> -----Original Message-----
> From: netfilter-devel-owner@xxxxxxxxxxxxxxx [mailto:netfilter-devel-owner@xxxxxxxxxxxxxxx] On Behalf Of U.Mutlu
> Sent: Friday, September 16, 2011 3:49 AM
> To: netfilter-devel@xxxxxxxxxxxxxxx
> Subject: Howto: filtering on a per process/program basis
>
> Hi,
> I need filtering on a per process (i.e. program name) basis.
> Is this already possible in iptables/netfilter/xtables etc., or in an addon?
>
> Practically:
> Normal filtering rules based on srcaddr, dstaddr, proto, srcport, dstport etc.,
> Allow only specified applications sending of packets,
> Allow only specified applications reception of packets,
> Optionally log anything else,
> Discard anything else.
>
> When I write and install a netfilter module, then how would
> I go about getting the process name from within the kernel module?

I don't know how you'd get the process name, but an alternative that might work for you if you have control over the applications' implementation would be to have those applications set the SO_MARK socket option on the sockets they use. You could then use the standard iptables mark match extension to filter on the mark and save yourself the bother of writing a kernel module.

Jeff Haran