Hi.

On Thu, Nov 15, 2018 at 10:26:03PM -0500, Celejar wrote:
> > systemd may be controversial, but they got one thing right - per-service
> > resource control. And that includes so-called 'user services' that GNOME
> > programs start left and right and all other.
> >
> > So the framework is there. The problem is - they left the implementation
> > of the policy of the user ☺
>
> Would you mind explaining a bit further, or pointing me to something to
> read about this?
The kernel can mark any outgoing packet. These 'marks' are not an actual
modification of the packet (hence they are invisible once the packet goes
into the NIC), but rather a way to apply a pre-determined set of rules to
it. The net_cls controller is a way to apply such a mark to any and all
outgoing packets generated by a group of processes. A canonical example
to (ab)use this resides in the kernel documentation
(cgroup-v1/net_cls.txt.gz). Successful use requires understanding of at
least iptables, tc, nfacct and maybe nft, as you need to jump through an
impressive amount of hoops to make the thing work on inbound packets too.

> > > An application firewall might be useful here, but I have no experience
> > > with them.
> >
> > You're thinking of user traffic accounting.
>
> I don't think I follow you here - isn't "user traffic accounting" per
> user, not per specific application?

See above. 'User' is an ambiguous term here.

> And what's wrong with my reference
> to application firewalls?
>
> https://en.wikipedia.org/wiki/Application_firewall

You need to block outgoing traffic based on some criteria - that's where a
firewall comes into play, sure. But in this case the criterion is not only
the application name (executable, or pid, or service or whatever), but also
the amount of traffic that application consumed. Hence the need for traffic
accounting.

Reco
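The net_cls plus iptables recipe Reco describes, written out as an added example that is not part of this mail or the kernel documentation; it assumes root on a cgroup v1 host with net_cls mounted at /sys/fs/cgroup/net_cls and iptables built with the cgroup and quota matches, and the group name, handle numbers and byte quota are placeholders.

```shell
#!/bin/sh
# Added example: tag every outgoing packet of one group of processes with a
# net_cls classid, count those bytes in the OUTPUT chain, and drop them once
# the group has spent its byte quota. Assumes cgroup v1, root, and iptables
# with xt_cgroup (-m cgroup) and xt_quota (-m quota); names are placeholders.
set -eu

NET_CLS_ROOT=/sys/fs/cgroup/net_cls   # assumed mount point of the v1 controller

# net_cls.classid is written as 0xAAAABBBB: tc major handle in the upper 16
# bits, minor handle in the lower 16 bits. Arguments are decimal.
net_cls_classid() {
    printf '0x%04x%04x\n' "$1" "$2"
}

# Inverse of the above: print "major minor" for a 0x... classid.
classid_parts() {
    printf '%d %d\n' "$(( $1 >> 16 ))" "$(( $1 & 0xffff ))"
}

# Create the group and set the mark applied to everything its members send.
make_group() {   # $1 = group name, $2 = classid
    mkdir -p "$NET_CLS_ROOT/$1"
    printf '%s\n' "$2" > "$NET_CLS_ROOT/$1/net_cls.classid"
}

# Accept the group's egress while under quota, then fall through to DROP.
# The byte counters of both rules (iptables -vnxL OUTPUT) are the accounting.
# xt_quota is one-shot: the allowance is not refilled until the rule is re-added.
limit_group() {  # $1 = classid, $2 = quota in bytes
    iptables -A OUTPUT -m cgroup --cgroup "$1" -m quota --quota "$2" -j ACCEPT
    iptables -A OUTPUT -m cgroup --cgroup "$1" -j DROP
}

# Move this shell into the group, then become the application; the exec'd
# process inherits the cgroup membership and therefore the mark.
run_in_group() {  # $1 = group name, remaining args = command
    group=$1; shift
    printf '%d\n' "$$" > "$NET_CLS_ROOT/$group/cgroup.procs"
    exec "$@"
}

# Usage: app-quota.sh apply <group> <major> <minor> <bytes> -- <command...>
# Nothing privileged runs unless "apply" is given, so sourcing is harmless.
if [ "${1:-}" = "apply" ]; then
    group=$2; cid=$(net_cls_classid "$3" "$4"); quota=$5
    shift 6   # drop "apply", group, major, minor, quota and the "--"
    make_group "$group" "$cid"
    limit_group "$cid" "$quota"
    run_in_group "$group" "$@"
fi
```

`net_cls_classid 16 1` yields `0x00100001`, the same value the kernel documentation shows being written to `net_cls.classid`; the quota rule reports the bytes consumed so far through the usual counters.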