我正在尝试在 iptabes 中按进程名称匹配数据包。我尝试使用 ping 和从以下网址获得的示例:https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#OWNERMATCH
我输入的命令是:
iptables -N mychain
iptables -A OUTPUT -m owner --cmd -owner ping -j mychain
然而,我得到:
iptables v1.4.21: unknown option "--cmd-owner"
Try 'iptables -h' or 'iptables --help' for more information.
当我这样做时,我看不到“--cmd-owner”选项。这是因为该选项在 iptables v1.4.21 中不再可用吗?如果此选项不再可用,有人能告诉我如何在我的主机上计算每个进程的数据包数吗?
答案1
显然它在某个时候从 iptables 中删除了...我搞不清楚具体时间。我确实找到了这个 Ubuntu 错误报告。
https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/800781
没有提到它被从 git 中删除,但有提到它最初被添加的时间。
https://git.netfilter.org/iptables/log/?qt=grep&q=cmd-owner
最终在这里找到了: http://www.spinics.net/lists/netfilter/msg49716.html
commit 34b4a4a624bafe089107966a6c56d2a1aca026d4
Author: Christoph Hellwig <hch@xxxxxx>
Date: Sun Aug 14 17:33:59 2005 -0700
[NETFILTER]: Remove tasklist_lock abuse in ipt{,6}owner
Rip out cmd/sid/pid matching since its unfixable broken and stands in the
way of locking changes to tasklist_lock.
Signed-off-by: Christoph Hellwig <hch@xxxxxx>
Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
It's a little late to come with "I need this" 5 years after the fact.
>Is there any alternative for this? I mean to set up a static rule that
>assigns specific command-line netfilter acls?
SELinux, SNET, or other LSMs.
如果这听起来没什么帮助,我很抱歉。这是我能做的最好的了。我不太擅长 iptables 的东西。