Netify DPI - IP Sets Integration
The IP Sets Integration is a part of the Netify Flow Actions Plugin - a premium add-on to the Netify Agent.
IP Sets can be used to implement bandwidth, firewall, and QoS solutions on routers, firewalls, and gateways. The Netify DPI IP Sets integration provides a way to create high-speed IP sets based on any Netify deep packet inspection flow criteria. These sets can then be used to block, shape, mark, or perform other actions to network traffic.
The example below will use Netify DPI's IP Sets integration to identify BitTorrent, YouTube, and Social Media applications.
You can also review alternative options for taking actions on DPI flow data - see the nftables and connection tracking (CT) labels integrations for details.
Prerequisites
- How It Works
- Installing Netifyd
- Network Interface Configuration
- Flow Actions Plugin
Installation
IP Sets integration is part of the Flow Actions Plugin which is installed as a separate package. Please see your Integrators Kit instructions for details.
Example Configuration
Introduction
The netify-proc-flow-actions.json configuration file provides a starting point for implementing our solution. The full configuration used in this example is shown below.
For this example, we use basic configurations to demonstrate a core feature. The Netify Integrators Kit provides more detailed reference documentation. Notably, the Flow Actions Plugin provides a very powerful expression language for pinpointing network traffic.
Actions
The actions block defines the traffic that needs to be identified. In our example, we have created three different actions:
- YouTube application traffic
- BitTorrent protocol traffic
- All Social Media applications, except Twitter
Target
The targets block defines which engine to use for the flow action. In our example, we are creating IP Sets.
Target Defaults
The target_defaults section in the configuration provides baseline settings for the IP Sets target. These settings can be used to fine-tune the policies of the IP Sets engine, such as the set type and the entry TTL.
{
  "version": 1,
  "actions": {
    "bittorrent": {
      "criteria": "protocol == 'bittorrent';",
      "targets": [
        "ipset.bittorrent"
      ]
    },
    "youtube": {
      "criteria": "app == 'youtube';",
      "targets": [
        "ipset.youtube"
      ]
    },
    "social": {
      "criteria": "category == 'social-media';",
      "targets": [
        "ipset.social"
      ],
      "exemptions": [
        "app == 'netify.twitter';"
      ]
    }
  },
  "targets": {
    "ipset.bittorrent": {
      "target_type": "ipset",
      "set_name": "nfa.bittorrent"
    },
    "ipset.youtube": {
      "target_type": "ipset",
      "set_name": "nfa.youtube"
    },
    "ipset.social": {
      "target_type": "ipset",
      "set_name": "nfa.social"
    }
  },
  "target_defaults": {
    "ipset": {
      "interface": "*",
      "type": "hash:ip,port,ip",
      "ttl": 120,
      "managed": true,
      "flush_on_create": true,
      "flush_on_destroy": true
    }
  },
  "exemptions": [
    "192.168.1.1",
    "protocol == 'dns';"
  ]
}
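A configuration with a mistyped target reference is accepted as JSON but silently produces no set entries for that action, so it is worth cross-checking the actions, targets and target_defaults blocks against each other before deploying. The following Python script is an added example, not part of the Netify Integrators Kit; the function name check_flow_actions and the embedded SAMPLE_CONFIG (the page's configuration with one deliberately misspelled target reference) are constructed for this illustration.

```python
import json

# Constructed sample: the page's netify-proc-flow-actions.json, with one
# deliberate defect (action "youtube" references an undefined target).
SAMPLE_CONFIG = json.loads("""
{
  "version": 1,
  "actions": {
    "bittorrent": {"criteria": "protocol == 'bittorrent';",
                   "targets": ["ipset.bittorrent"]},
    "youtube":    {"criteria": "app == 'youtube';",
                   "targets": ["ipset.youtube-typo"]},
    "social":     {"criteria": "category == 'social-media';",
                   "targets": ["ipset.social"],
                   "exemptions": ["app == 'netify.twitter';"]}
  },
  "targets": {
    "ipset.bittorrent": {"target_type": "ipset", "set_name": "nfa.bittorrent"},
    "ipset.youtube":    {"target_type": "ipset", "set_name": "nfa.youtube"},
    "ipset.social":     {"target_type": "ipset", "set_name": "nfa.social"}
  },
  "target_defaults": {"ipset": {"interface": "*", "type": "hash:ip,port,ip",
                                "ttl": 120, "managed": true}}
}
""")

def check_flow_actions(cfg):
    """Return a list of problems found in a flow-actions configuration.

    Checks: every action has criteria and at least one target; every
    referenced target is defined; every target has a set_name and a
    target_type that has an entry in target_defaults; no target is unused.
    """
    problems = []
    targets = cfg.get("targets", {})
    defaults = cfg.get("target_defaults", {})
    used = set()
    for name, action in cfg.get("actions", {}).items():
        if not action.get("criteria"):
            problems.append(f"action {name!r}: missing criteria")
        refs = action.get("targets", [])
        if not refs:
            problems.append(f"action {name!r}: no targets")
        for ref in refs:
            used.add(ref)
            if ref not in targets:
                problems.append(f"action {name!r}: undefined target {ref!r}")
    for ref, tgt in targets.items():
        ttype = tgt.get("target_type")
        if ttype not in defaults:
            problems.append(f"target {ref!r}: no target_defaults for {ttype!r}")
        if not tgt.get("set_name"):
            problems.append(f"target {ref!r}: missing set_name")
        if ref not in used:
            problems.append(f"target {ref!r}: defined but never used")
    return problems
```

Running check_flow_actions(SAMPLE_CONFIG) reports the dangling "ipset.youtube-typo" reference and the now-unused "ipset.youtube" target; on the page's unmodified configuration it returns an empty list.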
Example In Action
The ipset command can be used to view a list of active entries. The output below shows attempted BitTorrent connections collected in the nfa.bittorrent.v4 set.
# ipset list
Name: nfa.bittorrent.v4
Type: hash:ip,port,ip
Revision: 5
Header: family inet hashsize 1024 maxelem 65536 timeout 120 skbinfo
Size in memory: 2696
References: 0
Number of entries: 13
Members:
101.100.139.138,udp:51413,192.168.55.140 timeout 117
60.115.123.115,udp:55753,192.168.55.140 timeout 115
62.210.124.230,udp:51413,192.168.55.140 timeout 119
71.150.226.54,udp:51413,192.168.55.140 timeout 115
37.221.197.43,udp:51413,192.168.55.140 timeout 115
45.76.32.64,tcp:51413,192.168.55.140 timeout 115
Layer 3 Tools
The last step is to integrate Layer 3 tools with our IP Set information. Some examples:
- tc - traffic control and QoS
- ip route/rule - multiWAN policies via marks
- iptables/nftables - firewall management
IP sets are accessible both from userland and inside the kernel, which gives a lot of speed and flexibility. Going back to our Zoom scenario, an example firewall rule might look like this:
sudo iptables -t mangle -A PREROUTING -m set --match-set netify.zoom dst,dst,src -j MARK --set-mark 0x85
Don't get too hung up on the details of the firewall rule. It's just an example of how it's possible to use native iptables tools to classify Layer 7 traffic. The iptables system will mark Zoom traffic with mark 0x85. This can then be used in standard Linux traffic control rules to manage bandwidth/QoS, send the traffic out a specific WAN interface, or do other Linux things.
A Linux-based Layer 3 system now has access to Layer 7 detections. Ta-da!