiting and security
   maxConnectionsPerIP?: number; // Maximum simultaneous connections from a single IP
@@ -100,10 +99,6 @@ export interface ISmartProxyOptions {
   keepAliveInactivityMultiplier?: number; // Multiplier for inactivity timeout for keep-alive connections
   extendedKeepAliveLifetime?: number; // Extended lifetime for keep-alive connections (ms)
-  // HttpProxy integration
-  useHttpProxy?: number[]; // Array of ports to forward to HttpProxy
-  httpProxyPort?: number; // Port where HttpProxy is listening (default: 8443)
   // Metrics configuration
   metrics?: {
     enabled?: boolean;
@@ -140,6 +135,12 @@ export interface ISmartProxyOptions {
    * Default: true
    */
   certProvisionFallbackToAcme?: boolean;
+  /**
+   * Path to the RustProxy binary. If not set, the binary is located
+   * automatically via env var, platform package, local build, or PATH.
+   */
+  rustBinaryPath?: string;
 }
 /**

package/ts/proxies/smart-proxy/route-preprocessor.ts ADDED Viewed

@@ -0,0 +1,122 @@
+import type { IRouteConfig, IRouteAction, IRouteTarget } from './models/route-types.js';
+import { logger } from '../../core/utils/logger.js';
+/**
+ * Preprocesses routes before sending them to Rust.
+ *
+ * Strips non-serializable fields (functions, callbacks) and classifies
+ * routes that must be handled by TypeScript (socket-handler, dynamic host/port).
+ */
+export class RoutePreprocessor {
+  /**
+   * Map of route name/id → original route config (with JS functions preserved).
+   * Used by the socket handler server to look up the original handler.
+   */
+  private originalRoutes = new Map<string, IRouteConfig>();
+  /**
+   * Preprocess routes for the Rust binary.
+   *
+   * - Routes with `socketHandler` callbacks are marked as socket-handler type
+   *   (Rust will relay these back to TS)
+   * - Routes with dynamic `host`/`port` functions are converted to socket-handler
+   *   type (Rust relays, TS resolves the function)
+   * - Non-serializable fields are stripped
+   * - Original routes are preserved in the local map for handler lookup
+   */
+  public preprocessForRust(routes: IRouteConfig[]): IRouteConfig[] {
+    this.originalRoutes.clear();
+    return routes.map((route, index) => this.preprocessRoute(route, index));
+  }
+  /**
+   * Get the original route config (with JS functions) by route name or id.
+   */
+  public getOriginalRoute(routeKey: string): IRouteConfig | undefined {
+    return this.originalRoutes.get(routeKey);
+  }
+  /**
+   * Get all original routes that have socket handlers or dynamic functions.
+   */
+  public getHandlerRoutes(): Map<string, IRouteConfig> {
+    return new Map(this.originalRoutes);
+  }
+  private preprocessRoute(route: IRouteConfig, index: number): IRouteConfig {
+    const routeKey = route.name || route.id || `route_${index}`;
+    // Check if this route needs TS-side handling
+    const needsTsHandling = this.routeNeedsTsHandling(route);
+    if (needsTsHandling) {
+      // Store the original route for handler lookup
+      this.originalRoutes.set(routeKey, route);
+    }
+    // Create a clean copy for Rust
+    const cleanRoute: IRouteConfig = {
+      ...route,
+      action: this.cleanAction(route.action, routeKey, needsTsHandling),
+    };
+    // Ensure we have a name for handler lookup
+    if (!cleanRoute.name && !cleanRoute.id) {
+      cleanRoute.name = routeKey;
+    }
+    return cleanRoute;
+  }
+  private routeNeedsTsHandling(route: IRouteConfig): boolean {
+    // Socket handler routes always need TS
+    if (route.action.type === 'socket-handler' && route.action.socketHandler) {
+      return true;
+    }
+    // Routes with dynamic host/port functions need TS
+    if (route.action.targets) {
+      for (const target of route.action.targets) {
+        if (typeof target.host === 'function' || typeof target.port === 'function') {
+          return true;
+        }
+      }
+    }
+    return false;
+  }
+  private cleanAction(action: IRouteAction, routeKey: string, needsTsHandling: boolean): IRouteAction {
+    const cleanAction: IRouteAction = { ...action };
+    if (needsTsHandling) {
+      // Convert to socket-handler type for Rust (Rust will relay back to TS)
+      cleanAction.type = 'socket-handler';
+      // Remove the JS handler (not serializable)
+      delete (cleanAction as any).socketHandler;
+    }
+    // Clean targets - replace functions with static values
+    if (cleanAction.targets) {
+      cleanAction.targets = cleanAction.targets.map(t => this.cleanTarget(t));
+    }
+    return cleanAction;
+  }
+  private cleanTarget(target: IRouteTarget): IRouteTarget {
+    const clean: IRouteTarget = { ...target };
+    // Replace function host with placeholder
+    if (typeof clean.host === 'function') {
+      clean.host = 'localhost';
+    }
+    // Replace function port with placeholder
+    if (typeof clean.port === 'function') {
+      clean.port = 0;
+    }
+    return clean;
+  }
+}