nftables-napi 0.2.0 → 0.3.0

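--- a/package/README.md
+++ b/package/README.md
@@ -35,9 +35,9 @@ const { NftManager } = require("nftables-napi");
 
  const nft = new NftManager({
  tableName: "myfw",
- sets: ["blacklist"],
- outSets: ["blocklist"],
- outPortSets: ["blocked_ports"],
+ ingressAddrSets: ["blacklist"],
+ egressAddrSets: ["blocklist"],
+ egressPortSets: ["blocked_ports"],
  });
 
  await nft.createTable();
@@ -82,9 +82,9 @@ await nft.deleteTable();
  | Option | Type | Required | Description |
  | --- | --- | --- | --- |
  | `tableName` | `string` | Yes | Base table name. IPv6 table auto-appends `'6'`. |
- | `sets` | `string[]` | Yes | Input/forward IP set names (≥1). Block by **source** address on input and forward chains. Rules: log + named counter + drop. IPv6 sets auto-append `'6'`. |
- | `outSets` | `string[]` | No | Output IP set names. Block by **destination** address on output chain. Rules: named counter + drop (no log). IPv6 sets auto-append `'6'`. |
- | `outPortSets` | `string[]` | No | Output port set names. Block by **destination port** (TCP/UDP) on output chain using concatenated `inet_proto . inet_service` sets. Ports are added to both IPv4 and IPv6 tables. IPv6 sets auto-append `'6'`. |
+ | `ingressAddrSets` | `string[]` | Yes | Input/forward IP set names (≥1). Block by **source** address on input and forward chains. Rules: log + named counter + drop. IPv6 sets auto-append `'6'`. |
+ | `egressAddrSets` | `string[]` | No | Output IP set names. Block by **destination** address on output chain. Rules: named counter + drop (no log). IPv6 sets auto-append `'6'`. |
+ | `egressPortSets` | `string[]` | No | Output port set names. Block by **destination port** (TCP/UDP) on output chain using concatenated `inet_proto . inet_service` sets. Ports are added to both IPv4 and IPv6 tables. IPv6 sets auto-append `'6'`. |
 
  ### Methods
 
@@ -99,7 +99,7 @@ All methods return `Promise<void>` and throw on error.
 
  #### IP address operations
 
- Work with both `sets` (input/forward) and `outSets` (output).
+ Work with both `ingressAddrSets` (input/forward) and `egressAddrSets` (output).
 
  | Method | Description |
  | --- | --- |
@@ -110,7 +110,7 @@ Work with both `sets` (input/forward) and `outSets` (output).
 
  #### Port operations
 
- Work with `outPortSets` only. Ports are added to both IPv4 and IPv6 tables.
+ Work with `egressPortSets` only. Ports are added to both IPv4 and IPv6 tables.
 
  | Method | Description |
  | --- | --- |
@@ -121,7 +121,7 @@ Work with `outPortSets` only. Ports are added to both IPv4 and IPv6 tables.
 
  ### What `createTable()` builds
 
- For a config with `sets: ["bl"]`, `outSets: ["out"]`, `outPortSets: ["ports"]`:
+ For a config with `ingressAddrSets: ["bl"]`, `egressAddrSets: ["out"]`, `egressPortSets: ["ports"]`:
 
  ```
  table ip myfw {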
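--- a/package/lib/index.d.ts
+++ b/package/lib/index.d.ts
@@ -9,31 +9,31 @@ export interface NftManagerOptions {
  /** Base table name. IPv6 table auto-appends '6'. */
  tableName: string;
  /**
- * Input/forward IP set names (≥1 required). Block by source address.
+ * Ingress IP set names (≥1 required). Block by source address.
  * Rules: log prefix "<setName>: " + named counter + drop on input and forward chains.
  * IPv6 sets auto-append '6'.
  */
- sets: string[];
+ ingressAddrSets: string[];
  /**
- * Output IP set names (optional). Block by destination address.
+ * Egress IP set names (optional). Block by destination address.
  * Rules: named counter + drop on output chain (no log).
  * IPv6 sets auto-append '6'.
  */
- outSets?: string[];
+ egressAddrSets?: string[];
  /**
- * Output port set names (optional). Block by tcp/udp destination port.
+ * Egress port set names (optional). Block by tcp/udp destination port.
  * Rules: single concatenated (proto . port) lookup + named counter + drop on output chain (no log).
  * Port is added to BOTH IPv4 and IPv6 tables (ports are family-independent).
  * IPv6 sets auto-append '6'.
  */
- outPortSets?: string[];
+ egressPortSets?: string[];
  }
 
  /** Options for adding a single address. */
  export interface AddAddressOptions {
  /** IPv4 or IPv6 address (e.g., "1.2.3.4" or "2001:db8::1"). */
  ip: string;
- /** Target set name (must match one from constructor's sets or outSets). */
+ /** Target set name (must match one from constructor's ingressAddrSets or egressAddrSets). */
  set: string;
  /** Timeout in seconds. Omit for permanent. */
  timeout?: number;
@@ -43,7 +43,7 @@ export interface AddAddressOptions {
  export interface RemoveAddressOptions {
  /** IPv4 or IPv6 address to remove. */
  ip: string;
- /** Target set name (must match one from constructor's sets or outSets). */
+ /** Target set name (must match one from constructor's ingressAddrSets or egressAddrSets). */
  set: string;
  }
 
@@ -51,7 +51,7 @@ export interface RemoveAddressOptions {
  export interface AddAddressesOptions {
  /** Array of IPv4/IPv6 addresses. */
  ips: string[];
- /** Target set name (must match one from constructor's sets or outSets). */
+ /** Target set name (must match one from constructor's ingressAddrSets or egressAddrSets). */
  set: string;
  /** Timeout in seconds. Omit for permanent. */
  timeout?: number;
@@ -61,7 +61,7 @@ export interface AddAddressesOptions {
  export interface RemoveAddressesOptions {
  /** Array of IPv4/IPv6 addresses to remove. */
  ips: string[];
- /** Target set name (must match one from constructor's sets or outSets). */
+ /** Target set name (must match one from constructor's ingressAddrSets or egressAddrSets). */
  set: string;
  }
 
@@ -69,7 +69,7 @@ export interface RemoveAddressesOptions {
  export interface AddPortOptions {
  /** Port number (0-65535). */
  port: number;
- /** Target port set name (must match one from constructor's outPortSets). */
+ /** Target port set name (must match one from constructor's egressPortSets). */
  set: string;
  /** Protocol: 'tcp', 'udp', or omit for both. Default: both. */
  protocol?: 'tcp' | 'udp';
@@ -81,7 +81,7 @@ export interface AddPortOptions {
  export interface RemovePortOptions {
  /** Port number (0-65535). */
  port: number;
- /** Target port set name (must match one from constructor's outPortSets). */
+ /** Target port set name (must match one from constructor's egressPortSets). */
  set: string;
  /** Protocol: 'tcp', 'udp', or omit for both. Default: both. */
  protocol?: 'tcp' | 'udp';
@@ -91,7 +91,7 @@ export interface RemovePortOptions {
  export interface AddPortsOptions {
  /** Array of port numbers (0-65535). */
  ports: number[];
- /** Target port set name (must match one from constructor's outPortSets). */
+ /** Target port set name (must match one from constructor's egressPortSets). */
  set: string;
  /** Protocol: 'tcp', 'udp', or omit for both. Default: both. */
  protocol?: 'tcp' | 'udp';
@@ -103,7 +103,7 @@ export interface AddPortsOptions {
  export interface RemovePortsOptions {
  /** Array of port numbers (0-65535). */
  ports: number[];
- /** Target port set name (must match one from constructor's outPortSets). */
+ /** Target port set name (must match one from constructor's egressPortSets). */
  set: string;
  /** Protocol: 'tcp', 'udp', or omit for both. Default: both. */
  protocol?: 'tcp' | 'udp';
@@ -127,9 +127,9 @@ export class NftManager {
  * Creates:
  * - Named counter "processed" (global traffic counter per chain)
  * - Named counter per set (blocked traffic counter)
- * - Input chain with log + counter + drop rules (for sets)
- * - Forward chain with log + counter + drop rules (for sets)
- * - Output chain with counter + drop rules (for outSets and outPortSets, no log)
+ * - Input chain with log + counter + drop rules (for ingressAddrSets)
+ * - Forward chain with log + counter + drop rules (for ingressAddrSets)
+ * - Output chain with counter + drop rules (for egressAddrSets and egressPortSets, no log)
  * - Per-element counters on all sets
  *
  * @throws {Error} if nftables operation fails
@@ -147,7 +147,7 @@ export class NftManager {
  /**
  * Adds an IP address to a set.
  * Auto-detects IPv4 vs IPv6 and routes to the correct table/set.
- * Works with both input sets (sets) and output sets (outSets).
+ * Works with both input sets (ingressAddrSets) and output sets (egressAddrSets).
  *
  * @param options - Address, target set name, and optional timeout.
  * @throws {TypeError} if options or fields have wrong types
@@ -158,7 +158,7 @@ export class NftManager {
  /**
  * Removes an IP address from a set.
  * Idempotent — no error if IP is not in the set.
- * Works with both input sets (ingressAddrSets) and output sets (egressAddrSets).
+ * Works with both input sets (ingressAddrSets) and output sets (egressAddrSets).
  *
  * @param options - Address and target set name.
  * @throws {TypeError} if options or fields have wrong types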
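Review bot: The optional `outSets` and `outPortSets` fields of `NftManagerOptions` are renamed to `egressAddrSets` and `egressPortSets` with no deprecated alias, so a caller that migrates only the required `ingressAddrSets` key can keep passing the old optional names. Plain JavaScript callers get no error at all, and TypeScript callers that build the options in a variable instead of an object literal bypass the excess-property check; if the native constructor ignores unknown keys (its parsing is not in this file), the egress address and port drops would be silently missing from the ruleset. I would add poisoned aliases to the interface, `/** @deprecated renamed to egressAddrSets */ outSets?: never;` and `/** @deprecated renamed to egressPortSets */ outPortSets?: never;`, so stale configs fail at compile time. A matching runtime rejection of the old key names in the constructor would cover untyped callers.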
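--- a/package/lib/index.js
+++ b/package/lib/index.js
@@ -6,7 +6,6 @@ let binding;
  try {
  binding = require('node-gyp-build')(path.join(__dirname, '..'));
  } catch (e) {
- if (process.platform === 'linux') throw e;
  binding = null;
  }
 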
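Review bot: With the `process.platform === 'linux'` rethrow removed from the `catch (e)` block, a failed native load on Linux now leaves `binding = null` and discards the original error. For a firewall binding this hides the cause (no matching prebuild, ABI mismatch, missing libnftnl/libmnl), and whether callers later fail loudly or run without any rules installed depends on code outside this hunk. I would keep the error for reporting, e.g. `let loadError = null;` before the `try` and `loadError = e; binding = null;` in the `catch`, and have the `NftManager` constructor throw with `loadError` as the cause when `binding` is null. The rest of the module is not visible here, so confirm that no code path treats a null `binding` as a no-op.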
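--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "nftables-napi",
- "version": "0.2.0",
+ "version": "0.3.0",
  "description": "Native Node.js binding for nftables via libnftnl+libmnl — nftables firewall management",
  "author": {
  "name": "kastov",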
@@ -250,7 +250,7 @@ NftManager::NftManager(const Napi::CallbackInfo& info)
250
250
 
251
251
  if (info.Length() < 1 || !info[0].IsObject()) {
252
252
  Napi::TypeError::New(env,
253
- "NftManager requires options object with tableName and sets")
253
+ "NftManager requires options object with tableName and ingressAddrSets")
254
254
  .ThrowAsJavaScriptException();
255
255
  return;
256
256
  }
@@ -264,18 +264,18 @@ NftManager::NftManager(const Napi::CallbackInfo& info)
264
264
  return;
265
265
  }
266
266
 
267
- // sets — required non-empty array
268
- if (!opts.Has("sets") || !opts.Get("sets").IsArray()) {
269
- Napi::TypeError::New(env, "NftManager: 'sets' is required and must be an array of strings")
267
+ // ingressAddrSets — required non-empty array
268
+ if (!opts.Has("ingressAddrSets") || !opts.Get("ingressAddrSets").IsArray()) {
269
+ Napi::TypeError::New(env, "NftManager: 'ingressAddrSets' is required and must be an array of strings")
270
270
  .ThrowAsJavaScriptException();
271
271
  return;
272
272
  }
273
273
 
274
- Napi::Array sets_arr = opts.Get("sets").As<Napi::Array>();
274
+ Napi::Array sets_arr = opts.Get("ingressAddrSets").As<Napi::Array>();
275
275
  uint32_t len = sets_arr.Length();
276
276
 
277
277
  if (len == 0) {
278
- Napi::Error::New(env, "NftManager: 'sets' must contain at least one set name")
278
+ Napi::Error::New(env, "NftManager: 'ingressAddrSets' must contain at least one set name")
279
279
  .ThrowAsJavaScriptException();
280
280
  return;
281
281
  }
@@ -286,25 +286,25 @@ NftManager::NftManager(const Napi::CallbackInfo& info)
286
286
  for (uint32_t i = 0; i < len; ++i) {
287
287
  Napi::Value val = sets_arr[i];
288
288
  if (!val.IsString()) {
289
- Napi::TypeError::New(env, "NftManager: 'sets[" + std::to_string(i) + "]' must be a string")
289
+ Napi::TypeError::New(env, "NftManager: 'ingressAddrSets[" + std::to_string(i) + "]' must be a string")
290
290
  .ThrowAsJavaScriptException();
291
291
  return;
292
292
  }
293
293
  std::string name = val.As<Napi::String>().Utf8Value();
294
294
  if (name.empty()) {
295
- Napi::Error::New(env, "NftManager: 'sets[" + std::to_string(i) + "]' must not be empty")
295
+ Napi::Error::New(env, "NftManager: 'ingressAddrSets[" + std::to_string(i) + "]' must not be empty")
296
296
  .ThrowAsJavaScriptException();
297
297
  return;
298
298
  }
299
299
  in_sets.push_back(std::move(name));
300
300
  }
301
301
 
302
- // Parse optional outSets (OutIP)
303
- std::vector<std::string> out_sets = parse_optional_string_array(env, opts, "outSets", "NftManager");
302
+ // Parse optional egressAddrSets (OutIP)
303
+ std::vector<std::string> out_sets = parse_optional_string_array(env, opts, "egressAddrSets", "NftManager");
304
304
  if (env.IsExceptionPending()) return;
305
305
 
306
- // Parse optional outPortSets (OutPort)
307
- std::vector<std::string> out_port_sets = parse_optional_string_array(env, opts, "outPortSets", "NftManager");
306
+ // Parse optional egressPortSets (OutPort)
307
+ std::vector<std::string> out_port_sets = parse_optional_string_array(env, opts, "egressPortSets", "NftManager");
308
308
  if (env.IsExceptionPending()) return;
309
309
 
310
310
  // Cross-array duplicate check: all names must be unique across all arrays