feat: Add netifyd plugin support to luci-app-secubox-netifyd (v1.1.0)

- Add netifyd-plugin-setup script for Netify repository management - Add ipset and kmod-nft-compat dependencies - Add postinst to create plugin directories and ipsets - Extend UCI config with new plugin sections: - flow_actions: Flow Actions processor plugin - streaming: Streaming services IP set (Netflix, YouTube, etc.) - category_block: Category-based blocking (malware, ads, tracking) - flow_rule: Custom flow rules support - Update RPCD backend with apply_plugin_config for all plugins: - Auto-create ipsets (secubox-bittorrent, secubox-banned, secubox-streaming) - Auto-create nftables table/chain when enabled - Support for Flow Actions processor, IPSet, and nftables plugins - Update settings UI with new plugin configuration sections - Add plugin installation instructions in UI Plugin packages (from netify.ai repository): - netify-proc-flow-actions: Flow Actions processor - netify-sink-socket: Socket sink for local export Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-08 19:15:49 +01:00 · 2026-01-08 19:15:49 +01:00 · 77a78053e2
commit 77a78053e2
parent c9f719a8de
5 changed files with 566 additions and 16 deletions
--- a/package/secubox/luci-app-secubox-netifyd/Makefile
+++ b/package/secubox/luci-app-secubox-netifyd/Makefile
@ -1,17 +1,21 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=luci-app-secubox-netifyd
-PKG_VERSION:=1.0.3
+PKG_VERSION:=1.1.0
 PKG_RELEASE:=1
 PKG_LICENSE:=MIT
 PKG_MAINTAINER:=CyberMind <contact@cybermind.fr>
 PKG_ARCH:=all

 LUCI_TITLE:=SecuBox Netifyd Deep Packet Inspection Interface
-LUCI_DEPENDS:=+luci-base +rpcd +netifyd +jq +secubox-core
-LUCI_DESCRIPTION:=Complete LuCI interface for netifyd DPI engine with real-time flow monitoring, application detection, and network analytics
+LUCI_DEPENDS:=+luci-base +rpcd +netifyd +jq +secubox-core +ipset +kmod-nft-compat
+LUCI_DESCRIPTION:=Complete LuCI interface for netifyd DPI engine with real-time flow monitoring, application detection, network analytics, and flow action plugins
 LUCI_PKGARCH:=all

+# Plugin packages from netify.ai repository (optional - require adding netify feed)
+# netify-proc-flow-actions - Flow Actions processor plugin
+# netify-sink-socket - Socket sink plugin for local export
+
 # This is free software, licensed under the MIT License

 define Package/$(PKG_NAME)/install
@ -22,10 +26,30 @@ define Package/$(PKG_NAME)/install
 	$(INSTALL_BIN) ./root/usr/sbin/secubox-netifyd-configure $(1)/usr/sbin/
 	$(INSTALL_DIR) $(1)/usr/bin
 	$(INSTALL_BIN) ./root/usr/bin/netifyd-collector-setup $(1)/usr/bin/
+	$(INSTALL_BIN) ./root/usr/bin/netifyd-plugin-setup $(1)/usr/bin/
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./root/etc/init.d/secubox-netifyd-collector $(1)/etc/init.d/
 endef

+define Package/$(PKG_NAME)/postinst
+#!/bin/sh
+[ -n "$${IPKG_INSTROOT}" ] || {
+	# Create plugin directories
+	mkdir -p /etc/netifyd/plugins.d
+	mkdir -p /etc/netify.d
+
+	# Initialize ipsets for plugins if not exist
+	ipset list secubox-bittorrent >/dev/null 2>&1 || \
+		ipset create secubox-bittorrent hash:ip timeout 900 2>/dev/null
+	ipset list secubox-banned >/dev/null 2>&1 || \
+		ipset create secubox-banned hash:ip timeout 3600 2>/dev/null
+
+	# Restart rpcd
+	/etc/init.d/rpcd restart 2>/dev/null
+}
+exit 0
+endef
+
 include $(TOPDIR)/feeds/luci/luci.mk

 # call BuildPackage - OpenWrt buildroot
--- a/package/secubox/luci-app-secubox-netifyd/htdocs/luci-static/resources/view/secubox-netifyd/settings.js
+++ b/package/secubox/luci-app-secubox-netifyd/htdocs/luci-static/resources/view/secubox-netifyd/settings.js
@ -317,22 +317,170 @@ return view.extend({
 	);
 	o.default = 'secubox-banned';

