Netify Integrates with Netfilter Conntrack for High-Performance DPI and Flow Offloading

---

Netify Integrates with Netfilter Conntrack for High-Performance DPI and Flow Offloading

Netify's DPI engine now includes native support for Netfilter's conntrack and NFQUEUE subsystems, offering a streamlined alternative to traditional capture methods like PCAP and TPACKETv3 for early flow classification and fastpath handling. This isn't just an incremental improvement - it's a fundamental shift in how Netify processes and classifies traffic.

Smarter Capture, Faster Processing

With this new approach, only the first N packets (up to 32, configurable) of a flow are sent to Netify's DPI engine for classification. Once identified, all subsequent packets are handled by Netfilter's conntrack system, bypassing Netify entirely. This "fastpath" dramatically reduces the load on the system by avoiding redundant analysis, while still ensuring complete flow visibility through conntrack statistics.

This model delivers over 90% reduction in CPU usage on typical networks - a staggering improvement that pushes Netify into a whole new performance class.

DPI on Commodity Hardware

By shifting away from full packet inspection and embracing NFQUEUE's lightweight handoff model, we've unlocked a surprising new capability: Layer 7 classification on commodity network interfaces. Combined with modern NICs that support hardware offload and acceleration, Netify now opens the door to software-based DPI at wire speed - no expensive specialized hardware required.

Introducing Flow Action 'marks': Policy-Based Power

Alongside the NFQUEUE integration, we've expanded the capabilities of the Netify Flow Action plugin with a new target: marks.

This feature allows Netify to apply custom policy marks to flows based on L2–L7 metadata - directly from within the plugin itself. No firewall rules, no handoff to iptables or nftables - just clean, efficient tagging at the DPI layer. Whether it's identifying video streams, blocking certain apps, or prioritizing specific traffic classes, you now have the flexibility to act instantly and precisely on what Netify sees.

What This Means

This is more than a technical enhancement. It's a redefinition of what's possible with software-based DPI. We're now looking at:

• Wire-speed Layer 7 classification
• Massive performance gains on existing hardware
• Lower barriers for deploying intelligent traffic policy
• Simplified architecture with smarter integration

Learn More

To find out more about Netify's DPI Agent, click here or contact hello@netify.ai.

Recent Articles

• Blog and News Home
• Netify Integrates with Netfilter Conntrack for High-Performance DPI and Flow Offloading
• Introducing the Netify Data Feed API: Powering Application Insights
• Netify DPI Agent Version 5 Now Supports All Turnium SD-WAN Platforms
• Netify Deep Packet Inspection Agent Version 5 Released
• Pyramite Integrates Netify Into Splynx Wireless ISP Solution
• Selecting A Packet Capture Library
• Netify Agent Adds TPACKETv3 Support
• Netify Deep Packet Inspection Agent Version 4.2 Now Available
• Zyxel Networks Integrates Netify Deep Packet Inspection Engine
• Fusion Broadband Adopts Netify Informatics Into SD-WAN
• Juniper and eGloo Sign Business Agreement
• Netify and Terminus Positronics Partnership
• Netify Adds GTP Encapsulation Support
• K4 Mobility Selects Netify for Deep Packet Inspection
• Netify and Open Source Cyber Fusion Centre
• Netify Informatics Cloud Platform v2.0 Released
• Netify App for Android/iOS Now Available
• Netify for OPNsense Now Available
• Netify for CentOS 8 Now Available
• Netify and Netify FWA for pfSense Now Available
• Network Visibility Command Line Tool for Nerds
• Netify for ClearOS Now Available
• Netify 1.0 Release Available
• Netify on CENGN's Next Generation Networks