feat(traffic): add per-node traffic collection via nftables counters

Implement network node traffic monitoring using nftables inline counters
in a separate table (system_control_stats) to avoid interference with
NAT rules. Fix 30m+ interval queries that returned empty data because
aggregated buckets didn't exist for recent time windows.

- Add SetupNodeCounters/CollectNodeCounters/CleanupNodeCounters to traffic engine
- Collect per-node traffic deltas in collector alongside interface stats
- Auto-refresh nftables counters when nodes are created/updated/deleted
- Combine raw + aggregated data in service queries to eliminate gaps
- Move interval selector below header, make sidebar sticky

Author: Fokir

cmd/server/main.go

@@ -147,6 +147,9 @@ func main() {
 	// Serve frontend SPA
 	r.Handle("/*", spaHandler())
 
+	// Wire traffic collector as node change listener
+	nodesSvc.SetNodeChangeListener(trafficCollector)
+
 	// Start node monitoring
 	nodesMonitor.Start()
 

internal/network_nodes/service.go

@@ -6,15 +6,32 @@ import (
 	"github.com/sokol/system-control/internal/pkg/validate"
 )
 
+// NodeChangeListener is notified when nodes are created, updated, or deleted.
+type NodeChangeListener interface {
+	RefreshNodes()
+}
+
 type Service struct {
-	repo    *Repository
-	monitor *Monitor
+	repo     *Repository
+	monitor  *Monitor
+	listener NodeChangeListener
 }
 
 func NewService(repo *Repository, monitor *Monitor) *Service {
 	return &Service{repo: repo, monitor: monitor}
 }
 
+// SetNodeChangeListener registers a listener for node changes.
+func (s *Service) SetNodeChangeListener(l NodeChangeListener) {
+	s.listener = l
+}
+
+func (s *Service) notifyChange() {
+	if s.listener != nil {
+		go s.listener.RefreshNodes()
+	}
+}
+
 func (s *Service) GetStatuses() []NodeStatus {
 	return s.monitor.GetStatuses()
 }
@@ -35,6 +52,7 @@ func (s *Service) Create(req CreateNodeRequest) (*NetworkNode, error) {
 	if err := s.repo.Create(node); err != nil {
 		return nil, fmt.Errorf("create node: %w", err)
 	}
+	s.notifyChange()
 	return node, nil
 }
 
@@ -50,9 +68,14 @@ func (s *Service) Update(id int64, req UpdateNodeRequest) (*NetworkNode, error)
 	if err := s.repo.Update(node); err != nil {
 		return nil, fmt.Errorf("update node: %w", err)
 	}
+	s.notifyChange()
 	return node, nil
 }
 
 func (s *Service) Delete(id int64) error {
-	return s.repo.Delete(id)
+	if err := s.repo.Delete(id); err != nil {
+		return err
+	}
+	s.notifyChange()
+	return nil
 }

internal/traffic/collector.go

@@ -19,6 +19,8 @@ type Collector struct {
 
 	// Previous counter values for computing deltas
 	prevIface map[string]InterfaceSnapshot
+	prevNode  map[int64]NodeTrafficSnapshot
+	nodesReady bool
 }
 
 func NewCollector(repo *Repository, engine *Engine, nodesRepo *network_nodes.Repository, interfaces []string, interval time.Duration) *Collector {
@@ -30,6 +32,7 @@ func NewCollector(repo *Repository, engine *Engine, nodesRepo *network_nodes.Rep
 		collectInterval: interval,
 		stop:            make(chan struct{}),
 		prevIface:       make(map[string]InterfaceSnapshot),
+		prevNode:        make(map[int64]NodeTrafficSnapshot),
 	}
 }
 
@@ -40,6 +43,7 @@ func (c *Collector) Start() {
 
 func (c *Collector) Stop() {
 	close(c.stop)
+	_ = c.engine.CleanupNodeCounters()
 }
 
