Add nftables WAN open ports as sub-services

Display open external ports from nftables firewall rules as sub-services
grouped by protocol. Only shows WAN incoming ports by filtering input chain
rules and excluding private network sources.

- Parse nftables ruleset for accept rules with dport in input chain
- Filter out internal network traffic (192.168.x, 10.x, 172.16.x, loopback)
- Extract single ports and port sets from rules
- Group and display as "TCP: 22, 80, 443" and "UDP: 53, 123"
- Update version to v0.1.247

Cargo.lock

@@ -279,7 +279,7 @@ checksum = "a1d728cc89cf3aee9ff92b05e62b19ee65a02b5702cff7d5a377e32c6ae29d8d"
 
 [[package]]
 name = "cm-dashboard"
-version = "0.1.245"
+version = "0.1.247"
 dependencies = [
  "anyhow",
  "chrono",
@@ -301,7 +301,7 @@ dependencies = [
 
 [[package]]
 name = "cm-dashboard-agent"
-version = "0.1.245"
+version = "0.1.247"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -325,7 +325,7 @@ dependencies = [
 
 [[package]]
 name = "cm-dashboard-shared"
-version = "0.1.245"
+version = "0.1.247"
 dependencies = [
  "chrono",
  "serde",

agent/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "cm-dashboard-agent"
-version = "0.1.246"
+version = "0.1.247"
 edition = "2021"
 
 [dependencies]

agent/src/collectors/systemd.rs

@@ -180,6 +180,30 @@ impl SystemdCollector {
                         }
                     }
 
+                    if service_name == "nftables" && status_info.active_state == "active" {
+                        let (tcp_ports, udp_ports) = self.get_nftables_open_ports();
+
+                        if !tcp_ports.is_empty() {
+                            let metrics = Vec::new();
+                            sub_services.push(SubServiceData {
+                                name: format!("TCP: {}", tcp_ports),
+                                service_status: Status::Info,
+                                metrics,
+                                service_type: "firewall_port".to_string(),
+                            });
+                        }
+
+                        if !udp_ports.is_empty() {
+                            let metrics = Vec::new();
+                            sub_services.push(SubServiceData {
+                                name: format!("UDP: {}", udp_ports),
+                                service_status: Status::Info,
+                                metrics,
+                                service_type: "firewall_port".to_string(),
+                            });
+                        }
+                    }
+
                     // Create complete service data
                     let service_data = ServiceData {
                         name: service_name.clone(),
@@ -887,6 +911,124 @@ impl SystemdCollector {
         None
     }
 
+    /// Get nftables open ports grouped by protocol
+    /// Returns: (tcp_ports_string, udp_ports_string)
+    fn get_nftables_open_ports(&self) -> (String, String) {
+        let output = Command::new("timeout")
+            .args(&["3", "nft", "list", "ruleset"])
+            .output();
+
+        let output = match output {
+            Ok(out) if out.status.success() => out,
+            _ => return (String::new(), String::new()),
+        };
+
+        let output_str = match String::from_utf8(output.stdout) {
+            Ok(s) => s,
+            Err(_) => return (String::new(), String::new()),
+        };
+
+        let mut tcp_ports = std::collections::HashSet::new();
+        let mut udp_ports = std::collections::HashSet::new();
+
+        // Parse nftables output for WAN incoming accept rules with dport
+        // Looking for patterns like: tcp dport 22 accept or tcp dport { 22, 80, 443 } accept
+        // Only include rules in input chain without private network source restrictions
+        let mut in_input_chain = false;
+
+        for line in output_str.lines() {
+            let line = line.trim();
+
+            // Track if we're in the input chain
+            if line.contains("chain input") || line.contains("chain INPUT") {
+                in_input_chain = true;
+                continue;
+            }
+
+            // Reset when entering other chains
+            if line.starts_with("chain ") && !line.contains("input") && !line.contains("INPUT") {
+                in_input_chain = false;
+                continue;
+            }
+
+            // Only process rules in input chain
+            if !in_input_chain {
+                continue;
+            }
+
+            // Skip if not an accept rule
+            if !line.contains("accept") {
+                continue;
+            }
+
+            // Skip internal network traffic (LAN/private networks)
+            if line.contains("ip saddr 192.168.") ||
+               line.contains("ip saddr 10.") ||
+               line.contains("ip saddr 172.16.") ||
+               line.contains("iifname \"lo\"") {
+                continue;
+            }
+
+            // Parse TCP ports
+            if line.contains("tcp dport") {
+                for port in self.extract_ports_from_nft_rule(line) {
+                    tcp_ports.insert(port);
+                }
+            }
+
+            // Parse UDP ports
+            if line.contains("udp dport") {
+                for port in self.extract_ports_from_nft_rule(line) {
+                    udp_ports.insert(port);
+                }
+            }
+        }
+
+        // Sort and format
+        let mut tcp_vec: Vec<u16> = tcp_ports.into_iter().collect();
+        let mut udp_vec: Vec<u16> = udp_ports.into_iter().collect();
+        tcp_vec.sort();
+        udp_vec.sort();
+
+        let tcp_str = tcp_vec.iter().map(|p| p.to_string()).collect::<Vec<_>>().join(", ");
+        let udp_str = udp_vec.iter().map(|p| p.to_string()).collect::<Vec<_>>().join(", ");
+
+        (tcp_str, udp_str)
+    }
+
+    /// Extract port numbers from nftables rule line
+    /// Returns vector of ports (handles both single ports and sets)
+    fn extract_ports_from_nft_rule(&self, line: &str) -> Vec<u16> {
+        let mut ports = Vec::new();
+
+        // Pattern: "tcp dport 22 accept" or "tcp dport { 22, 80, 443 } accept"
+        if let Some(dport_pos) = line.find("dport") {
+            let after_dport = &line[dport_pos + 5..].trim();
+
+            // Handle port sets like { 22, 80, 443 }
+            if after_dport.starts_with('{') {
+                if let Some(end_brace) = after_dport.find('}') {
+                    let ports_str = &after_dport[1..end_brace];
+                    // Parse each port in the set
+                    for port_str in ports_str.split(',') {
+                        if let Ok(port) = port_str.trim().parse::<u16>() {
+                            ports.push(port);
+                        }
+                    }
+                }
+            } else {
+                // Single port
+                if let Some(port_str) = after_dport.split_whitespace().next() {
+                    if let Ok(port) = port_str.parse::<u16>() {
+                        ports.push(port);
+                    }
+                }
+            }
+        }
+
+        ports
+    }
+
     /// Get aggregate qBittorrent torrent statistics
     /// Returns: (active_count, download_mbps, upload_mbps)
     fn get_qbittorrent_stats(&self) -> Option<(u32, f32, f32)> {

dashboard/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "cm-dashboard"
-version = "0.1.246"
+version = "0.1.247"
 edition = "2021"
 
 [dependencies]

shared/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "cm-dashboard-shared"
-version = "0.1.246"
+version = "0.1.247"
 edition = "2021"
 
 [dependencies]