+	// ========== Flow Actions Processor Plugin ==========
+	s = m.section(form.NamedSection, 'flow_actions', 'plugin',
+		E('span', [
+			E('i', { 'class': 'fa fa-cogs', 'style': 'margin-right: 0.5rem' }),
+			_('Flow Actions Processor')
+		]),
+		_('Enable the Flow Actions processor plugin for advanced flow handling.'));
+	s.addremove = false;
+
+	o = s.option(form.Flag, 'enabled',
+		E('span', [
+			E('i', { 'class': 'fa fa-toggle-on', 'style': 'margin-right: 0.5rem' }),
+			_('Enable Plugin')
+		]),
+		_('Requires netify-proc-flow-actions package from Netify repository.')
+	);
+	o.default = '0';
+	o.rmempty = false;
+
+	o = s.option(form.Value, 'config_file',
+		E('span', [
+			E('i', { 'class': 'fa fa-file-code', 'style': 'margin-right: 0.5rem' }),
+			_('Configuration File')
+		]),
+		_('Path to the flow actions JSON configuration file.')
+	);
+	o.default = '/etc/netifyd/flow-actions.json';
+
+	// ========== Streaming Services IP Set ==========
+	s = m.section(form.NamedSection, 'streaming', 'plugin',
+		E('span', [
+			E('i', { 'class': 'fa fa-play-circle', 'style': 'margin-right: 0.5rem' }),
+			_('Streaming Services IP Set')
+		]),
+		_('Tag streaming service traffic (Netflix, YouTube, Spotify, etc.) with an ipset.'));
+	s.addremove = false;
+
+	o = s.option(form.Flag, 'enabled',
+		E('span', [
+			E('i', { 'class': 'fa fa-toggle-on', 'style': 'margin-right: 0.5rem' }),
+			_('Enable Plugin')
+		]),
+		_('Add streaming service IPs to the configured ipset.')
+	);
+	o.default = '0';
+	o.rmempty = false;
+
+	o = s.option(form.Value, 'ipset',
+		E('span', [
+			E('i', { 'class': 'fa fa-database', 'style': 'margin-right: 0.5rem' }),
+			_('Target IP Set')
+		]),
+		_('IP set name used to tag streaming traffic.')
+	);
+	o.default = 'secubox-streaming';
+
+	o = s.option(form.ListValue, 'ipset_family',
+		E('span', [
+			E('i', { 'class': 'fa fa-globe', 'style': 'margin-right: 0.5rem' }),
+			_('IP Family')
+		]),
+		_('IP set family (inet or inet6).')
+	);
+	o.value('inet', _('IPv4 (inet)'));
+	o.value('inet6', _('IPv6 (inet6)'));
+	o.default = 'inet';
+
+	o = s.option(form.Value, 'ipset_timeout',
+		E('span', [
+			E('i', { 'class': 'fa fa-clock', 'style': 'margin-right: 0.5rem' }),
+			_('IP Set Timeout')
+		]),
+		_('Timeout in seconds for ipset entries.')
+	);
+	o.default = '1800';
+	o.datatype = 'uinteger';
+
+	// ========== Category Blocking Plugin ==========
+	s = m.section(form.NamedSection, 'category_block', 'plugin',
+		E('span', [
+			E('i', { 'class': 'fa fa-shield-alt', 'style': 'margin-right: 0.5rem' }),
+			_('Category Blocking')
+		]),
+		_('Block traffic based on application categories (malware, ads, tracking).'));
+	s.addremove = false;
+
+	o = s.option(form.Flag, 'enabled',
+		E('span', [
+			E('i', { 'class': 'fa fa-toggle-on', 'style': 'margin-right: 0.5rem' }),
+			_('Enable Plugin')
+		]),
+		_('Block flows matching specified categories.')
+	);
+	o.default = '0';
+	o.rmempty = false;
+
+	o = s.option(form.Value, 'table',
+		E('span', [
+			E('i', { 'class': 'fa fa-table', 'style': 'margin-right: 0.5rem' }),
+			_('nftables Table')
+		]),
+		_('Table where the plugin will insert verdicts.')
+	);
+	o.default = 'inet secubox';
+
+	o = s.option(form.Value, 'chain',
+		E('span', [
+			E('i', { 'class': 'fa fa-chain', 'style': 'margin-right: 0.5rem' }),
+			_('nftables Chain')
+		]),
+		_('Chain used by the verdicts.')
+	);
+	o.default = 'flow_actions';
+
+	o = s.option(form.ListValue, 'action',
+		E('span', [
+			E('i', { 'class': 'fa fa-ban', 'style': 'margin-right: 0.5rem' }),
+			_('Action')
+		]),
+		_('Action applied when the plugin matches a flow.')
+	);
+	o.value('drop', _('Drop'));
+	o.value('reject', _('Reject'));
+	o.default = 'drop';
+
+	// ========== Apply Plugins Button ==========
+	s = m.section(form.NamedSection, 'nftables', 'plugin');
+	s.addremove = false;
+	s.anonymous = true;
+
 	o = s.option(form.Button, 'apply_plugins',
 		E('span', [
 			E('i', { 'class': 'fa fa-sync', 'style': 'margin-right: 0.5rem' }),
-			_('Apply Flow Plugins')
+			_('Apply All Flow Plugins')
 		]),
-		_('Regenerate plugin configs and restart Netifyd.')
+		_('Regenerate all plugin configs and restart Netifyd.')
 	);
-	o.inputstyle = 'action';
+	o.inputstyle = 'action important';
 	o.write = function() {
 		netifydAPI.applyPluginConfig().then(function(result) {
-			ui.addNotification({ type: 'success', description: result.message || _('Plugin configuration applied') });
-		}, function(err) {
-			ui.addNotification({ type: 'error', description: (err && err.error && err.error.message) || _('Plugin configuration failed') });
+			ui.addNotification(null, E('p', result.message || _('Plugin configuration applied')), 'success');
+		}).catch(function(err) {
+			ui.addNotification(null, E('p', (err && err.message) || _('Plugin configuration failed')), 'error');
 		});
 	};