 func (c *Collector) collectLoop() {
@@ -83,6 +87,71 @@ func (c *Collector) collect() {
 		}
 		c.prevIface[snap.Name] = snap
 	}
+
+	// Setup node counters on first run
+	if !c.nodesReady {
+		c.setupNodes()
+	}
+
+	// Collect node counters
+	if c.nodesReady {
+		c.collectNodes(now)
+	}
+}
+
+func (c *Collector) setupNodes() {
+	nodes, err := c.nodesRepo.GetAll()
+	if err != nil {
+		slog.Error("traffic: failed to get nodes for counter setup", "error", err)
+		return
+	}
+
+	infos := make([]NodeInfo, len(nodes))
+	for i, n := range nodes {
+		infos[i] = NodeInfo{ID: n.ID, IP: n.IP}
+	}
+
+	if err := c.engine.SetupNodeCounters(infos); err != nil {
+		slog.Error("traffic: failed to setup node counters", "error", err)
+		return
+	}
+
+	c.nodesReady = true
+	c.prevNode = make(map[int64]NodeTrafficSnapshot)
+}
+
+func (c *Collector) collectNodes(now time.Time) {
+	nodeSnaps, err := c.engine.CollectNodeCounters()
+	if err != nil {
+		slog.Error("traffic: failed to collect node counters", "error", err)
+		return
+	}
+
+	for _, snap := range nodeSnaps {
+		prev, exists := c.prevNode[snap.NodeID]
+		if exists && snap.BytesIn >= prev.BytesIn && snap.BytesOut >= prev.BytesOut {
+			deltaIn := int64(snap.BytesIn - prev.BytesIn)
+			deltaOut := int64(snap.BytesOut - prev.BytesOut)
+			if deltaIn > 0 || deltaOut > 0 {
+				nodeID := snap.NodeID
+				if err := c.repo.InsertRaw(&nodeID, "", deltaIn, deltaOut, now); err != nil {
+					slog.Error("traffic: failed to insert node data", "nodeId", snap.NodeID, "error", err)
+				}
+			}
+		}
+		c.prevNode[snap.NodeID] = snap
+	}
+}
+
+// RefreshNodes re-creates nftables counter rules for current nodes.
+// Called when nodes are added, updated, or deleted.
+func (c *Collector) RefreshNodes() {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	c.nodesReady = false
+	c.prevNode = make(map[int64]NodeTrafficSnapshot)
+	c.setupNodes()
 }
 
 func (c *Collector) aggregateLoop() {

internal/traffic/engine_linux.go

@@ -5,10 +5,179 @@ package traffic
 import (
 	"bufio"
 	"fmt"
+	"log/slog"
+	"net"
 	"os"
+	"strconv"
 	"strings"
+
+	"github.com/google/nftables"
+	"github.com/google/nftables/expr"
 )
 
