Netify DPI - CT Labels Integration

The Connection Tracking (CT) Labels Integration is a part of the Netify Flow Actions Plugin - a premium add-on to the Netify Agent.

CT Labels can be used to implement bandwidth, firewall, and QoS solutions on Linux systems configured as routers/firewalls. The Netify DPI CT Labels integration provides a way to label individual network connections based on any Netify deep packet inspection flow criteria. These labels can then be used to block, shape, mark, or perform other actions to network traffic.

In the example below, we will use Netify DPI's Connection Tracking integration to prioritize Zoom videoconferencing over less important traffic on the network.

You can also review alternative options for taking actions on DPI flow data - see the IP sets and nftables integrations for details.


Prioritizing Zoom Traffic

This example uses the CT Labels feature to prioritize Zoom videoconferencing over lower-priority traffic. Three pieces work together:

  • The Netify CT Labels engine, which labels every Zoom connection in the kernel's connection tracking table
  • An nftables rule that matches the label and sets a DSCP value on the forwarded packets
  • DSCP (Differentiated Services Code Point) marking, which quality of service (QoS) queues and shapers act on

Installation

CT Labels integration is part of the Flow Actions Plugin which is installed as a separate package. Please see your Integrators Kit instructions for details.

Example Configuration

Introduction

The netify-proc-flow-actions.json configuration file provides a starting point for implementing the solution. The complete file used in this example is shown below.

For this example, we use basic configurations to demonstrate a core feature. The Netify Integrators Kit provides more detailed reference documentation. Notably, the Flow Actions Plugin provides a very powerful expression language for pinpointing network traffic.

Connection Tracking Labels

In this example we are only interested in Zoom traffic. The connlabel.conf file needs to contain the single line `0 zoom`, which assigns label bit 0 the name "zoom". The file is shown below.

Tip #1 - The location of the connlabel.conf file varies between Linux distributions and between the tools that read it. In Debian 11, the file must exist in both /etc/connlabel.conf and /etc/xtables/connlabel.conf. Symlinks are common.

Tip #2 - If you add new connection tracking labels to the Flow Actions configuration, do not forget to add the same names to connlabel.conf as well; the Flow Actions Plugin, conntrack, and nft all resolve label names through that file, so a name that is missing there cannot be matched by any of them.

# /etc/xtables/connlabel.conf
0 zoom

# /etc/connlabel.conf
0 zoom

# /etc/netifyd/netify-proc-flow-actions.json
{
  "version": 1,
  "target_globals": {
    "ctlabel": {
      "max_bits": 127,
      "connlabel_conf": "/etc/xtables/connlabel.conf"
    }
  },
  "target_defaults": {
    "ctlabel": {
      "log_errors": false
    }
  },
  "targets": {
    "ctlabel.zoom": {
      "target_type": "ctlabel",
      "labels": [
        "zoom"
      ]
    }
  },
  "actions": {
    "zoom": {
      "criteria": "app == 'zoom';",
      "targets": [
        "ctlabel.zoom"
      ]
    }
  }
}
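Tip #2 above is easy to get wrong on a router with many actions, so the following script, added here as an example and not part of the Netify product or its documentation, cross-checks a netify-proc-flow-actions.json file against connlabel.conf. It parses connlabel.conf, verifies that every label named by a `ctlabel` target exists and fits under `max_bits`, and that every action references a defined target. The sample inputs are constructed inline to mirror the configuration above; the extra "teams" target and its `app == 'teams';` criteria are hypothetical and exist only to show a missing label being caught. Treating `max_bits` as the highest usable bit index is an assumption.

```python
import json
import re
from typing import Dict, List

# Constructed sample inputs (not read from disk). The "teams" target is
# hypothetical and deliberately has no matching line in connlabel.conf.
CONNLABEL_CONF = """\
# /etc/xtables/connlabel.conf
0 zoom
"""

FLOW_ACTIONS_JSON = """\
{
  "version": 1,
  "target_globals": {
    "ctlabel": {"max_bits": 127, "connlabel_conf": "/etc/xtables/connlabel.conf"}
  },
  "target_defaults": {"ctlabel": {"log_errors": false}},
  "targets": {
    "ctlabel.zoom":  {"target_type": "ctlabel", "labels": ["zoom"]},
    "ctlabel.teams": {"target_type": "ctlabel", "labels": ["teams"]}
  },
  "actions": {
    "zoom":  {"criteria": "app == 'zoom';",  "targets": ["ctlabel.zoom"]},
    "teams": {"criteria": "app == 'teams';", "targets": ["ctlabel.teams"]}
  }
}
"""


def parse_connlabel_conf(text: str) -> Dict[str, int]:
    """Parse connlabel.conf: one '<bit> <name>' per line, '#' starts a comment."""
    labels: Dict[str, int] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"(\d+)\s+(\S+)", line)
        if not m:
            raise ValueError(f"connlabel.conf line {lineno}: cannot parse {raw!r}")
        bit, name = int(m.group(1)), m.group(2)
        # Two names on one bit, or one name on two bits, would make matches ambiguous.
        if name in labels or bit in labels.values():
            raise ValueError(f"connlabel.conf line {lineno}: duplicate bit or name {raw!r}")
        labels[name] = bit
    return labels


def check_flow_actions(config_text: str, connlabel_text: str) -> List[str]:
    """Return a list of problems; an empty list means every ctlabel target resolves."""
    cfg = json.loads(config_text)
    labels = parse_connlabel_conf(connlabel_text)
    # Assumption: max_bits is the highest label bit index the plugin will set.
    max_bits = cfg.get("target_globals", {}).get("ctlabel", {}).get("max_bits", 127)
    problems: List[str] = []
    targets = cfg.get("targets", {})
    for tname, tdef in targets.items():
        if tdef.get("target_type") != "ctlabel":
            continue
        for label in tdef.get("labels", []):
            if label not in labels:
                problems.append(f"target {tname}: label '{label}' is missing from connlabel.conf")
            elif labels[label] > max_bits:
                problems.append(f"target {tname}: label '{label}' uses bit {labels[label]}, above max_bits {max_bits}")
    for aname, adef in cfg.get("actions", {}).items():
        for tref in adef.get("targets", []):
            if tref not in targets:
                problems.append(f"action {aname}: unknown target '{tref}'")
    return problems


if __name__ == "__main__":
    for problem in check_flow_actions(FLOW_ACTIONS_JSON, CONNLABEL_CONF):
        print(problem)
```

Run against the real files by reading them into `check_flow_actions` and wiring the result into whatever restarts netifyd, so a configuration that references an undefined label is refused before it is deployed.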

Example In Action

Zoom is one of the applications that is not reliably detected by the open source Netify DPI signatures. Before testing with Zoom traffic, make sure you have applied a recent application and protocol signature update; instructions are provided in the Integrators Kit. Without a current signature set the `app == 'zoom'` criteria never matches and no connection is labeled.

With the configuration in place and Netify restarted, the conntrack command can be used to see the labeling performed by the Flow Actions Plugin. Loading xt_connlabel first makes sure the kernel's connection tracking label extension is available, and `-o labels` prints the label names resolved through connlabel.conf:

# modprobe xt_connlabel
# conntrack -L -o extended,labels | grep --color labels=.*
ipv4  2 udp  17 119           src=192.168.1.100 dst=69.174.57.46 sport=57184 dport=8801 ... labels=zoom
ipv4  2 tcp  6  42  TIME_WAIT src=192.168.1.100 dst=69.174.57.46 sport=51066 dport=443 ... labels=zoom

Next, we use the nft command (part of nftables) to set the DSCP field and add a counter on every forwarded packet that belongs to a labeled connection. Every nftables ruleset is different, so adjust the table and chain names below to match your environment; the table and chain creation commands are only needed if they do not exist yet. The 0x28 value (decimal 40) is DSCP CS5, a high-priority class selector, and nft prints it back as cs5.

# nft add table ip mangle
# nft add chain ip mangle FORWARD '{ type filter hook forward priority mangle; }'
# nft add rule ip mangle FORWARD ct label zoom counter ip dscp set 0x28
# nft list table ip mangle
table ip mangle {
	chain FORWARD {
		type filter hook forward priority mangle; policy accept;
		ct label "zoom" counter packets 10049 bytes 20638423 ip dscp set cs5
	}
}

The tcpdump command below shows traffic with DSCP CS5 / 0x28 set. The DSCP value occupies the upper six bits of the IPv4 Type of Service (tos) byte (the second byte of the header, `ip[1]`), and the lower two bits carry ECN. Shifting 0x28 left by two gives 0xa0 (decimal 160), and the `& 0xfc` mask discards the ECN bits so that congestion marking does not hide matches. The `tos 0xa0` in the output is therefore what we expect, and it confirms that Zoom traffic has its DSCP field set to CS5. Mission accomplished.

# tcpdump -v -n -i eth0 'ip and ip[1] & 0xfc == 160'
20:26:43.829960 IP (tos 0xa0, ttl 127, id 28155, offset 0, flags [DF], proto UDP (17), length 1117)
    192.168.55.140.57184 > zoomtr46.zoom.us.8801: UDP, length 1089
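The bitmask arithmetic above is the part people most often get wrong, so the following example, added here and not part of the Netify page or product, works it through in code: it converts between DSCP values and the tos byte, names the standard class selector, assured forwarding and expedited forwarding code points, builds the tcpdump filter for a given DSCP, and decodes the DSCP and ECN bits from a raw IPv4 header. The header bytes are constructed to match the tcpdump line above (tos 0xa0, ttl 127, id 28155, DF, UDP, length 1117) with a documentation destination address in place of the Zoom server; the `nft_dscp_rule` helper and its table and chain names are assumptions for illustration.

```python
import struct

# Constructed 20-byte IPv4 header mirroring the tcpdump output: version/IHL 0x45,
# tos 0xa0, total length 1117, id 28155, DF flag, TTL 127, proto 17 (UDP),
# checksum left at 0 (not verified here), src 192.168.55.140, dst 203.0.113.10.
SAMPLE_IPV4_HEADER = struct.pack(
    "!BBHHHBBH4s4s",
    0x45, 0xA0, 1117, 28155, 0x4000, 127, 17, 0,
    bytes([192, 168, 55, 140]), bytes([203, 0, 113, 10]),
)

# Standard DSCP names: CSx = 8x, EF = 46, AFxy = 8x + 2y (RFC 2474, 2597, 3246).
DSCP_NAMES = {8 * x: f"cs{x}" for x in range(8)}
DSCP_NAMES[46] = "ef"
for x in range(1, 5):
    for y in range(1, 4):
        DSCP_NAMES[8 * x + 2 * y] = f"af{x}{y}"


def dscp_to_tos(dscp: int) -> int:
    """DSCP is the upper 6 bits of the tos byte, so shift left by two."""
    return (dscp & 0x3F) << 2


def tos_to_dscp(tos: int) -> int:
    """Drop the two ECN bits and shift the DSCP back down."""
    return (tos >> 2) & 0x3F


def tos_to_ecn(tos: int) -> int:
    """The low two bits of the tos byte are the ECN field."""
    return tos & 0x03


def dscp_name(dscp: int) -> str:
    return DSCP_NAMES.get(dscp, f"0x{dscp:02x}")


def tcpdump_filter(dscp: int) -> str:
    """BPF expression matching IPv4 packets with this DSCP, ignoring ECN bits."""
    return f"ip and ip[1] & 0xfc == {dscp_to_tos(dscp)}"


def nft_dscp_rule(label: str, dscp: int, table: str = "mangle", chain: str = "FORWARD") -> str:
    """Hypothetical helper: the nft rule that marks a labeled connection's packets."""
    return f"nft add rule ip {table} {chain} ct label {label} counter ip dscp set {dscp_name(dscp)}"


def ipv4_dscp(header: bytes):
    """Return (dscp, ecn) decoded from a raw IPv4 header; reject anything else."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    tos = header[1]
    return tos_to_dscp(tos), tos_to_ecn(tos)


if __name__ == "__main__":
    dscp, ecn = ipv4_dscp(SAMPLE_IPV4_HEADER)
    print(f"tos 0x{SAMPLE_IPV4_HEADER[1]:02x} -> dscp {dscp} ({dscp_name(dscp)}), ecn {ecn}")
    print(tcpdump_filter(0x28))
    print(nft_dscp_rule("zoom", 0x28))
```

Because the ECN bits are masked off, the same filter also catches CS5 packets that a congested router has marked with ECN CE, which a naive `ip[1] == 0xa0` test would miss.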