+	// ========== Plugin Setup Instructions ==========
+	s = m.section(form.NamedSection, 'settings', 'settings',
+		E('span', [
+			E('i', { 'class': 'fa fa-info-circle', 'style': 'margin-right: 0.5rem' }),
+			_('Plugin Installation')
+		]),
+		E('div', { 'style': 'background: #f0f4f8; padding: 15px; border-radius: 8px; margin-top: 10px;' }, [
+			E('p', { 'style': 'margin: 0 0 10px 0;' }, _('To use plugins, add the Netify repository and install required packages:')),
+			E('pre', { 'style': 'background: #1e293b; color: #e2e8f0; padding: 10px; border-radius: 4px; overflow-x: auto;' },
+				'netifyd-plugin-setup add-feed\n' +
+				'netifyd-plugin-setup install netify-proc-flow-actions\n' +
+				'netifyd-plugin-setup create-ipsets'
+			),
+			E('p', { 'style': 'margin: 10px 0 0 0; font-size: 0.9em; color: #64748b;' },
+				_('See /usr/bin/netifyd-plugin-setup for more options.'))
+		]));
+	s.addremove = false;
+
 	// ========== Monitoring Settings Section ==========
 	s = m.section(form.TypedSection, 'monitoring',
 			E('span', [
--- a/package/secubox/luci-app-secubox-netifyd/root/etc/config/secubox-netifyd
+++ b/package/secubox/luci-app-secubox-netifyd/root/etc/config/secubox-netifyd
@ -37,15 +37,63 @@ config sink 'sink'
 	option tcp_port '9501'
 	option collector_enabled '0'

+# Flow Actions Processor Plugin
+config plugin 'flow_actions'
+	option enabled '0'
+	option config_file '/etc/netifyd/flow-actions.json'
+
+# BitTorrent IP Set Plugin
 config plugin 'bittorrent'
 	option enabled '0'
 	option ipset 'secubox-bittorrent'
 	option ipset_family 'inet'
 	option match_application 'bittorrent'
+	option ipset_timeout '900'

+# nftables Verdicts Plugin
 config plugin 'nftables'
 	option enabled '0'
-	option table 'filter'
-	option chain 'SECUBOX'
+	option table 'inet secubox'
+	option chain 'flow_actions'
 	option action 'drop'
 	option target_ipset 'secubox-banned'
+
+# Streaming Services Detection Plugin
+config plugin 'streaming'
+	option enabled '0'
+	option ipset 'secubox-streaming'
+	option ipset_family 'inet'
+	option ipset_timeout '1800'
+	list match_application 'netflix'
+	list match_application 'youtube'
+	list match_application 'spotify'
+	list match_application 'twitch'
+	list match_application 'disney'
+	list match_application 'amazon_video'
+
+# Application Category Blocking
+config plugin 'category_block'
+	option enabled '0'
+	option table 'inet secubox'
+	option chain 'flow_actions'
+	option action 'drop'
+	list block_category 'malware'
+	list block_category 'ads'
+	list block_category 'tracking'
+
+# Custom Flow Rules
+config flow_rule
+	option enabled '0'
+	option name 'block_social'
+	option match_type 'application'
+	option match_value 'facebook|instagram|tiktok'
+	option action 'drop'
+	option schedule ''
+
+config flow_rule
+	option enabled '0'
+	option name 'mark_gaming'
+	option match_type 'category'
+	option match_value 'game'
+	option action 'mark'
+	option mark_value '0x10'
--- a/package/secubox/luci-app-secubox-netifyd/root/usr/bin/netifyd-plugin-setup
+++ b/package/secubox/luci-app-secubox-netifyd/root/usr/bin/netifyd-plugin-setup
@ -0,0 +1,231 @@
+#!/bin/sh
+# SecuBox Netifyd Plugin Setup
+# Configures netify.ai repository and installs plugins
+# Copyright (C) 2025 CyberMind.fr
+
+NETIFY_FEED_FILE="/etc/opkg/customfeeds.conf"
+NETIFY_KEY_URL="https://download.netify.ai/openwrt/netify-repo.pub"
+NETIFY_KEY_FILE="/etc/opkg/keys/netify-repo.pub"
+
+# Get OpenWrt version
+get_openwrt_version() {
+	if [ -f /etc/os-release ]; then
+		. /etc/os-release
+		echo "${VERSION_ID:-23.05}"
+	else
+		echo "23.05"
+	fi
+}
+
+# Get architecture
+get_arch() {
+	local arch=$(uname -m)
+	case "$arch" in
+		x86_64) echo "x86_64" ;;
+		aarch64) echo "aarch64" ;;
+		armv7l) echo "arm_cortex-a7" ;;
+		mips*) echo "mips_24kc" ;;
+		*) echo "$arch" ;;
+	esac
+}
+
+# Add netify repository
+add_netify_feed() {
+	local version=$(get_openwrt_version)
+	local arch=$(get_arch)
+	local feed_url="https://download.netify.ai/5/openwrt/${version}/${arch}"
+
+	echo "Adding Netify repository..."
+	echo "  Version: $version"
+	echo "  Architecture: $arch"
+	echo "  Feed URL: $feed_url"
+
+	# Check if feed already exists
+	if grep -q "download.netify.ai" "$NETIFY_FEED_FILE" 2>/dev/null; then
+		echo "Netify feed already configured"
+	else
+		echo "src/gz netify $feed_url" >> "$NETIFY_FEED_FILE"
+		echo "Feed added to $NETIFY_FEED_FILE"
+	fi
+
+	# Download signing key
+	mkdir -p "$(dirname "$NETIFY_KEY_FILE")"
+	if [ ! -f "$NETIFY_KEY_FILE" ]; then
+		echo "Downloading Netify signing key..."
+		wget -q -O "$NETIFY_KEY_FILE" "$NETIFY_KEY_URL" 2>/dev/null || \
+			curl -s -o "$NETIFY_KEY_FILE" "$NETIFY_KEY_URL" 2>/dev/null
+		if [ -f "$NETIFY_KEY_FILE" ]; then
+			echo "Signing key installed"
+		else
+			echo "Warning: Could not download signing key"
+		fi
+	fi
+
+	# Update package lists
+	echo "Updating package lists..."
+	opkg update
+}
+
+# List available plugins
+list_plugins() {
+	echo "Available Netifyd Plugins:"
+	echo ""
+	echo "  Processor Plugins:"
+	echo "    netify-proc-core          - Core processor (required for plugins)"
+	echo "    netify-proc-flow-actions  - Flow action rules (block, mark, ipset)"
+	echo "    netify-proc-device-discovery - Device identification"
+	echo ""
+	echo "  Sink Plugins:"
+	echo "    netify-sink-socket        - Export to Unix/TCP socket"
+	echo "    netify-sink-http          - Export to HTTP endpoint"
