DPI Filter does not support VLAN filtering after Netifyd configuration changes #1101

Open
cotosso opened this issue Feb 28, 2025 · 0 comments
cotosso commented Feb 28, 2025

Description:
Following the modifications introduced in issue #929 to improve the configuration of netifyd, the DPI filter no longer works with VLANs. The following issues have been identified:

  1. VLAN-based interfaces are missing from the list of filterable interfaces. This is likely because they are being read from the netifyd configuration instead of the network configuration.
  2. Even when attempting to manually modify the DPI configuration file from the command line, specifying the device with its tag (e.g. eth0.20), rules are not applied correctly.
    The issue arises because the generated netify-flow-actions.json file is not consistent with the new netifyd configuration.

Steps to Reproduce:

  1. Attempt to filter VLAN-based interfaces using the DPI filter.
  2. Check the available interfaces in the DPI configuration.
  3. Modify the DPI configuration manually and observe that changes are not applied.

Expected Behavior:

  • VLAN-based interfaces should appear in the list of filterable interfaces.
  • DPI filtering should correctly apply rules to VLAN-based traffic.

Actual Behavior:

  • VLAN-based interfaces are not available for filtering.
  • Manually applied DPI rules are not effective due to inconsistencies in netify-flow-actions.json.

Example configuration before fix:

  "actions": {
    "rule0": {
      "enabled": true,
      "interface": "eth0.20",
      "criteria": "(app == 'netify.youtube' or app == 'netify.facebook' or app == 'netify.amazon-prime' or app == 'netify.netflix' or proto == 'doh' or proto == 'dot') ;",
      "targets": [
        "block"
      ],
      "exemptions": []
    }
  }

Example of proposed fix:
The actions in netify-flow-actions.json need to be modified as follows:

  "actions": {
    "rule0": {
      "enabled": true,
      "interface": "eth0",
      "criteria": "vlan_id == 20 and (app == 'netify.youtube' or app == 'netify.facebook' or app == 'netify.amazon-prime' or app == 'netify.netflix' or proto == 'doh' or proto == 'dot') ;",
      "targets": [
        "block"
      ],
      "exemptions": []
    }
  }

Diff:

-      "interface": "eth0.20",
-      "criteria": "(app == 'netify.youtube' or app == 'netify.facebook' or app == 'netify.amazon-prime' or app == 'netify.netflix' or proto == 'doh' or proto == 'dot') ;"
+      "interface": "eth0",
+      "criteria": "vlan_id == 20 and (app == 'netify.youtube' or app == 'netify.facebook' or app == 'netify.amazon-prime' or app == 'netify.netflix' or proto == 'doh' or proto == 'dot') ;"
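Review bot: both `"criteria"` lines in this hunk are missing the trailing comma that the full examples above carry (`"criteria": "... ;",` is followed by the `"targets"` key), so applying the `+` lines literally into netify-flow-actions.json produces invalid JSON; restore the comma on the `+` line. Beyond the syntax, the hunk hardcodes `"eth0"` and `20` for one rule, while the description says netify-flow-actions.json is generated: the generator should derive the parent interface and the VLAN id from the `eth0.20` device name so that every VLAN-based rule is rewritten the same way instead of being hand-edited.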

Components
NethSecurity 23.05.5
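The proposed fix, generalised, is a rewrite pass over the `actions` map: a rule whose `interface` is a VLAN sub-interface (`parent.vid`) is re-keyed to the parent interface and its `criteria` is prefixed with `vlan_id == <vid> and (...)`. The following is an added example of such a pass and is not NethSecurity's or netifyd's own code; it assumes the Linux `parent.vid` naming convention for VLAN devices and the `vlan_id ==` criterion exactly as the issue's proposed configuration shows it. The sample actions document is constructed from the issue's "before" example.

```python
import json
import re

# Constructed sample modelled on the issue's "before" configuration.
SAMPLE_ACTIONS = {
    "actions": {
        "rule0": {
            "enabled": True,
            "interface": "eth0.20",
            "criteria": "(app == 'netify.youtube' or proto == 'doh') ;",
            "targets": ["block"],
            "exemptions": [],
        }
    }
}

# Assumption: VLAN devices follow the Linux "parent.vid" naming scheme.
VLAN_IFACE = re.compile(r"^(?P<parent>[A-Za-z0-9_-]+)\.(?P<vid>\d{1,4})$")


def split_vlan_interface(name):
    """Return (parent, vlan_id) for names like 'eth0.20', else (name, None)."""
    m = VLAN_IFACE.match(name)
    if not m:
        return name, None
    vid = int(m.group("vid"))
    if not 1 <= vid <= 4094:  # 802.1Q VID range; 0 and 4095 are reserved
        raise ValueError(f"VLAN id out of range in interface {name!r}")
    return m.group("parent"), vid


def is_fully_wrapped(expr):
    """True if expr is a single parenthesised group, e.g. '(a or b)' but not '(a) or (b)'."""
    if not (expr.startswith("(") and expr.endswith(")")):
        return False
    depth = 0
    for i, ch in enumerate(expr):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0 and i != len(expr) - 1:
                return False
    return depth == 0


def rewrite_rule(rule):
    """Move a VLAN sub-interface rule onto its parent and guard it with vlan_id."""
    parent, vid = split_vlan_interface(rule["interface"])
    new_rule = dict(rule)
    if vid is None:
        return new_rule  # plain interface: nothing to change
    criteria = rule["criteria"].strip()
    terminator = ""
    if criteria.endswith(";"):  # keep the statement terminator the issue's examples use
        criteria = criteria[:-1].rstrip()
        terminator = " ;"
    if not is_fully_wrapped(criteria):
        criteria = f"({criteria})"  # force 'and' to bind over the whole expression
    new_rule["interface"] = parent
    new_rule["criteria"] = f"vlan_id == {vid} and {criteria}{terminator}"
    return new_rule


def rewrite_actions(doc):
    """Return a copy of the actions document with every VLAN rule rewritten."""
    out = dict(doc)
    out["actions"] = {name: rewrite_rule(rule) for name, rule in doc["actions"].items()}
    return out


if __name__ == "__main__":
    print(json.dumps(rewrite_actions(SAMPLE_ACTIONS), indent=2))
```

Wrapping the existing criteria before prefixing `vlan_id == N and` matters: without it a rule such as `app == 'a' or app == 'b' ;` would become `vlan_id == 20 and app == 'a' or app == 'b'`, which still blocks `app == 'b'` on every VLAN of the parent interface.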

@cotosso cotosso added this to the NethSecurity 8.5 milestone Feb 28, 2025
@github-project-automation github-project-automation bot moved this to ToDo 🕐 in NethSecurity Feb 28, 2025
@Tbaile Tbaile moved this from ToDo 🕐 to In Progress 🛠 in NethSecurity Mar 6, 2025
@Tbaile Tbaile self-assigned this Mar 6, 2025