Netify DPI - IP Sets Integration

The IP Sets Integration is a part of the Netify Flow Actions Plugin - a premium add-on to the Netify Agent.

IP Sets can be used to implement bandwidth, firewall, and QoS solutions on routers, firewalls, and gateways. The Netify DPI IP Sets integration provides a way to create high-speed IP sets based on any Netify deep packet inspection flow criteria. These sets can then be used to block, shape, mark, or perform other actions to network traffic.

The example below will use Netify DPI's IP Sets integration to identify BitTorrent, YouTube, and Social Media applications.

You can also review alternative options for taking actions on DPI flow data - see the nftables and connection tracking (CT) labels integrations for details.

Netify Network Policy Engine


IP Sets integration is part of the Flow Actions Plugin which is installed as a separate package. Please see your Integrators Kit instructions for details.

Example Configuration


The netify-proc-flow-actions.json JSON configuration file provides a starting point for implementing our solution. See sidebar for the configuration.

For this example, we use basic configurations to demonstrate a core feature. The Netify Integrators Kit provides more detailed reference documentation. Notably, the Flow Actions Plugin provides a very powerful expression language for pinpointing network traffic.


The actions block defines the traffic that needs to be identified. In our example, we have created three different actions:

  • YouTube application traffic
  • BitTorrent protocol traffic
  • All Social Media applications, except Twitter


The targets block defines which engine to use for the flow action. In our example, we are creating IP Sets.

Target Defaults

The target_defaults section in the configuration provides baseline settings for the IP Sets target. This parameter can be used to fine-tune various policies for the IP Sets engine.

  "version": 1,
  "actions": {
    "bittorrent": {
      "criteria": "protocol == 'bittorrent';",
      "targets": [
    "youtube": {
      "criteria": "app == 'youtube';",
      "targets": [
    "social": {
      "criteria": "category == 'social-media';",
      "targets": [
      "exemptions": [
        "app == 'netify.twitter';"
  "targets": {
    "ipset.bittorrent": {
      "target_type": "ipset",
      "set_name": "nfa.bittorrent"
    "": {
      "target_type": "ipset",
      "set_name": ""
    "": {
      "target_type": "ipset",
      "set_name": ""
  "target_defaults": {
    "ipset": {
      "interface": "*",
      "type": "hash:ip,port,ip",
      "ttl": 120,
      "managed": true,
      "flush_on_create": true,
      "flush_on_destroy": true
  "exemptions": [
    "protocol == 'dns';"

Example In Action

The ipset command can be used to view a list of active entries. In the adjacent sidebar, attempted BitTorrent connections are shown.

# ipset list
Name: nfa.bittorrent.v4
Type: hash:ip,port,ip
Revision: 5
Header: family inet hashsize 1024 maxelem 65536 timeout 120 skbinfo
Size in memory: 2696
References: 0
Number of entries: 13
Members:,udp:51413, timeout 117,udp:55753, timeout 115,udp:51413, timeout 119,udp:51413, timeout 115,udp:51413, timeout 115,tcp:51413, timeout 115

Layer 3 Tools

The last step is to integrate Layer 3 tools with our IP Set information. Some examples:

  • tc - traffic control and QoS
  • ip route/rule - multiWAN policies via marks
  • iptables/nftables - firewall management

IP sets are accessible in both userland and inside the kernel, so there is a lot of speed and flexibility. Going back to our Zoom scenario, an example firewall rule might look like this:

sudo iptables -t mangle -A PREROUTING -m set --match-set netify.zoom dst,dst,src -j MARK --set-mark 0x85

Don't get too hung up on the details of the firewall rule. It's just an example of how it's possible to use native iptables tools to classify Layer 7 traffic. The iptables system will mark Zoom traffic with mark 0x85. This can then be used in standard Linux traffic control rules to manage bandwidth/QoS, send the traffic out a specific WAN interface, or do other Linux things.

A Linux-based Layer 3 system now has access to Layer 7 detections. Ta-da!

Further Reading



Evaluate Netify DPI

Do you want to get started with evaluating Netify DPI? Request the Integrators Kit today.

Integrators Kit