+	echo "    netify-sink-mqtt          - Export to MQTT broker"
+	echo "    netify-sink-log           - Export to log files"
+	echo ""
+	echo "  Use: $0 install <plugin-name>"
+}
+
+# Install plugin
+install_plugin() {
+	local plugin="$1"
+	if [ -z "$plugin" ]; then
+		echo "Error: Plugin name required"
+		list_plugins
+		return 1
+	fi
+
+	echo "Installing $plugin..."
+	opkg install "$plugin"
+	local rc=$?
+
+	if [ $rc -eq 0 ]; then
+		echo "Plugin $plugin installed successfully"
+		echo "Restarting netifyd..."
+		/etc/init.d/netifyd restart
+	else
+		echo "Failed to install $plugin"
+		echo "Make sure the Netify feed is configured: $0 add-feed"
+	fi
+
+	return $rc
+}
+
+# Check installed plugins
+check_plugins() {
+	echo "Checking installed Netifyd plugins..."
+	echo ""
+
+	local plugin_dir="/usr/lib/netifyd"
+	if [ -d "$plugin_dir" ]; then
+		echo "Plugin libraries in $plugin_dir:"
+		ls -la "$plugin_dir"/*.so 2>/dev/null || echo "  (none found)"
+	else
+		echo "Plugin directory not found: $plugin_dir"
+	fi
+
+	echo ""
+	echo "Installed netify packages:"
+	opkg list-installed | grep -i netif
+}
+
+# Create ipsets for plugins
+create_ipsets() {
+	echo "Creating ipsets for plugins..."
+
+	# BitTorrent ipset
+	if ! ipset list secubox-bittorrent >/dev/null 2>&1; then
+		ipset create secubox-bittorrent hash:ip timeout 900
+		echo "Created ipset: secubox-bittorrent"
+	else
+		echo "Ipset secubox-bittorrent already exists"
+	fi
+
+	# Banned IPs ipset
+	if ! ipset list secubox-banned >/dev/null 2>&1; then
+		ipset create secubox-banned hash:ip timeout 3600
+		echo "Created ipset: secubox-banned"
+	else
+		echo "Ipset secubox-banned already exists"
+	fi
+
+	# Streaming services ipset
+	if ! ipset list secubox-streaming >/dev/null 2>&1; then
+		ipset create secubox-streaming hash:ip timeout 1800
+		echo "Created ipset: secubox-streaming"
+	else
+		echo "Ipset secubox-streaming already exists"
+	fi
+
+	echo "Ipsets ready"
+}
+
+# Setup nftables chain for plugins
+setup_nftables() {
+	echo "Setting up nftables chain for plugins..."
+
+	# Create secubox table and chain if not exists
+	nft list table inet secubox >/dev/null 2>&1 || {
+		nft add table inet secubox
+		echo "Created table: inet secubox"
+	}
+
+	nft list chain inet secubox flow_actions >/dev/null 2>&1 || {
+		nft add chain inet secubox flow_actions
+		echo "Created chain: inet secubox flow_actions"
+	}
+
+	echo "nftables setup complete"
+}
+
+# Show usage
+usage() {
+	echo "SecuBox Netifyd Plugin Setup"
+	echo ""
+	echo "Usage: $0 <command> [options]"
+	echo ""
+	echo "Commands:"
+	echo "  add-feed          Add Netify.ai package repository"
+	echo "  list              List available plugins"
+	echo "  install <plugin>  Install a plugin package"
+	echo "  check             Check installed plugins"
+	echo "  create-ipsets     Create ipsets for flow plugins"
+	echo "  setup-nftables    Setup nftables chain for plugins"
+	echo "  init              Full initialization (feed + ipsets + nftables)"
+	echo ""
+	echo "Examples:"
+	echo "  $0 add-feed"
+	echo "  $0 install netify-proc-flow-actions"
+	echo "  $0 init"
+}
+
+# Main
+case "$1" in
+	add-feed)
+		add_netify_feed
+		;;
+	list)
+		list_plugins
+		;;
+	install)
+		install_plugin "$2"
+		;;
+	check)
+		check_plugins
+		;;
+	create-ipsets)
+		create_ipsets
+		;;
+	setup-nftables)
+		setup_nftables
+		;;
+	init)
+		add_netify_feed
+		create_ipsets
+		setup_nftables
+		echo ""
+		echo "Initialization complete. Install plugins with:"
+		echo "  $0 install netify-proc-flow-actions"
+		;;
+	*)
+		usage
+		;;
+esac
--- a/package/secubox/luci-app-secubox-netifyd/root/usr/libexec/rpcd/luci.secubox-netifyd
+++ b/package/secubox/luci-app-secubox-netifyd/root/usr/libexec/rpcd/luci.secubox-netifyd
@ -74,27 +74,57 @@ EOF

