I had some grand plans last year to get ndpi working, but life got in the way.
ntop are likely the primary developers on ndpi these days, and I don’t think the netfilter module is important to them since they implement their own traffic control in ntop.
I’ve tracked ndpi for a few years now and have always been excited about the possibilities of iptables L7 firewalling but the module is definitely problematic and frequently breaking as either the kernel or ndpi itself moves forward, whilst there is no strong backing to keep the ndpi-netfilter working.
I haven’t re-evaluated it for about a year, so maybe someone else has done yet another fork to make it temporarily work for an indeterminate amount of time before they lose interest.
You may not be aware but Ubiquiti’s firewall product (which is a fork of Vyatta) does some L7 firewalling & reporting these days, although I haven’t reviewed it to see if it’s nDPI based.
I also wanted to say I think having L7/nDPI support in VyOS would be a major boon for people evaluating products as it is nearly a prerequisite in firewall products these days.
Another option is Snort & Openappid, although there is no direct iptables support, but I think you can leverage snort to mark the traffic based on app detection, and use traditional packet mark matching to reject.
A challenge all of these implementations have is that flows often need to be established and packets sent back and forth for a while before a classifier can detect the application. That gets tricky when the use of RELATED,ESTABLISHED rules in iptables bypasses lookups.
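The rule-ordering problem in the last paragraph, as an added example written for this note (it is not code from the post, VyOS, nDPI or Snort). It assumes an external classifier of the kind the post describes (Snort with OpenAppID or anything else) that, once it has identified a flow as a blocked application some packets in, writes the assumed value 0x10 into that flow's conntrack mark; the chain layout, the mark value, the `DRY_RUN` helper and the `enforces_late_verdict` check are all this example's own assumptions, not anything the post or those projects provide.

```shell
#!/bin/sh
# Added example, not code from the post, VyOS, nDPI or Snort.
# Assumption: an external classifier identifies a flow some packets in and
# stores the (assumed) value APP_BLOCK_MARK in that flow's conntrack mark.
# The rules below decide whether a verdict that arrives mid-flow is enforced.
# Set DRY_RUN=1 to print the iptables commands instead of running them.

APP_BLOCK_MARK=0x10

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The usual pattern: accept RELATED,ESTABLISHED first. Only the first packet
# of a flow ever reaches the connmark rule, and at that point the classifier
# has not seen enough of the flow to have marked it, so the REJECT never fires.
naive_chain() {
    run iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -m connmark --mark "$APP_BLOCK_MARK" -j REJECT
}

# Ordering that honours a late verdict: test the conntrack mark on every
# packet before the established-flow shortcut, so the flow is cut off from
# the first packet after the classifier marks it.
l7_chain() {
    run iptables -A FORWARD -p tcp -m connmark --mark "$APP_BLOCK_MARK" \
        -j REJECT --reject-with tcp-reset
    run iptables -A FORWARD -m connmark --mark "$APP_BLOCK_MARK" \
        -j REJECT --reject-with icmp-admin-prohibited
    run iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate NEW -j ACCEPT
}

# Sanity check to run before loading a ruleset: does the chain emitted by the
# named function test the connmark before it short-circuits established flows?
# Returns 0 if so, 1 otherwise.
enforces_late_verdict() {
    DRY_RUN=1 "$1" | awk '
        /ctstate RELATED,ESTABLISHED -j ACCEPT/ { if (!reject_seen) exit 1 }
        /-m connmark --mark/ && /-j REJECT/    { reject_seen = 1 }
        END { exit (reject_seen ? 0 : 1) }'
}

case "${1:-}" in
    show)  DRY_RUN=1 l7_chain ;;
    apply) l7_chain ;;
esac
```

`sh script.sh show` prints the rules and `apply` loads them. The check is the useful part: `enforces_late_verdict naive_chain` fails and `enforces_late_verdict l7_chain` passes, which is exactly the difference between a ruleset that silently lets every classified flow through and one that cuts it off. What the rules cannot fix is the window the post names: until the classifier has seen enough packets to mark the flow, the NEW and ESTABLISHED rules accept it, and any L7 approach on iptables inherits that first-N-packets gap.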