From: "p. awa" <pawa@tormail.net>
To: netfilter@vger.kernel.org
Subject: tag process's future sockets for iptables rules?
Date: Sat, 22 Oct 2011 14:44:53 +0000	[thread overview]
Message-ID: <1RHcoO-000PCl-R6@internal.tormail.net> (raw)

i used to do redirection and filtering based on the uid of a packet's
local socket. the point was to transparently proxy an arbitrary process's
outbound tcp connections through tor[1]. it had a nice enough interface:

$ sudo torified-user wget http://example.com/

then i switched to filtering based on gid instead of uid: having only
the gid of regular files created by a process screwed with was less
intrusive. but it is all still a hack that becomes unwieldy when you
need more complex filtering rules.

so i wonder if netfilter provides a facility that would allow a process
to specify tags that are then added onto all sockets/connections/packets
this process and its children create in the future, and to filter based
upon those tags. something like:

| netfilter_add_tag("public-addresses-proxied-via-tor");
| netfilter_add_tag("internal-addresses-directly");
| netfilter_remove_tag("proxy-dns");
| execlp("wget", ...);

plus corresponding iptables rules:

# iptables ... --with-tag    public-addresses-proxied-via-tor \
               --with-tag    internal-addresses-directly \
               --without-tag proxy-dns ...

is there such a thing? of course it wouldn't have to be this interface
exactly, e.g. instead of strings the tags could be bits like connmark's
value/mask. there wouldn't be by any chance a way to set a "default"
connmark value" from inside a process, would there?

please note that i'm only asking about this tagging facility, and not
about the proxying use case above (which is merely a simplified example).

cheers

[1] https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy
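As an added example that is not part of the original message: the gid-based owner-match hack the poster says they were using, written out as a small script so the mechanics are visible. Tor's TransPort/DNSPort numbers, the group name "torified", the sg(1) wrapper and the exact rule layout are assumptions made for illustration, not details from the thread.

```shell
#!/bin/sh
# Added example, not code from the original post: the gid-based hack the
# poster describes, spelled out as iptables rules. Every value below is an
# assumption for illustration: Tor's TransPort/DNSPort numbers, the group
# name "torified", and the rule layout itself.
set -eu

TOR_GROUP="${TOR_GROUP:-torified}"   # processes run with this gid get proxied
TRANS_PORT="${TRANS_PORT:-9040}"     # assumed Tor TransPort on 127.0.0.1
DNS_PORT="${DNS_PORT:-5353}"         # assumed Tor DNSPort on 127.0.0.1

# Print the iptables commands for the group named/numbered in $1, one per
# line, without running them. The owner match only works in chains that see
# locally generated packets (OUTPUT) because it reads the sending socket's
# fsuid/fsgid; that fsgid is also the gid newly created regular files get,
# which is why gid tagging is less intrusive than switching uid.
torify_rules() {
    gid="$1"
    # nat/OUTPUT: leave loopback alone (Tor itself listens there), then
    # redirect DNS and the first packet of each TCP connection into Tor.
    printf '%s\n' \
      "iptables -t nat -A OUTPUT -m owner --gid-owner $gid -d 127.0.0.0/8 -j RETURN" \
      "iptables -t nat -A OUTPUT -m owner --gid-owner $gid -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT" \
      "iptables -t nat -A OUTPUT -m owner --gid-owner $gid -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT"
    # filter/OUTPUT: after REDIRECT the packet is re-routed via lo, so accept
    # that; reject everything else from the tagged gid (ICMP, non-DNS UDP,
    # anything that was not redirected) so it cannot bypass the proxy.
    printf '%s\n' \
      "iptables -A OUTPUT -m owner --gid-owner $gid -o lo -j ACCEPT" \
      "iptables -A OUTPUT -m owner --gid-owner $gid -j REJECT --reject-with icmp-port-unreachable"
}

# Sanity check: the policy for the tagged gid must end in a default-deny.
reject_rule_count() {
    torify_rules "$1" | grep -c -- '-j REJECT'
}

# What a "torified-user"-style wrapper boils down to with gid tagging:
# sg(1) re-executes the command with the group as its gid, children inherit
# it, and so every socket they create in the future matches the rules.
torified_run() {
    sg "$TOR_GROUP" -c "$*"
}

# Apply the rules only when explicitly asked (needs root and a running Tor):
#   sudo sh torify.sh apply     # afterwards: torified_run wget http://example.com/
if [ "${1:-}" = "apply" ]; then
    torify_rules "$TOR_GROUP" | while IFS= read -r rule; do
        echo "+ $rule"
        $rule
    done
fi
```

Two caveats worth knowing before relying on this: sg(1) only succeeds if the calling user is a member of the group (or knows its group password), and a single gid is a single bit of information, which is exactly why the approach gets unwieldy once you want several independent tags per process as the message asks for. For what it is worth, later kernels (3.14 and newer) added a `cgroup` match (`-m cgroup`) that matches sockets by the net_cls classid of the owning process, which is inherited by its children; that is the closest in-tree answer to the "tag a process and its future sockets" question, though it did not exist when this message was written.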

Thread overview: 6+ messages
2011-10-22 14:44 p. awa [this message]
2011-10-22 16:34 tag process's future sockets for iptables rules? p. awa
2011-10-22 20:43 ` Jan Engelhardt
2011-10-22 23:28   ` pawa
2011-10-23 17:18   ` p. awa
2011-10-23 19:20     ` Nikolay S.