 apply_plugin_config() {
 	local plugin_dir="$NETIFYD_PLUGIN_CONF_DIR"
+	local flow_actions_conf="$plugin_dir/secubox-flow-actions.conf"
 	local bittorrent_conf="$plugin_dir/secubox-bittorrent-ipset.conf"
 	local nft_conf="$plugin_dir/secubox-nftables-block.conf"
+	local streaming_conf="$plugin_dir/secubox-streaming-ipset.conf"
+	local category_conf="$plugin_dir/secubox-category-block.conf"

 	mkdir -p "$plugin_dir"
 	mkdir -p "$NETIFYD_STATE_DIR"

+	# Ensure ipsets exist
+	ipset list secubox-bittorrent >/dev/null 2>&1 || \
+		ipset create secubox-bittorrent hash:ip timeout 900 2>/dev/null
+	ipset list secubox-banned >/dev/null 2>&1 || \
+		ipset create secubox-banned hash:ip timeout 3600 2>/dev/null
+	ipset list secubox-streaming >/dev/null 2>&1 || \
+		ipset create secubox-streaming hash:ip timeout 1800 2>/dev/null
+
+	# Flow Actions Processor Plugin
+	local flow_actions_enabled=$(uci -q get secubox-netifyd.flow_actions.enabled || echo 0)
+	local flow_actions_config=$(uci -q get secubox-netifyd.flow_actions.config_file || echo '/etc/netifyd/flow-actions.json')
+
+	if [ "$flow_actions_enabled" -eq 1 ]; then
+		cat <<EOF > "$flow_actions_conf"
+[secubox-flow-actions]
+enable = yes
+plugin_library = ${NETIFYD_PLUGIN_LIBDIR}/libnetify-proc-flow-actions.so
+conf_filename = $flow_actions_config
+EOF
+		log_msg "INFO" "Flow Actions processor plugin enabled"
+	else
+		rm -f "$flow_actions_conf"
+		log_msg "INFO" "Flow Actions processor plugin disabled"
+	fi
+
+	# BitTorrent IP Set Plugin
 	local bittorrent_enabled=$(uci -q get secubox-netifyd.bittorrent.enabled || echo 0)
 	local ipset_name=$(uci -q get secubox-netifyd.bittorrent.ipset || echo 'secubox-bittorrent')
 	local ipset_family=$(uci -q get secubox-netifyd.bittorrent.ipset_family || echo 'inet')
 	local match_app=$(uci -q get secubox-netifyd.bittorrent.match_application || echo 'bittorrent')
+	local ipset_timeout=$(uci -q get secubox-netifyd.bittorrent.ipset_timeout || echo '900')

 	if [ "$bittorrent_enabled" -eq 1 ]; then
 		cat <<EOF > "$bittorrent_conf"
 [secubox-bittorrent-ipset]
 enable = yes
-plugin_library = ${NETIFYD_PLUGIN_LIBDIR}/libnetify-plugin-bittorrent-ipset.so
+plugin_library = ${NETIFYD_PLUGIN_LIBDIR}/libnetify-plugin-ipset.so
 conf_filename = ${NETIFYD_STATE_DIR}/secubox-bittorrent-ipset.json
 ipset-name = $ipset_name
 ipset-family = $ipset_family
 match-applications = $match_app
-ipset-timeout = 900
+ipset-timeout = $ipset_timeout
 EOF
 		log_msg "INFO" "BitTorrent ipset plugin enabled ($ipset_name)"
 	else
@ -102,17 +132,22 @@ EOF
 		log_msg "INFO" "BitTorrent ipset plugin disabled"
 	fi

