Netify DPI - IP Sets Integration
The IP Sets Integration is a part of the Netify Flow Actions Plugin - a premium add-on to the Netify Agent.
For systems using Linux's iptables firewall, tc-based QoS engines, or other common tools, the Flow Actions plugin provides a way to create high-speed IP Sets based on DPI flow criteria. These sets can then be used to block, shape, mark or perform other actions on network traffic.
You may also want to review alternative options for taking actions on DPI flow data - see the nftables and connection tracking (CT) labels integrations for details.
to read the Network Policy Datasets document.
How It Works
The Netify Agent IP Sets integration provides a high-speed interface to the Linux kernel's IP Sets framework. Flow detections are handed to the plugin as soon as they are made, and each flow's criteria are matched against the user-defined expressions in the plugin configuration. Once an IP Set is populated, you can use standard Linux tools to block, shape and mark traffic. Tools include:
- iptables - firewalling and audit trails
- tc - traffic control and QoS
- ip rule - routing policies
- dscp - DSCP flag control
- any custom tools using iptables marks
Example Configuration
Introduction
The netify-flow-actions.json JSON configuration file provides a starting point for implementing our solution. The configuration is shown below.
For this example, we are using basic configurations to demonstrate a core feature. The Netify Integrators Kit provides more detailed reference documentation. Notably, the Flow Actions Plugin provides a very powerful expression language for pinpointing network traffic.
Actions
The actions block defines the traffic that needs to be identified. In our example, we have created three different actions:
- YouTube application traffic
- BitTorrent protocol traffic
- All Social Media applications, except Twitter
Target
The targets block defines which engine to use for the flow action. In our example, we are creating IP Sets.
Target Defaults
The target_defaults section in the configuration provides baseline settings for the IP Sets target. This can be used to fine tune various policies for the IP Sets engine.
{
  "version": 1,
  "actions": {
    "bittorrent": {
      "criteria": "protocol == 'bittorrent';",
      "targets": [
        "ipset.bittorrent"
      ]
    },
    "youtube": {
      "criteria": "app == 'youtube';",
      "targets": [
        "ipset.youtube"
      ]
    },
    "social": {
      "criteria": "category == 'social-media';",
      "targets": [
        "ipset.social"
      ],
      "exemptions": [
        "app == 'netify.twitter';"
      ]
    }
  },
  "targets": {
    "ipset.bittorrent": {
      "target_type": "ipset",
      "set_name": "nfa.bittorrent"
    },
    "ipset.youtube": {
      "target_type": "ipset",
      "set_name": "nfa.youtube"
    },
    "ipset.social": {
      "target_type": "ipset",
      "set_name": "nfa.social"
    }
  },
  "target_defaults": {
    "ipset": {
      "interface": "*",
      "type": "hash:ip,port,ip",
      "ttl": 120,
      "managed": true,
      "flush_on_create": true,
      "flush_on_destroy": true
    }
  },
  "exemptions": [
    "192.168.1.1",
    "protocol == 'dns';"
  ]
}
Example In Action
The ipset command can be used to view the active entries in a set. The output below shows attempted BitTorrent connections; note that the plugin names the IPv4 set nfa.bittorrent.v4 and that each member is stored as remote IP, protocol:port, local IP with the remaining TTL.
# ipset list
Name: nfa.bittorrent.v4
Type: hash:ip,port,ip
Revision: 5
Header: family inet hashsize 1024 maxelem 65536 timeout 120 skbinfo
Size in memory: 2696
References: 0
Number of entries: 13
Members:
101.100.139.138,udp:51413,192.168.55.140 timeout 117
60.115.123.115,udp:55753,192.168.55.140 timeout 115
62.210.124.230,udp:51413,192.168.55.140 timeout 119
71.150.226.54,udp:51413,192.168.55.140 timeout 115
37.221.197.43,udp:51413,192.168.55.140 timeout 115
45.76.32.64,tcp:51413,192.168.55.140 timeout 115
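Consuming the sets from iptables is left to the administrator, so here is an added example (not Netify's own code) that generates an iptables-restore fragment for the three sets above. It assumes the nfa.*.v4 set names shown in the ipset output, that the plugin keeps the sets populated itself (managed: true, ttl 120), and that the fwmark values 0x10 and 0x20 are this example's own choice for a tc-based shaper; because members are stored as remote IP, port, local IP, the direction flags differ for LAN-to-remote and remote-to-LAN packets.

```sh
#!/bin/sh
# Added example, not part of the Netify documentation or plugin.
# Members of a hash:ip,port,ip set created by the plugin look like
#   101.100.139.138,udp:51413,192.168.55.140
# i.e. <remote ip>,<proto>:<port>,<lan ip>, so the src/dst flags given to
# "-m set --match-set" must follow that element order per direction.

# Print FORWARD-chain rules acting on one set.
#   $1 = ipset name (e.g. nfa.bittorrent.v4)
#   $2 = "DROP", or a fwmark value such as 0x10 (assumed values)
nfa_rules() {
  set_name="$1"; action="$2"
  case "$action" in
    DROP) target="-j DROP" ;;
    *)    target="-j MARK --set-mark $action" ;;
  esac
  # LAN -> remote: packet dst ip, dst port, src ip match (ip,port,ip)
  printf '%s\n' "-A FORWARD -m set --match-set $set_name dst,dst,src $target"
  # remote -> LAN: packet src ip, src port, dst ip match (ip,port,ip)
  printf '%s\n' "-A FORWARD -m set --match-set $set_name src,src,dst $target"
}

# Emit a complete iptables-restore fragment: block BitTorrent in the filter
# table, mark YouTube and social media in the mangle table for tc/QoS.
nfa_ruleset() {
  printf '%s\n' '*filter'
  nfa_rules nfa.bittorrent.v4 DROP
  printf '%s\n' 'COMMIT'
  printf '%s\n' '*mangle'
  nfa_rules nfa.youtube.v4 0x10
  nfa_rules nfa.social.v4 0x20
  printf '%s\n' 'COMMIT'
}

# Print the fragment; apply it with: nfa_ruleset | iptables-restore -n
nfa_ruleset
```

The sets must exist before iptables-restore references them, so load the rules only after the agent has created them (flush_on_create means entries are cleared, not the set itself, at start).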
Further Reading
Plugins and Addons
- Flow Actions Plugin
- Stats Plugin
- Signature Updates - 1500+ Applications and 200+ Protocols