* tag process's future sockets for iptables rules?
From: p. awa @ 2011-10-22 16:34 UTC (permalink / raw)
To: netfilter
i used to do redirection and filtering based on the uid of a packet's
local socket. the point was to transparently proxy an arbitrary process's
outbound tcp connections through tor[1]. it had a nice enough interface:
$ sudo torified-user wget http://example.com/
then i switched to filtering based on gid instead of uid: having only
the gid of regular files created by a process screwed with was less
intrusive. but it is all still a hack that becomes unwieldy when you
need more complex filtering rules.
so i wonder if netfilter provides a facility that would allow a process
to specify tags that are then added onto all sockets/connections/packets
this process and its children create in the future, and to filter based
upon those tags. something like:
| netfilter_add_tag("public-addresses-proxied-via-tor");
| netfilter_add_tag("internal-addresses-directly");
| netfilter_remove_tag("proxy-dns");
| execlp("wget", ...);
plus corresponding iptables rules:
# iptables ... --with-tag public-addresses-proxied-via-tor \
--with-tag internal-addresses-directly \
--without-tag proxy-dns ...
is there such a thing? of course it wouldn't have to be this interface
exactly, e.g. instead of strings the tags could be bits like connmark's
value/mask. there wouldn't be by any chance a way to set a "default
connmark value" from inside a process, would there?
please note that i'm only asking about this tagging facility, and not
about the proxying use case above (which is merely a simplified example).
cheers
[1] https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy
* Re: tag process's future sockets for iptables rules?
From: Jan Engelhardt @ 2011-10-22 20:43 UTC (permalink / raw)
To: p. awa; +Cc: netfilter
On Saturday 2011-10-22 18:34, p. awa wrote:
>i used to do redirection and filtering based on the uid of a packet's
>local socket. the point was to transparently proxy an arbitrary process's
>outbound tcp connections through tor[1]. it had a nice enough interface:
>
>$ sudo torified-user wget http://example.com/
>
>then i switched to filtering based on gid instead of uid: having only
>the gid of regular files created by a process screwed with was less
>intrusive. but it is all still a hack that becomes unwieldy when you
>need more complex filtering rules.
>
>so i wonder if netfilter provides a facility that would allow a process
>to specify tags that are then added onto all sockets/connections/packets
>this process and its children create in the future, and to filter based
>upon those tags. something like:
>
>| netfilter_add_tag("public-addresses-proxied-via-tor");
>| netfilter_add_tag("internal-addresses-directly");
>| netfilter_remove_tag("proxy-dns");
>| execlp("wget", ...);
>
>plus corresponding iptables rules:
>
># iptables ... --with-tag public-addresses-proxied-via-tor \
> --with-tag internal-addresses-directly \
> --without-tag proxy-dns ...
>
>is there such a thing? of course it wouldn't have to be this interface
A socket option, SO_MARK, for use with setsockopt/getsockopt.
* Re: tag process's future sockets for iptables rules?
From: pawa @ 2011-10-22 23:28 UTC (permalink / raw)
To: netfilter
> >| netfilter_add_tag("public-addresses-proxied-via-tor");
> >| netfilter_add_tag("internal-addresses-directly");
> >| netfilter_remove_tag("proxy-dns");
> >| execlp("wget", ...);
>
> A socket option, SO_MARK, for use with setsockopt/getsockopt.
but setsockopt is per socket. i'm looking for something that is
per process (and inherited by children - in the example, wget).
this is to replace what i do at the moment, namely
| setgid(123);
| execlp("wget", ...);
and
# iptables ... -m owner --gid-owner 123 ...
* Re: tag process's future sockets for iptables rules?
From: Nikolay S. @ 2011-10-23 19:20 UTC (permalink / raw)
To: p. awa; +Cc: netfilter
On Sun, 23/10/2011 at 17:18 +0000, p. awa wrote:
> > >| netfilter_add_tag("public-addresses-proxied-via-tor");
> > >| netfilter_add_tag("internal-addresses-directly");
> > >| netfilter_remove_tag("proxy-dns");
> > >| execlp("wget", ...);
> >
> > A socket option, SO_MARK, for use with setsockopt/getsockopt.
>
> but setsockopt is per socket. i'm looking for something that is
> per process (and inherited by children - in the example, wget).
> this is to replace what i do at the moment, namely
>
> | setgid(123);
> | execlp("wget", ...);
>
> and
>
> # iptables ... -m owner --gid-owner 123 ...
Well, you could do interposition of libc's socket() with LD_PRELOAD, and
call setsockopt SO_MARK in the wrapper.
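The LD_PRELOAD interposition suggested above, worked out in C as an added example (not code from the thread, from netfilter or from glibc): the environment variable name SOCKET_MARK and the fail-closed behaviour are this example's own choices. Because environment variables are inherited across execlp(), the mark follows the process and its children, which is the per-process semantics the thread asks for; the iptables side then uses `-m mark --mark 0x10` instead of `-m owner --gid-owner 123`.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/syscall.h>

/* Environment variable carrying the mark: an assumption of this example,
 * not something netfilter or glibc defines. Exported variables are inherited
 * by children, so "SOCKET_MARK=0x10 LD_PRELOAD=./markshim.so wget ..." marks
 * every socket wget (and anything it spawns) creates. */
#define MARK_ENV "SOCKET_MARK"

/* Parse a decimal or 0x-prefixed hex mark into a 32-bit value.
 * Returns 0 on success, -1 if the string is empty, signed, malformed or
 * does not fit in 32 bits (SO_MARK takes an unsigned 32-bit value). */
int parse_mark(const char *s, unsigned int *mark)
{
    char *end;
    unsigned long v;
    if (s == NULL || *s == '\0' || *s == '-' || *s == '+')
        return -1;
    errno = 0;
    v = strtoul(s, &end, 0);
    if (errno != 0 || *end != '\0' || v > 0xffffffffUL)
        return -1;
    *mark = (unsigned int)v;
    return 0;
}
/* Replacement for libc's socket(): creates the socket through the raw system
 * call (so no dlsym/libdl is needed) and applies SO_MARK, which requires
 * CAP_NET_ADMIN. If a mark is requested but cannot be applied, the socket is
 * closed and the call fails: an unmarked socket would silently bypass the
 * mark-based redirection rules, which is the opposite of what is wanted. */
int socket(int domain, int type, int protocol)
{
    const char *env = getenv(MARK_ENV);
    unsigned int mark;
    int fd, saved;
    fd = (int)syscall(SYS_socket, domain, type, protocol);
    if (fd < 0 || env == NULL)
        return fd;                      /* no mark requested: plain socket */
    if (parse_mark(env, &mark) != 0)
        errno = EINVAL;
    else if (setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(mark)) == 0)
        return fd;                      /* marked: -m mark rules can match it */
    saved = errno;
    fprintf(stderr, "mark shim: %s=%s not applied: %s\n", MARK_ENV, env, strerror(saved));
    close(fd);
    errno = saved;
    return -1;
}
```

Build with `gcc -shared -fPIC -o markshim.so markshim.c`; note that static and setuid binaries ignore LD_PRELOAD, so the shim cannot tag those at all.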