refactor(netifyd, ns-dpi): blocking using conntrack labels

Author: Tbaile

packages/netifyd/Makefile

@@ -166,7 +166,6 @@ define Package/netifyd/install
 	$(INSTALL_DIR) $(1)/usr/share
 	$(INSTALL_DIR) $(1)/usr/share/netifyd
 	$(INSTALL_DIR) $(1)/usr/share/netifyd/plugins.d
-	$(INSTALL_DIR) $(1)/usr/share/nftables.d/table-pre
 
 	# netifyd
 	$(INSTALL_DATA) ./files/etc/config/netifyd $(1)/etc/config/netifyd
@@ -185,7 +184,6 @@ define Package/netifyd/install
 	$(INSTALL_DATA) ./files/usr/share/netifyd/netify-sink-http-auto.json $(1)/usr/share/netifyd/netify-sink-http-auto.json
 	$(INSTALL_DATA) ./files/usr/share/netifyd/plugins.d/99-netify-proc-core-auto.conf $(1)/usr/share/netifyd/plugins.d/99-netify-proc-core-auto.conf
 	$(INSTALL_DATA) ./files/usr/share/netifyd/plugins.d/99-netify-sink-http-auto.conf $(1)/usr/share/netifyd/plugins.d/99-netify-sink-http-auto.conf
-	$(INSTALL_DATA) ./files/usr/share/nftables.d/table-pre/10-netifyd.nft $(1)/usr/share/nftables.d/table-pre/10-netifyd.nft
 	$(LN) /usr/lib/libnetifyd.so.4.0.0 $(1)/usr/lib/libnetifyd.so
 	$(LN) /usr/lib/libnetifyd.so.4.0.0 $(1)/usr/lib/libnetifyd.so.4
 	# netify-plm

packages/netifyd/files/usr/share/nftables.d/table-pre/10-netifyd.nft

@@ -63,7 +63,7 @@ define Package/ns-dpi/install
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
 	$(INSTALL_DIR) $(1)/usr/share/ns-plug/hooks/unregister
 	$(INSTALL_DIR) $(1)/etc/xtables
-	$(INSTALL_CONF) ./files/connlabel.conf $(1)/etc/xtables/connlabel.conf
+	$(INSTALL_CONF) ./files/connlabel.conf $(1)/etc/connlabel.conf
 	$(INSTALL_BIN) ./files/dpi.init $(1)/etc/init.d/dpi
 	$(INSTALL_BIN) ./files/dpi-license-update.init $(1)/etc/init.d/dpi-license-update
 	$(INSTALL_BIN) ./files/dpi $(1)/usr/sbin/

packages/ns-dpi/Makefile

@@ -1,5 +1,5 @@
-0   dummy
-1   block
+0   netify-init
+1   netify-block
 2   bulk
 3   best_effort
 4   video

packages/ns-dpi/files/connlabel.conf

@@ -8,6 +8,6 @@
 # Generate netify flow actions config file
 /usr/sbin/dpi-config
 # Apply nftables rules
-/usr/sbin/dpi-nft | nft -f -
+/usr/sbin/dpi-nft
 # reload netifyd daemon
 /etc/init.d/netifyd reload

packages/ns-dpi/files/dpi

@@ -30,22 +30,17 @@ def get_interface_ips(interface):
 cfg_file = "/etc/netifyd/netify-proc-flow-actions.json"
 config = {
     "reprocess_flows": True,
+    "target_globals": {
+        "ctlabel": {
+            "connlabel_conf": "/etc/connlabel.conf"
+        },
+    },
     "targets": {
         "block": {
-            "target_type": "nftset",
+            "target_type": "ctlabel",
             "target_enabled": True,
-            "table_name": "fw4",
-            "table_family": "inet",
-            "size": 65535,
-            "ttl": 900,
-            "set_name": "nfa.blocks",
-            "set_family": "ipv4",
-            "flush_on_destroy": True,
-            "type": [
-                "local_addr",
-                "ip_proto",
-                "other_port",
-                "other_addr"
+            "labels": [
+                "netify-block"
             ]
         },
         "log": {

packages/ns-dpi/files/dpi-config

@@ -1,33 +1,46 @@
-#!/bin/sh
+#!/usr/bin/env python
 
 #
-# Copyright (C) 2025 Nethesis S.r.l.
+# Copyright (C) 2026 Nethesis S.r.l.
 # SPDX-License-Identifier: GPL-2.0-only
 #
 
-#
-# DPI: generate NFT script
-#
+import os
+import subprocess
+
+from euci import EUci
+from jinja2 import Environment, BaseLoader
+
+CHAIN = """
+chain dpi_blocks {
+    type filter hook prerouting priority filter + 10; policy accept;
+
+    # init is to allow kernel to set labels
+    ct label set netify-init
+    ct label netify-block counter {% if log_enabled %}log prefix "DPI block: " limit rate {{ log_limit }} {% endif %}drop
+}
+
+"""
+
+
+def generate_dpi():
+    e_uci = EUci()
+    template = Environment(loader=BaseLoader()).from_string(CHAIN)
+    render = template.render(
+        log_enabled=e_uci.get('dpi', 'config', 'log_blocked', dtype=bool, default=False),
+        log_limit=e_uci.get('firewall', 'ns_defaults', 'rule_log_limit', dtype=str, default='1/second')
+    )
+    # save to nftables directory table-pre, only if the file is changed
+    file_path = '/usr/share/nftables.d/table-pre/dpi_blocks.nft'
+    current = None
+    if os.path.exists(file_path):
+        with open(file_path, 'r') as f:
+            current = f.read()
+    if current != render:
+        with open(file_path, 'w') as f:
+            f.write(render)
+        # reload nftables
+        subprocess.run(['fw4', 'reload'], check=True, capture_output=True)
 
-log_opt=""
-if [ $(uci -q get dpi.config.log_blocked) = "1" ]; then
-    log_opt='log prefix "DPI block: "'
-    limit=$(uci -q get firewall.ns_defaults.rule_log_limit)
-    # validate limit syntax to avoid error on nft rules
-    if echo "$limit" | grep -qE '^[0-9]+/s$'; then
-        limit="${limit}econd"
-    else
-        limit="1/second"
-    fi
-fi
-
-if nft list chain inet fw4 block_chain >/dev/null 2>&1; then
-    echo flush chain inet fw4 block_chain
-fi
-
-echo add set inet fw4 nfa.blocks.v4 '{ type ipv4_addr . inet_proto . inet_service . ipv4_addr; size 65536; timeout 15m; }'
-echo add chain inet fw4 block_chain '{ type filter hook forward priority -10; }'
-if [ -n "$log_opt" ]; then
-    echo add rule inet fw4 block_chain ip saddr . ip protocol . th dport . ip daddr @nfa.blocks.v4 limit rate $limit burst 5 packets $log_opt
-fi
-echo add rule inet fw4 block_chain ip saddr . ip protocol . th dport . ip daddr @nfa.blocks.v4 counter drop
+if __name__ == "__main__":
+    generate_dpi()

packages/ns-dpi/files/dpi-nft

@@ -25,7 +25,6 @@ start_service() {
 
 reload_service()
 {
-    stop
     start
 }