On Saturday 2011-10-22 18:34, p. awa wrote:

> i used to do redirection and filtering based on the uid of a packet's
> local socket. the point was to transparently proxy an arbitrary process's
> outbound tcp connections through tor[1]. it had a nice enough interface:
>
> $ sudo torified-user wget http://example.com/
>
> then i switched to filtering based on gid instead of uid: having only
> the gid of regular files created by a process screwed with was less
> intrusive. but it is all still a hack that becomes unwieldy when you
> need more complex filtering rules.
>
> so i wonder if netfilter provides a facility that would allow a process
> to specify tags that are then added onto all sockets/connections/packets
> this process and its children create in the future, and to filter based
> upon those tags. something like:
>
> | netfilter_add_tag("public-addresses-proxied-via-tor");
> | netfilter_add_tag("internal-addresses-directly");
> | netfilter_remove_tag("proxy-dns");
> | execlp("wget", ...);
>
> plus corresponding iptables rules:
>
> # iptables ... --with-tag public-addresses-proxied-via-tor \
>     --with-tag internal-addresses-directly \
>     --without-tag proxy-dns ...
>
> is there such a thing? of course it wouldn't have to be this interface

A socket option, SO_MARK, for use with setsockopt/getsockopt.
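Added example, not code from either message above: it maps the poster's named "tags" onto individual bits of the socket mark, applies the mark with setsockopt(SO_MARK), and reads it back with getsockopt. Two facts about SO_MARK that the one-line reply leaves implicit: the mark is attached to the socket (and so to packets it sends), not to the process, so the program that creates the socket has to set it; and setting it needs CAP_NET_ADMIN (CAP_NET_RAW also suffices on recent kernels), so an unprivileged caller gets EPERM, which the code reports rather than hides. The tag names are the poster's; the bit assignments, the function names and the `-m mark` rules in the usage note are this example's own choices.

```c
/* Added example: "tags" as bits of the Linux socket mark, set via SO_MARK.
 * Bit layout and helper names are this example's own, not a netfilter API. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

/* Hypothetical layout: one bit per tag, so an iptables rule can test each
 * tag independently with -m mark --mark value/mask. */
enum {
    TAG_PUBLIC_VIA_TOR  = 1u << 0,
    TAG_INTERNAL_DIRECT = 1u << 1,
    TAG_PROXY_DNS       = 1u << 2,
};

struct tag_def { const char *name; uint32_t bit; };

static const struct tag_def tag_table[] = {
    { "public-addresses-proxied-via-tor", TAG_PUBLIC_VIA_TOR },
    { "internal-addresses-directly",      TAG_INTERNAL_DIRECT },
    { "proxy-dns",                        TAG_PROXY_DNS },
};

/* Look up a tag name; an unknown tag contributes no bits. */
uint32_t tag_bit(const char *name)
{
    for (size_t i = 0; i < sizeof tag_table / sizeof tag_table[0]; i++)
        if (strcmp(tag_table[i].name, name) == 0)
            return tag_table[i].bit;
    return 0;
}

/* Counterparts of the poster's netfilter_add_tag/netfilter_remove_tag,
 * operating on a mark value instead of on process state. */
uint32_t mark_add_tag(uint32_t mark, const char *name)    { return mark | tag_bit(name); }
uint32_t mark_remove_tag(uint32_t mark, const char *name) { return mark & ~tag_bit(name); }

/* Set the mark on one socket and verify it by reading it back.
 * Returns 0 on success or -errno; without CAP_NET_ADMIN this is -EPERM. */
int socket_set_mark(int fd, uint32_t mark)
{
#ifdef SO_MARK
    uint32_t readback = 0;
    socklen_t len = sizeof readback;
    if (setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof mark) < 0)
        return -errno;
    if (getsockopt(fd, SOL_SOCKET, SO_MARK, &readback, &len) < 0)
        return -errno;
    return readback == mark ? 0 : -EIO;
#else
    (void)fd; (void)mark;
    return -ENOSYS;           /* SO_MARK is Linux-specific */
#endif
}

/* Create a TCP socket, mark it, close it; returns the socket_set_mark()
 * result (or -errno if the socket could not even be created). */
int tag_new_tcp_socket(uint32_t mark)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    int rc = socket_set_mark(fd, mark);
    close(fd);
    return rc;
}

int main(void)
{
    /* Same sequence as the poster's pseudo-code: add two tags, drop one. */
    uint32_t mark = 0;
    mark = mark_add_tag(mark, "public-addresses-proxied-via-tor");
    mark = mark_add_tag(mark, "internal-addresses-directly");
    mark = mark_add_tag(mark, "proxy-dns");
    mark = mark_remove_tag(mark, "proxy-dns");
    printf("mark = 0x%x\n", mark);

    int rc = tag_new_tcp_socket(mark);
    if (rc == -EPERM)
        fprintf(stderr, "setsockopt(SO_MARK) needs CAP_NET_ADMIN; run as root\n");
    else if (rc < 0)
        fprintf(stderr, "SO_MARK failed: %s\n", strerror(-rc));
    else
        printf("socket marked 0x%x and read back successfully\n", mark);
    return 0;
}
```

With this layout the poster's `--with-tag` / `--without-tag` become ordinary mark matches, e.g. `iptables -t mangle -A OUTPUT -m mark --mark 0x1/0x1 ...` for "public-addresses-proxied-via-tor" and `-m mark ! --mark 0x4/0x4` for "not proxy-dns". The mark is per socket, so to get wget's connections marked as in the poster's `execlp` sketch, something in wget's process (for instance an LD_PRELOAD wrapper around socket()) would have to call setsockopt(SO_MARK) on each socket it opens; the kernel does not inherit marks from a parent process.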