Netify DPI - CT Labels Integration
The Connection Tracking (CT) Labels Integration is part of the Netify Flow Actions Plugin, a premium add-on to the Netify Agent.
For systems configured as routers or firewalls, the CT Labels integration provides a precise way to identify and label individual connections on the network. It is built on conntrack, the stateful connection-tracking engine inside the Linux netfilter firewall, which can attach named labels to each tracked connection so that firewall rules can match on them.
Alternative ways of acting on DPI flow data are covered by the IP sets and nftables integrations. See also the Network Policy Datasets document.
How It Works
In the example below, we use the Connection Tracking (CT) Labels feature to prioritize Zoom videoconferencing over less important traffic on the network. The solution combines three pieces:
- The Netify CT Labels engine, which labels every Zoom connection in conntrack
- DSCP (Differentiated Services Code Point) marking, the IP-header field used for quality of service (QoS)
- An nftables rule that matches the label and sets the DSCP value
Example Configuration
Introduction
The netify-flow-actions.json JSON configuration file provides a starting point for implementing our solution; the full file is shown below.
For this example, we are using basic configurations to demonstrate a core feature. The Netify Integrators Kit provides more detailed reference documentation. Notably, the Flow Actions Plugin provides a very powerful expression language for pinpointing network traffic.
Connection Tracking Labels
In our example, we are only interested in Zoom traffic. Each line of connlabel.conf maps a bit number to a label name, so the file needs just one line, 0 zoom, to define the label for the Zoom application. Both copies of the file are shown below.
Tip #1 - The location of the connlabel.conf file varies between distributions. In Debian 11 the file must exist as both /etc/connlabel.conf and /etc/xtables/connlabel.conf; a symlink from one to the other is the usual way to keep the two copies identical, which matters because this name-to-bit mapping is what nft and conntrack use to interpret the label.
Tip #2 - If you add new connection tracking labels to the Flow Actions configuration, remember to add them to connlabel.conf as well (in every copy of the file).
# /etc/xtables/connlabel.conf
0 zoom
# /etc/connlabel.conf
0 zoom
# /etc/netify.d/netify-flow-actions.json
{
    "version": 1,
    "target_globals": {
        "ctlabel": {
            "max_bits": 127,
            "connlabel_conf": "/etc/xtables/connlabel.conf"
        }
    },
    "target_defaults": {
        "ctlabel": {
            "log_errors": false
        }
    },
    "targets": {
        "ctlabel.zoom": {
            "target_type": "ctlabel",
            "labels": [
                "zoom"
            ]
        }
    },
    "actions": {
        "zoom": {
            "criteria": "app == 'zoom';",
            "targets": [
                "ctlabel.zoom"
            ]
        }
    }
}
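Tip #2 above is easy to get wrong, so here is a small consistency check, added as an example and not part of the Netify Agent or the Flow Actions Plugin. It parses connlabel.conf and the ctlabel targets of netify-flow-actions.json and reports labels the JSON references that the conf file does not define, bit numbers above max_bits (assumed here to be the highest bit number the plugin will use; the kernel's conntrack label bitmap has 128 bits, 0 to 127), and actions that reference undefined targets. The embedded inputs are copies of the two files above plus a second, hypothetical target, ctlabel.teams with label teams, constructed so the check has something to find.

```python
"""Check that every ct label referenced by netify-flow-actions.json exists in connlabel.conf.

Added example, not part of Netify's code. The inputs below are constructed copies of
the page's two files plus one deliberately missing label to show the failure case.
"""
import json
import re

# Constructed: connlabel.conf as on the page, with a comment line added.
CONNLABEL_CONF = """\
# bit-number  label-name
0 zoom
"""

# Constructed: the page's Flow Actions configuration plus a hypothetical second
# target ("ctlabel.teams", label "teams") that is NOT defined in connlabel.conf.
FLOW_ACTIONS_JSON = """\
{
  "version": 1,
  "target_globals": {
    "ctlabel": {"max_bits": 127, "connlabel_conf": "/etc/xtables/connlabel.conf"}
  },
  "target_defaults": {"ctlabel": {"log_errors": false}},
  "targets": {
    "ctlabel.zoom":  {"target_type": "ctlabel", "labels": ["zoom"]},
    "ctlabel.teams": {"target_type": "ctlabel", "labels": ["teams"]}
  },
  "actions": {
    "zoom":  {"criteria": "app == 'zoom';",  "targets": ["ctlabel.zoom"]},
    "teams": {"criteria": "app == 'teams';", "targets": ["ctlabel.teams"]}
  }
}
"""


def parse_connlabel_conf(text):
    """Return {label: bit} from connlabel.conf; blank lines and '#' comments are skipped.

    Lines are '<bit> <name>' as on the page. A malformed or duplicate line raises
    ValueError rather than being silently ignored.
    """
    labels = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"(\d+)\s+(\S+)", line)
        if not m:
            raise ValueError(f"connlabel.conf line {lineno}: cannot parse {raw!r}")
        bit, name = int(m.group(1)), m.group(2)
        if name in labels:
            raise ValueError(f"connlabel.conf line {lineno}: duplicate label {name!r}")
        labels[name] = bit
    return labels


def ctlabel_targets(config):
    """Return {target_name: [labels]} for every target whose target_type is 'ctlabel'."""
    return {
        name: list(t.get("labels", []))
        for name, t in config.get("targets", {}).items()
        if t.get("target_type") == "ctlabel"
    }


def check_labels(flow_actions_text, connlabel_text):
    """Return a sorted list of problem strings; an empty list means the files agree."""
    config = json.loads(flow_actions_text)
    defined = parse_connlabel_conf(connlabel_text)
    # Assumption: max_bits is the highest bit number the plugin will use (kernel: 0..127).
    max_bits = config.get("target_globals", {}).get("ctlabel", {}).get("max_bits", 127)
    problems = []
    for target, labels in ctlabel_targets(config).items():
        for label in labels:
            if label not in defined:
                problems.append(f"{target}: label {label!r} is not defined in connlabel.conf")
            elif defined[label] > max_bits:
                problems.append(f"{target}: label {label!r} uses bit {defined[label]} > max_bits {max_bits}")
    # An action that points at a target the config never defines is also an error.
    for action, a in config.get("actions", {}).items():
        for target in a.get("targets", []):
            if target not in config.get("targets", {}):
                problems.append(f"action {action!r}: unknown target {target!r}")
    return sorted(problems)


if __name__ == "__main__":
    for p in check_labels(FLOW_ACTIONS_JSON, CONNLABEL_CONF) or ["ok: all ct labels defined"]:
        print(p)
```

Run against the real files by reading /etc/netify.d/netify-flow-actions.json and the connlabel_conf path it names; running it against both copies of connlabel.conf catches the case where the two copies have drifted apart.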
Example In Action
With the configuration in place and the Netify Agent restarted, the conntrack command (from conntrack-tools) shows the labels the Flow Actions Plugin is applying; the -o labels option is what makes the labels= field appear:
# conntrack -L -o extended,labels | grep --color labels=.*
ipv4 2 udp 17 119 src=192.168.1.100 dst=69.174.57.46 sport=57184 dport=8801 ... labels=zoom
ipv4 2 tcp 6 42 TIME_WAIT src=192.168.1.100 dst=69.174.57.46 sport=51066 dport=443 ... labels=zoom
Next, we use the nft command (part of nftables) to match the label, count matching packets, and set the DSCP field. Every nftables ruleset is laid out differently, so adjust the table and chain names below to your environment; the ip mangle table and its FORWARD chain (hooked at forward with priority mangle) must already exist before the rule can be appended. The 0x28 in the command is decimal 40, the code point for DSCP CS5 (Class Selector 5), a high-priority class; nft also accepts the symbolic name cs5, which is how it prints the rule back. Keep in mind that a DSCP mark is only a request: it takes effect where a device on the path (your own queueing discipline, a managed switch, the ISP) honours it, and many upstream networks clear or re-mark it.
# nft add ip mangle FORWARD ct label zoom counter ip dscp set 0x28
# nft list table ip mangle
table ip mangle {
chain FORWARD {
type filter hook forward priority mangle; policy accept;
ct label "zoom" counter packets 10049 bytes 20638423 ip dscp set cs5
}
}
The tcpdump command below captures traffic with DSCP CS5 set. The DSCP value occupies the upper six bits of the IPv4 Type of Service (TOS) byte (the lower two bits are ECN), so CS5 (decimal 40) appears in that byte as 40 shifted left by two, which is 160 or 0xa0; the filter reads the second header byte (ip[1]), masks off the ECN bits with 0xfc and compares the result against 160. Bottom line: tos 0xa0 in the tcpdump output below is what we expect, and it confirms that Zoom traffic leaves the router with DSCP CS5. Mission accomplished.
# tcpdump -v -n -i eth0 'ip and ip[1] & 0xfc == 160'
20:26:43.829960 IP (tos 0xa0, ttl 127, id 28155, offset 0, flags [DF], proto UDP (17), length 1117)
192.168.55.140.57184 > zoomtr46.zoom.us.8801: UDP, length 1089
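The two manual checks above (conntrack showing the label, tcpdump showing tos 0xa0) can be automated. The following Python script is an added example, not Netify's or conntrack-tools' code. It parses conntrack -L -o extended,labels and tcpdump -v -n output (both constructed here in the formats shown on the page, with made-up hosts; tcpdump must be run with -n so that addresses stay numeric), decodes the TOS byte into DSCP and ECN, builds the capture filter for any DSCP value from the same shift, and reports packets of zoom-labelled flows that are seen without CS5 as well as CS5 packets on flows that are not labelled zoom. The fourth constructed packet, a reply with tos 0x0, is there to show what a miss looks like.

```python
"""Cross-check conntrack labels against the DSCP marks tcpdump sees.

Added example, not part of Netify's or conntrack-tools' code. CONNTRACK_OUTPUT and
TCPDUMP_OUTPUT are constructed in the formats shown on the page (conntrack -L -o
extended,labels and tcpdump -v -n); the hosts are made up, and the last tcpdump
packet is deliberately left unmarked to show what a miss looks like.
"""
import re

# DSCP code points (decimal) to the names nft prints; the page uses CS5 = 40 = 0x28.
DSCP_NAMES = {0: "cs0", 8: "cs1", 16: "cs2", 24: "cs3", 32: "cs4",
              40: "cs5", 46: "ef", 48: "cs6", 56: "cs7"}

CONNTRACK_OUTPUT = """\
ipv4     2 udp      17 119 src=192.168.1.100 dst=69.174.57.46 sport=57184 dport=8801 src=69.174.57.46 dst=192.168.1.100 sport=8801 dport=57184 [ASSURED] mark=0 labels=zoom use=1
ipv4     2 tcp      6 42 TIME_WAIT src=192.168.1.100 dst=69.174.57.46 sport=51066 dport=443 src=69.174.57.46 dst=192.168.1.100 sport=443 dport=51066 [ASSURED] mark=0 labels=zoom use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.100 dst=203.0.113.10 sport=40222 dport=443 src=203.0.113.10 dst=192.168.1.100 sport=443 dport=40222 [ASSURED] mark=0 use=1
"""

TCPDUMP_OUTPUT = """\
20:26:43.829960 IP (tos 0xa0, ttl 127, id 28155, offset 0, flags [DF], proto UDP (17), length 1117)
    192.168.1.100.57184 > 69.174.57.46.8801: UDP, length 1089
20:26:43.830412 IP (tos 0x0, ttl 63, id 4410, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.100.40222 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
20:26:43.831003 IP (tos 0xa0, ttl 63, id 4411, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.100.51066 > 69.174.57.46.443: Flags [.], ack 1, win 501, length 0
20:26:43.832570 IP (tos 0x0, ttl 54, id 9001, offset 0, flags [DF], proto UDP (17), length 1100)
    69.174.57.46.8801 > 192.168.1.100.57184: UDP, length 1072
"""

# conntrack -L line: optional "ipv4 2" prefix, protocol name and number, timeout,
# optional TCP state, then the original-direction tuple.
CT_RE = re.compile(
    r"^(?:ipv[46]\s+\d+\s+)?(?P<proto>tcp|udp)\s+\d+\s+\d+\s+(?:[A-Z_]+\s+)?"
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)")
# tcpdump -v -n prints a header line with the TOS byte, then an indented tuple line.
TD_HDR_RE = re.compile(r"^\S+ IP \(tos 0x(?P<tos>[0-9a-f]+), .*proto (?P<proto>TCP|UDP) \(\d+\)")
TD_TUPLE_RE = re.compile(r"^\s+(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):")


def dscp_of_tos(tos):
    """Split the IPv4 TOS byte: the upper 6 bits are DSCP, the lower 2 are ECN."""
    return tos >> 2, tos & 0x3


def tcpdump_filter(dscp):
    """BPF expression matching one DSCP value: mask off ECN with 0xfc, compare to dscp << 2."""
    return f"ip and ip[1] & 0xfc == {dscp << 2}"


def parse_conntrack(text):
    """Return {(proto, src, sport, dst, dport): set(labels)}, keyed in both directions.

    conntrack prints 'labels=' only for entries that carry a label, so entries
    without it get an empty set.
    """
    flows = {}
    for line in text.splitlines():
        m = CT_RE.match(line)
        if not m:
            continue
        lm = re.search(r"labels=(\S+)", line)
        labels = set(lm.group(1).split(",")) if lm else set()
        proto, src, dst = m["proto"], m["src"], m["dst"]
        sport, dport = int(m["sport"]), int(m["dport"])
        flows[(proto, src, sport, dst, dport)] = labels
        flows[(proto, dst, dport, src, sport)] = labels   # reply direction
    return flows


def parse_tcpdump(text):
    """Return one dict per packet from tcpdump -v -n output (header line + tuple line)."""
    packets, hdr = [], None
    for line in text.splitlines():
        h = TD_HDR_RE.match(line)
        if h:
            hdr = {"tos": int(h["tos"], 16), "proto": h["proto"].lower()}
            continue
        t = TD_TUPLE_RE.match(line)
        if t and hdr:
            packets.append(dict(hdr, src=t["src"], sport=int(t["sport"]),
                                dst=t["dst"], dport=int(t["dport"])))
            hdr = None
    return packets


def audit(conntrack_text, tcpdump_text, label="zoom", expected_dscp=40):
    """Return packets of labelled flows lacking the mark, and marked packets of unlabelled flows."""
    flows = parse_conntrack(conntrack_text)
    unmarked, unexpected = [], []
    for pkt in parse_tcpdump(tcpdump_text):
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        dscp, _ecn = dscp_of_tos(pkt["tos"])
        labelled = label in flows.get(key, set())
        if labelled and dscp != expected_dscp:
            unmarked.append(key)
        elif not labelled and dscp == expected_dscp:
            unexpected.append(key)
    return {"unmarked": unmarked, "unexpected": unexpected}


if __name__ == "__main__":
    print(f"capture filter for {DSCP_NAMES[40]}:", tcpdump_filter(40))
    result = audit(CONNTRACK_OUTPUT, TCPDUMP_OUTPUT)
    for key in result["unmarked"]:
        print("labelled flow seen without CS5:", key)
    for key in result["unexpected"]:
        print("CS5 on a flow not labelled zoom:", key)
```

On a real router, feed it the output of conntrack -L -o extended,labels and of tcpdump -v -n on the WAN interface taken at the same time; a hit in "unmarked" usually means the packet was captured on an interface the mangle rule does not cover, while a hit in "unexpected" means something else on the path is setting CS5.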
Further Reading
Plugins and Addons
- Flow Actions Plugin
- Stats Plugin
- Signature Updates - 1500+ Applications and 200+ Protocols