Set DSCP Bits for Zoom with CT Labels

This technical guide demonstrates how to use Netify's Connection Tracking (CT) Labels engine to prioritize Zoom videoconferencing over low-priority traffic. It uses connection tracking and nftables to set the DSCP (Differentiated Services Code Point) value for quality of service (QoS).

CT Labels can be used to implement bandwidth, firewall, and QoS policy on Linux systems operating as routers or firewalls. Netify's CT Labels integration lets you tag individual network connections based on deep packet inspection flow criteria. These labels can then be used to block, shape, mark, or otherwise control traffic.

Requirements

  • Netify Agent v5 with the Flow Actions Plugin installed
  • A Linux system with conntrack and nftables installed
  • Privileges to restart netifyd and manage nftables
  • CAP_NET_ADMIN for interacting with conntrack

Zoom is one of the protocols that is not properly detected in the open source Netify DPI signatures. It is important to make sure you have updated signatures.

Getting Started

In this example, only Zoom traffic is targeted. The connlabel.conf file must include a single label definition (0 zoom) so the Flow Actions target can apply that label to matching connections.

Tip #1 - The location of connlabel.conf varies by distribution. In Debian 11, the file is commonly expected in both /etc/connlabel.conf and /etc/xtables/connlabel.conf. Symlinks are common.

Tip #2 - If you add labels in Flow Actions targets, remember to define those same labels in connlabel.conf.

# /etc/xtables/connlabel.conf
0 zoom

# /etc/connlabel.conf
0 zoom

Configuration

Target Globals

Start with target_globals for the ctlabel target type. These settings should map to the capabilities of your Linux system.

max_bits
The maximum number of conntrack label bits available for use.
connlabel_conf
Path to the conntrack label mapping file used by the system.

Target Defaults

The target_defaults block defines defaults for all CT Label targets. In this example, log_errors is disabled to reduce noise in routine operation.

Targets

The targets block defines what to do when an action matches. The ctlabel.zoom target applies the zoom connection label to matching flows.

Actions

The actions block defines when to apply a target. Here, the action uses the criteria expression app == 'zoom'; and routes matching flows to the ctlabel.zoom target.

The Expression Engine is used for criteria, so you can extend this pattern to additional applications, categories, or protocol-based conditions.

netify-proc-flow-actions.json

{
  "version": 1,
  "target_globals": {
    "ctlabel": {
      "max_bits": 127,
      "connlabel_conf": "/etc/xtables/connlabel.conf"
    }
  },
  "target_defaults": {
    "ctlabel": {
      "log_errors": false
    }
  },
  "targets": {
    "ctlabel.zoom": {
      "target_type": "ctlabel",
      "labels": [
        "zoom"
      ]
    }
  },
  "actions": {
    "zoom": {
      "criteria": "app == 'zoom';",
      "targets": [
        "ctlabel.zoom"
      ]
    }
  }
}

Connection Tracking In Action

With the configuration in place and Netify restarted, the conntrack command can be used to see the labelling being performed by the Flow Actions Plugin:

$ modprobe xt_connlabel
$ conntrack -L -o extended,labels | grep --color labels=.*
ipv4  2 udp  17 119           src=192.168.1.100 dst=69.174.57.46 sport=57184 dport=8801 ... labels=zoom
ipv4  2 tcp  6  42  TIME_WAIT src=192.168.1.100 dst=69.174.57.46 sport=51066 dport=443 ... labels=zoom

Next, we can use the nft command (part of nftables) to set the DSCP value and add a packet counter. nftables setups differ from system to system, so the commands below will need to be adjusted to match your environment. In case you are wondering, the 0x28 value in the command below is the hexadecimal equivalent of DSCP CS5 - a high traffic priority value.

$ nft add table ip mangle
$ nft add chain ip mangle FORWARD { type filter hook forward priority -150 \; }
$ nft add rule ip mangle FORWARD ct label zoom counter ip dscp set 0x28
$ nft list table ip mangle
table ip mangle {
	chain FORWARD {
		type filter hook forward priority mangle; policy accept;
		ct label "zoom" counter packets 10049 bytes 20638423 ip dscp set cs5
	}
}

With the above rule in place, all Zoom traffic flowing through the system will now be marked with the high-priority DSCP value. The tcpdump command below provides a way to see traffic with DSCP CS5 / 0x28 set. Brush off your bitmask math, or take a look at this web page for the detailed breakdown. The DSCP codepoint occupies the upper six bits of the IP ToS byte (the low two bits are ECN), so 0x28 shifted left by two bits gives 0xa0, which is also why the filter masks ip[1] with 0xfc and compares against 160. Bottom line: tos 0xa0 in the tcpdump output below is the expected value for the tos (Type of Service) field. This confirms that Zoom traffic has the DSCP field set to CS5. Mission accomplished.

$ tcpdump -v -n -i eth0 'ip and ip[1] & 0xfc == 160'
20:26:43.829960 IP (tos 0xa0, ttl 127, id 28155, offset 0, flags [DF], proto UDP (17), length 1117)
192.168.55.140.57184 > zoomtr46.zoom.us.8801: UDP, length 1089
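The following shell helpers are an added example, not part of the Netify guide or its tooling. They work the DSCP-to-ToS bitmask math described above (CS5 = 40 = 0x28 becomes tos 0xa0), build the matching tcpdump filter, and count labelled entries in a constructed sample of conntrack -L -o extended,labels output; the sample addresses are made up.

```shell
#!/bin/sh
# Added example (not from the Netify guide): DSCP/ToS bitmask helpers and a
# conntrack label counter. All sample data below is constructed.

# DSCP is the upper 6 bits of the IPv4 ToS byte (ip[1]); the low 2 bits are ECN.
# dscp_to_tos: DSCP codepoint (decimal or 0x-hex) -> ToS byte as hex, e.g. 40 -> 0xa0
dscp_to_tos() {
    printf '0x%02x' $(( ($1 & 0x3f) << 2 ))
}

# tos_to_dscp: ToS byte (decimal or 0x-hex) -> DSCP codepoint, ECN bits masked off
tos_to_dscp() {
    printf '%d' $(( ($1 & 0xfc) >> 2 ))
}

# tcpdump_filter: pcap filter that matches packets carrying the given DSCP codepoint
tcpdump_filter() {
    printf 'ip and ip[1] & 0xfc == %d' $(( ($1 & 0x3f) << 2 ))
}

# Constructed sample of "conntrack -L -o extended,labels" output: two Zoom flows
# labelled by the Flow Actions Plugin and one unrelated, unlabelled flow.
CONNTRACK_SAMPLE='ipv4  2 udp  17 119           src=192.168.1.100 dst=203.0.113.10 sport=57184 dport=8801 ... labels=zoom
ipv4  2 tcp  6  42  TIME_WAIT src=192.168.1.100 dst=203.0.113.10 sport=51066 dport=443 ... labels=zoom
ipv4  2 tcp  6  431999 ESTABLISHED src=192.168.1.100 dst=198.51.100.7 sport=40000 dport=443 ...'

# count_labelled LABEL: number of conntrack entries whose labels= field contains LABEL.
# Handles the comma-separated form used when several labels are set on one entry.
count_labelled() {
    printf '%s\n' "$CONNTRACK_SAMPLE" | awk -v want="$1" '
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^labels=/) {
                    n_l = split(substr($i, 8), l, ",")
                    for (k = 1; k <= n_l; k++)
                        if (l[k] == want) { n++; break }
                }
        }
        END { print n + 0 }'
}

# Stand-alone run: show the mapping for CS5 and the labelled-flow count.
printf 'CS5: dscp 0x28 -> tos %s, filter: "%s"\n' "$(dscp_to_tos 0x28)" "$(tcpdump_filter 40)"
printf 'flows labelled zoom: %s\n' "$(count_labelled zoom)"
```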