i used to do redirection and filtering based on the uid of a packet's local socket. the point was to transparently proxy an arbitrary process's outbound tcp connections through tor[1]. it had a nice enough interface:

  $ sudo torified-user wget http://example.com/

then i switched to filtering based on gid instead of uid: having only the gid of regular files created by a process screwed with was less intrusive. but it is all still a hack that becomes unwieldy when you need more complex filtering rules.

so i wonder if netfilter provides a facility that would allow a process to specify tags that are then added onto all sockets/connections/packets this process and its children create in the future, and to filter based upon those tags. something like:

| netfilter_add_tag("public-addresses-proxied-via-tor");
| netfilter_add_tag("internal-addresses-directly");
| netfilter_remove_tag("proxy-dns");
| execlp("wget", ...);

plus corresponding iptables rules:

# iptables ... --with-tag public-addresses-proxied-via-tor \
               --with-tag internal-addresses-directly \
               --without-tag proxy-dns ...

is there such a thing? of course it wouldn't have to be this interface exactly, e.g. instead of strings the tags could be bits like connmark's value/mask.

there wouldn't be by any chance a way to set a "default connmark value" from inside a process, would there?

please note that i'm only asking about this tagging facility, and not about the proxying use case above (which is merely a simplified example).

cheers

[1] https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy