NethServer · Tbaile · Nov 25, 2025 · Dec 1, 2025 · Dec 17, 2025 · Dec 19, 2025
diff --git a/packages/netifyd/Makefile b/packages/netifyd/Makefile
@@ -157,6 +157,7 @@ define Package/netifyd/install
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_DIR) $(1)/etc/netifyd
 	$(INSTALL_DIR) $(1)/etc/netifyd/categories.d
+	$(INSTALL_DIR) $(1)/etc/netifyd/interfaces.d
 	$(INSTALL_DIR) $(1)/etc/netifyd/plugins.d
 	$(INSTALL_DIR) $(1)/etc/netifyd/profiles.d
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
@@ -172,6 +173,7 @@ define Package/netifyd/install
 	$(INSTALL_DATA) ./files/etc/config/netifyd $(1)/etc/config/netifyd
 	$(INSTALL_BIN) ./files/etc/init.d/netifyd $(1)/etc/init.d/netifyd
 	$(INSTALL_DATA) ./files/etc/netifyd.conf $(1)/etc/netifyd.conf
+	$(INSTALL_DATA) ./files/etc/netifyd/interfaces.d/10-nfqueue.conf $(1)/etc/netifyd/interfaces.d/10-nfqueue.conf
 	$(INSTALL_DATA) ./files/etc/netifyd/netify-apps.conf $(1)/etc/netifyd/netify-apps.conf
 	$(INSTALL_DATA) ./files/etc/netifyd/netify-categories.json $(1)/etc/netifyd/netify-categories.json
 	$(INSTALL_DATA) ./files/etc/netifyd/profiles.d/00-default.conf $(1)/etc/netifyd/profiles.d/00-default.conf
@@ -185,7 +187,7 @@ define Package/netifyd/install
 	$(INSTALL_DATA) ./files/usr/share/netifyd/netify-sink-http-auto.json $(1)/usr/share/netifyd/netify-sink-http-auto.json
 	$(INSTALL_DATA) ./files/usr/share/netifyd/plugins.d/99-netify-proc-core-auto.conf $(1)/usr/share/netifyd/plugins.d/99-netify-proc-core-auto.conf
 	$(INSTALL_DATA) ./files/usr/share/netifyd/plugins.d/99-netify-sink-http-auto.conf $(1)/usr/share/netifyd/plugins.d/99-netify-sink-http-auto.conf
-	$(INSTALL_DATA) ./files/usr/share/nftables.d/table-pre/10-netifyd.nft $(1)/usr/share/nftables.d/table-pre/10-netifyd.nft
+	$(INSTALL_DATA) ./files/usr/share/nftables.d/table-pre/netifyd.nft $(1)/usr/share/nftables.d/table-pre/netifyd.nft
 	$(LN) /usr/lib/libnetifyd.so.4.0.0 $(1)/usr/lib/libnetifyd.so
 	$(LN) /usr/lib/libnetifyd.so.4.0.0 $(1)/usr/lib/libnetifyd.so.4
 	# netify-plm

diff --git a/packages/netifyd/files/etc/netifyd/interfaces.d/10-nfqueue.conf b/packages/netifyd/files/etc/netifyd/interfaces.d/10-nfqueue.conf
@@ -0,0 +1,23 @@
+# Netify Agent Example Capture Interface Configuration
+# Copyright (C) 2024-2025 eGloo Incorporated
+#
+##############################################################################
+
+# Example Netfilter QUEUE capture source
+##############################################################################
+
+[capture-interface-LAN]
+capture_type = nfqueue
+role = lan
+queue_id = 10
+queue_instances = 10
+conntrack_counters = true
+
+[capture-interface-WAN]
+capture_type = nfqueue
+role = wan
+queue_id = 20
+queue_instances = 10
+conntrack_counters = true
+
+# vim: set ft=dosini :
diff --git a/packages/netifyd/files/etc/uci-defaults/99-netify-enable-nfqueue.uci-default b/packages/netifyd/files/etc/uci-defaults/99-netify-enable-nfqueue.uci-default
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+#
+# Copyright (C) 2025 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
+# Removing the interfaces from netifyd configuration, ignore exit codes
+if ! uci -q get netifyd.@netifyd[0].external_if; then
+    uci -q del netifyd.@netifyd[0].external_if
+fi
+if ! uci -q get netifyd.@netifyd[0].internal_if; then
+    uci -q del netifyd.@netifyd[0].internal_if
+fi
diff --git a/packages/netifyd/files/usr/share/nftables.d/table-pre/10-netifyd.nft b/packages/netifyd/files/usr/share/nftables.d/table-pre/10-netifyd.nft
diff --git a/packages/netifyd/files/usr/share/nftables.d/table-pre/netifyd.nft b/packages/netifyd/files/usr/share/nftables.d/table-pre/netifyd.nft
@@ -0,0 +1,33 @@
+chain nfq_input {
+    type filter hook input priority filter + 10; policy accept;
+    ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept
+    ip6 saddr ::1 ip6 daddr ::1 accept
+
+    ct packets > 32 counter accept
+    # Traffic FROM LAN interfaces -> Queue 10-19
+    iifname != $wan_devices queue flags bypass to 10-19
+    # Traffic FROM WAN interfaces -> Queue 20-29
+    iifname $wan_devices queue flags bypass to 20-29
+}
+
+chain nfq_forward {
+    type filter hook forward priority filter + 10; policy accept;
+
+    ct packets > 32 counter accept
+    # Traffic entering from LAN (Upload/LAN-to-LAN) -> Queue 10-19
+    iifname != $wan_devices queue flags bypass to 10-19
+    # Traffic entering from WAN (Download/Port Forwarding) -> Queue 20-29
+    iifname $wan_devices queue flags bypass to 20-29
+}
+
+chain nfq_output {
+    type filter hook output priority filter + 10; policy accept;
+    ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept
+    ip6 saddr ::1 ip6 daddr ::1 accept
+
+    ct packets > 32 counter accept
+    # Traffic going TO LAN interfaces -> Queue 10-19
+    oifname != $wan_devices queue flags bypass to 10-19
+    # Traffic going TO WAN interfaces -> Queue 20-29
+    oifname $wan_devices queue flags bypass to 20-29
+}
diff --git a/packages/ns-api/Makefile b/packages/ns-api/Makefile
@@ -177,7 +177,6 @@ define Package/ns-api/install
 	$(INSTALL_BIN) ./files/post-commit/restart-netdata.py $(1)/usr/libexec/ns-api/post-commit/
 	$(INSTALL_BIN) ./files/pre-commit/fix-redirect-reflections.py $(1)/usr/libexec/ns-api/pre-commit
 	$(INSTALL_BIN) ./files/pre-commit/update-objects.py $(1)/usr/libexec/ns-api/pre-commit
-	$(INSTALL_BIN) ./files/post-commit/configure-netifyd.py $(1)/usr/libexec/ns-api/post-commit
 	$(INSTALL_BIN) ./files/post-commit/reload-ipsets.py $(1)/usr/libexec/ns-api/post-commit
 	$(INSTALL_BIN) ./files/post-commit/restart-cron.py $(1)/usr/libexec/ns-api/post-commit
 	$(INSTALL_BIN) ./files/post-commit/restart-wireguard.py $(1)/usr/libexec/ns-api/post-commit

diff --git a/packages/ns-api/files/post-commit/configure-netifyd.py b/packages/ns-api/files/post-commit/configure-netifyd.py
diff --git a/packages/ns-dpi/Makefile b/packages/ns-dpi/Makefile
@@ -63,7 +63,7 @@ define Package/ns-dpi/install
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
 	$(INSTALL_DIR) $(1)/usr/share/ns-plug/hooks/unregister
 	$(INSTALL_DIR) $(1)/etc/xtables
-	$(INSTALL_CONF) ./files/connlabel.conf $(1)/etc/xtables/connlabel.conf
+	$(INSTALL_CONF) ./files/connlabel.conf $(1)/etc/connlabel.conf
 	$(INSTALL_BIN) ./files/dpi.init $(1)/etc/init.d/dpi
 	$(INSTALL_BIN) ./files/dpi-license-update.init $(1)/etc/init.d/dpi-license-update
 	$(INSTALL_BIN) ./files/dpi $(1)/usr/sbin/

diff --git a/packages/ns-dpi/files/connlabel.conf b/packages/ns-dpi/files/connlabel.conf
@@ -1,5 +1,5 @@
-0   dummy
-1   block
+0   netify-init
+1   netify-block
 2   bulk
 3   best_effort
 4   video

diff --git a/packages/ns-dpi/files/dpi b/packages/ns-dpi/files/dpi
@@ -8,6 +8,6 @@
 # Generate netify flow actions config file
 /usr/sbin/dpi-config
 # Apply nftables rules
-/usr/sbin/dpi-nft | nft -f -
+/usr/sbin/dpi-nft
 # reload netifyd daemon
 /etc/init.d/netifyd reload
diff --git a/packages/ns-dpi/files/dpi-config b/packages/ns-dpi/files/dpi-config
@@ -30,22 +30,17 @@ def get_interface_ips(interface):
 cfg_file = "/etc/netifyd/netify-proc-flow-actions.json"
 config = {
     "reprocess_flows": True,
+    "target_globals": {
+        "ctlabel": {
+            "connlabel_conf": "/etc/connlabel.conf"
+        },
+    },
     "targets": {
         "block": {
-            "target_type": "nftset",
+            "target_type": "ctlabel",
             "target_enabled": True,
-            "table_name": "fw4",
-            "table_family": "inet",
-            "size": 65535,
-            "ttl": 900,
-            "set_name": "nfa.blocks",
-            "set_family": "ipv4",
-            "flush_on_destroy": True,
-            "type": [
-                "local_addr",
-                "ip_proto",
-                "other_port",
-                "other_addr"
+            "labels": [
+                "netify-block"
             ]
         }
     },
@@ -84,6 +79,8 @@ for section in u.get_all('dpi'):
     if rule['action'] not in valid_actions or not rule['enabled']:
         continue
 
