[prev in list] [next in list] [prev in thread] [next in thread]
List: netfilter
Subject: Re: tag process's future sockets for iptables rules?
From: "Nikolay S." <nowhere () hakkenden ! ath ! cx>
Date: 2011-10-23 19:20:58
Message-ID: 1319397658.9866.6.camel () hakkenden ! homenet
[Download RAW message or body]
В Вск, 23/10/2011 в 17:18 +0000, p. awa пишет:
> > >| netfilter_add_tag("public-addresses-proxied-via-tor");
> > >| netfilter_add_tag("internal-addresses-directly");
> > >| netfilter_remove_tag("proxy-dns");
> > >| execlp("wget", ...);
> >
> > A socket option, SO_MARK, for use with setsockopt/getsockopt.
>
> but setsockopt is per socket. i'm looking for something that is
> per process (and inherited by children - in the example, wget).
> this is to replace what i do at the moment, namely
>
> | setgid(123);
> | execlp("wget", ...);
>
> and
>
> # iptables ... -m owner --gid-owner 123 ...
Well, you could do interposition of libc's socket() with LD_PRELOAD, and
call setsockopt SO_MARK in the wrapper.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic