fix(ns-api): fix netifyd exclusion (#954)

Update exclusion logic and documentation for Netifyd #929
NethServer · Dec 5, 2024 · 7ef1d29 · 7ef1d29
2 parents 31e296d + 2e3e496
commit 7ef1d29
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 11 deletions.
diff --git a/packages/ns-api/files/post-commit/configure-netifyd.py b/packages/ns-api/files/post-commit/configure-netifyd.py
@@ -11,6 +11,7 @@
 # - reload netifyd service
 
 import subprocess
+from fnmatch import fnmatch
 from euci import EUci
 from nethsec import utils, firewall
 
@@ -25,7 +26,7 @@
         commit = True
 
     # Fetch excluded interfaces (one-liner)
-    excluded_interfaces = set(uci.get_all("netifyd").get(cname, {}).get("exclude", []))
+    excluded_interfaces = set(uci.get_all("netifyd").get(cname, {}).get("ns_exclude", []))
 
     # Collect interfaces
     internal_if = set()
@@ -36,8 +37,15 @@
         devices = utils.get_all_devices_by_zone(uci, zone['name'], exclude_aliases=True)
         # Filter interfaces based on exclusion patterns
         filtered_devices = set()
+        if not devices:
+            continue
         for iface in devices:
-            if any(iface.startswith(pattern) for pattern in excluded_interfaces):
+            skip = False
+            for pattern in excluded_interfaces:
+                if fnmatch(iface, pattern):  # Use fnmatch here
+                    skip = True
+                    break
+            if skip:
                 continue
             filtered_devices.add(iface.split('.')[0])  # Strip VLAN part for base interface
         filtered_devices = sorted(filtered_devices)  # Return sorted list
@@ -62,7 +70,6 @@
         if rule['device'] not in internal_if and rule['device'] not in external_if:
             uci.delete("dpi", r)
             commit = True
-
 if commit:
     uci.commit("netifyd")
     uci.commit("dpi")

diff --git a/packages/ns-dpi/README.md b/packages/ns-dpi/README.md
@@ -23,7 +23,7 @@ Global options:
 - `firewall_exemption`: can be `0` or `1`, if set to `1` all firewall IP addresses will be
   added to global exemption list and will not match DPI rules
 - `popular_filters`: list of filters that will be returned to from `api-cli ns.dpi list-popular` call.
-- `exclude`: list of network interface exclusions in Netifyd that will be returned by `uci show netifyd.@netifyd[0].exclude`
+- `ns_exclude`: list of network interface exclusions in Netifyd that will be returned by `uci show netifyd.@netifyd[0].ns_exclude`
 
 Rule options:
 
@@ -153,26 +153,29 @@ By default, Netifyd monitors all interfaces. To exclude specific interfaces, you
 
 - Add interfaces to exclusion list
 ```
-uci add_list netifyd.@netifyd[0].exclude='eth1'
-uci add_list netifyd.@netifyd[0].exclude='tun'
-uci add_list netifyd.@netifyd[0].exclude='wg'
+uci add_list netifyd.@netifyd[0].ns_exclude='eth1'
+uci add_list netifyd.@netifyd[0].ns_exclude='tun*'
+uci add_list netifyd.@netifyd[0].ns_exclude='wg*'
 uci commit netifyd
+echo '{"changes": {"network": {}}}' | /usr/libexec/rpcd/ns.commit call commit
 ```
 
 - Modify exclusion list
 ```
-uci delete netifyd.@netifyd[0].exclude='eth1'
-uci add_list netifyd.@netifyd[0].exclude='eth2'
+uci delete netifyd.@netifyd[0].ns_exclude='eth1'
+uci add_list netifyd.@netifyd[0].ns_exclude='eth2'
 uci commit netifyd
+echo '{"changes": {"network": {}}}' | /usr/libexec/rpcd/ns.commit call commit
 ```
 
 - Clear exclusion list
 ```
-uci delete netifyd.@netifyd[0].exclude
+uci delete netifyd.@netifyd[0].ns_exclude
 uci commit netifyd
+echo '{"changes": {"network": {}}}' | /usr/libexec/rpcd/ns.commit call commit
 ```
 
 - Return the exclusion list
 ```
-uci show netifyd.@netifyd[0].exclude
+uci show netifyd.@netifyd[0].ns_exclude
 ```