condnet
condnet is an LD_PRELOAD-able wrapper that can be used to prevent (to a degree)
a single process from accessing the network. In a way, it can be used to create a
firewalled environment for that one process. In addition to blocking traffic, it
can alter/spoof name server queries.
Features
- Block traffic to specific hosts or ports
- Deny operations with custom return value and error code
- Set policy to deny all traffic by default, then poke holes as necessary
- Spoof name server queries to return custom responses
- Runs in userspace, per-process
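As an added example that is not condnet's own code, this is what the query-spoofing feature looks like as an LD_PRELOAD hook on getaddrinfo(): names under an assumed sinkhole suffix get a fabricated 127.0.0.1 answer and never reach the resolver, while every other name is handed to libc. The ".sinkhole.test" suffix, the answer address, the helper names and glibc (for the way freeaddrinfo() releases nodes) are all assumptions.

```c
/* spoof_gai.c: added example, not condnet's code, of spoofing name server
 * queries with an LD_PRELOAD hook on getaddrinfo(). The ".sinkhole.test"
 * suffix and the 127.0.0.1 answer are assumptions; glibc is assumed too. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <dlfcn.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

static const char sink_suffix[] = ".sinkhole.test";     /* assumed suffix */
static const uint32_t sink_addr = 0x7f000001u;          /* 127.0.0.1, host order */

/* True if name ends in the sinkhole suffix (and is longer than it). */
static int is_sinkholed(const char *name) {
    size_t n = name ? strlen(name) : 0, s = sizeof sink_suffix - 1;
    return n > s && strcmp(name + n - s, sink_suffix) == 0;
}

/* Build a one-entry IPv4 result. addrinfo and sockaddr share one allocation
 * because glibc's freeaddrinfo() free()s each node (and its ai_canonname). */
static struct addrinfo *fake_result(uint16_t port, const struct addrinfo *hints) {
    struct addrinfo *ai = calloc(1, sizeof *ai + sizeof(struct sockaddr_in));
    if (!ai) return NULL;
    struct sockaddr_in *sin = (struct sockaddr_in *)(ai + 1);
    sin->sin_family = AF_INET;
    sin->sin_port = htons(port);
    sin->sin_addr.s_addr = htonl(sink_addr);
    ai->ai_family = AF_INET;
    ai->ai_socktype = (hints && hints->ai_socktype) ? hints->ai_socktype : SOCK_STREAM;
    ai->ai_protocol = hints ? hints->ai_protocol : 0;
    ai->ai_addrlen = sizeof *sin;
    ai->ai_addr = (struct sockaddr *)sin;
    return ai;
}

/* The hook: sinkholed names never reach DNS; everything else goes to libc's
 * getaddrinfo via RTLD_NEXT. Numeric services only (no /etc/services lookup). */
int getaddrinfo(const char *node, const char *service,
                const struct addrinfo *hints, struct addrinfo **res) {
    static int (*real_gai)(const char *, const char *,
                           const struct addrinfo *, struct addrinfo **);
    if (is_sinkholed(node)) {
        char *end = NULL;
        long port = service ? strtol(service, &end, 10) : 0;
        if (service && (*end != '\0' || port < 0 || port > 65535)) return EAI_SERVICE;
        *res = fake_result((uint16_t)port, hints);
        return *res ? 0 : EAI_MEMORY;
    }
    if (!real_gai) real_gai = dlsym(RTLD_NEXT, "getaddrinfo");
    return real_gai(node, service, hints, res);
}

/* Resolve through the hook; returns the first IPv4 address in host order and
 * stores the port, or returns 0 on failure. Frees with libc's freeaddrinfo(). */
uint32_t lookup_v4(const char *name, const char *service, uint16_t *port) {
    struct addrinfo *r = NULL;
    if (getaddrinfo(name, service, NULL, &r) != 0 || r == NULL) return 0;
    uint32_t a = 0;
    if (r->ai_family == AF_INET) {
        const struct sockaddr_in *sin = (const struct sockaddr_in *)r->ai_addr;
        a = ntohl(sin->sin_addr.s_addr);
        if (port) *port = ntohs(sin->sin_port);
    }
    freeaddrinfo(r);
    return a;
}
```

Built like condnet as a shared object (gcc -shared -fPIC -o libspoofgai.so spoof_gai.c -ldl) and preloaded, it makes getent ahosts c2.sinkhole.test print 127.0.0.1 with no DNS packet sent, while any other name resolves normally. The single allocation per node is the part people get wrong: a result built from several malloc()s works until the program calls libc's freeaddrinfo() on it.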
As of 2 January 2015, condnet hooks only the following calls.
- connect
- getaddrinfo
- sendto
- accept
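As an added example, not condnet's own code, this is how the connect() hook and a deny-by-default policy with a custom error code fit together in an LD_PRELOAD object. The rule table, the choice of ECONNREFUSED as the error, the helper names and Linux/glibc are assumptions; only IPv4 is covered.

```c
/* mini_condnet.c: added example, not condnet's own code, of an LD_PRELOAD
 * hook on connect() with a deny-by-default policy and a configurable errno.
 * The policy table and the errno value are assumptions; Linux/glibc assumed. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <dlfcn.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum verdict { ALLOW = 0, DENY = 1 };

/* A rule covers connections into net/bits (host order) on port (0 = any). */
struct rule { enum verdict verdict; uint32_t net; int bits; uint16_t port; };

/* Constructed sample policy: first match wins, unmatched IPv4 is denied. */
static const struct rule policy[] = {
    { DENY,  0x7f000001u, 32, 25  },   /* no SMTP, not even to localhost */
    { ALLOW, 0x7f000000u,  8, 0   },   /* the rest of loopback is fine    */
    { ALLOW, 0x0a000000u,  8, 443 },   /* 10.0.0.0/8, but only on 443     */
};
static const int deny_errno = ECONNREFUSED;   /* what a denied caller sees */

static int prefix_match(uint32_t addr, uint32_t net, int bits) {
    uint32_t mask = bits <= 0 ? 0u : bits >= 32 ? 0xffffffffu
                                                 : ~((1u << (32 - bits)) - 1u);
    return (addr & mask) == (net & mask);
}

/* Policy decision for a sockaddr. Only IPv4 is understood: AF_UNIX passes
 * (local IPC, not network); anything else, IPv6 included, falls to DENY. */
enum verdict decide(const struct sockaddr *sa, socklen_t len) {
    if (sa == NULL) return DENY;
    if (sa->sa_family == AF_UNIX) return ALLOW;
    if (sa->sa_family != AF_INET || len < sizeof(struct sockaddr_in)) return DENY;
    const struct sockaddr_in *in = (const struct sockaddr_in *)sa;
    uint32_t addr = ntohl(in->sin_addr.s_addr);
    uint16_t port = ntohs(in->sin_port);
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (prefix_match(addr, policy[i].net, policy[i].bits) &&
            (policy[i].port == 0 || policy[i].port == port))
            return policy[i].verdict;
    return DENY;
}

/* The hook. Under LD_PRELOAD the dynamic linker binds the program's connect()
 * here; libc's own is found via RTLD_NEXT and reached only if allowed. */
int connect(int fd, const struct sockaddr *sa, socklen_t len) {
    static int (*real_connect)(int, const struct sockaddr *, socklen_t);
    if (decide(sa, len) == DENY) {
        errno = deny_errno;
        return -1;
    }
    if (!real_connect) real_connect = dlsym(RTLD_NEXT, "connect");
    return real_connect(fd, sa, len);
}

static int make_v4(struct sockaddr_in *in, const char *ip, uint16_t port) {
    memset(in, 0, sizeof *in);
    in->sin_family = AF_INET;
    in->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &in->sin_addr) == 1 ? 0 : -1;
}

/* Helpers for experiments: the verdict for "a.b.c.d":port, and a real
 * connect() through the hook that returns 0 or the errno it produced. */
enum verdict decide_v4(const char *ip, uint16_t port) {
    struct sockaddr_in in;
    if (make_v4(&in, ip, port) != 0) return DENY;
    return decide((const struct sockaddr *)&in, sizeof in);
}

int try_connect(const char *ip, uint16_t port) {
    struct sockaddr_in in;
    if (make_v4(&in, ip, port) != 0) return EINVAL;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    int err = connect(fd, (const struct sockaddr *)&in, sizeof in) == 0 ? 0 : errno;
    close(fd);
    return err;
}
```

Build it with gcc -Wall -shared -fPIC -o libminicondnet.so mini_condnet.c -ldl and run something under it, e.g. LD_PRELOAD=$PWD/libminicondnet.so curl -sS http://10.0.0.1/: curl reports "Connection refused" although no packet left the host, because the hook failed the call before libc's connect() was ever reached. Looking the real function up with RTLD_NEXT (the next object after this one in the search order) rather than by opening libc by name is what lets the hook stack with other preloaded objects.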
Experimental version
Source packages whose name contains the string “experimental” are even more incomplete and unsafe. Use at your own peril. Experimental features (may) include:
- Reverse resolving: block traffic to addresses that reverse-resolve to a given host mask. This feature is experimental because the implementation depends on backtrace. The code also includes a backtrace-independent implementation, but that one is NOT thread safe.
Limitation
This LD_PRELOAD hack works by providing its own entry points for a few commonly used libc calls and taking over from there; the real libc function is only reached after condnet has had its say. It is therefore only as strong as symbol interposition. If the application opens libc itself with dlopen and fetches the functions with dlsym on that handle, condnet is powerless, and the same holds for programs that issue the system calls directly (syscall(2) or inline assembly), for statically linked binaries, and for setuid/setgid programs, for which the dynamic linker ignores LD_PRELOAD. A wrapped process can also strip LD_PRELOAD from the environment it hands to its children, which then run unwrapped. Also, not all network related calls are wrapped: gethostbyname and sendmsg, for instance, are not on the list above, so names resolved or datagrams sent through them are never seen. Treat condnet as a convenience for well-behaved programs, not as a security boundary against code that wants out.
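The bypass described above can be made visible with a small probe, added here as an example that is not part of condnet. It resolves connect() two ways, the way ordinary calls bind (the first definition after the program itself, which is a preload if one is present) and the way a dlopen/dlsym-using program does (straight from the libc handle), and it also issues the raw system call, which no LD_PRELOAD object can see. Linux and glibc ("libc.so.6") are assumed, as are the function names.

```c
/* probe_bypass.c: added example (not from condnet) of the dlopen/dlsym and
 * raw-syscall routes around an LD_PRELOAD hook. Assumes Linux and glibc. */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Returns 1 if the connect() ordinary calls bind to is not libc's own, i.e. a
 * preloaded hook sits in front of it; 0 if they coincide; -1 if libc could not
 * be located (non-glibc system). dlsym on the libc handle is the bypass route. */
int preload_present(void) {
    void *libc = dlopen("libc.so.6", RTLD_LAZY | RTLD_NOLOAD);
    if (!libc) return -1;
    void *direct = dlsym(libc, "connect");      /* libc's own, hook or not   */
    void *bound  = dlsym(RTLD_NEXT, "connect"); /* first definition after us */
    dlclose(libc);
    if (!direct || !bound) return -1;
    return direct != bound;
}

/* connect(2) issued straight to the kernel: no libc symbol is involved, so no
 * LD_PRELOAD wrapper gets a look at it. */
int raw_connect(int fd, const struct sockaddr *sa, socklen_t len) {
#ifdef SYS_connect
    return (int)syscall(SYS_connect, fd, sa, len);
#else
    (void)fd; (void)sa; (void)len;
    errno = ENOSYS;   /* e.g. i386, where socket calls go through socketcall */
    return -1;
#endif
}

int main(void) {
    Dl_info info;
    void *bound = dlsym(RTLD_NEXT, "connect");
    if (bound && dladdr(bound, &info))
        printf("connect() binds to %s\n", info.dli_fname);
    printf("hook in front of connect(): %d\n", preload_present());
    return 0;
}
```

Compiled as a normal program (gcc -o probe_bypass probe_bypass.c -ldl) it prints 0 and libc's path; run under any LD_PRELOAD hook on connect, condnet included, it prints 1 and the hook's path, while the address obtained from the libc handle, and the kernel behind raw_connect(), are unchanged. That pair of addresses is the whole limitation in one line: whoever holds the libc one does not go through the wrapper.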
Usage
There is no documentation for the thing, but taking a look at the sources should help. Also be sure to check the file named run in the sources for my brief personal memos.
Compiling
If you don’t know how to compile or use it, either you don’t need or want this. If you insist, see the file named run in the package.