André Rodier wrote:
> Hi,
>
> With iptables, I was able to use the match extension, and create rules per
> program or pid, for instance:
>
> iptables -A OUTPUT --match owner -p tcp --cmd-owner tinyproxy -j ACCEPT
> iptables -A OUTPUT --match owner -p tcp --pid-owner 4554 -j ACCEPT
>
> How can I achieve the same, on Linux, using nftables, please?
https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation#Matching_by_socket_UID_.2F_GID

You can use your user name to match traffic, e.g.

% nft add rule filter output meta skuid pablo counter

Or the 32-bit unsigned integer (UID) in case there is no entry in /etc/passwd for a given user.

% nft add rule filter output meta skuid 1000 counter

It doesn't look like there's direct support for matching on process-ids, but cgroups can be matched.

-dsr-
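The two owner-match rules from the question, written out as a complete nftables ruleset that uses the skuid match from the reply plus the cgroup match it mentions as the substitute for --pid-owner. This is an added example, not code from either poster; it assumes tinyproxy runs as a local user named tinyproxy (uid 117 is a made-up value), is started by systemd in the cgroup system.slice/tinyproxy.service, and that the host runs a unified (v2) cgroup hierarchy with a kernel and nft new enough for the socket cgroupv2 expression.

```nft
# Added example, not from the thread. Load with: nft -f owner.nft
# (run `nft -c -f owner.nft` first to syntax-check without applying).
# Assumed names/values: user "tinyproxy", uid 117, cgroup
# system.slice/tinyproxy.service, cgroup v2 mounted at /sys/fs/cgroup.

table inet filter {
    chain output {
        type filter hook output priority filter; policy drop;

        # Loopback and established flows first, so the drop policy does not
        # break replies or local services.
        oifname "lo" accept
        ct state established,related accept

        # --cmd-owner tinyproxy has no nftables counterpart. The closest match
        # on the socket owner is the daemon's user (meta skuid) or its group
        # (meta skgid); the name form is resolved via /etc/passwd at load time.
        meta skuid tinyproxy tcp dport { 80, 443 } counter accept

        # Same rule with the numeric uid, for hosts where the user has no
        # /etc/passwd entry (e.g. a container with a minimal passwd file).
        meta skuid 117 tcp dport { 80, 443 } counter accept

        # --pid-owner 4554 has no counterpart either: a pid is not a stable
        # identity. Scoping a rule to one service is done by matching the
        # process's cgroup. Level 2 of the v2 hierarchy for a systemd service
        # is "system.slice/<unit>" (assumed to be tinyproxy.service here).
        socket cgroupv2 level 2 "system.slice/tinyproxy.service" counter accept

        # Everything else is counted and logged before the chain policy drops it,
        # so unexpected egress from other users or services is visible.
        counter log prefix "nft-output-drop: " drop
    }
}
```

Because the chain policy is drop, verify with `nft list ruleset` and the counters that the uid and cgroup rules actually see the daemon's traffic before relying on it on a production host.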