+	# nftables Verdicts Plugin
 	local nft_enabled=$(uci -q get secubox-netifyd.nftables.enabled || echo 0)
-	local nft_table=$(uci -q get secubox-netifyd.nftables.table || echo 'filter')
-	local nft_chain=$(uci -q get secubox-netifyd.nftables.chain || echo 'SECUBOX')
+	local nft_table=$(uci -q get secubox-netifyd.nftables.table || echo 'inet secubox')
+	local nft_chain=$(uci -q get secubox-netifyd.nftables.chain || echo 'flow_actions')
 	local nft_action=$(uci -q get secubox-netifyd.nftables.action || echo 'drop')
 	local nft_ipset=$(uci -q get secubox-netifyd.nftables.target_ipset || echo 'secubox-banned')

 	if [ "$nft_enabled" -eq 1 ]; then
+		# Create nftables table and chain if needed
+		nft list table $nft_table >/dev/null 2>&1 || nft add table $nft_table 2>/dev/null
+		nft list chain $nft_table $nft_chain >/dev/null 2>&1 || nft add chain $nft_table $nft_chain 2>/dev/null
+
 		cat <<EOF > "$nft_conf"
 [secubox-nftables-block]
 enable = yes
-plugin_library = ${NETIFYD_PLUGIN_LIBDIR}/libnetify-plugin-nftables-block.so
+plugin_library = ${NETIFYD_PLUGIN_LIBDIR}/libnetify-plugin-nftables.so
 conf_filename = ${NETIFYD_STATE_DIR}/secubox-nftables-block.json
 table = $nft_table
 chain = $nft_chain
@ -124,6 +159,70 @@ EOF
 		rm -f "$nft_conf"
 		log_msg "INFO" "nftables plugin disabled"
 	fi
+
+	# Streaming Services IP Set Plugin
+	local streaming_enabled=$(uci -q get secubox-netifyd.streaming.enabled || echo 0)
+	local streaming_ipset=$(uci -q get secubox-netifyd.streaming.ipset || echo 'secubox-streaming')
+	local streaming_family=$(uci -q get secubox-netifyd.streaming.ipset_family || echo 'inet')
+	local streaming_timeout=$(uci -q get secubox-netifyd.streaming.ipset_timeout || echo '1800')
+
+	if [ "$streaming_enabled" -eq 1 ]; then
+		# Get list of streaming applications
+		local streaming_apps=""
+		local apps=$(uci -q get secubox-netifyd.streaming.match_application)
+		if [ -n "$apps" ]; then
+			streaming_apps=$(echo "$apps" | tr ' ' '|')
+		else
+			streaming_apps="netflix|youtube|spotify|twitch|disney|amazon_video"
+		fi
+
+		cat <<EOF > "$streaming_conf"
+[secubox-streaming-ipset]
+enable = yes
+plugin_library = ${NETIFYD_PLUGIN_LIBDIR}/libnetify-plugin-ipset.so
+conf_filename = ${NETIFYD_STATE_DIR}/secubox-streaming-ipset.json
+ipset-name = $streaming_ipset
+ipset-family = $streaming_family
+match-applications = $streaming_apps
+ipset-timeout = $streaming_timeout
+EOF
+		log_msg "INFO" "Streaming services ipset plugin enabled ($streaming_ipset)"
+	else
+		rm -f "$streaming_conf"
+		log_msg "INFO" "Streaming services ipset plugin disabled"
+	fi
+
+	# Category Blocking Plugin
+	local category_enabled=$(uci -q get secubox-netifyd.category_block.enabled || echo 0)
+	local category_table=$(uci -q get secubox-netifyd.category_block.table || echo 'inet secubox')
+	local category_chain=$(uci -q get secubox-netifyd.category_block.chain || echo 'flow_actions')
+	local category_action=$(uci -q get secubox-netifyd.category_block.action || echo 'drop')
+
+	if [ "$category_enabled" -eq 1 ]; then
+		# Get list of blocked categories
+		local categories=""
+		local cats=$(uci -q get secubox-netifyd.category_block.block_category)
+		if [ -n "$cats" ]; then
+			categories=$(echo "$cats" | tr ' ' '|')
+		else
+			categories="malware|ads|tracking"
+		fi
+
+		cat <<EOF > "$category_conf"
+[secubox-category-block]
+enable = yes
+plugin_library = ${NETIFYD_PLUGIN_LIBDIR}/libnetify-plugin-nftables.so
+conf_filename = ${NETIFYD_STATE_DIR}/secubox-category-block.json
+table = $category_table
+chain = $category_chain
+action = $category_action
+match-categories = $categories
+EOF
+		log_msg "INFO" "Category blocking plugin enabled ($categories)"
+	else
+		rm -f "$category_conf"
+		log_msg "INFO" "Category blocking plugin disabled"
+	fi
 }

 # Get netifyd service status