Latest Comments by ssokolow
Unity3D Games "Phone Home" With Details Of Your Hardware & Software
15 Oct 2014 at 1:31 pm UTC Likes: 1

In case it helps anyone else, here's what I came up with as starting points while spending about 15 minutes researching ways to either tag or virtualize packet routing on a per-process basis:

A. PID-oriented iptables was always broken on systems with more than one CPU and seems to have been removed, so that's not an option.

B. According to these pages, I could use the net_cls cgroup to tag sections of the process hierarchy and then use iptables to DROP any outbound UDP or TCP SYN packets that originated from my user account but weren't launched in the whitelist cgroup... but I'd first need to install a newer kernel and iptables in my Lubuntu 14.04.

It could be accomplished in one of three ways:
  • DROP processes with "--uid-owner ssokolow" that lack some whitelist tag

  • Launch the DE under a blacklist tag and then move certain descendant processes back out

  • Accept the risk of the occasional phone-home slipping through and explicitly launch games with a blacklist tag instead.



  • http://www.evolware.org/?p=369

  • http://serverfault.com/a/486104

  • https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Resource_Management_Guide/Starting_a_Process.html



C. I'll need to research the easiest way to do it without altering the execution environment for the game (namespace control requires root) and it's a less elegant solution than cgroups, but it's also possible to use Linux network namespaces to launch games on a virtual subnet and then set up a filtering bridge to the real LAN subnet:

  • http://www.evolware.org/?p=293

  • http://blog.scottlowe.org/2013/09/04/introducing-linux-network-namespaces/

  • http://unix.stackexchange.com/questions/125599/settings-when-using-a-bridge

  • http://libvirt.org/firewall.html



D. ...and, if all else fails, I could always investigate whether using LXC (and one of the alternative approaches to virtualized networking it supports) produces a container flexible enough to run my games without doing anything ugly like forcing rendering via the host X server to take a slower fallback.

  • https://linuxcontainers.org/

  • https://www.digitalocean.com/community/tutorials/getting-started-with-lxc-on-an-ubuntu-13-04-vps

  • http://askubuntu.com/questions/293275/what-is-lxc-and-how-to-get-started

  • https://wiki.debian.org/LXC

  • http://containerops.org/2013/11/19/lxc-networking/

  • https://wiki.debian.org/LXC/SimpleBridge

  • https://help.ubuntu.com/lts/serverguide/lxc.html

  • https://help.ubuntu.com/community/LXC



Of course, a little Python or shell scripting should make it easy to poke holes in the iptables restrictions so it's possible to join multiplayer games hosted by IP addresses known to belong to friends.

...now to just find the time to make the damn thing. I guess I'll be sticking to mostly non-game entertainment for a while.
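The whitelist variant of option B above (DROP the user's outbound UDP and TCP SYN unless the process sits in a net_cls cgroup, with explicit holes for friends' hosts), written out as an added example. This is not the commenter's script and nothing from the linked pages; it assumes a cgroup v1 `net_cls` hierarchy mounted at `/sys/fs/cgroup/net_cls`, a kernel of 3.14 or later and iptables 1.4.21 or later for the `-m cgroup --cgroup` (xt_cgroup) match, an arbitrary classid `0x00100001`, and a hypothetical friend address `192.0.2.10`. It only prints the commands; pipe its output into `sudo sh` to apply them. On a cgroup v2 system the classid match does not apply and `-m cgroup --path` (kernel 4.8+) is the equivalent.

```shell
#!/bin/sh
# Added example: generate the cgroup + iptables "whitelist" rules described in option B.
# Assumptions (not from the page): cgroup v1 net_cls at /sys/fs/cgroup/net_cls,
# xt_cgroup available (kernel >= 3.14, iptables >= 1.4.21), classid 0x00100001 chosen
# arbitrarily. Nothing is applied; output is meant for `sh -n` review or `sudo sh`.

# emit_rules USER CGROUP CLASSID "IP IP ..." -> shell commands on stdout
emit_rules() {
    user="$1"; cg="$2"; classid="$3"; friends="$4"
    cgdir="/sys/fs/cgroup/net_cls/$cg"

    # 1. Create the whitelist cgroup and give it the classid the kernel stamps
    #    onto every socket created by a task inside it.
    echo "mkdir -p $cgdir"
    echo "echo $classid > $cgdir/net_cls.classid"
    # Let the unprivileged user move its own processes in (cgroup.procs moves a
    # whole thread group; 'tasks' would move a single thread).
    echo "chown $user $cgdir/cgroup.procs"

    # 2. Holes for multiplayer hosts you trust. They must precede the DROP rules,
    #    since iptables takes the first matching terminal target.
    for ip in $friends; do
        echo "iptables -A OUTPUT -m owner --uid-owner $user -d $ip -j ACCEPT"
    done

    # 3. Never break loopback (X11, PulseAudio, locally hosted game servers).
    echo "iptables -A OUTPUT -o lo -j ACCEPT"

    # 4. The actual whitelist: this user's processes that are NOT in the cgroup may
    #    neither open TCP connections (SYN) nor send UDP. Flows that already exist,
    #    and every other user's traffic, are untouched.
    echo "iptables -A OUTPUT -p tcp --syn -m owner --uid-owner $user -m cgroup ! --cgroup $classid -j DROP"
    echo "iptables -A OUTPUT -p udp       -m owner --uid-owner $user -m cgroup ! --cgroup $classid -j DROP"

    # 5. How a game is then launched so that it may talk to the network:
    echo "# as $user:  echo \$\$ > $cgdir/cgroup.procs && exec <game>"
    echo "# or, with libcgroup installed:  cgexec -g net_cls:$cg <game>"
}

# drop_rule_count RULES -> number of DROP rules in the generated text (sanity check)
drop_rule_count() {
    printf '%s\n' "$1" | grep -c -- '-j DROP'
}

# accept_before_drop RULES -> exit 0 if every ACCEPT line precedes the first DROP line
accept_before_drop() {
    printf '%s\n' "$1" | awk '
        /-j DROP/   { seen_drop = 1 }
        /-j ACCEPT/ { if (seen_drop) bad = 1 }
        END         { exit bad ? 1 : 0 }'
}

# Running the file directly prints a rule set for review; override via environment.
emit_rules "${FW_USER:-ssokolow}" "${FW_CGROUP:-whitelist}" \
           "${FW_CLASSID:-0x00100001}" "${FW_FRIENDS:-}"
```

The two DROP rules are deliberately limited to TCP SYN and UDP rather than all traffic: replies on established connections keep flowing, and the user's non-game processes (browser, package manager) are unaffected as long as they are started inside the cgroup, which is why the chown on `cgroup.procs` matters.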