l7-filter: Similar But Different
At a high level, netifyd can be used to replace the functionality of l7-filter. However, the Netify implementation is quite different, and the data it provides is much more detailed. Available DPI data includes:
- Protocol detection with the nDPI library
- Hostname detection from HTTPS/SNI, HTTP, DNS, QUIC, and other protocols
- TLS/SSL version and cipher information
- DHCP fingerprints and classes
- Application data to complement protocol detection
- BitTorrent hashes
- mDNS requests
- HTTP user agents
- and more
With l7-filter, packets belonging to a detected protocol were tagged with a user-specified netfilter mark. For example, say an administrator wanted to force all HTTP and SMTP traffic through a local server on the network and block all HTTP and SMTP traffic to external servers on the Internet. The administrator's /etc/l7-filter.conf would list one protocol and mark per line, something like:
```
http 3
smtp 4
```
The administrator would then write iptables rules that match on those mark numbers to block or shape the traffic. l7-filter inserted itself into the packet path so that it could classify each connection and set the mark; the firewall rules themselves only ever saw the mark, not why it was set.
The Netify IP Sets and CT Label plugins can be used in a similar way to the old l7-filter implementation. However, the plugins provide a much more powerful and expressive configuration language, not just a protocol-to-mark mapping.
In addition, administrators are not limited to deciding by protocol: they can use any metadata coming out of the DPI engine, for example flagging network traffic that uses weak encryption, or acting on the hostname a client asked for. You can find an example of the Netify JSON data on the data streams page.
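The following is an added example, not Netify's or l7-filter's own code, that puts the two models side by side for the scenario above. It parses an l7-filter.conf (the two-line mapping from the example), emits the kind of mark-based iptables rules that mapping allows, and then evaluates the same policy plus a weak-TLS check against flow records shaped like Netify's JSON output. The flow records, the local server address 192.168.1.10, and the field names (detected_protocol_name, other_ip, other_type, ssl.version, ssl.cipher_suite) are constructed for illustration and should be checked against the data streams page for your release; the weak-cipher list is likewise an assumption for the demo.

```python
import json

# Constructed l7-filter.conf with the page's example mapping.
L7_CONF = """\
# protocol  mark
http 3
smtp 4
"""

LOCAL_SERVER = "192.168.1.10"  # assumed address of the local HTTP/SMTP server


def parse_l7_conf(text):
    """Return {protocol: mark} from l7-filter.conf text, one pair per line."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        proto, mark = line.split()
        conf[proto.lower()] = int(mark)
    return conf


def l7_iptables_rules(conf, local_server):
    """The only policy a mark supports: act on 'which protocol' and nothing else.
    Marked flows may reach local_server; the same mark to anywhere else is dropped."""
    rules = []
    for _proto, mark in sorted(conf.items(), key=lambda kv: kv[1]):
        rules.append(f"iptables -A FORWARD -m mark --mark {mark} -d {local_server} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -m mark --mark {mark} -j DROP")
    return rules


# Constructed Netify-style flow records (schema assumed; see the data streams page).
FLOWS = [json.loads(s) for s in (
    '{"type":"flow","flow":{"detected_protocol_name":"HTTP",'
    '"local_ip":"192.168.1.20","other_ip":"203.0.113.5","other_type":"remote",'
    '"host_server_name":"example.com"}}',
    '{"type":"flow","flow":{"detected_protocol_name":"TLS",'
    '"local_ip":"192.168.1.21","other_ip":"198.51.100.7","other_type":"remote",'
    '"host_server_name":"legacy.example.net",'
    '"ssl":{"version":"0x0301","cipher_suite":"0x000a"}}}',
    '{"type":"flow","flow":{"detected_protocol_name":"TLS",'
    '"local_ip":"192.168.1.22","other_ip":"192.168.1.10","other_type":"local",'
    '"host_server_name":"mail.lan",'
    '"ssl":{"version":"0x0303","cipher_suite":"0xc02f"}}}',
)]

TLS_1_2 = 0x0303
# Assumed weak-cipher list for the demo: RC4-MD5, RC4-SHA, 3DES-EDE-CBC-SHA.
WEAK_CIPHERS = {0x0004, 0x0005, 0x000A}


def l7_mark(flow, conf):
    """All l7-filter could hand the firewall: a mark derived from the protocol alone."""
    return conf.get(flow["flow"]["detected_protocol_name"].lower())


def netify_verdicts(flow, conf, local_server):
    """Decisions that can be made once the full DPI metadata is available.
    Returns a list of (action, reason) tuples; an empty list means 'leave it alone'."""
    f = flow["flow"]
    verdicts = []
    # Same intent as the mark rules, but the destination is part of the decision.
    if l7_mark(flow, conf) is not None and f["other_ip"] != local_server:
        verdicts.append(("drop",
                         f"{f['detected_protocol_name']} to {f['other_ip']} bypasses {local_server}"))
    # Something a protocol mark cannot express: weak TLS version or cipher.
    ssl = f.get("ssl")
    if ssl:
        version = int(ssl["version"], 16)
        cipher = int(ssl["cipher_suite"], 16)
        if version < TLS_1_2 or cipher in WEAK_CIPHERS:
            verdicts.append(("ipset:weak_tls",
                             f"{f['other_ip']} {ssl['version']}/{ssl['cipher_suite']}"))
    return verdicts


CONF = parse_l7_conf(L7_CONF)

if __name__ == "__main__":
    for rule in l7_iptables_rules(CONF, LOCAL_SERVER):
        print(rule)
    for flow in FLOWS:
        print(flow["flow"]["other_ip"], netify_verdicts(flow, CONF, LOCAL_SERVER))
```

Running it prints the four mark rules and then one verdict line per flow: the external HTTP flow is dropped, the TLS 1.0/3DES flow is tagged for a weak_tls IP set, and the TLS 1.2 flow to the local server passes. The same drop decision is reachable from l7-filter marks, but only by combining the mark with a separate destination test in iptables; the weak-TLS decision has no mark-based equivalent at all.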