l7-filter: Similar But Different
At a high level, netifyd can be used to replace the functionality of l7-filter. However, the Netify implementation works quite differently, and the data it provides is much more detailed. Available DPI data includes:
- Hostname detection from HTTPS/SNI, HTTP, DNS, QUIC, and other protocols
- SSL cipher and encryption information
- DHCP fingerprints and classes
- Application data to complement protocol detection
- BitTorrent hashes
- mDNS requests
- HTTP user agents
- and more
With l7-filter, packets from a specific protocol were marked with user-specified numbers in netfilter/iptables. For example, suppose an administrator wanted to force all HTTP and SMTP traffic through a local server on the network and block all HTTP and SMTP traffic to external servers on the Internet. The administrator's /etc/l7-filter.conf would list one protocol and mark number per line, something like:

```
http 3
smtp 4
```
The administrator would then write iptables rules that block or shape traffic by matching on the mark numbers given in the configuration file. To set those marks, l7-filter placed itself directly in the packet path: packets were handed to it through a netfilter queue, it classified them, and it set the connection mark that the rest of the firewall rules keyed on.
l7-filter was driven by a simple configuration file; the Netify Agent instead exposes its results to the operating system as a near real-time JSON data stream. With this change, developers are no longer limited to making decisions by protocol: they can act on any field the DPI engine emits, such as the hostname from SNI, the cipher of an SSL session or a DHCP fingerprint. You can find an example of the JSON data stream in the netifyd overview page.
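To show the difference in practice, here is an added example (not code from the netifyd project or its firewall agent) of a small consumer for that JSON stream. It reads newline-delimited records, keeps only those of type "flow", evaluates a rule table against each flow and emits the iptables and ipset commands it would run, without executing them. The first rule reproduces the l7-filter policy above (protocol-only, HTTP/SMTP leaving the LAN); the others match on fields l7-filter never had, such as the SNI hostname, the SSL cipher and the DHCP vendor class. The sample records are constructed for this example, and the field names (type, flow, detected_protocol_name, host_server_name, other_type, ssl.cipher, dhcp.class_ident and so on) are assumed to follow the flow schema shown on the overview page; verify them against the stream your agent actually produces.

```python
"""Consume a netifyd-style newline-delimited JSON flow stream and map flows to firewall actions.

Illustrative example only. Field names are assumed to follow the netifyd flow
schema; the sample records are constructed, and the rule format and command
generation are this example's own, not the Netify firewall agent's.
"""
import json
from typing import Any, Callable, Iterable

# Constructed sample of agent output (one JSON object per line). Assumed schema:
# a top-level "type", and for flows a "flow" object carrying the DPI fields.
SAMPLE_STREAM = "\n".join(json.dumps(r) for r in [
    {"type": "agent_status", "uptime": 120},  # not a flow; the consumer skips it
    {"type": "flow", "interface": "eth1", "flow": {        # HTTP to the Internet
        "ip_protocol": 6, "local_ip": "192.168.1.20", "local_port": 51234,
        "other_ip": "93.184.216.34", "other_port": 80, "other_type": "remote",
        "detected_protocol_name": "HTTP", "host_server_name": "example.com",
        "http": {"user_agent": "curl/8.0"}}},
    {"type": "flow", "interface": "eth1", "flow": {        # SMTP to the LAN relay
        "ip_protocol": 6, "local_ip": "192.168.1.20", "local_port": 51240,
        "other_ip": "192.168.1.10", "other_port": 25, "other_type": "local",
        "detected_protocol_name": "SMTP"}},
    {"type": "flow", "interface": "eth1", "flow": {        # SSL with SNI and a weak cipher
        "ip_protocol": 6, "local_ip": "192.168.1.21", "local_port": 44321,
        "other_ip": "203.0.113.5", "other_port": 443, "other_type": "remote",
        "detected_protocol_name": "SSL", "host_server_name": "tracker.example.net",
        "ssl": {"version": "0x0301", "cipher": "TLS_RSA_WITH_RC4_128_SHA",
                "client_sni": "tracker.example.net"}}},
    {"type": "flow", "interface": "eth1", "flow": {        # DHCP with a vendor class
        "ip_protocol": 17, "local_ip": "192.168.1.77", "local_port": 68,
        "other_ip": "192.168.1.1", "other_port": 67, "other_type": "local",
        "detected_protocol_name": "DHCP",
        "dhcp": {"fingerprint": "1,3,6,15,119,252", "class_ident": "MSFT 5.0"}}},
])


def field(flow: dict, path: str, default: Any = None) -> Any:
    """Look up a dotted path such as "ssl.cipher" inside a flow object."""
    cur: Any = flow
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


# Rule table: (name, predicate over the flow object, action). An action names an
# iptables target and/or an ipset to add to; "member" picks which address goes
# into the set (the remote side by default, the local device for inventory sets).
Predicate = Callable[[dict], bool]
RULES: list[tuple[str, Predicate, dict]] = [
    # l7-filter equivalent of the config above: protocol only, leaving the LAN.
    ("block-external-http-smtp",
     lambda f: f.get("detected_protocol_name") in ("HTTP", "SMTP") and f.get("other_type") == "remote",
     {"iptables": "DROP"}),
    # Decisions l7-filter could not make: by hostname / SNI ...
    ("blocklist-host",
     lambda f: str(field(f, "host_server_name", "")).endswith("example.net"),
     {"ipset": "blocked_hosts"}),
    # ... by SSL cipher ...
    ("weak-cipher",
     lambda f: "RC4" in str(field(f, "ssl.cipher", "")),
     {"iptables": "DROP"}),
    # ... or by DHCP vendor class, to keep a device inventory set up to date.
    ("dhcp-inventory",
     lambda f: field(f, "dhcp.class_ident") is not None,
     {"ipset": "windows_clients", "member": "local"}),
]


def commands_for(flow: dict, action: dict) -> list[str]:
    """Render the firewall commands for one matched flow (returned, not executed)."""
    proto = {6: "tcp", 17: "udp"}.get(flow.get("ip_protocol"), "all")
    lip, lport = flow["local_ip"], flow["local_port"]
    oip, oport = flow["other_ip"], flow["other_port"]
    cmds = []
    if "iptables" in action:
        cmds.append(f"iptables -I FORWARD -p {proto} -s {lip} --sport {lport} "
                    f"-d {oip} --dport {oport} -j {action['iptables']}")
    if "ipset" in action:
        member = lip if action.get("member") == "local" else oip
        cmds.append(f"ipset add {action['ipset']} {member} -exist")
    return cmds


def process_stream(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (rule name, command) pairs for every flow record that matches a rule."""
    out: list[tuple[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line must not take the consumer down
        if rec.get("type") != "flow" or not isinstance(rec.get("flow"), dict):
            continue
        flow = rec["flow"]
        for name, pred, action in RULES:
            if pred(flow):
                out.extend((name, cmd) for cmd in commands_for(flow, action))
    return out


if __name__ == "__main__":
    for name, cmd in process_stream(SAMPLE_STREAM.splitlines()):
        print(f"[{name}] {cmd}")
```

Two caveats worth keeping in mind when turning this into a real integration. The agent observes traffic rather than sitting in the packet path, so a per-flow iptables rule only affects the remainder of a flow that has already been detected; the ipset entries are what catch the next connection to the same host or from the same device. And the predicates act on what the DPI engine reports, so a field that is absent for a given flow (no SNI, no DHCP options) must be treated as "unknown", as the `field()` defaults above do, rather than as a match.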
To help get you started, we have an open-source firewall agent that consumes the JSON data stream and takes action through iptables, ipsets and other backends. You can use this software to kickstart Netify integration into your product. And yes, it is open source too!