Merge pull request #946 from NethServer/sdl-929

Enhance interface filtering and ensure uniqueness in netifyd configuration #929
NethServer · Dec 3, 2024 · f212ba9 · f212ba9
2 parents e1f6075 + 2993f7f
commit f212ba9
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 3 deletions.
diff --git a/packages/ns-api/files/post-commit/configure-netifyd.py b/packages/ns-api/files/post-commit/configure-netifyd.py
@@ -23,16 +23,30 @@
     if config[cname].get('autoconfig', '1') == "1":
         uci.set("netifyd", cname, "autoconfig", "0")
         commit = True
-
+
+    # Fetch excluded interfaces (one-liner)
+    excluded_interfaces = set(uci.get_all("netifyd").get(cname, {}).get("exclude", []))
+
+    # Collect interfaces
     internal_if = set()
     external_if = set()
     zones = firewall.list_zones(uci)
     for z in zones:
         zone = zones[z]
+        devices = utils.get_all_devices_by_zone(uci, zone['name'], exclude_aliases=True)
+        # Filter interfaces based on exclusion patterns
+        filtered_devices = set()
+        for iface in devices:
+            if any(iface.startswith(pattern) for pattern in excluded_interfaces):
+                continue
+            filtered_devices.add(iface.split('.')[0])  # Strip VLAN part for base interface
+        filtered_devices = sorted(filtered_devices)  # Return sorted list
+
+        # Assign devices to internal or external interfaces
         if zone['name'] == "wan":
-            external_if.update(utils.get_all_devices_by_zone(uci, zone['name'], exclude_aliases=True))
+            external_if.update(filtered_devices)
         else:
-            internal_if.update(utils.get_all_devices_by_zone(uci, zone['name'], exclude_aliases=True))
+            internal_if.update(filtered_devices)
 
     if tuple(internal_if) != uci.get("netifyd", cname, "internal_if", default=()):
         uci.set("netifyd", cname, "internal_if", list(internal_if))

diff --git a/packages/ns-dpi/README.md b/packages/ns-dpi/README.md
@@ -23,6 +23,7 @@ Global options:
 - `firewall_exemption`: can be `0` or `1`, if set to `1` all firewall IP addresses will be
   added to global exemption list and will not match DPI rules
 - `popular_filters`: list of filters that will be returned to from `api-cli ns.dpi list-popular` call.
+- `exclude`: list of network interface exclusions in Netifyd that will be returned by `uci show netifyd.@netifyd[0].exclude`
 
 Rule options:
 
@@ -145,3 +146,33 @@ Example:
 ```
 HOST=http://__USER__:[email protected] dpi-update
 ```
+
+## Managing Interface Exclusions in Netifyd
+
+By default, Netifyd monitors all interfaces. To exclude specific interfaces, you can define an exclusion list. Below are commands to add, modify, or remove excluded interfaces.
+
+- Add interfaces to exclusion list
+```
+uci add_list netifyd.@netifyd[0].exclude='eth1'
+uci add_list netifyd.@netifyd[0].exclude='tun'
+uci add_list netifyd.@netifyd[0].exclude='wg'
+uci commit netifyd
+```
+
+- Modify exclusion list
+```
+uci delete netifyd.@netifyd[0].exclude='eth1'
+uci add_list netifyd.@netifyd[0].exclude='eth2'
+uci commit netifyd
+```
+
+- Clear exclusion list
+```
+uci delete netifyd.@netifyd[0].exclude
+uci commit netifyd
+```
+
+- Return the exclusion list
+```
+uci show netifyd.@netifyd[0].exclude
+```