nDPI integration, what is required?
It looks interesting and I think QoS is a good application of nDPI. I'm a little nervous about what the performance and stability implications are. Not having looked into it much is it implemented as a module that could be disabled if needed?
Well, I think, I can try to make this thing work on VyOS, especially if the community is interested.
@elico, it seems to me to be that if you have this thing working with ubuntu you already have some debian folder which produces .deb's on dpkg-buildpackage correctly, or you mean that after just "make && make install" on running system, it installs and works?
@mickvav I learned the debian packaging and produced more then one or these for Squid-Cache but everytime I am sitting on the build it's from 0.
To deploy most of my compiled softwares I am using a tar.xz which can be deployed ontop of the existing system as a 'module' and I found it much simpler for me to work with simple bash scripts then the debian packaging.
Without someone helping me to repackage over and over couple times of packages then it's not being pulled into the box but merely passing from one side to the other...
@dmbaturin gave me couple tips and cleared things for me.
I will try to finish couple things here before we\I can dive into the subject.
@elico, have a look at https://github.com/mickvav/ipt-netflow-code - it's my vyos/debian repackage for ipt-netflow - another iptables target module which I've ported (and use in production) on my own vyos repackage. If you take it's "debian/" folder, put in your repo, than we can fork it and maintain as submodule.
If you need to integrate with vyos configuration system - you need also some time to understand, which configuration and operation mode commands you need and I can help you (or write for you) the corresponding menu template scripts.
@mickvav I do not need it personally since it works for me fine on other systems but I would like to put my efforts in order to have others have some benefit from my work.
I will take a look at the ipt-netflow-code work and with time I will probably practice it.
I have used nDPI on CentOS 5 in the past with 'fair' results. The problem is that the makers of nDPI went commercial and their old/OSS package is afair not maintained anymore.
edit: I confused opendpi with ndpi, all green for me. I like this.
@EwaldvanGeffen The main point is that the basic and working extra modules should be usable to the public since it gives anyone that want's to enhance the existing code.
The main example is blocking windows updates, if you have the sources you can see it's being blocked based couple simple things:
domain name in plain HTTP
domain name in SNI of SSL
It is true that many changes happen since the modules was created but if it's not there then it it's like nothing.
In order to speed up the build process I want us to work on the VYOS development docker container.
Once we will have this I and others can do things much faster.
I will try to share my build node for debian in two days and then we can move forward from this one step forward towards simple kernel compilation for VYOS in a docker container.
After we will have this we can simply buidl the NDPI modules(which are being used in zeroshell....).
I think the next step for this proof-of-concept is to be tried and validated (setup log rules, tcpdump and send in traffic, manually compare counters to dump) then merged into the regular build-process and finally come up with a CLI syntax.
Well, just to make things clear - nDPI is actually a userspace software, that performs DPI analisis of data flow (from pcap-ed interface in real time or from .pcap file). It's interface to netfilter goes through ndpi-netfilter package, which actually opens kernel-userspace socket to forward some packets throug nDPI in userspace. If I am right in brief, we have two important steps:
- Make userspace software compile and work.
I thing, this should require almost no vyos-specific coding - just original package should be compiled on vyos vuild system into .deb
- Make netfilter-related package integrate into vyos iptables configuration.
Here we need to create some package like vyos-ndpi-netfilter, which fetches and compiles ndpi-netfilter, handles vyos configuration templates and creates correctly working .deb with all this stuff.
vyos-ndpi-netfilter.deb should depend on ndpi.deb
@mickvav The userspace software is not something that we need in the build.
I have just built it since it's in the packages\repo.
The important thing is the module and the libraries to build them.
I will try to disable the userspace software build and move on from there.