List:       netfilter
Subject:    Re: tag process's future sockets for iptables rules?
From:       "Nikolay S." <nowhere () hakkenden ! ath ! cx>
Date:       2011-10-23 19:20:58
Message-ID: 1319397658.9866.6.camel () hakkenden ! homenet

On Sun, 23/10/2011 at 17:18 +0000, p. awa writes:
> > >| netfilter_add_tag("public-addresses-proxied-via-tor");
> > >| netfilter_add_tag("internal-addresses-directly");
> > >| netfilter_remove_tag("proxy-dns");
> > >| execlp("wget", ...);
> >
> > A socket option, SO_MARK, for use with setsockopt/getsockopt.
> 
> But setsockopt is per socket. I'm looking for something that is
> per process (and inherited by children; in the example, wget).
> This is to replace what I do at the moment, namely
> 
> | setgid(123);
> | execlp("wget", ...);
> 
> and
> 
> # iptables ... -m owner --gid-owner 123 ...

Well, you could do interposition of libc's socket() with LD_PRELOAD, and
call setsockopt SO_MARK in the wrapper.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
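The LD_PRELOAD approach suggested above, worked out as an added example (this is not code from the thread or from the netfilter project): a shared object that interposes libc's socket(), creates the real socket, and then calls setsockopt(SO_MARK) with a mark taken from the environment. The variable name SOMARK, the library name libsomark.so and the mark value 0x7b are assumptions chosen for the example; `-m mark --mark` is the standard iptables match for a socket mark set this way. Because both LD_PRELOAD and SOMARK are environment variables, they survive execlp(), so a child such as wget inherits the marking just as it inherited the gid in the setgid() approach.

```c
/*
 * Added example, not code from the thread: an LD_PRELOAD shim that
 * interposes libc's socket() and sets SO_MARK on every socket the process
 * creates. The mark comes from the SOMARK environment variable (an assumed
 * name); the environment and LD_PRELOAD survive execlp(), so children such
 * as wget inherit the behaviour.
 *
 * Build:  gcc -shared -fPIC -o libsomark.so somark.c
 * Use:    SOMARK=0x7b LD_PRELOAD=./libsomark.so wget http://example.org/
 * Match:  iptables ... -m mark --mark 0x7b ...
 *
 * Setting SO_MARK needs CAP_NET_ADMIN; if it fails (typically EPERM) the
 * socket is still returned unmarked so the wrapped program keeps working.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SO_MARK
#define SO_MARK 36  /* Linux value; normally provided by <sys/socket.h> */
#endif

/* Fallback prototype in case <unistd.h> was included in strict ISO mode. */
extern long syscall(long number, ...);

/* Parse "123" or "0x7b" into a mark; 0 (no mark) on empty or invalid input. */
unsigned int parse_mark(const char *s)
{
    if (s == NULL || *s == '\0')
        return 0;
    char *end = NULL;
    errno = 0;
    unsigned long v = strtoul(s, &end, 0);
    if (errno != 0 || end == s || *end != '\0' || v > 0xffffffffUL)
        return 0;
    return (unsigned int)v;
}

/* Set SO_MARK on fd; 0 on success, -1 with errno set otherwise. */
int apply_mark(int fd, unsigned int mark)
{
    return setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof mark);
}

/* Read SO_MARK back (needs no privilege); 0 if unset or on error. */
unsigned int get_mark(int fd)
{
    unsigned int mark = 0;
    socklen_t len = sizeof mark;
    if (getsockopt(fd, SOL_SOCKET, SO_MARK, &mark, &len) != 0)
        return 0;
    return mark;
}

/*
 * Interposed socket(). The real socket is created with the raw syscall
 * rather than dlsym(RTLD_NEXT, "socket") so the shim needs no libdl; the
 * trade-off is that any other interposer of socket() is bypassed.
 */
int socket(int domain, int type, int protocol)
{
    int fd = (int)syscall(SYS_socket, domain, type, protocol);
    if (fd < 0)
        return fd;                  /* errno already set by the syscall */

    int saved = errno;              /* socket() succeeded: keep errno as it was */
    unsigned int mark = parse_mark(getenv("SOMARK"));
    if (mark != 0 && apply_mark(fd, mark) != 0)
        fprintf(stderr, "somark: fd %d: SO_MARK=%#x failed: %s\n",
                fd, mark, strerror(errno));
    errno = saved;
    return fd;
}
```

Two limits worth knowing before relying on this in place of `--gid-owner`: the dynamic loader ignores LD_PRELOAD for set-user-ID programs and it has no effect on statically linked ones, and only descriptors obtained through socket() pass through the wrapper. The process also needs CAP_NET_ADMIN for setsockopt(SO_MARK) to succeed, whereas the setgid() scheme needs no capability once the gid is set.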