Netify DPI - CT Labels Integration

The Connection Tracking (CT) Labels Integration is a part of the Netify Flow Actions Plugin - a premium add-on to the Netify Agent.

For systems configured as routers/firewalls, the CT Labels system provides a precise way to identify and label individual connections on the network. This feature is provided through Linux's built-in conntrack stateful firewall engine.

You may also want to review alternative options for taking actions on DPI flow data - see the IP sets and nftables integrations for details.

Before getting started, please take 5 minutes to read the Network Policy Datasets document (Netify Network Policy Engine).

How It Works

In the example below, we will be using the Connection Tracking (CT) Labels feature to prioritize Zoom videoconferencing over less important traffic on the network. This solution uses three tools to implement the traffic prioritization:

  • The Netify CT Labels engine to label all Zoom connections
  • DSCP (Differentiated Services Code Point) marking for quality of service (QoS)
  • nftables rules to set a DSCP value

Example Configuration

The netify-flow-actions.json JSON configuration file provides a starting point for implementing our solution. The configuration is shown below.

For this example, we are using basic configurations to demonstrate a core feature. The Netify Integrators Kit provides more detailed reference documentation. Notably, the Flow Actions Plugin provides a very powerful expression language for pinpointing network traffic.

Connection Tracking Labels

In our example, we are only interested in Zoom traffic. The connlabel.conf configuration file needs to contain the single line ("0 zoom") to create the label for the Zoom application. The file is shown below.

Tip #1 - The location of the connlabel.conf file varies between Linux distributions. In Debian 11, the file must exist in both /etc/connlabel.conf and /etc/xtables/connlabel.conf. Symlinks are common.

Tip #2 - If you plan on adding new connection tracking labels in the Flow Actions configuration, please do not forget to add the labels to connlabel.conf.

# /etc/xtables/connlabel.conf
0 zoom

# /etc/connlabel.conf
0 zoom

# /etc/netify.d/netify-flow-actions.json
{
  "version": 1,
  "target_globals": {
    "ctlabel": {
      "max_bits": 127,
      "connlabel_conf": "/etc/xtables/connlabel.conf"
    }
  },
  "target_defaults": {
    "ctlabel": {
      "log_errors": false
    }
  },
  "targets": {
    "ctlabel.zoom": {
      "target_type": "ctlabel",
      "labels": [
        "zoom"
      ]
    }
  },
  "actions": {
    "zoom": {
      "criteria": "app == 'zoom';",
      "targets": [
        "ctlabel.zoom"
      ]
    }
  }
}

Example In Action

Zoom is one of the protocols that is not properly detected in the open source signatures. Before testing Zoom network traffic, it is important to make sure you have a recent application and protocol signatures update - instructions are provided in the Integrators Kit.

With the configuration in place and Netify restarted, the conntrack command can be used to see the labelling being performed by the Flow Actions Plugin:

# conntrack -L -o extended,labels | grep --color labels=.*
ipv4  2 udp  17 119           src= dst= sport=57184 dport=8801 ... labels=zoom
ipv4  2 tcp  6  42  TIME_WAIT src= dst= sport=51066 dport=443 ... labels=zoom

Next, we can use the nft command (part of nftables) to set the DSCP value and add a counter. Every nftables setup is different, so the commands below will need to be adjusted to match your environment. In case you are wondering, the 0x28 value in the command below is the hexadecimal equivalent of DSCP CS5 - a high traffic priority value.

# nft add rule ip mangle FORWARD ct label zoom counter ip dscp set 0x28
# nft list table ip mangle
table ip mangle {
	chain FORWARD {
		type filter hook forward priority mangle; policy accept;
		ct label "zoom" counter packets 10049 bytes 20638423 ip dscp set cs5
	}
}

The tcpdump command below provides a way to see traffic with DSCP CS5 / 0x28 set. Brush off your knowledge of bitmask math, or take a look at this web page for the gory technical details. Bottom line: the 6-bit DSCP value occupies the upper six bits of the IP Type of Service (tos) byte, above the two ECN bits, so 0x28 shifted left by two becomes 0xa0; tos 0xa0 in the tcpdump output below is therefore what we are expecting. This confirms that Zoom traffic has the DSCP field set to CS5. Mission accomplished.

# tcpdump -v -n -i eth0 'ip and ip[1] & 0xfc == 160'
20:26:43.829960 IP (tos 0xa0, ttl 127, id 28155, offset 0, flags [DF], proto UDP (17), length 1117) > UDP, length 1089
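The bitmask math and the conntrack output above, as an added Python example that is not part of Netify's documentation: it derives the tcpdump filter from a DSCP codepoint and parses conntrack -L -o extended,labels lines to list the flows carrying a given label. The sample lines are constructed from the redacted output shown on this page.

```python
"""Added example: DSCP/ToS arithmetic and a parser for conntrack label output."""
import re

# Class Selector codepoints CSx occupy the top three DSCP bits: CSx = x << 3.
CS_CODEPOINTS = {f"cs{i}": i << 3 for i in range(8)}

def dscp_to_tos(dscp: int) -> int:
    """The 6-bit DSCP sits in the top six bits of the IP ToS byte (ip[1]);
    the low two bits are ECN, which the filter masks off with 0xfc."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    return dscp << 2

def tcpdump_filter(dscp: int) -> str:
    """BPF expression matching packets with this DSCP, ECN bits ignored."""
    return f"ip and ip[1] & 0xfc == {dscp_to_tos(dscp)}"

# conntrack -L -o extended,labels prints one flow per line; we only need the
# layer-4 protocol, the original-direction ports and the labels= field.
CT_LINE = re.compile(
    r"^(?P<l3>ipv[46])\s+\d+\s+(?P<l4>\w+)\s+\d+\s+\d+.*?"
    r"sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+).*?labels=(?P<labels>\S+)"
)

def parse_conntrack(output: str) -> list[dict]:
    """Extract labelled flows; lines without a labels= field are skipped."""
    flows = []
    for line in output.splitlines():
        m = CT_LINE.search(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            d["labels"] = d["labels"].split(",")
            flows.append(d)
    return flows

def flows_with_label(output: str, label: str) -> list[tuple[str, int]]:
    """(protocol, dport) of every flow carrying the given CT label."""
    return [(f["l4"], f["dport"]) for f in parse_conntrack(output)
            if label in f["labels"]]

# Constructed sample: the page's two redacted zoom flows plus one unlabelled flow.
SAMPLE = """\
ipv4  2 udp  17 119           src= dst= sport=57184 dport=8801 ... labels=zoom
ipv4  2 tcp  6  42  TIME_WAIT src= dst= sport=51066 dport=443 ... labels=zoom
ipv4  2 tcp  6  431999 ESTABLISHED src= dst= sport=40210 dport=22 ...
"""
```

tcpdump_filter(CS_CODEPOINTS["cs5"]) yields the exact expression used above, and flows_with_label(SAMPLE, "zoom") returns the two labelled flows while ignoring the unlabelled SSH flow.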
