l7-filter: Similar But Different
At a high level, the netifyd software can replace the functionality of l7-filter. However, the Netify implementation is done quite differently, and the data provided is much more detailed. Available DPI data includes:
- Protocol detection with the nDPI library
- Hostname detection from HTTPS/SNI, HTTP, DNS, QUIC, and other protocols
- SSL cipher and encryption information
- DHCP fingerprints and classes
- Application data to complement protocol detection
- mDNS requests
- HTTP user agents
- and more
With l7-filter, packets from a specific protocol were marked with user-specified numbers in netfilter/iptables. For example, let's say an administrator wanted to force all HTTP and SMTP traffic through a local server on the network and block all HTTP and SMTP traffic to external servers on the Internet. The administrator's /etc/l7-filter.conf would look something like this:
http 3
smtp 4
The administrator would then configure the iptables firewall rules to block or shape traffic using the mark numbers specified in the configuration file. l7-filter inserted itself inline in the traffic flow to mark packets.
The Netify IP Sets, connection tracking labels, and nftables integrations can be used similarly to the old l7-filter implementation. However, the integrations provide a much more powerful and expressive configuration language, not just a protocol-to-mark mapping.
In addition, decisions are not limited to the detected protocol. Integrators can act on any metadata from the DPI engine, for example, blocking network traffic that uses weak encryption. You can find an example of the Netify JSON data on the data streams page.
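To make the contrast concrete, here is an added illustration (not netifyd, l7-filter or Netify integration code) of the two decision models: the protocol-to-mark mapping parsed from the l7-filter.conf above, applied to the HTTP/SMTP scenario, beside a metadata-driven rule that drops TLS flows negotiating a legacy version or weak cipher. The flow-record field names (detected_protocol, dst_addr, ssl_version, ssl_cipher) and all addresses are assumptions constructed for this example, not Netify's JSON schema.

```python
# Added illustration, not Netify or l7-filter code. Flow-record field names
# are assumed, not Netify's schema; addresses are constructed RFC 5737 values.
from ipaddress import ip_address

LOCAL_SERVER = ip_address("192.0.2.10")   # constructed: the permitted on-LAN server
LEGACY_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_HINTS = ("RC4", "DES", "NULL", "EXPORT")


def parse_l7_conf(text):
    """Parse l7-filter.conf lines of the form '<protocol> <mark>' into a dict."""
    marks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if line:
            proto, mark = line.split()
            marks[proto] = int(mark)
    return marks


MARKS = parse_l7_conf("http 3\nsmtp 4\n")         # the page's example config


def l7_action(marks, proto, dst):
    """l7-filter model: the firewall only sees the packet mark.
    Scenario from the text: marked HTTP/SMTP is accepted to the local
    server and dropped to any other destination; unmarked traffic passes."""
    mark = marks.get(proto, 0)                    # 0 = unmarked, as in netfilter
    if mark == 0:
        return "ACCEPT"
    return "ACCEPT" if ip_address(dst) == LOCAL_SERVER else "DROP"


def dpi_action(flow):
    """Metadata model: any DPI field can drive the decision. A TLS flow is
    dropped when it negotiates a legacy version or a weak cipher, wherever it
    is going; other flows fall back to the protocol-mark rule above."""
    if flow["detected_protocol"] == "tls":
        weak = any(h in flow["ssl_cipher"] for h in WEAK_CIPHER_HINTS)
        return "DROP" if flow["ssl_version"] in LEGACY_TLS or weak else "ACCEPT"
    return l7_action(MARKS, flow["detected_protocol"], flow["dst_addr"])


if __name__ == "__main__":
    # Constructed sample flows: on-LAN HTTP, external SMTP, RC4 TLS, modern TLS.
    for f in [{"detected_protocol": "http", "dst_addr": "192.0.2.10"},
              {"detected_protocol": "smtp", "dst_addr": "203.0.113.5"},
              {"detected_protocol": "tls", "dst_addr": "203.0.113.5",
               "ssl_version": "TLSv1.2", "ssl_cipher": "TLS_RSA_WITH_RC4_128_SHA"},
              {"detected_protocol": "tls", "dst_addr": "203.0.113.5",
               "ssl_version": "TLSv1.3", "ssl_cipher": "TLS_AES_128_GCM_SHA256"}]:
        print(f["detected_protocol"], f["dst_addr"], dpi_action(f))
```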