Mark Traffic with IP Sets

This guide walks through an end-to-end policy using the Flow Actions Plugin and IP Sets to classify BitTorrent, YouTube, and social media traffic using standard Linux networking tools.

You can also review alternative methods for acting on DPI flow data, including nftables enforcement and DSCP-based traffic marking.

Requirements

  • Netify Agent with the Flow Actions Plugin installed
  • A Linux system with ipset and iptables installed
  • Privileges to restart netifyd and manage firewall/IP set state

IP Sets Primer

If you're already familiar with IP sets, feel free to skip ahead. Otherwise, this section provides a practical quick primer.

IP sets are commonly used to implement bandwidth controls, firewall policy, and QoS on routers, firewalls, and gateways. Netify's integration lets you generate high-speed IP sets from deep packet inspection flow criteria, then use those sets to block, shape, mark, or otherwise control traffic.

Linux IP sets provide a fast in-kernel lookup table keyed on addresses, ports and similar tuples. You can inspect and test sets from the command line with the ipset command. A set to track low-priority traffic can be created like this:

ipset create priority.low "hash:ip,port,ip" timeout 120

The hash:ip,port,ip type matches the Flow Actions configuration used in this example. Entries expire automatically after the configured timeout unless refreshed by new matches. The port element carries a protocol; if it is omitted, ipset assumes tcp, so state it explicitly for UDP flows. You can add a sample entry and inspect it with:

# ipset add priority.low 101.100.139.138,udp:51413,192.168.55.140
# ipset list priority.low
... snip ...
Members:
101.100.139.138,udp:51413,192.168.55.140 timeout 117

In production, Netify's IP Sets engine maintains these entries automatically; there's no need to manually manage these sets with external commands or tools.

Configuration

Target

Start with the target configuration. A target defines what to do when a flow matches our specified criteria. When a flow matches an action's criteria, the flow's address and port details are added to that action's target IP sets. In this example, two distinct IP set buckets are defined for use in traffic control policies:

ipset.low
Populates the priority.low IP set
ipset.high
Populates the priority.high IP set

Target Defaults

The target_defaults section defines settings shared by every target of a given type (here, ipset). You can find details about the IP set properties in the IP Set reference documentation.

Our two configured targets inherit the defaults provided here, and any default can be overridden per target: the ipset.high configuration overrides the default TTL of 120 seconds with 240, while ipset.low keeps the default.

Actions

The actions block specifies the logic of when to perform an action. In this example, three specific traffic types are identified:

bittorrent
Identifies BitTorrent protocol traffic
youtube
Identifies YouTube application traffic
social
Identifies all social media apps, except Reddit

The Expression Engine is used to define the criteria property. These are intentionally simple examples; the expression engine supports much more advanced matching. The exemptions property uses the same expression engine to exempt the Reddit application.

In the configuration, the bittorrent action targets the low-priority IP set, while the youtube and social actions target the high-priority IP set.

Global Exemptions

The top-level exemptions list is applied globally across all actions. This is useful for trusted infrastructure such as local DNS resolvers, management hosts, or internal service endpoints that should never be affected by policy enforcement. As the configuration shows, an exemption can be a bare address (192.168.1.1) or an expression (protocol == 'dns';).

netify-proc-flow-actions.json

{
  "version": 1,
  "targets": {
    "ipset.low": {
      "target_type": "ipset",
      "set_name": "priority.low"
    },
    "ipset.high": {
      "target_type": "ipset",
      "set_name": "priority.high",
      "ttl": 240
    }
  },
  "target_defaults": {
    "ipset": {
      "interface": "*",
      "type": "hash:ip,port,ip",
      "ttl": 120,
      "managed": true,
      "flush_on_create": true,
      "flush_on_destroy": true
    }
  },
  "actions": {
    "bittorrent": {
      "criteria": "protocol == 'bittorrent';",
      "targets": [
        "ipset.low"
      ]
    },
    "youtube": {
      "criteria": "app == 'youtube';",
      "targets": [
        "ipset.high"
      ]
    },
    "social": {
      "criteria": "category == 'social-media';",
      "targets": [
        "ipset.high"
      ],
      "exemptions": [
        "app == 'netify.reddit';"
      ]
    }
  },
  "exemptions": [
    "192.168.1.1",
    "protocol == 'dns';"
  ]
}
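The target inheritance described above (defaults merged per target type, then per-target overrides) is easy to get wrong by hand, so here is an added example that resolves it programmatically. This is not Netify code: it loads a constructed copy of the configuration above, computes the effective settings for each target, checks that every action references a defined target, and previews the ipset create command each managed set implies. The .v4 suffix on the kernel set name is an assumption taken from the ipset list output later on this page.

```python
"""Resolve and sanity-check a Flow Actions IP set configuration.

Added example, not part of the Netify agent or plugin: it merges
target_defaults into each target, applies per-target overrides (the
ipset.high TTL), checks that every action points at a defined target,
and previews the ipset create command each managed set needs.
"""
import json

# Constructed copy of the page's netify-proc-flow-actions.json.
CONFIG_JSON = r"""
{
  "version": 1,
  "targets": {
    "ipset.low":  {"target_type": "ipset", "set_name": "priority.low"},
    "ipset.high": {"target_type": "ipset", "set_name": "priority.high", "ttl": 240}
  },
  "target_defaults": {
    "ipset": {
      "interface": "*",
      "type": "hash:ip,port,ip",
      "ttl": 120,
      "managed": true,
      "flush_on_create": true,
      "flush_on_destroy": true
    }
  },
  "actions": {
    "bittorrent": {"criteria": "protocol == 'bittorrent';", "targets": ["ipset.low"]},
    "youtube":    {"criteria": "app == 'youtube';", "targets": ["ipset.high"]},
    "social": {
      "criteria": "category == 'social-media';",
      "targets": ["ipset.high"],
      "exemptions": ["app == 'netify.reddit';"]
    }
  },
  "exemptions": ["192.168.1.1", "protocol == 'dns';"]
}
"""

# Assumption: the engine names the IPv4 set <set_name>.v4, as the page's
# `ipset list` output shows for priority.low.
FAMILY_SUFFIX = ".v4"


def load_config(text=CONFIG_JSON):
    """Parse the JSON configuration text into a dict."""
    return json.loads(text)


def resolve_targets(config):
    """Return {target_name: effective settings}.

    Defaults for the target's target_type are applied first, then the
    target's own keys override them.
    """
    defaults = config.get("target_defaults", {})
    resolved = {}
    for name, target in config["targets"].items():
        effective = dict(defaults.get(target["target_type"], {}))
        effective.update(target)
        resolved[name] = effective
    return resolved


def validate_actions(config, resolved):
    """List configuration problems: missing criteria, dangling targets."""
    problems = []
    for name, action in config.get("actions", {}).items():
        if not action.get("criteria"):
            problems.append(f"action {name!r} has no criteria")
        for tgt in action.get("targets", []):
            if tgt not in resolved:
                problems.append(f"action {name!r} references undefined target {tgt!r}")
    return problems


def ipset_create_commands(resolved, suffix=FAMILY_SUFFIX):
    """Preview the ipset create command for each managed ipset target."""
    cmds = []
    for name in sorted(resolved):
        t = resolved[name]
        if t["target_type"] != "ipset" or not t.get("managed"):
            continue
        cmds.append(f"ipset create {t['set_name']}{suffix} {t['type']} timeout {t['ttl']}")
    return cmds


def sets_per_action(config, resolved):
    """Map each action to the kernel set names it populates (known targets only)."""
    return {
        name: [resolved[t]["set_name"] + FAMILY_SUFFIX
               for t in action.get("targets", []) if t in resolved]
        for name, action in config.get("actions", {}).items()
    }


if __name__ == "__main__":
    cfg = load_config()
    targets = resolve_targets(cfg)
    for problem in validate_actions(cfg, targets):
        print("WARNING:", problem)
    for cmd in ipset_create_commands(targets):
        print(cmd)
    for action, sets in sets_per_action(cfg, targets).items():
        print(f"{action:12s} -> {', '.join(sets)}")
```

Running it prints one create command per set with the effective timeout (240 for priority.high.v4, 120 for priority.low.v4) and the set each action feeds; a typo in a target name shows up as a warning before the agent is restarted rather than as an action that silently does nothing.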

IP Sets In Action

Once traffic matches the defined criteria, Netify populates the IP sets. Use the ipset command to inspect active entries. Note that the engine creates the IPv4 set as priority.low.v4, the configured set_name with an address-family suffix, and that is the name firewall rules must reference.

# ipset list
Name: priority.low.v4
Type: hash:ip,port,ip
Revision: 5
Header: family inet hashsize 1024 maxelem 65536 timeout 120 skbinfo
Size in memory: 2696
References: 0
Number of entries: 13
Members:
101.100.139.138,udp:51413,192.168.55.140 timeout 117
60.115.123.115,udp:55753,192.168.55.140 timeout 115
62.210.124.230,udp:51413,192.168.55.140 timeout 119
71.150.226.54,udp:51413,192.168.55.140 timeout 115
37.221.197.43,udp:51413,192.168.55.140 timeout 115
45.76.32.64,tcp:51413,192.168.55.140 timeout 115

Next Steps

The final step is integrating standard layer 3 Linux tools with the generated IP set data. Some examples:

  • tc - traffic control and QoS
  • ip route/rule - multi-WAN policies via marks
  • iptables/nftables - firewall management

IP sets are accessible from both user space and the kernel, providing speed and flexibility. The iptables examples below mark traffic by matching against the generated sets. The src/dst flags after the set name are positional: for a hash:ip,port,ip set, dst,dst,src compares the packet's destination address, destination port and source address against each member's (remote address, remote port, local address) tuple, so these PREROUTING rules match packets leaving a LAN host for a detected peer. Packets arriving from the peer carry the tuple the other way round and need a separate rule with src,src,dst if both directions should receive the mark.

iptables -t mangle -A PREROUTING -m set --match-set priority.low.v4 dst,dst,src -j MARK --set-mark 0x85
iptables -t mangle -A PREROUTING -m set --match-set priority.high.v4 dst,dst,src -j MARK --set-mark 0x86
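To make the flag order concrete, here is an added example covering both the ipset list output shown under "IP Sets In Action" and the iptables rules above. It is not Netify or iptables code: it parses a constructed copy of the priority.low.v4 listing into structured members, then emulates how -m set --match-set applies a src/dst flag list to a packet, so you can see that dst,dst,src matches the LAN-to-peer direction and src,src,dst the reply direction. The packets are made-up 5-tuples; the parser also flags members close to their timeout.

```python
"""Parse `ipset list` output and emulate the src/dst flag order of
`iptables -m set --match-set` for a hash:ip,port,ip set.

Added example, not Netify or iptables code. The listing is a constructed
copy of the page's priority.low.v4 output; the packets are made-up 5-tuples.
"""
import ipaddress
import re
from dataclasses import dataclass

SAMPLE_LISTING = """\
Name: priority.low.v4
Type: hash:ip,port,ip
Header: family inet hashsize 1024 maxelem 65536 timeout 120 skbinfo
Number of entries: 6
Members:
101.100.139.138,udp:51413,192.168.55.140 timeout 117
60.115.123.115,udp:55753,192.168.55.140 timeout 115
62.210.124.230,udp:51413,192.168.55.140 timeout 119
71.150.226.54,udp:51413,192.168.55.140 timeout 115
37.221.197.43,udp:51413,192.168.55.140 timeout 115
45.76.32.64,tcp:51413,192.168.55.140 timeout 115
"""

# ip,proto:port,ip plus optional "timeout N"; any further per-entry
# extensions (skbmark and friends) are ignored by this parser.
MEMBER_RE = re.compile(
    r"^(?P<ip1>\S+),(?P<proto>tcp|udp|udplite|sctp):(?P<port>\d+),(?P<ip2>\S+)"
    r"(?: timeout (?P<timeout>\d+))?(?: .*)?$"
)


@dataclass(frozen=True)
class Member:
    ip1: str      # first address element (remote peer in Netify's sets)
    proto: str
    port: int
    ip2: str      # second address element (local host)
    timeout: int  # seconds left; 0 when the set has no timeout


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def parse_ipset_list(text):
    """Return {set_name: {"type": str, "members": [Member, ...]}}."""
    sets, current, in_members = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            current = line.split(":", 1)[1].strip()
            sets[current] = {"type": None, "members": []}
            in_members = False
        elif line.startswith("Type:") and current:
            sets[current]["type"] = line.split(":", 1)[1].strip()
        elif line == "Members:":
            in_members = True
        elif in_members and line:
            m = MEMBER_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised member line: {line!r}")
            ipaddress.ip_address(m["ip1"])  # reject garbage before it drives policy
            ipaddress.ip_address(m["ip2"])
            sets[current]["members"].append(Member(
                m["ip1"], m["proto"], int(m["port"]), m["ip2"],
                int(m["timeout"] or 0)))
    return sets


def match_set(members, pkt, flags):
    """True if pkt would match `-m set --match-set <set> <flags>`.

    The flags are positional: the n-th src/dst chooses which side of the
    packet is compared with the n-th element of the ip,port,ip tuple.
    """
    f = flags.split(",")
    if len(f) != 3 or any(x not in ("src", "dst") for x in f):
        raise ValueError("hash:ip,port,ip needs exactly three src/dst flags")
    ip_a = pkt.src if f[0] == "src" else pkt.dst
    port = pkt.sport if f[1] == "src" else pkt.dport
    ip_b = pkt.src if f[2] == "src" else pkt.dst
    return any(m.ip1 == ip_a and m.proto == pkt.proto and m.port == port
               and m.ip2 == ip_b for m in members)


def expiring_within(members, seconds):
    """Members that drop out of the set unless a new flow refreshes them."""
    return [m for m in members if 0 < m.timeout <= seconds]


if __name__ == "__main__":
    low = parse_ipset_list(SAMPLE_LISTING)["priority.low.v4"]["members"]
    outbound = Packet("192.168.55.140", "101.100.139.138", "udp", 40000, 51413)
    inbound = Packet("101.100.139.138", "192.168.55.140", "udp", 51413, 40000)
    for pkt, flags in ((outbound, "dst,dst,src"), (inbound, "dst,dst,src"),
                       (inbound, "src,src,dst")):
        print(f"{pkt.src} -> {pkt.dst} with {flags}: {match_set(low, pkt, flags)}")
    print("members expiring within 115s:", len(expiring_within(low, 115)))
```

The protocol is part of the key: the tcp member for 45.76.32.64 does not match a UDP packet to the same address and port, which is why the primer's manual ipset add must spell out udp: rather than rely on the tcp default.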

A Linux Layer 3 policy engine now has direct access to Netify Layer 7 detections.