refactor: enabling nfqueue for netifyd

Author: Tbaile

packages/netifyd/Makefile

@@ -157,6 +157,7 @@ define Package/netifyd/install
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_DIR) $(1)/etc/netifyd
 	$(INSTALL_DIR) $(1)/etc/netifyd/categories.d
+	$(INSTALL_DIR) $(1)/etc/netifyd/interfaces.d
 	$(INSTALL_DIR) $(1)/etc/netifyd/plugins.d
 	$(INSTALL_DIR) $(1)/etc/netifyd/profiles.d
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
@@ -172,6 +173,7 @@ define Package/netifyd/install
 	$(INSTALL_DATA) ./files/etc/config/netifyd $(1)/etc/config/netifyd
 	$(INSTALL_BIN) ./files/etc/init.d/netifyd $(1)/etc/init.d/netifyd
 	$(INSTALL_DATA) ./files/etc/netifyd.conf $(1)/etc/netifyd.conf
+	$(INSTALL_DATA) ./files/etc/netifyd/interfaces.d/10-nfqueue.conf $(1)/etc/netifyd/interfaces.d/10-nfqueue.conf
 	$(INSTALL_DATA) ./files/etc/netifyd/netify-apps.conf $(1)/etc/netifyd/netify-apps.conf
 	$(INSTALL_DATA) ./files/etc/netifyd/netify-categories.json $(1)/etc/netifyd/netify-categories.json
 	$(INSTALL_DATA) ./files/etc/netifyd/profiles.d/00-default.conf $(1)/etc/netifyd/profiles.d/00-default.conf
@@ -186,6 +188,7 @@ define Package/netifyd/install
 	$(INSTALL_DATA) ./files/usr/share/netifyd/plugins.d/99-netify-proc-core-auto.conf $(1)/usr/share/netifyd/plugins.d/99-netify-proc-core-auto.conf
 	$(INSTALL_DATA) ./files/usr/share/netifyd/plugins.d/99-netify-sink-http-auto.conf $(1)/usr/share/netifyd/plugins.d/99-netify-sink-http-auto.conf
 	$(INSTALL_DATA) ./files/usr/share/nftables.d/table-pre/10-netifyd.nft $(1)/usr/share/nftables.d/table-pre/10-netifyd.nft
+	$(INSTALL_DATA) ./files/usr/share/nftables.d/table-pre/10-netifyd-nfqueue.nft $(1)/usr/share/nftables.d/table-pre/10-netifyd-nfqueue.nft
 	$(LN) /usr/lib/libnetifyd.so.4.0.0 $(1)/usr/lib/libnetifyd.so
 	$(LN) /usr/lib/libnetifyd.so.4.0.0 $(1)/usr/lib/libnetifyd.so.4
 	# netify-plm

packages/netifyd/files/etc/netifyd/interfaces.d/10-nfqueue.conf

@@ -0,0 +1,23 @@
+# Netify Agent Example Capture Interface Configuration
+# Copyright (C) 2024-2025 eGloo Incorporated
+#
+##############################################################################
+
+# Example Netfilter QUEUE capture source
+##############################################################################
+
+[capture-interface-LAN]
+capture_type = nfqueue
+role = lan
+queue_id = 10
+queue_instances = 10
+conntrack_counters = true
+
+[capture-interface-WAN]
+capture_type = nfqueue
+role = wan
+queue_id = 20
+queue_instances = 10
+conntrack_counters = true
+
+# vim: set ft=dosini :

packages/netifyd/files/etc/uci-defaults/99-netify-enable-nfqueue.uci-default

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+#
+# Copyright (C) 2025 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
+# Removing the interfaces from netifyd configuration, ignore exit codes
+if uci -q get netifyd.@netifyd[0].external_if > /dev/null; then
+    uci -q del netifyd.@netifyd[0].external_if
+fi
+if uci -q get netifyd.@netifyd[0].internal_if > /dev/null; then
+    uci -q del netifyd.@netifyd[0].internal_if
+fi

packages/netifyd/files/usr/share/nftables.d/table-pre/10-netifyd-nfqueue.nft

@@ -0,0 +1,21 @@
+chain nfq_input {
+    type filter hook input priority filter + 10; policy accept;
+    ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept
+    ip6 saddr ::1 ip6 daddr ::1 accept
+
+    ct packets > 32 counter accept
+    # Traffic FROM LAN interfaces -> Queue 10-19
+    iifname != $wan_devices queue flags bypass to 10-19
+    # Traffic FROM WAN interfaces -> Queue 20-29
+    iifname $wan_devices queue flags bypass to 20-29
+}
+
+chain nfq_forward {
+    type filter hook forward priority filter + 10; policy accept;
+
+    ct packets > 32 counter accept
+    # Traffic entering from LAN (Upload/LAN-to-LAN) -> Queue 10-19
+    iifname != $wan_devices queue flags bypass to 10-19
+    # Traffic entering from WAN (Download/Port Forwarding) -> Queue 20-29
+    iifname $wan_devices queue flags bypass to 20-29
+}

packages/ns-api/Makefile

@@ -177,7 +177,6 @@ define Package/ns-api/install
 	$(INSTALL_BIN) ./files/post-commit/restart-netdata.py $(1)/usr/libexec/ns-api/post-commit/
 	$(INSTALL_BIN) ./files/pre-commit/fix-redirect-reflections.py $(1)/usr/libexec/ns-api/pre-commit
 	$(INSTALL_BIN) ./files/pre-commit/update-objects.py $(1)/usr/libexec/ns-api/pre-commit
-	$(INSTALL_BIN) ./files/post-commit/configure-netifyd.py $(1)/usr/libexec/ns-api/post-commit
 	$(INSTALL_BIN) ./files/post-commit/reload-ipsets.py $(1)/usr/libexec/ns-api/post-commit
 	$(INSTALL_BIN) ./files/post-commit/restart-cron.py $(1)/usr/libexec/ns-api/post-commit
 	$(INSTALL_BIN) ./files/post-commit/restart-wireguard.py $(1)/usr/libexec/ns-api/post-commit

packages/ns-api/files/post-commit/configure-netifyd.py

@@ -91,6 +91,8 @@ for section in u.get_all('dpi'):
     if rule['action'] not in valid_actions or not rule['enabled']:
         continue
 
+    device = rule.get('device', '*')
+
     if 'criteria' in rule:
         # criteria has precedence over sources, protocol, category and application
         criteria = rule['criteria'].replace('"',"'")
@@ -114,14 +116,14 @@ for section in u.get_all('dpi'):
 
         sources_s = ' or '.join(sources)
         applications_s = ' or '.join(applications)
+        criteria = f'(iface_nfq_src == \'{device}\' or iface_nfq_dst == \'{device}\') && '
         if len(sources) < 1:
-            criteria = f'({applications_s}) ;'
+            criteria += f'({applications_s}) ;'
         elif len(applications) < 1:
-            criteria = f'({sources_s}) ;'
+            criteria += f'({sources_s}) ;'
         else:
-            criteria = f'({sources_s}) && ({applications_s}) ;'
+            criteria += f'({sources_s}) && ({applications_s}) ;'
 
-    device = rule.get('device', '*')
     vlan_id = None
     base_if = None
     for item in utils.get_all_by_type(u, 'network', 'device').values():
@@ -139,7 +141,6 @@ for section in u.get_all('dpi'):
         targets.append('log')
     config["actions"][f"rule{rcount}"] = {
         "enabled": rule['enabled'] == '1',
-        "interface": device,
         "criteria": criteria,
         "targets": targets,
         "exemptions": rule.get('exemption', [])