Re: netfilter on bullseye: matching executable name or pid with nftables
André Rodier wrote:
> Hi,
>
> With iptables, I was able to use the match extension, and create rules per
> program or pid, for instance:
>
> iptables -A OUTPUT --match owner -p tcp --cmd-owner tinyproxy -j ACCEPT
> iptables -A OUTPUT --match owner -p tcp --pid-owner 4554 -j ACCEPT
>
> How can I achieve the same, on Linux, using nftables, please ?
https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation#Matching_by_socket_UID_.2F_GID
You can use your user name to match traffic, e.g.
% nft add rule filter output meta skuid pablo counter
Or the 32-bit unsigned integer (UID) in case there is no entry
in /etc/passwd for a given user.
% nft add rule filter output meta skuid 1000 counter
It doesn't look like there's direct support for matching on
process-ids, but cgroups can be matched.
-dsr-
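As an added example (not from this thread), the following POSIX shell script writes out an nftables ruleset that covers the two things the original iptables rules wanted: per-user matching with `meta skuid`, and a per-service substitute for `--pid-owner` using the socket's cgroup v2 path, since nftables has no pid match. It assumes a user named tinyproxy exists, that the daemon runs as that user under systemd as tinyproxy.service (cgroup path system.slice/tinyproxy.service), and a kernel whose nft_socket module supports cgroupv2 matching (5.7 or later, so bullseye's 5.10 qualifies). The function and file names are invented for the example.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Emit an nftables ruleset equivalent to the iptables "owner" rules from the
# question. Assumptions: user "tinyproxy" exists, the daemon runs under
# systemd as tinyproxy.service, kernel >= 5.7 for "socket cgroupv2".

gen_owner_ruleset() {
    # $1: socket owner, a user name or a numeric UID (for users without a
    #     /etc/passwd entry); $2: systemd unit name of the service
    owner="$1"
    unit="$2"
    cat <<EOF
flush ruleset
table inet filter {
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif "lo" accept
        # meta skuid replaces --uid-owner; nft accepts a name or a UID here
        meta skuid $owner tcp dport { 80, 443 } counter accept
        # No --pid-owner equivalent exists; match the service's cgroup v2
        # path instead. Level 2 under system.slice selects that unit only.
        socket cgroupv2 level 2 "system.slice/$unit" counter accept
        counter log prefix "out-drop " drop
    }
}
EOF
}

# Print the ruleset; redirect it to a file and load with "nft -f".
# For a user missing from /etc/passwd pass the UID, e.g.:
#   gen_owner_ruleset 1000 tinyproxy.service
gen_owner_ruleset tinyproxy tinyproxy.service
```

Save the output (e.g. to /etc/nftables.conf) and run `nft -c -f /etc/nftables.conf` first: the `-c` flag only parses and checks the ruleset, so a typo in the user name or a kernel without cgroupv2 socket support is reported before anything is loaded. Then `nft -f` loads it, and `nft list ruleset` shows the counters, which is the quickest way to confirm that the daemon's traffic is actually hitting the skuid or cgroup rule rather than the final drop.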