+const statsTableName = "system_control_stats"
+
+// SetupNodeCounters creates nftables counting rules for each node IP.
+// Uses a separate table to avoid interference with NAT rules.
+func (e *Engine) SetupNodeCounters(nodes []NodeInfo) error {
+	conn, err := nftables.New()
+	if err != nil {
+		return fmt.Errorf("nftables connect: %w", err)
+	}
+
+	// Delete existing stats table (ignore error if not exists)
+	conn.DelTable(&nftables.Table{Name: statsTableName, Family: nftables.TableFamilyIPv4})
+	_ = conn.Flush()
+
+	if len(nodes) == 0 {
+		return nil
+	}
+
+	conn, err = nftables.New()
+	if err != nil {
+		return fmt.Errorf("nftables connect: %w", err)
+	}
+
+	table := conn.AddTable(&nftables.Table{
+		Name:   statsTableName,
+		Family: nftables.TableFamilyIPv4,
+	})
+
+	// Forward chain to count traffic passing through this host to/from nodes
+	chain := conn.AddChain(&nftables.Chain{
+		Name:     "traffic_count",
+		Table:    table,
+		Type:     nftables.ChainTypeFilter,
+		Hooknum:  nftables.ChainHookForward,
+		Priority: nftables.ChainPriorityFilter,
+	})
+
+	for _, node := range nodes {
+		ip := net.ParseIP(node.IP).To4()
+		if ip == nil {
+			slog.Error("traffic: invalid node IP, skipping", "nodeId", node.ID, "ip", node.IP)
+			continue
+		}
+
+		nodeIDStr := strconv.FormatInt(node.ID, 10)
+
+		// Rule: match dst IP = node.IP → count incoming traffic to node
+		conn.AddRule(&nftables.Rule{
+			Table: table,
+			Chain: chain,
+			Exprs: []expr.Any{
+				&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 16, Len: 4},
+				&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: ip},
+				&expr.Counter{},
+			},
+			UserData: []byte("node:" + nodeIDStr + ":in"),
+		})
+
+		// Rule: match src IP = node.IP → count outgoing traffic from node
+		conn.AddRule(&nftables.Rule{
+			Table: table,
+			Chain: chain,
+			Exprs: []expr.Any{
+				&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 12, Len: 4},
+				&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: ip},
+				&expr.Counter{},
+			},
+			UserData: []byte("node:" + nodeIDStr + ":out"),
+		})
+	}
+
+	if err := conn.Flush(); err != nil {
+		return fmt.Errorf("nftables flush stats: %w", err)
+	}
+
+	slog.Info("traffic: node counters set up", "nodes", len(nodes))
+	return nil
+}
+
+// CollectNodeCounters reads nftables counter values for all node rules.
+func (e *Engine) CollectNodeCounters() ([]NodeTrafficSnapshot, error) {
+	conn, err := nftables.New()
+	if err != nil {
+		return nil, fmt.Errorf("nftables connect: %w", err)
+	}
+
+	table := &nftables.Table{Name: statsTableName, Family: nftables.TableFamilyIPv4}
+	chain := &nftables.Chain{Name: "traffic_count", Table: table}
+
+	rules, err := conn.GetRules(table, chain)
+	if err != nil {
+		return nil, fmt.Errorf("get rules: %w", err)
+	}
+
+	// Aggregate counters by node ID
+	type counterPair struct {
+		bytesIn  uint64
+		bytesOut uint64
+	}
+	counters := make(map[int64]*counterPair)
+
+	for _, rule := range rules {
+		if len(rule.UserData) == 0 {
+			continue
+		}
+		tag := string(rule.UserData)
+		// Format: "node:{id}:{in|out}"
+		parts := strings.SplitN(tag, ":", 3)
+		if len(parts) != 3 || parts[0] != "node" {
+			continue
+		}
+
+		nodeID, err := strconv.ParseInt(parts[1], 10, 64)
+		if err != nil {
+			continue
+		}
+		direction := parts[2]
+
+		// Find counter expression in rule
+		var bytes uint64
+		for _, e := range rule.Exprs {
+			if c, ok := e.(*expr.Counter); ok {
+				bytes = c.Bytes
+				break
+			}
+		}
+
+		pair, ok := counters[nodeID]
+		if !ok {
+			pair = &counterPair{}
+			counters[nodeID] = pair
+		}
+
+		switch direction {
+		case "in":
+			pair.bytesIn = bytes
+		case "out":
+			pair.bytesOut = bytes
+		}
+	}
+
+	results := make([]NodeTrafficSnapshot, 0, len(counters))
+	for nodeID, pair := range counters {
+		results = append(results, NodeTrafficSnapshot{
+			NodeID:   nodeID,
+			BytesIn:  pair.bytesIn,
+			BytesOut: pair.bytesOut,
+		})
+	}
+
+	return results, nil
+}
+
+// CleanupNodeCounters removes the stats table.
+func (e *Engine) CleanupNodeCounters() error {
+	conn, err := nftables.New()
+	if err != nil {
+		return fmt.Errorf("nftables connect: %w", err)
+	}
+	conn.DelTable(&nftables.Table{Name: statsTableName, Family: nftables.TableFamilyIPv4})
+	return conn.Flush()
+}
+
 // CollectInterfaces reads /proc/net/dev and returns per-interface byte counters.
 func (e *Engine) CollectInterfaces(names []string) ([]InterfaceSnapshot, error) {
 	f, err := os.Open("/proc/net/dev")

internal/traffic/engine_stub.go

@@ -9,3 +9,20 @@ func (e *Engine) CollectInterfaces(names []string) ([]InterfaceSnapshot, error)
 	slog.Debug("traffic engine: interface collection is only supported on Linux")
 	return nil, nil
 }
+
+// SetupNodeCounters is a no-op on non-Linux platforms.
+func (e *Engine) SetupNodeCounters(nodes []NodeInfo) error {
+	slog.Debug("traffic engine: node counters are only supported on Linux")
+	return nil
+}
+
+// CollectNodeCounters is a no-op on non-Linux platforms.
+func (e *Engine) CollectNodeCounters() ([]NodeTrafficSnapshot, error) {
+	slog.Debug("traffic engine: node counters are only supported on Linux")
+	return nil, nil
+}
+
+// CleanupNodeCounters is a no-op on non-Linux platforms.
+func (e *Engine) CleanupNodeCounters() error {
+	return nil
+}

internal/traffic/models.go

@@ -30,3 +30,9 @@ type NodeTrafficSnapshot struct {
 	BytesIn  uint64
 	BytesOut uint64
 }
+
+// NodeInfo is a lightweight struct for setting up node counters.
+type NodeInfo struct {
+	ID int64
+	IP string
+}