From 77a78053e20e49a1c1878b01af0e90d36c249fb7 Mon Sep 17 00:00:00 2001 From: CyberMind-FR Date: Thu, 8 Jan 2026 19:15:49 +0100 Subject: [PATCH] feat: Add netifyd plugin support to luci-app-secubox-netifyd (v1.1.0) - Add netifyd-plugin-setup script for Netify repository management - Add ipset and kmod-nft-compat dependencies - Add postinst to create plugin directories and ipsets - Extend UCI config with new plugin sections: - flow_actions: Flow Actions processor plugin - streaming: Streaming services IP set (Netflix, YouTube, etc.) - category_block: Category-based blocking (malware, ads, tracking) - flow_rule: Custom flow rules support - Update RPCD backend with apply_plugin_config for all plugins: - Auto-create ipsets (secubox-bittorrent, secubox-banned, secubox-streaming) - Auto-create nftables table/chain when enabled - Support for Flow Actions processor, IPSet, and nftables plugins - Update settings UI with new plugin configuration sections - Add plugin installation instructions in UI Plugin packages (from netify.ai repository): - netify-proc-flow-actions: Flow Actions processor - netify-sink-socket: Socket sink for local export Co-Authored-By: Claude Opus 4.5 --- .../secubox/luci-app-secubox-netifyd/Makefile | 30 ++- .../view/secubox-netifyd/settings.js | 160 +++++++++++- .../root/etc/config/secubox-netifyd | 52 +++- .../root/usr/bin/netifyd-plugin-setup | 231 ++++++++++++++++++ .../usr/libexec/rpcd/luci.secubox-netifyd | 109 ++++++++- 5 files changed, 566 insertions(+), 16 deletions(-) create mode 100644 package/secubox/luci-app-secubox-netifyd/root/usr/bin/netifyd-plugin-setup diff --git a/package/secubox/luci-app-secubox-netifyd/Makefile b/package/secubox/luci-app-secubox-netifyd/Makefile index ad534b04..e15ea41f 100644 --- a/package/secubox/luci-app-secubox-netifyd/Makefile +++ b/package/secubox/luci-app-secubox-netifyd/Makefile 
@@ -1,17 +1,21 @@ include $(TOPDIR)/rules.mk PKG_NAME:=luci-app-secubox-netifyd -PKG_VERSION:=1.0.3 +PKG_VERSION:=1.1.0 PKG_RELEASE:=1 PKG_LICENSE:=MIT PKG_MAINTAINER:=CyberMind PKG_ARCH:=all LUCI_TITLE:=SecuBox Netifyd Deep Packet Inspection Interface -LUCI_DEPENDS:=+luci-base +rpcd +netifyd +jq +secubox-core -LUCI_DESCRIPTION:=Complete LuCI interface for netifyd DPI engine with real-time flow monitoring, application detection, and network analytics +LUCI_DEPENDS:=+luci-base +rpcd +netifyd +jq +secubox-core +ipset +kmod-nft-compat +LUCI_DESCRIPTION:=Complete LuCI interface for netifyd DPI engine with real-time flow monitoring, application detection, network analytics, and flow action plugins LUCI_PKGARCH:=all +# Plugin packages from netify.ai repository (optional - require adding netify feed) +# netify-proc-flow-actions - Flow Actions processor plugin +# netify-sink-socket - Socket sink plugin for local export + # This is free software, licensed under the MIT License define Package/$(PKG_NAME)/install 
@@ -22,10 +26,30 @@ define Package/$(PKG_NAME)/install $(INSTALL_BIN) ./root/usr/sbin/secubox-netifyd-configure $(1)/usr/sbin/ $(INSTALL_DIR) $(1)/usr/bin $(INSTALL_BIN) ./root/usr/bin/netifyd-collector-setup $(1)/usr/bin/ + $(INSTALL_BIN) ./root/usr/bin/netifyd-plugin-setup $(1)/usr/bin/ $(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_BIN) ./root/etc/init.d/secubox-netifyd-collector $(1)/etc/init.d/ endef +define Package/$(PKG_NAME)/postinst +#!/bin/sh +[ -n "$${IPKG_INSTROOT}" ] || { + # Create plugin directories + mkdir -p /etc/netifyd/plugins.d + mkdir -p /etc/netify.d + + # Initialize ipsets for plugins if not exist + ipset list secubox-bittorrent >/dev/null 2>&1 || \ + ipset create secubox-bittorrent hash:ip timeout 900 2>/dev/null + ipset list secubox-banned >/dev/null 2>&1 || \ + ipset create secubox-banned hash:ip timeout 3600 2>/dev/null + + # Restart rpcd + /etc/init.d/rpcd restart 2>/dev/null +} +exit 0 +endef + include $(TOPDIR)/feeds/luci/luci.mk # call BuildPackage - OpenWrt buildroot diff --git a/package/secubox/luci-app-secubox-netifyd/htdocs/luci-static/resources/view/secubox-netifyd/settings.js b/package/secubox/luci-app-secubox-netifyd/htdocs/luci-static/resources/view/secubox-netifyd/settings.js index 84c2f648..587cfbf7 100644 --- a/package/secubox/luci-app-secubox-netifyd/htdocs/luci-static/resources/view/secubox-netifyd/settings.js +++ b/package/secubox/luci-app-secubox-netifyd/htdocs/luci-static/resources/view/secubox-netifyd/settings.js 
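Review bot: The postinst re-implements the ipset creation that this same commit also puts in `netifyd-plugin-setup create-ipsets` and in the RPCD `apply_plugin_config`, so the set names and timeouts (900, 3600) now live in three places and can drift apart. Since the script is installed to /usr/bin by this very package, the postinst could run `/usr/bin/netifyd-plugin-setup create-ipsets 2>/dev/null` instead of repeating the two `ipset create` lines. Note also that `ipset create ... 2>/dev/null` hides the case where the ipset tool or kernel support is unavailable, so a failed creation at install time is invisible. Ipsets are kernel state and do not survive a reboot, so the postinst only covers the current boot session; a comment such as `# ipsets are runtime-only; apply_plugin_config re-creates them on apply` would make that expectation explicit.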
@@ -317,22 +317,170 @@ return view.extend({ ); o.default = 'secubox-banned'; + // ========== Flow Actions Processor Plugin ========== + s = m.section(form.NamedSection, 'flow_actions', 'plugin', + E('span', [ + E('i', { 'class': 'fa fa-cogs', 'style': 'margin-right: 0.5rem' }), + _('Flow Actions Processor') + ]), + _('Enable the Flow Actions processor plugin for advanced flow handling.')); + s.addremove = false; + + o = s.option(form.Flag, 'enabled', + E('span', [ + E('i', { 'class': 'fa fa-toggle-on', 'style': 'margin-right: 0.5rem' }), + _('Enable Plugin') + ]), + _('Requires netify-proc-flow-actions package from Netify repository.') + ); + o.default = '0'; + o.rmempty = false; + + o = s.option(form.Value, 'config_file', + E('span', [ + E('i', { 'class': 'fa fa-file-code', 'style': 'margin-right: 0.5rem' }), + _('Configuration File') + ]), + _('Path to the flow actions JSON configuration file.') + ); + o.default = '/etc/netifyd/flow-actions.json'; + + // ========== Streaming Services IP Set ========== + s = m.section(form.NamedSection, 'streaming', 'plugin', + E('span', [ + E('i', { 'class': 'fa fa-play-circle', 'style': 'margin-right: 0.5rem' }), + _('Streaming Services IP Set') + ]), + _('Tag streaming service traffic (Netflix, YouTube, Spotify, etc.) 
with an ipset.')); + s.addremove = false; + + o = s.option(form.Flag, 'enabled', + E('span', [ + E('i', { 'class': 'fa fa-toggle-on', 'style': 'margin-right: 0.5rem' }), + _('Enable Plugin') + ]), + _('Add streaming service IPs to the configured ipset.') + ); + o.default = '0'; + o.rmempty = false; + + o = s.option(form.Value, 'ipset', + E('span', [ + E('i', { 'class': 'fa fa-database', 'style': 'margin-right: 0.5rem' }), + _('Target IP Set') + ]), + _('IP set name used to tag streaming traffic.') + ); + o.default = 'secubox-streaming'; + + o = s.option(form.ListValue, 'ipset_family', + E('span', [ + E('i', { 'class': 'fa fa-globe', 'style': 'margin-right: 0.5rem' }), + _('IP Family') + ]), + _('IP set family (inet or inet6).') + ); + o.value('inet', _('IPv4 (inet)')); + o.value('inet6', _('IPv6 (inet6)')); + o.default = 'inet'; + + o = s.option(form.Value, 'ipset_timeout', + E('span', [ + E('i', { 'class': 'fa fa-clock', 'style': 'margin-right: 0.5rem' }), + _('IP Set Timeout') + ]), + _('Timeout in seconds for ipset entries.') + ); + o.default = '1800'; + o.datatype = 'uinteger'; + + // ========== Category Blocking Plugin ========== + s = m.section(form.NamedSection, 'category_block', 'plugin', + E('span', [ + E('i', { 'class': 'fa fa-shield-alt', 'style': 'margin-right: 0.5rem' }), + _('Category Blocking') + ]), + _('Block traffic based on application categories (malware, ads, tracking).')); + s.addremove = false; + + o = s.option(form.Flag, 'enabled', + E('span', [ + E('i', { 'class': 'fa fa-toggle-on', 'style': 'margin-right: 0.5rem' }), + _('Enable Plugin') + ]), + _('Block flows matching specified categories.') + ); + o.default = '0'; + o.rmempty = false; + + o = s.option(form.Value, 'table', + E('span', [ + E('i', { 'class': 'fa fa-table', 'style': 'margin-right: 0.5rem' }), + _('nftables Table') + ]), + _('Table where the plugin will insert verdicts.') + ); + o.default = 'inet secubox'; + + o = s.option(form.Value, 'chain', + E('span', [ + E('i', { 
'class': 'fa fa-chain', 'style': 'margin-right: 0.5rem' }), + _('nftables Chain') + ]), + _('Chain used by the verdicts.') + ); + o.default = 'flow_actions'; + + o = s.option(form.ListValue, 'action', + E('span', [ + E('i', { 'class': 'fa fa-ban', 'style': 'margin-right: 0.5rem' }), + _('Action') + ]), + _('Action applied when the plugin matches a flow.') + ); + o.value('drop', _('Drop')); + o.value('reject', _('Reject')); + o.default = 'drop'; + + // ========== Apply Plugins Button ========== + s = m.section(form.NamedSection, 'nftables', 'plugin'); + s.addremove = false; + s.anonymous = true; + o = s.option(form.Button, 'apply_plugins', E('span', [ E('i', { 'class': 'fa fa-sync', 'style': 'margin-right: 0.5rem' }), - _('Apply Flow Plugins') + _('Apply All Flow Plugins') ]), - _('Regenerate plugin configs and restart Netifyd.') + _('Regenerate all plugin configs and restart Netifyd.') ); - o.inputstyle = 'action'; + o.inputstyle = 'action important'; o.write = function() { netifydAPI.applyPluginConfig().then(function(result) { - ui.addNotification({ type: 'success', description: result.message || _('Plugin configuration applied') }); - }, function(err) { - ui.addNotification({ type: 'error', description: (err && err.error && err.error.message) || _('Plugin configuration failed') }); + ui.addNotification(null, E('p', result.message || _('Plugin configuration applied')), 'success'); + }).catch(function(err) { + ui.addNotification(null, E('p', (err && err.message) || _('Plugin configuration failed')), 'error'); }); }; + // ========== Plugin Setup Instructions ========== + s = m.section(form.NamedSection, 'settings', 'settings', + E('span', [ + E('i', { 'class': 'fa fa-info-circle', 'style': 'margin-right: 0.5rem' }), + _('Plugin Installation') + ]), + E('div', { 'style': 'background: #f0f4f8; padding: 15px; border-radius: 8px; margin-top: 10px;' }, [ + E('p', { 'style': 'margin: 0 0 10px 0;' }, _('To use plugins, add the Netify repository and install required 
packages:')), + E('pre', { 'style': 'background: #1e293b; color: #e2e8f0; padding: 10px; border-radius: 4px; overflow-x: auto;' }, + 'netifyd-plugin-setup add-feed\n' + + 'netifyd-plugin-setup install netify-proc-flow-actions\n' + + 'netifyd-plugin-setup create-ipsets' + ), + E('p', { 'style': 'margin: 10px 0 0 0; font-size: 0.9em; color: #64748b;' }, + _('See /usr/bin/netifyd-plugin-setup for more options.')) + ])); + s.addremove = false; + // ========== Monitoring Settings Section ========== s = m.section(form.TypedSection, 'monitoring', E('span', [ diff --git a/package/secubox/luci-app-secubox-netifyd/root/etc/config/secubox-netifyd b/package/secubox/luci-app-secubox-netifyd/root/etc/config/secubox-netifyd index c90e1c46..78ef3a4d 100644 --- a/package/secubox/luci-app-secubox-netifyd/root/etc/config/secubox-netifyd +++ b/package/secubox/luci-app-secubox-netifyd/root/etc/config/secubox-netifyd 
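Review bot: The new `category_block` and `streaming` sections expose `table`/`chain`/`action` and the ipset fields but not the `block_category` and `match_application` lists that the shipped UCI defaults and the RPCD backend read, so the categories and applications being matched cannot be changed from this page; a `form.DynamicList` option for each (`o = s.option(form.DynamicList, 'block_category', ...)`) would close that gap. The free-text `table`, `chain` and `config_file` values are handed to the backend without a `datatype` or `validate` hook, and the backend splits `table` on whitespace into `nft` arguments, so a validate callback restricting them to a family plus identifier (`^(inet|ip|ip6) [A-Za-z0-9_]+$` for table, `^[A-Za-z0-9_]+$` for chain) would keep unexpected tokens out of the nft command line. The `err.message` fallback in the new `.catch` handler presumably matches what `netifydAPI.applyPluginConfig()` rejects with, but that API is outside this hunk. The enclosing method of the `view.extend({...})` object starts and ends outside the hunk.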
@@ -37,15 +37,63 @@ config sink 'sink' option tcp_port '9501' option collector_enabled '0' +# Flow Actions Processor Plugin +config plugin 'flow_actions' + option enabled '0' + option config_file '/etc/netifyd/flow-actions.json' + +# BitTorrent IP Set Plugin config plugin 'bittorrent' option enabled '0' option ipset 'secubox-bittorrent' option ipset_family 'inet' option match_application 'bittorrent' + option ipset_timeout '900' +# nftables Verdicts Plugin config plugin 'nftables' option enabled '0' - option table 'filter' - option chain 'SECUBOX' + option table 'inet secubox' + option chain 'flow_actions' option action 'drop' option target_ipset 'secubox-banned' + +# Streaming Services Detection Plugin +config plugin 'streaming' + option enabled '0' + option ipset 'secubox-streaming' + option ipset_family 'inet' + option ipset_timeout '1800' + list match_application 'netflix' + list match_application 'youtube' + list match_application 'spotify' + list match_application 'twitch' + list match_application 'disney' + list match_application 'amazon_video' + +# Application Category Blocking +config plugin 'category_block' + option enabled '0' + option table 'inet secubox' + option chain 'flow_actions' + option action 'drop' + list block_category 'malware' + list block_category 'ads' + list block_category 'tracking' + +# Custom Flow Rules +config flow_rule + option enabled '0' + option name 'block_social' + option match_type 'application' + option match_value 'facebook|instagram|tiktok' + option action 'drop' + option schedule '' + +config flow_rule + option enabled '0' + option name 'mark_gaming' + option match_type 'category' + option match_value 'game' + option action 'mark' + option mark_value '0x10' diff --git a/package/secubox/luci-app-secubox-netifyd/root/usr/bin/netifyd-plugin-setup b/package/secubox/luci-app-secubox-netifyd/root/usr/bin/netifyd-plugin-setup new file mode 100644 index 00000000..4d341ffc --- /dev/null 
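Review bot: The two `config flow_rule` sections (`block_social`, `mark_gaming`) have no consumer in this commit — neither the RPCD `apply_plugin_config` changes nor the settings view read a `flow_rule` section — so as far as this diff shows they are shipped defaults that nothing acts on. Either the backend should translate them into the flow-actions JSON (`/etc/netifyd/flow-actions.json`, which nothing in this diff generates either) or the sections should be held back until that code exists, to avoid an admin enabling `block_social` and expecting an effect. A comment above them such as `# Not yet processed by apply_plugin_config; reserved for flow-actions JSON generation` would make the status explicit in the meantime.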
+++ b/package/secubox/luci-app-secubox-netifyd/root/usr/bin/netifyd-plugin-setup 
@@ -0,0 +1,231 @@ +#!/bin/sh +# SecuBox Netifyd Plugin Setup +# Configures netify.ai repository and installs plugins +# Copyright (C) 2025 CyberMind.fr + +NETIFY_FEED_FILE="/etc/opkg/customfeeds.conf" +NETIFY_KEY_URL="https://download.netify.ai/openwrt/netify-repo.pub" +NETIFY_KEY_FILE="/etc/opkg/keys/netify-repo.pub" + +# Get OpenWrt version +get_openwrt_version() { + if [ -f /etc/os-release ]; then + . /etc/os-release + echo "${VERSION_ID:-23.05}" + else + echo "23.05" + fi +} + +# Get architecture +get_arch() { + local arch=$(uname -m) + case "$arch" in + x86_64) echo "x86_64" ;; + aarch64) echo "aarch64" ;; + armv7l) echo "arm_cortex-a7" ;; + mips*) echo "mips_24kc" ;; + *) echo "$arch" ;; + esac +} + +# Add netify repository +add_netify_feed() { + local version=$(get_openwrt_version) + local arch=$(get_arch) + local feed_url="https://download.netify.ai/5/openwrt/${version}/${arch}" + + echo "Adding Netify repository..." + echo " Version: $version" + echo " Architecture: $arch" + echo " Feed URL: $feed_url" + + # Check if feed already exists + if grep -q "download.netify.ai" "$NETIFY_FEED_FILE" 2>/dev/null; then + echo "Netify feed already configured" + else + echo "src/gz netify $feed_url" >> "$NETIFY_FEED_FILE" + echo "Feed added to $NETIFY_FEED_FILE" + fi + + # Download signing key + mkdir -p "$(dirname "$NETIFY_KEY_FILE")" + if [ ! -f "$NETIFY_KEY_FILE" ]; then + echo "Downloading Netify signing key..." + wget -q -O "$NETIFY_KEY_FILE" "$NETIFY_KEY_URL" 2>/dev/null || \ + curl -s -o "$NETIFY_KEY_FILE" "$NETIFY_KEY_URL" 2>/dev/null + if [ -f "$NETIFY_KEY_FILE" ]; then + echo "Signing key installed" + else + echo "Warning: Could not download signing key" + fi + fi + + # Update package lists + echo "Updating package lists..." 
+ opkg update +} + +# List available plugins +list_plugins() { + echo "Available Netifyd Plugins:" + echo "" + echo " Processor Plugins:" + echo " netify-proc-core - Core processor (required for plugins)" + echo " netify-proc-flow-actions - Flow action rules (block, mark, ipset)" + echo " netify-proc-device-discovery - Device identification" + echo "" + echo " Sink Plugins:" + echo " netify-sink-socket - Export to Unix/TCP socket" + echo " netify-sink-http - Export to HTTP endpoint" + echo " netify-sink-mqtt - Export to MQTT broker" + echo " netify-sink-log - Export to log files" + echo "" + echo " Use: $0 install " +} + +# Install plugin +install_plugin() { + local plugin="$1" + if [ -z "$plugin" ]; then + echo "Error: Plugin name required" + list_plugins + return 1 + fi + + echo "Installing $plugin..." + opkg install "$plugin" + local rc=$? + + if [ $rc -eq 0 ]; then + echo "Plugin $plugin installed successfully" + echo "Restarting netifyd..." + /etc/init.d/netifyd restart + else + echo "Failed to install $plugin" + echo "Make sure the Netify feed is configured: $0 add-feed" + fi + + return $rc +} + +# Check installed plugins +check_plugins() { + echo "Checking installed Netifyd plugins..." + echo "" + + local plugin_dir="/usr/lib/netifyd" + if [ -d "$plugin_dir" ]; then + echo "Plugin libraries in $plugin_dir:" + ls -la "$plugin_dir"/*.so 2>/dev/null || echo " (none found)" + else + echo "Plugin directory not found: $plugin_dir" + fi + + echo "" + echo "Installed netify packages:" + opkg list-installed | grep -i netif +} + +# Create ipsets for plugins +create_ipsets() { + echo "Creating ipsets for plugins..." + + # BitTorrent ipset + if ! ipset list secubox-bittorrent >/dev/null 2>&1; then + ipset create secubox-bittorrent hash:ip timeout 900 + echo "Created ipset: secubox-bittorrent" + else + echo "Ipset secubox-bittorrent already exists" + fi + + # Banned IPs ipset + if ! 
ipset list secubox-banned >/dev/null 2>&1; then + ipset create secubox-banned hash:ip timeout 3600 + echo "Created ipset: secubox-banned" + else + echo "Ipset secubox-banned already exists" + fi + + # Streaming services ipset + if ! ipset list secubox-streaming >/dev/null 2>&1; then + ipset create secubox-streaming hash:ip timeout 1800 + echo "Created ipset: secubox-streaming" + else + echo "Ipset secubox-streaming already exists" + fi + + echo "Ipsets ready" +} + +# Setup nftables chain for plugins +setup_nftables() { + echo "Setting up nftables chain for plugins..." + + # Create secubox table and chain if not exists + nft list table inet secubox >/dev/null 2>&1 || { + nft add table inet secubox + echo "Created table: inet secubox" + } + + nft list chain inet secubox flow_actions >/dev/null 2>&1 || { + nft add chain inet secubox flow_actions + echo "Created chain: inet secubox flow_actions" + } + + echo "nftables setup complete" +} + +# Show usage +usage() { + echo "SecuBox Netifyd Plugin Setup" + echo "" + echo "Usage: $0 [options]" + echo "" + echo "Commands:" + echo " add-feed Add Netify.ai package repository" + echo " list List available plugins" + echo " install Install a plugin package" + echo " check Check installed plugins" + echo " create-ipsets Create ipsets for flow plugins" + echo " setup-nftables Setup nftables chain for plugins" + echo " init Full initialization (feed + ipsets + nftables)" + echo "" + echo "Examples:" + echo " $0 add-feed" + echo " $0 install netify-proc-flow-actions" + echo " $0 init" +} + +# Main +case "$1" in + add-feed) + add_netify_feed + ;; + list) + list_plugins + ;; + install) + install_plugin "$2" + ;; + check) + check_plugins + ;; + create-ipsets) + create_ipsets + ;; + setup-nftables) + setup_nftables + ;; + init) + add_netify_feed + create_ipsets + setup_nftables + echo "" + echo "Initialization complete. Install plugins with:" + echo " $0 install netify-proc-flow-actions" + ;; + *) + usage + ;; +esac 
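Review bot: `get_arch` derives the opkg feed path from `uname -m`, but OpenWrt package architectures are finer-grained than the machine string (`armv7l` maps to several `arm_cortex-a*` variants and `mips*` also covers little-endian `mipsel_*` targets), so the hard-coded table can point `add-feed` at a feed whose packages will not install; the target's own `DISTRIB_ARCH` from `/etc/openwrt_release` is the authoritative value and should be tried first. A second point in `add_netify_feed`: when the signing key download fails the function prints a warning but still runs `opkg update`, and `install_plugin` will later blame the feed; returning non-zero when `$NETIFY_KEY_FILE` is still missing (`[ -f "$NETIFY_KEY_FILE" ] || return 1`) makes the outcome unambiguous. The key is also trusted solely because it arrived over HTTPS; comparing its fingerprint against an expected value (`<EXPECTED_KEY_FINGERPRINT>` placeholder) before installing it would limit the damage if the download host were ever compromised.
```shell
get_arch() {
    local arch
    # Prefer the package architecture recorded by OpenWrt itself; the
    # uname -m table below is only a fallback for non-OpenWrt layouts.
    arch=$( [ -f /etc/openwrt_release ] && . /etc/openwrt_release && echo "$DISTRIB_ARCH" )
    if [ -n "$arch" ]; then
        echo "$arch"
        return 0
    fi
    arch=$(uname -m)
    # … unchanged: uname -m case table …
}
```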
diff --git a/package/secubox/luci-app-secubox-netifyd/root/usr/libexec/rpcd/luci.secubox-netifyd b/package/secubox/luci-app-secubox-netifyd/root/usr/libexec/rpcd/luci.secubox-netifyd index 3a0548e3..c464850b 100755 --- a/package/secubox/luci-app-secubox-netifyd/root/usr/libexec/rpcd/luci.secubox-netifyd +++ b/package/secubox/luci-app-secubox-netifyd/root/usr/libexec/rpcd/luci.secubox-netifyd 
@@ -74,27 +74,57 @@ EOF apply_plugin_config() { local plugin_dir="$NETIFYD_PLUGIN_CONF_DIR" + local flow_actions_conf="$plugin_dir/secubox-flow-actions.conf" local bittorrent_conf="$plugin_dir/secubox-bittorrent-ipset.conf" local nft_conf="$plugin_dir/secubox-nftables-block.conf" + local streaming_conf="$plugin_dir/secubox-streaming-ipset.conf" + local category_conf="$plugin_dir/secubox-category-block.conf" mkdir -p "$plugin_dir" mkdir -p "$NETIFYD_STATE_DIR" + # Ensure ipsets exist + ipset list secubox-bittorrent >/dev/null 2>&1 || \ + ipset create secubox-bittorrent hash:ip timeout 900 2>/dev/null + ipset list secubox-banned >/dev/null 2>&1 || \ + ipset create secubox-banned hash:ip timeout 3600 2>/dev/null + ipset list secubox-streaming >/dev/null 2>&1 || \ + ipset create secubox-streaming hash:ip timeout 1800 2>/dev/null + + # Flow Actions Processor Plugin + local flow_actions_enabled=$(uci -q get secubox-netifyd.flow_actions.enabled || echo 0) + local flow_actions_config=$(uci -q get secubox-netifyd.flow_actions.config_file || echo '/etc/netifyd/flow-actions.json') + + if [ "$flow_actions_enabled" -eq 1 ]; then + cat < "$flow_actions_conf" +[secubox-flow-actions] +enable = yes +plugin_library = ${NETIFYD_PLUGIN_LIBDIR}/libnetify-proc-flow-actions.so +conf_filename = $flow_actions_config +EOF + log_msg "INFO" "Flow Actions processor plugin enabled" + else + rm -f "$flow_actions_conf" + log_msg "INFO" "Flow Actions processor plugin disabled" + fi + + # BitTorrent IP Set Plugin local bittorrent_enabled=$(uci -q get secubox-netifyd.bittorrent.enabled || echo 0) local ipset_name=$(uci -q get secubox-netifyd.bittorrent.ipset || echo 'secubox-bittorrent') local ipset_family=$(uci -q get secubox-netifyd.bittorrent.ipset_family || echo 'inet') local match_app=$(uci -q get secubox-netifyd.bittorrent.match_application || echo 'bittorrent') + local ipset_timeout=$(uci -q get secubox-netifyd.bittorrent.ipset_timeout || echo '900') if [ "$bittorrent_enabled" -eq 1 ]; then 
cat < "$bittorrent_conf" [secubox-bittorrent-ipset] enable = yes -plugin_library = ${NETIFYD_PLUGIN_LIBDIR}/libnetify-plugin-bittorrent-ipset.so +plugin_library = ${NETIFYD_PLUGIN_LIBDIR}/libnetify-plugin-ipset.so conf_filename = ${NETIFYD_STATE_DIR}/secubox-bittorrent-ipset.json ipset-name = $ipset_name ipset-family = $ipset_family match-applications = $match_app -ipset-timeout = 900 +ipset-timeout = $ipset_timeout EOF log_msg "INFO" "BitTorrent ipset plugin enabled ($ipset_name)" else @@ -102,17 +132,22 @@ EOF log_msg "INFO" "BitTorrent ipset plugin disabled" fi + # nftables Verdicts Plugin local nft_enabled=$(uci -q get secubox-netifyd.nftables.enabled || echo 0) - local nft_table=$(uci -q get secubox-netifyd.nftables.table || echo 'filter') - local nft_chain=$(uci -q get secubox-netifyd.nftables.chain || echo 'SECUBOX') + local nft_table=$(uci -q get secubox-netifyd.nftables.table || echo 'inet secubox') + local nft_chain=$(uci -q get secubox-netifyd.nftables.chain || echo 'flow_actions') local nft_action=$(uci -q get secubox-netifyd.nftables.action || echo 'drop') local nft_ipset=$(uci -q get secubox-netifyd.nftables.target_ipset || echo 'secubox-banned') if [ "$nft_enabled" -eq 1 ]; then + # Create nftables table and chain if needed + nft list table $nft_table >/dev/null 2>&1 || nft add table $nft_table 2>/dev/null + nft list chain $nft_table $nft_chain >/dev/null 2>&1 || nft add chain $nft_table $nft_chain 2>/dev/null + cat < "$nft_conf" [secubox-nftables-block] enable = yes -plugin_library = ${NETIFYD_PLUGIN_LIBDIR}/libnetify-plugin-nftables-block.so +plugin_library = ${NETIFYD_PLUGIN_LIBDIR}/libnetify-plugin-nftables.so conf_filename = ${NETIFYD_STATE_DIR}/secubox-nftables-block.json table = $nft_table chain = $nft_chain 
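Review bot: The "Ensure ipsets exist" block creates `secubox-bittorrent`, `secubox-banned` and `secubox-streaming` with hard-coded names, the default `hash:ip` (IPv4) family and fixed timeouts, while the plugin configs written further down take `ipset`, `ipset_family` and `ipset_timeout` from UCI; if an admin renames the set or selects `inet6` in the UI (the settings view offers it), the plugin will reference a set that was never created or has the wrong family. Creating each set from the resolved values, after the corresponding `uci get` lines, fixes this: `ipset list "$ipset_name" >/dev/null 2>&1 || ipset create "$ipset_name" hash:ip family "$ipset_family" timeout "$ipset_timeout"`. The same applies to the streaming set in the `@@ -124,6 +159,70 @@` hunk. Separately, the enabled branch points `conf_filename` at `$flow_actions_config` (default `/etc/netifyd/flow-actions.json`) but nothing in this commit creates that file, so enabling the plugin with a missing rules file is a likely first-run failure; a check such as `[ -f "$flow_actions_config" ] || log_msg "INFO" "flow-actions config $flow_actions_config not found"` would at least surface it in the log.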
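Review bot: `nft add chain $nft_table $nft_chain` creates a regular chain with no hook, so verdicts the plugin inserts there only take effect if some base chain jumps to `flow_actions`, and nothing in this diff creates that jump; if the plugin expects a base chain the creation needs a hook spec (`nft add chain inet secubox flow_actions '{ type filter hook forward priority 0; policy accept; }'`), and either way a comment stating which it is would help the next reader. The unquoted `$nft_table`/`$nft_chain` expansion is deliberate (the default `inet secubox` must split into two arguments) but the values come straight from UCI and a free-text UI field, so a format check before the nft calls — `case "$nft_table" in inet\ *|ip\ *|ip6\ *) ;; *) log_msg "INFO" "invalid nftables table: $nft_table"; return 1 ;; esac` — would keep arbitrary extra tokens off the nft command line. Both `2>/dev/null` redirections hide why a table or chain could not be created, and the conf file is still written afterwards, so a failed creation is only discovered when netifyd loads the plugin.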
@@ -124,6 +159,70 @@ EOF rm -f "$nft_conf" log_msg "INFO" "nftables plugin disabled" fi + + # Streaming Services IP Set Plugin + local streaming_enabled=$(uci -q get secubox-netifyd.streaming.enabled || echo 0) + local streaming_ipset=$(uci -q get secubox-netifyd.streaming.ipset || echo 'secubox-streaming') + local streaming_family=$(uci -q get secubox-netifyd.streaming.ipset_family || echo 'inet') + local streaming_timeout=$(uci -q get secubox-netifyd.streaming.ipset_timeout || echo '1800') + + if [ "$streaming_enabled" -eq 1 ]; then + # Get list of streaming applications + local streaming_apps="" + local apps=$(uci -q get secubox-netifyd.streaming.match_application) + if [ -n "$apps" ]; then + streaming_apps=$(echo "$apps" | tr ' ' '|') + else + streaming_apps="netflix|youtube|spotify|twitch|disney|amazon_video" + fi + + cat < "$streaming_conf" +[secubox-streaming-ipset] +enable = yes +plugin_library = ${NETIFYD_PLUGIN_LIBDIR}/libnetify-plugin-ipset.so +conf_filename = ${NETIFYD_STATE_DIR}/secubox-streaming-ipset.json +ipset-name = $streaming_ipset +ipset-family = $streaming_family +match-applications = $streaming_apps +ipset-timeout = $streaming_timeout +EOF + log_msg "INFO" "Streaming services ipset plugin enabled ($streaming_ipset)" + else + rm -f "$streaming_conf" + log_msg "INFO" "Streaming services ipset plugin disabled" + fi + + # Category Blocking Plugin + local category_enabled=$(uci -q get secubox-netifyd.category_block.enabled || echo 0) + local category_table=$(uci -q get secubox-netifyd.category_block.table || echo 'inet secubox') + local category_chain=$(uci -q get secubox-netifyd.category_block.chain || echo 'flow_actions') + local category_action=$(uci -q get secubox-netifyd.category_block.action || echo 'drop') + + if [ "$category_enabled" -eq 1 ]; then + # Get list of blocked categories + local categories="" + local cats=$(uci -q get secubox-netifyd.category_block.block_category) + if [ -n "$cats" ]; then + categories=$(echo "$cats" | tr ' ' 
'|') + else + categories="malware|ads|tracking" + fi + + cat < "$category_conf" +[secubox-category-block] +enable = yes +plugin_library = ${NETIFYD_PLUGIN_LIBDIR}/libnetify-plugin-nftables.so +conf_filename = ${NETIFYD_STATE_DIR}/secubox-category-block.json +table = $category_table +chain = $category_chain +action = $category_action +match-categories = $categories +EOF + log_msg "INFO" "Category blocking plugin enabled ($categories)" + else + rm -f "$category_conf" + log_msg "INFO" "Category blocking plugin disabled" + fi } # Get netifyd service status
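Review bot: The table/chain creation added for the nftables plugin lives inside the `nft_enabled` branch of the previous hunk, but `category_block` defaults to the same `inet secubox` / `flow_actions` and is enabled independently, so enabling category blocking while the nftables plugin stays disabled writes a conf that references a table and chain `apply_plugin_config` never created. The `nft list table ... || nft add table ...` and `nft list chain ... || nft add chain ...` pair should be repeated with `$category_table`/`$category_chain` inside the `category_enabled` branch, or factored into an `ensure_nft_chain "$table" "$chain"` helper called from both places. Minor: `$cats` and `$apps` come from `uci -q get` on a `list` option, which returns the entries space-separated — exactly what the `tr ' ' '|'` relies on — and a one-line comment saying so would save the next reader from wondering whether a single-entry list is handled.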