Netify DPI - IP Sets Integration

The IP Sets Integration is a part of the Netify Flow Actions Plugin - a premium add-on to the Netify Agent.

For systems using Linux's iptables firewall, tc-based QoS engines, or other common tools, the Flow Actions plugin provides a way to create high-speed IP Sets based on DPI flow criteria. These sets can then be used to block, shape, mark or perform other actions on network traffic.

You may also want to review alternative options for taking actions on DPI flow data - see the nftables and connection tracking (CT) labels integrations for details.

Before getting started, please take 5 minutes to read the Network Policy Datasets document.

How It Works

The Netify Agent IP Sets integration provides a high-speed interface to the Linux kernel's IP Sets framework. Flow detections are immediately available to the plugin, where the flow criteria are matched against user-defined expressions. With an IP Set in place, you can use standard Linux tools to block, shape and mark traffic. Tools include:

  • iptables - firewalling and audit trails
  • tc - traffic control and QoS
  • ip rule - routing policies
  • dscp - DSCP flag control
  • any custom tools using iptables marks

Example Configuration


The netify-flow-actions.json JSON configuration file provides a starting point for implementing our solution. See sidebar for the configuration.

For this example, we are using basic configurations to demonstrate a core feature. The Netify Integrators Kit provides more detailed reference documentation. Notably, the Flow Actions Plugin provides a very powerful expression language for pinpointing network traffic.


The actions block defines the traffic that needs to be identified. In our example, we have created 3 different actions:

  • YouTube application traffic
  • BitTorrent protocol traffic
  • All Social Media applications, except Twitter


The targets block defines which engine to use for the flow action. In our example, we are creating IP Sets.

Target Defaults

The target_defaults section in the configuration provides baseline settings for the IP Sets target. This can be used to fine-tune various policies for the IP Sets engine.

{
  "version": 1,
  "actions": {
    "bittorrent": {
      "criteria": "protocol == 'bittorrent';",
      "targets": [
      ]
    },
    "youtube": {
      "criteria": "app == 'youtube';",
      "targets": [
      ]
    },
    "social": {
      "criteria": "category == 'social-media';",
      "targets": [
      ],
      "exemptions": [
        "app == 'netify.twitter';"
      ]
    }
  },
  "targets": {
    "ipset.bittorrent": {
      "target_type": "ipset",
      "set_name": "nfa.bittorrent"
    },
    "": {
      "target_type": "ipset",
      "set_name": ""
    },
    "": {
      "target_type": "ipset",
      "set_name": ""
    }
  },
  "target_defaults": {
    "ipset": {
      "interface": "*",
      "type": "hash:ip,port,ip",
      "ttl": 120,
      "managed": true,
      "flush_on_create": true,
      "flush_on_destroy": true
    }
  },
  "exemptions": [
    "protocol == 'dns';"
  ]
}

Example In Action

The ipset command can be used to view a list of active entries. In the adjacent sidebar, attempted BitTorrent connections are shown.

# ipset list
Name: nfa.bittorrent.v4
Type: hash:ip,port,ip
Revision: 5
Header: family inet hashsize 1024 maxelem 65536 timeout 120 skbinfo
Size in memory: 2696
References: 0
Number of entries: 13
Members:
,udp:51413, timeout 117
,udp:55753, timeout 115
,udp:51413, timeout 119
,udp:51413, timeout 115
,udp:51413, timeout 115
,tcp:51413, timeout 115
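
The output above reports References: 0, meaning nothing in the kernel (such as an iptables rule) uses the set yet. The following is an added example, not Netify's own code: it reads `ipset list` output and prints the iptables rule that would enforce each unreferenced plugin set. The FORWARD chain, the DROP action, the src,dst,dst direction flags, the SET_FLAGS variable and the sample set nfa.sample.v6 are assumptions.

```shell
#!/bin/sh
# Added example, not Netify's own code. Prints (never applies) a drop rule
# for each plugin-created set ("nfa." prefix, as on this page) that has no
# kernel references yet.

# Assumption: the dimensions of hash:ip,port,ip hold local IP, remote
# proto:port, remote IP, so LAN-originated traffic matches as src,dst,dst.
SET_FLAGS="${SET_FLAGS:-src,dst,dst}"

suggest_rules() {
  awk -v flags="$SET_FLAGS" '
    function emit() {
      if (name !~ /^nfa\./) return
      if (type != "hash:ip,port,ip") { printf "# %s: type %s not handled\n", name, type; return }
      if (refs + 0 > 0) { printf "# %s: already in use (References: %d)\n", name, refs; return }
      # the family in the Header line selects the IPv4 or IPv6 tool
      cmd = (family == "inet6") ? "ip6tables" : "iptables"
      printf "%s -I FORWARD -m set --match-set %s %s -j DROP\n", cmd, name, flags
    }
    $1 == "Name:"       { emit(); name = $2; type = ""; family = "inet"; refs = 0 }
    $1 == "Type:"       { type = $2 }
    $1 == "Header:"     { for (i = 2; i < NF; i++) if ($i == "family") family = $(i + 1) }
    $1 == "References:" { refs = $2 }
    END                 { emit() }
  '
}

# Constructed sample: the first header block follows the output on this page;
# the second set (nfa.sample.v6) and the member addresses are made up.
sample_ipset_list() {
  cat <<'EOF'
Name: nfa.bittorrent.v4
Type: hash:ip,port,ip
Header: family inet hashsize 1024 maxelem 65536 timeout 120 skbinfo
References: 0
Members:
192.0.2.10,udp:51413,198.51.100.7 timeout 117

Name: nfa.sample.v6
Type: hash:ip,port,ip
Header: family inet6 hashsize 1024 maxelem 65536 timeout 120 skbinfo
References: 1
Members:
EOF
}

sample_ipset_list | suggest_rules   # live system: ipset list | suggest_rules
```

Review the printed rules before applying them; once a rule is loaded, the set's References count rises above 0 and the script reports the set as in use.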