+    device = rule.get('device', '*')
+
     if 'criteria' in rule:
         # criteria has precedence over sources, protocol, category and application
         criteria = rule['criteria'].replace('"',"'")
@@ -107,14 +104,14 @@ for section in u.get_all('dpi'):
 
         sources_s = ' or '.join(sources)
         applications_s = ' or '.join(applications)
+        criteria = f'(iface_nfq_src == \'{device}\' or iface_nfq_dst == \'{device}\') && '
         if len(sources) < 1:
-            criteria = f'({applications_s}) ;'
+            criteria += f'({applications_s}) ;'
         elif len(applications) < 1:
-            criteria = f'({sources_s}) ;'
+            criteria += f'({sources_s}) ;'
         else:
-            criteria = f'({sources_s}) && ({applications_s}) ;'
+            criteria += f'({sources_s}) && ({applications_s}) ;'
 
-    device = rule.get('device', '*')
     vlan_id = None
     base_if = None
     for item in utils.get_all_by_type(u, 'network', 'device').values():
@@ -129,7 +126,6 @@ for section in u.get_all('dpi'):
 
     config["actions"][f"rule{rcount}"] = {
         "enabled": rule['enabled'] == '1',
-        "interface": device,
         "criteria": criteria,
         "targets": [rule['action']],
         "exemptions": rule.get('exemption', [])

diff --git a/packages/ns-dpi/files/dpi-nft b/packages/ns-dpi/files/dpi-nft
@@ -1,33 +1,46 @@
-#!/bin/sh
+#!/usr/bin/env python
 
 #
-# Copyright (C) 2025 Nethesis S.r.l.
+# Copyright (C) 2026 Nethesis S.r.l.
 # SPDX-License-Identifier: GPL-2.0-only
 #
 
-#
-# DPI: generate NFT script
-#
+import os
+import subprocess
+
+from euci import EUci
+from jinja2 import Environment, BaseLoader
+
+CHAIN="""
+chain dpi_blocks {
+    type filter hook prerouting priority filter + 10; policy accept;
+
+    # init is to allow kernel to set labels
+    ct label set netify-init
+    ct label netify-block counter {% if log_enabled %}log prefix "DPI block: " limit rate {{ log_limit }} {% endif %}drop
+}
+
+"""
+
+
+def generate_dpi():
+    e_uci = EUci()
+    template = Environment(loader=BaseLoader()).from_string(CHAIN)
+    render = template.render(
+        log_enabled=e_uci.get('dpi', 'config', 'log_blocked', dtype=bool, default=False),
+        log_limit=e_uci.get('firewall', 'ns_defaults', 'rule_log_limit', dtype=str, default='1/second')
+    )
+    # save to nftables directory table-pre, only if the file is changed
+    file_path = '/usr/share/nftables.d/table-pre/dpi_blocks.nft'
+    current = None
+    if os.path.exists(file_path):
+        with open(file_path, 'r') as f:
+            current = f.read()
+    if current != render:
+        with open(file_path, 'w') as f:
+            f.write(render)
+        # reload nftables
+        subprocess.run(['fw4', 'reload'], check=True, capture_output=True)
 
-log_opt=""
-if [ $(uci -q get dpi.config.log_blocked) = "1" ]; then
-    log_opt='log prefix "DPI block: "'
-    limit=$(uci -q get firewall.ns_defaults.rule_log_limit)
-    # validate limit syntax to avoid error on nft rules
-    if echo "$limit" | grep -qE '^[0-9]+/s$'; then
-        limit="${limit}econd"
-    else
-        limit="1/second"
-    fi
-fi
-
-if nft list chain inet fw4 block_chain >/dev/null 2>&1; then
-    echo flush chain inet fw4 block_chain
-fi
-
-echo add set inet fw4 nfa.blocks.v4 '{ type ipv4_addr . inet_proto . inet_service . ipv4_addr; size 65536; timeout 15m; }'
-echo add chain inet fw4 block_chain '{ type filter hook forward priority -10; }'
-if [ -n "$log_opt" ]; then
-    echo add rule inet fw4 block_chain ip saddr . ip protocol . th dport . ip daddr @nfa.blocks.v4 limit rate $limit burst 5 packets $log_opt
-fi
-echo add rule inet fw4 block_chain ip saddr . ip protocol . th dport . ip daddr @nfa.blocks.v4 counter drop
+if __name__ == "__main__":
+    generate_dpi()
diff --git a/packages/ns-dpi/files/dpi.init b/packages/ns-dpi/files/dpi.init
@@ -25,7 +25,6 @@ start_service() {
 
 reload_service()
 {
-    stop
     start
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -25,7 +25,6 @@ start_service() { @@
     reload_service()
     {
-        stop
         start
     }
@@ Expand Down @@